
Given that VNC and X11 were not developed with security in mind, what do people typically do to remotely connect to a Linux system where a GUI is required? While SSH access alone might be preferred, oftentimes there are requirements where a developer or administrator needs GUI access to a Linux system.

So far, I see the following solutions:

  • Require VNC to be used over a secure SSH tunnel. However, I would have to rely on the dev/admin to set up a tunnel every time.
  • Use X11Forwarding. X11 was not designed for security, and additionally is much slower than VNC.
  • NoMachine remote desktop. I have not played around with it yet, but they purport to be a secure remote desktop solution.

While many people advocate setting X11Forwarding to 'no' in the sshd_config, it seems to me that this is the most secure native alternative. However, I am more than open to ideas from the security gurus out here!

appsecguy
  • FWIW, I find TeamViewer to be a good solution for those rare cases when I need remote desktop access to a Linux machine. Maybe it's not the kind of solution you were looking for, but it's easy to set up, fast, and reasonably secure from what I can tell. – tlng05 Mar 23 '15 at 03:27
  • Thanks for the comment! Honestly, for some reason I thought that TeamViewer was a Windows-only solution. – appsecguy Mar 23 '15 at 03:33
  • X11Forwarding is over ssh to individual developers. When I read up on it, the NSA's discussion on X11 (with respect to SELinux) was primarily how hard it was to keep X11 isolated from, well...X11. Are you concerned about developers accessing each other's sessions? – ǝɲǝɲbρɯͽ Mar 23 '15 at 04:02
  • What do you mean by having a dev/admin set up a tunnel every time? If there is a proper methodology in place with private keys, you could request the tunnel yourself each time. Or am I missing something? – LvB Mar 24 '15 at 00:23
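The tunnelled-VNC option from the question, as an added example that is not part of the original post or of any VNC project's own code: a small POSIX shell script that builds the SSH local-forward command for a given VNC display and audits `ss -ltn`-style listener output on the server so that a VNC server accidentally bound to all interfaces (reachable without the tunnel) is flagged. The user name `alice`, the host `devbox.example` and the `SAMPLE_SS` listener lines are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Host, user and the sample
# `ss -ltn` output below are constructed placeholders.

# vnc_port DISPLAY -> TCP port for that VNC display (display :1 -> 5901)
vnc_port() {
    echo $((5900 + $1))
}

# tunnel_cmd USER HOST DISPLAY LOCALPORT -> the ssh command that forwards
# 127.0.0.1:LOCALPORT on the client to 127.0.0.1:<vnc port> on the server.
# -N: no remote shell; -L: local forward bound to loopback on the client;
# ExitOnForwardFailure=yes: do not leave a silent session open if the
# forward could not be set up (e.g. the local port is already taken).
tunnel_cmd() {
    user=$1; host=$2; disp=$3; lport=$4
    rport=$(vnc_port "$disp")
    echo "ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:${lport}:127.0.0.1:${rport} ${user}@${host}"
}

# is_loopback_only ADDR -> 0 if ADDR is a loopback address, 1 otherwise.
# The VNC server itself should listen only on loopback (vncserver -localhost),
# so that the SSH tunnel is the only path to it.
is_loopback_only() {
    case "$1" in
        127.0.0.1|localhost|::1|"[::1]") return 0 ;;
        *) return 1 ;;
    esac
}

# audit_listeners <ss -ltn output on stdin> -> prints one line per VNC
# listener (ports 5900-5999) marked "ok" (loopback) or "EXPOSED" (anything
# else, e.g. 0.0.0.0 or *). Returns 1 if any listener is EXPOSED.
audit_listeners() {
    rc=0
    while read -r state recvq sendq laddr peer rest; do
        addr=${laddr%:*}; port=${laddr##*:}
        case "$port" in 59[0-9][0-9]) ;; *) continue ;; esac
        if is_loopback_only "$addr"; then
            echo "ok       $laddr"
        else
            echo "EXPOSED  $laddr"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample in `ss -ltn` column order (State Recv-Q Send-Q Local Peer):
# display :1 bound correctly to loopback, display :2 bound to all interfaces.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:5901 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5902 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Stand-alone demo: print the tunnel command and audit the constructed sample.
tunnel_cmd alice devbox.example 1 5901
printf '%s\n' "$SAMPLE_SS" | audit_listeners || echo "at least one VNC listener is reachable without the tunnel"
```

On a real server the audit is `ss -ltn | audit_listeners` (the `ss` header line is skipped because its "port" field is not numeric). The point of the loopback check is that tunnelling only helps if the VNC server is not also listening on a routable address; the audit turns that into something a script or monitoring job can verify rather than something the admin has to remember.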

2 Answers


NoMachine is more-or-less X11 over SSH with improvements in performance. So the two benefits there are that SSH is managed for you and that you don't have the ghastly performance of X11 over a network. (ISTR that SSH is not the default, but it's essentially a dropdown option, not a setup saga).

VNC also provides better performance than X11, and can be secured either over SSH or using one of the various hardened variants (like UltraVNC or RealVNC Enterprise or Personal). However, given the hodgepodge of variants and the manual nature of SSH integration (e.g., TightVNC basically says "do it yourself"), it's not the most coherent of solutions.

X11Forwarding ranges from bad to abysmal across the network. It's essentially unusable across the WAN. And that's not because of SSH, it's because of the way latency impacts the X11 protocol. I wouldn't bother with it for that reason.

My personal advice is to look at NoMachine. It's a much more coherent, solid product than *VNC, and having the SSH bit work is easy and integrated.

gowenfawr
  • I have run some MySQL tests with NoMachine vs tunneled TightVNC, and I find NoMachine faster, more responsive, and er the line [no JPEG artifacts... yaay]. – LvB Mar 24 '15 at 00:20
  • NoMachine looks pretty awesome. Unfortunately, for Solaris it looks like we are stuck with just X11 over SSH. – appsecguy Mar 24 '15 at 16:22
  • One con of NoMachine is that it needs MUCH RAM to start. I have never been refused a connection to VNC/SSH, while it's the norm with NX. I have to enter SSH EVERY time to shut down some hungry processes to let the nxserver run. That's a really bad thing for me, and unless I find a way to solve it I'll fall back to VNC/SSH again. Apart from that, the configs and goodies from NX NoMachine make it a good (maybe the best) product overall. – m3nda Apr 24 '17 at 11:20

A possible alternative might be a full VPN. This creates a secure network over insecure networks and would allow users to access the system as though they were on the local network.

There are, of course, dangers with this approach since you are extending your local network to potentially unknown locations. But it is highly secure when done correctly.

VPNs do take an overhead on network bandwidth and add some latency as well, so you would want to make sure that performance is acceptable.

Julian Knight