The officially official Devuan Forum!

You are not logged in.

#1 2023-01-01 14:26:16

entropyagent
Member
Registered: 2020-05-15
Posts: 48  

SSH tunnel from PC's VNC client to a VM's desktop on separate VM Host

G'day and Good Year.

I have encountered the idea that there might be security benefits from keeping my adventurous Internet browsing and my Internet commercial transactions (e.g. shopping, banking) on separate machines. I wondered if these separate machines could be VMs.

I also read that while it is convenient to access these VMs using VNC, VNC's access is less secure than it might be, and can be improved by a mysterious magic called "SSH tunneling". This would offer some protection against others on my network (guests, neighbours, wardrivers in the street outside, miscreants infiltrating my media player(s) or IoT lightbulbs, etc) possibly reading the unencrypted VNC traffic.

This hypothesis was stated on the Internet, so it must be true. I mean, all Internet statements are true, not so?

So...trying the VM route, I have at my disposal

1) A Linux computer I refer to as my "PC" (it's a bit feeble to be a VM Host)

2) A Linux computer I refer to as my "VM Host"  (Powerful, noisy, clumsy to work with)

3) A number (1 is a number, OK?) of "VM"s which can be run on the "VM Host"

Currently, to set the scene: I sit at my PC, and connect to my VM Host with an SSH tunnel via the incantation:

ssh -L 5901:localhost:5901 -l <VM Host userid> <VM Host IP>

This gives me a terminal on the VM Host, where I spin up a live VM thusly:

qemu-system-x86_64 <..so..many..parameters..> -vnc :1

To access the desktop (and therefore the browser) on this VM, I fire up remmina on the PC, select VNC connection method, and point this at

localhost:5901

This opens up the VM's desktop in the PC's VNC client window and I can browse OR transact. With multiple VMs, I could keep these activities separate.

My question is:

1) Am I benefitting from the magical protection of "SSH tunneling" in my interactions all the way between my PC VNC client and the VM desktop?

or

2) Does this protection only extend to the connection between the PC VNC client and the VM Host, leaving communication between the VM Host and the VM itself protected only by VNC security? Perhaps I need to create another SSH tunnel on the VM host?

My interpretation is that it is the first option. That is: SSH tunneling covers the comms between remmina i.e. the VNC client on my PC, to qemu-system on the VM Host, and that is everything I need, because the VM exists only in qemu-system. There is no unsecured comms between qemu-system and the VM, because the VM does not exist outside qemu-system.

I understand that a lot of other threats are being ignored, but my interest, for now, is in the extent of the SSH tunnel's protection.

I hope I've explained it clearly enough to receive some feedback that I can actually understand, though my powers of understanding are quite feeble.

Offline

#2 2023-04-12 00:27:52

danuan
Member
Registered: 2020-08-30
Posts: 16  

Re: SSH tunnel from PC's VNC client to a VM's desktop on separate VM Host

Try virt-manager , not only does it make the whole setup easier for beginners on the host.

It can run remotely to manage (over ssh) multiple other hosts vms 
and then connect to remote vm displays/shells over ssh also.

(on a a remote managment machine you do not need to install the whole kvm/qemu bundle )

for client machine that will connect to the server (on chimaera i used)

apt install --no-install-recommends virt-manager ssh-askpass-gnome 
apt install spice-client-gtk gir1.2-spiceclientgtk-3.0 gir1.2-spiceclientglib-2.0

passwordless ssh settup is convinient.

and also it will create the qemu .xml files for your vms so you can start them from virsh interface
without the manual way of starting them trough qemu and that mess of a commandline.

virt-manager helped me learn kvm/qemu libvirt at a much leaner learning curve , and then you can transition to
comandline/headless much faster.

PS: using qemu manualy is the hardest possible way to do to all of this , at the very least
start using libvirts virsh interface to crate/launch/edit virtual machines. virt-manager is the
visual way of doing what virsh interface does on top of libvirt.

Last edited by danuan (2023-04-12 02:27:56)

Offline

#3 2023-04-12 05:22:19

steve_v
Member
Registered: 2018-01-11
Posts: 381  

Re: SSH tunnel from PC's VNC client to a VM's desktop on separate VM Host

entropyagent wrote:

1) Am I benefitting from the magical protection of "SSH tunneling" in my interactions all the way between my PC VNC client and the VM desktop?

or

2) Does this protection only extend to the connection between the PC VNC client and the VM Host, leaving communication between the VM Host and the VM itself protected only by VNC security? Perhaps I need to create another SSH tunnel on the VM host?

There is no "magic protection" here, security is both an ongoing process and a matter of understanding what it is you are doing. SSH encryption extends between SSH client and SSH server, nothing more and nothing less. Likewise SSH authentication.

An SSH tunnel is exactly what the name implies, encapsulating and tunnelling other arbitrary TCP traffic through an SSH connection, where it benefits from whatever encryption your SSH session is using.
This is very useful for protecting unencrypted traffic over the open 'net (or as an ad-hoc "VPN"), but of questionable benefit on a trusted LAN. Operative word there is of course "trusted". If your LAN is not secure, you likely have bigger fish to fry... Such as isolating (or better, disposing of) internet-of-trash devices, and putting guest wireless connections on a restricted VLAN and/or dedicated access point.

In your scenario, the VNC client (remmina or whatever) makes an unencrypted VNC connection to port 5901 on localhost, where your SSH client is listening. SSH tunnels the connection inside it's encrypted channel to the remote machine, where the SSH server forwards it (unencrypted) to whatever is listening on the remote machine's port 5901 - in this case qemu's built-in VNC server.
Anything relating to the security of qemu (and it's VNC server) or the VM it is running is out of SSH's influence. It's simply passing network traffic from one machine to another.

Bear in mind that if the SSH server on the VM host can make a VNC connection to qemu, so can other processes or users on that machine.
You will still need to ensure the VNC server is configured to listen only on localhost and/or firewalled, and it has some kind of authentication enabled.
Local connections between processes (i.e. VNC client -> SSH client, SSH server -> qemu) are generally safe without any encryption, as they never leave the machine anyway. That said, if someone else has root on the server (i.e. it's not yours), all bets are off.

Last edited by steve_v (2023-04-12 05:55:46)


Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.

Offline

Board footer