Re: A couple more SSH / VNC questions
 

When you tell to the nokia VNC client to connect to MACHINE:N, it tries to connect to port 5900+N on the specified machine. So, if you put as host your.windows.box.ip:0, it will try to connect to port 5900 of your.windows.box.ip. This connection is "straight" (it does not use the ssh tunnel at all), and it is unencrypted. Moreover, it will be rejected if in the VNC server side you specified the option -localhost (which only allows connections coming from the own windows box).

When you specify the host 127.0.0.1:1 (or localhost:1 which is the same), the VNC client will try to connect with port 5901 of localhos, i.e. of the nokia.

No, it is not that way. The :1 part only specifies that it should connect to the port 5901, instead of the default 5900. The magic is performed by the ssh option -L5901:localhost:5900, which means that ssh is listenint in the port 5901 (and thus it is ssh which receives the VNC client connection), and fowards it to the windows machine, where the connection is again forwaded to "localhost:5900". Note that, at this point, localhost refers to the windows machine, since this second forward happens there. So, finally the connection arrives at port 5900 in the windows machine, where the VNC server is listening.

Re: A couple more SSH / VNC questions
 

Paths starting with / are absolute paths; to give a relative path, use a path without the leading slash:Also of interest are the special directories . and ..; . refers to the current directory, so changes to your current directory; ordinarily rather useless. But suppose you're in /usr/bin, and want to go to /usr/share:There's a lot of addresses and ports flipping around here, so pay close attention: ;)
Warm colors designate data interpreted by ssh; cool colors designate data interpreted by sshd. (The ssh server, running on the machine you want to control.)

Code:

---

ssh -Llocalport:forwardhost:forwardport user@remotehost

---

ssh makes a connection to remotehost[/code], telling it your username is user (this controls what password to accept, and what UID processes you run will be, if you're doing that...). It sets itself up listening on localport, and forwards any connections made there through a tunnel to the remote machine, which will then try to make a connection to forwardport on forwardhost.
Now you can skip this paragraph, if you don't care; it's just an example of how you might use some of these options; stuff relevant to the specific case under consideration is later: Suppose you have a LAN behind a NAT, with one computer exposed as a DMZ; further suppose that you (from out in the internet somewhere) want to access one of the other machines on the LAN. You can't get to it directly, but you can ssh into the DMZ. You can do

Code:

---

ssh -Llocalport:insecure.host.lan:forwardport DMZlogin@NAT's.WAN.side.IP

---

Now, even though insecure.host.lan is so unsecure we daren't expose it, we can still get at it through the industrial strength DMZ. And we could even be making the connections to the machine running ssh from some other machine. That's why this is so complicated; each port forwarding involves 4 machines. It just happens, in our simple case of VNC tunneling, one machine is being both the connection client and one tunnel endpoint, and one machine is being both the other endpoint and the eventual connection server

So to forward traffic from port 5901 (local) to 5900 on your XP box, you want:That covers making the tunnel.
Whether the VNC connection goes through the tunnel depends on what you specify as the server in VNC Viewer.
This is much, much simpler, because VNC only deals with two machines; the client and the server. You use .
servername is the server to connect to; since we want to connect to the near end of the tunnel, that'll be 127.0.0.1
Now the standard way of specifying a VNC display is with the display number; these start at 0. The actual port numbers used are allocated starting from 5900 for display 0, and go up as expected. But, if you put in a number like 5901 for the display, it's "helpful" enough to know that you couldn't mean display 5901, connecting on port 5900+5901 = port 11801, but must have meant port 5901. I don't remember at what cutoff it considers a number to be large; but that doesn't really matter. Since we just opened a tunnel at port 5901, subtract 5900, and it's display 1. So we need to tell VNC Viewer to connect to 127.0.0.1:1; 127.0.0.1:5901 would work, too, but is bad form.

As in my previous post, you can wrap it all up with this shell script:
The -f tells ssh to drop to the background so we can start the next command; the sleep 10 is a command for the remote host; if you don't specify anything, it gives a shell, but this way it just waits 10 seconds and disconnects. That way, you don't have to manually log out when you're done with VNC.

Re: A couple more SSH / VNC questions
 

I can't believe I'm still unclear about this.

From this explanation:

It sounds like the proper way to enter the command is as so:

ssh -L5901:localhost:5900 [name]@127.0.0.1:1

What I'm confused about (well one of the things I'm confused about) is, how does my nokia find the XP box without specifying the XP box's IP?

Re: A couple more SSH / VNC questions
 

I posted this before I saw Benson's very educational post immediately preceding it. While I am still unclear, I'm going to study that a few more times before I ask any more questions.

Please, talk amongst yourselves. No, really.

Re: A couple more SSH / VNC questions
 

Let's try again, this way with a picture (at the end of the post). For the sake of this example, assume that the IP of your XP box is 145.32.79.12, and the IP of your Nokia is 201.24.5.32 (you don't need this information, but anyway).

