Advertisement
Promo

Office applications Toolkit

Use SSH to secure remote admin

Peter Parsons

Published: 17 Mar 2003 11:56 GMT

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

The TightVNC enhancement to the original VNC freeware application from AT&T research labs in the UK adds secure communication channels for remote administration sessions. TightVNC secures these communication channels using Secure Shell (SSH).

Unix and Linux administrators have used SSH for years, and now Windows administrators can take advantage of it using TightVNC. To demonstrate how it works, I'll show you how to implement TightVNC and SSH on a Windows NT server. You can use the same logic to secure communications on other TightVNC supported systems.

First though, a few words on SSH. Not only does SSH encrypt authentication parameters, it also encrypts all the session traffic. SSH is meant to replace insecure session protocols such as telnet, rsh, and rlogin. It allows the secure movement of data and files across insecure channels, (e.g., the Internet). In the case of TightVNC, SSH can secure remote administration commands.

SSH is in widespread use across 60 or more countries. SSH comes in two flavors, SSH1 and SSH2. Both encrypt different parts of a packet. Both are different protocols -- SSH2 is basically a rewrite of SSH1 with improvements in security, portability, and performance. SSH1 is no longer under development, but SSH2 is still being developed.

SSH on NT

In terms of licensing, noncommercial use of SSH is generally free. But if you're going to use SSH commercially, you should buy the software. There are various vendors including SSH Communications Security and VanDyke Software.

Although it's outside of the scope of this article, installing an SSH daemon onto an NT box is pretty straightforward -- you can refer to the vendor's documentation for this. Once you have the SSH NT server host up and running, you'll also need an SSH client on the administration workstation you'll use to access the remote sites.

Securing the link

Start off by installing the TightVNC server on your target server or workstation and the TightVNC client on your administration workstation. For details about how to do this, see the article "Remote administration -- with security!" Test the communications on an unsecured channel between the server and workstation to make sure that VNC works properly.

After you've confirmed that everything works, you must make a change to TightVNC's Advanced Properties. Double-click the TightVNC icon in the system tray. When the dialog box opens, select the Advanced button. In the Advanced Properties dialog box, be sure to check the Allow Loopback Connections and Allow Only Loopback Connections check boxes, as shown in Figure A. This ensures that TightVNC works through only the SSH secure pipe.

Figure A
Set loopback connections to allow TightVNC to use secure channels.

Once you're up and running with TightVNC in loopback mode, and both the SSH daemon and client are installed, you can initiate a secure session. When you do this, a dummy server will be created on your client machine that listens on the VNC port and moves all connections to that port into the SSH tunnel. The SSH tunnel in turn transports the connections to the remote server. Because you've selected the loopback mode above, TightVNC will think that the connection is a local one and allow a secure session to be built. Your remote admin traffic will then be secure.

Final thoughts

SSH can be used through firewalls, and you can also use it to protect FTP, POP, and IMAP sessions going through a firewall. Most SSH sessions through a firewall use port 22, but you can change this to go through another open port on the firewall, such as SSL port 443, which is usually open anyway.


For a weekly round-up of the enterprise IT news, sign up for the Enterprise newsletter.

Tell us what you think in the Enterprise Mailroom.

  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON

Did you find this article useful?
51 out of 89 people found this useful


Full Talkback thread

0 comments

Company/Topic Alerts

Create a new alert from the list below:








Video icon

Video

Discussions

NoThomas NoThomas

yea I read that article the other day

Tuesday 17 November 2009, 3:53 AM

24 comments
NoThomas NoThomas

I am sorry Lezlow..

Tuesday 17 November 2009, 3:22 AM

24 comments
KellySnow KellySnow

the truth is males are even worse

Tuesday 17 November 2009, 2:33 AM

35 comments
chrisranjana.com chrisranjana.com

opensource and M

Tuesday 17 November 2009, 2:33 AM

1 comment

Vista Upgrade Blog

homer

lets show everyone that labour has compasion[whilst there counting the votes] running upto march/april 2010...http://tinyurl.co...nus very good nb gordon brown said today on our... More

Post a comment

This Crap Site

How utterly stupid - I am ranked #40 in the top 100 - as a member of this site..... I mean HOW utterly stupid.... I have done sweet FA, I have only rejoined this site after a 3 or... More

Post a comment

Microsoft Security Update: November Pa...

Apologies for this late update to our core Patch Tuesday update. Here is a summary of the update .... The November Patch Tuesday update from Microsoft follows the largest patch and... More

Post a comment


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

Newsletters