[Gloucs] SSH forwarding without a shell
Glyn Davies
glynd at walmore.com
Tue Jul 3 00:10:45 BST 2007
Glyn Davies wrote:
> Matthew Booth wrote:
>> On Mon, 2007-07-02 at 22:40 +0100, Glyn Davies wrote:
>>
>>> Can anyone think of a way of doing this?
>>>
>>> I need to let someone in behind my firewall to a VNC server. Rather
>>> than expose the VNC port to the Internet, I'd rather tunnel the VNC
>>> session over SSH and let the SSH server be responsible for the
>>> security side of things. The final thing is I want the user
>>> connecting in to only be able to tunnel a VNC session to the chosen
>>> VNC server and nothing else (i.e. no getting a shell on the SSH
>>> server, etc). OK, once inside on the VNC server it's open season on
>>> the network, but at least the server will be 'safe'. If it's not
>>> clear from the above, the Linux box running SSH and the Windows box
>>> (boo!) running VNC server are separate machines.
>>>
>>
>> For pt 1, have a look in 'man vncviewer' at the -via option. Pt 2 will
>> require me to set up VNC to play with options ;)
>>
>> Matt
>>
> Hmmm. Not seen the -via option before. However, given the client is
> Windows that option may or may not be available. But cheers. Learn
> something new etc etc.
>
> I think Pt 2 is more to do with the SSH server rather than VNC server.
> The best I can think of so far is a restricted account.
>
Hmmmm and Hmmmm again. Just had another thought. The person connecting
in has a fixed IP so I could set the Internet facing router to forward
TCP packets on port 5901 from the fixed IP (and only that IP) to the
Windows box. No SSH required. Question is, is that secure enough? The
modem/router is pretty cheap (Zoom X5) so I doubt it sets any records for
security. Also, as described can it be easily fooled? One for all you
security dudes.
--
Best Regards
Glyn Davies
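
The "restricted account" idea above can be expressed with per-key options in OpenSSH's `authorized_keys` file. The following is an added example, not part of the original thread: a small auditor that reports what a key line still permits beyond forwarding to one VNC destination. The function names, the placeholder key material and the address 192.0.2.10 (standing in for the Windows box) are assumptions made for illustration.

```python
import re

# Added example; split_options/audit are illustrative names, not an OpenSSH API.
# One option: name, or name="value" (value may hold commas and escaped quotes).
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?(?:,|$)')
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")

def split_options(line):
    """Return [(name, value)] from the options field of an authorized_keys line."""
    line = line.strip()
    if line.startswith(KEY_TYPES):          # line begins with the key: no options
        return []
    in_quotes = escaped = False
    end = len(line)
    for i, ch in enumerate(line):           # options end at first unquoted space
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            end = i
            break
    return [(m.group(1).lower(), m.group(2)) for m in OPTION.finditer(line[:end])]

def audit(line, allowed):
    """List what this key permits beyond forwarding to the allowed host:port set."""
    opts = split_options(line)
    names = {n for n, _ in opts}
    targets = {v for n, v in opts if n == "permitopen"}
    locked = "restrict" in names            # 'restrict' turns every feature off
    problems = []
    if "no-port-forwarding" in names or (locked and "port-forwarding" not in names):
        problems.append("port forwarding disabled: the tunnel cannot work")
    if not targets:
        problems.append("no permitopen: any destination may be forwarded")
    problems += [f"extra destination {t}" for t in sorted(targets - allowed)]
    if "command" not in names:
        problems.append("no forced command: shell and remote commands available")
    for feat in ("pty", "agent-forwarding", "x11-forwarding"):
        if feat in names or not (locked or "no-" + feat in names):
            problems.append(feat + " allowed")
    return problems

# Constructed sample lines; key material is a placeholder, host is a documentation IP.
VNC = {"192.0.2.10:5901"}
OPEN = "ssh-ed25519 AAAA_PLACEHOLDER guest@example"
TIGHT = ('command="/bin/false",no-pty,no-agent-forwarding,no-X11-forwarding,'
         'permitopen="192.0.2.10:5901" ssh-ed25519 AAAA_PLACEHOLDER guest@example')
```

`audit(TIGHT, VNC)` returns an empty list, while `audit(OPEN, VNC)` lists five findings. With a key restricted like `TIGHT`, the client connects with `ssh -N -L` so that no remote command is requested.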