Remote access to the Linux desktop with SSL encryption: x11vnc + SSVNC client
In the latest versions of the GNOME Desktop software is available that allows for remote access to the desktop with a simple client VNC from any other operating system. I'm talking about WINE. Although it is easy to set up, it does not guarantee a sufficiently strong encryption of data. In fact, we may be subject (for technical reasons that I am not here to explain) to attack man-in-the-middle attacks. For this reason I decided to show the configuration of another VNC server and a VNC client slightly more advanced: x11vnc (server) and SSVNC (clients). All topped off with an SSL tunnel that provides us shelter from prying eyes!
First, an introduction. The guide covers the installation of the server (x11vnc) on Debian Sid (unstable release), but the procedure is the same for Ubuntu and other Debian-based distribution with the appropriate changes to the commands to install the packages of interest. Also, it is very important to remember that after you install the server, you must open TCP port VNC (default 5900) on the firewall if installed on the server. Still, to be able to conveniently access from the outside (ie from the Internet) should evaluate to a free subscription with a service like Dyndns or no-ip that allow you to have a host name in network with our ADSL. At this point I would say that we are ready to start.
- Installing and configuring the server x11vnc + openssl
x11vnc openssl and are present in repositories of debian and ubuntu and then just type the usual apt-get command in a terminal and logged in as user root:
# Apt-get install x11vnc openssl
The openssl package is needed to create encryption certificates to use for remote connections protected by SSL. The next step will be to create certificates to be used for subsequent connections. I chose to use the most secure method, or the use of a Certification Authority (hereafter CA) to sign the various certificates. In this way we will be sure to use the client side of the original and not a counterfeit. Let's create the certificate and key to our CA (be careful, you have to type these commands from a simple user and not as root!)
When you have launched the command shown above, you will see that you will create all the necessary dir in your home dir of the user and then you will be asked to enter a passphrase. It 'a good idea to choose a password long and difficult and if you are anxious to forget it, think about starting to use some soft of password management such as those of which I have spoken on other occasions. After you type the passphrase, you will be prompted for all information regarding our CA. We carry a small sample of what you'll see on the terminal, and what I've typed:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You are about to be asked to enter information That will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', The field will be left blank.
Country Name (2 letter code) [AU]: U.S.
State or Province Name (full name) [mystate]: Italy
Locality Name (eg, city) : Power
Organization Name (eg, company) [x11vnc server CA]:
Organizational Unit Name (eg, section) :
Common Name (eg, YOUR name) [zeno x11vnc server CA]:
Email Address [x11vnc@CA.nowhere]:
Your public x11vnc CA cert is:
/ Home / zeno / .vnc / certs / CA / cacert.pem
It may be copied to other applications, eg Web browser, Java
Keystore applet, or stunnel cfg to use to verify signed server
or client certs, etc..
Your x11vnc CA private key is:
/ Home / zeno / .vnc / certs / CA / private / cakey.pem
It will be used to sign the server or client certs, keep it secret.
Now we are ready to proceed to the next step, namely the creation of Chavi and certificates for the VNC server. Then, again from the terminal and simple user, launch the following command:
$ X11vnc-server sslGenCert
You'll find yourself having to answer some questions in a manner very similar to what happened with the previous command. It 'important for you to insert a PEM passphrase for the certificate and, when prompted, to plug even the passphrase used previously for the CA certificate. Here is a small sample of what you will see where you have to act on the terminal and entering the passphrase:
Do you want to protect the generated private key with a passphrase?
Doing so will significantly decrease the chances Could someone steal
the key and pretend to be your x11vnc server. The downside is it is
inconvenient Because You will have to supply the passphrase every
time you start x11vnc using this key.
Protect key with a passphrase? [Y] / n
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Now signing the new key with the CA private key. You will need to supply
the CA key passphrase and reply "y" to sign and commit the key.
