VNC Security And SSH

Kurt R. Todoroff - 31 Mar 2006 21:54 GMT
I've been using OSXVNC on my two G4 iMacs at home, and TightVNC Viewer
on my office Windows machines for two years.  The two Windows machines
are in my two offices at my two companies (that I own).  Nobody else has
access to these two Windows machines.

I access both Macs from both Windows machines.  This has really
simplified and streamlined my work, thus freeing up valuable time for me
in the evening since I now take a lot less work home.

I've read various articles about VNC security.  Some authors claim that
my simple setup is secure enough, while others claim that they would
never run VNC without SSH.  I'd like to cut through the noise and get
some opinions from this forum.

My home Macs are behind a D-Link DI-524 router.  I have turned wireless
off.  I have opened only ports 5900 and 5901 for the two Macs using VNC.

Thank you.

Signature

Kurt Todoroff
kurt.r.todoroff@comcast.net

    Markets, not mandates and mob rule.
    Consent, not coercion.

D P Schreber - 31 Mar 2006 22:53 GMT
> My home Macs are behind a D-Link DI-524 router.  I have turned wireless
> off.  I have opened only ports 5900 and 5901 for the two Macs using VNC.

There are two vnc-specific security issues here.  First, since the data
on an established vnc connection is unencrypted, a snooper could watch
all your virtual keystrokes once the connection is established (the data
stream is compressed but that's easy for an evil-doer to deal with).  If
you happen to type in a password during your vnc session, it would be
compromised in this scenario.

Second, this way of running vnc is vulnerable to automated password
crackers.

A third issue is not specific to vnc.  Any service ports exposed to the
net at large are going to be hammered by port scanners looking for entry
points.  The fewer of these you have, the better.

If you tunnel vnc through ssh and configure the vnc server to accept
connections only from localhost, these issues go away.  Everything is
encrypted, the ports are not exposed, and a password guesser has nothing
to talk to. The downside is that ssh adds overhead, which means slower
response time.

Tom Stiller - 31 Mar 2006 22:54 GMT
In article
<kurt.r.todoroff-E9E35A.15545331032006@comcast.dca.giganews.com>,

> I've been using OSXVNC on my two G4 iMacs at home, and TightVNC Viewer
> on my office Windows machines for two years.  The two Windows machines
[quoted text clipped - 14 lines]
>
> Thank you.

So, you're using the well-known VNC ports and opened them to the general
population.  Unless you leave the Macs logged in, an intruder would need
to guess two passwords: one for the VNC connection and another to
establish a login on the target machine.  If the Mac is left in the
logged-in state, only one password need be guessed.

You could tighten security by using ssh and disabling password
authentication.  With two target machines, you would either configure
the machines to run sshd on different ports, forwarded by your router,
or only open one machine and have it tunnel to the second machine.  
Either way would work and, once configured, remote usage would look the
same.

I use and recommend the ssh with public key authentication method, but
that's just me.

Signature

Tom Stiller

PGP fingerprint =  5108 DDB2 9761 EDE5 E7E3
                  7BDA 71ED 6496 99C0 C7CF

johnny bobby bee - 31 Mar 2006 22:58 GMT
> I've read various articles about VNC security.  Some authors claim that
> my simple setup is secure enough, while others claim that they would
[quoted text clipped - 3 lines]
> My home Macs are behind a D-Link DI-524 router.  I have turned wireless
> off.  I have opened only ports 5900 and 5901 for the two Macs using VNC.

Well, the fact that you're not using wireless is a good thing since
essentially all your communication is not encrypted. So, passwords etc.
are sent over as clear text, unless TightVNC has changed since I last
used it.

You can set up OSXvnc to allow only 'local' (localhost) connections. And
then tunnel your TightVNC session through SSH using Putty on your
Windows boxes. Much safer. Lots of google comes up with SSH tunneling
using Putty.

Signature

vuja de:
The feeling that you've *never*, *ever* been in this situation before.
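
The setup recommended in the replies above (VNC listening on localhost only, reached through an ssh tunnel, sshd accepting public keys only) can be checked on the Mac itself. This is an added example, not code from any poster in the thread; the netstat and sshd_config text is constructed sample input, and `user@home.example` is a placeholder.

```shell
# Added example: checks for the setup recommended in this thread.
# Client side, for reference (user@home.example is a placeholder):
#   ssh -N -L 5901:localhost:5900 user@home.example
# then point the VNC viewer at port 5901 on localhost.

# Read `netstat -an` text on stdin; print VNC listeners (5900-5909) that
# are not bound to loopback. Handles "addr.port" (macOS) and "addr:port".
exposed_vnc_listeners() {
    awk '$NF == "LISTEN" && $4 ~ /[.:]590[0-9]$/ {
        addr = $4; sub(/[.:]590[0-9]$/, "", addr)
        if (addr != "127.0.0.1" && addr != "::1") print $4
    }'
}

# Read sshd_config text on stdin; print the effective value of keyword $1,
# or default $2 if unset. sshd keeps the first value it sees per keyword.
# Assumptions: "Keyword value" lines; parsing stops at the first Match block.
sshd_effective() {
    awk -v key="$1" -v dflt="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print dflt }'
}

# Succeed only if password logins are off and public-key logins are on.
# Keyboard-interactive (PAM) authentication is not examined here.
sshd_keys_only() {
    [ "$(printf '%s\n' "$1" | sshd_effective PasswordAuthentication yes)" = no ] &&
    [ "$(printf '%s\n' "$1" | sshd_effective PubkeyAuthentication yes)" = yes ]
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_NETSTAT_DIRECT='tcp4  0  0  *.5900          *.*  LISTEN
tcp4  0  0  *.22            *.*  LISTEN'
SAMPLE_NETSTAT_TUNNELED='tcp4  0  0  127.0.0.1.5900  *.*  LISTEN
tcp4  0  0  *.22            *.*  LISTEN'
SAMPLE_SSHD_HARDENED='PasswordAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes'
SAMPLE_SSHD_DEFAULT='#PasswordAuthentication no
Port 22'

for n in "$SAMPLE_NETSTAT_DIRECT" "$SAMPLE_NETSTAT_TUNNELED"; do
    echo "exposed VNC listeners: $(printf '%s\n' "$n" | exposed_vnc_listeners)"
done
for c in "$SAMPLE_SSHD_HARDENED" "$SAMPLE_SSHD_DEFAULT"; do
    if sshd_keys_only "$c"; then echo "sshd: keys only"; else echo "sshd: passwords accepted"; fi
done
```

On a real machine, feed the functions live data, for example `netstat -an | exposed_vnc_listeners`, and pass the contents of the sshd configuration file to `sshd_keys_only`.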

 