
HOWTO: Set up a Windows SSH server for VNC tunneling

This tutorial walks you through running an SSH server on your Windows machine and using it to carry VNC through an encrypted tunnel across the Internet, so that only the SSH port is ever exposed and the VNC port stays reachable from the local machine alone.

SETUP: Server

Install the SSH server:

  1. Log into Windows with Administrative privileges
  2. If there is no password set for this user, set one in the Control Panel (a password is required: sshd will not accept a login to an account that has no password)
  3. Create a cygwin folder in the C: drive (C:\cygwin)
  4. Download setup.exe from cygwin.com and save it to C:\cygwin
  5. Run C:\cygwin\setup.exe
  6. Install from the Internet and save to C:\cygwin\
  7. For Local Package Directory, use C:\cygwin\
  8. Select a download site from the large list.
  9. On the Select Package screen, click View once so “Full” appears.
  10. Scroll down to openssh in the package column, and click on “Skip” so an “X” will appear in column “Bin?”.
  11. After the packages have been downloaded, finish the installation
  12. Right click My Computer, Properties > Advanced > Environment Variables
  13. Under System Variables, click New, add CYGWIN as the variable name, add ntsec as the variable value
  14. Under System Variables, scroll down to Path, click Edit, add ;c:\cygwin\bin to the end of the string already in the field
  15. Open Cygwin on the desktop and type in ssh-host-config
  16. “Privilege Separation?” Yes
  17. “Create local user SSHd?” Yes
  18. “Install SSHd as a service?” Yes
  19. “CYGWIN = ” enter ntsec
  20. While in the same Cygwin window, enter net start sshd to start the SSH server
  21. If you ever need to stop the SSH server, enter net stop sshd
  22. In the Cygwin window enter mkpasswd -l > /etc/passwd to copy the local Windows user accounts into Cygwin. sshd looks users up in this file, so it must exist before anyone can log in, and it must be regenerated whenever you add, rename or remove a Windows user
  23. In the Cygwin window enter mkgroup -l > /etc/group to copy the local Windows groups into Cygwin in the same way

Test the SSH server:

  1. Enter ssh localhost in a Cygwin window
  2. Any time you SSH into a server for the first time you get an authenticity warning showing the server's host key fingerprint and asking whether to continue. Type ‘yes‘ to continue. On later connections the client remembers that fingerprint; if it ever reports that the key has changed, the server was reinstalled or something is intercepting the connection, so do not simply answer yes again.
  3. If you get a prompt without any errors, enter ls -lh /cygdrive/c
  4. If you see a directory listing of your C:\ drive, everything went right

Install the VNC server:

  1. Install the VNC package of your choice, making sure the server component is installed and not just the viewer
  2. If you are given the option to “allow loopback connections”, choose Yes. The tunnelled viewer connection arrives at the VNC server from 127.0.0.1, and some VNC servers refuse loopback connections unless this is enabled
  3. Register the VNC server as a system service. The various packages do this in different ways
  4. Once it is registered as a service it starts automatically at Windows boot, so the machine can be reached after a reboot without anyone logging in at the console

Tweak your firewall (if applicable) to allow port 22:

  1. In your firewall, open TCP port 22 for SSH and nothing else. Leave the VNC port (5900 by default) closed: it will be reached through the tunnel, and opening it would let anyone on the Internet talk to the VNC server directly
  2. Example: in Norton Internet Security, Personal Firewall > Configure button > Advanced tab > General button > click Add. Permit to and from connections for TCP port 22. Name the rule something like SSH
  3. Example: in Windows Firewall (XP SP2), Start > Control Panel > Windows Firewall > Exceptions tab > Add port > port name SSH, port 22, TCP

Tweak your router (if applicable) to forward port 22:

  1. If you’re behind a router, forward TCP port 22 to your internal IP
  2. This means that any traffic coming in through port 22 (the SSH port) will be passed through the router and directed (forwarded) to your internal IP

SETUP: Remote machine

Install the SSH client and create a tunnel:

  1. Install your SSH client of choice (mine is PuTTY)
  2. Create a tunnel (a local port forward) to your SSH server
  3. In PuTTY, go to Connection > SSH > Tunnels, enter the source and destination below, leave “Local” selected and click Add
  4. Make the source port 5900 and the destination 127.0.0.1:5900. The two addresses are not the same machine: the source port is opened on the machine running PuTTY, while 127.0.0.1 in the destination is resolved by the SSH server, i.e. it means the server's own loopback, where the VNC server is listening
  5. In the SSH Secure Shell client, edit your profile and go to the Tunneling tab
  6. Make the listen port 5900, the destination host 127.0.0.1 and the destination port 5900, and choose TCP for the type. Leave “Allow local connections only” checked: unchecking it binds the listening port to every interface, so any machine that can reach port 5900 on your remote machine can ride the tunnel into your desktop
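The same tunnel expressed as an OpenSSH command line, with a check that the viewer-side listener really is bound to loopback. This is an added example, not part of the original post; the login name and host are placeholders, and the netstat lines are constructed, not captured from a real machine. It also covers the EXECUTE step below, since the tunnel is only up while this ssh session stays open.

```shell
#!/bin/sh
# Added example (not from the original post): the OpenSSH command-line
# equivalent of the PuTTY / SSH Secure Shell tunnel configured above, plus a
# check that the viewer-side listener is bound to loopback only. The login
# name and host below are placeholders.
set -eu

# Print the ssh command for the local forward. Both addresses read 127.0.0.1
# but are resolved on different machines: the bind address (first) is the
# loopback of the machine running the VNC viewer, the destination (second)
# is the loopback of the SSH server, where the VNC server listens.
# $1 = SSH login name, $2 = server address, $3 = local listen port
# (default 5900), $4 = VNC port on the server (default 5900)
tunnel_cmd() {
    local user="$1" host="$2" lport="${3:-5900}" rport="${4:-5900}"
    printf 'ssh -N -L 127.0.0.1:%s:127.0.0.1:%s %s@%s' \
        "$lport" "$rport" "$user" "$host"
}

# Classify the listening socket on port $1 from "netstat -an"-style output
# read on stdin: prints "loopback" (bound to 127.0.0.1 or ::1), "exposed"
# (bound to 0.0.0.0, :: or a real interface address) or "none".
# Understands the Windows format (TCP  127.0.0.1:5900  0.0.0.0:0  LISTENING)
# and the Linux/Cygwin format (tcp 0 0 127.0.0.1:5900 0.0.0.0:* LISTEN).
listener_state() {
    awk -v port="$1" '
        $1 ~ /^(TCP|tcp6?)$/ && $NF ~ /^LISTEN(ING)?$/ {
            addr = ""
            # the local address is the first field ending in ":<port>"
            for (i = 2; i <= NF; i++)
                if ($i ~ (":" port "$")) { addr = $i; break }
            if (addr == "") next
            sub(":" port "$", "", addr)
            if (addr == "127.0.0.1" || addr == "::1" || addr == "[::1]")
                loopback = 1
            else
                exposed = 1
        }
        END {
            if (exposed)       print "exposed"
            else if (loopback) print "loopback"
            else               print "none"
        }'
}

# Constructed samples of netstat output (not captured from a real machine).
# On the viewer machine: the tunnel listener on loopback, plus an unrelated
# Windows service (RPC on 135) listening on all interfaces.
netstat_viewer='  TCP    127.0.0.1:5900         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING'
# A VNC server left listening on every interface: reachable directly from
# the network, which bypasses the tunnel entirely.
netstat_exposed='  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING'
# The same check against a Linux or Cygwin netstat.
netstat_linux='tcp        0      0 127.0.0.1:5900          0.0.0.0:*               LISTEN'

echo "tunnel: $(tunnel_cmd mark ssh.example.invalid)"
echo "viewer listener:  $(printf '%s\n' "$netstat_viewer" | listener_state 5900)"
echo "exposed listener: $(printf '%s\n' "$netstat_exposed" | listener_state 5900)"
echo "linux listener:   $(printf '%s\n' "$netstat_linux" | listener_state 5900)"
```

Run netstat -an on the viewer machine while the tunnel is up and pipe it into listener_state 5900; “loopback” is what the PuTTY “Local” forward (or a checked “Allow local connections only”) gives you. Run the same check on the server for its VNC port: if it reports “exposed”, the VNC server is reachable without the tunnel and should be told to listen on loopback only or be blocked at the firewall.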

Configure PuTTY for auto-login (if you choose to use PuTTY):

  1. Make a shortcut to putty.exe on your Desktop
  2. Right click the shortcut, Properties > Shortcut tab > Target field
  3. Add the following to the end of the string in the field: -load “[your profile name]” -l [login name] -pw [password]
  4. Example: -load “home” -l Mark -pw mypassword
  5. Be aware that -pw stores your password in clear text in the shortcut and shows it in the running process's command line, where any other user of that machine can read it. The safer way to get the same one-click login is key authentication: generate a key pair with PuTTYgen, put the public key in the login user's ~/.ssh/authorized_keys on the server, and give the shortcut -i [path to your .ppk] (or load the key into Pageant) instead of -pw
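Installing the public key on the Cygwin side is where most key logins go wrong, because sshd silently ignores an authorized_keys file whose permissions are too open. The script below, an added example that is not part of the original post, does the install with the right modes and checks them; the key line it uses is a constructed placeholder, not a real key, and the temporary directory stands in for the login user's home.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key on the
# Cygwin SSH server so the PuTTY shortcut can authenticate with "-i key.ppk"
# or Pageant instead of embedding the password with "-pw". The key line used
# in the demo is a constructed placeholder, not a real key.
set -eu

# Append one public-key line to $1/.ssh/authorized_keys, creating the
# directory and file with the permissions sshd's StrictModes (on by
# default) requires: 700 on ~/.ssh and 600 on authorized_keys. A key that
# is already present is not added a second time.
install_authorized_key() {
    local home="$1" key="$2" sshdir authkeys
    sshdir="$home/.ssh"
    authkeys="$sshdir/authorized_keys"
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authkeys"
    chmod 600 "$authkeys"
    if ! grep -qxF -- "$key" "$authkeys"; then
        printf '%s\n' "$key" >> "$authkeys"
    fi
}

# Print the number of keys installed under $1 (0 if the file is absent).
authorized_key_count() {
    local f="$1/.ssh/authorized_keys"
    if [ -f "$f" ]; then
        grep -c '^ssh-' "$f" || true   # grep -c exits 1 on zero matches
    else
        echo 0
    fi
}

# Print "ok" if ~/.ssh and authorized_keys under $1 would pass StrictModes,
# otherwise the first offending path and its mode. The check uses ls -ld so
# it does not depend on GNU versus BSD stat(1).
authorized_key_perms() {
    local home="$1" p mode
    for p in "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "$p is missing"
            return 1
        fi
        mode=$(ls -ld "$p" | cut -c2-10)
        case "$mode" in
            rwx------|rw-------) ;;
            *) echo "$p has mode $mode"; return 1 ;;
        esac
    done
    echo ok
}

# Demo in a throw-away home directory; on the real server the login
# user's $HOME is used instead.
demo_home=$(mktemp -d)
demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyNotARealKeyXXXXXXXXX mark@laptop'
install_authorized_key "$demo_home" "$demo_key"
install_authorized_key "$demo_home" "$demo_key"   # second call is a no-op
echo "keys installed: $(authorized_key_count "$demo_home")"
echo "permissions: $(authorized_key_perms "$demo_home")"
```

Generate the pair with PuTTYgen (or ssh-keygen in Cygwin), paste the OpenSSH-format public line into authorized_keys as above, and point the shortcut at the private key with -i or load it into Pageant. Once the key login works, set PasswordAuthentication no in the sshd_config file under /etc and restart the service with net stop sshd and net start sshd, so that password guessing against the forwarded port 22 stops working altogether. Cygwin OpenSSH builds from the era of this post accept only RSA and DSA keys, so use an ssh-rsa key there instead of ed25519.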

Install the VNC viewer:

  1. Find a VNC program of your choice and install the VNC Viewer portion of the package.

EXECUTE: VNC over SSH

  1. Open your SSH client and connect to your remote IP address (the public address that port 22 is forwarded to). The tunnel exists only while this SSH session stays open
  2. Open your VNC viewer and connect to 127.0.0.1:5900. This is the port PuTTY opened on the machine you are sitting at; the SSH session carries the connection to the VNC server on the other end

Published in: security, windows

13 Comments

  1. Kay

    Wow, you published this a while ago. It’s almost like Lifehacker copied your how-to and made it into a Geek to Live.

    Keep them coming!

  2. I tried this so many times and it doesn’t work.

    First, for some reason, all of the tutorials I saw (like this one) omit the login process, jumping from ssh localhost to the ls -lh /cygdrive/c.

    After synchronising Windows user accounts with Cygwin I use my Windows user password but I get “Permission Denied”.

    My windows 2000 server is not on a domain, but I couldn’t see the group GID in /etc/passwd records, so I tried editing /etc/group as described on http://pigtail.net/LRP/printsrv/passwd-group.html but it didn’t work either.

    Also, when the sshd Windows user account is created on my system, it is disabled by default.

  3. Thomas Everett

    I’m not sure how all this works. In my setup I have ssh running and tested. From my remote workstation I can use ssh. On my PC I can see that ssh works only when Windows Firewall has port 22 listed as an exception. This all seems fine.
    My problem is getting my remote workstation to connect using VNC.
    1.) What needs to be setup on the PC in order for my workstation vncviewer to connect?
    2.) What if anything needs to change on the remote workstation setup?

    My goal is to have the PC setup to allow remote secure VNC connections via ssh.

  4. Ann

    Hi. This is very helpful material! Just a question. In configuring Putty, what are the profile name, login name, and passwords that I should use? Thanks 🙂

  5. Mark

    Ann,

    When you first set up PuTTY, enter in the server info and use the Saved Session section to save the profile. That’s what your profile is called. The login and password are the actual values you use on your SSH server.

  6. Ryan Johnson

    Whenever I want to test the ssh
    I type in ssh localhost
    it asks for the password
    but I can't type anything
    no password, nothing
    I just can click enter and get permission denied
    I removed my user password and synced it again
    so now I'm not supposed to have any passwords
    and type in nothing and click enter
    I still get permission denied

    I tried doing the same thing from DOS using other commands
    same thing happens when it asks for my password
    inactive keyboard

    matter of fact this message comes

    Permission denied (publickey,password,keyboard-interactive).

    help and thank you

  7. Dear Ryan

    One little trick that I have found out is opening the on-screen keyboard and then typing your password will work. The only problem is that it doesn’t show what you have typed and it is very annoying to do every time you log in. Hopefully this will help solve your problem until they fix the program (if it is a program error), or until I find out a way to fix this (although I have searched the web up and down and can’t seem to find anything). Cheers!

  8. shay

    I have configured tunneling via PuTTY as well as manually by entering ssh -C -L 5902:192.168.1.200:5902 -l 1shay 192.168.1.250 from a command prompt. Everything appears fine from a connection perspective. I am logged in as expected; ps -ef | grep vnc shows that I have the process listening on port 2:1shay as expected.

    The problem I am having is that once I initiate the session from VNC [127.0.0.1:2 or localhost:2] on my XP client, nothing happens. No password prompt, no remote window opens…nothing. output from /var/log/secure indicates the following:
    Received request to connect to host 192.168.1.200 port 5902, but the request was denied.
    This would indicate that I can’t open the 5902 connection on my XP client. I’ve searched over a hundred different sites attempting to nail down this issue but haven’t found any answer yet. Anyone have any ideas? Anyone seen this happen before?

  9. Very useful tutorial for helping my users set up their first SSH server …

    thanks
    JDaus

  10. Anon

    There has got to be an easier way to do this.

  11. Keith Law

    Hi,

    I have set up the ssh server and it works fine for “ssh [username]@localhost” in my command prompt at server but it doesn’t work for “ssh [username]@192.168.x.xx” which is also localhost. I have turned off all the windows firewall.

    The error message is:
    ssh: connect to host 192.168.x.xx port 22: Connection timed out

    Would appreciate if there is any advice.
    Thanks.

  12. Guven

    It works perfectly even though I am new to CYGWIN.
    Thanks a lot!!

Comments are closed.