[Gloucs] SSH forwarding without a shell

David Corking lists at dcorking.com
Tue Jul 3 14:00:34 BST 2007


On 7/3/07, Glyn Davies <glynd at walmore.com> wrote:
> Glyn Davies wrote:
> > Matthew Booth wrote:
> >> On Mon, 2007-07-02 at 22:40 +0100, Glyn Davies wrote:
> >>
> >>> Can anyone think of a way of doing this.
> >>>
> >>> I need to let someone in behind my firewall to a VNC server. Rather
> >>> than expose the VNC port to the Internet, I'd rather tunnel the VNC
> >>> session over SSH and let the SSH server be responsible for the
> >>> security side of things. The final thing is I want the user
> >>> connecting in to only be able to tunnel a VNC session to the chosen
> >>> VNC server and nothing else (i.e. no getting a shell on the SSH
> >>> server, etc). OK, once inside on the VNC server it's open season on
> >>> the network, but at least the server will be 'safe'. If it's not
> >>> clear from the above, the Linux box running SSH and the Windows box
> >>> (boo!) running VNC server are separate machines.
> >>>
> >>
> >> For pt 1, have a look in 'man vncviewer' at the -via option. Pt 2 will
> >> require me to setup VNC to play with options ;)
> >>
> >> Matt
> >>
> > Hmmm. Not seen the -via option before. However, given the client is
> > Windows that option may or may not be available. But cheers. Learn
> > something new etc etc.
> >
> > I think Pt 2 is more to do with the SSH server rather than VNC server.
> > The best I can think of so far is a restricted account.
> >
> Hmmmm and Hmmmm again. Just had another thought. The person connecting
> in has a fixed IP so I could set the Internet facing router to forward
> TCP packets on port 5901 from the fixed IP (and only that IP) to the
> Windows box. No SSH required. Question is, is that secure enough. The
> modem/router is pretty cheap (Zoom X5) so I doubt it set any records for
> security. Also, as described can it be easily fooled. One for all you
> security dudes.

Hopefully AndyC's suggestion of forced commands can do what you want -
I am afraid I have never tried that.

If not, did you eliminate the option of running sshd on the Windows
box?  If so, why?

David
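The forced-command / restricted-account approach mentioned in this thread, written out as an added example (not part of the original mailing-list post): an authorized_keys entry that lets a key open a tunnel to one VNC endpoint and nothing else, a matching sshd_config block that enforces the same policy for the account regardless of which keys are added later, and a small audit helper that flags keys without the forwarding restriction. The host address, port, account name and key material are constructed placeholders; the option names are OpenSSH's own (`restrict` needs OpenSSH 7.2 or later).

```shell
#!/bin/sh
# Added example for restricting an SSH account to a single VNC tunnel.
# Not from the thread; every host, user and key value here is constructed.

VNC_HOST="192.0.2.10"      # constructed: the Windows box running the VNC server
VNC_PORT="5901"            # VNC display :1
TUNNEL_USER="vnctunnel"    # constructed: dedicated gateway account for the guest

# One authorized_keys line for the guest's key.
#   restrict         turns off pty, agent/X11 forwarding, user rc and any future
#                    capabilities in one go
#   port-forwarding  re-enables TCP forwarding only
#   permitopen       narrows -L forwarding to the VNC host:port
#   command          whatever the client asks to run, /bin/false runs instead
authorized_keys_entry() {
  # $1 = public key text, e.g. "ssh-ed25519 AAAA... comment"
  printf 'restrict,port-forwarding,permitopen="%s:%s",command="/bin/false" %s\n' \
    "$VNC_HOST" "$VNC_PORT" "$1"
}

# Server-side backstop in sshd_config: the same policy applied to the account
# itself, so an unrestricted key added later still cannot get a shell or reach
# other hosts, and the account cannot be reached by password guessing.
sshd_match_block() {
  cat <<EOF
Match User $TUNNEL_USER
    PasswordAuthentication no
    AllowTcpForwarding local
    PermitOpen $VNC_HOST:$VNC_PORT
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false
EOF
}

# Audit helper: print the line numbers of authorized_keys entries that carry no
# permitopen restriction (comments and blank lines are ignored).
unrestricted_keys() {
  # $1 = path to an authorized_keys file
  awk '!/^[[:space:]]*(#|$)/ && !/permitopen=/ { print NR }' "$1"
}

# Client side (the guest's machine), for reference:
#   ssh -N -L 5901:192.0.2.10:5901 vnctunnel@gateway.example
# then point the VNC viewer at localhost:5901. The -N flag matters: the forced
# command exits immediately, so a client that requests a session would be
# disconnected and lose the tunnel.
```

Because `/bin/false` is the forced command, the guest must connect with `ssh -N`; a forced command that sleeps would also work but keeps an idle session channel open for no benefit. The audit helper is intentionally strict: on a gateway whose only job is this tunnel, any key without `permitopen` is worth a look.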