You run in XP the ssh server (called sshd) and the VNC server. Each of these processes opens a port with a well-known number. For sshd, the port number is 22, for VNC it is 5900 (plus the number of the display, but let us assume that it is zero).

So, your windows machine has two open ports. If you have no firewalls, both ports would be accesible from the outside. From any computer in the world, anyone could connect to your port 22 for a ssh sesion (he would require a ssh client, such as the ssh in the nokia), or to your port 5900 for a VNC session (he would require a VNC client).

You can estabilsh both connections from your nokia. Using ssh, you can issue the command: ssh user@145.32.79.12, and this will make a connection between the ssh process in your nokia, and the port 22 of your XP machine (in which the sshd server is listening). You will be prompted for a password and then you will have access to a command-line shell which is run in your XP machine. You can control your XP machine via this shell. If you prefer to control it via its graphical interface, you can launch your VNC client and specifying the host 145.32.79.12:0 This will connect your VNC client in your nokia with the port 5900 in your XP (in which the VNC server is listening). However, doing so, the data sent through the VNC protocol is unencrypted.

But ssh has another functionality (in addition to allows us to access to a remote shell as described above). It can also create a "secure tunnel", thanks to his ability of forwarding ports. In order to use this functionality, the -L swicth is used. This switch requires three parameters (separated by colons):

• The number of a local port; the ssh client will listen in this port (in the nokia), and any data received through this port is sent to the other end of the ssh conection (to the sshd process).
• The name (or IP) of a machine (which in our case is the XP machine, but in general it could be a third machine)
• A second port number, (which exists in the machine specified in the previous argument). The sshd process which receives the "tunneled" data from ssh, forwards this data to the machine and port specified here.

That is, if, in machine A the following command is issued:

me@machineA:~$ ssh -L P1:machineC:P2 user@machineB

Then, any traffic coming to port P1 in machineA would be redirected to the sshd process in machineB, which, in turn, will forward it to port P2 of machineC. The traffic between A and B is encrypted, but between B and C is not. In our case, B and C are both the WindowsXP server, and A is the nokia.

Now, once the tunnel is set up, when we launch the VNC client in the nokia, instead of specifying 145.32.79.12:0 has host:display, whe specify localhosts:1, as if a vncserver were running in the nokia in the display 1. Of course, there is not such a server. However, VNC is fooled in thinking this, so it will try to connect to port 5901 of the Nokia. In this port ssh is listening (due to the -L option), and this petition is forwaded to sshd in the XP box, which in turn translates it into a connection to the port 5900 of the XP box. Here is the VNC server, so the VNC client finds indeed an VNC server, only that (without he knowing it), it is not in the nokia, at localhost. The VNC client only talks with the local process ssh, which he takes for a VNC server.

Similarly, from the viewpoint of the VNC server in XP, a connection from a client has been received, but this connection was coming from the own XP machine (sshd process), so VNC is "thinking" that the client is running in localhost (the XP). The VNC server knows nothing about the existence of the Nokia client. The VNC server only "talks" with the local process sshd, which he takes for a VNC client.

This way, the ssh protocol is fooling the two ends of the comunication, pretending that he is the other end. The picture should make this clear. I hope so :-)

http://www.atc.uniovi.es/~jdiaz/Tunnel.png

Re: A couple more SSH / VNC questions
 

Hello again. I just wanted to write a quick post to say that I am still studying this thread. I appreciate all the helpful contributions and would like to specifically thank Benson and jldiaz for their amazing explanations.

I am learning a great deal here. I feel that the willingness of the folks here in forum (especially the aforementioned users) really demonstrates the true spirit of the open source philosophy and the things that made the internet great for sharing knowledge among users.

I am going to study the recent posts more closely and try to formulate some intelligent question which I will, hopefully, post tonight.

In fact, does anyone think maybe I should compile the info in this thread for a wiki entry?

Re: A couple more SSH / VNC questions
 

Yes, wiki entry sounds great! There is a lot of really good info here. Thanks to everyone.

Re: A couple more SSH / VNC questions
 

Thanks again to everyone for contributing to this thread. I'm learning a lot.

Okay, what jldiaz wrote really has started to make all this info come together for me. It particularly clarifies what Benson meant when he said
If I'm getting this right (and there's probably at least 50 50 odds), then jldiaz's diagram clearly illustrates the four machines.

The command

ssh -L5901:localhost:5900 user@my.XP.box's.IP

instructs the ssh client on my nokia to contact the sshd server on the XP box through port 22, they shake hands and use their mutual keys to identify each other and establish a secure tunnel over port 22.

The -L is the switch function that creates the secure tunnel through the process of port forwarding.

The 5901 (immediately following the -L) refers to the port on my nokia which is listening to the nokia's VNC client and sending what it gets through the nokia's port 22 to the XP box's port 22 where the sshd server's picks it up and then sends it through the XP box's port 5900 to the VNC server.

localhost (immediately following 5901: ) refers to the sshd server on the XP box that is listening through the XP box's port 22.

5900 refers to the port on my XP box where it receives info from the sshd server (the info it gets from the ssh client through port 22) and transmits that info to the VNC server on the XP machine.

user refers to the account that one wishes to access on the machine at my.XP.box's.IP.

