Using VNC through a PuTTY SSH tunnel

Introduction

So why would I want to do this?

VNC is a powerful suite of tools that allows one to link and use a variety of platforms from almost any other platform. In the CIS department at RIT, VNC is most often used by students to access a Unix workstation via a virtual desktop from a Windows-based PC, whether on- or off-campus. The problem is that it is inherently wide-open and not secure. In other words, almost anyone with some very basic skills can gain access to your VNC session and thus your account, particularly if the connection is outside the CIS subnet. The VNC password option is not secure despite what one might suspect. In the future, the security features might be upgraded, but they are very limited at this time.

However, there is no reason to despair or buy something else. You simply need to create a secure environment to run VNC through. This is where the PuTTY toolkit or an alternative SSH toolkit comes into play. The purpose of this pseudo-tutorial is to walk through setting up a VNC session through a secure SSH tunnel using PuTTY. Such a tunnel can be set up when establishing a connection from a Unix or Mac platform to a different PC, Unix, or Mac platform, but that case is not directly covered in this document. The philosophy and general guidelines are appropriate, but different tools and commands are used.

The bottom line is that VNC can be used in a secure environment. Please do not open yourself or CIS's computer network to attacks. There is rarely a valid excuse for security laziness or ignorance.

Step 1: Get the latest version of the PuTTY toolkit. It can be downloaded from a variety of sites, but http://www.sosdg.org/software.php is one option. Typically, Windows users select the PuTTY installer package. You may select a different SSH utility, but the secure tunnel setup will be different depending upon the SSH utility.
Note that a lot of other neat utilities come with PuTTY, and currently it is freeware for educational and personal use.

Step 2: Get the VNC viewer from http://www.realvnc.com/download.html. You can read more about VNC at http://www.realvnc.com/documentation.html. The documentation for beginners is pretty good, but you can get started with this simple tutorial.

Step 3: Now for the fun part. The basic concept is that we want to create a secure SSH connection and tunnel to route the VNC server output through. Then we start the VNC server with instructions on which secure port to use (the one we just created). Locally, we then start the VNC viewer with instructions to connect to the other end of the tunnel. Below we shall walk through a simple example. Some of the steps (particularly the PuTTY session setup) may not be necessary once you have completed them once and have saved the PuTTY session description.

In this example we will set up an SSH connection to smith.cis.rit.edu and give it the session name smith (VNC). Launch PuTTY and type in the host name (smith.cis.rit.edu) and the session name (smith (VNC)) as shown below:

Step 4: Now we need to set the SSH options to use compression and the SSH2 protocol. Select the SSH category on the left and ensure that these two options are selected.

Step 5: Next we will set up a tunnel from port 5923 on your computer to port 5923 on smith.cis.rit.edu. (Note that you can select which port you want to set for either end and that your choice will alter the port numbers that you enter for starting the VNC server and viewer in the next section.)

Step 6: Now you must save the session; otherwise you'll need to do it all again the next time you make a connection. Essentially, you have configured an SSH2 connection with a built-in secure tunnel to run VNC through. The next few steps will demonstrate how to establish and use that connection.

Step 7: Now we can begin to connect to smith.cis.rit.edu. Open the session and make a connection to the VNC server. If this is the first time that PuTTY has connected to smith.cis.rit.edu, then you will be prompted whether you want to store the security keys/fingerprints. Select yes and continue. Now smith.cis.rit.edu will ask you for your CIS userid and password.

Step 8: Once you have logged in, you need to start the VNC server and attach it to the right port. To start the VNC server, type the command:

    vncserver :23 -depth 24 -geometry 1024x768 -localhost

For a detailed explanation, refer to the VNC documentation, but let's go through some of the above command structure. First, the :23 is the display number, which corresponds to port 5923 (5900 + 23), the port that we created for the secure tunnel. The -depth option sets the display to have 24-bit color. The -geometry option is set for the local screen and usually is something that a user plays around with to suit their own needs. The -localhost option limits connections to only those from the local host (smith in this case) and is usually only used when tunneling VNC sessions via SSH.

Also, note that if you have never used VNC from your CIS account, you will be prompted for a VNC password. This password must differ from your CIS account password. Please use similar care in choosing a VNC session password. The VNC password can be changed later using the command vncpasswd and following the prompts.

Step 9: Now the VNC server is up and running. You need to run the VNC viewer installed on your local machine. For a Windows PC, run the VNC viewer and make a connection to localhost:5923. You should have a login prompt from the VNC server machine now.
Once you have logged in, your Unix desktop should open and you can begin using it like you would if you were sitting down at the terminal. Note that one restriction is that VNC doesn't currently support programs (like bulldozer) which require OpenGL to run.

Step 10 (optional): By the way, if you want to set the type of desktop that appears when you use the VNC server, you have to modify the ~/.vnc/xstartup file in your Unix account. Here are a few options:

(a) Gnome Desktop

    #!/bin/sh
    xrdb $HOME/.Xresources
    xsetroot -solid grey
    xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
    /usr/local/bin/gnome-session &

(b) CDE Desktop

    #!/bin/sh
    xrdb $HOME/.Xresources
    xsetroot -solid grey
    xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
    /usr/dt/bin/xsession &

You may also choose to alias the vncserver command in your .cshrc file. You simply need to add a line like:

    alias vnc vncserver :23 -depth 24 -geometry 1024x768 -localhost

Now you only have to type vnc to start the VNC server.

Step 11: Now for something very important. Even if you close the viewer window and the PuTTY session, the VNC server is still running. This can be useful if you want to return to your desktop exactly as it is and work on it later; however, in general, you need to shut down the VNC server session. You do that by using the command:

    vncserver -kill :23

Note that the port number is very important here. Also note that if you close the PuTTY window, the secure tunnel is closed and your VNC viewer will be disconnected from the VNC server. To reconnect, you simply start at Step 6 and skip Step 7. (The VNC server is still running if you didn't kill it.)
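
A check for the -localhost option from Step 8, as an added example that is not part of the original tutorial: run on the server, it reads listening-socket output and reports whether display :23 accepts connections only from the local host (reachable through the tunnel) or from the network. The function names and the sample listings are constructed for illustration, and Linux-style `ss -ltn` / `netstat -ltn` output is assumed.

```sh
#!/bin/sh
# Added example (not from the original tutorial). Assumes Linux-style
# `ss -ltn` / `netstat -ltn` output, where field 4 is the local address:port.

# VNC display :N listens on TCP port 5900 + N, so :23 -> 5923.
vnc_port() {
    echo $((5900 + $1))
}

# Read listener lines on stdin and classify the binding of display $1.
# Prints: loopback-only | exposed | not-listening
# On the server: ss -ltn | vnc_binding 23
vnc_binding() {
    awk -v port="$(vnc_port "$1")" '
        BEGIN { state = "not-listening" }
        /LISTEN/ {
            n = split($4, parts, ":")
            if (parts[n] != port) next
            # Everything before the final ":port" is the bind address.
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") {
                if (state != "exposed") state = "loopback-only"
            } else {
                state = "exposed"   # wildcard or routable address
            }
        }
        END { print state }
    '
}

# Constructed sample: server started with -localhost (as in Step 8).
sample_tunneled() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      127.0.0.1:5923     0.0.0.0:*
LISTEN 0      5      [::1]:5923         [::]:*
EOF
}

# Constructed sample: server started without -localhost.
sample_open() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      0.0.0.0:5923       0.0.0.0:*
EOF
}

echo "with -localhost:    $(sample_tunneled | vnc_binding 23)"
echo "without -localhost: $(sample_open | vnc_binding 23)"
```

A result of "exposed" means the VNC port can be reached without going through the SSH tunnel, so the server should be killed and restarted with -localhost.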