Using configuration from / home/zeno/.vnc/certs/tmp/cnf.11234
Enter pass phrase for. / CA / private / cakey.pem:
Check That the request matches the signature
Up to now we have created the keys and certificates to encrypt the connection and, therefore, there rirtoveremo with the following files in our home directory:
~ / .vnc / Certs / CA / cacert.pem -> the public certificate from our CA
~ / .vnc / Certs / CA / private / cakey.pem -> the private key of our CA
~ / .vnc / Certs / server.crt -> the VNC server's public certificate
~ / .vnc / Certs / server.pem -> the private key + certificate of our VNC server
At this point we have to copy the cacert.pem file on your PC with a secure method on which we will use the VNC client. Of course I leave it to you to decide what to do, but it really is essential that this step is done in the safest way possible. Personally I transfer it via a USB stick or through the use of scp. If you need to use the VNC client on another Linux machine, you can copy the files in the home dir of the user who will launch the client itself (~ / .vnc / certs / CA / cacert.pem). In addition, we must ensure that our CA certificate is then used by the VNC client that we will use in our case and we will see how to proceed with the client SSVNC.
We have not yet finished with the configuration of the server, we are missing the last step which consists in the creation of the password to access the server. In fact, the current state of configuration, the server is running, but is not required to use any password from the client to access and, therefore, it is sufficient to have the certificate. Obviously this is not very secure and for this reason we insert a password to access the server:
The command you typed earlier you return the following prompt:
Enter VNC password:
Write password to / home / zeno / .vnc / passwd? [Y] / ny
Password written to: / home / zeno / .vnc / passwd
Now the server is ready to be started. To do this we can type the following command:
$ X11vnc-usepw-ssl SAVE-display: 0
You will be prompted to enter the pass phrase chosen during the creation of the certificates of the server (the server does not CA!) And then the VNC server will be started and listening on port 5900. If desired we can choose to start the server on a port other than the standard adding to the boot command the following parameter:
We have finished with the server. Proceed with the installation of the client.
- Installation and use of client SSVNC
In fact the client to the server will not be installed And 'possible to directly download the binaries available for Windows, MAC OS and Unix / Linux. We can grab the file from here . If you want you can collect the files containing the binaries of the operating system only in our interest or those containing the source code of the client by going to this page . I decided to use SSVNC also because downloading on a USB stick all the binaries for various operating systems can access our desktop with any computer available in the world without having to install anything! ... Also for example in an Internet Cafe in London ... Of course, mind you as stored in the encryption certificates and do not miss the USB stick!
After downloading the file of interest to us, we need to unpack and inside it, having downloaded the file with the tracks that I mentioned in the first link, we will find different folders for different operating systems. We identify what interests us and we start "ssvnc." We will be facing this screen (the client was started on Win XP):
First click on the button "Certs ..." that allows us to open the window to enter the SSL certificate for our server to the client. Obviously, this certificate must be previously copied to the computer where the client is started, exactly as described a moment ago when we talked about the configuration of the server. Here is shielded interest:
In the row for "ServerCert" we have to load our certificate "cacert.pem". When we did that we can click on the "Done" button and return to the previous screen. Here we must first enter the IP address or hostname of the server into our line. You'll have to find yourself qulcosa look like this:
Click if you want (not required) to file "Fetch Cert"
And the client will connect to the server and acquire the certificate from the server:
When you finish viewing the certificate, click on "Dismiss". This last step is used to maintain control of congruity between the server certificate and the certificate that we have just uploaded manually to ensure that the server certificate that is loaded manually on the client or has been compromised. This manual control can be avoided SSVNC leave unchecked the option to "Verify all certs." Now I would say that it is time to start the VNC session itself. So, click on the "Connect" button and it will start trying to connect to the server:
If everything went well, in a few moments you will see the screen that asks for the password to access:
We enter the password you chose earlier and finally we are ready to use our Remote Desktop protected by an encrypted connection SSL tunnel!
If you have any questions, especially on how to access the Internet and how to configure NAT on your router, ask!
Did you like this article? Subscribe to our newsletter to receive information about updates to the blog: