特殊:Badtitle/NS100:VNC

{{#ifexist: :VNC/zh | | {{#ifexist: VNC/zh | | {{#ifeq: {{#titleparts:VNC|1|-1|}} | zh | | }} }} }} {{#ifeq: {{#titleparts:VNC|1|-1|}} | zh | | }}

Virtual Network Computing (VNC) allows a computer to be seen and accessed remotely from other computers, who can see the screen and control the system using the keyboard and mouse. VNC is useful for remote technical support or remote access to personal/work computers. tip: If you need to access a Mac remotely, read Apple Remote Desktop instead.

Terminology

VNC Server = the computer you will connect to (log onto remotely). VNC Client = the computer you will connect with (use to log on to a server). With the default vnc server (vino) or x11vnc you will log into a shared desktop. With tightvnc server or with configuration of GDM you will have a separate session.

• If you are logging into a shared desktop you will not be able to connect if there is no user logged into the system.
• With a separate session you can log in even if either no one is logged into the server, or even if X is not running on the server at all.

Just a quick note about terminology. X sessions or desktops are numbered starting with 0 and is referred to on the command line as :0.

• So the desktop you have when you first log in can be referred to as
• localhost:0
• 172.0.0.1:0
• Your lan ip (ie 192.168.1.25:0)
• Your internet IP (128.220.223.246:0)

Not to be confused with ports. Servers listen on your computer via ports and vnc connections user 5900 + by default. So the first vnc session is port 5900. The second vnc server will use 5901.

• The default ports can of course be changed.

When you activate your vnc server via System -> Preferences -> Remote Desktop and tic off the "Allow other users to view your desktop" you are :

• Activating a server on your desktop which allows others to connect to your desktop (see "security issues" below).
• Your vnc server is listening for connections on your ip:5900 (ie 192.168.1.25:5900) or your internet IP :5900 (ie 128.220.223.246:5900).

When you start a new vnc server with tightvncsserver (see below) this second session starts on :1

• So the second vnc session is on localhost:1 (192.168.1.25:1 and on ...)
• And the port is :5901 (localhost:5901 or 192.168.1.25:5901)

When you connect to a vnc server you will use the server ip address and :0 or :1 to refer to the vnc session and 192.168.1.25:5900 or 192.168.1.25:5901 for configuration of routers/firewalls.

General Security

Security issues By default Ubuntu will allow all connections so at a minimum set a password when you activate Remote desktop. Without one people can watch your desktop from your LAN without any password. So if you are connected directly to the internet, without a router, if you do not set a password, anyone can access your computer. You may also consider:

• Purchasing a router.
• Create a user(s) specifically for vnc sessions without admin (sudo) access.
• Either logging out or locking your desktop if not in use (System -> Preferences -> Screensaver tic off the "Lock screen when screensaver is active"). If you screen is locked your log in password will be required to unlock the screen.
  • Kde Configure Desktop -> screen Saver tab -> tic off the "Require password to stop." option.
• Installing firestarter to help configure your firewall.
• Using ssh to log into vnc sessions VNC over SSH

Enabling VNC connections ~ Server setup

To allow other computers to access your desktop sessions, when your logged in, perform the following steps. Note: This is like MS Remote Assistance and only works when your are logged into the computer sharing that instance of your Xserv. See below for creating Xservs on the fly and allowing multiple loggings and XDM/GDM.

Using the default vnc servers

using GNOME / Ubuntu (vino)

System > Preferences > Remote Desktop 'Check' the first two boxes to activate the service: Allow other users to view your desktop (view only) Allow other users to control your desktop (view & control). Below you can set security. The two options are: Ask you for confirmation (ie; someone at the machine must click OK to grant remote access. This will be a problem if you plan on accessing your home machine from work or visa versa, as no one may be there to grant you access.) Require the user to enter this password: This will require a password from anyone trying to remotely connect to your machine. This is ALWAYS a good idea.

using KDE / Kubuntu

System Settings > Sharing > Desktop Sharing > Create & Manage Invitations ... Choose 'New Personal Invitation...' (you give the invitation by whichever means you prefer (Email, Instant Messaging, Written-Down Note) or 'New Email Invitation...'. The newly created invitation will last a default of 1 hour. tip If you don't see this option ensure that the package 'krfb' (Desktop Sharing for KDE) is installed. Sometimes it is installed but doesn't appear on the menu. If it is installed, type Alt-F2 and enter krfb or type it in the Konsole. You can manually add menu entries by righ clicking the KDE menu icon.

using XFCE / Xubuntu

There is not vnc server installed by default in Xubuntu. The default gnome vnc server is vino and you can install this package, X11vnc, or tightvncserver.

