3 Replies Latest reply: Mar 30, 2011 11:15 AM by BobHarris
nebulous_force Level 1 Level 1 (0 points)
I am attempting to tunnel a VNC connection over ssh. I'm a bit of a noob here, so don't expect that I know everything about it. I've read up on it and watched some tutorials. I'm doing this through a university network, so I guess there might be issues with that. Basically I have an Ubuntu desktop running Maverick 10.10 with the Remote Desktop Preferences enabled to do remote administration. I also have ssh enabled and running. I can ssh into it from my Mac fine using the Ubuntu IP address. I get the shell and everything. But once I enter this:

ssh -NL 1234:laptopmac:5900 ubuntubox@my.public.ip.address

and then try to connect on the localhost port using Chicken of the VNC, I get this:

channel 2: open failed: administratively prohibited: open failed

I tried disabling the firewall on my Mac as well as Little Snitch. My Ubuntu desktop is connected to a router, but I did open and enable ports 22 and 5900. I have read through some other sites that say maybe I have to edit the ssh config file, but it doesn't seem clear if it applies in this case.

Another thing is that I'm able to connect using Screen Sharing over my own network when at the dorm. I am also able to connect with Chicken of the VNC over the local network. I just can't do this over the internet tunneled over ssh. I haven't tried without tunneling yet. I also tried to log into my administrator account and it was giving me the same error. I'm not sure if I tried logging in with sudo yet from the Mac terminal. I know that you can basically do the same thing with TeamViewer (on iPhone too). I plan on using that as well in the future, but I want to learn how to use this as well as tunnel with ssh.

MacBook Pro 17" 2.53 GHz Intel Core i5 4GB Ram 500GB HD Early 2010, Mac OS X (10.6.7), iPhone 3G S 32GB-Ubuntu PC 2.7 GHz AMD Athlon Dual Core, 500GB 7200RPM, 4GB RAM
  • BobHarris Level 6 Level 6 (15,385 points)
    The ssh tunnel should look like:

    ssh -N -L 22590:localhost:5900 username@ubuntu.public.address

    If you were really using 1234, then you were most likely trying to use a privileged port without being root. I think the current privileged port range is 1-4096 (I could be wrong).

    Instead of laptopmac use localhost.

    Then connect using:

    vnc://localhost:22590

    Or in Chicken specify Host: localhost, and port as 22590.

    NOTE: 22590 can be any port greater than the privileged port range. I chose the 22 to remind me it is associated with ssh, and the 590 to remind me it is related to the 5900 VNC port. You can choose any high numbered port as long as it is not a privileged port and does not steal a port that is currently in use on your local system.

    The first port number is the port for the client system's end of the tunnel (e.g. 22590).

    The localhost:5900 pair is sent to the ubuntu system, where it is resolved.

    The reason for localhost:5900 being passed to the ubuntu system is that ssh allows the ubuntu system to be a gateway to a 3rd system. So you could have said -L 22590:system.visible.to.ubuntu:5900, which would allow the ubuntu system to forward your tunnel traffic to a system that is only visible to the ubuntu system. However, if the ubuntu system is the destination for the tunnel traffic, then you specify 'localhost' so that the ubuntu system passes your port 5900 traffic to itself.

    So the vnc://localhost:22590 'localhost' is NOT the same as the -L 22590:localhost:5900 'localhost'. The first is being resolved on the client system so that your VNC client will talk to the local end of your tunnel. The second tells the ubuntu system that tunnel traffic it receives should be sent to its own port 5900, and not to some 3rd system.

    By the way, Terminal, Unix, X11, and command-line command (ssh, rsync, etc.) questions are best asked in the Mac OS X Technologies > Unix Forum
    <http://discussions.apple.com/forum.jspa?forumID=735>
  • nebulous_force Level 1 Level 1 (0 points)
    Seems to be working. Thanks a bunch. This will be so cool to do. I shall remember to post about these kinds of topics in those forums from now on. So this is a secure way of doing it, correct? If I were to command-k then enter

    vnc://localhost:22590

    it would be using the localhost tunnel end, right? Either way is just as secure? You're saying I could have my Ubuntu system go into yet another system? VNC within VNC or something? Crazy. Sorry about the questions. It's working. I'll test a few different areas and see if it stays working.
  • BobHarris Level 6 Level 6 (15,385 points)
    So this is a secure way of doing it, correct?

    Yes

    If I were to command-k then enter

    vnc://localhost:22590

    it would be using the localhost tunnel end, right?

    Yes

    You can also (from a 2nd terminal session window) enter

    open vnc://localhost:22590

    Either way is just as secure?

    Yes

    You're saying I could have my Ubuntu system go into yet another system? VNC within VNC or something? Crazy.

    The Ubuntu system can be a gateway to a 3rd system. But NOT VNC within VNC. Rather using

    ssh -L 22590:3rd.system.address:5900 username@ubuntu.public.address

    will create a secure tunnel between you and the ubuntu system. As your VNC packets come out of the remote end of the tunnel, the ubuntu system will forward those packets to the 3rd.system.address port 5900. From the ubuntu system to the 3rd.system.address these packets will NOT be in the tunnel. They will be just ordinary packets on the network from ubuntu to 3rd.system.address.

    The use of this gateway configuration is when the middle system is acting as a gateway between the public network and systems not normally visible, and it is assumed that the network between the gateway system and the 3rd system is in a secure environment (that is to say, everyone behind the gateway is trusted, just like you would trust the other members of your family at home).

    Sorry about the questions. It's working. I'll test a few different areas and see if it stays working.

    No problem.
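Both of BobHarris's replies above turn on how the three parts of `-L localport:host:hostport` are split between the Mac and the Ubuntu box. As an added example that is not from this thread, this POSIX shell snippet parses such a spec, reports which side resolves the host part (flagging that a third-system hop travels outside the tunnel), checks that the local port is outside the Unix privileged range (0-1023) and not already listening, and prints the ssh line to run. The helper names and the use of lsof are my assumptions; the addresses and port 22590 are the thread's own placeholders.

```shell
# Added example, not from the thread: parse an "ssh -L" forward spec the way
# the replies explain it, check the local port, and build the ssh command.
# Host names and port 22590 follow the thread; the helper names are assumed.

# explain_forward localport:host:hostport
# The first port is opened on the client (the Mac); host:hostport is handed
# to the ssh server (the Ubuntu box), which resolves it from its own view.
explain_forward() {
    spec=$1
    lport=${spec%%:*}
    rest=${spec#*:}
    rhost=${rest%%:*}
    rport=${rest#*:}
    if [ "$rhost" = "localhost" ] || [ "$rhost" = "127.0.0.1" ]; then
        target="the ssh server itself, port $rport"
    else
        # Gateway case: the last hop is ordinary traffic, outside the tunnel.
        target="$rhost port $rport, sent from the server unencrypted"
    fi
    printf 'client listens on localhost:%s -> server delivers to %s\n' \
        "$lport" "$target"
}

# local_port_ok port: succeed when the port is numeric, above the Unix
# privileged range 0-1023 (so no root is needed) and not already listening.
local_port_ok() {
    port=$1
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1024 ] && [ "$port" -le 65535 ] || return 1
    # lsof exists on macOS and most Linux; if it is absent, skip the busy check.
    if command -v lsof >/dev/null 2>&1; then
        lsof -nP -iTCP:"$port" -sTCP:LISTEN >/dev/null 2>&1 && return 1
    fi
    return 0
}

# tunnel_cmd localport host user@server: the ssh line for one Terminal window;
# the VNC client then opens vnc://localhost:<localport> in another.
tunnel_cmd() {
    printf 'ssh -N -L %s:%s:5900 %s\n' "$1" "$2" "$3"
}

# Usage for the thread's own case (VNC running on the Ubuntu box itself).
if local_port_ok 22590; then
    explain_forward 22590:localhost:5900
    tunnel_cmd 22590 localhost ubuntubox@ubuntu.public.address
fi
```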