iiordanov / remote-desktop-clients

VNC, RDP, SPICE, and oVirt/RHEV/Proxmox Clients for Android and Blackberry 10
GNU General Public License v3.0

can't VNC to fedora 19 #13

Closed mattgatto closed 10 years ago

mattgatto commented 10 years ago

I have been unable to VNC (Secure VNC over SSH) from my Nexus 4 to my Fedora 19 desktop since upgrading to Fedora 19. I'm not sure if it was the Android 4.3 upgrade on my phone or the Fedora 18 -> 19 upgrade which did it. I get the error message: "Connection Failed! Connectionto VNC server 127.0.0.1 at port: 5900 failed. Reason: Server did not offer supported security type"

I have VNC, a.k.a. screen sharing turned on in Fedora as shown below.

screenshot from 2013-09-18 14 46 57

iiordanov commented 10 years ago

Why do you not require a password?

What is your Connection Type set to in bVNC?

Thanks! iordan

The conscious mind has only one thread of execution.

mattgatto commented 10 years ago

I've tried both with a VNC password and without and get the same results. Connection Type = Secure VNC over SSH.

iiordanov commented 10 years ago

OK, it looks like Fedora 19 does not offer plain VNC any more. Perhaps they offer only VNC over TLS now? When connecting through an SSH tunnel, bVNC assumes that the remote server offers unencrypted VNC, as it is assumed that the network to which it is tunnelling is trusted, so only plain VNC is expected.

Can you try connecting with bVNC without tunnelling? (i.e. be on the same network as the Fedora 19 computer). If so, please try both Basic VNC, and VNC over AnonTLS. Let me know your results.

Thanks!

mattgatto commented 10 years ago

I am on the same network. I'm connecting from my phone to my desktop through my LAN.

Connection Type = VNC over AnonTLS gives me this error: "Connection to VNC server: 192.168.2.101 at port: 5900 failed. Reason: failed to connect to /192.168.2.101 (port 5900): connect failed: EHOSTUNREACH (no route to host)" ... which is weird

and Connection Type = Basic VNC gives the same exact error message.

Normal SSH connections from my phone to my desktop work, so I know it's not a network/routing issue.

iiordanov commented 10 years ago

1) Try flushing the firewall rules on your Fedora 19 machine. Upon reboot they will be restored.

sudo iptables -F

2) If (1) doesn't help, try to see whether there is an option anywhere to make the VNC server listen on "all interfaces".

mattgatto commented 10 years ago

I guess that not being able to connect via VNC over AnonTLS was a firewall issue, because after enabling "vnc-server" for the default public zone in the firewall-config tool, I can connect OK. Thanks for your help and the nice app!

iiordanov commented 10 years ago

So, just to make things painfully clear, Fedora 19 enforces TLS for VNC connections, and Basic VNC no longer works, correct?

mattgatto commented 10 years ago

That appears to be the case, yes. Basic VNC still won't work, even after opening the firewall port for 'vnc-server', but VNC over AnonTLS works.

This leads me to wonder, though: how would I connect over the Internet to my home desktop with AnonTLS? With an SSH tunnel it would be straightforward and secure. I've never used AnonTLS to do this. I'm assuming I'd have to open up and forward port 5900 on the router to the desktop? That doesn't seem nearly as secure as using an SSH tunnel.

iiordanov commented 10 years ago

AnonTLS offers the same level of encryption as SSH, which guarantees the anonymity of data travelling in the channel. However, it DOES NOT check the identity of the remote machine with a certificate. This means that it is possible for a man-in-the-middle attack to occur.

Another deficiency of non-tunnelled VNC is that the password is limited to 8 characters, leaving it more vulnerable to brute-force attacks.

What I will do to deal with this issue is to look into allowing the "Basic VNC" mode to work with both TLS and non-TLS connections. This way, the separate VNC over AnonTLS mode will serve as an enforcement of TLS mode.

Obviously this is a future improvement, so in the meanwhile, try to see how to disable TLS on Fedora 19. It's probably a command-line option to the vino server. You can try seeing the output of "ps auxww | grep vino".

I'll leave the rest to you, but will be grateful if you do post any workarounds for others to see.

Cheers! iordan

mattgatto commented 10 years ago

Okay, I figured it out thanks to your help. Just run this at the command-line (or use dconf-editor to do it graphically): gsettings set org.gnome.Vino require-encryption false

And I can tunnel through SSH again.

iiordanov commented 10 years ago

Great, thanks for the feedback!

iordan

iiordanov commented 10 years ago

Please try this version and let me know if the problem is resolved even when Vino requires encryption.

Thanks! iordan

iiordanov commented 10 years ago

Joke's on me, github throws out attachments sent by email. Please email me directly at iiordanov --at-server-- gmail --dot-- com

Thanks! iordan

mattgatto commented 10 years ago

Yes that apk works even with 'require encryption' on in Fedora 19. Nice job. What was the fix?

iiordanov commented 10 years ago

As I mentioned previously, I planned to make Basic VNC also allow a TLS connection if it's the only option, but prioritize non-encrypted methods above it. The AnonTLS mode enforces encryption and will refuse to connect if TLS is not available as an option.

Thanks! Iordan
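
The security-type selection discussed in this thread, as an added example that is not bVNC's code and not part of the original comments: it parses an RFB 3.7/3.8 security-types message and picks a type under three client policies. The policy names, the preference lists and the sample server messages are assumptions constructed for illustration; the type numbers (1 None, 2 VNCAuth, 18 TLS) are the public RFB registry values.

```python
# RFB security-type numbers (public RFB registry).
NONE, VNC_AUTH, TLS = 1, 2, 18
NAMES = {NONE: "None", VNC_AUTH: "VNCAuth", TLS: "TLS"}

# Hypothetical policies modelled on the modes named in the thread (not bVNC's code).
# Each is an ordered preference list; earlier entries win.
POLICIES = {
    "plain_only": [NONE, VNC_AUTH],                    # tunnel mode before the fix
    "basic_with_tls_fallback": [NONE, VNC_AUTH, TLS],  # Basic VNC after the fix
    "anontls_enforced": [TLS],                         # VNC over AnonTLS
}


class NegotiationError(Exception):
    """Raised when no acceptable security type can be agreed."""


def parse_security_types(payload):
    """Parse the RFB 3.7/3.8 security-types message that follows the version exchange."""
    if not payload:
        raise NegotiationError("empty security-types message")
    count = payload[0]
    if count == 0:
        # Zero types means the server refused; a U32 length and reason string follow.
        if len(payload) < 5:
            raise NegotiationError("server refused connection (reason truncated)")
        length = int.from_bytes(payload[1:5], "big")
        reason = payload[5:5 + length].decode("latin-1")
        raise NegotiationError("server refused connection: " + reason)
    if len(payload) < 1 + count:
        raise NegotiationError("truncated security-types list")
    return list(payload[1:1 + count])


def choose_security_type(payload, policy):
    """Return the first type in the policy's preference order that the server offers."""
    offered = parse_security_types(payload)
    for wanted in POLICIES[policy]:
        if wanted in offered:
            return wanted
    names = ", ".join(NAMES.get(t, str(t)) for t in offered)
    raise NegotiationError("Server did not offer supported security type (offered: " + names + ")")


# Constructed server messages: one offering only TLS, one offering TLS and VNCAuth.
TLS_ONLY = bytes([1, TLS])
TLS_AND_AUTH = bytes([2, TLS, VNC_AUTH])
```

With the plain types listed first, the fallback policy still selects VNCAuth whenever the server offers it alongside TLS, so only the enforcing policy guarantees an encrypted session.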

iiordanov commented 10 years ago

I've released v3.3.4 with the fix in Google Play. Thanks for reporting!
