Hello Guys,
It's been a long time since I posted something here. I am trying to make time to write something and make this blog more active.
Let's see how to set up a secure VNC server using an SSH tunnel on RHEL/OEL/CentOS based Oracle Cloud (OCI) instances.

As you know, the VNC protocol (RFB) is unencrypted. Even though the password check at log-in is a challenge-response exchange, everything after it, screen contents, keystrokes and clipboard, goes over the wire in the clear, so it is possible to sniff VNC traffic and collect sensitive information. You can fully secure a VNC session by tunnelling it through an SSH tunnel. Another advantage of tunnelling VNC via SSH is that you do not need to open the VNC ports (TCP 590X) in your subnet's Security List or in the instance's OS firewall; the existing rule for SSH traffic (TCP 22) will do fine.

I expect you have a desktop environment (GNOME in this post) installed on the instance. By default, VNC is configured to use xterm as the terminal emulator and twm as the window manager for the X Window System, which is why the xstartup file is replaced below.
RHEL 7/ OEL 7/ CentOS 7 OCI Instances
1. Install VNC server.
$ sudo yum -y install tigervnc-server pixman pixman-devel libXfont
2. Set up a VNC password for your user.
We are setting up VNC for the default user 'opc'; if you want to set it up for another user, just change the steps accordingly.
Log in as the user opc (on OCI images opc has no password of its own, so switch to it with sudo if you are logged in as someone else) and set up the VNC password. It is stored in ~/.vnc/passwd and is only used to authenticate to the VNC session; it is not the user's login password:
$ sudo su - opc
$ vncpasswd
3. Add a VNC service configuration file.
The VNC daemon's systemd template unit is in the directory below:
$ ls /lib/systemd/system | grep -i vncserver
vncserver@.service
Copy the template to /etc/systemd/system as an instance unit for display :1. The template itself is left untouched (units in /etc/systemd/system take precedence over the ones in /lib/systemd/system), so there is nothing to back up:
$ sudo cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@:1.service
Edit the copy so that, ignoring the comment lines, it reads as follows:
$ sudo cat /etc/systemd/system/vncserver@\:1.service | egrep -v "^#"
[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target

[Service]
Type=forking
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/usr/sbin/runuser -l opc -c "/usr/bin/vncserver %i -geometry 1280x1024 -localhost"
PIDFile=/home/opc/.vnc/%H%i.pid
ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'

[Install]
WantedBy=multi-user.target
Do remember to change the user name if you are setting up VNC for a different user; here we are setting it up for user opc, and the name appears twice, in ExecStart (runuser -l opc) and in PIDFile. Also, please note that the parameter "-localhost" makes the VNC server listen on the loopback interface only (127.0.0.1), so it accepts connections from the instance itself, i.e. from the far end of the SSH tunnel, and never directly from the network. Without it, Xvnc binds port 5901 on every interface and the Security List is the only thing keeping it off the internet.
Make sure your VNC xstartup file has the contents below. vncserver only creates this file on its first run, so create it yourself if it does not exist yet; the default one starts xterm and twm, this one starts a GNOME session instead:
$ cat /home/opc/.vnc/xstartup
#!/bin/sh
unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS
#exec /etc/X11/xinit/xinitrc
/bin/gnome-session &
Set permission (the file must be executable, and owned by opc, since vncserver runs it as that user):
$ chmod 755 /home/opc/.vnc/xstartup
Reload systemd so that it picks up the new unit:
$ sudo systemctl daemon-reload
4. Start VNC server.
You can now start your VNC server with:
$ sudo systemctl start vncserver@:1
Enable it as well if you want the session to come back after a reboot:
$ sudo systemctl enable vncserver@:1
Finally, confirm that Xvnc is bound to the loopback interface only. The local address shown for port 5901 must be 127.0.0.1 (or [::1]); 0.0.0.0 or * would mean -localhost did not take effect:
$ ss -tln | grep 5901
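The whole RHEL 7 server-side procedure above as one script, added here as an example; it is my code, not the post's or TigerVNC's own. It renders the instance unit for any user and display, installs and enables the service, and then checks the one property the whole setup depends on: that port 590X is bound to loopback only. VNC_USER, VNC_DISPLAY and APPLY are the script's own variables, the unit text is the one from step 3 with the user name substituted in, and the ss output used for the self-check is constructed for the example.

```shell
#!/bin/sh
# setup-vnc-loopback.sh: the RHEL 7 server-side procedure above as one script.
# Added example, not from the original post. Assumptions: systemd, TigerVNC's
# vncserver@.service template layout, a GNOME desktop already installed, and the
# VNC password already set with vncpasswd for the user. VNC_USER, VNC_DISPLAY and
# APPLY are this script's own variables. Without APPLY=1 it is a dry run that
# only prints the unit it would install and runs a self-check on sample data.

VNC_USER="${VNC_USER:-opc}"
VNC_DISPLAY="${VNC_DISPLAY:-1}"

# Render the systemd instance unit for a user. The user name is substituted in
# both places it is needed (runuser and PIDFile), and -localhost keeps Xvnc on
# the loopback interface so only an SSH tunnel can reach it.
render_unit() {
    user="$1"
    cat <<EOF
[Unit]
Description=Remote desktop service (VNC) for ${user}
After=syslog.target network.target

[Service]
Type=forking
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/usr/sbin/runuser -l ${user} -c "/usr/bin/vncserver %i -geometry 1280x1024 -localhost"
PIDFile=/home/${user}/.vnc/%H%i.pid
ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'

[Install]
WantedBy=multi-user.target
EOF
}

# Read `ss -tln` output on stdin and succeed only if the given TCP port has at
# least one listener and every listener is on a loopback address. A 0.0.0.0, *
# or [::] binding is exactly the exposure -localhost is meant to prevent; no
# listener at all means the service did not come up.
loopback_only() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4; sub(/:[0-9]+$/, "", addr)   # local address without the port
            p = $4;    sub(/.*:/, "", p)           # the port alone
            if (p == port) {
                seen++
                if (addr != "127.0.0.1" && addr != "[::1]") bad++
            }
        }
        END { exit (seen > 0 && bad == 0) ? 0 : 1 }'
}

# Sample `ss -tln` output, constructed for this example: display :1 correctly
# on loopback (IPv4 and IPv6), display :2 wrongly on every interface, and sshd.
SAMPLE_SS='State   Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN  0      5      127.0.0.1:5901       *:*
LISTEN  0      5      [::1]:5901           [::]:*
LISTEN  0      5      0.0.0.0:5902         *:*
LISTEN  0      128    *:22                 *:*'

# Run loopback_only against the sample (used by the dry run as a self-check).
check_sample() {
    printf '%s\n' "$SAMPLE_SS" | loopback_only "$1"
}

# Install, write the unit, enable and start the service, then verify the bind.
apply() {
    port=$((5900 + VNC_DISPLAY))
    sudo yum -y install tigervnc-server
    render_unit "$VNC_USER" | sudo tee "/etc/systemd/system/vncserver@:${VNC_DISPLAY}.service" >/dev/null
    sudo systemctl daemon-reload
    sudo systemctl enable "vncserver@:${VNC_DISPLAY}"
    sudo systemctl start "vncserver@:${VNC_DISPLAY}"
    if ss -tln | loopback_only "$port"; then
        echo "OK: display :${VNC_DISPLAY} listens on loopback only (port ${port})"
    else
        echo "WARNING: port ${port} is missing or bound to a non-loopback address" >&2
        return 1
    fi
}

if [ "${APPLY:-0}" = "1" ]; then
    apply
else
    render_unit "$VNC_USER"
    check_sample 5901 && echo "self-check passed: sample :5901 is loopback only"
fi
```

Run it as VNC_USER=opc VNC_DISPLAY=1 APPLY=1 sh setup-vnc-loopback.sh on the instance; without APPLY=1 it just prints the unit so you can review it first. The post-start check is the part worth keeping even if you set things up by hand: a typo in the ExecStart line silently drops -localhost, and the only symptom is a VNC port listening on every interface.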
RHEL 6/ OEL 6/ CentOS 6 OCI Instances
The VNC configuration is different on older RHEL based systems, which use SysV init instead of systemd. You may follow the steps below to set up a secure VNC server there.
1. Install VNC server packages
$ sudo yum install -y vnc-server xorg-x11-fonts-Type1
(On EL6 yum resolves the name vnc-server to the tigervnc-server package.)
2. Update the VNC server parameters in /etc/sysconfig/vncservers as follows. VNCSERVERS lists display:user pairs and VNCSERVERARGS[n] holds the options for display n; again, -localhost keeps the server off the network interfaces:
$ cat /etc/sysconfig/vncservers
VNCSERVERS="1:opc"
VNCSERVERARGS[1]="-geometry 640x480 -localhost"
3. Set VNC password
Log in as the user opc (switching with sudo, as opc has no password of its own) and set up the VNC password:
$ sudo su - opc
$ vncpasswd
4. Start VNC server
$ sudo service vncserver start
Enable it at boot as well:
$ sudo chkconfig vncserver on
Set up your clients to connect to the VNC server.
We have set up the VNC server to be available only via a secure tunnel. As such, we need to create an SSH tunnel from the client to the server before you can access the VNC session.
1. Set up an SSH tunnel on your client machine
On macOS/Linux clients, you may set up an SSH tunnel as follows:
$ ssh -i /path/to/key -L 5901:localhost:5901 -N -f opc@IP
This forwards TCP port 5901 on your client to port 5901 on the instance's loopback interface (the "localhost" in the -L argument is resolved on the server side, which is where Xvnc is listening). By default ssh binds the client end to 127.0.0.1 only (unless GatewayPorts is enabled in your client configuration), so nobody else on your network can use your tunnel. -N opens no remote shell and -f puts ssh in the background; to close the tunnel later, find that ssh process with ps and kill it.
On Windows clients, you may set up SSH tunnelling using PuTTY. Start PuTTY and under Connection -> SSH -> Tunnels add:
Source port: 5901
Destination: localhost:5901
Then click "Add" to create the port forwarding (the entry is not saved until you click "Add"), and connect to your server at its IP address on port 22 via PuTTY.
You can now reach your instance from any VNC client by connecting to localhost:5901; the connection goes through the tunnel to the server's loopback port, and the VNC password you set with vncpasswd is what the client will ask for.
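The client side of the setup as a small script, added here as an example; it is my code, not the post's or OpenSSH's own. It does the same thing as the ssh command above but pins the client end of the forward to 127.0.0.1 explicitly, makes ssh fail if local port 590X is already taken (ExitOnForwardFailure), and runs the tunnel through a ControlMaster socket so it can be closed cleanly afterwards instead of being hunted down in ps. The user@host, key path, display number and VNC_VIEWER variable are the script's own assumptions.

```shell
#!/bin/sh
# vnc-tunnel.sh: open the SSH tunnel for a VNC display, run the viewer, close
# the tunnel. Added example, not from the original post. Assumptions: an OpenSSH
# client, a viewer named by $VNC_VIEWER (default vncviewer), and a server set up
# with -localhost as above. Everything else here is this script's own.
#   usage: sh vnc-tunnel.sh opc@IP /path/to/key [display]

# Forwarding spec for a display number. The client end is pinned to 127.0.0.1
# explicitly (that is ssh's default unless GatewayPorts is set in ssh_config,
# but being explicit does not depend on the client's config); the server end is
# localhost because Xvnc only listens there.
forward_spec() {
    port=$((5900 + ${1:-1}))
    echo "127.0.0.1:${port}:localhost:${port}"
}

# Control socket for the tunnel. With a ControlMaster socket the tunnel is
# closed with `ssh -O exit` instead of killing a backgrounded `ssh -f -N` by hand.
control_path() {
    echo "${TMPDIR:-/tmp}/vnc-tunnel-$(id -u)-${1:-1}.sock"
}

# tunnel_up user@host keyfile display
# ExitOnForwardFailure makes ssh fail loudly if local port 590X is already in
# use; without it ssh stays up with no forwarding and the viewer would connect
# to whatever else owns the port.
tunnel_up() {
    ssh -i "$2" -o ControlMaster=yes -o ControlPath="$(control_path "$3")" \
        -o ExitOnForwardFailure=yes -L "$(forward_spec "$3")" -N -f "$1"
}

# tunnel_down user@host display
tunnel_down() {
    ssh -o ControlPath="$(control_path "$2")" -O exit "$1"
}

main() {
    target="$1"; key="$2"; display="${3:-1}"
    tunnel_up "$target" "$key" "$display" || exit 1
    # The viewer talks to the local end of the tunnel, never to the instance's
    # public address; the tunnel is torn down when the viewer exits.
    "${VNC_VIEWER:-vncviewer}" "127.0.0.1:$((5900 + display))"
    tunnel_down "$target" "$display"
}

if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Usage: sh vnc-tunnel.sh opc@IP /path/to/key 1. If the viewer fails to connect, check the tunnel first with ssh -o ControlPath=/tmp/vnc-tunnel-UID-1.sock -O check opc@IP; a tunnel that is up with a VNC server that refuses the connection almost always means the service on the instance is not running or is listening on a different display.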