[KLUG Members] Restricting VNC access to SSH tunnel in SuSE 9.0 Pro

Robert V. Kanaley rvk at agdia.com
Mon Jun 6 16:48:54 EDT 2005


>Personally I don't view a wireless subnet any differently than a cabled
>one. You don't send data in-the-clear over the Internet, you don't do
>it over the ether (radio waves), why would you do it over a piece of
>copper? (Maybe at home this is different, but certainly not inside a
>company - you have no idea who is plugging what into a switch in some
>closet, you may think you do, but you don't).

On a related note, I always use VNC through an SSH tunnel, copper or not.
Usually I start the SSH tunnel up first, then fire up the Xvnc server. I can
then connect to localhost with a VNC client to securely grab the running
Xvnc session. When I am done with the X session, I log out. I then kill the
Xvnc server and shut down the tunnel.

However, I now have a SuSE 9.0 Pro box that always has a running X desktop.
I have the desktop configured so that I can get to it via an SSH tunnel.
But, this configuration leaves port 5900 wide open for anyone on the LAN to
take pot shots at. I want to prevent anyone not using a localhost connection
via an SSH tunnel from even knowing I have a running X desktop. I am doing
this by using firewall rules, but this is a bit awkward. I use this SuSE box
to try out a lot of things. I don't want to mess with firewall rules every
time I load an application to try. I would prefer to use xinetd. But, for
some reason I cannot get xinetd to block non-local access to port 5900.

I set up a krfb service as below. This generates the message: xinetd[7266]:
bind failed (Address already in use (errno = 98)). service = krfb. I tried
variations with and without the server arguments and even tried setting the
user to root. Nothing helped. (And, yes, I reloaded xinetd after each
change.) I even tried killing the X sessions between configuration changes.
It seems that remote desktop takes control of port 5900 before xinetd can
take control of remote desktop.

Does anyone have any suggestions as to what I am missing here?

# default: off
# description: To only allow Remote Desktop from a local connection (e.g. an
# SSH tunnel).

service krfb
{
        port            = 5900
        socket_type     = stream
        protocol        = tcp
        wait            = no
        server          = /opt/kde3/bin/krfb
        server_args     = -kinetd
        # accept connections from the loopback interface only
        only_from       = 127.0.0.1
        # not in /etc/services, so the port above is required
        type            = UNLISTED
        user            = nobody
}


Regards,

Bob

Robert V. Kanaley
Manager Information Systems
Agdia, Inc.
rvk at agdia.com
http://www.agdia.com
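The post describes two things worth checking on a box like this: whether the VNC listener on 5900 is bound to all interfaces (which is what makes it LAN-visible and is also why xinetd's own bind fails), and how the SSH local forward is set up so the VNC client only ever talks to localhost. The script below is an added example, not code from the post or from the SuSE/xinetd/krfb projects; it parses a constructed `netstat -tln`-style listing (embedded inline, not a capture from the poster's machine), reports whether the listener on a port is reachable beyond loopback, and prints the `ssh -L` command for the tunnel. The hostname `suse-box.example` and local port 5901 are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -tln` output (not captured from the poster's
# box): a VNC/krfb listener on 0.0.0.0:5900, sshd on 0.0.0.0:22, and an
# X11-forwarding socket that is loopback-only.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN'

# Print the local address (host:port) of the LISTEN socket on port $1 found in
# the netstat text $2; print nothing if no listener owns that port.
listening_addr() {
    port=$1
    printf '%s\n' "$2" | awk -v p="$port" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":")      # last colon-separated field is the port
            if (a[n] == p) { print $4; exit }
        }'
}

# Return 0 if the listener on port $1 is bound beyond loopback (0.0.0.0, :: or
# a LAN address), 1 if it is loopback-only or there is no listener at all.
port_exposed() {
    addr=$(listening_addr "$1" "$2")
    case "$addr" in
        ""|127.*|::1:*|"[::1]:"*) return 1 ;;
        *)                         return 0 ;;
    esac
}

# Print the ssh command that forwards 127.0.0.1:$2 on the client machine to
# 127.0.0.1:$3 on host $1. The VNC client then connects to localhost:$2, so
# the VNC traffic only ever crosses the wire inside the SSH session.
tunnel_cmd() {
    printf 'ssh -N -L %s:127.0.0.1:%s %s\n' "$2" "$3" "$1"
}

# Stand-alone run against the constructed sample.
if port_exposed 5900 "$SAMPLE_NETSTAT"; then
    echo "port 5900 is bound to $(listening_addr 5900 "$SAMPLE_NETSTAT"):" \
         "reachable from the LAN, and xinetd cannot bind it while this runs"
else
    echo "port 5900 is loopback-only or free"
fi
echo "tunnel: $(tunnel_cmd suse-box.example 5901 5900)"
```

On a live system replace the constructed text with the real output of `netstat -tln` (or `netstat -tlnp` to see which process holds the socket). A listener already bound to 0.0.0.0:5900 is exactly the "Address already in use" condition in the xinetd log: xinetd can only own the port if nothing else is listening on it, so a VNC server that is started by the desktop session must either be stopped or made to listen on 127.0.0.1 only before an `only_from = 127.0.0.1` xinetd entry can take effect.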
