Monday, November 17, 2008

Secure Virtual Network Computing

With the ever increasing speed of internet data transfer, virtual network computing (VNC) has become a viable alternative to stand alone work stations with duplicate software installations. VNC enables users to access the desktop of a work station remotely via the internet through a slim client computer for the processing of data with heavy-weight applications. Commonly, a window server application needs to be installed on the work station and a viewer application needs to be installed on the client computer to display the work station's desktop. Once the client is connected to the server, the user can work on the server like on any other desktop. Modern VNC versions even allow drag-and-drop file transfer between client and server.

Commercial VNC software is available for Linux/Unix, Microsoft Windows, and Apple's OS X operating systems (e.g. RealVNC). Apple provides simple remote desktop connectivity for its computers in Leopard (ARD 3.2). Redstone Software offers only the Vine 3.0 server for OS X (formerly OSXvnc) free and charges for a sophisticated server/client combination with which you can drag and drop files. However, Chicken of the VNC can be used for viewing on OS X as a free complement to the Vine server.

A great advantage of VNC is that the connectivity between client and server is platform-independent. Their operating systems need not be identical. I currently use TightVNC. TightVNC is an award-winning open source project offering a highly functional package for UNIX- and Microsoft Windows-based operating systems. I installed the server on a computer running Microsoft Windows XP-64. I view the desktop on a machine running Ubuntu 8.10 or on Apple computers running OS X. TightVNC comes with a platform-independent, Java-based viewer that can be used as stand-alone application, provided the Java Runtime Environment (JRE) is installed. JRE is included with OS X and can be easily installed with the Synaptic Package Manager on Ubuntu. In addition, a viewer applet can be accessed on the server through the browser. The latter option does not require any install on the client.

VNC connections commonly use ports with numbers equal to or greater than 5900. The last digits identify the display number. The user needs to register a user account with username and password on the server. The regular login dialog is unencrypted, rendering the server vulnerable to break-ins. This hazard is perhaps tolerable on a local network protected by a firewall. However, if the server is slated to be accessible over the internet at large, unencrypted login exposes the server to excessive risk. Remote login to the server through a secure shell with RSA encryption is preferable and SSH protocols provide this option.

SSH encryption is fairly safe, particularly when passphrase encryption is employed. As additional precaution, the administrator may wish to ascertain that root login is disabled in the SSH configuration script. I once made the mistake to administer a computer with superuser privileges choosing a common English noun as password. I did not know that root was enabled by default as username on port 22 in the SSH configuration script. It took some miscreant five years to guess the password, turning my machine into a reflector for evil data transfer, until the gate keepers found out about it. To preempt complications of this nature in the future, I use sudo these days, if I need to execute commands with superuser privileges.

Remote login to a VNC server from a VNC viewer with SSH entails two steps: first the connection to the VNC server needs to be successfully established via the SSH protocol, and then the viewer has to be opened using the connection. I developed a Java-based application on the intel architecture from open sources for Apple's OS X 10.4 (Tiger) and 10.5 (Leopard) that achieves this goal in a convenient amalgamated process. This sVNC client combines jcraft's SSH login with the TightVNC viewer.

sVNCIf you like to use the sVNC client, you may wish to download the zipped folder containing the application bundle with a click on the logo on the left (trademark application #77642277, pending). Copy the application to a folder of your preference. Double-click on the application's icon to launch the SSH dialog. You are asked to enter your username @ the VNC server identified by name or IP address. Subsequently, you need to provide a listening port:host:remote port combination, specifying the local host and the ports for the displays. Commonly, you can use the default combination 5900:127.0.0.1:5900. This combination specifies the host and serves from and to displays with the number 0.  If the VNC server uses a different display number, e.g. display 1, change the first number to 5901. If you wish to use a different display on your home computer, you need to change the last number accordingly. There is no need to change the address for the local host.

After you provided this information, the SSH dialog generates RSA keys. Your consent is needed. You must enter your password for the VNC server. The connection is attempted. In case of success, you need to provide your password once more for the VNC viewer, the display of the remote desktop should pop up, and you are ready to go. The configuration options to the viewer can be found in the README file included with the application in the zipped folder.

The client works well for me. If the remote desktop seems unresponsive to clicks, hit the refresh button on the viewer's top panel. The viewer may crash when the server is accessed in a sleep state. Do not be discouraged. The viewer will work on the second attempt. I hope sVNC will be useful to you.



Build a Website in 30 minutes. Try Free, Click Here.

No comments:

Post a Comment