Catalina: cannot use vnc://localhost:port to connect remote linux through SSH tunnel

Hello all!


In our university we have a students' lab with 200+ Linux machines running Ubuntu-18.04 with Xvnc as the VNC server listening on port 5900. Access to the lab is only allowed by opening port 22 (ssh) on demand in the lab's firewall.


We want to allow students to access those computers via VNC through SSH tunnels, so they just open a terminal on the Mac and use the "standard recipe" to create such a tunnel:


ssh -L 5999:127.0.0.1:5900 -N -f user@remote.linux.host

And then try to connect by means of the command "open vnc://127.0.0.1:5999"


But in OSX-Catalina "open vnc://127.0.0.1:5999" does not work: the VNC connection is caught by the Remote Sharing software and a password to get local screen access is requested. This always happens, regardless of the Remote Sharing or Remote Management activation state.


I know that Mac Remote Sharing uses port 5900, so I've avoided this (local) port and checked different ports with no luck: the vnc request is always caught when either host 127.0.0.1 or localhost is typed, regardless of port number.


We've also tried the vnc URI syntax as stated in RFC 7896 (RFC URI scheme)

https://tools.ietf.org/html/rfc7869 by means of the parameters ChannelType, SshHost, SshPort, and so on, also with no luck: it seems that MacOSX Catalina does not comply with RFC 7896.


By the way: using an alternate VNC Viewer (TigerVNC+XQuartz) everything works as expected

with any of these commands: ( notice the double colon to select port, not display )

  • vncviewer localhost::5999 ( using the created ssh tunnel )
  • vncviewer remotehost::5900 -via user@remotehost ( create ssh tunnel "on the fly" )


So my questions:

  • Which parts of RFC 7896 are handled by Apple's OSX-Catalina implementation of vnc:// uri ?
  • How can I establish a VNC-through-SSH-tunnel in Catalina to connect to a remote Linux box _without_ using an alternate VNC Viewer, but with the native "open vnc://" mechanism?
  • How can I bypass the catching of the "vnc://localhost" request by the Remote Sharing engine to get it working as expected?


Thanks in advance

Juan Antonio Martínez

iMac 27″, macOS 10.13

Posted on Aug 3, 2020 12:35 PM

2 replies

Aug 4, 2020 4:27 AM in response to jonsito

( cannot edit previous response :-( )

Yes: I can set "SecurityTypes=VncAuth,None" in the Xvnc server, add "laboratorio" as a public fake vnc password and use "open vnc://laboratorio:laboratorio@localhost:5999" to access the remote Ubuntu machines from the Mac, but this seems to me too dirty.


So I ask for a way to set "SecurityTypes=None" in the client vnc request

Aug 4, 2020 3:41 AM in response to jonsito

SOLVED (partially):


It seems that Apple's RemoteSharing VNC Client always requests the server password regardless of the VNC server configuration


My server had SecurityTypes=None, as the students already provide username/password several times:

  • To request access in the firewall to our lab by means of our lab access webapp
  • To open the SSH tunnel from the user's laptop to the assigned computer in our students' lab
  • To enter login/password in the GDM session login on the lab's assigned remote computer


So adding an additional password request for opening the VNC session seems to me ridiculous and redundant


With VncViewer I can add a command-line option "-SecurityTypes=None" to bypass password request.

So a new question:

  • How can I bypass the password request from Remote Sharing when the VNC server does not require password access?

That is: what's the equivalent of the "-SecurityTypes=None" command line option in vncviewer for the "open vnc://" command


Thanks in advance

Juan Antonio
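
To see which security types the server at the far end of the tunnel actually advertises (None, VncAuth or both), independently of any viewer, the opening of the RFB handshake can be read directly. This is an added example, not part of the original thread; `probe_security_types`, `recv_exact` and `fake_xvnc` are hypothetical names, and the loopback server is a constructed stand-in so the script runs offline.

```python
import socket
import struct
import threading

SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VncAuth", 16: "Tight", 18: "TLS", 19: "VeNCrypt"}

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during RFB handshake")
        buf += chunk
    return buf

def probe_security_types(host, port, timeout=5.0):
    """Return (server banner, offered security type names); never authenticates."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = recv_exact(s, 12)                      # e.g. b"RFB 003.008\n"
        if not (banner.startswith(b"RFB ") and banner.endswith(b"\n")):
            raise ValueError(f"not an RFB server: {banner!r}")
        minor = int(banner[8:11])
        # Reply with the highest of 3.3 / 3.7 / 3.8 that the server also speaks.
        s.sendall(b"RFB 003.%03d\n" % (8 if minor >= 8 else 7 if minor == 7 else 3))
        if minor < 7:                                   # 3.3: server picks one type (U32)
            types = [struct.unpack(">I", recv_exact(s, 4))[0]]
        else:                                           # 3.7+: count byte, then the list
            count = recv_exact(s, 1)[0]
            if count == 0:                              # refusal: U32 length + reason text
                (n,) = struct.unpack(">I", recv_exact(s, 4))
                raise ConnectionError(recv_exact(s, n).decode("utf-8", "replace"))
            types = list(recv_exact(s, count))
        return banner.decode("ascii").strip(), [SECURITY_TYPES.get(t, f"unknown({t})") for t in types]

def fake_xvnc(types=(1, 2)):
    """Constructed loopback stand-in for the tunnelled Xvnc; returns its port."""
    srv = socket.create_server(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"RFB 003.008\n")
            recv_exact(conn, 12)                        # client's version reply
            conn.sendall(bytes([len(types), *types]))
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    print(probe_security_types("127.0.0.1", fake_xvnc()))
```

With the `ssh -L 5999:127.0.0.1:5900` tunnel from the first post open, `probe_security_types("127.0.0.1", 5999)` reports the banner and security types of whatever is answering on that local port.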

