Difference between revisions of "TigerVNC"

From ArchWiki
Jump to: navigation, search
(Create Environment and Password Files)
(Starting and Stopping VNC Server at Bootup and Shutdown)
(19 intermediate revisions by 5 users not shown)
Line 1: Line 1:
 
[[Category:Security]]
 
[[Category:Security]]
[[Category:Daemons and system services]]
 
 
[[Category:Virtual Network Computing]]
 
[[Category:Virtual Network Computing]]
 +
[[de:VNC]]
 
{{Article summary start}}
 
{{Article summary start}}
{{Article summary text|Vncserver is a remote display program that allows users to run totally ''parallel'' sessions on a machine which can be accessed from anywhere.  All applications running under the server continue to run, even when the user disconnects. }}
+
{{Article summary text|Vncserver is a remote display daemon that allows users to run totally ''parallel'' sessions on a machine which can be accessed from anywhere.  All applications running under the server continue to run, even when the user disconnects. }}
 
{{Article summary heading|Related Articles}}
 
{{Article summary heading|Related Articles}}
 
{{Article summary wiki|x11vnc}} - Another flavor of VNC which allows connections to the root (:0) desktop.
 
{{Article summary wiki|x11vnc}} - Another flavor of VNC which allows connections to the root (:0) desktop.
Line 9: Line 9:
  
 
== Installation ==
 
== Installation ==
The following packages provide vncserver:
+
Vncserver is provided by {{pkg|tigervnc}} and {{pkg|tightvnc}} both of which can be installed from the [[official repositories]].
*community/tigervnc
+
*community/tightvnc
+
  
Install one as any other package:
+
== Running Vncserver ==
# pacman -S tigervnc
+
 
+
== Running vncserver ==
+
 
===First Time Setup===
 
===First Time Setup===
 
==== Create Environment and Password Files ====
 
==== Create Environment and Password Files ====
Vncserver will create its initial environment file and user password file the first time it is run.  In the below example, user "facade" is running vncserver on "mars."
+
Vncserver will create its initial environment file and user password file the first time it is run:
  facade@mars ~ $ vncserver
+
  $ vncserver
 
   
 
   
 
  You will require a password to access your desktops.
 
  You will require a password to access your desktops.
Line 33: Line 28:
 
  Log file is /home/facade/.vnc/mars:1.log
 
  Log file is /home/facade/.vnc/mars:1.log
  
The default port that vncserver runs on is :1 which corresponds to the the TCP port on which the server is running (where 5900+n = port number).  In this case, it is running on 5900+1=5901.  Running vncserver a second time will create a second instance running on the next highest, free port, i.e :2 or 5902.
+
The default port on which vncserver runs is :1 which corresponds to the the TCP port on which the server is running (where 5900+n = port number).  In this case, it is running on 5900+1=5901.  Running vncserver a second time will create a second instance running on the next highest, free port, i.e :2 or 5902.
  
{{Note|On Linux systems one can have as many VNC servers as physical memory allows -- all of which running in parallel to each other.}}
+
{{Note|Linux systems can have as many VNC servers as physical memory allows -- all of which running in parallel to each other.}}
  
 
Shutdown the vncserver by using the -kill switch:
 
Shutdown the vncserver by using the -kill switch:
Line 49: Line 44:
 
{{Note|The XKL_XMODMAP_DISABLE line is known to correct problems associated with "scrambled" keystrokes when typing in terminals under some virtualized DEs.}}
 
{{Note|The XKL_XMODMAP_DISABLE line is known to correct problems associated with "scrambled" keystrokes when typing in terminals under some virtualized DEs.}}
 
{{Note|As of 31-Oct-2012, usage of the command "exec ck-launch-session ..." in ~/.vnc/xstartup is depreciated since Arch has dropped consolekit.}}
 
{{Note|As of 31-Oct-2012, usage of the command "exec ck-launch-session ..." in ~/.vnc/xstartup is depreciated since Arch has dropped consolekit.}}
 +
 +
==== Permissions ====
 +
It is good practice to secure {{ic|~/.vnc}} just like {{ic|~/.ssh}} although this is not a requirement.  Execute the following to do so:
 +
$ chmod 700 ~/.vnc
  
 
== Running vncserver ==
 
== Running vncserver ==
Line 61: Line 60:
  
 
== Connecting to vncserver ==
 
== Connecting to vncserver ==
Any number of clients can connect to running vncserver.  A simple example is given below where vncserver is running on 10.1.10.2 on port 5901 (:1) in shorthand notation:
+
Any number of clients can connect to a vncserver.  A simple example is given below where vncserver is running on 10.1.10.2 on port 5901 (:1) in shorthand notation:
 
