For security, I always want to run VNC under SSH. There are a few articles on how to do this on various parts of the net, but most are either too wordy or too general, or both. This shows how to do just one thing: run a VNC client locally that connects to a remote VNC server through an SSH tunnel. This article assumes you already know something about running VNC and SSH, just not one on top of the other.
In brief, the way this works is that you log into the host machine over SSH as you normally do, but you tell that system that you are also going to tunnel the VNC port through your SSH session. On the client system, you then send VNC messages through the SSH tunnel you have already set up. For this example, I use "example.com" as the host machine, I assume that VNC is launched with "vncserver :1" there, and that port 15901 on your client machine is not in use.
There are three steps:
- On the host machine, add "-localhost" to the configuration file (which is normally ~/.vnc/config).
- On the client machine, use the command "ssh -l remoteusername -L 15901:localhost:5901 example.com" to log into the remote server and start the tunnel.
- Point your VNC client to localhost:15901 (that is, port 15901 on your client machine).
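The three steps above wrapped in a small POSIX shell script, as an added example that is not part of the original article. The user name, host, display number and local port are assumptions taken from the article's example values and can be overridden through environment variables; the config check expects a local copy of the host's ~/.vnc/config.

```shell
#!/bin/sh
# Added example (not from the article). Defaults are assumptions matching
# the article's example values; override them for your own host.
REMOTE_USER="${REMOTE_USER:-remoteusername}"
REMOTE_HOST="${REMOTE_HOST:-example.com}"
VNC_DISPLAY="${VNC_DISPLAY:-1}"       # "vncserver :1" on the host
LOCAL_PORT="${LOCAL_PORT:-15901}"     # unused port on the client machine

# VNC display :N listens on TCP port 5900+N, so :1 is 5901.
vnc_port_for_display() {
    echo $((5900 + $1))
}

# The ssh command from the article, built from user, host, display, local port.
build_tunnel_cmd() {
    echo "ssh -l $1 -L $4:localhost:$(vnc_port_for_display "$3") $2"
}

# Check a copy of the host's ~/.vnc/config: the tunnel only locks the server
# down if it refuses non-loopback connections ("-localhost" / "localhost").
config_has_localhost() {
    grep -Eq '^[[:space:]]*-?localhost([[:space:]=]|$)' "$1"
}

# Is the chosen local port already in use on this machine? Uses ss or netstat.
local_port_free() {
    if command -v ss >/dev/null 2>&1; then
        ! ss -ltn 2>/dev/null | awk '{print $4}' | grep -q ":$1\$"
    elif command -v netstat >/dev/null 2>&1; then
        ! netstat -an 2>/dev/null | grep -Eq "^tcp.*[.:]$1[[:space:]].*LISTEN"
    else
        return 0  # no tool to check with; assume it is free
    fi
}

# Log in and start the tunnel; then point the VNC client at localhost:LOCAL_PORT.
run_tunnel() {
    if ! local_port_free "$LOCAL_PORT"; then
        echo "port $LOCAL_PORT is in use here; set LOCAL_PORT to a free one" >&2
        return 1
    fi
    echo "VNC client target: localhost:$LOCAL_PORT" >&2
    ssh -l "$REMOTE_USER" \
        -L "$LOCAL_PORT:localhost:$(vnc_port_for_display "$VNC_DISPLAY")" \
        "$REMOTE_HOST"
}

# Only start the tunnel when asked, so sourcing this file just defines functions.
if [ "${START_TUNNEL:-0}" = "1" ]; then
    run_tunnel
fi
```

Run it with START_TUNNEL=1 to log in and open the tunnel; the SSH session stays in the foreground, so closing it tears the tunnel down.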
If you are like most people, you trust the security of your SSH setup on the server more than you do your VNC setup. For example, you might require RSA certificates for client authentication for SSH on that server, and you want to require that as well before you even get to the normal VNC authentication. Using "-localhost" in the server configuration, you lock down your VNC server by having it only accept local connections.
The above works fine for people running MacOS or Linux, or Windows with Cygwin installed. Other Windows users need to do something more. If you don't want to install Cygwin, you can get the wonderful PuTTY terminal program for Windows; PuTTY includes an SSH client. To set up PuTTY as above, first enter the basic information (the remote host and your user name) on the main page.
Then in the Connection → SSH → Tunnels panel, enter 15901 as the source port and localhost:5901 as the destination, and click "Add".
Be sure to save your session settings; PuTTY doesn't do so automatically. Also, check out some of PuTTY's other SSH options, such as compression, supplying your user name automatically, and logging in with your public key.
Hat tip to John Levine for the idea of using localhost.