Secure Linux Remote Desktop Management Using SSH + VNC

Source: Internet
Author: User
Tags: ssh, secure shell

VNC can compress data, so it transmits less data than a session encrypted with SSH. However, there is a chance that computers on the same network segment can use a sniffer to eavesdrop on the user name and password. Data after authentication can be encrypted, so if encryption is configured, the session is safe. Otherwise, the transmitted content is not completely confidential. If necessary, you can use SSH encrypted port forwarding to ensure that the user name and password are encrypted in transit. This consumes only a very small amount of extra bandwidth.

To protect VNC with SSH, you must use the port forwarding function of SSH. When the client runs Linux, you can create the connection with the ssh command. In the syntax, add the parameter "-L local port:local address:remote port remote address". For example, if the local machine is X.Y.Z.W, the server is A.B.C.D, the local port to be forwarded is 5901, and the remote port is 5901, the command is:

    ssh -L 5901:X.Y.Z.W:5901 A.B.C.D

Most other ssh parameters can be used at the same time. After the command has run, an encrypted tunnel between server port 5901 and local port 5901 has been created. If the VNC desktop number on the server you are connecting to is 2, run the following command:

    vncviewer A.B.C.D:2

In this way, all data in the opened VNC window is encrypted by SSH.

On Windows clients, the SSH client generally used is SSH Secure Shell. The following describes how to configure SSH Secure Shell in Windows to implement secure Linux remote desktop management with VNC.

First, select Tunneling under Settings on the main interface of SSH Secure Shell.

Then, select Add a configuration, where Listen is the local port, Destination is the remote address and port, and Display is a description of your own choosing.

Figure: Set Tunneling for SSH Secure Shell

Figure: Specific Tunneling settings

Finally, run vncviewer to connect. Note: the server address to enter is not the address of the VNC server you want to reach, but the address of the local SSH listening port set earlier, because all traffic to the VNC server must be forwarded through the local SSH client. It is generally set to localhost plus the port, where the port is the SSH listening port set in the figure.

Figure: Use VNC Viewer in Windows to connect to the VNC Server in Linux

The result of a Wireshark packet capture of the above communication shows this clearly. The VNC traffic from the client to the server is encrypted over SSH, so it is much safer than traditional VNC communication without SSH encryption and can effectively avoid eavesdropping and man-in-the-middle attacks:

Figure: Packet capture results for the preceding communication process
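
The check made by eye in the Wireshark capture can also be scripted. The following Python is an added example, not part of the original article: it classifies the first server payload of each captured TCP stream by its protocol banner (an RFB server opens with "RFB xxx.yyy", an SSH peer with "SSH-version-") and reports VNC traffic that crosses the network outside the tunnel. The flow tuples, addresses and SSH software name are constructed sample data, and the 5900-5999 range assumes the usual convention that display N listens on TCP port 5900+N.

```python
import ipaddress
import re

# An RFB (VNC) server opens with a 12-byte ProtocolVersion message, e.g. b"RFB 003.008\n".
RFB_BANNER = re.compile(rb"^RFB \d{3}\.\d{3}\n")
# An SSH peer opens with an identification string, e.g. b"SSH-2.0-<software>".
SSH_BANNER = re.compile(rb"^SSH-\d+\.\d+-")

# Constructed sample: (client, server, server port, first payload sent by the server).
SAMPLE_FLOWS = [
    ("192.0.2.10", "192.0.2.20", 22, b"SSH-2.0-ExampleSSH_1.0\r\n"),  # the tunnel
    ("127.0.0.1", "127.0.0.1", 5901, b"RFB 003.008\n"),    # viewer -> local forward
    ("192.0.2.10", "192.0.2.20", 5902, b"RFB 003.008\n"),  # viewer -> server directly
    ("192.0.2.10", "192.0.2.20", 5901, b""),  # VNC port reached, payload not captured
]

def classify(first_bytes):
    """Return 'rfb', 'ssh' or 'unknown' for the first payload of a TCP stream."""
    if RFB_BANNER.match(first_bytes):
        return "rfb"
    if SSH_BANNER.match(first_bytes):
        return "ssh"
    return "unknown"

def on_network(client, server):
    """True unless both ends are loopback, i.e. the traffic leaves the machine."""
    return not (ipaddress.ip_address(client).is_loopback
                and ipaddress.ip_address(server).is_loopback)

def audit(flows):
    """Return (server, port, reason) for every flow that exposes VNC on the wire."""
    findings = []
    for client, server, port, payload in flows:
        if not on_network(client, server):
            continue  # loopback leg between the viewer and the local SSH listener
        kind = classify(payload)
        if kind == "rfb":
            findings.append((server, port, "cleartext RFB on the network"))
        elif kind == "unknown" and 5900 <= port <= 5999:
            findings.append((server, port, "VNC display port reached directly"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

A finding means the viewer was pointed at the server's own address instead of at the local listening port, so that session did not pass through the SSH tunnel.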
