Article:   Control Your Mac from Afar
Subject:   Great article, but there's a better downside to VNC
Date:   2003-09-19 19:18:51
From:   csoto
Don't forget that VNC sends ALL data in the clear. This can be bad, as any passwords you enter, or any other sensitive information can be sniffed from the network. See http://www.realvnc.com/faq.html#security for some tips. Of course, since you already know how to use SSH, you should learn how to do tunneling, in order to encrypt ANY traffic, including VNC.


Charles

  • Great article, but there's a better downside to VNC
    2003-09-20 19:01:24  anonymous2

    Charles --
    Please, would you write that article,
    so that we can all learn to tunnel --
    Pick it up, right from here. and, in
    the same style and 'weight'.
    please?

    • Great article, but there's a better downside to VNC
      2003-09-22 14:44:20  csoto

      I'm pretty sure there's an article somewhere on tunneling using SSH. I'll look and post the URL of what I find.

      OK. Found one, right here on Oranet:

      http://www.oreillynet.com/pub/a/wireless/2001/02/23/wep.html

      Simply follow the instructions, but instead of connecting via VNC to the remote host, connect to localhost, on the port that you have forwarded. The VNC team has a "Making VNC more secure with SSH" page at:

      http://www.uk.research.att.com/archive/vnc/sshvnc.html

      SSH is super useful. I just hope Apple gets off their tuckus and patches the current vulnerability!

      Charles
      • Great article, but there's a better downside to VNC
        2003-09-23 15:57:09  tychay

        Actually Apple has patched the current portable OpenSSH vulnerability with 10.2.8 <http://archives:archives@lists.apple.com/mhonarc/security-announce/msg00035.html> which means that no G3 or G4 Mac OS X is vulnerable to it (I don't know about the G5 and if such a patch was rolled into 10.2.7). Given the recent news about it, I find it hard to state that Apple was ever on "their tuckus" about this patch. ;)

        Note that Apple has pulled the updater because some users are losing their internet connection after running it. I didn't have any problems but I imagine you can check it tomorrow.

        Take care,

        terry
      • Great article, but there's a better downside to VNC
        2003-09-26 07:56:30  anonymous2

        The recent 10.2.8 patch takes care of the SSH vulnerability and a bunch of others as well.
    • VNC via SSH
      2003-09-23 15:48:49  tychay

      Here are two .command scripts that will start and stop an SSH VNC tunnel:

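      #!/bin/sh
      # Fill in these five values before running; the quotes keep the shell
      # from treating the <...> placeholders as redirections.
      USERNAME="<username on remote machine>"
      HOSTNAME="<ip address of remote machine>"
      BINDPORT="<local port to bind to: VNC # + 5900>"
      VNCPORT="<remote port to bind to: VNC # + 5900>"
      VNCSESSION="<path to VNCSession file>"

      # Forward local $BINDPORT to $VNCPORT on the remote host's loopback, in the
      # background (-f) and without running a remote command (-N). The original
      # post also passed "-c blowfish"; current OpenSSH no longer accepts that cipher.
      ssh -l "$USERNAME" "$HOSTNAME" -L "$BINDPORT:localhost:$VNCPORT" -f -N
      # Open the VNC session file, which points the client at the local end.
      open "$VNCSESSION"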


      Obviously you have to customize the first part. The first VNC port is the bind port you have on your VNC client (for instance 1->5901 and you are binding to localhost:5901 in your VNC session file). The first line contains the syntax to set up the tunnel and the second line opens your VNC session file that is bound to localhost:6901--NOTE: I use VNCDimension not ChickenOfTheVNC so YMMV! Note also that this does not start the VNCServer running on the remote computer/Mac. You have to use OSXvnc or "Share My Desktop" to do that and there is the caveat that if you logout of VNC your session is killed and needs to be restarted! Note also that this script isn't automated since it will ask you for a password (your password on the remote machine). To fix this you have to follow a hint which I won't give (it's in the O'Reilly Mac OS X hacks book as well as many other places) and use an SSH keychain tool. For the cheap among you, do a lookup of "ssh-agent" and Mac clients for it as well as passwordless ssh login for tutorials on the web.

      To close the script down....
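      #!/bin/sh
      # Use the same two values as in the start script.
      BINDPORT="<local port to bind to: VNC # + 5900>"
      VNCPORT="<remote port to bind to: VNC # + 5900>"

      # Kill every process whose command line carries this forwarding spec.
      for X in $(ps xww | grep "$BINDPORT:localhost:$VNCPORT" | grep -v grep | awk '{ print $1 }'); do
        kill "$X"
      done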


      This will destroy your tunnel but it leaves the VNC server running on the remote machine.

      Write these as text files with the name "start.command" and "stop.command" (or whatever) and then turn on executable (with get info) and double click. Obviously with AppleScript Studio and the AppleScript basics provided in this article, you can roll your own interface. :)

      Note, I should mention that on LANs this is not much of an issue. VNC uses a challenge/response password verification system that will protect the password from being hacked so the only thing you are transmitting out in the open are the VNC controls.

      Take care and happy hacking,

      terry
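
An added example, not part of terry's post or the article: the same start/stop pair built around an OpenSSH control socket, so the tunnel is closed by addressing that exact ssh process instead of grepping `ps`, and with the local listener pinned to 127.0.0.1. The socket path `~/.ssh/vnc-tunnel.ctl` and the function names are assumptions.

```sh
#!/bin/sh
# Added example: start/stop an SSH tunnel for VNC via a control socket.
# Usage: tunnel.sh start user@host LOCAL_PORT REMOTE_PORT | tunnel.sh stop user@host

CTL="$HOME/.ssh/vnc-tunnel.ctl"   # hypothetical control-socket path

# Succeeds only for a decimal TCP port in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the argument for -L. The listener is bound to 127.0.0.1 explicitly,
# so other hosts on the network cannot reach the forwarded port.
forward_spec() {
    valid_port "$1" && valid_port "$2" || return 1
    printf '127.0.0.1:%s:localhost:%s\n' "$1" "$2"
}

# start_tunnel user@host local_port remote_port
start_tunnel() {
    spec=$(forward_spec "$2" "$3") || { echo "bad port" >&2; return 2; }
    # -M -S: master mode with a control socket that stop_tunnel can address.
    # ExitOnForwardFailure: fail instead of going to the background with a
    # forward that could not be bound (e.g. the local port is already taken).
    ssh -f -N -M -S "$CTL" -o ExitOnForwardFailure=yes -L "$spec" "$1"
}

# stop_tunnel user@host
stop_tunnel() {
    # Ask the master process behind the socket to exit; nothing else is touched.
    ssh -S "$CTL" -O exit "$1"
}

case "${1:-}" in
    start) start_tunnel "$2" "$3" "$4" ;;
    stop)  stop_tunnel "$2" ;;
esac
```

After `start`, the VNC client connects to localhost on the local port given; the VNC server on the remote machine keeps running after `stop`, as with the scripts above.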
      • VNC via SSH
        2003-09-28 10:52:10  anonymous2

        Here's another, perhaps easier way:

        Type in terminal this one line, for VNC thru SSH:

        ssh user@22.66.111.88 -L 15901:localhost:5901

        then open vnc and connect to localhost:5901

        :)

        and reverse SSH tunneling, open from inside then connect from outside back in

        ssh -l user 22.66.44.111 -R 15902:127.0.0.1:5902 sleep 900000

        check out:

        http://www.afp548.com/

        -mr.x
    • Great article, but there's a better downside to VNC
      2004-01-13 22:58:48  anonymous2

      There's a great GUI app for OSX for SSH Tunnels:
      SSH Tunnel Manager
      http://www.versiontracker.com/dyn/moreinfo/macosx/16840

      I wrote an article about using ssh tunnels to secure email (pop and smtp):
      http://www.macosxhints.com/article.php?story=20030721022245232