Finally, I think I understand this.

But for some reason I can't make it work.

I can set up the ssh session. xterm takes the command, and then prompts me with the CLI prompt appropriate for the Cygwin terminal. It really seems like the session is set up appropriately.

But VNC won't do anything with 127.0.0.1:1

I can connect to the XP box's VNC server directly at my.XP.box's.IP.address But that's not what we're shooting for.

If my ssh client is listening to the VNC client on 5901, then it should be able to send the VNC info through port 22 to the sshd server which can send it through port 5900 to the VNC server.

Could this be a problem with my router? I've tried setting up port forwarding, but I can't make anything work. But that doesn't seem right. If I can connect the ssh between the nokia and the XP box on port 22, and I can connect the VNC between the nokia and the XP box on port 5901, then how could the router interfere with the nokia's port 5900 ability to talk to the nokia's port 22 to talk to the xp box's port 22 which finally sends it to the XP box's 5900.

Or could it be the router?

And if I can connect to the VNC server, directly, and insecurely, does that mean that any damn computer on the internet with a VNC client can connect to my XP box directly and insecurely? Or does it just work for me because I my nokia and XP box happen to be on the same wlan.

So I guess this thread can keep going if everyone's still game. I certainly won't be able to post that wiki until I work through this problem and make this work properly.

Re: A couple more SSH / VNC questions
 

I think you got it. :)

Uh-oh :(

I assume that's my.XP.box.IP:0 ? If it's a different display, then that would cause problems (you'd need to change which port you forward to).
Exactly; if the SSH link is getting through, the router cannot impede a connection tunneled through. It's not the router.

Hopefully just cause you're on the same LAN. The question is which ports are you forwarding? If you're only forwarding the port you're using for ssh (presumably 22), and still blocking stuff like port 5900, you should be safe against other (outside) people; still vulnerable to anyone on your WLAN. WPA makes that hard, but why even allow it at all? We'll get to that later, but until you get things working through ssh, it's good to leave it (that far) open as a troubleshooting aid.


The most likely explanation at the moment seems to be that your XP box's VNC is not set up right.
If that's the case, you're in luck, cause we're both running tightVNC. I should be able to point you exactly to the relevant settings:
Double-click the tightVNC logo in the system tray to bring up the config dialog. On the Administration tab, there's a box with three checkboxes:

• Disable empty passwords
• Allow loopback connections
• Allow only loopback connections

The first one should be unchecked if you want to be able to use an empty password (not no password, just a password of zero length; there's a difference.). Doesn't really matter.

The second one must be checked. It's off by default, to spare you from VNCing into your console from your console (heap bad medicine), and resulting pointer freeze and such. But the way the ssh tunnel ends on the local machine means that the outcoming VNC connection is indeed a loopback connection, and we must allow that.

The third one blocks all normal connection; then all that can get through is screen-grabbing horrors (don't do those) and VNC tunneled connections. It's probably wise to enable this at some point, but not necessary.

Those are the only relevant options I'm aware of.

G'luck in your struggles!

Re: A couple more SSH / VNC questions
 

In fact, in my diagram only two machines are depicted, but you are right, each of the four processes depicted could be running in a different machine.

For example, you could have two secure LANs, but an insecure WAN connecting the two LANs. You can use ssh/sshd to provide a secure tunnel through the WAN, and thus allowing a secure communication between any machine on the first LAN with any machine on the second LAN.

The following convolved example is not really neccesary, but for the sake of the completness, let me elaborate it.

Llet us assume that you have a secure LAN at your home, with two machines, with IPs: 145.24.12.10 and 145.24.12.11, The first one is a WindowsXP in which you have installed Cygwin/sshd. The second one is an old Windows98, without any ssh software installed, but with a VNC server running on display 0.

At your work, you have a secure LAN, in which it is your desktop PC, running Windows2000, with IP 220.30.140.100. You have a VNC client in this PC, but no ssh software. You would like to connect this VNC client in the Windows2000 machine, with the VNC server of your Windows98 PC, at home. However, the insecure WAN connecting the two LANs is intimidating you...

Fortunately, you have your Nokia n810 with you, in which you have a ssh client installed. You connect your n810 to the LAN of your office (and it gots the IP 220.30.140.101), and then you use the ssh in your nokia to make a tunnel to your Windows98 machine at home. Then, you connect the VNC client of your Windows2000 through this tunnel, and you got the desired and secured connection.

How could this be done? I left it as an exercise to the reader.. :-)

Yes, you got it. You should be able to solve the above exercise.

The only possible reason, IMHO, is that your VNC server forbides clients coming from localhost. Check the options of the server. The router cannot interfere, because, as you realized, you got the ssh/sshd connection.

Most likely anyone can connect to your XP box directly, unless your router is blocking port 5900. This is why is a good idea to configure your VNC server either for asking a password, or alternatively for accepting only clients coming from localhost (i.e., in our case, coming from the ssh tunnel).