Tightvncserver

This method will give you an independent desktop once you log in (ie independent of session started when you logged in via GDM). Step 1 - Install tightvncserver

sudo apt-get install vnc-common tightvncserver

Step 2 - Edit vncserver script

sudo vim /usr/bin/vncserver

First, you want a valid X11 font path for Xvnc. Add these lines for Feisty/Gutsy (you will see a fonts section with a number of font paths commented out):

$fontPath = join ',',qw(
/usr/share/X11/fonts/misc
/usr/share/X11/fonts/100dpi/:unscaled
/usr/share/X11/fonts/75dpi/:unscaled
/usr/share/X11/fonts/Type1
/usr/share/X11/fonts/100dpi
/usr/share/X11/fonts/75dpi
);

You may add additional font paths as needed.

• see this link for font paths with earlier versions of Ubuntu

Optional: Set display size and color depth (make this whatever you want):

$geometry = "1280x1024";
$depth = 16;

Optional: Uncomment the line:

$colorPath = "/usr/lib/X11/rgb";

Step 3 - Run vncserver for the first time

vncserver :1

The first time you run the server you will be asked to provide a name and password :

ubuntu@ubuntu:~$ vncserver :1
You will require a password to access your desktops.
Password: #Enter your desired password here
Verify:   #Confirm Password
New 'X' desktop is ubuntu:1
Starting applications specified in /etc/X11/Xsession
Log file is /home/ubuntu/.vnc/ubuntu:1.log
ubuntu@ubuntu:~$

This will create a new directory in your home directory ~/.vnc

• To change you password later use vncpasswd

vncpasswd ~/.vnc/passwd

Step 4 - Edit your VNC startup script We may want to edit the VNC (X) startup script in ~/.vnc/xstartup You can use these if you like : Gnome

xrdb $HOME/.Xresources
xsetroot -solid navy # Choose your color
x-window-manager &
gnome-panel 2> /dev/null &
xterm &

XFCE

xrdb $HOME/.Xresources
xfwm4 2> /dev/null &
xfce4-panel 2> /dev/null &
xfce4-terminal &

KDE

xrdb $HOME/.Xresources
xsetroot -solid navy # Choose your color
x-terminal-emulator -geometry 80x24+10+1- -ls -title "$VNCDESKTOP Desktop" &
x-window-manager &
kicker 2> /dev/null &

Step 5 - Restart the VNC server

killall Xtightvnc 
vncserver

Note that you can vary the screen size, depth, and number when starting vncserver:

vncserver -geometry 1288x1024 -depth 24 :3

• See vncserver manpage for additional options

FreeNX

See Ubuntu Wiki How to FreeNX

Tunnel VNC through SSH

If you wish to tunnel over ssh you need to install, setup, and secure the openssh server.

• Ubuntu Wiki How to SSH
• Ubuntu Wiki, Advanced SSH (security) settings

Enabling VNC connections ~ Client setup

Ubuntu clients

Terminal Server Client

This method works with both the default vino server and the tightvnc server This is the default method in Ubuntu and uses a gui (graphical interface). Use this if you are adverse to the command line. Go to Applications -> Internet -> Terminal Server client In the General tab :

• Put the server ip in the "Computer" box (ie 192.168.1.25:0 for the default vino server or 192.168.2.25:1 for a tightvnc server)
• Select VNC from the pull down menu in "Protocol"

Hit Connect Enter the password you set on your server.

