[KLUG Members] Restricting VNC access to SSH tunnel in SuSE 9.0 Pro
Robert V. Kanaley
rvk at agdia.com
Mon Jun 6 16:48:54 EDT 2005
>Personally I don't view a wireless subnet any differently than a cabled
>one. You don't send data in-the-clear over the Internet, you don't do
>it over the ether (radio waves), why would you do it over a piece of
>copper? (Maybe at home this is different, but certainly not inside a
>company - you have no idea who is plugging what into a switch in some
>closet, you may think you do, but you don't).
On a related note, I always use VNC through an SSH tunnel, copper or not.
Usually I start the SSH tunnel up first, then fire up the Xvnc server. I can
then connect to localhost with a VNC client to securely grab the running
Xvnc session. When I am done with the X session, I log out. I then kill the
Xvnc server and shut down the tunnel.
However, I now have a SuSE 9.0 Pro box that always has a running X desktop.
I have the desktop configured so that I can get to it via an SSH tunnel.
But, this configuration leaves port 5900 wide open for anyone on the LAN to
take pot shots at. I want to prevent anyone not using a localhost connection
via an SSH tunnel from even knowing I have a running X desktop. I am doing
this by using firewall rules, but this is a bit awkward. I use this SuSE box
to try out a lot of things. I don't want to mess with firewall rules every
time I load an application to try. I would prefer to use xinetd. But, for
some reason I cannot get xinetd to block non-local access to port 5900.
I set up a krfb service as below. This generates the message: xinetd[7266]:
bind failed (Address already in use (errno = 98)). service = krfb. I tried
variations with and without the server arguments and even tried setting the
user to root. Nothing helped. (And, yes, I reloaded xinetd after each
change). I even tried killing the X sessions between configuration changes.
It seems that remote desktop takes control of port 5900 before xinetd can
take control of remote desktop.
Does anyone have any suggestions as to what I am missing here?
# default: off
# description: To only allow Remote Desktop from a local connection (e.g. an SSH tunnel).
service krfb
{
        port            = 5900
        socket_type     = stream
        protocol        = tcp
        wait            = no
        server          = /opt/kde3/bin/krfb
        server_args     = -kinetd
        only_from       = 127.0.0.1
        type            = UNLISTED
        user            = nobody
}
Regards,
Bob
Robert V. Kanaley
Manager Information Systems
Agdia, Inc.
rvk at agdia.com
http://www.agdia.com
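As an added example (not part of Bob's post, nor code from xinetd or krfb), a Python script that audits `netstat -ltn` output for VNC displays listening beyond loopback, and reproduces the bind conflict behind the errno 98 message. The netstat sample is constructed, and `start_fake_vnc_server` stands in for the desktop server that is already running when xinetd tries to claim the port.

```python
import errno
import socket

ADDR_IN_USE = errno.EADDRINUSE  # 98 on Linux, the value in the poster's xinetd log

# Constructed sample of `netstat -ltn` output modelled on the post: the
# desktop's VNC server owns 0.0.0.0:5900, so the whole LAN can reach it;
# 127.0.0.1:5901 is a display reachable only through an SSH tunnel.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5901          0.0.0.0:*               LISTEN
tcp6       0      0 :::5900                 :::*                    LISTEN
"""

VNC_PORTS = range(5900, 6000)   # RFB display ports :0 .. :99
LOOPBACK = {"127.0.0.1", "::1"}

def exposed_vnc_listeners(netstat_output):
    """Return (address, port) for every VNC listener not bound to loopback."""
    exposed = []
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue
        addr, port = f[3].rsplit(":", 1)
        if int(port) in VNC_PORTS and addr not in LOOPBACK:
            exposed.append((addr, int(port)))
    return exposed

def start_fake_vnc_server(port=0):
    """Stand-in for the already-running desktop server; returns (socket, port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", port))
    s.listen(1)
    return s, s.getsockname()[1]

def bind_error(port, address="0.0.0.0"):
    """Claim a port the way xinetd would; return the errno, or 0 on success."""
    # Whoever listens first keeps the port: xinetd cannot be put in front of a
    # VNC server that is already running, it has to be the one that starts it.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((address, port))
        except OSError as e:
            return e.errno
    return 0
```

Running the audit against real `netstat -ltn` output lists every display the LAN can reach directly; a non-empty result means the tunnel is not the only way in.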