Oracle Cloud VPS VNC Console Connection - NETSEC

Cybersecurity Memo

Sunday, August 8, 2021

Oracle Cloud VPS VNC Console Connection

Oracle Cloud Infrastructure Compute service provides console connections that enable a user to remotely troubleshoot malfunctioning instances using:

  • Serial Console Connections
  • VNC Console Connections

In this post, I am going to focus on VNC console connections. 

The VNC console connection uses SSH port forwarding to create a secure connection from your local system to the VNC server attached to your instance's console.


Use Cases

  • Add or reset SSH Keys for the OPC user
  • Edit system configuration files
  • An imported or customized image that does not complete a successful boot (for example, after writing another image over the disk with dd)
  • A previously working instance that stops responding


Linux Topology





Pre-requisites for Creating VNC Console Connection

1. Install VNC Viewer on the client machine from: https://www.realvnc.com/en/connect/download/viewer/

2. Perform the following steps on the jump machine, a Linux server used for SSH tunneling.

2.1 Generate an SSH key pair with the ssh-keygen command. Press Enter at every prompt until it completes.

2.2 Copy the content of /root/.ssh/id_rsa.pub; this is the public key we will paste into the Oracle Cloud instance's VNC console connection:

root@gcp-jn-ubunutu1:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:B3V3/3bmiLuJ4UhPooR95SX+TuGe4GEBPRW2Snn6ll4 root@gcp-jn-ubunutu1
The key's randomart image is:
+---[RSA 3072]----+
|          . =.. .|
|         o = o ..|
|        o = o   .|
|         + =    .|
|        S B o   =|
|     o   = * + =.|
|    . o + O B E .|
|     . + O @ =   |
|      . . =.X.   |
+----[SHA256]-----+
root@gcp-jn-ubunutu1:~# cat /root/.ssh/id_rsa.pub
ssh-rsa <public key omitted> root@gcp-jn-ubunutu1
root@gcp-jn-ubunutu1:~# 

2.3 Stop the Linux firewall, or add a firewall rule that allows VNC traffic. On Oracle Linux (firewalld):

# systemctl status firewalld
# service firewalld stop
OR
# systemctl stop firewalld

For Ubuntu:

root@gcp-jn-ubunutu1:~# sudo ufw status
Status: inactive

Oracle Linux Machine

In OCI, navigate to your instance. In the lower left you’ll notice the Resources menu. Choose the Console Connections option.


This brings up the Create Console Connections dialog. Click on the “Create local connection” button to create a new connection. You’ll see the connection being provisioned and created.


Paste the public key you obtained in the previous step (generated by the ssh-keygen command).

At this point look to the far right of the connection and notice three dots. Hover over them to reveal the connection options. You’ll see Connect with SSH and Connect with VNC listed.

For users that need a graphical connection to the host, use VNC. The steps to establish a VNC connection are similar to those for connecting with SSH. Create a connection and hover over the three dots at the far right of the connection. Here, choose Connect with VNC. A very similar dialog box appears, with the same choice between Linux/Mac and Windows.

Again, copy the connection string.



This command is slightly different. Rather than opening a shell on the console, it builds an SSH tunnel to OCI by adding an additional option to the SSH command in the middle:

ssh -o ProxyCommand='ssh -W %h:%p -p 443 ocid1.instanceconsoleconnection.oc1.ca-toronto-1.an2g6ljrj7xw6qyctvjlznddiuci4olyx3kiu2hsq53kvukbll6o3uvojzfa@instance-console.ca-toronto-1.oci.oraclecloud.com' -N -L localhost:5900:ocid1.instance.oc1.ca-toronto-1.an2g6ljrj7xw6qyczmpx2ntlkwbnzgnx2ekxwwbqfnr7narfaeeydbj3jwaa:5900 ocid1.instance.oc1.ca-toronto-1.an2g6ljrj7xw6qyczmpx2ntlkwbnzgnx2ekxwwbqfnr7narfaeeydbj3jwaa
There is one small change we need to make to this command: 

-N -L localhost:5900:ocid1.instance.oc1.redacted:5900

changed to

-N -L 0.0.0.0:5900:ocid1.instance.oc1.redacted:5900

ssh -o ProxyCommand='ssh -W %h:%p -p 443 ocid1.instanceconsoleconnection.oc1.ca-toronto-1.an2g6ljrj7xw6qyctvjlznddiuci4olyx3kiu2hsq53kvukbll6o3uvojzfa@instance-console.ca-toronto-1.oci.oraclecloud.com' -N -L 0.0.0.0:5900:ocid1.instance.oc1.ca-toronto-1.an2g6ljrj7xw6qyczmpx2ntlkwbnzgnx2ekxwwbqfnr7narfaeeydbj3jwaa:5900 ocid1.instance.oc1.ca-toronto-1.an2g6ljrj7xw6qyczmpx2ntlkwbnzgnx2ekxwwbqfnr7narfaeeydbj3jwaa
Without going into too much detail, -N tells SSH not to run a remote command, and -L forwards traffic sent to port 5900 on the local host (the jump server) to port 5900 on the OCI console. Binding to 0.0.0.0 instead of localhost makes that listener reachable from other machines, which is what lets a VNC client on another host connect through the jump server. Edit these values if VNC is running on a different port either locally or remotely.

One thing you will need to do to make the VNC connection work is to open firewall port 5900 on your middle Linux server used for tunneling. I am using a Google Cloud VM. Here is a firewall inbound rule for TCP port 5900.


If your VPS is in the cloud, certain cloud providers use NAT to assign your VPS an IP address; in that case you might need to use your local IP address instead of localhost.


For most situations, you can just copy the modified connection string into your VPS (e.g. my GCP VM) for tunneling.

root@gcp-jn-ubunutu1:~# ssh -o ProxyCommand='ssh -W %h:%p -p 443 ocid1.instanceconsoleconnection.oc1.ca-toronto-1.an2g6ljri4i7kwaclbhm4vnbr43rx6a7iu6jyb2n22zloyu5a4imgek52ata@instance-console.ca-toronto-1.oci.oraclecloud.com' -N -L 0.0.0.0:5900:ocid1.instance.oc1.ca-toronto-1.an2g6ljri4i7kwacriyhni73xz6554l6fcowoc7zg4fymlhe4gbhs4kz3oca:5900 ocid1.instance.oc1.ca-toronto-1.an2g6ljri4i7kwacriyhni73xz6554l6fcowoc7zg4fymlhe4gbhs4kz3oca
The authenticity of host '[instance-console.ca-toronto-1.oci.oraclecloud.com]:443 ([140.204.0.243]:443)' can't be established.
RSA key fingerprint is SHA256:05pszgB3mRSkK3C5ATFHM4nKTY1JhM7qKPI4ldHkdIo.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[instance-console.ca-toronto-1.oci.oraclecloud.com]:443,[140.204.0.243]:443' (RSA) to the list of known hosts.

=================================================
IMPORTANT: Use a console connection to troubleshoot a malfunctioning instance. For normal operations, you should connect to the instance using a Secure Shell (SSH) or Remote Desktop connection. For steps, see https://docs.cloud.oracle.com/iaas/Content/Compute/Tasks/accessinginstance.htm

For more information about troubleshooting your instance using a console connection, see the documentation: https://docs.cloud.oracle.com/en-us/iaas/Content/Compute/References/serialconsole.htm#four
=================================================
The authenticity of host 'ocid1.instance.oc1.ca-toronto-1.an2g6ljri4i7kwacriyhni73xz6554l6fcowoc7zg4fymlhe4gbhs4kz3oca (<no hostip for proxy command>)' can't be established.
RSA key fingerprint is SHA256:3XfHLSK8zllj/f97bmT8Yr0r//QZFHnz9R2uygiqULk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'ocid1.instance.oc1.ca-toronto-1.an2g6ljri4i7kwacriyhni73xz6554l6fcowoc7zg4fymlhe4gbhs4kz3oca' (RSA) to the list of known hosts.
When you run this command it won't appear to do anything. That's normal. It's actively tunneling traffic as long as it's running. Ctrl-C will return control of the session, but any VNC session running through the tunnel will be lost.
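As an added example (not code from the original post, and not Oracle's tooling), the following POSIX shell script generates the tunnel command from parameters instead of hand-editing the long connection string above, pins the two console host keys whose fingerprints appear in the output above after the first verified run, and, for step 2.3, emits a firewall rule that admits TCP 5900 only from your VNC client's address instead of stopping the firewall. The OCIDs ending in EXAMPLE, the client address 203.0.113.7 and the known_hosts path are constructed placeholders; the console endpoint pattern instance-console.<region>.oci.oraclecloud.com on port 443 is taken from the connection string on this page, and StrictHostKeyChecking, UserKnownHostsFile, ExitOnForwardFailure and ServerAliveInterval are standard OpenSSH client options.

```shell
#!/bin/sh
# Added example (not from the original post): build the OCI VNC console tunnel
# command from parameters, choose the bind address deliberately, pin the console
# host keys, and emit a firewall rule scoped to one client instead of disabling
# the firewall. All OCIDs, addresses and paths below are constructed placeholders.

# Assumption: the console endpoint naming seen in the page's connection string,
# instance-console.<region>.oci.oraclecloud.com, reached on port 443.
console_host() {
    printf 'instance-console.%s.oci.oraclecloud.com' "$1"
}

# Validate a dotted-quad IPv4 address or CIDR (e.g. 203.0.113.7 or 203.0.113.0/24),
# including the 0-255 range of each octet.
valid_ipv4() {
    addr=${1%/*}
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Usage: build_tunnel_cmd REGION CONSOLE_OCID INSTANCE_OCID BIND_ADDR LOCAL_PORT [REMOTE_PORT]
# Prints the ssh command line. BIND_ADDR 127.0.0.1 keeps the VNC listener private
# to the jump host; 0.0.0.0 (as in the post) exposes it on every interface of the
# jump host, so pair it with the scoped firewall rule below.
# STRICT=accept-new on the first run records the console host keys into a dedicated
# known_hosts file; the default STRICT=yes then aborts if either key ever changes.
build_tunnel_cmd() {
    region=$1 console_ocid=$2 instance_ocid=$3 bind=$4 lport=$5 rport=${6:-5900}
    known_hosts=${KNOWN_HOSTS_FILE:-$HOME/.ssh/oci_console_known_hosts}
    # The same host-key options go on the outer ssh and on the inner ProxyCommand ssh,
    # because both hops verify a different host key (see the two prompts above).
    opts="-o UserKnownHostsFile=$known_hosts -o StrictHostKeyChecking=${STRICT:-yes}"
    # ExitOnForwardFailure=yes makes ssh exit instead of silently running without
    # the -L forward when the local port is already taken.
    printf "ssh %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 -o ProxyCommand='ssh %s -W %%h:%%p -p 443 %s@%s' -N -L %s:%s:%s:%s %s\n" \
        "$opts" "$opts" "$console_ocid" "$(console_host "$region")" \
        "$bind" "$lport" "$instance_ocid" "$rport" "$instance_ocid"
}

# Usage: firewall_rule CLIENT_ADDR [PORT]
# Prints the firewalld and ufw commands that admit TCP PORT only from CLIENT_ADDR,
# the scoped alternative to stopping the firewall in step 2.3.
firewall_rule() {
    valid_ipv4 "$1" || { echo "invalid client address: $1" >&2; return 1; }
    port=${2:-5900}
    printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"%s\" protocol=\"tcp\" accept' && firewall-cmd --reload\n" "$1" "$port"
    printf 'ufw allow from %s to any port %s proto tcp\n' "$1" "$port"
}

# Usage: tunnel_listening BIND_ADDR PORT
# After starting the tunnel, confirm the forward listens only where intended
# (needs iproute2 ss on the jump host; not exercised by the offline test).
tunnel_listening() {
    ss -ltn | grep -q "^LISTEN.*[[:space:]]$1:$2[[:space:]]"
}

# Example run with constructed placeholder OCIDs (real ones are ~100 characters
# long and come from the Console Connections dialog):
build_tunnel_cmd ca-toronto-1 \
    ocid1.instanceconsoleconnection.oc1.ca-toronto-1.EXAMPLE \
    ocid1.instance.oc1.ca-toronto-1.EXAMPLE 127.0.0.1 5900
firewall_rule 203.0.113.7 5900
```

Run it once with STRICT=accept-new to record the two fingerprints shown in the output above into the dedicated known_hosts file, then leave STRICT at its default of yes so a changed console host key aborts the tunnel instead of prompting. Keep the bind address at 127.0.0.1 unless the VNC client runs on another machine, as in the Windows section below; in that case the firewall rule limits who can reach the exposed port on the jump server.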


Windows VNC Connection

There are many VNC clients you can use to connect to your remote OCI console. The client actually connects to that middle Linux machine first; the VNC traffic is then tunneled to the OCI VM's console.

I am using MobaXterm for this connection in the following screenshot.

The only thing you need to put into the VNC configuration is the IP address of the remote Linux server (the jump server). The other tabs, Network settings and Bookmark settings, can be left at their defaults.

You can also use VNC Viewer to make this connection, as shown in the following video.




