Under "Encrypt VNC traffic through an SSH tunnel" - Method 3, the document says "No change is needed to the xvnc@service script".
However, I can see the socket binds to all interfaces for port 5900. This means a VNC client can establish a direct connection to the xvnc server without an SSH tunnel established.
The document needs to be amended. Instead of changing xvnc@service, the xvnc.socket needs to be updated for Method 3.
```ini
[Socket]
ListenStream=127.0.0.1:5900
Accept=yes
```
This will force the socket to bind only to the localhost interface, and a remote connection from a VNC client will only work with an SSH tunnel. This will block direct connections to port 5900.
Environment (please complete the following):
Clear Linux OS VERSION_ID=33300
tigervnc: version: 33250
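
A way to verify the binding described in this report, as an added example that is not part of the original issue or the project's documentation: the function reads `ss -Hltn` output and lists any non-loopback address listening on the VNC port. The function name and the sample `ss` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the issue. Reads `ss -Hltn` output on stdin and
# prints every non-loopback address that is listening on the given TCP port.
# Exit status: 0 = loopback only, 1 = reachable off-host, 2 = no listener.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = match($4, /:[0-9]+$/)            # last colon separates the port
            if (n == 0 || substr($4, n + 1) != port) next
            found = 1
            addr = substr($4, 1, n - 1)
            sub(/%.*$/, "", addr)                # drop a scope such as %lo
            gsub(/\[|\]/, "", addr)              # drop IPv6 brackets
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
            print addr
            bad = 1
        }
        END { if (!found) exit 2; exit (bad ? 1 : 0) }
    '
}

# Constructed sample: socket listening on every interface.
sample_all_interfaces() {
    cat <<'EOF'
LISTEN 0 128  0.0.0.0:22  0.0.0.0:*
LISTEN 0 4096 *:5900      *:*
EOF
}

# Constructed sample: after ListenStream=127.0.0.1:5900 is applied.
sample_loopback_only() {
    cat <<'EOF'
LISTEN 0 128  0.0.0.0:22      0.0.0.0:*
LISTEN 0 4096 127.0.0.1:5900  0.0.0.0:*
EOF
}

for s in sample_all_interfaces sample_loopback_only; do
    if addrs=$("$s" | exposed_listeners 5900); then
        echo "$s: port 5900 is loopback only"
    else
        echo "$s: port 5900 is reachable on: $addrs"
    fi
done
```

On a live host the same check is `ss -Hltn | exposed_listeners 5900`, run after the socket unit has been restarted.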
I can confirm that @headwhacker's lightdm workaround mentioned at #1108 (comment) worked for me. However, I can't get the `ListenStream=127.0.0.1:5900` to work and am not sure if it is a bug. If I just leave it as `:5900` and SSH in with my local port 5900 remapped to `<VNC server ip>:5900` and use a VNC address of `localhost:5900`, then I can SSH in securely through the encrypted tunnel.
I should also note that if I put `ListenStream=<my windows ip>:5900` and restart the service, it fails to restart.