Remote Desktop - "only accept from localhost" option does not work

Bug #275340 reported by komputes on 2008-09-28
This bug affects 6 people
Affects         Status    Importance  Assigned to          Milestone
vino            Expired   Medium
vino (Ubuntu)             Low         Ubuntu Desktop Bugs
Nominated for Lucid by komputes

Bug Description

Binary package hint: vino

Remote Desktop has an advanced option which does not work.

The option "only accept from localhost" should restrict connections. Yet, even with this option enabled I can access vnc from another computer on the network.

Ubuntu 8.04.1
2.6.24-19-generic
vino 2.22.2-0ubuntu1

My current workaround is to install a program like ufw to block all incoming ports. If this option does not work, please fix it or remove it.

Rich Wareham (richwareham) wrote :

Can you post the results of running the command

  netstat -nlp | grep vino

Both with and without the 'Only allow local connections' set. This option works for me on my machine and I get the following:

Local only:
  tcp6 0 0 ::1:5900 :::* LISTEN 7072/vino-server

All:
  tcp6 0 0 :::5900 :::* LISTEN 7072/vino-server

The '::1' in the former line shows it is listening on the local interface (although surprisingly via IPv6) and hence should not respond to remote connections.
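
As an added illustration of the check Rich describes (this is not code from the bug report or from vino), the following Python parses `netstat -nlp` output and reports whether every vino-server listener is bound to a loopback address; the sample lines are constructed from the output quoted in this thread, not captured from a live host.

```python
import ipaddress

# Constructed sample modelled on the `netstat -nlp | grep vino` lines quoted
# in this thread (not captured from a real host): a loopback-only bind, a
# wildcard bind, an IPv4 loopback bind, and an unrelated sshd listener.
SAMPLE_NETSTAT = """\
tcp6  0  0 ::1:5900        :::*       LISTEN  7072/vino-server
tcp6  0  0 :::5900         :::*       LISTEN  6899/vino-server
tcp   0  0 127.0.0.1:5900  0.0.0.0:*  LISTEN  4936/vino-server
tcp   0  0 0.0.0.0:22      0.0.0.0:*  LISTEN  7982/sshd
"""

def split_host_port(local_addr):
    """Split at the last colon so IPv6 literals like '::1:5900' and ':::5900'
    (netstat's spelling of [::]:5900) come apart correctly."""
    host, _, port = local_addr.rpartition(":")
    return host, int(port)

def classify(local_addr):
    """'loopback' (::1, 127.x), 'wildcard' (::, 0.0.0.0) or 'interface'."""
    host, _ = split_host_port(local_addr)
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:  # bound on every interface, reachable from the LAN
        return "wildcard"
    return "interface"

def audit_listeners(netstat_output, program="vino-server"):
    """Return (proto, host, port, exposure) for each LISTEN socket of `program`.
    Unix-domain sockets and other programs are skipped."""
    findings = []
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) < 7 or f[5] != "LISTEN" or not f[6].endswith("/" + program):
            continue
        host, port = split_host_port(f[3])
        findings.append((f[0], host, port, classify(f[3])))
    return findings

def local_only(netstat_output, program="vino-server"):
    """True only when `program` listens and every listener is on loopback."""
    findings = audit_listeners(netstat_output, program)
    return bool(findings) and all(x[3] == "loopback" for x in findings)

if __name__ == "__main__":
    for proto, host, port, exposure in audit_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {host}:{port} -> {exposure}")
    print("local only:", local_only(SAMPLE_NETSTAT))
```

Feeding it live output (`netstat -nlp | python3 audit.py` after changing the script to read stdin) gives the same loopback/wildcard verdict Rich derives by eye from the `::1` versus `:::` prefix.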

Jonh Wendell (wendell) wrote :

As Rich commented, it works fine for me. Marking as 'incomplete' until you supply the information we asked for.

Changed in vino:
status: New → Incomplete
komputes (komputes) wrote :

This is still an issue for me. Even though the "only accept from localhost" option is selected, I am able to connect from other nodes on the network to this one using port 5900. It does not seem to only listen to itself.

As requested, here is the netstat output with the option on:
tcp6 0 0 :::5900 :::* LISTEN 6899/vino-server

and with the option off:
tcp6 0 0 :::5900 :::* LISTEN 6899/vino-server

As you can very well see, I am not getting the same (expected) results as you.

Changed in vino:
status: Incomplete → Confirmed
Jonh Wendell (wendell) wrote :

OK, this bug is already reported upstream, let's discuss it there: http://bugzilla.gnome.org/show_bug.cgi?id=500620

komputes, please execute the instructions I asked for in the upstream bug report and paste the results there.

Thanks.

Changed in vino:
importance: Undecided → Medium
status: Confirmed → Triaged
komputes (komputes) wrote :

Interesting. It would be great to find what is at the root of this bug.

So I did as you said on the gnome bug tracker and got the following output:

===========================

$ /usr/lib/vino/vino-server
22/10/2008 12:54:38 PM Listening for VNC connections on TCP port 5900
22/10/2008 12:54:38 PM Advertising security type: 'TLS' (18)
22/10/2008 12:54:38 PM Advertising authentication type: 'VNC Authentication' (2)
22/10/2008 12:54:38 PM Advertising security type: 'VNC Authentication' (2)
22/10/2008 12:54:49 PM Re-binding socket to listen for local VNC connections on TCP port 5900
--
ON
LOCAL-ONLY ON
--
22/10/2008 12:56:10 PM Re-binding socket to listen for all VNC connections on TCP port 5900
--
ABOVE - TURNING LOCAL-ONLY OPTION OFF
--
22/10/2008 12:57:18 PM Re-binding socket to listen for local VNC connections on TCP port 5900
--
ABOVE - TURNING LOCAL-ONLY OPTION ON

===========================

Then when I run netstat I get the following:

tcp6 0 0 ::1:5900 :::* LISTEN 12748/vino-server

Thank you for your help.

Changed in vino:
status: Unknown → Incomplete
komputes (komputes) wrote :

With further testing on Intrepid, I found that this bug was still not resolved, even with John's fix of "flashing" the program (for the sake of a better term) which makes it localhost only (as seen from netstat output). The following commands were run consecutively from the host itself as well as over ssh:

ubuntu@ubuntu-desktop:~$ netstat -nlp | grep vino
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp6 0 0 ::1:5900 :::* LISTEN 10315/vino-server
unix 2 [ ACC ] STREAM LISTENING 55407 10315/vino-server /tmp/orbit-ubuntu/linc-284b-0-1b22e24bb4edc
ubuntu@ubuntu-desktop:~$ vncviewer localhost:0
vncviewer: ConnectToTcpAddr: connect: Connection refused
Unable to connect to VNC server
ubuntu@ubuntu-desktop:~$ vncviewer localhost
vncviewer: ConnectToTcpAddr: connect: Connection refused
Unable to connect to VNC server

Then I turned the localhost option...

ubuntu@ubuntu-desktop:~$ netstat -nlp | grep vino
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp6 0 0 :::5900 :::* LISTEN 10315/vino-server
unix 2 [ ACC ] STREAM LISTENING 55407 10315/vino-server /tmp/orbit-ubuntu/linc-284b-0-1b22e24bb4edc
unix 2 [ ACC ] STREAM LISTENING 704130 19943/vino-preferen /tmp/orbit-ubuntu/linc-4de7-0-21908543bd579
ubuntu@ubuntu-desktop:~$ vncviewer localhost:0
Connected to RFB server, using protocol version 3.7
Performing standard VNC authentication
Password:

komputes (komputes) wrote :

Could this be related to Bug #228370?

Changed in vino:
status: Incomplete → Invalid
komputes (komputes) wrote :

The localhost option seems to have been removed from the project in vino 2.26.0-0ubuntu1 (Jaunty).
I'm guessing they couldn't make it work properly so they just took it out.

Changed in vino:
importance: Unknown → Undecided
status: Invalid → New
importance: Undecided → Unknown
status: New → Unknown
Sebastien Bacher (seb128) wrote :

the option is a gconf key option now but still there

Changed in vino (Ubuntu):
assignee: nobody → desktop-bugs
importance: Medium → Low
Changed in vino:
status: Unknown → Invalid
Jacques Perrier (perrier-j) wrote :

Still broken for me, using ubuntu Jaunty (vino version 2.26.1-0ubuntu1):

I can confirm that when the gconf key option "desktop/gnome/remote_access/network_interface" is set to "lo" (local loopback), vino seems to listen only to localhost:

sudo netstat -plutn | grep vino
tcp 0 0 127.0.0.1:5900 0.0.0.0:* LISTEN 4936/vino-server
tcp6 0 0 ::1:5900 :::* LISTEN 4936/vino-server

But in fact, connecting through an ssh tunnel doesn't work.

And yes, the connection through ssh tunnel works when the "lo" value is removed.

komputes (komputes) wrote :

Jacques, I do not think gnome developers are looking to fix/patch the old version which does not work (meaning it will remain broken in 8.04, and 8.10 until end-of-life).

As mentioned in the upstream bug by Jonh Wendell:

"local_only preference is now obsolete. Now you are able to select a network interface which vino must listen to."

I opened up Remote Desktop Preferences and I do not see this option in vino-preferences, part of the vino package 2.26.1 (Jaunty) or 2.26.2 (Karmic). Maybe I am missing something, but I do not know how I am able to select a network interface which vino must listen to.

anatoly techtonik (techtonik) wrote :

Without an option to listen to localhost only it is impossible to securely connect to vino server through SSH tunnel. I would say Ubuntu is insecure with such kind of default client. It is usually a matter of hours before you get scanned by some roaming droid that will try to break the pass next try. I do not know what is the normal rate of password probing for vino, but there are always ways to sniff your traffic, so I would raise the status to rather critical security issue.

komputes (komputes) wrote :

@ anatoly techtonik

I completely agree with your statement. Keep in mind that you can simply block all ports but 22 (ssh) as a workaround.

As I said in comment #8:
The localhost option seems to have been removed from the project in vino 2.26.0-0ubuntu1 (Jaunty).
I'm guessing they couldn't make it work properly so they just took it out.

And in comments #11 & 12:
As mentioned in the upstream bug by Jonh Wendell:
"local_only preference is now obsolete. Now you are able to select a network interface which vino must listen to."

The select network interface is not available (I do not see it) but when this is fixed you should be able to select localhost and that will block all requests from the outside.

komputes (komputes) wrote :

I had a short jabber talk with Jonh Wendell. It seems the option to select interface is available in the back end but not directly in vino-preferences.

To set up localhost only, you have to open up gconf-editor and modify the following string value to be "lo" (without the quotes):

/desktop/gnome/remote_access/network_interface

@ anatoly techtonik (and anyone willing to test) - Can you test this out and make sure it works for you? I will try to test this later today.

komputes (komputes) wrote :

I tested this, and it seems to work as expected. Do not be frightened that your desktop sharing is still being advertised on your network and is picked up by vinagre (vnc client). I believe this is avahi advertising the service. I nmap'd the host and port 5900 is not exposed unless the eth0 interface is set.

Jacques Perrier (perrier-j) wrote :

Hello komputes.
Did you test the connection through SSH tunnel from the outside with the option set to "lo"? (see #10 above)

Gaspar (gmhoward) wrote :

Hello Jacques,

I did test the connection thru SSH and it worked successfully with the option set to "lo". Here is what I did:
1. Configure vino to only use localhost interface, as detailed in #15.
2. Connect from a host with public IP address (a.b.e.f) to vino server on remote host (a.b.c.d). Connection was tunneled using SSH.

Here is the output from netstat on the vino server:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:5900 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 a.b.c.d:22 a.b.e.f:44168 ESTABLISHED
tcp6 0 0 ::1:5900 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN

slashbin (slashbin) wrote :

I had a similar failure as Jacques in #10 and I found it was caused by the
way I started ssh forwarding: for vino server on remote a.b.c.d, I used to run

    ssh -L 5902:a.b.c.d:5900 a.b.c.d

Now I run

    ssh -L 5902:localhost:5900 a.b.c.d

This works when network_interface is "lo".

Jacques Perrier (perrier-j) wrote :

Well I gave it another try, and still no joy... (on Jaunty with vino version 2.26.1-0ubuntu1)

Connecting from a host with address (a.b.c.f) to vino server on remote a.b.c.d:

ssh -L 5902:localhost:5900 a.b.c.d

vinagre localhost:5902

- with network_interface = blank : works fine
- with network_interface = lo : doesn't work (black screen). doesn't give any error message on host and no pop-up to accept connection on vino server side

Here is the output from netstat on the vino server (sudo netstat -patn) :
Connexions Internet actives (serveurs et établies)
Proto Recv-Q Send-Q Adresse locale Adresse distante Etat PID/Program name
tcp 0 0 127.0.0.1:5900 0.0.0.0:* LISTEN 5924/vino-server
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 7982/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 3106/cupsd
tcp 0 0 a.b.c.d:22 a.b.c.f:58358 ESTABLISHED 7986/sshd
tcp6 0 0 ::1:5900 :::* LISTEN 5924/vino-server
tcp6 0 0 :::22 :::* LISTEN 7982/sshd
tcp6 0 0 ::1:631 :::* LISTEN 3106/cupsd
tcp6 0 0 ::1:39311 ::1:5900 ESTABLISHED 7994/2
tcp6 0 0 ::1:5900 ::1:39311 ESTABLISHED

I will try again with Karmic as soon as RC is out.
Cheers.

komputes (komputes) wrote :

Hi Jacques,

Sorry I haven't responded to Comment #17 yet. Today, I had time to test it in Karmic, and it works for me.

Here is what I had to do:

On the server:
1) $ sudo apt-get install openssh-server
2) Go to System > Preferences > Remote Desktop and enable the service
3) Open gconf-editor and change the value of /desktop/gnome/remote_access/network_interface = lo

On the client (Option 1):
1) $ ssh -N -L 5900:localhost:5900 ubuntu@10.10.10.69
2) Open Applications > Internet > Remote Desktop viewer and connect to "localhost"

On the client (Option 2):
1) $ sudo apt-get install vncviewer
2) vncviewer -via ubuntu@10.10.10.69 localhost:0
3) Password will be requested in the terminal and a vncviewer window will launch afterwards

Both of these seemed to work for me. Can anyone report having issues using these instructions?

Nigel Stewart (nigels) wrote :

It would be nice to have this hidden feature return to the preferences GUI. I'd also want the avahi broadcasting limited to the same network interface (ie: local) or the option to disable avahi broadcast.

Changed in vino:
importance: Unknown → Medium
status: Invalid → Expired