Product SiteDocumentation Site

9.2.3. Connecting to VNC Server Using SSH

VNC is a clear text network protocol with no security against possible attacks on the communication. To make the communication secure, you can encrypt your server-client connection by using the -via option. This will create an SSH tunnel between the VNC server and the client.
The format of the command to encrypt a VNC server-client connection is as follows:
~]$ vncviewer -via user@host:display_number
Example 9.2. Using the -via Option
  1. To connect to a VNC server using SSH, enter a command as follows:
    ~]$ vncviewer -via USER_2@192.168.2.101:3
  2. When you are prompted to, type the password, and confirm by pressing Enter.
  3. A window with a remote desktop appears on your screen.

Restricting VNC Access

If you prefer only encrypted connections, you can prevent unencrypted connections altogether by using the -localhost option in the systemd.service file, the ExecStart line:
ExecStart=/sbin/runuser -l user -c "/usr/bin/vncserver -localhost %i"
This will stop vncserver from accepting connections from anything but the local host and port-forwarded connections sent using SSH as a result of the -via option.
For more information on using SSH, see Chapter 8, OpenSSH.