vncserver -localhost and ssh tunneling

I'm trying to set up an ssh-tunneled VNC connection from my CentOS 5.10 machine and I've been following some online tutorials such as this one: https://wiki.archlinux.org/index.php/Vncserver. I'm running the server like this: $ vncserver -geometry 1024x768 -localhost :1 and connecting with an OpenSSH client like this: ssh -f me@vnc.machine -L 5900:vnc.machine:5901 -N. Then I connect with RealVNC viewer to localhost:5900. For some reason this doesn't work if I use the -localhost param, but it works great if I leave it out. All of the guides say that it's more secure to use it. I'm thinking this might be a configuration issue on the server side, but I'm pretty much stumped at this point and I've tried a lot of stuff. Can anybody tell me why this is happening?

shwoseph

Posted 2014-02-11T23:15:50.403

Reputation: 151

Answers

The -localhost option is telling the VNC server to bind only to the loopback interface, so that you can only connect to the VNC server from the machine it's running on. This means that anyone trying to break into your VNC session would have to be able to get on that particular machine. Without -localhost, your VNC server would accept non-local connections, so an attacker could use another machine to try to break into your VNC session.

If you're going to use -localhost, then you should be passing -L 5900:localhost:5901, not -L 5900:vnc.machine:5901, since your VNC server is listening only on the loopback (localhost) interface.

jjlin

Posted 2014-02-11T23:15:50.403

Reputation: 12 964

Strange, -localhost doesn't seem to do anything – thang – 2019-08-18T08:08:29.803

Maybe I'm confused, but wouldn't that just forward port 5900 from the client machine to 5901 on the client machine? – shwoseph – 2014-02-12T02:59:55.727

No, it forwards 5900 on the client machine to 5901 on localhost -- from the point of view of the server, not the client. So localhost would refer to the server. – jjlin – 2014-02-12T05:37:56.547

jjlin's answer covers troubleshooting, but to really make it secure you should also pass -nolisten tcp to vncserver. This ensures that there won't be an open TCP listener on the X side of things.

DepressedDaniel

Posted 2014-02-11T23:15:50.403

Reputation: 131

I don't think this makes any significant improvement in security over @jjlin's answer. In his answer it explicitly isn't listening on anything but localhost (which is what OP wants). At that point, I don't see how blocking TCP access would make it any more secure – user71931 – 2017-03-03T22:31:33.780

@user71931 vncserver launches X as part of its operation. The -localhost option of vncserver doesn't do anything to the X server, which may listen on, e.g., TCP port 6001 for clients. Since the vncserver process is running on the same machine, it can connect to the X server using Unix domain sockets, and this is what it does by default. However, without -nolisten tcp the X server will still listen on a TCP port (for X clients rather than VNC clients). – DepressedDaniel – 2017-03-03T22:43:37.503

Ah I see, thanks for explaining. You might want to add that to your answer, that seems like a pretty big gotcha. Didn't know this, thanks for sharing – user71931 – 2017-03-06T17:38:30.893
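To confirm on the server what both answers are getting at (the VNC display bound only to loopback, and no leftover X listener on a 60xx port), here is an added check script that is not from the original thread. It parses the local-address column of ss -ltn output and reports any 59xx or 60xx TCP listener that is not bound to 127.0.0.1 or [::1]; the listener table below is constructed, not captured from a real host.

```sh
#!/bin/sh
# Constructed sample of `ss -ltn` output (not from a real host): display :1
# is correctly bound to loopback thanks to -localhost, but the X server
# behind it still listens on 0.0.0.0:6001 because -nolisten tcp was omitted.
SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:5901     0.0.0.0:*
LISTEN 0      128    0.0.0.0:6001       0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::1]:5901         [::]:*'

# check_vnc_listeners LISTENER_TABLE
#   Expects rows whose 4th column is "address:port" (as in `ss -ltn`; the
#   header row is discarded because its "port" never matches the regex).
#   Prints one line per VNC (59xx) or X11 (60xx) listener reachable from
#   other hosts. Returns 0 if none were found, 1 if any were.
check_vnc_listeners() {
    printf '%s\n' "$1" | awk '
        {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port !~ /^(59|60)[0-9][0-9]$/) next
            if (addr == "127.0.0.1" || addr == "[::1]") next
            print "exposed: " addr " port " port
            found = 1
        }
        END { if (found) exit 1 }'
}

# On a live host use: check_vnc_listeners "$(ss -ltn)"
check_vnc_listeners "$SAMPLE_LISTENERS" \
    || echo "fix: start vncserver with -localhost and -nolisten tcp"
```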