Template:Article summary start Template:Article summary text Template:Article summary heading Template:Article summary wiki - Another flavor of VNC which allows connections to the root (:0) desktop. Template:Article summary end
- 1 Installation
- 2 Running vncserver
- 3 Running vncserver
- 4 Connecting to vncserver
- 5 Securing VNC Server by SSH Tunnels
- 6 Starting and Stopping VNC Server at Bootup and Shutdown
vncserver is provided by official repositories.and both of which can be installed from the
First Time Setup
Create Environment and Password Files
Vncserver will create its initial environment file and user password file the first time it is run. In the below example, user "facade" is running vncserver on "mars."
facade@mars ~ $ vncserver You will require a password to access your desktops. Password: Verify: New 'mars:1 (facade)' desktop is mars:1 Creating default startup script /home/facade/.vnc/xstartup Starting applications specified in /home/facade/.vnc/xstartup Log file is /home/facade/.vnc/mars:1.log
The default port that vncserver runs on is :1 which corresponds to the the TCP port on which the server is running (where 5900+n = port number). In this case, it is running on 5900+1=5901. Running vncserver a second time will create a second instance running on the next highest, free port, i.e :2 or 5902.
Shutdown the vncserver by using the -kill switch:
$ vncserver -kill :1
Edit the xstartup File
~/.vnc/xstartup which functions like an .xinitrc file. At a minimum, users should define a DE to start if a graphical environment is desired. For example, starting xfce4:
#!/bin/sh export XKL_XMODMAP_DISABLE=1 exec startxfce4
It is good practice to secure
~/.vnc just like
~/.ssh although this is not a requirement. Execute the following to do so:
$ chmod 700 ~/.vnc
Vncserver offers flexibility via switches. The below example starts vncserver in a specific resolution, allowing multiple users to view/control simultaneously, and sets the dpi on the virtual server to 96:
$ vncserver -geometry 1440x900 -alwaysshared -dpi 96 :1
For a complete list of options, pass the -badoption switch to vncserver.
$ vncserver -badoption
Connecting to vncserver
Any number of clients can connect to running vncserver. A simple example is given below where vncserver is running on 10.1.10.2 on port 5901 (:1) in shorthand notation:
$ vncviewer 10.1.10.2:1
The -passwd switch allows one define the location of the sever's ~/.vnc/passwd file. It is expected that the user has access to this file on the server through ssh or through physical access. In either case, place that file on the client's filesystem in a safe location, i.e. one that has read access ONLY to the expected user.
$ vncviewer -passwd /path/to/server-passwd-file
Example GUI-based Clients
Securing VNC Server by SSH Tunnels
On the Server
One wishing access to vncserver from outside the protection of a LAN should be concerned about plain text passwords and unencrypted traffic to/from the viewer and server. vncserver is easily secured by ssh tunneling. Additionally, one need not open up another port to the outside using this method since the traffic is literally tunneled through the SSH port which the user already has open to the WAN. It is highly recommended to use the -localhost switch when running vncserver in this scenario. This switch only allows connections from the localhost -- and by analogy only by users physically ssh'ed and authenticated on the box!
$ vncserver -geometry 1440x900 -alwaysshared -dpi 96 -localhost :1
On the Client
With the server now only accepting connection from the localhost, connect to the box via ssh using the -L switch to enable tunnels. For example:
$ ssh IP_OF_TARGET_MACHINE -L 8900/localhost/5901
This forwards the server port 5901 to the client box on port 8900. Once connected via SSH, leave that xterm or shell window open; it is acting as a secured tunnel to/from server. To connect via vnc, open a second xterm and connect not to the remote IP address, but to the localhost of the client thus using the secured tunnel:
$ vncviewer localhost:8900
From the ssh man page: -L [bind_address:] port:host:hostport
Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine. Port forwardings can also be specified in the configuration file. IPv6 addresses can be specified with an alternative syntax:
[bind_address/] port/host/ hostport or by enclosing the address in square brackets. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of ``localhost indicates that the listening port be bound for local use only, while an empty address or `*' indicates that the port should be available from all interfaces.
Starting and Stopping VNC Server at Bootup and Shutdown
# The vncserver service unit file # # Quick HowTo: # 1. Copy this file to /etc/systemd/system/vncserver@:<display>.service # 2. Edit <USER> and vncserver parameters appropriately # ("runuser -l <USER> -c /usr/bin/vncserver -arg1 -arg2 -argn %i") # 3. Run `systemctl daemon-reload` # 4. Run `systemctl enable vncserver@:<display>.service` [Unit] Description=Remote desktop service (VNC) After=syslog.target network.target [Service] Type=forking ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :' ExecStart=/bin/su <USER> -c "/usr/bin/vncserver %i" ExecStop=/bin/su <USER> -c "/usr/bin/vncserver -kill %i" [Install] WantedBy=multi-user.target