search

TurboVNC / turbovnc

Main TurboVNC repository
https://TurboVNC.org
GNU General Public License v2.0
761 stars 138 forks source link

could not support non-standard sshd port for Turbovnc session manager. #312

Closed wanlinwang closed 2 years ago

wanlinwang commented 2 years ago

My Linux host's sshd listen on non-standard port rather than 22. It could not be used for Turbovnc session manager. Could it support customized port for sshd using by Turbovnc session manager?

wanlinwang commented 2 years ago

I could you .ssh/config file to specify the port. Thank you!

dcommander commented 2 years ago

You can configure a host entry in the OpenSSH config file (~/.ssh/config on Un*x or %USERPROFILE%/.ssh/config on Windows), such as:

Host my_host
  HostName my_actual_host_name
  Port 2222

and then enter my_host rather than my_actual_host_name in the TurboVNC Viewer.

You can also use the SSHPort parameter on the TurboVNC Viewer command line. For example:

/opt/TurboVNC/bin/vncviewer my_actual_host_name -sshport 2222

I intend to eventually add the ability to configure the SSH port using the TurboVNC Viewer Options dialog and also the ability to store settings on a per-host basis, but I ran out of time and funding to include those features in TurboVNC 3.0. For now, OpenSSH config file entries are probably the most straightforward solution if you need to connect repeatedly to the same host using a non-standard SSH port.

wanlinwang commented 2 years ago

Got, thank you very much!

jmakov commented 6 months ago

I'd like to reopen the issue. Neither solution is working for me:

  1. if I just enter in vncviewer my_host, I get Auth fail. If I SSH, start the server and get the display number, then enter my_host:display_number, I get Could not resolve hostname: node4: Name or service not known.
  2. same behavior when using vncviewer srv_ip -sshport myport
  3. using vncviewer -config myfile.turbovnc with SSHUser=jonny and SSHPort=1234 also doesn't help

What finally is working is vncviewer myip:display_number -sshport 1234. And only after manually SSHing and starting the server. Otherwise I get Connection refused. This also only seems to work on LAN. If instead of myip I enter a domain name, vncviewer just jumps on 100% CPU usage and nothing happens. With vncviewer mydomain:1 -tunnel -sshport 1234 I get Auth fail. Not really sure what other options to use to connect via mydomain other than 1. manually SSHing and starting the server, 2. manually binding the port.

I'd expect the same workflow as e.g. x2go - select auth method e.g. SSH and that's it. A lot of fiddling around and experimenting to get a simple example working.

Not sure if previous options are deprecated but I miss more documentation. Also can you help me understand the point of having a passw login when one is already authenticating with a SSH key?

dcommander commented 6 months ago

I'd like to reopen the issue. Neither solution is working for me:

  1. if I just enter in vncviewer my_host, I get Auth fail. If I SSH, start the server and get the display number, then enter my_host:display_number, I get Could not resolve hostname: node4: Name or service not known.
  2. same behavior when using vncviewer srv_ip -sshport myport
  3. using vncviewer -config myfile.turbovnc with SSHUser=jonny and SSHPort=1234 also doesn't help

What finally is working is vncviewer myip:display_number -sshport 1234. And only after manually SSHing and starting the server. Otherwise I get Connection refused. This also only seems to work on LAN. If instead of myip I enter a domain name, vncviewer just jumps on 100% CPU usage and nothing happens. With vncviewer mydomain:1 -tunnel -sshport 1234 I get Auth fail. Not really sure what other options to use to connect via mydomain other than 1. manually SSHing and starting the server, 2. manually binding the port.

I'd expect the same workflow as e.g. x2go - select auth method e.g. SSH and that's it. A lot of fiddling around and experimenting to get a simple example working.

Not sure if previous options are deprecated but I miss more documentation. Also can you help me understand the point of having a passw login when one is already authenticating with a SSH key?

Let me explain what is supposed to happen. As documented in the TurboVNC User's Guide, if you pass only a hostname or IP address to the TurboVNC Viewer, the TurboVNC Viewer will start the TurboVNC Session Manager, which connects to the specified hostname/IP address using SSH (subject to the values of the SSHUser and SSHPort parameters.) Once you successfully authenticate using SSH, the TurboVNC Session Manager will start a new TurboVNC session if one isn't already started under your user account. Otherwise it will show a dialog with all of your running sessions, allowing you to connect to or kill one of them or start a new one. When the TurboVNC Session Manager starts a new session, that session will automatically be configured to tunnel the RFB connection through SSH and to use one-time password (OTP) authentication. When connecting to a TurboVNC session, the TurboVNC Session Manager invokes /opt/TurboVNC/bin/vncpasswd through SSH in order to generate a new OTP for the session, it reads that OTP through the SSH console output, and it passes the OTP to the TurboVNC session via the SSH-tunneled RFB connection. If the TurboVNC Session Manager is working correctly, then it is effectively single-sign-on. You won't be asked for a VNC password or any other authentication credentials.

However, when you pass a hostname or IP address and a VNC display number to the TurboVNC Viewer, it will try to act like a "normal" VNC viewer, which means that it will:

The core of the issue is that SSH authentication failed for some reason, so the TurboVNC Session Manager didn't start. After that, you tried several things that wouldn't have worked:

  1. If I SSH, start the server and get the display number, then enter my_host:display_number, I get Could not resolve hostname: node4: Name or service not known.
  2. same behavior when using vncviewer srv_ip -sshport myport
  3. using vncviewer -config myfile.turbovnc with SSHUser=jonny and SSHPort=1234 also doesn't help

my_host refers to an entry in the OpenSSH config file, which has no relevance to the TurboVNC Viewer unless SSH tunneling is enabled. Since you passed a display number to the viewer, it operated as a normal VNC viewer, so SSH tunneling wasn't enabled by default. Because SSH tunneling wasn't enabled, the viewer had no idea what my_host was, and it ignored the SSHPort and SSHUser parameters.

Let's focus on the SSH authentication issue, since that is at the core of the problem. Please try /opt/TurboVNC/bin/vncviewer my_host -loglevel 110 and post the output.

jmakov commented 6 months ago 
JSch: Next authentication method: publickey
JSch: Trying private key: user@user (decrypted)
JSch: rsa-sha2-512 preauth failure
JSch: Trying private key: user@user (decrypted)
JSch: ssh-ed25519 cannot be used as public key type for identity user@user
JSch: Disconnecting from 192.168.1.2 port 1234
Session Manager Error:
Auth fail

From what I can tell it isn't satisfied with the ssh key type for some reason - ed25519. Saw your comment on a workaround. Works. Would be nice if that was a part of the docs. Anyhow, think that's the best support I got in last years. Happy user, thank you again.

dcommander commented 6 months ago

I intend to add Ed25519 support in the next major TurboVNC release (#323), and I would like to support external SSH clients with the Session Manager as well (#148.) However, I'll see if there is a logical place to include a blurb about the workaround in the meantime.