Remote assistance for X
Karl J. Runge
runge at karlrunge.com
Sat Jan 2 03:41:48 UTC 2010
On Fri, 1 Jan 2010, Warren Block <wblock at wonkity.com> wrote:
>
> ssh -t -c blowfish -N -f -L 5500:$supporterhost:5500 $supporterhost && \
> x11vnc -display :0 -localhost -connect localhost -ncache 10
I think that will work, but I believe (for extra safety/clarity if nothing
else) you really want:
-L 5500:localhost:5500
in the ssh command.
Note that for -L the ending host:port part is relative to the *sshd*
(ssh-server) side.
So, if I understand what you want, you might as well use localhost:5500
instead of $supporterhost:5500. Also, if $supporterhost is that of an
internet firewall/router doing port forwarding, $supporterhost might
not resolve properly on the "supporterhost", or leak back out to the
internet in a weird way.
Symmetrically: for -R the ending host:port part is relative to the ssh
(ssh-client) side.
Here are some examples that should work, I provide "prompt>" to indicate
which machine the command is run on (and I skip your -c preference):
supportee_host> ssh -t -N -f -L 5500:localhost:5500 $supporter_host && \
x11vnc -display :0 -connect_or_exit localhost:0 -rfbport 0
which should be the same as:
supportee_host> x11vnc -display :0 -proxy ssh://$supporter_host \
-connect_or_exit localhost:0 -rfbport 0
i.e. x11vnc has a built-in -proxy that already does what you want it
to do; it runs ssh(1) for you:
http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-proxy
Note how I use -connect_or_exit instead of -connect to try to avoid
problems if the connection fails:
http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-connect_or_exit
I also use the '-rfbport 0' described there to prevent x11vnc from listening
for any connections (which I think is what you want.)
Aside: Originally I thought you could ssh into supportee_host, for anyone
looking to do that here is the analogous command:
supporter_host> ssh -t -N -f -R 5500:localhost:5500 $supportee_host \
x11vnc -display :0 -connect_or_exit localhost:0 -rfbport 0
In all cases supporter_host is running:
supporter_host> vncviewer -listen 0
(or ssvncviewer -listen 0 if you have SSVNC)
> ...
> That looks more elegant. Are the security and speed comparable to ssh?
Speed shouldn't be a problem; I believe both ssh and 'x11vnc -ssl' use
OpenSSL for encrypting the session traffic. If a machine is *really*
slow the choice of encryption cipher may be noticable (I don't see a
big effect even on a 300MHz test machine I have.)
Security-wise, of course 'ssh' is used much more than 'x11vnc -ssl'.
For both ssh and 'x11vnc -ssl' if the certificate/key is not verified
by an external means one is susceptible to man-in-the-middle-attack.
However w/o verification at least both are safe against passive network
sniffing.
More information about the freebsd-questions
mailing list