Chaining ssh's:
Note that when you use an ssh gateway with a -L redirection
to an internal host (e.g. "-L 5900:otherhost:5900"), the VNC traffic inside
the firewall is not encrypted, and you have to manually log into
otherhost to start x11vnc.
Kyle Amon shows a method where you chain two ssh's together
that encrypts all network traffic and also automatically starts up
x11vnc on the internal workstation:
#!/bin/sh
#
gateway="example.com" # or "user@example.com"
host="labyrinth" # or "user@hostname"
user="kyle"
# Need to sleep long enough for all of the passwords and x11vnc to start up.
# The </dev/null below makes the vncviewer prompt for passwd via popup window.
#
(sleep 10; vncviewer -encodings "copyrect tight zrle zlib hextile" \
localhost:0 </dev/null >/dev/null) &
# Chain the vnc connection thru 2 ssh's, and connect x11vnc to user's display:
#
exec /usr/bin/ssh -t -L 5900:localhost:5900 $gateway \
/usr/bin/ssh -t -L 5900:localhost:5900 $host \
sudo /usr/bin/x11vnc -localhost -auth /home/$user/.Xauthority \
-rfbauth .vnc/passwd -display :0
Also note the use of sudo(1) to switch to root so that
the different user's .Xauthority file can
be accessed. See the visudo(8) manpage for details on
how to set this up (remove the sudo if you do not want to do this).
One can also chain together ssh's for reverse connections
to a vncviewer started with the -listen option. In that case
-R replaces the -L (and 5500 replaces 5900;
see the #2 example script above). If the gateway machine's
sshd is configured with GatewayPorts=no
(the default), the -R tunnel only binds the gateway's loopback interface, so the double chaining of "ssh -R ..."
is required for reverse connections to work.
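The reverse-connection variant described above, written out as an added example (it is not from the x11vnc documentation or Kyle Amon's script): the viewer listens locally on port 5500, both ssh hops carry -R tunnels back to it, and x11vnc on the internal workstation dials out with -connect. The gateway, host and user values are placeholders; the dry-run mode exists so the assembled command can be reviewed before anything connects.

```shell
#!/bin/sh
# Added example (not from the x11vnc docs): reverse-connection version of the
# chained-ssh script. Because the gateway's sshd normally has GatewayPorts=no,
# the first -R only binds the gateway's loopback, so the second hop needs its
# own -R to carry the internal host's localhost:5500 back to the gateway's.
# Placeholder values (assumed); override them from the environment if needed.
gateway="${GATEWAY:-example.com}"    # or "user@example.com"
host="${INTERNAL_HOST:-labyrinth}"   # or "user@hostname"
user="${DISPLAY_USER:-kyle}"

# Assemble the whole command line as one string so it can be inspected
# before it runs. Arguments: gateway, internal host, owner of the display.
build_reverse_chain() {
    printf 'ssh -t -R 5500:localhost:5500 %s ' "$1"
    printf 'ssh -t -R 5500:localhost:5500 %s ' "$2"
    printf 'sudo x11vnc -localhost -auth /home/%s/.Xauthority -rfbauth .vnc/passwd -display :0 -connect localhost:5500' "$3"
}

# Usage:  sh chain-reverse.sh dry-run   # print the command only
#         sh chain-reverse.sh run       # start the listening viewer, then the chain
case "${1:-}" in
    dry-run)
        build_reverse_chain "$gateway" "$host" "$user"; echo ;;
    run)
        # The viewer must already be listening when x11vnc dials back, so it
        # starts first; </dev/null makes it prompt for the password via a popup.
        (vncviewer -listen -encodings "copyrect tight zrle zlib hextile" \
            </dev/null >/dev/null) &
        # sudo is only needed to read another user's .Xauthority (see visudo(8)).
        eval "exec $(build_reverse_chain "$gateway" "$host" "$user")" ;;
esac
```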