[Pidgin] #6071: Pidgin VNC integration

Pidgin trac at pidgin.im
Mon Jun 16 00:12:22 EDT 2008 

#6071: Pidgin VNC integration
-----------------------------+----------------------------------------------
  Reporter:  manishmahabir   |       Owner:  lschiere
      Type:  plugin request  |      Status:  new     
  Priority:  minor           |   Milestone:          
 Component:  unclassified    |     Version:  2.4.2   
Resolution:                  |    Keywords:          
   Pending:  0               |  
-----------------------------+----------------------------------------------
Comment (by manishmahabir):

 This blueprint is taken from brainstorm:
 http://brainstorm.ubuntu.com/idea/6389/

 The guy has planned to work on it and is looking for developers who would
 like to help and anyone who might know how to restrict SSH reverse
 tunnels.


 The current problem:
 Vino is installed by default, but is usually inaccessible due to routers
 (NAT more specifically).
 Because these users are often behind a firewall, getting access would
 traditionally require opening a port in the firewall which presents a
 series of problems.

 * Many users will not choose a secure password for vino and someone can
 brute force the password and take over their computer.
 * Many users don't know how to open a port in their firewall because
 they've never done it/don't remember the password/don't know what a router
 is/etc.
 * This also leaves the connection unencrypted.


 proposed solution:

 I think the best solution would be to have a server that the person
 requesting help (referred to as User) and the person helping (referred to
 as Support) can both connect to that will bridge the connections.

 Both sides will have a program that connects them in a chat room where
 there is a bot available, If they need remote desktop support they both
 tell the bot (maybe through a button in the applicatin) they need to
 bridge a connection between the two. Both of the programs generate
 public/private ssh key pairs (if they don't already have them) and send
 them to the bot. The bot then prepares a user account on the SSH server so
 that User can only listen on a specific port (reverse tunnel) and Support
 can only get to that same port (forward tunnel). Once the server is
 prepared User's program creates a reverse tunnel (ssh -R
 5980:localhost:5900 help at example.com), then Support's program automaticly
 creates a forward tunnel (ssh -L 5999:localhost:5980 help at example.com),
 then runs "vnc localhost:99". At this point the SSH server has created a
 bridge between both user's firewalls.

 *In the example above, the server decided that these users would use port
 5980 on the SSH server to connect to each other, and user is running
 Ubuntu and is the first user logged in which listens on port 5900
 *vnc displays listen on port numbers that are port+5900, so display 0
 listens on 5900, display 80 listens on 5980


 One user can be shared on the SSH server with different options per SSH
 key. The following line would be used for the support user in this example
 to make sure that they can't run any commands on the server, and can only
 create a forward connection to their assigned port (5980).
 command="/bin/sleep 20",no-X11-forwarding,no-port-forwarding,no-agent-
 forwarding,permitopen="localh ost:5980" ssh-rsa AAAA....
 I can't seem to find a command to do the same thing in reverse to enforce
 the rule that user must listen on port 5980.


 Does this help?

-- 
Ticket URL: <http://developer.pidgin.im/ticket/6071#comment:2>
Pidgin <http://pidgin.im>
Pidgin

More information about the Tracker mailing list