My 2 cents:

I am always confused too by ssh tunnel... so I keep reading the man page each time :-). In any case the original proposed method (not using localhost) create a secure tunnel:

From man ssh:

-L [bind_address:]port:host:hostport
Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocat-
ing a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the
connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine.

Local (client) host means the machine executing the ssh. However, the :host: (i.e. the vnc server then) and the ssh server (the machine name at the end of the ssh command) should be the same otherwise the data between them will be in clear...

Is it clearer? ( I am not even sure it is for me ;-) )




[ Reply to This | # ]

Just to clarify a bit my previous post...

when host-X executes
ssh -L port:host-Y:hostport host-Z

then local packet sent to port are tunneled to host-Z which then decrypt them and pass them to host-Y in clear. Moreover, host-Y is "resolved" from host-Z point of view (so if it is localhost or 127.0.0.1, it means host-Z itself)

(I hope I did not add to much confusion again)




[ Reply to This | # ]