From ArchWiki
Revision as of 02:49, 24 April 2011 by Mclaud2000 (Talk | contribs) (Connecting to the Root (:0) Desktop: Changed link to X11vnc use wiki format.)


TightVNC is a VNC (Virtual Network Computing) Unix server and viewer. It is a remote display program that allows you to run totally parallel sessions on a machine which you can access from anywhere on a LAN or over the Internet. The server and all applications you start continue to run on it even when you disconnect. This is NOT the same as controlling the desktop that is being displayed on the local monitor/LCD. To do this, see the [connecting to the root desktop] section of this article.

Again, these vncserver sessions run totally in parallel to your desktop session. You can also have multiple servers running simultaneously on the same machine (each on a different port). To improve the security of sessions, VNC can be piped through SSH (Secure SHell).

Note: The [AUR] contains a package for tigervnc which is an alternative to tightvnc. Tigervnc is more well behaved with regard to crashes invoked by resizing windows in my experience (graysky).

Running VNC Server

First Time Setup

Start tightvncserver to create your initial files and to assign your password(s) like so:

$ vncserver :1

The default display the server runs on is :1, which corresponds to the TCP port on which the server is running (where 5900+n = port number). In this case, it's running on 5900+1=5901.

With the password(s) assigned, kill the server to configure a desktop with the following command:

$ vncserver -kill :1

Note: On Linux systems one can have as many VNC servers as physical memory allows -- all of which run in parallel to each other.

In the future, one may wish to have multiple vncservers running in parallel. To kill a specific server, specify its display number in the kill command.

The xstartup File

Tightvncserver gets its info from the xstartup file, which is created the first time tightvncserver runs. The xstartup file works just like an .xinitrc file. Edit to your liking. An example is provided here:

#!/bin/sh
export XKL_XMODMAP_DISABLE=1	#avoids keyboard mis-mapping
exec ck-launch-session startlxde	#for an lxde session
#exec ck-launch-session gnome-session	#for a gnome-session
#exec ck-launch-session openbox-session	#for an openbox desktop
#exec ck-launch-session startxfce4	#for an xfce desktop
#exec ck-launch-session icewm	#for an icewm desktop
#exec ck-launch-session startkde	#for a kde desktop

The export XKL_XMODMAP_DISABLE=1 line is needed to avoid keyboard mis-mapping. Do not omit it!

Users can also add a line here to autostart any script/program. For example, the latest version of lxde doesn't autoload the desktop wallpaper/icons by default. One must do so manually. Because exec replaces the shell and nothing after it runs, the extra program is started in the background before the session line, as shown in the first line of this example:

pcmanfm --desktop &
exec ck-launch-session startlxde

Example Script

Below is a simple script one can use to start vncserver in a specific resolution, allowing multiple users to view/control simultaneously, and setting the dpi on the virtual server to 96:

vncserver -geometry 1440x900 -alwaysshared -dpi 96 :1

For a complete list of options, see the [Complete List of Tightvncserver Options] section of this article.

Note: One need not use a standard monitor resolution for vncserver; 1440x900 can be replaced with something odd like 1429x882 or 1900x200 etc.

Starting and Stopping VNC Server at Bootup and Shutdown

To have the VNC Server run automatically at startup, simply call it from the Template:Filename like so, replacing USERNAME with the name of the user on the system who owns the VNC Server:

su USERNAME -c "vncserver -geometry 1440x900 -alwaysshared -localhost -dpi 96 :1"

Likewise, have the vncserver shut down by killing it from the Template:Filename like so:

su USERNAME -c "/usr/bin/vncserver -kill :1"

Securing VNC Server by SSH Tunnels

On the Server

Anyone accessing the vncserver should be concerned about plain text passwords and unencrypted traffic between the viewer and the server. VNC Server is easily secured by SSH tunneling. Additionally, one need not open another port to the outside using this method, since the traffic is tunneled through the SSH port which the user already has open to the WAN. It is highly recommended to use the -localhost switch when running vncserver in this scenario. This switch only allows connections from the localhost, and therefore only by users who are logged in over SSH and authenticated on the box!

$ vncserver -geometry 1440x900 -alwaysshared -dpi 96 -localhost :1
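
To confirm that the -localhost switch took effect, check which address each VNC port (5900+n) is bound to. The following is an added example, not part of the original article; it reads listener lines in the format printed by ss -ltn, and the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report VNC listeners (TCP 5900+n) that are bound to a
# non-loopback address and are therefore reachable without the SSH tunnel.
# Input on stdin: lines as printed by `ss -ltn`
# (State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).

exposed_vnc_listeners() {
    awk '
    $1 == "LISTEN" {
        addr = $4
        n = split(addr, parts, ":")          # port is the last ":" field
        port = parts[n] + 0
        host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
        if (port < 5900 || port > 5999) next # not a VNC display port
        if (host ~ /^127\./ || host == "[::1]") next   # loopback only: fine
        printf "display :%d exposed on %s (tcp/%d)\n", port - 5900, host, port
    }'
}

# Constructed sample input (not captured from a real machine):
#   :1 was started with -localhost, :2 and :3 were not.
sample_listeners() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      127.0.0.1:5901     0.0.0.0:*
LISTEN 0      5      0.0.0.0:5902       0.0.0.0:*
LISTEN 0      5      [::]:5903          [::]:*
EOF
}

# On a live system, replace sample_listeners with: ss -ltn
sample_listeners | exposed_vnc_listeners
```

Any line of output names a display that should be restarted with -localhost or blocked at the firewall.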

On the Client

With the server now only accepting connections from the localhost, connect to the box via ssh using the -L switch to enable tunnels. For example:

$ ssh IP_OF_TARGET_MACHINE -L 8900/localhost/5901

This forwards the server port 5901 to your client box on port 8900. Once connected via SSH, leave that xterm or shell window open; it is acting as a secured tunnel to/from the server. To connect via vnc, open a second xterm and connect not to the remote IP address, but to the localhost of the client, thus using the secured tunnel:

$ vncviewer localhost:8900

From the ssh man page: -L [bind_address:]port:host:hostport

Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine. Port forwardings can also be specified in the configuration file. IPv6 addresses can be specified with an alternative syntax:

[bind_address/]port/host/hostport or by enclosing the address in square brackets. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of "localhost" indicates that the listening port be bound for local use only, while an empty address or '*' indicates that the port should be available from all interfaces.

Working with Clipboards

Cut and paste to/from the clipboard does not work out of the box, at least with tightvnc version 1.3.10. This feature is available through autocutsel which is in [community].

# pacman -S autocutsel

Make sure it is executed with the -fork option, either interactively or from your xstartup file:

autocutsel -fork 
exec ck-launch-session startlxde	#for an lxde session
#exec ck-launch-session gnome-session	#for a gnome-session
#exec ck-launch-session openbox-session	#for an openbox desktop
#exec ck-launch-session startxfce4	#for an xfce desktop
#exec ck-launch-session icewm	#for an icewm desktop
#exec ck-launch-session startkde	#for a kde desktop

Connecting to the Root (:0) Desktop

When you connect to vncserver with your client, by default you are given a new X session with your own desktop. This means that a person who is physically sitting in front of the server will not see your remote session, and vice-versa you cannot see or interact with the root (:0) or physical desktop.

If you would like to remote into a machine with vnc and actually see and interact with the root desktop you can use x11vnc, which provides access to the root (:0) desktop by default. A person sitting in front of the server will see your actions, such as the mouse moving etc.

x11vnc is very similar to set up, and you can use the same clients as with vncserver.

Complete List of Tightvncserver Options

Additional options may be defined by the user. For a complete list, enter a bad option, which forces vncserver to display all available options.

$ vncserver -tit
Couldn't start Xvnc; trying default font path.
Please set correct fontPath in the vncserver script.
Couldn't start Xvnc process.

Unrecognized option: -tit
use: X [:<display>] [option]
-a #                   mouse acceleration (pixels)
-ac                    disable access control restrictions
-audit int             set audit trail level
-auth file             select authorization file
bc                     enable bug compatibility
-bs                    disable any backing store support
-c                     turns off key-click
c #                    key-click volume (0-100)
-cc int                default color visual class
-co file               color database file
-core                  generate core dump on fatal error
-dpi int               screen resolution in dots per inch
-deferglyphs [none|all|16] defer loading of [no|all|16-bit] glyphs
-f #                   bell base (0-100)
-fc string             cursor font
-fn string             default font name
-fp string             default font path
-help                  prints message with these options
-I                     ignore all remaining arguments
-ld int                limit data space to N Kb
-lf int                limit number of open files to N
-ls int                limit stack space to N Kb
-nolock                disable the locking mechanism
-logo                  enable logo in screen saver
nologo                 disable logo in screen saver
-nolisten string       don't listen on protocol
-p #                   screen-saver pattern duration (minutes)
-pn                    accept failure to listen on all ports
-nopn                  reject failure to listen on all ports
-r                     turns off auto-repeat
r                      turns on auto-repeat 
-s #                   screen-saver timeout (minutes)
-su                    disable any save under support
-t #                   mouse threshold (pixels)
-terminate             terminate at server reset
-to #                  connection time out
-tst                   disable testing extensions
ttyxx                  server started from init on /dev/ttyxx
v                      video blanking for screen-saver
-v                     screen-saver without video blanking
-wm                    WhenMapped default backing-store
-x string              loads named extension at init time 
-query host-name       contact named host for XDMCP
-broadcast             broadcast for XDMCP
-indirect host-name    contact named host for indirect XDMCP
-port port-num         UDP port number to send messages to
-once                  Terminate server after one session
-class display-class   specify display class to send in manage
-cookie xdm-auth-bits  specify the magic cookie for XDMCP
-displayID display-id  manufacturer display ID for request
-geometry WxH          set framebuffer width & height
-depth D               set framebuffer depth
-pixelformat format    set pixel format (BGRnnn or RGBnnn)
-udpinputport port     UDP port for keyboard/pointer data
-rfbport port          TCP port for RFB protocol
-rfbwait time          max time in ms to wait for RFB client
-nocursor              don't put up a cursor
-rfbauth passwd-file   use authentication on RFB protocol
-httpd dir             serve files via HTTP from here
-httpport port         port for HTTP
-deferupdate time      time in ms to defer updates (default 40)
-economictranslate     less memory-hungry translation
-lazytight             disable "gradient" filter in tight encoding
-desktop name          VNC desktop name (default x11)
-alwaysshared          always treat new clients as shared
-nevershared           never treat new clients as shared
-dontdisconnect        don't disconnect existing clients when a new non-shared
                       connection comes in (refuse new connection instead)
-viewonly              let clients only to view the desktop
-localhost             only allow connections from localhost
-interface ipaddr      only bind to specified interface address
-inetd                 Xvnc is launched by inetd
-compatiblekbd         set META key = ALT key as in the original VNC
-version               report Xvnc version on stderr