[vox-tech] Tunneling vnc over ssh --- solved

Henry House hajhouse at houseag.com
Sun Dec 10 06:07:21 PST 2006


On 2006-12-08, Alex Mandel wrote:
[...]
> Sounds like you should just write a script on your local machine to do
> these in order.

Solved, more or less. Here is my new script.

#!/bin/sh
# vncssh.sh
# used as: ./vncssh.sh remote_host_running_vnc.domain.org
# Reference: http://www.vanemery.com/Linux/VNC/vnc-over-ssh.html
HOST=$1
ENC='copyrect tight hextile zlib corre rre raw'
# find the display number of the first VNC X server running on the remote host
VNCDISPLAY=`ssh "$HOST" ps ux | egrep 'X.*vnc' \
   | perl -ne 'm/ +:(\d+)\b/; if ($1) {print "$1\n"; exit}'`
# command the viewer runs to open the ssh tunnel used by -via
export VNC_VIA_CMD="/usr/bin/ssh -2 -x -f -L %L:%H:%R %G sleep 20"
echo 'Xtightvncviewer*grabKeyboard: true' | xrdb -merge
# fetch the remote VNC password file so the viewer does not prompt
scp "@$HOST:.vnc/passwd" "$HOME/.vncauth_$HOST"
xtightvncviewer -fullscreen -compresslevel 9 -quality 2 \
   -encodings "$ENC" -passwd "$HOME/.vncauth_$HOST" \
   -via "$HOST" localhost:${VNCDISPLAY}
rm "$HOME/.vncauth_$HOST" # remove password-hash file when viewer exits
#end of script

The above works fairly well as long as I only have a single VNC running.

[...]
> I'm not familiar with the password stuff you're doing but to be honest
> my vncserver isn't running by default. I actually turn it on once I'm in
> via ssh and then connect to the vnc.
> Call it a little extra paranoia.

The fiddling with the password file is to permit me to log in without
retyping the password if I have access to the required ssh key.

You are probably right to be extra paranoid; in my case I consider the
security risk of having a VNC session running constantly acceptable; it
is mitigated by the fact that a running VNC can only be accessed from
localhost (proxying via ssh notwithstanding) and the server is in a NAT
LAN behind a firewall that blocks all ports except ssh, ftp, and http. I
use VNC to make my X session portable between different desks and to
allow reattaching if my client machine loses power (only the server is
on a UPS). Sessions tend to have a longevity of many months.

--
Henry House
+1 530 753 3361 ext. 13
Please don't send me HTML mail! My mail system frequently rejects it.
The unintelligible text that may follow is a digital signature.
See <http://hajhouse.org/pgp> to find out how to use it.
My OpenPGP key: <http://hajhouse.org/hajhouse.asc>.
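
The mitigation described in the message depends on the VNC server listening on localhost only. The following is an added example, not part of the original message: it filters `ss -ltn` output for VNC listeners bound to anything other than loopback, assuming a Linux server with `ss` from iproute2 and VNC on its default ports (5900 + display number). The function names and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# vnc_exposed: read `ss -ltn` output on stdin and print "address port" for
# every listener on a VNC port (5900-5999) that is not bound to loopback.
# Prints nothing when every VNC listener is loopback-only.
vnc_exposed() {
    awk '$1 == "LISTEN" {
        ep = $4                              # local address:port column
        n = match(ep, /:[0-9]+$/)            # the last colon precedes the port
        if (n == 0) next
        addr = substr(ep, 1, n - 1)
        port = substr(ep, n + 1) + 0
        sub(/%[^]]*/, "", addr)              # drop an interface suffix such as %lo
        if (port < 5900 || port > 5999) next # not a VNC display port
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only: fine
        print addr, port
    }'
}

# Constructed sample of `ss -ltn` output (not captured from a real host).
sample_ss() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      5          127.0.0.1:5901       0.0.0.0:*
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      5            0.0.0.0:5902       0.0.0.0:*
LISTEN 0      5               [::]:5903          [::]:*
LISTEN 0      5              [::1]:5904          [::]:*
EOF
}

# Run against the sample; on a real server use:  ssh "$HOST" ss -ltn | vnc_exposed
exposed=`sample_ss | vnc_exposed`
if [ -n "$exposed" ]; then
    echo "VNC listeners reachable beyond localhost:"
    echo "$exposed"
else
    echo "all VNC listeners are bound to loopback"
fi
```

Any line it prints is a display that can be reached without the ssh tunnel, so only the firewall stands between it and the network.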
