That's a neat Xvnc switch, the -localhost, thanks for bringing it up. I'm finding that the ssh command must specify "localhost" (without quotes) as the server host in

http://www.geocrawler.com/lists/3/SourceForge/17280/0/8368314/
http://www.uk.research.att.com/vnc/sshwin.html

i.e. if you use the explicit name of the server host machine, the server doesn't seem to recognize the connection as a local loop even if the ssh daemon host (gateway) is on the same machine. And the same applies when using the tightvnc viewer's -VIA option for ssh.

There is one problem, though, by imposing -localhost and/or ssh2 requirements.... it requires that the viewer host be capable of ssh2, which departs from the thin client model. Say I'm roaming around town looking for a used chair and drop by the library to see if anyone responded to my "seeking used chair" ad (this is a real example). I could just use Internet Explorer to connect to my vncserver. Now, I can't because in order to do so, the library computers must have ssh2 *and* allow patrons to use the command line *and* allow them the appropriate sysadmin privileges to install tightvncviewer. Even if I wasn't using the library's facilities (say I was visiting a friend in another city), I'd still have to install ssh.

Of course, with security comes diminished accessibility, but protecting against repeated connection attempts can be done without ssh (though the session won't be encrypted, which often isn't a concern). It can be done the same way as the Solaris login does, i.e. by putting a discouraging delay between password attempts, and a nice *long* delay after 3 or 5 attempts. Would it be acceptable to build this into the server?

Fred

-------------------------------------------
Fred Ma
Department of Electronics
Carleton University, Mackenzie Building
1125 Colonel By Drive
Ottawa, Ontario
Canada K1S 5B6
[EMAIL PROTECTED]
===========================================

> Message: 19
> From: "Alex K. Angelopoulos" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: Re: Security...
> Date: Fri, 31 May 2002 20:42:26 -0500
> Reply-To: [EMAIL PROTECTED]
>
> One approach that I almost always take these days with VNC setups for remote LANs is to make sure that they are only accessible via a VPN connection. This is a far from perfect security measure, but in terms of overall security for most Windows LANs it is a good technique to use. I can then do direct Windows-based connections to the network and the infrastructure is in place to do things for the clients which involved direct remote connections.
>
> This still has huge security holes. It does not prevent internal hack attempts, and someone with VPN or internal access and admin rights could still do remote regreads and back out the password - but at least it introduces a single-point-of-administration choke point for control over remote VNC access. For tight VNC security, one would still want SSH2 and source address restrictions.
>
> ----- Original Message -----
> From: "Coyle, Joe" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, 2002-05-31 14:26
> Subject: RE: Security...
>
> > People are foolish if they do not use SSH2 tunneling with VNC. If you want to employ good security measures then you should only have VNC set to "Allow Loopback Connections" with "Only Allow Loopback"
> >
> > SSH2 adds another layer of security and encryption. Even if you do not allow VNC connections from the outside world, it is still a good practice on a LAN or WAN.
> >
> > SSH2 tunneling only adds a few extra steps to the process.
> >
> > I also recommend that you do not allow any SSH protocol 1 connections. This is very easy to disable on any Unix or Windows type system. Of course this means that you need to have an updated SSH2 compliant server installed.
> >
> > Happy VNCing
> >
> > Joe Coyle
> > Systems Administrator
> > Weather Services International
> > 978-670-5166
> >
> > -----Original Message-----
> > From: Jacob Hoover [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, May 31, 2002 2:37 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: Security...
> >
> >
> > I didn't see the post, but VNC only uses the first eight characters of any given password. Working on the whole security idea, it wouldn't be that difficult to modify the server (Win version at least) to automatically disable itself after a defined number of authentication failures. This would keep out most brute force or word list hackers, but it would also stop the authorized user if the hacker tripped the safeguard.
> >
> > Jacob Hoover

_______________________________________________
VNC-List mailing list
[EMAIL PROTECTED]
http://www.realvnc.com/mailman/listinfo/vnc-list
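The delay policy Fred proposes (a short delay between password attempts and a long one after 3 or 5 failures), together with the drawback Jacob Hoover raises (a server that disables itself after N failures also shuts out the legitimate user), as a worked example added here. This is not code from the thread or from any VNC server. It keys the failure count by client address (an assumption) so that a guessing source is slowed down without taking the server away from everyone else; the threshold of 3 failures, the 2 s short delay, the 300 s long delay that doubles per further failure and is capped at one hour, and the one-day expiry of old failures are illustrative choices, not values from the page.

```python
"""Escalating delay after failed authentication attempts, tracked per client.

Added example (not code from the VNC thread or from any VNC server). It models
the "discouraging delay between password attempts, and a long delay after 3 or
5 attempts" policy discussed in the thread. All thresholds and delay values
below are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field

# Assumed policy parameters (illustrative, not from the page).
SHORT_DELAY = 2.0        # seconds between attempts before the threshold
THRESHOLD = 3            # failures after which the long delay starts
LONG_DELAY = 300.0       # seconds once the threshold is reached
MAX_DELAY = 3600.0       # upper bound so delays do not grow without limit
FORGET_AFTER = 86400.0   # seconds of quiet after which failures are forgotten


def delay_for(failures: int) -> float:
    """Seconds a client must wait before its next attempt, given its failure count.

    0 failures: no delay. 1..THRESHOLD-1: short fixed delay. From THRESHOLD on:
    long delay, doubling per extra failure, capped at MAX_DELAY.
    """
    if failures <= 0:
        return 0.0
    if failures < THRESHOLD:
        return SHORT_DELAY
    return min(LONG_DELAY * 2 ** (failures - THRESHOLD), MAX_DELAY)


@dataclass
class _ClientState:
    failures: int = 0
    last_attempt: float = 0.0  # timestamp of the last failed attempt


@dataclass
class AuthThrottle:
    """Per-client throttle so one brute-force source does not lock out everyone.

    State is keyed by client address (assumption), which limits the collateral
    damage of a global server lockout. The current time is passed explicitly
    so the policy is deterministic and testable.
    """
    clients: dict = field(default_factory=dict)

    def _state(self, client: str, now: float) -> _ClientState:
        st = self.clients.get(client)
        if st is None:
            st = self.clients[client] = _ClientState()
        elif st.failures and now - st.last_attempt >= FORGET_AFTER:
            st.failures = 0  # old failures expire
        return st

    def wait_remaining(self, client: str, now: float) -> float:
        """Seconds the client still has to wait; 0.0 means an attempt is allowed."""
        st = self._state(client, now)
        remaining = delay_for(st.failures) - (now - st.last_attempt)
        return max(0.0, remaining)

    def record_failure(self, client: str, now: float) -> float:
        """Register a failed password attempt; returns the delay now imposed."""
        st = self._state(client, now)
        st.failures += 1
        st.last_attempt = now
        return delay_for(st.failures)

    def record_success(self, client: str) -> None:
        """A correct password clears the client's failure history."""
        self.clients.pop(client, None)


def simulate(attempts):
    """Replay (client, time, password_ok) tuples; returns the list of outcomes.

    Each outcome is 'ok', 'rejected' (wrong password, delay imposed) or
    'throttled' (attempt made before the wait expired, so not even checked).
    """
    throttle = AuthThrottle()
    outcomes = []
    for client, now, password_ok in attempts:
        if throttle.wait_remaining(client, now) > 0:
            outcomes.append("throttled")
            continue
        if password_ok:
            throttle.record_success(client)
            outcomes.append("ok")
        else:
            throttle.record_failure(client, now)
            outcomes.append("rejected")
    return outcomes


if __name__ == "__main__":
    # Constructed sample input: one guessing client and one legitimate client.
    sample = [
        ("10.0.0.9", 0.0, False), ("10.0.0.9", 1.0, False),   # second is throttled
        ("10.0.0.9", 3.0, False), ("10.0.0.9", 6.0, False),   # third failure -> 300 s
        ("10.0.0.9", 60.0, False),                            # throttled
        ("192.168.1.5", 61.0, True),                          # other client unaffected
    ]
    for (client, t, _), result in zip(sample, simulate(sample)):
        print(f"t={t:6.1f} {client:12} {result}")
```

The server would call `wait_remaining` before even reading the password and `record_failure`/`record_success` afterwards; because the state is per client rather than a single server-wide switch, the legitimate user on another address keeps working while the guessing source is held off.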