Need to connect to a VNC server behind a firewall that only allows SSH traffic? With SSH access to the VNC server, you can tunnel the VNC traffic through an SSH connection, which also encrypts it in transit.
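To begin, SSH to the VNC server and forward the local client's 5904 TCP port to the VNC server's port 5901. The destination host in the -L option is resolved on the server side, so localhost here means the VNC server itself.
client$ ssh user@server -L 5904:localhost:5901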
Next, in a new window, point vncviewer at port 5904 on localhost; the traffic will be forwarded to port 5901 on your VNC server.
client$ vncviewer localhost:5904
If you get any errors, be sure that your client's firewall is not blocking localhost's port 5904.
client$ su -c "iptables -L"
Passwordless SSH can be accomplished using SSH's public key authentication. To configure passwordless SSH, follow the directions below. Warning: passwordless SSH will make your systems less secure. If you are comfortable with that, the directions below will walk you through server and client configurations. Then, I'll show you how to debug SSH if you encounter problems.
SSHD Server Configuration
First, you must ensure that your SSHD server allows passwordless authentication using public keys. If you do not have root access to the server, do not worry: public key authentication over protocol 2 is enabled by default, so you can skip this step. If you have any problems, contact your System Administrator.
If you have root privileges, edit your system's /etc/ssh/sshd_config and apply the following settings. I suggest you disable protocol 1 RSA key based authentication and leave all other settings alone for now. Visit the man page SSHD_CONFIG(5) for details.
# Disable protocol 1 RSA key based authentication
# Protocol 2 public key based authentication
# Authorized public keys file
If you make any changes, save them and restart your SSH server.
service sshd restart
SSH Client Configuration
Now that the server is configured, log into your client system and examine /etc/ssh/ssh_config. This is the SSH client configuration file and you do not need to edit it.
By default, public key authentication over protocol 2 is enabled for clients. You only need to make sure that it is not disabled. If it is, create a ~/.ssh/config to override the /etc/ssh/ssh_config options.
cp -a /etc/ssh/ssh_config ~/.ssh/config
Then edit it and add this to the "Host *" block:
Create Client Key
With the client in order, you need to create a public and private key pair. The following command will build a DSA key pair in ~/.ssh/. Press Enter at every prompt. The private key is called id_dsa and the public key is id_dsa.pub.
ssh-keygen -t dsa
Use Key for Authentication
Now that you have a public and private key pair, put the public key on the server you wish to log into without a password. You will need to put the public key inside the server's /home/user/.ssh/authorized_keys file. This file can contain multiple keys, so you generally do not want to just copy over it. Note that the authorized_keys2 file was deprecated in OpenSSH 3.0 (2001).
cat ~/.ssh/id_dsa.pub | ssh user@server "cat - >> ~/.ssh/authorized_keys"
Alternatively, modern releases of SSH have a command to help you copy keys.
ssh-copy-id -i ~/.ssh/id_dsa.pub user@server
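A key created without a passphrase works for anyone who obtains the private key file, so it helps to limit what that key may do on the server. The function below is an added example, not part of the original article: run on the server, it installs a public key that can only open the VNC tunnel from the first section. The function name and arguments are hypothetical, and it accepts Ed25519, ECDSA or RSA keys because OpenSSH 7.0 and later disable DSA keys by default.

```shell
#!/bin/sh
# Added example, not from the original article. Run it on the SSH/VNC server.
# Usage: add_tunnel_key PUBKEY_FILE AUTHORIZED_KEYS_FILE [HOST:PORT]
# (function name and arguments are hypothetical)
add_tunnel_key() {
    pub=$1 auth=$2 dest=${3:-localhost:5901}

    # Accept exactly one public key line of the form "type base64 [comment]".
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
    [ "$(grep -c . "$pub")" -eq 1 ] || { echo "expected one key in $pub" >&2; return 1; }
    read -r ktype kblob _comment < "$pub" || :
    case $ktype in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-*) ;;
        *) echo "unsupported key type: $ktype" >&2; return 1 ;;
    esac
    [ -n "$kblob" ] || { echo "missing key data in $pub" >&2; return 1; }

    # sshd's StrictModes (on by default) ignores authorized_keys when the file
    # or its directory is writable by anyone but the owner.
    dir=$(dirname "$auth")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Idempotent: do nothing if this key blob is already listed.
    if awk -v k="$kblob" \
        '{ for (i = 1; i <= NF; i++) if ($i == k) found = 1 } END { exit !found }' \
        "$auth"; then
        return 0
    fi

    # restrict       disables PTY allocation and agent, X11 and port forwarding
    # port-forwarding + permitopen  re-enable "ssh -L", but only towards $dest
    # Commands without a PTY are still allowed; add command="..." to forbid them.
    printf 'restrict,port-forwarding,permitopen="%s" %s %s\n' \
        "$dest" "$ktype" "$kblob" >> "$auth"
}
```

With this entry in place, connect with ssh -N -L 5904:localhost:5901 user@server. The permitopen option matches the requested destination literally, so the client must ask for localhost:5901 exactly.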
Test and Debug SSH
ssh username@server date
If you get prompted for a password, check the server's system logs for clues. You can also enable debugging in /etc/ssh/sshd_config with the following directive.
Other LogLevel options are INFO, VERBOSE, DEBUG2 and DEBUG3. See the man page SSHD_CONFIG(5) for details. For the client, the exact same option can be placed inside a Host block of /etc/ssh/ssh_config. See SSH_CONFIG(5) for client debugging details.
man 5 sshd_config
man 5 ssh_config