VNC and OpenSSH on Windows

From: Art Eschenlauer <eschen_at_**********.***>
Date: Tue Aug 12 2003 - 21:32:49 EDT

You say that you cannot connect VNC through the ssh tunnel. That was a
big challenge for me too!

First question: Are you trying to connect with a client that is running
on Linux, or with a client that is running on Windows?

If your answer is "on Linux", setting the VNC_VIA_CMD environment
variable before invoking xvncviewer with the -via option proved crucial
to my success. The documentation of this variable is scant, and I didn't
do much in my how-to document to improve upon that situation.

If your answer is "on Windows", the -via option will not work, and you
need either to connect via ssh with port forwarding (-L) and stay
connected or to fork into the background (-f) and stay alive long enough
(sleep 20) till the VNC client has connected to the VNC server.

Second question: What does SSH report to you if you use the verbose (-v)
option? For instance (but all one line without backslashes):
ssh -v -i /path/to/your/private/key \
-L 5901:dotted.decimal.intranet.address:5901 \
-l userIDforSSHlogin your.firewall.topleveldomain

Here is what I get (and I'm able to connect with TightVNC using this ssh
command from both Cygwin and Linux):

ssh -v -i /home/egallo/.ssh/id_rsa -L 5901:192.168.1.16:5900 -p 15000 -l
gallo001 caritas.amor.org
OpenSSH_3.4p1 Debian 1:3.4p1-1, SSH protocols 1.5/2.0, OpenSSL 0x0090603f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be
trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to caritas.amor.org [65.29.227.72] port 15000.
debug1: Connection established.
debug1: identity file /home/egallo/.ssh/id_rsa type 1
debug1: Remote protocol version 1.99, remote software version
OpenSSH_3.6.1p1
debug1: match: OpenSSH_3.6.1p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 143/256
debug1: bits set: 1571/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'caritas.amor.org' is known and matches the RSA host key.
debug1: Found key in /home/egallo/.ssh/known_hosts:1
debug1: bits set: 1592/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try pubkey: /home/egallo/.ssh/id_rsa
debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 0x8091788
hint 0
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/home/egallo/.ssh/id_rsa':
debug1: read PEM private key done: type RSA
debug1: ssh-userauth2 successful: method publickey
debug1: Connections to local port 5901 forwarded to remote address
192.168.1.16:5900
debug1: Local forwarding listening on 127.0.0.1 port 5901.
debug1: fd 4 setting O_NONBLOCK
debug1: channel 0: new [port listener]
debug1: channel 1: new [client-session]
debug1: send channel open 1
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 1
debug1: channel request 1: pty-req
debug1: channel request 1: shell
debug1: fd 3 setting TCP_NODELAY
debug1: channel 1: open confirm rwindow 0 rmax 32768
Last login: Wed Jul 9 22:59:18 2003 from nowhere.utopia.com

Then, when I connect via TightVNC viewer to localhost:1, the following
additional info prints out:

debug1: Connection to port 5901 forwarding to 192.168.0.10 port 5900
requested.
debug1: fd 8 setting O_NONBLOCK
debug1: channel 2: new [direct-tcpip]
debug1: channel 2: open confirm rwindow 131072 rmax 32768

What do you see?

Best regards,
Art

jay wrote:

>I have cygwin and openssh working, but I am still not connecting
>vnc through the ssh tunnel.
>For you, take note of steps 5, 6, and 7.
>These steps have taken lots of time to put together.
>Hope it may help you.
>If you find anything new or need answers, let me know.
>Try uninstalling your cygwin, install fresh, and try my steps.
>You can also study and try the page below.
>
>http://eudyptula.freezope.org/ms/Cygwin-SSH-VNC-HowTo.html
>
>Tightvnc and openssh
>http://eudyptula.freezope.org/ms/Cygwin-SSH-VNC-HowTo.html
>For tightvnc download
> http://search.rpmseek.com/search.html
>For cygwin and openssh
> http://sources.redhat.com/cygwin/
>
>Windows 2000 setup
>Steps:
>
>1. Router setup and use virtual server, or port forwarding
> forward the computer ip of the server to ports 5901 and 5801
>
>2. Install Tightvnc-server
> execute vncserver on windows computer.
> right click on V icon in right of taskbar
> select properties
> select ports in display or port numbers to use
> use ports 5901 and 5801 from step 1
> Enter Password for client to login with
> right click the vncserver icon and select advance.
> Check the loop back enabled box.
> You now have a Vnc Server running.
>
>3. Install Tightvnc-viewer on the other computer (Client)
> Execute vncviewer in a konsole or find it in a menu.
> enter router wanip with :x which is the xdisplay number
> Example: 65.34.2.212:1
> To find your wanip logon to www.whatismyip.com
> For local use, use the server computer ip.
> To find your ip, in konsole type ifconfig
> In windows ipconfig or winipcfg
> Example: 192.144.3.133:1
> Enter password from step 2
> You now should be controlling a computer remotely.
>
>Linux Suse setup
>Steps:
>
>1. Install Tightvnc-viewer for linux
>
>2. Execute vncviewer in konsole
>
>3. type in the windows server ip with the :1
> type in the password.
> or for internet logon, use the router wanip with :1
> Test it by taking control of the windows box.
>
>4. Install Tightvnc-server for linux
> Execute "vncpasswd" and set a new password for clients
> Execute "vncserver :1"
> The :1 is for xdisplay 1
> You now have a vnc server in windows and linux
> Execute "vncserver -kill :1" to remove the server
>
>5. If you want a secure shell, install openssh in linux.
> I use suse linux.
> In suse goto yast2, system, runlevel editor, runlevel properties.
> Make sure sshd is running.
> For windows, find and install cygwin with openssh for windows and
> follow their installation instructions.
> They are free programs for windows.
> If you use a router you must forward the server's ip to port 22.
> ssh uses port 22.
> After installing cygwin make group and password according to the
> documentation to be able to login with ssh.
>
> With NT, 2000, and XP you will need to execute these as is.
> Example 3-5. Setting up the groups file for local accounts
> $ mkdir /etc
> $ mkgroup -l > /etc/group
>
> Example 3-6. Setting up the passwd file for local accounts
> $ mkdir /etc
> $ mkpasswd -l > /etc/passwd
> These commands will take windows user information and store them in
> a group and passwd file in the c:\cygwin\etc folder.
> Do not change the word c:\cygwin\etc\group and c:\cygwin\etc\passwd.
> You might think that passwd must be changed to a chosen password.
> You must execute these two commands when you add or change user
> accounts.
>
>6. Now it is time to give it a try. In a terminal window on my own desktop,
> I entered vncviewer -via xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx:1
> where the xxx's represent server IP address in both instances.
> The -via option directs tightVNC to use ssh for a secure tunnel
> through which to operate.
> See man page for -via switch. Type in konsole "man vncviewer"
> Now you can vnc through an ssh tunnel
> which gives you some security.
>
>7. If you change or add any user accounts or a computer ip in windows,
> you must execute the mkgroup and mkpasswd again to update the files
> located in c:\cygwin\etc\group and c:\cygwin\etc\group
> Also in my suse linux when I had executed ssh I got a warning
> of intrusion.
> I had to delete /home/myuseraccount/.ssh/known_hosts file
> This is the file that has the key for security. If anything
> in the host system changes this key will alert me.
> Just delete it if you know that you are aware of changes to
> your system. Remember that .ssh is a hidden folder.
> In konqueror click on view and show hidden files.
>
>help:
>if ssh or vnc login fails look at server ip... use ipconf ifconf winipcf
>If you get a local loopback disabled, in windows right click the
>vncserver icon and select advance. Check the loop back enabled box.
>
>For tightvnc download
> http://search.rpmseek.com/search.html
>For cygwin and openssh
> http://www.redhat.com/software/cygwin/
>
>http://www.realvnc.com/pipermail/vnc-list/2003-June/039500.html
>http://www.realvnc.com/pipermail/vnc-list/2003-June/039521.html
>http://linuxworld.sys-con.com/story/32625.htm
>
>ports:
>I found these inside of /home/useraccount/.vnc/vnc:1.log
> Listening for VNC connections on TCP port 5901
> Listening for HTTP connections on TCP port 5801
>ssh port 22
>
>
>vnc connection set ports 5901 for xdisplay :1 in router
>execute "vncpasswd" to make the server password
>vncviewer and enter wanip with :x which is the xdisplay number
>enter password
>
>On Thursday 31 July 2003 03:14 am, dave spence wrote:
>
>>Hello,
>>
>>I am interested in securing OpenSSH on Windows, specifically doing
>>something like the host.allow and host.deny on UNIX. I have looked on the
>>web but cannot really find anything that addresses the problem of
>>restricting access by IP to the SSH service on Windows.
>>
>>I am running OpenSSH version 3.6.1.
>>
>>Dave
>>--
>>List Information: http://tech.erdelynet.com/mailman/listinfo/ssh-l/
>>List Archives: http://erdelynet.com/archive/ssh-l/
>>To Unsubscribe: Go to http://tech.erdelynet.com/mailman/listinfo/ssh-l/ and
>>enter your email address at the bottom to "Edit Options". If you don't know
>>your password, have it emailed to you. Then unsubscribe.
>

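A small checker for the verbose ssh transcript Art asks for above, added here as an example and not code from either poster: given `ssh -v -L` output it confirms that the server host key matched known_hosts, which authentication method succeeded, that the -L forward ssh set up is the one intended and listens on loopback only, and that a VNC viewer connection was actually forwarded to the expected target. The sample log lines, host name, addresses and ports are constructed, modelled on the transcript above.

```python
import re

# Constructed sample of "ssh -v -L" output modelled on the transcript above (names and addresses made up).
SAMPLE_LOG = """\
debug1: Host 'gateway.example.org' is known and matches the RSA host key.
debug1: ssh-userauth2 successful: method publickey
debug1: Connections to local port 5901 forwarded to remote address 192.0.2.16:5900
debug1: Local forwarding listening on 127.0.0.1 port 5901.
debug1: Connection to port 5901 forwarding to 192.0.2.16 port 5900 requested.
"""

HOSTKEY_OK = re.compile(r"Host '[^']+' is known and matches the \w+ host key")
HOSTKEY_CHANGED = re.compile(r"REMOTE HOST IDENTIFICATION HAS CHANGED")
AUTH_OK = re.compile(r"successful: method (\S+)")
FORWARD = re.compile(r"local port (\d+) forwarded to remote address ([\d.]+):(\d+)")
LISTEN = re.compile(r"Local forwarding listening on ([\d.]+) port (\d+)")
REQUESTED = re.compile(r"Connection to port (\d+) forwarding to ([\d.]+) port (\d+) requested")


def check_tunnel(log, lport, rhost, rport):
    """Report what an 'ssh -v -L lport:rhost:rport' transcript actually proves."""
    want = (str(lport), rhost, str(rport))
    f = {"host_key_verified": False, "host_key_changed": False, "auth_method": None,
         "forward_configured": False, "listen_loopback_only": None,
         "viewer_connected": False, "problems": []}
    for line in log.splitlines():
        if HOSTKEY_OK.search(line):
            f["host_key_verified"] = True
        if HOSTKEY_CHANGED.search(line):  # key mismatch: confirm out of band, don't just wipe known_hosts
            f["host_key_changed"] = True
            f["problems"].append("server host key changed; verify it out of band")
        m = AUTH_OK.search(line)
        if m:
            f["auth_method"] = m.group(1)
        m = FORWARD.search(line)
        if m:  # the -L forward ssh set up, compared with the one we intended
            f["forward_configured"] = m.groups() == want
        m = LISTEN.search(line)
        if m:  # a bind address other than loopback would expose the tunnel to the LAN
            f["listen_loopback_only"] = m.group(1).startswith("127.")
        m = REQUESTED.search(line)
        if m:  # only printed once the VNC viewer actually connects to the local port
            f["viewer_connected"] = True
            if m.groups() != want:
                f["problems"].append("viewer forwarded to %s:%s, not %s:%s" % (m.group(2), m.group(3), rhost, rport))
    if not f["host_key_verified"]:
        f["problems"].append("host key was not confirmed against known_hosts")
    if not f["forward_configured"]:
        f["problems"].append("no -L forward for %s:%s:%s seen" % want)
    return f
```

Feed it the real output of `ssh -v ... -L 5901:target:5900 ...` captured with `2>&1` and an empty `problems` list means the tunnel is the one you meant to build.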
Received on Tue Aug 12 21:35:55 2003

This archive was generated by hypermail 2.1.8 : Fri Jul 29 2005 - 17:33:58 EDT