  $ vncviewer 10.1.10.2:1
 
  $ vncviewer 10.1.10.2:1
 +
 +
=== Passwordless Authentication ===
 +
The -passwd switch allows one define the location of the sever's ~/.vnc/passwd file.  It is expected that the user has access to this file on the server through ssh or through physical access.  In either case, place that file on the client's filesystem in a safe location, i.e. one that has read access ONLY to the expected user.
 +
 +
$ vncviewer -passwd /path/to/server-passwd-file
  
 
=== Example GUI-based Clients ===
 
=== Example GUI-based Clients ===
Line 73: Line 77:
 
== Securing VNC Server by SSH Tunnels ==
 
== Securing VNC Server by SSH Tunnels ==
 
=== On the Server ===
 
=== On the Server ===
One wishing access to vncserver from outside the protection of a LAN should be concerned about plain text passwords and unencrypted traffic to/from the viewer and server. vncserver is easily secured by ssh tunneling.  Additionally, one need not open up another port to the outside using this method since the traffic is literally tunneled through the SSH port which the user already has open to the WAN.  It is highly recommended to use the -localhost switch when running vncserver in this scenario.  This switch only allows connections ''from the localhost'' -- and by analogy only by users physically ssh'ed and authenticated on the box!
+
One wishing access to vncserver from outside the protection of a LAN should be concerned about plain text passwords and unencrypted traffic to/from the viewer and server. Vncserver is easily secured by ssh tunneling.  Additionally, one need not open up another port to the outside using this method since the traffic is literally tunneled through the SSH port which the user already has open to the WAN.  It is highly recommended to use the -localhost switch when running vncserver in this scenario.  This switch only allows connections ''from the localhost'' -- and by analogy only by users physically ssh'ed and authenticated on the box!
  
 
  $ vncserver -geometry 1440x900 -alwaysshared -dpi 96 -localhost :1
 
  $ vncserver -geometry 1440x900 -alwaysshared -dpi 96 -localhost :1
Line 95: Line 99:
  
 
== Starting and Stopping VNC Server at Bootup and Shutdown ==
 
== Starting and Stopping VNC Server at Bootup and Shutdown ==
To have the VNC Server run automatically at startup simply, call it from the {{ic|/etc/rc.local}} like so replacing USERNAME with the name of the user on the system who owns the VNC Server:
+
{{hc|/etc/systemd/system/vncserver:1@.service|
 +
<nowiki># The vncserver service unit file
 +
#
 +
# 1. Copy this file to /etc/systemd/system/vncserver:x@.service
 +
#  Note that x is the port number on which the vncserver will run.  The default is 1 which
 +
#  corresponds to port 5901.  For a 2nd instance, use x=2 which corresponds to port 5902.
 +
# 2. Edit User=
 +
#  ("User=foo")
 +
# 3. Edit  and vncserver parameters appropriately
 +
#  ("/usr/bin/vncserver %i -arg1 -arg2 -argn")
 +
# 4. Run `systemctl --system daemon-reload`
 +
# 5. Run `systemctl enable vncserver@:<display>.service`
 +
#
 +
# DO NOT RUN THIS SERVICE if your local area network is untrusted!
 +
#
 +
# See the wiki page for more on security
 +
# https://wiki.archlinux.org/index.php/Vncserver
 +
 
 +
[Unit]
 +
Description=Remote desktop service (VNC)
 +
After=syslog.target network.target
 +
 
 +
[Service]
 +
Type=forking
 +
User=
  
su USERNAME -c "vncserver -geometry 1440x900 -alwaysshared -localhost -dpi 96 :1"
+
# Clean any existing files in /tmp/.X11-unix environment
 +
ExecStartPre=-/usr/bin/vncserver -kill %i
 +
ExecStart=/usr/bin/vncserver %i
 +
ExecStop=/usr/bin/vncserver -kill %i
  
Likewise, have the vncserver shutdown by killing it from the {{ic|/etc/rc.local.shutdown}} like so:
+
[Install]
su USERNAME -c "/usr/bin/vncserver -kill :1"
+
WantedBy=multi-user.target
 +
</nowiki>}}

Revision as of 02:02, 1 January 2013

Template:Article summary start Template:Article summary text Template:Article summary heading Template:Article summary wiki - Another flavor of VNC which allows connections to the root (:0) desktop. Template:Article summary end

Installation

Vncserver is provided by tigervnc and tightvnc both of which can be installed from the official repositories.

Running Vncserver

First Time Setup

Create Environment and Password Files

Vncserver will create its initial environment file and user password file the first time it is run:

$ vncserver

You will require a password to access your desktops.

Password:
Verify:

New 'mars:1 (facade)' desktop is mars:1

Creating default startup script /home/facade/.vnc/xstartup
Starting applications specified in /home/facade/.vnc/xstartup
Log file is /home/facade/.vnc/mars:1.log

The default port on which vncserver runs is :1 which corresponds to the the TCP port on which the server is running (where 5900+n = port number). In this case, it is running on 5900+1=5901. Running vncserver a second time will create a second instance running on the next highest, free port, i.e :2 or 5902.

