Remote GUI access with ssh and vnc
It is a simple matter to set up secure fully encrypted remote access to one or more of your machines and control its desktop from a remote site.
Obviously your servers should be non-gui machines, both for security and bandwidth reasons. But there are times when you may wish to securely access one of the machines behind your firewall utilizing its desktop gui. Here's how (as always, I assume you are using a real OS rather than, well, the stuff that comes preinstalled on most computers):
remote machine = the one you will be using to control server
server machine = the one running the desktop you will be controlling remotely
ssh = (free open source) software which will securely encrypt any communication between the two machines
vnc = (free open source) software which allows one machine to control another through the command line
krc = (free open source) software to run a remote desktop session
For this example, I assume you are running the KDE desktop on the remote and server machines:
- First make sure you have encrypted command line communication (ssh) working.
- Next make sure the base software is installed on the server. I have found tightvnc to be a good vnc version.
apt-get install tightvncserver
- Edit ~/.vnc on the server to contain:
#!/bin/sh
[blank line]
startkde &
Okay - installation is now complete. To actually set up the connection once you have installed things:
- On the remote make an ssh connection as follows:
ssh -p 22 -L 5902:localhost:5901 x.x.x.y
where x.x.x.y is the IP of the server
You will be asked for a password - enter it (the channel is secure).
- You will now be connected via the command line from the remote to the server over an encrypted channel.
All that is left is to make the connection into a gui rather than command line:
On the server type:
tightvncserver :1 -nevershared -name the-name-of-your-server
- And finally, on the remote start KRC running, and enter this into the box that appears:
localhost:5902
Congratulations, you can now securely control your server's desktop from anywhere in the world as if you were sitting right at its console. SSH assures that even if someone is monitoring the line, they will not be able to do anything since the connection is tightly encrypted.
Other things you might want to do:
- Set up ssh to use very high encryption (modify /etc/ssh/sshd_config)
- Set up ssh to refuse any and all attempts at a root connection (ibid)
- Set up tightvnc to minimize bandwidth use
- Use non-standard ports. Switch ssh to some port unlikely to be monitored (i.e. not port 22)
All of this is very straightforward, but when in doubt, you may wish to RTFM.
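
The ssh items in the list above (encryption, root login, port) can be checked mechanically. The script below is an added example, not part of the original page: it audits an sshd_config for those three settings. The function names, the sample file and the choice of which ciphers count as legacy (CBC, 3DES, arcfour) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original page): audit an sshd_config for the
# hardening items listed above. Only global settings are read: parsing stops
# at the first Match block and Include files are not followed (assumption).

# values FILE KEYWORD -> every global value of KEYWORD, lowercased, one per line.
# Keywords are case-insensitive; "Keyword value" and "Keyword=value" both parse.
values() {
    awk -F'[ \t=]+' -v kw="$2" '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == kw { print tolower($2) }
    ' "$1"
}

# audit_sshd_config FILE -> one line per finding; exit status 1 if any FAIL.
audit_sshd_config() {
    rc=0
    # sshd keeps the first value it sees for single-valued keywords.
    root=$(values "$1" permitrootlogin | head -n 1)
    ciphers=$(values "$1" ciphers | head -n 1)
    ports=$(values "$1" port)   # Port may repeat; sshd listens on all of them
    if [ "$root" != "no" ]; then
        echo "FAIL PermitRootLogin is '${root:-unset}'; set it to 'no'"; rc=1
    fi
    if [ -z "$ports" ] || echo "$ports" | grep -qx 22; then
        echo "NOTE sshd listens on the default port 22"
    fi
    case "$ciphers" in
        "") echo "NOTE Ciphers not set; the OpenSSH build defaults apply" ;;
        -*) ;;  # a leading '-' only removes ciphers from the default list
        *cbc*|*3des*|*arcfour*)
            echo "FAIL Ciphers allows a legacy algorithm: $ciphers"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample config, for demonstration only.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'Port 22' 'permitrootlogin yes' \
    'Ciphers aes256-ctr,aes128-cbc' 'PermitRootLogin no' > "$sample"
audit_sshd_config "$sample" || true
rm -f "$sample"
```

On a live server, sshd -T (run as root) prints the effective configuration, including any Include files; save that output to a file and pass it to audit_sshd_config.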