VNC Viewer

This method uses the command line. Open a terminal an enter vncviewer and you will be asked to enter the ip address and password. If you know the ip address you can use the ip in conjunction, like this :

vncviewer 192.168.1.25:0

Or if you want to get fancy, copy ~/.vnc/passwd from the server to the client (saving it in ~/.vnc/passwd on both the server and client). Now you can connect directly with :

vncviewer 192.168.2.25:0 -passwd ~/.vnc/passwd

• If you like, you can re-name the ~/.vnc/passwd to any name you like and keep one file for each server (each with a unique name).

Logging into a Tight VNC server

If desired you will need to configure your desktop. Ubuntu I do not know how to set the background image on the tightvnc server, but the gnome panel works. XFCE Applications -> Settings -> Desktop Settings

• Tic off the "Allow Xfce to manage the desktop"

KDE The kicker works fine, as with gnome I could not get set the backgound image.

XDM/GDM

This method is somewhat more complicated, but when connecting this way you get a login prompt and begin a new session. This also works when no user is logged in and allows multiple parallel loggings. Step 1 Append the following line to /etc/services

$> gksudo gedit /etc/services
vnc             5901/tcp                        # VNC with GDM

Step 2 Create the following file /etc/xinetd.d/vnc

$> sudo pico /etc/xinetd.d/vnc
service vnc
{
disable = no
socket_type = stream
protocol = tcp
wait = no
user = nobody
server = /usr/bin/Xvnc
server_args = -inetd :1 -query localhost -broadcast -once -fp /usr/share/X11/fonts/misc/ -securitytypes=none -desktop=vnc://MyDesktop/
}

• Note: In 6.10 the default fount's were not found. The -fp /usr/share/X11/fonts/misc/ line should resolve this error.
• Note: -desktop=vnc://MyDesktop/ is the title that appears to the user when connecting.
• Note: -query localhost is optional, it may fix a problem when clients get "connection unexpectedly closed"

Step 3 Enable XDMCP in your login configuration to allow remote logins to GDM (the gnome login screen). Edit /etc/gdm/gdm.conf

$> sudo pico /etc/gdm.conf

find the section [xdmcp] and set the enable to true:

[xdmcp]
....
Enable=true

uncomment this line:

RemoteGreeter=/usr/lib/gdm/gdmlogin

Step 4 Stop and restart Xinetd

$> sudo /etc/init.d/xinetd restart

Problems

• If you cant connect check your router/port forwarding, firewall, or try running the following to start a session without Xinetd to verify Xvnc is working.

$>  Xvnc :1 -fp /usr/share/fonts/X11/misc/

• Make sure you connect to the proper port, in this case vnc://localhost:5901. In some clients this is set by choosing display 1.

Windows Clients

This method works with Windows 2000 and XP. I am not sure about other versions. Connecting with a windows client is fairly straight forward, all you need to do is download the tight vnc viewer for windows. You then run the viewer and enter the server address and password very similar to connecting from Ubuntu. Tight VNC viewer for windows

• The tight vnc viewer is available without installation ( tightvnc-1.3.9_x86_viewer.zip "Viewer executable, does not require installation")

I have also used Ultra and Real vnc viewers

• You can set up tight, ultra, or real vnc servers on windows and connect just as easily from ubuntu.

VNC Access over the Internet

Strongly consider tunneling over ssh VNC Over SSH , using a router (rather then connecting your server directly to the internet), and configuring your firewall Firestarter. The most difficult part of internet access is configuring your router and firewall ...

Server IP

The IP address of your VNC server is different on a LAN vs an internet connection. The internet IP address is assigned by your internet provider.

• You can check your IP address here (or elsewhere).

The problem can occur if you use DHCP (rather then a static IP address) the internet IP address can change from time to time. The solution is to register at dyndns or other providers. dyndns will provide free service. You can then determine your vnc server address via ping.

Router

You must configure your router to forward the ports. The details vary by router. tip: if you are connecting through a router you'll need to forward port 5900 to the machine you need to connect to. (VNC can use other ports as well. If you have multiple machines you would like to connect to you can forward 5900 to the first, 5901 to the second, 5902 to the third, etc.) If you are using a non-standard port (ie; other than 5900) you will need to specify the port in the connection command. You can simplify this step some what by tunneling though ssh (which also increases security). See the ssh section below.

