SSH Port Forwarding and VNC

last modified 2006-02-22 03:52 PM

VNC (Virtual Network Computing) software makes it possible to view and fully interact with one computer from any other computer or mobile device anywhere on the Internet. VNC software is cross-platform, allowing remote control between different types of computer.

One feature all system administrators want is the ability to remotely access user workstations or servers. SSH gives that capability on GNU/Linux or Mac OS X at the command-line level, and both Mac OS X and Windows XP have built-in remote-desktop capabilities (in the Microsoft world there are also various commercial tools that do the same).

VNC, however, is a FOSS tool that provides that capability across platform types. It uses a client-server model, so any platform can be viewed from any other. On Unix, X11 is itself client-server, so an X11 client can run on a different machine from the X11 server and remote access is always possible; but X11 is chatty, whereas VNC ships only compressed framebuffer updates, so it is lighter on the wire and can be used even over a WAN. [NB: Apple Remote Desktop on Mac OS X is based on VNC.]

One major difference between Macintosh and Windows on the one hand and GNU/Linux on the other is that on the former the remote viewer sees the same desktop as the local user. On GNU/Linux, VNC (Xvnc) is its own X server, so it provides its own virtual X displays rather than the one the local user sees on the console.

The one problem with VNC is that the protocol itself (RFB) is not encrypted: the password check is a weak DES challenge-response, and everything after it (keystrokes, screen contents) crosses the network in the clear. SSH solves that problem. SSH can listen on a port on your local machine and forward every connection made to it, encrypted and authenticated, to a port on another machine.

Here's what I do. First, on my server, logged in (for example) as user aront, I start VNC with this command:

   $ vncserver -geometry 800x600 -depth 16 :1

which means start up an X VNC display of size 800x600 with 16-bit color depth on X display :1. The first time you run VNC you will be asked to provide a password. Note that vncpasswd keeps only the first eight characters and stores them in ~/.vnc/passwd under a trivially reversible obfuscation, so this should not be the same as your login password. If your Xvnc supports the -localhost option, add it so that the VNC port is reachable only from the server itself, i.e. only through the SSH tunnel set up below.

Then, on my client box I use the following ssh command:

   $ ssh -f -N -C -T -l aront -L 5902:localhost:5901 osiris

59XX is the VNC port (where XX is the display number), so 5901 is the port on osiris that VNC is listening on. The -L option makes ssh listen on port 5902 on the client box and forward each connection, inside the SSH session, to port 5901 on osiris. Note that "localhost" in the -L specification is resolved on osiris, not on the client, which is why a VNC server bound only to its loopback interface still works. By default ssh binds the local listener to the client's own loopback address, so other machines cannot ride your tunnel (see -g and the bind_address form of -L in ssh(1) if you really want that). The -f option lets ssh go into the background after it prompts for the login password. -N means don't execute any remote command (such as a shell start-up script); all we want is port forwarding. -C means use compression. -T disables pseudo-tty allocation (again, we are not opening a remote shell). -l logs in as user "aront".

N.B. If the VNC server is on a Mac OS X machine running OSXVNC, you must use "" instead of "localhost" in the ssh command. Make sure Apple Remote Desktop is not turned on if you want to use OSXVNC, and close that port on the built-in firewall.

Finally, on the client, I issue the following command:

   $ vncviewer [-shared] localhost:2

in other words, connect to VNC display :2 on the local machine, which is port 5902. SSH carries the traffic back and forth between port 5902 on the client and port 5901 on osiris. The optional -shared flag lets several viewers attach to the same X desktop at once.
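The display-to-port arithmetic and the "is the VNC listener exposed?" check from the steps above, as an added shell example that is not part of the original article. The function names (vnc_port, tunnel_cmd, check_loopback) and the netstat -an style sample output are constructed for illustration; the user aront and host osiris are the article's.

```shell
#!/bin/sh
# Added example, not from the original article. Helpers for the
# VNC-over-SSH procedure: compute the RFB port for a display, build the
# ssh -L command, and verify from netstat output that the VNC server is
# bound to loopback only (so it is reachable solely through the tunnel).

# RFB port for an X display number: 5900 + display (display :1 -> 5901).
vnc_port() {
    echo $((5900 + $1))
}

# Local-forward command: the client's port for display $3 is forwarded to
# the server's port for display $4. "localhost" in the -L spec is resolved
# on the SERVER, so the VNC listener may be bound to 127.0.0.1 there.
tunnel_cmd() {
    echo "ssh -f -N -C -T -l $1 -L $(vnc_port "$3"):localhost:$(vnc_port "$4") $2"
}

# Given netstat -an style output in $1 (one socket per line), return 0 when
# the TCP listener on port $2 is bound to a loopback address only, and 1 when
# it listens on all interfaces (0.0.0.0 / ::) or is not listening at all.
check_loopback() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4
            if (addr !~ (":" p "$")) next       # some other port
            sub(/:[0-9]+$/, "", addr)           # strip the port, keep the address
            if (addr == "127.0.0.1" || addr == "::1") lo = 1; else other = 1
        }
        END { exit (lo && !other) ? 0 : 1 }'
}

# Constructed sample: Xvnc for display :1 is exposed on every interface,
# while the ssh -L listener for display :2 is correctly on loopback.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5902          0.0.0.0:*               LISTEN'

echo "client side: $(tunnel_cmd aront osiris 2 1)"

for display in 1 2; do
    port=$(vnc_port "$display")
    if check_loopback "$SAMPLE_NETSTAT" "$port"; then
        echo "port $port (display :$display): loopback only, good"
    else
        echo "port $port (display :$display): exposed or absent, restart Xvnc with -localhost"
    fi
done
```

Run the real check on the server with `netstat -an` (or `ss -ltn`) piped into check_loopback; an Xvnc that shows up on 0.0.0.0:5901 is answering RFB to the whole network, tunnel or no tunnel.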

VNC is not perfect and sometimes dies. In that case, issue the following command on your server (assuming you are running on display :1):

   $ vncserver -kill :1

You may also have to delete the stale lock files Xvnc left behind for that display, /tmp/.X1-lock and /tmp/.X11-unix/X1, before vncserver will reuse :1. Once that is all cleaned up you restart the vncserver.

Two more points. If you want to do this to a Macintosh, you may have to open the SSH port (TCP 22) in whatever firewall software it runs. Otherwise it works just as well as on a Linux desktop.

Finally, the cool part about SSH port forwarding is that it works for any TCP service. For example, say you want to use Webmin, an excellent web-based management tool, on a remote server. Webmin (which runs on nearly every Unix out there) does not require X installed, which is a good thing, and it comes with its own lightweight web server, so it doesn't require Apache either. Since Webmin lets you manage the whole system, you don't want anyone from the "outside" to be able to reach it. The simple solution: configure Webmin to listen on port 10000 on localhost only (its miniserv configuration has a bind setting for that), and use ssh to forward that port to, say, 10001 on your machine. Point your browser at localhost:10001 and you can securely manage the remote machine through the Webmin interface. And so on for any TCP service.
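The Webmin case carried through, as an added shell example that is not part of the original article: check that a miniserv.conf binds the service to loopback before it is started, rewrite it if it does not, and build the matching forward. The config text is constructed; `bind=` and `port=` are real miniserv.conf keys, while the helper names (harden_conf, conf_is_local, conf_port, forward_cmd) and the hosts are illustrative.

```shell
#!/bin/sh
# Added example (not the article's own): make a Webmin-style miniserv.conf
# listen on loopback only, then build the ssh -L forward that reaches it.
# WEAK_CONF is a constructed sample; bind= and port= are the real keys.

WEAK_CONF='port=10000
ssl=1
# no bind= line, so miniserv answers on every interface'

# Print the configuration with bind=127.0.0.1 enforced: an existing bind=
# line is rewritten, a missing one is appended.
harden_conf() {
    if printf '%s\n' "$1" | grep -q '^bind='; then
        printf '%s\n' "$1" | sed 's/^bind=.*/bind=127.0.0.1/'
    else
        printf '%s\n' "$1"
        echo 'bind=127.0.0.1'
    fi
}

# 0 if the configuration binds loopback only, 1 otherwise.
conf_is_local() {
    printf '%s\n' "$1" | grep -qx 'bind=127\.0\.0\.1'
}

# Port the service listens on (the port= key), default 10000.
conf_port() {
    p=$(printf '%s\n' "$1" | sed -n 's/^port=//p' | head -n 1)
    echo "${p:-10000}"
}

# ssh command forwarding local port $3 to port $4 on the server (as seen
# from the server), with the local end explicitly bound to 127.0.0.1 so the
# forward itself is not reachable from other hosts.
forward_cmd() {
    echo "ssh -f -N -T -l $1 -L 127.0.0.1:$3:localhost:$4 $2"
}

if conf_is_local "$WEAK_CONF"; then
    echo "miniserv.conf already binds loopback"
else
    echo "miniserv.conf exposes Webmin; hardened version:"
    harden_conf "$WEAK_CONF"
fi

HARDENED=$(harden_conf "$WEAK_CONF")
echo "forward with: $(forward_cmd aront osiris 10001 "$(conf_port "$HARDENED")")"
echo "then browse to https://localhost:10001/"
```

The same pattern (bind the service to 127.0.0.1 on the server, forward a loopback-bound local port to it) applies to any TCP service the article's closing sentence has in mind; only the port and the configuration key change.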
