VNC Policy Violation

FNAL Policy Violation
Platform: All
Product: VNC
Exploitation: Remote
Patch By: No patch
Remediation: Disable VNC, or set it up for localhost access only and use an SSH tunnel
Blocking: Immediate


Services such as VNC may not accept connections from either the FNAL network or the Internet. These services may only be used when encapsulated within a Kerberos-authenticated session and carried over an encrypted transport (e.g. VNC inside a Kerberos-authenticated SSH tunnel). See the FNAL Remote Access/Remote Desktop Policy Abbreviated Technical Details, or search Google for help on tunneling VNC through SSH.

Example of tunneling VNC over an SSH tunnel (excerpt from gentoo-wiki.com):

$ ssh -X -f username@machine2 -N -L 1111:machine1:5900

Here are the parts of the command in detail:
  • ssh is the base command
  • -f tells ssh to fork to the background
  • username is the name you use to login on the remote system
  • machine2 is the hostname of the remote system. This could be a FQDN (like machine2.fnal.gov), a hostname (if your host configuration allows it), or an IP address
  • -N tells ssh not to open a remote port
  • -L performs the actual forwarding, with its arguments being
    • 1111, a port on which your client will listen. This can be any 'high' port number
    • machine1, the hostname of your client
    • 5900, the port on machine1 on which to connect. The last digit of this is equal to the display number of SSH. Common defaults are '0' and '1' ('5900' and '5901' respectively)

Next, launch vncviewer against your local host, which will forward over SSH to the remote VNC server:

$ vncviewer localhost::1111

Be sure to prohibit the VNC service from listening on your default (or all) network interfaces, but instead bind to localhost (127.0.0.1). You may need to consult your VNC distribution documentation on what parameters to change in the configuration file to accomplish this. If you cannot change the configuration, be sure to install a local firewall to block access to the remote desktop ports.
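One way to verify the binding described above is to inspect the listening sockets rather than trusting the configuration file. The following shell script is an added example, not part of the FNAL notice or any VNC distribution: it reads the output of `ss -ltn` (or `netstat -ltn`, which has the same "Local Address:Port" column layout assumed here) and reports any VNC display socket (TCP 5900-5909, an assumed range covering displays :0 to :9) that is not bound to the loopback address. The sample socket table embedded at the bottom is constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the FNAL page): list VNC display listeners that are
# reachable from a network interface instead of being bound to localhost.
#
# Input: the output of `ss -ltn` (one socket per line) on stdin.
# Output: one "addr:port" per exposed VNC listener; nothing if all are local.
# Assumptions: column 4 is "Local Address:Port"; VNC displays use TCP 5900-5909.

vnc_exposed_listeners() {
    awk '
        # Skip the header row and anything that is not a listening socket.
        NR > 1 && $1 == "LISTEN" {
            # The port is the text after the last colon; IPv6 addresses contain
            # colons themselves, so split on ":" and take the final piece.
            n    = split($4, parts, ":")
            port = parts[n] + 0
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)

            # Loopback bindings (IPv4 or IPv6) are what the policy requires.
            is_local = (addr == "127.0.0.1" || addr == "[::1]" || addr == "::1")

            if (port >= 5900 && port <= 5909 && !is_local)
                print $4
        }'
}

# Constructed sample of `ss -ltn` output: display :0 is correctly bound to
# loopback, while :1 (IPv4 wildcard) and :2 (IPv6 wildcard) are exposed.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5      127.0.0.1:5900     0.0.0.0:*
LISTEN 0      5      0.0.0.0:5901       0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
LISTEN 0      5      [::]:5902          [::]:*'

# Stand-alone run on the constructed sample; on a real host pipe `ss -ltn`
# into the function instead:  ss -ltn | vnc_exposed_listeners
printf '%s\n' "$SAMPLE_SS" | vnc_exposed_listeners
```

An empty result means every VNC display on the host is only reachable through the loopback interface (and therefore only through an SSH tunnel such as the one above); any line printed names a socket that still needs to be rebound to 127.0.0.1 or covered by a local firewall rule.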

For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by Computer Security Team; last modified by FJN on October 7, 2008.
(Address comments about page to the Computer Security Team.)