How to set up VNC over SSH, for Windows NTx (aka. VNC SSH tunnelling)

*** Stuff you need to know how to do (before even thinking of doing this):

* How to set up VNC Server on Windows
* Managing servers with confidence
* Usage of puTTY as a basic SSH client

If you don't know about one or more of the above, then you need to go somewhere else and learn about that first :-)

Although this is one of those things that, given a reasonable amount of sysadmin knowledge, seems daunting the first time you think about trying it, given this *GREAT* :-) guide it is relatively easy.

Stuff you need to download:

OpenSSH Server for Windows: http://sshwindows.sourceforge.net/
VNC Server for Windows, eg: http://www.realvnc.com/
puTTY, a Windows SSH client: http://www.chiark.greenend.org.uk/~sgtatham/putty/

Quick note - I did the server config entirely over VNC the entire time, no local access required *IF DONE PROPERLY*. I did this the first time without having to salvage a mistake and log in with keyboard/monitor. Don't blame me if you don't take reasonable precautions (eg. a live server you don't have easy/quick local access to), if you're going to try it like this.

*** A quick overview ***

Here's what is going to be accomplished:

Server side:
* VNC configured to only accept connection requests from localhost (so people can't bypass the ssh tunnel protection, or a firewall)
* OpenSSH installed and configured (the easy part, surprisingly)

Client side:
* PuTTY (ssh client) configured to "ssh tunnel" the VNC traffic
* VNC client configured to use the ssh tunnel (another easy part)

I've only set this up for a single user (an admin) to use VNC with. You're on your own if you want multiple user access to this, but this guide should initially help.

SSH servers have a feature to do ssh tunnelling. It's that feature that we're using, and the SSH client needs the most configuring.
Basic run-down of what happens:

* Do a basic install and setup of OpenSSH
* Configure VNC Server to point at localhost only
* (Client-end) Configure puTTY to ssh tunnel
* (Client-end) Point VNC Viewer at localhost

*** Step-by-step *** (all server side until noted otherwise)

1. Have VNC Server configured just for normal usage, all working nicely. (I'll go through OpenSSH first, that's an easy bit)

2. Download OpenSSH (URL provided at top of article).

3. Run the OpenSSH installer. It's an installation EXE in a zip file. If you're stumped by that, give up now :).

4. Install OpenSSH to the desired location. I'd advise installing everything it has to offer. Untested otherwise.

4a. When installation finishes, open the quickstart guide and keep that handy just in case.

5. Get up a command prompt, CD your way to the OpenSSH directory, and CD into the 'bin' directory inside that.

5a. Run the following commands:

    mkgroup -l >> ..\etc\group
    mkpasswd -l -u administrator >> ..\etc\passwd

('administrator' is an example. Use the desired username to log into the machine.)

6. Start the OpenSSH Server (net start opensshd).

7. Test OpenSSH. Use puTTY to connect to the server as you would a normal SSH server. If puTTY immediately exits after login, there are two possible things wrong:

* You didn't type the two commands correctly in step 5a (try them again)
* You need to restart the computer (so sayeth the quickstart guide)

Once that works, you should be able to log in to a standard Win2k command prompt. Logout when done.

(Now for VNC Server configuration)

Please note the following changes only take effect when VNC is restarted. Here's the plan: configure it right first time, restart, the new changes are applied, and SSH tunnelling will be the only way to talk to VNC remotely.

VNC Server by default accepts connections on all interfaces, but *doesn't* allow loopback connections. So a few things need to be configured. These are all done via the registry.
There are a few different versions of VNC, so implementations do differ slightly. If you're not using RealVNC, check the documentation for your flavour of VNC for the following settings:

* AllowLoopback (allows loopback connections (localhost) to VNC)
* LoopbackOnly (makes it so that only loopback connections work)

8. REGEDIT.

8a. Go to HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3

8b. Create the following keys:
    (DWORD) AllowLoopback
    (DWORD) LoopbackOnly
Change both values to 1.

(Now for client-end configuration... a bit of a bugger)

9. Set up puTTY how you would to connect to the server in question, to get an SSH prompt. Don't connect yet!

10. Right down the bottom of the category list, there's an 'SSH' subcategory, and another 'Tunnels' category inside that. Go into the 'Tunnels' category. (If you can't see that category, you're using an old version of puTTY.)

11. In the 'Tunnels' section, there are some options down the bottom which need to be configured:

11a. 'Source port': type in '5900'. 'Destination': type in 'localhost:5900'. In the radio buttons underneath that, select 'Local'. Hit 'Add'. The large white box above the ones we've just been playing with should read:

    L5900 localhost:5900

11b. You might want to save those settings :) Go into the top category on the left hand side, 'Session'. Give the stored session a name, such as 'hostname ssh tunnel'. Hit 'Open'.

12. Log in to your server via ssh. Leave that prompt open/running.

13. Fire up the VNC Viewer/client. Type in 'localhost', hit return. As you haven't restarted yet, you should get an error along the lines of 'loopback connections not allowed'.

14. Get rid of the error and VNC Viewer, and log out of the SSH session. Log in via VNC how you would have done before (unencrypted), and restart the server.

15. When the server has fully restarted, fire up puTTY, load the saved settings for the SSH tunnel, hit 'Open', log in to the server via SSH, then fire up VNC viewer, pointing at localhost.
You should then get a password prompt on the server and log in, all wonderfully encrypted.

TIP: You may want to create a user that will be used to connect via ssh, and then an admin account to log in on afterwards. Otherwise, when you log out of VNC, you'll lose the ssh connection as well. One workaround (if you just want to use one account for both) is to lock the workstation after your VNC session and then exit; the ssh session then stays open and gets closed down properly when you log out of it.

Modified: 16/03/2005, Mike Coppins. Thanks to Mike Dixson for assistance/testing. Tested on: Win2k.
www.mikeymike.org.uk
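A check worth running on the server after the restart in step 15, to confirm the LoopbackOnly change from step 8 has actually taken effect: the following added example (not part of the original article) parses the output of `netstat -an` and lists any address other than loopback on which TCP 5900 is bound. The netstat samples embedded in it are constructed; on a real box you would paste in the actual `netstat -an` output.

```python
"""Check that the VNC port is bound to loopback only.

Added example, not from the original article: parses `netstat -an` output
(Windows format) and lists non-loopback addresses on which TCP 5900 is bound.
"""
from typing import List, Tuple

VNC_PORT = 5900

# Constructed `netstat -an` sample BEFORE the LoopbackOnly restart: VNC is
# still listening on the LAN interface as well as on loopback.
SAMPLE_BEFORE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5900         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:5900      0.0.0.0:0              LISTENING
"""

# Constructed sample AFTER the restart: only sshd (22) is reachable from the
# network; VNC (5900) is bound to loopback, so the tunnel is the only way in.
SAMPLE_AFTER = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5900         0.0.0.0:0              LISTENING
"""


def parse_listeners(netstat_output: str) -> List[Tuple[str, int]]:
    """Return (address, port) for every TCP socket in LISTENING state."""
    listeners = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            addr, port = parts[1].rsplit(":", 1)  # also copes with [::]:5900
            listeners.append((addr, int(port)))
    return listeners


def exposed_vnc_listeners(netstat_output: str, port: int = VNC_PORT) -> List[str]:
    """Addresses other than loopback on which the VNC port is bound.

    Empty means VNC is reachable only through the SSH tunnel (or not running);
    0.0.0.0, [::] or an interface address means the tunnel can be bypassed and
    the registry change from step 8 has not taken effect yet.
    """
    return [addr for addr, p in parse_listeners(netstat_output)
            if p == port and not addr.startswith("127.")]


if __name__ == "__main__":
    for name, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, "exposed on:", exposed_vnc_listeners(sample) or "nothing")
```

Windows netstat prints an IPv6 wildcard as [::]:5900, which the check also reports as exposed, since it is not a loopback address.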