
At this link is information on securing VNC over SSH. Apparently, the server invocation of VNC is unchanged. And the difference between unsecured and secured is due to invoking SSH with these arguments, shown, and then invoking the viewer with arguments that are different from what would be done in the unsecured scenario.

ssh user@server -L 5901/127.0.0.1/5901
vncviewer 127.0.0.1:5901

Reading the SSH man page's description of the -L option is clear as mud. Of course 127.0.0.1 is a local address but other than that, please explain what each argument instructs the corresponding program to do and why 5901 is used when 5900 is known to be the VNC port. Is the author (carelessly?) presuming that I use the :1 argument on the server side? Why do we loopback to accomplish this?


Reading the SSH man page's description of the -L option is clear as mud. Of course 127.0.0.1 is a local address but other than that, please explain what each argument instructs the corresponding program to do

The option -L 5901/127.0.0.1/5901 (more commonly written as 5901:127.0.0.1:5901) instructs the SSH client to set up a TCP "tunnel", listening on port 5901 on the client machine, and forward all connections to 127.0.0.1:5901 of the server machine. Afterwards, vncviewer 127.0.0.1:5901 is used to connect to the client side of the tunnel. ssh accepts the connections, and instructs the SSH server (sshd) to open an identical connection server-side.

  • On client: vncviewer ⇆ 127.0.0.1:5901 (ssh)

  • On server: sshd ⇆ 127.0.0.1:5901 (vncserver)

As you can see, loopback is used because vncviewer only connects to ssh, which is running on the same computer. Similarly, both sshd and vncserver run on the same server.

Tunnelling to a third host might make a clearer example:

  • ssh gatewayhost -L 1357:securehost:5901
    vncviewer 127.0.0.1:1357
  • On client: vncviewer ⇆ 127.0.0.1:1357 (ssh)

  • On server: sshd ⇆ securehost:5901 (vncserver)

and why 5901 is used when 5900 is known to be the VNC port. Is the author (carelessly?) presuming that I use the :1 argument on the server side?

Yes, by providing -L <any>/127.0.0.1/5901 the author assumes that the VNC server is listening on port 5901 (VNC display :1).
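The argument breakdown above, as an added example that is not part of the original answer: a small Python parser for the -L specification (both the `/` form from the question and the usual `:` form, with the optional bind_address prefix and bracketed IPv6 hosts that OpenSSH accepts), which also maps the remote port to the VNC display number and flags whether the client-side listener stays on loopback. The `describe` helper and its field names are this example's own, not ssh's.

```python
import re
from dataclasses import dataclass

VNC_BASE_PORT = 5900  # VNC display :N listens on TCP 5900 + N, so :1 is 5901


@dataclass(frozen=True)
class LocalForward:
    bind_address: str  # interface the ssh *client* listens on (default loopback)
    listen_port: int   # port on the client machine that vncviewer connects to
    remote_host: str   # host name/address as resolved by the *server* (sshd)
    remote_port: int   # port sshd connects to on that host


def parse_local_forward(spec: str) -> LocalForward:
    """Parse an ssh -L argument: [bind_address:]port:host:hostport.
    OpenSSH also accepts '/' as separator (bind_address/port/host/hostport),
    which is the form used in the question; IPv6 hosts may be written as [addr]."""
    sep = "/" if "/" in spec else ":"
    token = re.compile(r"\[[^\]]*\]|[^" + re.escape(sep) + r"]+")
    parts = [m.group(0).strip("[]") for m in token.finditer(spec)]
    if len(parts) == 3:
        parts.insert(0, "localhost")  # no bind_address given: ssh binds loopback
    if len(parts) != 4:
        raise ValueError(f"malformed -L spec: {spec!r}")
    bind_address, listen_port, remote_host, remote_port = parts
    ports = (int(listen_port), int(remote_port))
    if not all(1 <= p <= 65535 for p in ports):
        raise ValueError(f"port out of range in {spec!r}")
    return LocalForward(bind_address, ports[0], remote_host, ports[1])


def vnc_display(port: int) -> int:
    """Display number a VNC server on this port is assumed to serve (5901 -> 1)."""
    return port - VNC_BASE_PORT


def vnc_port(display: int) -> int:
    """TCP port for a VNC display number (:1 -> 5901)."""
    return VNC_BASE_PORT + display


def describe(spec: str) -> dict:
    """Summarise who connects where, in the answer's 'on client / on server' terms."""
    fwd = parse_local_forward(spec)
    return {
        "client_viewer_connects_to": f"{fwd.bind_address}:{fwd.listen_port} (ssh)",
        "server_sshd_connects_to": f"{fwd.remote_host}:{fwd.remote_port} (vncserver)",
        "assumed_vnc_display": vnc_display(fwd.remote_port),
        # a non-loopback bind (e.g. '*') lets other hosts on the LAN use the tunnel
        "loopback_only": fwd.bind_address in {"localhost", "127.0.0.1", "::1"},
    }
```

Running `describe("5901/127.0.0.1/5901")` reproduces the two-line diagram from the answer and reports display 1; `describe("1357:securehost:5901")` shows the three-host case.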