Firewall

This is very easy to do via firestarter, a gui front end to IP Tables.

• Be sure to configure firestarter to allow pings.

Open the firestarter gui (Applications -> Internet -> Firestarter) In the "Policy" tab, under the "Allow service" section, right click anywhere in the white space. Select "Add rule"

• Under "Port" enter the ports you want to enable (5900 and/or 5901)

Allow "Anyone"

Method 1 ~ Using vncviewer from the command line

• Using tightvncserver - See the Tightvncserver section above.
• If you are using the default vnc server, vino, for a shared desktop, use 5900 or :0

Open a terminal and start vncviewer with this command

vncviewer

Enter the ip address :1 Example:

192.168.1.25:1

Enter the vnc password

Method 2 ~ Ubuntu clients ~ Tunnel over ssh directly

You can use this method with Ubuntu clients. Use the -via flag -via <server_IP> = use ssh authentication. vncviewer -via <server_ip> <name_of_vnc_session>

vncviewer -via 192.168.1.25 ubuntu:1

Enter ssh password, enter vnc password

• You are given the name of the vncserver by tight vnc when you start it up, see the tight vnc server section above

Method 3 ~ Windows or Ubuntu ~ Tunnel over ssh manually

This is a quick guide and assumes you have a ssh server set up on the vnc server. See this link for a more detailed description : VNC Over SSH The trick is to forward the ports over ssh. In this example I will use 5900 , the default path for the defalut VNC server vino. If you use tightvnc you will need to change the forwarded port to 5901. Step 1 Make the ssh connection :

ssh -fCNT [email protected] -L 5901:127.0.0.1:5901

-f = Allows ssh to close after the connection is established.
-C = Use Compression
-N = No commands will be issued
-T = No terminal session will be started
-L = Port forwarding. The terminology is <server_port>:<client_port> the trick is we are using 127.0.0.1:<port> for the client. 127.0.0.1 must be used (not localhost or the client ip address)

Step 2 Make the vnc connection. Now we make the vnc connection, but now we use localhost:1 as the server ip.

vncviewer localhost:1

Enter your password. Step 3 To disconnect, close the vnc viewer, and enter killall ssh in the terminal.

Method 4 ~ Via a web browser (firefox for example)

This does not work with the default vnc server, vino. You will need to install and configure the tight vnc server as above. You will need to enable the commercial repositories on both the server and client (or download the debs) :

deb http://archive.canonical.com/ubuntu gutsy commercial
deb-src http://archive.canonical.com/ubuntu gutsy commercial

Server setup

Install by any means vnc-common, tightvncserver, and tightvnc-java

sudo apt-get install vnc-common tightvncserver tightvnc-java

Configure the tight vnc server as above. You will likely want to reduce the resolution as the java applet will run in a firefox window :

vncserver -geometry 800x600 -depth 24 :1

• If you have a large monitor you may be able to increase the server resolution.

The java server will start automatically

Client setup

On an Ubuntu client install by any means sun-java6-jre and sun-java-6-plugin

sudo aptitude install sun-java6-jre sun-java-6-plugin

Allow java : In Firefox Edit -> Preferences Select the "Content" tab, tic off the "Load images automatically" "Enable JavaScript" and "Enable Java" boxes.

Connect

Open Firefox, in the address bar type vnc server ip : 5801 Example:

192.168.1.25:5801

The java applet will start automatically. If you use NoScript (or other java blockers) you will need to allow 192.168.1.25:5801 Click the connect button.

• If you reload the firefox window you will need to log in again.

Connecting with a Windows XP client

You may use any of the above methods with Windows.

• VNC - See the windows section above.
• SSH - For windows I have used both Putty and Cygwin with success. See here for details vnc over ssh Windows clients
• For firefox just be sure to install java and the java plugins on the windows client.

Note: If you tunnel ssh connections on a windows client, you must first ssh method (ie start ssh first, then connect with tightvnc viewer). Note: Cygwin offers a ssh server so you could potentially tunnel vnc connections from a Windows vnc server.