vncserver -localhost and ssh tunneling

I'm trying to set up an SSH-tunneled VNC connection from my CentOS 5.10 machine and I've been following some online tutorials such as this one: https://wiki.archlinux.org/index.php/Vncserver. I'm running the server like this: $ vncserver -geometry 1024x768 -localhost :1 and connecting with an OpenSSH client like this: ssh -f [email protected] -L 5900:vnc.machine:5901 -N. Then I connect with RealVNC viewer to localhost:5900. For some reason this doesn't work if I use the -localhost param, but it works great if I leave it out. All of the guides say that it's more secure to use it. I'm thinking this might be a configuration issue on the server side, but I'm pretty much stumped at this point and I've tried a lot of stuff. Can anybody tell me why this is happening?


Solution 1:

The -localhost option is telling the VNC server to bind only to the loopback interface, so that you can only connect to the VNC server from the machine it's running on. This means that anyone trying to break into your VNC session would have to be able to get on that particular machine. Without -localhost, your VNC server would accept non-local connections, so an attacker could use another machine to try to break into your VNC session.

If you're going to use -localhost, then you should be passing -L 5900:localhost:5901, not -L 5900:vnc.machine:5901, since your VNC server is listening only on the loopback (localhost) interface.

Solution 2:

jjlin's answer covers troubleshooting, but to really make it secure you should also pass -nolisten tcp to vncserver. This ensures that there won't be an open TCP listener on the X side of things.