How To Add SSH Secure VNC Server To Your Workstation
Last Modified: March 26, 2013
This document is also available on the WEB at
http://jilawww.colorado.edu/~software/installs/sshvncserver.htm
[NOTE: Notation below referring to the “N:” drive means the samba drive served from node jilau1. Check your drive mappings and change the N: drive if necessary to be
\\jilau1\apps
Note that this process may break some links for other applications. Contact Alan Dunwell or JR Raith if you have troubles making this drive change.]
If after reading over the following instructions you feel this is too complex, feel free to contact Alan Dunwell or anyone in the Computing group for assistance.
Concept:
VNC, or Virtual Network Computing, lets you connect to a remote machine and work on it as if you were sitting at its console. A ‘server’ application runs on the machine you want to reach, and a ‘viewer’ application on the machine you are actually sitting at talks to that server. This lets you see, for example, a Linux desktop or a Windows desktop in all its full GUI glory on the server machine from a Windows XP machine somewhere else. All computing takes place on the server; only the screen contents (and your keyboard and mouse input) travel over the network. The protocol sends only the parts of the screen that change, so the amount of data is small and operation is quite fast, even through a wireless network or over SSH2.
NOTE: This installation sheet deals ONLY with installing and configuring the server-side software on a Windows XP machine. For the SSH VNC Viewer used to connect to such servers, please see
http://jilawww.colorado.edu/~software/installs/sshvnc.htm
There are two parts to the installation, the SSH server and the VNC server.
SSH Server Part:
Installation
You must be logged in with Administrator privilege. The install uses OpenSSH for Windows from SourceForge. Look in
N:\Win\sshvnc\OpenSSH-SourceForge-Server
and double-click setupssh381-20040709.zip to get at the executable, then run it and follow the prompts to complete the SSH Server installation. (The date in the file name shows this is a July 2004 build of OpenSSH 3.8.1; check whether a newer package is available before exposing the machine to untrusted networks.) After the install there will be
C:\Program Files\OpenSSH\usr\sbin\sshd.exe
which is the server executable part.
Configuration
Once it is installed you need to configure it. This describes how to get it set up and running.
There are several steps:
- add users to the workstation if necessary.
This is done from Start, Control Panel, User Accounts, Add to make sure that anyone that needs to access the computer via SSH VNC will have a login on the machine.
- make a group
Open a DOS/Command window with Start, Run, cmd.exe and enter
cd "C:\Program Files\OpenSSH\bin"
including the double-quote marks (the path contains a space). Then enter the command
mkgroup -d >> ..\etc\group
This will create a file called
C:\Program Files\OpenSSH\etc\group
(If you get an error message see the NOTE below.)
- make passwords for all users that will be coming in via ssh
In the same DOS window, now enter the command(s)
mkpasswd -d -u joefoo >> ..\etc\passwd
mkpasswd -d -u janefoo >> ..\etc\passwd
where joefoo and janefoo are users with accounts on the machine. This will make entries for each user in the file
C:\Program Files\OpenSSH\etc\passwd
These entries are not passwords. Each line maps a Windows account to the Unix-style user id, group id and home directory that sshd needs in order to look the account up; when someone logs in over SSH they use their normal Windows password. Do not edit the group or passwd files by hand.
[NOTE: If you received error messages when making the group/password files, use the following commands instead.
mkgroup -l >> ..\etc\group
mkpasswd -l -u joefoo >> ..\etc\passwd
The -l (“minus ell”) makes the tools read the machine’s local groups and accounts rather than the domain’s.
The -d form works only for machines inside the JILA subnets, because -d queries the domain for the accounts. If you are setting up a stand-alone lab machine or a server at home where there are no domain logins, you must use -l to create entries for the local group(s) and local user(s) on that machine.]
- edit the file sshd_config to allow TCP Forwarding
In
C:\Program Files\OpenSSH\etc
first copy the file sshd_config to sshd_config-orig so you keep the original. Then open sshd_config with a plain text editor such as Notepad or WordPad (NOT Word or WordPerfect, which would add formatting) and search for the line "#AllowTcpForwarding yes". Remove the pound/number sign (#) from the front of the line to uncomment it, then save the file and exit. sshd’s built-in default for this setting is already yes, so uncommenting it mainly makes the requirement visible in the file; what matters is that no uncommented "AllowTcpForwarding no" appears earlier in the file, because sshd uses the first value it reads for a keyword.
- make two batch files to start and stop the server.
The server files are configured now but we need to be able to start and stop the server itself. It will run as a service that shows up in the system services list once it is initialized. Again using a simple text editor make two files, call the first StartSSHServer.bat with text
@echo off
net start opensshd
pause
exit
and a second called StopSSHServer.bat with text
@echo off
net stop opensshd
pause
exit
and save these files in your local server subdirectory
C:\Program Files\OpenSSH\
Then in the DOS window enter
StartSSHServer.bat
which runs the batch file and starts the service. Note: under Vista or Windows 7 you may get “System error 5 has occurred. Access is denied.” In that case open a Windows Explorer window, browse to the .bat file, right-click it and select Run as administrator.
The above may install the service without actually starting it. Select Control Panel, Administrative Tools, Services and check that OpenSSH Server shows as Started. If it fails to start with the message
“Could not start the OpenSSH Server service on Local Computer. Error 1067: The process terminated unexpectedly.”
you will need to check the Path variables. See the detailed info at
N:\Win\sshvnc\OpenSSH-SourceForge-Server\OpenSSH-Error-1067.htm
which walks you through searching for copies of cygwin1.dll and making sure that none of them sits in any of your Path variables; a stray cygwin1.dll from another Cygwin-based tool, loaded ahead of the one shipped with OpenSSH, crashes sshd at startup.
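The steps above leave three files behind that are easy to get subtly wrong: a user appended twice because the >> command was run twice, a passwd entry whose gid has no line in the group file, or a second AllowTcpForwarding line that sshd silently ignores because it keeps the first value it reads. The following script is an added example, not part of this install sheet or of the OpenSSH package. Run with no arguments it checks constructed sample data embedded in the script; run as python checkssh.py joefoo janefoo it reads the real files from C:\Program Files\OpenSSH\etc (an assumed default path). The Match keyword is not handled, which does not matter for the 3.8.1 package used here.

```python
"""Post-install checks for the OpenSSH for Windows files edited above.
Added example, not part of the install sheet or the OpenSSH package; the
install path is assumed and the sample file contents are constructed."""
import re
import sys

ETC = r"C:\Program Files\OpenSSH\etc"   # assumed default install path

# Constructed samples (not from a real machine). group is name:SID:gid:members,
# passwd is name:passwd:uid:gid:gecos:home:shell. The third passwd line is a
# deliberate duplicate, what you get by running the '>>' command twice.
SAMPLE_GROUP = """\
Domain Users:S-1-5-21-1111111111-2222222222-3333333333-513:10513:
Administrators:S-1-5-32-544:544:
"""
SAMPLE_PASSWD = """\
joefoo:unused:11003:10513:U-EXAMPLE\\joefoo,S-1-5-21-1111111111-2222222222-3333333333-1003:/home/joefoo:/bin/bash
janefoo:unused:11004:10513:U-EXAMPLE\\janefoo,S-1-5-21-1111111111-2222222222-3333333333-1004:/home/janefoo:/bin/bash
janefoo:unused:11004:10513:U-EXAMPLE\\janefoo,S-1-5-21-1111111111-2222222222-3333333333-1004:/home/janefoo:/bin/bash
"""
SAMPLE_SSHD_CONFIG = """\
#Port 22
AllowTcpForwarding yes
# sshd keeps the FIRST value it reads for a keyword, so this line is ignored
AllowTcpForwarding no
"""


def parse_colon_file(text, nfields, what):
    """Parse /etc-style records into {name: fields}; also return problem strings."""
    records, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            problems.append(f"{what} line {lineno}: expected {nfields} fields, got {len(fields)}")
        elif not fields[2].isdigit():          # uid in passwd, gid in group
            problems.append(f"{what} line {lineno}: non-numeric id {fields[2]!r}")
        elif fields[0] in records:
            problems.append(f"{what} line {lineno}: duplicate entry for {fields[0]!r} (appended twice?)")
        else:
            records[fields[0]] = fields
    return records, problems


def check_accounts(passwd_text, group_text, expected_users):
    """Cross-check passwd against group and against who should have SSH access."""
    users, problems = parse_colon_file(passwd_text, 7, "passwd")
    groups, group_problems = parse_colon_file(group_text, 4, "group")
    problems += group_problems
    gids = {g[2] for g in groups.values()}
    for name, f in users.items():
        if f[3] not in gids:
            problems.append(f"passwd: {name} has gid {f[3]} with no matching group entry")
        if f[1] != "unused":   # mkpasswd writes no hash here; sshd authenticates against Windows
            problems.append(f"passwd: {name} has unexpected password field {f[1]!r}")
    for name in expected_users:
        if name not in users:
            problems.append(f"passwd: no entry for {name}; run mkpasswd -d -u {name} >> ..\\etc\\passwd")
    for name in users:
        if name not in expected_users:
            problems.append(f"passwd: {name} can log in over SSH but is not on your list")
    return problems


def effective_option(config_text, keyword, default):
    """Value sshd will use: the first uncommented occurrence wins, else the default.
    Keywords are case-insensitive; 'Key value' and 'Key = value' are both accepted.
    A Match block (not supported by this 3.8.1 package) ends the global section."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line[:5].lower() == "match":
            break
        m = re.match(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$", line)
        if m and m.group(1).lower() == keyword.lower():
            return m.group(2).strip()
    return default


def check_sshd_config(config_text):
    fwd = effective_option(config_text, "AllowTcpForwarding", "yes")
    if fwd.lower() != "yes":
        return [f"sshd_config: AllowTcpForwarding is {fwd!r}; the VNC tunnel needs 'yes'"]
    return []


def run_checks(passwd_text, group_text, config_text, expected_users):
    return check_accounts(passwd_text, group_text, expected_users) + check_sshd_config(config_text)


if __name__ == "__main__":
    if len(sys.argv) > 1:   # python checkssh.py joefoo janefoo  reads the real files
        texts = [open(ETC + "\\" + n).read() for n in ("passwd", "group", "sshd_config")]
        problems = run_checks(*texts, sys.argv[1:])
    else:                   # no arguments: check the constructed samples
        problems = run_checks(SAMPLE_PASSWD, SAMPLE_GROUP, SAMPLE_SSHD_CONFIG, ["joefoo", "janefoo"])
    print("\n".join(problems) or "OK")
```

Against the embedded samples the script reports exactly one problem, the duplicated janefoo line; the user list you pass on the command line is the list of people you actually intend to let in, so anyone who appears in passwd but not on that list is flagged as well.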
VNC Server Part:
The previous part set up an SSH server that accepts secure connections to the machine on TCP port 22, the SSH port. Now we install the VNC server and configure it so that it can only be reached through that SSH connection.
Look in
N:\Win\sshvnc\VNC4.x
and double-click the most recent VNC installer executable, then follow the prompts to install the software. This is the same executable used to install the Viewer, but it also offers to install the Server; check that box when you come to it. On the next screen, VNC Server Configuration, check both boxes: one runs the configuration after setup and the other installs the server as a service. Continue with the install.
Once the server is installed it will pop up the configuration screen. There are two tabs you need to access
- Authentication tab
Click the radio button for VNC Password Authentication, then click the Configure button and enter a password. Everyone who connects will need to know this one password, and it can be changed later as needed. Treat it as a weak, shared secret: VNC authentication uses only the first 8 characters, and the server stores the password obfuscated (not hashed) in the registry. It is the SSH login, not this password, that keeps strangers out.
- Connection tab
Accept connections on port 5900, with Idle timeout 3600. In Access Control put in only 127.0.0.1 as an allowed address. That single entry makes the server reject every other address and accept only the local host. It works because a viewer coming in through the SSH tunnel has its connection opened by sshd on this very machine, so VNC sees it arriving from 127.0.0.1, while a plain non-SSH VNC connection from the network is rejected. If the list is empty, everyone who can reach port 5900 gets through to the password prompt.
- leave all other tab settings as default. Exit and save.
At this point both the SSH and VNC servers should be running and you should be able to connect to the machine using the SSH VNC Viewer. The process of setting up the viewer is described in
http://jilawww.colorado.edu/~software/installs/sshvnc.htm
This finishes the actual SSH and VNC server install/configuration, but you will most likely need to adjust your firewall as well; see the next section. You should now have a VNC server icon in the system tray at the bottom right of your Windows screen. Double-clicking it brings up the tabs for setting the password or configuring the connections as needed. You should also see it as a service in Start, Control Panel, Administrative Tools, Services.
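The point of the 127.0.0.1-only Access Control entry is that VNC should answer through the SSH tunnel and nowhere else. The following script, run from the viewer side, checks exactly that. It is an added example and not part of this install sheet, of the OpenSSH package or of VNC; it assumes an ssh client in the PATH, a server configured as above (sshd on port 22, WinVNC on 5900), and takes the user name and host name as placeholders on the command line. It opens the tunnel, reads the 12-byte RFB version banner that every VNC server sends first, and then connects to the server’s port 5900 directly, where the answer should be either a refusal/timeout (your firewall) or a connection that is closed without a banner (the VNC host filter).

```python
"""Client-side check that VNC is reachable only through the SSH tunnel.
Added example, not part of the install sheet, the OpenSSH package or VNC.
Assumes the server set up above (sshd on TCP 22 with forwarding allowed,
WinVNC on 5900 accepting only 127.0.0.1) and an 'ssh' client in PATH.
User and host names are placeholders given on the command line."""
import socket
import subprocess
import sys
import time

RFB_BANNER_LEN = 12   # the RFB ProtocolVersion message is exactly "RFB xxx.yyy\n"


def build_tunnel_cmd(user, host, local_port=5900, remote_port=5900, ssh_port=22):
    """ssh command that forwards local_port on the viewer machine to
    127.0.0.1:remote_port on the server. The local side is bound to
    127.0.0.1 so other machines cannot ride the tunnel; -N opens no shell."""
    return ["ssh", "-N", "-p", str(ssh_port),
            "-L", f"127.0.0.1:{local_port}:127.0.0.1:{remote_port}",
            f"{user}@{host}"]


def is_rfb_banner(data):
    """True for a well-formed RFB ProtocolVersion message such as b'RFB 003.008\\n'."""
    return (len(data) == RFB_BANNER_LEN and data[:4] == b"RFB " and data[7:8] == b"."
            and data[-1:] == b"\n" and data[4:7].isdigit() and data[8:11].isdigit())


def parse_rfb_version(data):
    """(major, minor) from the banner; VNC 4.x servers announce 3.8."""
    if not is_rfb_banner(data):
        raise ValueError(f"not an RFB banner: {data!r}")
    return int(data[4:7]), int(data[8:11])


def probe_rfb(host, port, timeout=3.0):
    """What a plain TCP client sees on host:port:
      ('rfb', (major, minor))  a VNC server answered with its version
      ('closed', None)         TCP connected, then closed without a banner
                               (WinVNC rejecting a peer that is not 127.0.0.1)
      ('other', None)          something answered, but not RFB
      ('unreachable', None)    refused, timed out or no route (firewall,
                               nothing listening)"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            data = b""
            while len(data) < RFB_BANNER_LEN:
                chunk = s.recv(RFB_BANNER_LEN - len(data))
                if not chunk:
                    return ("closed", None)
                data += chunk
    except OSError:
        return ("unreachable", None)
    if is_rfb_banner(data):
        return ("rfb", parse_rfb_version(data))
    return ("other", None)


def check_server(user, host, local_port=5900, wait=30):
    """Start the tunnel, then probe VNC through it and directly."""
    tunnel = subprocess.Popen(build_tunnel_cmd(user, host, local_port))
    try:
        deadline = time.time() + wait          # ssh must authenticate before it listens
        via_tunnel = ("unreachable", None)
        while via_tunnel[0] == "unreachable" and time.time() < deadline:
            if tunnel.poll() is not None:      # ssh exited (e.g. bad password)
                break
            time.sleep(1)
            via_tunnel = probe_rfb("127.0.0.1", local_port, timeout=2)
        direct = probe_rfb(host, 5900, timeout=5)
    finally:
        tunnel.terminate()
        tunnel.wait()
    return via_tunnel, direct


if __name__ == "__main__":
    user, host = sys.argv[1], sys.argv[2]    # e.g. joefoo myworkstation.example.edu
    via_tunnel, direct = check_server(user, host)
    print("through the SSH tunnel:", via_tunnel)   # want ('rfb', (3, 8))
    print("direct to port 5900:  ", direct)        # want 'unreachable' or 'closed'
    sys.exit(0 if via_tunnel[0] == "rfb" and direct[0] != "rfb" else 1)
```

If the direct probe comes back as ('rfb', ...) the Access Control list is not doing its job (or the machine is accepting VNC on another interface), and the shared VNC password is all that stands between the network and your desktop.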
Firewall Issues
On the first try at connecting to the server you will most likely get messages such as “Host unavailable” or “Server timeout”. These are almost always caused by the firewall on the server or by the one on the workstation you are connecting from. To find out which, put them into wizard (learning) mode or similar so that they prompt you to create rules. If your firewall has no such mode, temporarily disable them one at a time while creating the rules. I will describe here what was necessary on my server machine.
- I use Outpost firewall. In Outpost under Applications for sshd.exe, the SSH Server executable, I have one rule where I set
TCP, Inbound, allow, remote host 127.0.0.1, and all other hosts’ IP addresses that might connect to this machine.
This rule was made initially by the Outpost Rules Wizard when the first connection was made, and then I added in the additional hosts and the localhost 127. part.
I don't have any other rules in System or elsewhere that are specific to ssh or vnc. In particular, DO NOT make a firewall rule for WINVNC4.EXE; settings in that rule will override settings that you later make in the VNC server configuration screen itself.