
The question is similar to How come I can login to another person's session over vnc just by changing the port number?

I have several (say, 10) users who connect via ssh to a remote server. Every user has an associated prestarted VNC server (Xtigervnc on port 5901, 5902, etc.). They connect with port forwarding and can access their own virtual desktop. The users typically use PuTTY+VNCviewer.

The problem is: users also have access to other users' desktops just by changing the port number in the connection options. How can I resolve this?

Is there a way to restrict port forwarding on a specific port to a specific user? Or maybe something different?

sas
  • Hi @sas - have you considered configuring differently per instance? Not sure about tiger, but for normal VNC look at sshd_config - here's an example restricting which IPs specific users are from - https://unix.stackexchange.com/questions/406245/limit-ssh-access-to-specific-clients-by-ip-address. – Mr R Apr 12 '21 at 21:40
  • @MrR, thank you. I would rather want it to be not IP specific, but user specific. Is it possible? SSH has key based auth and users typically have several personal gadgets to access server with. – sas Apr 12 '21 at 21:46
  • Are you using the configuration described here? https://github.com/TigerVNC/tigervnc/blob/master/unix/vncserver/HOWTO.md If so, the users need to run `vncpasswd` to set a session password. – jsbillings Apr 13 '21 at 00:30
  • @jsbillings, it is -SecurityTypes None currently. I understand that a password is better than no password, but the VNC password is short and somewhat insecure according to the man page. Additionally, users will have to remember two passwords, which is more than enough for them to start setting "qwerty" as the password for everything. If it is the only option, so be it, but is it? – sas Apr 13 '21 at 09:24
  • Is it maybe possible to prohibit all port forwarding, but after a user is connected via ssh add some user-specific port forwarding automatically? – sas Apr 13 '21 at 09:25
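
The per-user port-forwarding restriction the question asks for can be expressed directly in OpenSSH with a `Match User` block and `PermitOpen`. The fragment below is an added example, not configuration from the original post or from TigerVNC; the user names `alice` and `bob` and the display-to-port mapping (5901 for alice, 5902 for bob) are assumptions. `AllowTcpForwarding`, `PermitOpen` and `PermitListen` are all valid inside a `Match` block in current OpenSSH.

```sshd_config
# Added example (not from the original post). Default for everyone:
# no TCP forwarding at all. Only the Match blocks below open it up.
AllowTcpForwarding no

# Assumed user "alice" owns the Xtigervnc instance on :1 (port 5901).
Match User alice
    # "local" allows only -L style forwards, never -R.
    AllowTcpForwarding local
    # PermitOpen compares the host string the client sent, so list both
    # spellings a PuTTY tunnel might use for the loopback destination.
    PermitOpen 127.0.0.1:5901 localhost:5901
    # Belt and braces: no remote listeners, no X11 tunnel either.
    PermitListen none
    X11Forwarding no

# Assumed user "bob" owns the Xtigervnc instance on :2 (port 5902).
Match User bob
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:5902 localhost:5902
    PermitListen none
    X11Forwarding no
```

Check the effective settings for a given user before reloading with `sshd -T -C user=alice,host=client.example,addr=192.0.2.10 | grep -Ei 'permitopen|tcpforwarding'` (host and address values are placeholders). A forward request for any other port is then refused at the SSH layer, and the viewer shows a connection failure. One caveat a practitioner should weigh: `PermitOpen` only governs forwards requested through sshd. A user who also gets a shell on the same host can still reach 127.0.0.1:5902 from that shell (with `ssh -L`, `socat`, or any TCP client), because the Xtigervnc instances are on loopback with `-SecurityTypes None`. So this is a complete fix only when the accounts have no interactive shell (for example a `ForceCommand` that starts no shell, with PuTTY set to open no session), or when it is combined with per-user authentication on the VNC side.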

1 Answer


Just use a VNC client with TLS client authentication and put a proxy doing TLS in front of that, i.e. you could use haproxy, which would authenticate each client's TLS cert and, based on the CN in the cert, forward only to their own Xtigervnc instance.

Jiri B
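
The haproxy setup this answer describes, written out as an added example (this is not the answerer's configuration and not part of TigerVNC). Assumptions: haproxy terminates TLS on port 5900 with its own certificate in `/etc/haproxy/vnc-proxy.pem`, client certificates are issued by an internal CA in `/etc/haproxy/vnc-client-ca.crt`, the certificate CN is the Unix user name, and the Xtigervnc instances for the hypothetical users `alice` and `bob` listen on loopback ports 5901 and 5902. `ssl_c_s_dn(CN)` is haproxy's fetch for the subject CN of the verified client certificate.

```haproxy
# Added example, not from the original answer. Identity comes only from the
# client certificate that haproxy itself verified; the VNC port is never
# chosen by the client.
frontend vnc_tls
    mode tcp
    # "verify required" rejects the handshake when no valid client cert
    # (signed by the assumed internal CA) is presented.
    bind *:5900 ssl crt /etc/haproxy/vnc-proxy.pem ca-file /etc/haproxy/vnc-client-ca.crt verify required

    # Exact string match on the CN: "-m str" avoids prefix/substring surprises
    # such as a cert for "alice2" being routed as "alice".
    acl is_alice ssl_c_s_dn(CN) -m str alice
    acl is_bob   ssl_c_s_dn(CN) -m str bob

    # Any authenticated identity that has no mapping is dropped, not
    # silently sent to some default desktop.
    tcp-request content reject unless is_alice || is_bob

    use_backend vnc_alice if is_alice
    use_backend vnc_bob   if is_bob

# Assumed mapping: one backend per user, each pointing at that user's display.
backend vnc_alice
    mode tcp
    server alice 127.0.0.1:5901

backend vnc_bob
    mode tcp
    server bob 127.0.0.1:5902
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. Two things to check in practice: the Xtigervnc instances must be bound to loopback only (TigerVNC's `-localhost` option), so that the proxy is the only network path to them; and on the client side either the viewer must be able to present a client certificate, or a local TLS wrapper that does (stunnel in client mode, for example) sits between the viewer and the proxy. As with the SSH-side approach, this only closes the cross-user path if the users cannot also open a plain TCP connection to 127.0.0.1:5902 from a shell on the same host.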