
Given that VNC and X11 were not developed with security in mind, what do people


Question

Given that VNC and X11 were not developed with security in mind, what do people typically see done to remotely connect to a Linux system where a GUI is required? While SSH access alone might be preferred, oftentimes there are requirements where a developer or administrator needs GUI access to a Linux system.

So far, I see the following solutions:

+ Require VNC to be used over a secure SSH tunnel. However, I would have to rely on the dev/admin to set up a tunnel every time.
+ Use X11Forwarding. X11 was not designed for security, and additionally is much slower than VNC is.
+ NoMachine remote desktop. I have not played around with it yet, but they purport to be a secure remote desktop solution.

While many people advocate setting X11Forwarding to 'no' in the sshd_config, it seems to me that this is the most secure native alternative. However, I am more than open to ideas from the security gurus out here!
What is considered an acceptable, secure method of remotely connecting to a Linux system?

Explanation / Answer

NoMachine is more-or-less X11 over SSH with improvements in performance. So the two benefits there are that SSH is managed for you and that you don't have the ghastly performance of X11 over a network. (ISTR that SSH is not the default, but it's essentially a dropdown option, not a setup saga).

VNC also provides better performance than X11, and can be secured either over SSH or using one of the various hardened variants (like UltraVNC or RealVNC Enterprise or Personal). However, given the hodgepodge of variants and the manual nature of SSH integration (e.g., TightVNC basically says "do it yourself"), it's not the most coherent of solutions.

X11Forwarding ranges from bad to abysmal across the network. It's essentially unusable across the WAN. And that's not because of SSH, it's because of the way latency impacts the X11 protocol. I wouldn't bother with it for that reason.

My personal advice is to look at NoMachine. It's a much more coherent, solid product than *VNC, and having the SSH bit work is easy and integrated.
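A check for the "VNC over an SSH tunnel" and X11Forwarding setups discussed above, as an added example that is not part of the original question or answer: it reads `ss -Hltn`-style lines and reports VNC (5900-5999) or X11 (6000-6063) listeners bound to a non-loopback address, which are reachable without going through SSH. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find VNC/X11 listeners that bypass the SSH tunnel.
# VNC display :N listens on TCP 5900+N; X11 display :N on TCP 6000+N.
# sshd's forwarded X11 displays start at 6010 by default and stay on
# loopback unless X11UseLocalhost is set to "no" in sshd_config.

# Constructed sample, standing in for the output of: ss -Hltn
# Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
sample_ss_output() {
cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:5901 0.0.0.0:*
LISTEN 0 5 0.0.0.0:5902 0.0.0.0:*
LISTEN 0 5 [::1]:5903 [::]:*
LISTEN 0 128 *:6010 *:*
LISTEN 0 128 127.0.0.1:6011 0.0.0.0:*
EOF
}

# Print "service port address" for every VNC or X11 listener that is
# bound to anything other than a loopback address.
exposed_gui_listeners() {
    awk '
    $1 == "LISTEN" {
        laddr = $4
        # The port is the text after the last colon (IPv6 has several).
        n = split(laddr, parts, ":")
        port = parts[n] + 0
        addr = substr(laddr, 1, length(laddr) - length(parts[n]) - 1)
        # Loopback-only listeners can only be reached via the tunnel.
        if (addr ~ /^127\./ || addr == "[::1]") next
        if (port >= 5900 && port <= 5999) print "vnc", port, addr
        else if (port >= 6000 && port <= 6063) print "x11", port, addr
    }'
}

# Run against the constructed sample; on a real host use:
#   ss -Hltn | exposed_gui_listeners
sample_ss_output | exposed_gui_listeners
```

An empty result means every GUI listener is loopback-only, so users must come in through SSH (for VNC, a local port forward to the loopback-bound display).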
