Using VNC through a secure ssh tunnel

This document (7000593) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Desktop 10
SUSE Linux Enterprise Server 10

 

Situation

Internal or external network where communication to a remote system through VNC requires encryption.

Helpdesk or administrative systems need to be able to take remote control of client systems (SLED or SLES) through VNC but need to have the communication encrypted.

Resolution

Remote systems must have the Remote Desktop feature enabled. Open the Control Center and under the System group take the selection for Remote Desktop.  Configure it as appropriate.

There is also another selection for Remote Administration in YaST but it does not allow a connection to display :0.  It starts a session independent from the users so you do not see the users desktop.  The Remote Desktop selection in the Control Center runs "vino" which is a vncserver equivalent that allows the connection to display :0 (what the user is viewing) on port 5900.

The client systems must also allow an ssh connection as we will use a ssh tunnel to secure the VNC communication.  By default the firewall is turned on and ssh is blocked.  Verify your firewall settings in YaST-->Security and Users-->Firewall.  Add ssh to the allowed services if needed.

On the administrator system a ssh connection will need to be established to the remote system.  From a terminal run the following command:

ssh -L 5900:127.0.0.2:5900 <user>@<remotesystem>

The -L port:host:port  specifies that the given port on the local administrator host is to be forwarded to the given host and port on the remote side.

If port 5900 is already in use on the administrator system a different port could be used.  For example, when vncviewer is run for display :1 it will attempt to connect to port 5901 rather than 5900 (vncviewer host:1).  The command to setup the local port 5901 to route to 5900 on the remote system would look like this:

ssh -L 5901:127.0.0.2:5900 <user>@<remotesystem>

Once this connection is established you can switch to another terminal and startup the vncviewer with the following command:

vncviewer localhost:0

The ":0" would use port 5900.  Just change it to a ":1" to use 5901 as indicated in the second ssh example.  The port number will follow the display indicated (5900+display).

A normal VNC connection should be established to the remote system.  Once the VNC connection is terminated logout or exit from the ssh session and the ssh tunnel is closed.
 

Additional Information

If the administrator system is running Windows, a program will need to be installed to allow a ssh connection to the Linux system.  Putty is a common one.  It uses the plink command.  Here's an example of how the command may look:

plink -ssh -L 5900:127.0.0.2:5900<user>@<remotesystem>

Once the connection is established open the VNC client and connect to localhost.

***Note***
SUSE Technical Support does not provide support for the Windows applications.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7000593
  • Creation Date: 25-Feb-2009
  • Modified Date:15-Mar-2021
    • SUSE Linux Enterprise Desktop
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center