Remote assistance for X

Karl J. Runge runge at karlrunge.com
Sat Jan 2 03:41:48 UTC 2010


On Fri, 1 Jan 2010, Warren Block <wblock at wonkity.com> wrote:
> 
> ssh -t -c blowfish -N -f -L 5500:$supporterhost:5500 $supporterhost && \
> x11vnc -display :0 -localhost -connect localhost -ncache 10

I think that will work, but I believe (for extra safety/clarity if nothing
else) you really want:

   -L 5500:localhost:5500

in the ssh command.

Note that for -L the ending host:port part is relative to the *sshd*
(ssh-server) side.

So, if I understand what you want, you might as well use localhost:5500
instead of $supporterhost:5500.  Also, if $supporterhost is that of an
internet firewall/router doing port forwarding, $supporterhost might
not resolve properly on the "supporterhost", or leak back out to the
internet in a weird way.

Symmetrically: for -R the ending host:port part is relative to the ssh
(ssh-client) side.


Here are some examples that should work; I provide "prompt>" to indicate
which machine the command is run on (and I skip your -c preference):

   supportee_host> ssh -t -N -f -L 5500:localhost:5500 $supporter_host && \
                   x11vnc -display :0 -connect_or_exit localhost:0 -rfbport 0

which should be the same as:

   supportee_host> x11vnc -display :0 -proxy ssh://$supporter_host \
                   -connect_or_exit localhost:0 -rfbport 0

i.e. x11vnc has a built-in -proxy that already does what you want it
to do; it runs ssh(1) for you:

   http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-proxy

Note how I use -connect_or_exit instead of -connect to try to avoid
problems if the connection fails:

   http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-connect_or_exit

I also use the '-rfbport 0' described there to prevent x11vnc from listening
for any connections (which I think is what you want.)

Aside: Originally I thought you could ssh into supportee_host; for anyone
looking to do that, here is the analogous command:

   supporter_host> ssh -t -N -f -R 5500:localhost:5500 $supportee_host \
                   x11vnc -display :0 -connect_or_exit localhost:0 -rfbport 0


In all cases supporter_host is running:

   supporter_host> vncviewer -listen 0

(or ssvncviewer -listen 0 if you have SSVNC)

> ...
> That looks more elegant.  Are the security and speed comparable to ssh?

Speed shouldn't be a problem; I believe both ssh and 'x11vnc -ssl' use
OpenSSL for encrypting the session traffic.  If a machine is *really*
slow the choice of encryption cipher may be noticeable (I don't see a
big effect even on a 300MHz test machine I have.)

Security-wise, of course 'ssh' is used much more than 'x11vnc -ssl'.

For both ssh and 'x11vnc -ssl', if the certificate/key is not verified
by an external means one is susceptible to a man-in-the-middle attack.
However, w/o verification at least both are safe against passive network
sniffing.
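
The following is an added example, not part of the original message or of x11vnc: a small shell function that takes an ssh -L or -R forwarding spec and reports which side listens, which side resolves the destination host, and whether that destination is loopback. The function name `describe_forward`, its output format and the host name support.example.org are assumptions made for illustration; only hostname/IPv4 specs of the form [bind:]port:host:hostport are handled.

```shell
#!/bin/sh
# Added example: explain an ssh -L / -R forwarding spec of the form
# [bind:]port:host:hostport.
# Assumption: hostnames or IPv4 only (no bracketed IPv6, no Unix sockets).

# describe_forward MODE SPEC   (MODE is L or R; hypothetical helper)
describe_forward() {
    mode=$1; spec=$2
    case $mode in
        L) listen_side=ssh-client;  resolve_side=sshd-server ;;
        R) listen_side=sshd-server; resolve_side=ssh-client ;;
        *) echo "error: mode must be L or R" >&2; return 2 ;;
    esac

    # Split on ':' with globbing off so the fields are taken literally.
    old_ifs=$IFS; IFS=:; set -f
    set -- $spec
    set +f; IFS=$old_ifs

    case $# in
        3) port=$1; host=$2; hostport=$3 ;;
        4) port=$2; host=$3; hostport=$4 ;;   # $1 is the bind address
        *) echo "error: expected [bind:]port:host:hostport" >&2; return 2 ;;
    esac
    for p in "$port" "$hostport"; do
        case $p in
            ''|*[!0-9]*) echo "error: non-numeric port in '$spec'" >&2; return 2 ;;
        esac
    done

    # The destination name is looked up on resolve_side, not where it was typed.
    case $host in
        localhost|127.0.0.1) loopback=yes ;;
        *)                   loopback=no ;;
    esac
    echo "listen=$listen_side:$port dest=$host:$hostport resolved_on=$resolve_side loopback=$loopback"
}

# Constructed sample specs; support.example.org is a placeholder name.
describe_forward L 5500:localhost:5500
describe_forward R 5500:localhost:5500
describe_forward L 5500:support.example.org:5500
```

A `loopback=no` result for -L means the name is resolved and connected to from the sshd host, which is the case the message cautions about when that name belongs to a firewall/router.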