Note: Linux systems can have as many VNC servers as physical memory allows -- all of which running in parallel to each other.

Shutdown the vncserver by using the -kill switch:

$ vncserver -kill :1

Edit the xstartup File

Vncserver sources ~/.vnc/xstartup which functions like an .xinitrc file. At a minimum, users should define a DE to start if a graphical environment is desired. For example, starting xfce4:

#!/bin/sh
export XKL_XMODMAP_DISABLE=1
exec startxfce4
Note: The XKL_XMODMAP_DISABLE line is known to correct problems associated with "scrambled" keystrokes when typing in terminals under some virtualized DEs.
Note: As of 31-Oct-2012, usage of the command "exec ck-launch-session ..." in ~/.vnc/xstartup is depreciated since Arch has dropped consolekit.

Permissions

It is good practice to secure ~/.vnc just like ~/.ssh although this is not a requirement. Execute the following to do so:

$ chmod 700 ~/.vnc

Running vncserver

Vncserver offers flexibility via switches. The below example starts vncserver in a specific resolution, allowing multiple users to view/control simultaneously, and sets the dpi on the virtual server to 96:

$ vncserver -geometry 1440x900 -alwaysshared -dpi 96 :1
Note: One need not use a standard monitor resolution for vncserver; 1440x900 can be replaced with something odd like 1429x882 or 1900x200 etc.

For a complete list of options, pass the -badoption switch to vncserver.

$ vncserver -badoption

Connecting to vncserver

Any number of clients can connect to a vncserver. A simple example is given below where vncserver is running on 10.1.10.2 on port 5901 (:1) in shorthand notation:

$ vncviewer 10.1.10.2:1

Passwordless Authentication

The -passwd switch allows one define the location of the sever's ~/.vnc/passwd file. It is expected that the user has access to this file on the server through ssh or through physical access. In either case, place that file on the client's filesystem in a safe location, i.e. one that has read access ONLY to the expected user.

$ vncviewer -passwd /path/to/server-passwd-file

Example GUI-based Clients

  • extra/gtk-vnc
  • extra/vinagre
  • extra/rdesktop
  • community/remmina
  • community/vncviewer-jar

Securing VNC Server by SSH Tunnels

On the Server

One wishing access to vncserver from outside the protection of a LAN should be concerned about plain text passwords and unencrypted traffic to/from the viewer and server. Vncserver is easily secured by ssh tunneling. Additionally, one need not open up another port to the outside using this method since the traffic is literally tunneled through the SSH port which the user already has open to the WAN. It is highly recommended to use the -localhost switch when running vncserver in this scenario. This switch only allows connections from the localhost -- and by analogy only by users physically ssh'ed and authenticated on the box!

$ vncserver -geometry 1440x900 -alwaysshared -dpi 96 -localhost :1

On the Client

With the server now only accepting connection from the localhost, connect to the box via ssh using the -L switch to enable tunnels. For example:

$ ssh IP_OF_TARGET_MACHINE -L 8900/localhost/5901

This forwards the server port 5901 to the client box on port 8900. Once connected via SSH, leave that xterm or shell window open; it is acting as a secured tunnel to/from server. To connect via vnc, open a second xterm and connect not to the remote IP address, but to the localhost of the client thus using the secured tunnel:

$ vncviewer localhost:8900

From the ssh man page: -L [bind_address:] port:host:hostport

Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine. Port forwardings can also be specified in the configuration file. IPv6 addresses can be specified with an alternative syntax:

[bind_address/] port/host/ hostport or by enclosing the address in square brackets. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of ``localhost indicates that the listening port be bound for local use only, while an empty address or `*' indicates that the port should be available from all interfaces.

Starting and Stopping VNC Server at Bootup and Shutdown

/etc/systemd/system/vncserver:1@.service
# The vncserver service unit file
#
# 1. Copy this file to /etc/systemd/system/vncserver:x@.service
#  Note that x is the port number on which the vncserver will run.  The default is 1 which 
#  corresponds to port 5901.  For a 2nd instance, use x=2 which corresponds to port 5902.
# 2. Edit User=
#   ("User=foo")
# 3. Edit  and vncserver parameters appropriately
#   ("/usr/bin/vncserver %i -arg1 -arg2 -argn")
# 4. Run `systemctl --system daemon-reload`
# 5. Run `systemctl enable vncserver@:<display>.service`
#
# DO NOT RUN THIS SERVICE if your local area network is untrusted! 
#
# See the wiki page for more on security
# https://wiki.archlinux.org/index.php/Vncserver

[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target

[Service]
Type=forking
User=

# Clean any existing files in /tmp/.X11-unix environment
ExecStartPre=-/usr/bin/vncserver -kill %i
ExecStart=/usr/bin/vncserver %i
ExecStop=/usr/bin/vncserver -kill %i

[Install]
WantedBy=multi-user.target