Tunneling VNC through two ssh hops


Guillaume Dargaud

Oct 9, 2012, 3:47:44 AM
Hello all,
I have to log through an intermediate machine, something like:
local $ ssh interim
interim $ ssh remote
remote $ ...

Or, shorter:
local $ ssh interim ssh remote
Pseudo-terminal will not be allocated because stdin is not a terminal.
This gets stuck so I do:
local $ ssh -t interim ssh remote
remote $ ...

Fine.

Now I am trying to tunnel a vnc session from remote to local and I can't
find the magic incantation, using one or two steps. I've tried variants of
that:
local $ ssh -tL 5900:localhost:5900 interim ssh -L 5900:localhost:5900 remote
bind: Address already in use
remote $ ...

Or this:
local $ ssh -tL 5900:localhost:5901 interim ssh -L 5901:localhost:5900 remote

What's the correct incantation ?
Thanks
--
Guillaume Dargaud
http://www.gdargaud.net/

Wolfgang Meiners

Oct 9, 2012, 5:34:24 AM
On 09.10.12 09:47, Guillaume Dargaud wrote:
Does

local $ ssh -L 5900:remote:5900 interim

work for you? Then you can also do

local $ ssh -fN -L 5900:remote:5900 interim sleep 10

and then connect to your vnc within 10 seconds. But this approach does
not work if the remote vncserver is bound to localhost. Then you will
not be able to connect with this command. You can do then

local $ ssh -oProxyCommand="ssh interim nc %h %p" \
-L 5900:localhost:5900 remote

if there is nc on your interim host. If your ssh is recent enough, you
can also use ssh's -W option instead of nc:

local $ ssh -oProxyCommand="ssh -W %h:%p interim" \
-L 5900:localhost:5900 remote

If this is working for you, you should read the ProxyCommand part at

man 5 ssh_config

and put these entries to your ~/.ssh/ssh_config, i.e.

Host remote_via_interim
ProxyCommand ssh interim nc -w1 %h %p
LocalForward 5900 localhost:5900

and then simply write
local $ ssh remote_via_interim

Hope it works for you
Wolfgang


Guillaume Dargaud

Oct 12, 2012, 2:51:04 PM
Thanks for the answers.

> Does
>
> local $ ssh -L 5900:remote:5900 interim
>
> work for you?

It logs me into interim. How do I launch the vnc server on remote from there?
(I normally use the command 'x11vnc -auth guess -find -localhost -once -nopw
-nodpms'). Yes, the vnc server does not run as root, it's launched manually
after login.

> Then you can also do
>
> local $ ssh -fN -L 5900:remote:5900 interim sleep 10
>
> and then connect to your vnc within 10 seconds. But this approach does
> not work if the remote vncserver is bound to localhost. Then you will
> not be able to connect with this command. You can do then
>
> local $ ssh -oProxyCommand="ssh interim nc %h %p" \
> -L 5900:localhost:5900 remote

This looks a bit more promising, but vnc server refuses to start on port
5900, using 5901 instead, which is usually a sign that the port is taken...
wrongly.

> if there is nc on your interim host. If your ssh is recent enough, you
> can also use ssh's -W option instead of nc:
>
> local $ ssh -oProxyCommand="ssh -W %h:%p interim" \
> -L 5900:localhost:5900 remote

Same here:
remote $ x11vnc -auth guess -find -localhost -once -nopw -nodpms
x11vnc version: 0.9.12 lastmod: 2010-09-09 pid: 12511
wait_for_client: WAIT:cmd=FINDDISPLAY
initialize_screen: fb_depth/fb_bpp/fb_Bpl 24/32/2560
Autoprobing TCP port
Autoprobing selected port 5901
Listening also on IPv6 port 5901 (socket 5)
The VNC desktop is: remote:1
PORT=5901

...wrong port

I mean, logically, you should tunnel from port N (say 5900) on local to port
M (say 5900) on interim, and then tunnel from some other port O to port P
(typically 5900) on remote.
-L N:localhost:M takes care of the 1st part.
-L O:localhost:P takes care of the 2nd part (once you are logged on interim)
but I don't understand how you connect M to O. You can't use the same port,
so how do you do it ?

> If this is working for you, you should read the ProxyCommand part at
>
> man 5 ssh_config
>
> and put these entries to your ~/.ssh/ssh_config, i.e.
>
> Host remote_via_interim
> ProxyCommand ssh interim nc -w1 %h %p
> LocalForward 5900 localhost:5900
>
> and then simply write
> local $ ssh remote_via_interim
>
> Hope it works for you
> Wolfgang

Wolfgang Meiners

Oct 12, 2012, 8:27:34 PM
On 12.10.12 20:51, Guillaume Dargaud wrote:
> Thanks for the answers.
>
>> Does
>>
>> local $ ssh -L 5900:remote:5900 interim
>>
>> work for you?
>
> It logs me into interim. How do I launch the vnc server on remote from there?
> (I normally use the command 'x11vnc -auth guess -find -localhost -once -nopw
> -nodpms'). Yes, the vnc server does not run as root, it's launched manually
> after login.
>
>> Then you can also do
>>
>> local $ ssh -fN -L 5900:remote:5900 interim sleep 10
This is a mistake; it should read
local $ ssh -f -L 5900:remote:5900 interim sleep 10
because -N means there is no command but only a tunnel.

>>
>> and then connect to your vnc within 10 seconds. But this approach does
>> not work if the remote vncserver is bound to localhost. Then you will
>> not be able to connect with this command. You can do then
>>
>> local $ ssh -oProxyCommand="ssh interim nc %h %p" \
>> -L 5900:localhost:5900 remote
>
> This looks a bit more promising, but vnc server refuses to start on port
> 5900, using 5901 instead, which is usually a sign that the port is taken...
> wrongly.
>
>> if there is nc on your interim host. If your ssh is recent enough, you
>> can also use ssh's -W option instead of nc:
>>
>> local $ ssh -oProxyCommand="ssh -W %h:%p interim" \
>> -L 5900:localhost:5900 remote
>
> Same here:
> remote $ x11vnc -auth guess -find -localhost -once -nopw -nodpms
> x11vnc version: 0.9.12 lastmod: 2010-09-09 pid: 12511
> wait_for_client: WAIT:cmd=FINDDISPLAY
> initialize_screen: fb_depth/fb_bpp/fb_Bpl 24/32/2560
> Autoprobing TCP port
> Autoprobing selected port 5901
> Listening also on IPv6 port 5901 (socket 5)
> The VNC desktop is: remote:1
> PORT=5901
>
> ...wrong port

When you get PORT 5901, you can do
~C
(on a new line and then give the command)
-L 5901:localhost:5901

then start your vncviewer as
vncviewer localhost:5901

>
> I mean, logically, you should tunnel from port N (say 5900) on local to port
> M (say 5900) on interim, and then tunnel from some other port O to port P
> (typically 5900) on remote.
No. Read how ProxyCommand works.

> -L N:localhost:M takes care of the 1st part.
> -L O:localhost:P takes care of the 2nd part (once you are logged on interim)
> but I don't understand how you connect M to O. You can't use the same port,
> so how do you do it ?
There is no need to do this, because you have a ssh-connection from
local to remote.

>
>> If this is working for you, you should read the ProxyCommand part at
>>
>> man 5 ssh_config
>>
>> and put these entries to your ~/.ssh/ssh_config, i.e.
>>
>> Host remote_via_interim
>> ProxyCommand ssh interim nc -w1 %h %p
>> LocalForward 5900 localhost:5900
>>
>> and then simply write
>> local $ ssh remote_via_interim
>>
>> Hope it works for you
>> Wolfgang

OK. The first steps are not simple.
1)
As far as I know, x11vnc needs a running x11server on the remote side.
This server is connected to a display, usually :0 (I hope I remember
these things right). But then you know the display and don't have to guess it.

If you don't have an x11server running, you might install vnc4server instead.

2)
if you want to start x11vnc then you need a connection to remote. You
should use the second method in this case.

3)
now try
local $ ssh -oProxyCommand="ssh interim nc -w1 %h %p" remote

this gives you a connection from local to remote which is tunneled
through interim. This _is_ a connection _from_ local _to_ remote and
this connection is tunneled through interim.

4)
if this works, then
local $ ssh -oProxyCommand="ssh interim nc -w1 %h %p" \
-L 5900:localhost:5900 remote

will also work _and_ gives you a tunnel from _local_ to _remote_. There
are some nice explanations of how this works on the internet, you should
have a look at them.

5)
if there is someone working at the remote site with display :0 and you type
local $ ssh -f -oProxyCommand="ssh interim nc -w1 %h %p" \
-L 5900:localhost:5900 remote \
'x11vnc -localhost -display :0'

and then start your vncviewer, i.e. via
local $ vncviewer localhost:0

then you should get his screen on your local site.

You should read on the security risks of x11vnc and how to use a password.

If you don't know the display in advance, then you can use the ~C method
to specify the tunnel (but then, of course, the option -f is not
possible, because ssh then runs in the background. You need a second
terminal to start vncviewer).

Wolfgang
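
Added example, not part of either poster's messages: the port mismatch discussed in this thread, handled in shell. It reads the PORT= line that x11vnc prints and builds the two-hop forward with the -W ProxyCommand quoted above; the function names, the 5900-5999 range check, the 127.0.0.1 bind address and ExitOnForwardFailure are choices of this example, and x11vnc is assumed to be already running on remote.

```shell
#!/bin/sh
# Added example, not from the thread's posters. "interim" and "remote" are
# the thread's placeholder host names.

# x11vnc startup output as quoted in the thread (port 5900 was not free).
SAMPLE_LOG='Autoprobing TCP port
Autoprobing selected port 5901
Listening also on IPv6 port 5901 (socket 5)
The VNC desktop is: remote:1
PORT=5901'

# Read x11vnc output on stdin and print the port from its PORT= line.
# Fails if there is no such line or the port is outside 5900-5999
# (the range check is an assumption of this example).
vnc_port_from_log() {
    port=$(sed -n 's/^PORT=\([0-9][0-9]*\)$/\1/p' | tail -n 1)
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 5900 ] && [ "$port" -le 5999 ] || return 1
    printf '%s\n' "$port"
}

# Print the ssh command for a forward-only session (-N) from local to
# TARGET, carried through JUMP. The listener is bound to loopback only,
# and ssh exits instead of continuing if the local port cannot be bound
# (the "bind: Address already in use" case from the first post).
tunnel_command() {
    jump=$1 target=$2 port=$3
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ProxyCommand="ssh -W %%h:%%p %s" -L 127.0.0.1:%s:localhost:%s %s\n' \
        "$jump" "$port" "$port" "$target"
}

# Print the viewer command; the VNC display number is port minus 5900.
viewer_command() {
    printf 'vncviewer localhost:%s\n' "$(( $1 - 5900 ))"
}

# Demonstration on the sample output: prints the two commands to run locally.
if port=$(printf '%s\n' "$SAMPLE_LOG" | vnc_port_from_log); then
    tunnel_command interim remote "$port"
    viewer_command "$port"
fi
```

The printed ssh command is meant for a second local terminal while the first session on remote keeps x11vnc running.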