vncserver -localhost and ssh tunneling
Solution 1
The -localhost option is telling the VNC server to bind only to the loopback interface, so that you can only connect to the VNC server from the machine it's running on. This means that anyone trying to break into your VNC session would have to be able to get on that particular machine. Without -localhost, your VNC server would accept non-local connections, so an attacker could use another machine to try to break into your VNC session.
If you're going to use -localhost, then you should be passing -L 5900:localhost:5901, not -L 5900:vnc.machine:5901, since your VNC server is listening only on the loopback (localhost) interface.
Solution 2
jjlin
jjlin's answer covers troubleshooting, but to really make it secure you should also pass -nolisten tcp to vncserver. This ensures that there won't be an open TCP listener on the X side of things.
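The two answers together describe two listeners per VNC display :N on the server: the VNC port (TCP 5900+N, which -localhost restricts to loopback) and the X11 port of the Xvnc instance started for that display (TCP 6000+N, which -nolisten tcp removes entirely). The script below is an added example, not code from either answer or from any VNC project: it parses text in the column layout printed by `ss -ltn`, classifies each port as "none", "loopback" or "wildcard", and builds the client-side tunnel command with the "localhost" destination that Solution 1 calls for. The two `ss` outputs and the SSH target user@vnc.machine are constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original answers. Audits a vncserver display
# the way the two answers suggest: the VNC listener (port 5900+N) should be
# bound to loopback only (-localhost), and the X server started for the same
# display should have no TCP listener at all on port 6000+N (-nolisten tcp).
# The checks parse text in the format printed by `ss -ltn`; the samples below
# are constructed, not captured from a real host.

# Constructed `ss -ltn` output for display :1 started with
# `vncserver -localhost -nolisten tcp :1`: VNC on loopback only, no X11 TCP port.
SS_HARDENED='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       5       127.0.0.1:5901       0.0.0.0:*
LISTEN  0       5       [::1]:5901           [::]:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*'

# Constructed output for the same display started with neither option:
# both VNC (5901) and X11 (6001) accept connections on every interface.
SS_DEFAULT='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       5       0.0.0.0:5901         0.0.0.0:*
LISTEN  0       5       [::]:5901            [::]:*
LISTEN  0       128     0.0.0.0:6001         0.0.0.0:*
LISTEN  0       128     [::]:6001            [::]:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*'

# listener_scope PORT SS_OUTPUT
# Prints "none" if nothing listens on PORT, "loopback" if every listener on
# PORT is bound to 127.x.x.x or ::1, and "wildcard" if any listener on PORT
# is reachable from other hosts (0.0.0.0, ::, * or a specific address).
listener_scope() {
  local port="$1" ss_output="$2" state recvq sendq addr peer host scope=none
  # read splits each line on whitespace without pathname expansion, so the
  # "0.0.0.0:*" peer column cannot be globbed against the working directory
  while read -r state recvq sendq addr peer; do
    [ "$state" = LISTEN ] || continue          # skip the header line
    [ "${addr##*:}" = "$port" ] || continue    # text after the last ':' is the port
    host=${addr%:*}                            # text before it is the bind address
    case $host in
      127.*|"[::1]") [ "$scope" = wildcard ] || scope=loopback ;;
      *)             scope=wildcard ;;
    esac
  done <<EOF
$ss_output
EOF
  printf '%s\n' "$scope"
}

# display_is_hardened N SS_OUTPUT
# Succeeds only when display :N has its VNC port on loopback and no X11 TCP port.
display_is_hardened() {
  local display="$1" ss_output="$2"
  [ "$(listener_scope $((5900 + display)) "$ss_output")" = loopback ] &&
  [ "$(listener_scope $((6000 + display)) "$ss_output")" = none ]
}

# tunnel_cmd SSH_TARGET N [LOCAL_PORT]
# Prints the client-side ssh command for display :N. The forward destination
# is "localhost" because the -L destination is resolved on the server side of
# the tunnel, and a -localhost Xvnc only answers on loopback there.
tunnel_cmd() {
  local target="$1" display="$2" local_port="${3:-5900}"
  printf 'ssh -f -N -L %s:localhost:%s %s\n' \
    "$local_port" $((5900 + display)) "$target"
}

# report_display N SS_OUTPUT: one line per port, plus the verdict.
report_display() {
  local display="$1" ss_output="$2"
  printf 'VNC port %s: %s\n' $((5900 + display)) \
    "$(listener_scope $((5900 + display)) "$ss_output")"
  printf 'X11 port %s: %s\n' $((6000 + display)) \
    "$(listener_scope $((6000 + display)) "$ss_output")"
  if display_is_hardened "$display" "$ss_output"; then
    echo "display :$display: loopback-only VNC, no X11 TCP listener"
  else
    echo "display :$display: reachable from other hosts; add -localhost and -nolisten tcp"
  fi
}

# Stand-alone demo over the constructed samples (on a real host, pass "$(ss -ltn)").
report_display 1 "$SS_HARDENED"
report_display 1 "$SS_DEFAULT"
tunnel_cmd user@vnc.machine 1          # hypothetical SSH target
```

On the server, `report_display 1 "$(ss -ltn)"` run after `vncserver -localhost -nolisten tcp :1` should print "loopback" for 5901 and "none" for 6001; a "wildcard" on either port means the corresponding option did not take effect. The classifier treats a mix of loopback and wildcard binds on one port as wildcard, since a single externally reachable socket is enough to expose the session.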
shwoseph
Updated on September 18, 2022
Comments
-
shwoseph over 1 year
I'm trying to set up an SSH-tunneled VNC connection from my CentOS 5.10 machine and I've been following some online tutorials such as this one: https://wiki.archlinux.org/index.php/Vncserver. I'm running the server like this:
$ vncserver -geometry 1024x768 -localhost :1
and connecting with an OpenSSH client like this: ssh -f [email protected] -L 5900:vnc.machine:5901 -N. Then I connect with RealVNC viewer to localhost:5900. For some reason this doesn't work if I use the -localhost param, but it works great if I leave it out. All of the guides say that it's more secure to use it. I'm thinking this might be a configuration issue on the server side, but I'm pretty much stumped at this point and I've tried a lot of stuff. Can anybody tell me why this is happening?
-
shwoseph over 10 years
Maybe I'm confused, but wouldn't that just forward port 5900 from the client machine to 5901 on the client machine?
-
jjlin over 10 years
No, it forwards 5900 on the client machine to 5901 on localhost -- from the point of view of the server, not the client. So localhost would refer to the server.
-
user71931 about 7 years
I don't think this makes any significant improvement in security with @jjlin's answer. In his answer it explicitly isn't listening on anything but localhost (which is what OP wants). At that point, I don't see how blocking TCP access would make it any more secure
-
DepressedDaniel about 7 years
@user71931 vncserver launches X as part of its operation. The -localhost option of vncserver doesn't do anything to the X server, which may listen on, e.g., TCP port 6001 for clients. Since the vncserver process is running on the same machine, it can connect to the X server using unix domain sockets, and this is what it does by default. However, without -nolisten tcp the X server will still listen on a TCP port (for X clients rather than VNC clients).
-
user71931 about 7 years
Ah I see, thanks for explaining. You might want to add that to your answer, that seems like a pretty big gotcha. Didn't know this, thanks for sharing
-
thang almost 5 years
Strange, -localhost doesn't seem to do anything