Difference between revisions of "UbuntuHelp:VNC"

From Ubuntu中文

 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
{{From|https://help.ubuntu.com/community/VNC}}
 
{{From|https://help.ubuntu.com/community/VNC}}
 
{{Languages|UbuntuHelp:VNC}}
 
{{Languages|UbuntuHelp:VNC}}
<<Include(Tag/TooLong)>>
+
VNC is a protocol that allows a desktop to be viewed and controlled remotely over the Internet.  To use VNC, a [[UbuntuHelp:VNC/Servers|VNC server]] must be run on the computer sharing the desktop, and a [[UbuntuHelp:VNC/Clients|VNC client]] must be run on the computer that will access the shared desktop.
VNC is a protocol that allows a desktop to be viewed and controlled remotely over the Internet.  To use VNC, you need to run a '''VNC server''' on the computer sharing a destkop, and a '''VNC client''' on the computer accessing the shared desktop.  VNC is a widely useful tool, although you'll need to do some work to set it up for your particular use case.
+
This page will discuss some common uses for VNC, present programs you can use to solve your particular problem, and then guide you through some example scenarios.  You may want to [[UbuntuHelp:[guide|skip straight to the examples]]].
+
 
== Common uses ==
 
== Common uses ==
The two most common uses for VNC are to control your own desktop from another computer and to let other people view your desktop while you're sitting at it.
+
The two most common uses for VNC are to control your own desktop from another computer and to let other people view/control your desktop while you're sitting at it.
 +
=== Helping someone via VNC over the Internet ===
 +
A common usage scenario is helping another Ubuntu user over the internet via screen sharing. The problem usually is that the user you want to help is behind a NAT / firewall. There is however a simple solution available if:
 +
* You are directly connected to the internet
 +
* OR
 +
* You have control over your NAT device and can set-up a port forwarding
 +
The solution is to use ''reverse VNC'' to solve the NAT problems. Usually you have to establish a connection to the computer you would like to control. Reverse VNC does the opposite. You open a port where your vncviewer listens and the computer you would like to control connects to your computer.
 +
The security risks involved are that the content of the other user's computer screen is transmitted unencrypted over the internet.
 +
Here are the steps to make it work:
 +
<ol><li>Install a VNC viewer on your machine (follow the steps below). Tested with the ``xvnc4viewer`` package.
 +
</li><li>If you are not directly connected to the internet, [[UbuntuHelp:ServersBehindNAT|set-up port-forwarding]] on your router for port 5500 to your PC.
 +
</li><li>Make sure your firewall does not block port 5500 (see below)
 +
</li><li>Find out your public IP address, for example by visiting [http://www.whatismyip.com/]
 +
</li><li>Start vnc in listen mode on your computer: `vncviewer -listen` (using Alt-F2 or via the shell)
 +
</li><li>Ask the user you are trying to help to install the ''x11vnc'' package.
 +
</li><li>Ask the user to execute `x11vnc -connect YOURIPADDRESS` using Alt-F2 or via the shell</li></ol>
 +
 
 +
You can find more information on the [http://ubuntuforums.org/showthread.php?t=299489 Ubuntu forums]
 
=== Accessing your desktop over the Internet ===
 
=== Accessing your desktop over the Internet ===
Although VNC has some optional security features, you should not run VNC directly over an untrusted network like the Internet.  Instead, you should set an SSH server up as discussed in the [[UbuntuHelp:SSHHowto|SSH guide]] and configure a VNC server that you can start in so-called '''once''' mode, as described below.  When you have set up your SSH and VNC servers, you can use SSH to log in to your computer over the Internet, start your VNC server, and use [[UbuntuHelp:[port-forwarding|port-forwarding]]] to securely access the VNC server.
+
Although VNC has some optional security features, you should not run VNC directly over an untrusted network like the Internet.  Instead, you should set an SSH server up as discussed in the [[UbuntuHelp:SSH|SSH guide]] and configure a VNC server that you can start in so-called '''once mode'''.  When you have set up your SSH and VNC servers, you can use SSH to log in to your computer over the Internet, start your VNC server, and use [[UbuntuHelp:[port-forwarding|port-forwarding]]] to securely access the VNC server.
 
<<Anchor(let-other-people)>>
 
<<Anchor(let-other-people)>>
 
=== Let other people view your desktop ===
 
=== Let other people view your desktop ===
At present, there is no easy, secure way of making your desktop available to others over the Internet.  However, an application called [https://launchpad.net/remote-help-assistant Remote Help Assistant] is being developed to fill this gap, and needs unskilled volunteers to help test new versions.  Contributing there might be the best use of your time, especially if you're not technically adept enough to reconfigure your system.
+
If a small group of people regularly want to access your desktop, the best solution might be to [[UbuntuHelp:SSH|set up an SSH server]], then add their public keys to your '''authorized_keys''' file, with very limited rights.  As [[UbuntuHelp:SSH/OpenSSH/Keys#keys-with-specific-commands|discussed]] in the SSH guide, you can limit the SSH features that each public key can use - typically, a user that should only have VNC access would have a line like the following in '''authorized_keys''':
If a small group of people regularly want to access your desktop, the best solution might be to [[UbuntuHelp:SSHHowto|set an SSH server up]], then add their public keys to your '''authorized_keys''' file, with very limited rights.  As [[UbuntuHelp:SSHHowto#public-key-auth|discussed]] in the SSH guide, you can limit the SSH features that each public key can use - typically, a user that should only have VNC access would have a line like the following in '''authorized_keys''':
+
 
<pre><nowiki>
 
<pre><nowiki>
 
command="/bin/sleep 4294967295":no-agent-forwarding:no-pty:no-user-rc:no-X11-forwarding:permitopen="localhost:5900" <public key>
 
command="/bin/sleep 4294967295":no-agent-forwarding:no-pty:no-user-rc:no-X11-forwarding:permitopen="localhost:5900" <public key>
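Review bot: The new "Helping someone via VNC over the Internet" section sends readers down the path that the very next section, "Accessing your desktop over the Internet", tells them to avoid ("you should not run VNC directly over an untrusted network like the Internet"): port 5500 is forwarded to a viewer started with `vncviewer -listen` and the other user runs `x11vnc -connect YOURIPADDRESS` with no tunnel. Suggest widening the risk sentence to say that the whole session travels unencrypted, not only the screen content, pointing to the SSH port-forwarding section as the preferred route, and adding a last step that stops the listening viewer and removes the port 5500 forward once the session is over. The list also carries `* OR` as a bullet of its own and puts double backticks around xvnc4viewer where the rest of the page uses single ones. In the same hunk, the `authorized_keys` example that the reworded "If a small group of people" paragraph introduces separates its options with colons; sshd reads that field as a comma-separated list, so the example should use commas.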
Line 20: Line 34:
 
* tell your VNC server to request permission before allowing anyone to see your desktop
 
* tell your VNC server to request permission before allowing anyone to see your desktop
 
* don't do anything that you wouldn't do in an Internet cafe
 
* don't do anything that you wouldn't do in an Internet cafe
If you're not comfortable with the risks, and the secure options discussed above aren't appropriate, you might be able to [[UbuntuWiki:TakingScreenshots|take|screenshots]] instead, and send them to the other person.
+
If you're not comfortable with the risks, and the secure options discussed above aren't appropriate, you might be able to [[UbuntuWiki:TakingScreenshots|take screenshots]] instead, and send them to the other person.
 
Whichever of the above techniques you use, you might find that you can connect to your VNC server from computers on your local network, but that other people can't connect to your server over the Internet.  If that happens, you might need to [[UbuntuHelp:ServersBehindNAT|reconfigure your router]].
 
Whichever of the above techniques you use, you might find that you can connect to your VNC server from computers on your local network, but that other people can't connect to your server over the Internet.  If that happens, you might need to [[UbuntuHelp:ServersBehindNAT|reconfigure your router]].
 +
An application called [https://launchpad.net/remote-help-assistant Remote Help Assistant] is being developed to help smooth the setup of remote connections, and needs unskilled volunteers to help test new versions.
 
<<Anchor(port-forwarding)>>
 
<<Anchor(port-forwarding)>>
 
=== SSH port-forwarding ===
 
=== SSH port-forwarding ===
SSH has a feature called '''local port forwarding''' that allows programs on a computer running an SSH client to transparently connect to servers over the SSH connection. This works by setting up a dummy server on the computer running the SSH client (the '''local''' computer) that sends everything it hears ('''forward'''s it) to a real server on the other side of the SSH connection.
+
SSH has a feature called [[UbuntuHelp:SSH/OpenSSH/PortForwarding|local port forwarding]].  Among many other things, this lets you securely connect to a computer over the Internet, then access that computer's VNC server over the secure connection. Using the command-line SSH client that comes with Ubuntu, you would normally do something like the following:
It's called '''port''' forwarding because different types of server listen on virtual "ports", a bit like USB ports on the back of your computer. Like with USB, any server can be plugged in to any port; but unlike USB, ports are numbered and there are strong conventions about which port you're supposed to use for which server. The convention for VNC servers is to listen on port numbers starting at 5,900 - so a computer that shared three different desktops would normally listen on ports 5,900, 5,901 and 5,902.
+
Port-forwarding is a widely useful technique that is supported in all major SSH clients, although you will have to consult your client's documentation to find out exactly how your client does it. The command-line ssh client uses the '''-L''' option, so if you typed this for example:
+
 
<pre><nowiki>
 
<pre><nowiki>
 
ssh -L 5900:localhost:5900 joe@laptop
 
ssh -L 5900:localhost:5900 joe@laptop
 
</nowiki></pre>
 
</nowiki></pre>
you would log in to Joe's laptop and forward his shared desktop to your computer. You could then start your VNC client and connect to port 5,900 on your computer to see his shared desktop. `5900:localhost:5900` means ''start a dummy server on port 5,900 on this computer, and forward it to port 5,900 on the computer that Joe's laptop calls "localhost"''. The word "localhost" is the computer equivalent of the word "yourself", so the SSH server on Joe's laptop will think you mean Joe's laptop when you tell it to connect to `localhost` port `5900`, but a VNC client on your computer will think you mean your computer when you tell it to connect to `localhost` port `5900`.
+
This would log in to Joe's laptop and forward his shared desktop to your computer. You could then start your VNC client and connect to port 5900 on your computer to see his shared desktop. This is covered in more detail on the [[UbuntuHelp:SSH/OpenSSH/PortForwarding|SSH port forwarding page]].
 
<<Anchor(vnc-clients)>>
 
<<Anchor(vnc-clients)>>
== VNC Clients ==
+
<pre><nowiki>#!wiki comment
A VNC client lets you connect to a desktop that's been shared on another computer.  Excellent VNC clients are available for every major Linux distribution and other operating system.  Some popular clients include:
+
The above anchor was put here long ago, when this page had separate "VNC Servers" and "VNC Clients" sectionsI don't know whether anything links to it any more, but I don't see any benefit in deleting it
* [[UbuntuHelp:Vinagre|Vinagre]] is the remote desktop viewer that comes by default with Ubuntu
+
* krdc is the standard KDE client, and can also act as a Windows Terminal Services client
+
* xvnc4viewer is a simplistic client recommended for Xubuntu users.<<BR>>
+
xvnc4viewer is available in the Universe repository
+
* xtightvncviewer is a simplistic client recommended for use with tightvncserver<<BR>>
+
xtightvncviewer is available in the Universe repository
+
* [http://sourceforge.net/projects/cotvnc/ Chicken of the VNC] is a popular VNC client for Mac OS X<<BR>>
+
Other Mac clients can be found on [http://www.apple.com/downloads/macosx/networking_security/ Apple's website]
+
* [http://www.tightvnc.com/ TightVNC] has a Windows version available
+
* TightVNC Java client is a multiplatform Java client that can run in a web browser<<BR>>
+
If you can't install software on the machine you'll log in from, you can make this available through a web server.  It's available in the vnc-java package in the Multiverse repository
+
{|border="1" cellspacing="0"
+
|https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconTip.png||If you accidentally display the remote desktop fullscreen, try pressing ''F8'' or ''F11'' to exit.
+
|}
+
To connect a VNC client to a VNC server, you need to know the name or the IP address of the computer you'll connect to, and the port or display number of its VNC server.  By convention, port numbers start at 5,900 and go up, so a computer that shared three different desktops would normally listen on ports 5,900, 5,901 and 5,902.  Display numbers use the 5,900 convention to try to make things easier - port number 5,900 is display number :0, port number 5,901 is display number :1, and so on.
+
=== Similar applications ===
+
* [https://launchpad.net/remote-help-assistant Remote Help Assistant] is an application being developed to make it easier to securely acces a VNC server
+
* '''rdesktop''' is a client for Windows Terminal Services, available in the Main repository
+
* '''qtnx''' is an [http://en.wikipedia.org/wiki/NX_technology NX] client for KDE, available in the Universe repository
+
== VNC Servers ==
+
A VNC server is a program that shares a desktop with other computers over the Internet.  You will need a VNC server if you want other people to see your desktop.  Every VNC server has different strengths and weaknesses and is appropriate for different uses.  This section will discuss each of the VNC servers available in Ubuntu, and ways to configure them for most common uses of VNC.
+
The most important thing when setting up a VNC server is to only let the right people access your desktop.  The safest way to do that is usually to have someone sitting at the desktop deciding who gets to use it, but that's not always practical - for example, if you want to log in to your own computer from somewhere else.
+
If you want to confirm each connection manually, you should look for these options:
+
* '''Request access each time''' - pop a window up asking whether to allow each connection as it comes in.
+
* '''view-only access''' - allow VNC clients to view the destkop, but not to change anything.  As well adding a little security, this avoids problems with both of you fighting over control of the mouse.
+
If you want to access your desktop when nobody is sitting at it, these options will be more useful:
+
* '''Only allow local connections''' - only let people connect if they already have access to your computer. 
+
* '''Start your VNC server in "once" mode''' - tell your VNC server to allow one connection, then block anything after that
+
* '''Set a password''' - require people to send a password before they can connect.
+
These options should give you a secure set-up, so long as they're used with  [[UbuntuHelp:[port-forwarding|port-forwarding]]], as discussed above.  Only allowing local connections means that only people with user accounts on your computer can access your desktop.  Starting the server in "once" mode means that people with user accounts on your computer would have to log in to your desktop between the time you start your VNC server and the time you connect from your VNC client.  Setting a password means that, if anyone did try to connect in that brief interval, they probably wouldn't be able to get in before you noticed and stopped the server.
+
Although passwords add some security, [[UbuntuHelp:StrongPasswords|hard-to-guess passwords]] are as difficult to create as they are to remember.  If nobody else has access to your computer, you might want to skip passwords altogether.
+
=== Vino ===
+
Vino is the default VNC server in Ubuntu to share your existing desktop with other users.  Unfortunately, a [https://bugs.launchpad.net/ubuntu/+source/vino/+bug/196675 bug] in the version that comes with Hardy makes it incompatible with most networks and VNC clients.
+
To configure vino from within GNOME, go to System > Preferences > Remote Desktop
+
* To set vino to request access each time, tick '''Allow other users to view your destkop''' in the Remote Desktop configuration window
+
* There's no way to set vino to only listen for the next connection
+
* To set a password, tick '''Require the user to enter this password:''', and enter a [[UbuntuHelp:StrongPasswords|hard-to-guess password]]
+
* To put vino in view-only mode, untick '''Allow other users to control your desktop'''
+
* To only allow local connections, click on the tab marked '''Advanced''', then tick '''Only allow local connections'''.
+
=== krfb ===
+
Krfb is the default VNC server in Kubuntu, and is recommended for KDE users.  Because it's highly integrated with KDE, running it in other environments is difficult.
+
To configure krfb, go to System Settings > Sharing > Desktop Sharing > Configure....
+
* To set krfb to request access each time, tick '''Confirm uninvited connections before accepting'''
+
* There's no official way to set krfb to only listen for the next connection, although see below for an unofficial solution
+
* To set a password, type a [[UbuntuHelp:StrongPasswords|hard-to-guess password]] into the '''Password''' input box
+
* To put krfb in view-only mode, untick '''Allow uninvited connections to control the desktop'''
+
* There's no official way to only allow local connections, although see below for an unofficial solution
+
==== Once mode ====
+
Krfb doesn't have any official way to accept the next connection then stop listening for connection attempts.  However, the following Python script will listen for a single connection then exit krfb:
+
<pre><nowiki>#!python numbers=off
+
#!/usr/bin/python
+
 
+
# Load extra functionality from the 'socket' and 'os' modules
+
from socket import socket, AF_INET, SOCK_STREAM
+
from os import execl
+
 
+
# Listen for a connection
+
server = socket(AF_INET, SOCK_STREAM) # This is an Internet (TCP) connection
+
server.bind(('127.0.0.1', 5900))      # Listen for a local connection on port 5,900
+
server.listen(1)                      # Listen for exactly 1 connection
+
sock = server.accept()[0]            # Accept the connection
+
 
+
# Attach krfb to this connection
+
execl('/usr/bin/krfb', 'krfb', '--kinetd', str(sock.fileno()))
+
</nowiki></pre>
+
To use this script, open your favourite text editor and paste the contents in.  Make sure that the initial '#' character is the very first character in the file, save the file as '''krfb.py''', and set the file's permissions to make it executable.  Although this simple program won't open a window of any kind, it will quietly wait for the next VNC client to connect to your computer, then pass the connection through to krfb.
+
This script will only listen for local connections.  To allow connections from anywhere, change `127.0.0.1` to `0.0.0.0` in the script.
+
==== Invitations ====
+
Krfb lets you create "invitations" - individual passwords that are deactivated after an hour or after one use.  These are a handy way of giving people one-time access to a computer, but only provide limited security.  For example, if you send someone an invitation by e-mail or instant messaging, an attacker could read your invitation message as it went over the Internet and use it to log in.
+
Invitations can be useful when you want to let other people view your desktop, but you still need to follow the precautions discussed [[UbuntuHelp:[let-other-people|above]]].
+
=== x11vnc ===
+
X11vnc is a VNC server that doesn't depend on GNOME or KDE, and is recommended for use by Xubuntu users. It's designed to be run from the command-line, which makes it flexible but difficult to learn. The few graphical parts of the interface are quite unattractive, because they're designed to work even on a very minimal installation. X11vnc is available in the '''x11vnc''' package in the Universe repository.
+
Although x11vnc does have a simple configuration file, it's generally easier to specify options on the command-line.  To start x11vnc, type:
+
<pre><nowiki>
+
x11vnc -safer <options>
+
</nowiki></pre>
+
'''<options>''' is a series of commands separated by spaces.  X11vnc has a lot of options, which are discussed fully in the [http://linux.die.net/man/1/x11vnc x11vnc man page].  Common options include:
+
* To set x11vnc to request access each time, include the '''-nopw -accept popup:0''' options
+
* To set x11vnc to only listen for the next connection, include the '''-once''' option
+
* To set x11vnc to continually listen for connections, include the '''-forever''' option
+
* To set a password, include the '''-usepw''' option (and remove the '''-nopw''' option above)
+
* To put x11vnc in view-only mode, include the '''-viewonly''' option
+
* To set x11vnc to only allow local connections, include the '''-localhost''' option
+
For example, if you want x11vnc to grant view-only access to the next local connection after asking your permission, type this on the command-line:
+
<pre><nowiki>
+
x11vnc -safer -localhost -nopw -accept popup:0 -once -viewonly -display :0
+
</nowiki></pre>
+
If you use a password, you will first need to create a password file by doing:
+
<pre><nowiki>
+
x11vnc -storepasswd
+
</nowiki></pre>
+
Make sure to use a [[UbuntuHelp:StrongPasswords|hard-to-guess password]]
+
<<Anchor(x11vnc-before-login)>>
+
==== Connecting to your login screen ====
+
Because X11vnc is run from the command-line, it can be started while your computer is still showing a login screen.  Exactly how to do this depends on which derivative of Ubuntu you use.  In Ubuntu (but not Kubuntu or Xubuntu), x11vnc needs superuser access, and needs the ` -auth /var/lib/gdm/:0.Xauth -display :0` options to be specified on the command-line.  You will also need superuser access to edit your `/etc/gdm/gdm.conf-custom` file, to stop your computer from closing your VNC session after you've typed your username and password.
+
To edit `/etc/gdm/gdm.conf-custom`, type the following on a command-line:
+
<pre><nowiki>
+
sudo gedit /etc/gdm/gdm.conf-custom
+
</nowiki></pre>
+
Add the following under the "[daemon]" heading:
+
<pre><nowiki>
+
#to get remote vnc to not die after login
+
KillInitClients=false
+
</nowiki></pre>
+
Restart gdm to pick up the change with:
+
<pre><nowiki>
+
sudo /etc/init.d/gdm restart
+
</nowiki></pre>
+
Then you can run x11vnc before you've logged in by typing something like this:
+
<pre><nowiki>
+
sudo x11vnc -safer -localhost -once -nopw -auth /var/lib/gdm/:0.Xauth -display :0
+
</nowiki></pre>
+
(Thanks to [http://www.karlrunge.com/x11vnc/#faq-display-manager the x11vnc FAQ] for this tip)
+
=== tightvncserver ===
+
Whereas most VNC servers share your desktop, tightvnc creates a completely new desktop, not attached to any actual screenThis makes it much less useful for some things (like remote help), but much more useful for others (like creating a public area for collaboration).  If tightvncserver won't start, you might need to uncomment the `$fontpath` lines in `/etc/vnc.conf`.
+
Like x11vnc, tightvnc is designed to be run from the command-line. To start it, type:
+
<pre><nowiki>
+
tightvncserver -nolisten tcp :1
+
</nowiki></pre>
+
This will tell tightvnc to listen for VNC connections on port 5,901 from anywhere on the Internet.  Without the '''-nolisten tcp''' option, tightvnc will also listen for a different type of connection (X11 instead of VNC), which isn't usually very useful.  Tightvnc's unusual design means that it can't create a remote desktop on the standard VNC port (5,900) if you have an ordinary desktop running on your computer.
+
* There's no way to set tightvncserver to request access each time
+
* There's no way to set tightvncserver only to accept the next connection, although see below for a similar solution
+
* Tightvncserver always requires a password, and will ask you to specify one the first time it's run
+
* There's no way to put tightvncserver in view-only mode
+
* To set tightvncserver to only allow local connections, include the '''-localhost''' option
+
==== Once mode ====
+
Tightvncserver can't be set to accept the next connection then stop listening for connection attempts.  But it can be set to automatically disconnect each client when the next client connects, and can be stopped after your connection is disconnected.  To only allow local connections and automatically disconnect clients, start tightvnc by typing:
+
<pre><nowiki>
+
tightvncserver -nolisten tcp -localhost -nevershared :1
+
</nowiki></pre>
+
Then when your client is disconnected by the next client connecting, type:
+
<pre><nowiki>
+
tightvncserver -kill :1
+
 
</nowiki></pre>
 
</nowiki></pre>
=== Similar applications ===
+
== VNC Software ==
* [http://www.gnu.org/software/screen/ GNU Screen] allows you to open, share, disconnect, and later return to a text-based terminal.
+
To view a desktop remotely, you need a VNC server to share the desktop, and a VNC client to view the shared desktop.  There are many [[UbuntuHelp:VNC/Servers|VNC Servers]] and [[UbuntuHelp:VNC/Clients|VNC Clients]]for every operating system.
* '''directvnc''' is a VNC server that shares a Linux framebuffer instead of a desktop
+
* '''linuxvnc''' is a VNC server that shares a text-based console instead of a desktop
+
* '''xrdp''' is a server for Microsoft's Remote Desktop protocol, a client for which comes with all modern versions of Windows
+
* '''xserver-xephyr''' allows you to create a desktop within a desktop on a single computer
+
* [[UbuntuHelp:AppleRemoteDesktop|Apple Remote Desktop]] is a desktop sharing application for Mac OS that includes a VNC server
+
 
<<Anchor(guide)>>
 
<<Anchor(guide)>>
 
== Guide to example scenarios ==
 
== Guide to example scenarios ==
This section discusses some situations where you would want to use VNC, and how to set a server up for that situation.  The first scenario ("Accessing your PC") describes how to set VNC up for a computer that logs in automatically as soon as it starts up. Because accessing a shared login screen requires more security privileges than accessing your personal desktop, the second scenario ("Accessing a family PC") describes the extra steps you need to take in order to access your computer before you've logged in.
+
This section discusses some situations where you would want to use VNC, and how to set a server up for that situation.  The first scenario [[UbuntuHelp:[accessing-your-pc| Accessing your desktop over the internet]]] describes how to set VNC up for a computer that logs in automatically as soon as it starts up. As accessing a shared login screen requires more security privileges than accessing your personal desktop, the second scenario [[UbuntuHelp:[accessing-family-pc|Accessing a family PC over the Internet]]]  describes the extra steps you need to take in order to access your computer before you've logged in.
 
<<Anchor(accessing-your-pc)>>
 
<<Anchor(accessing-your-pc)>>
 
=== Accessing your PC over the Internet ===
 
=== Accessing your PC over the Internet ===
 
This section describes how to connect to your own desktop computer from somewhere else on the Internet.  See below for instructions about logging in to a shared computer.
 
This section describes how to connect to your own desktop computer from somewhere else on the Internet.  See below for instructions about logging in to a shared computer.
 
To set your VNC server up, follow these steps.  You should only need to do this once:
 
To set your VNC server up, follow these steps.  You should only need to do this once:
<ol><li>[[UbuntuHelp:InstallingSoftware|Install]] the ''x11vnc'' and ''openssh-server'' packages on your PC.
+
<ol><li>[[UbuntuHelp:InstallingSoftware|Install]] the ''x11vnc'' and ''openssh-server'' packages on your PC ([[UbuntuHelp:apt:x11vnc,openssh-server|click here to install x11vnc and openssh-server]])
</li><li>If you have previously reconfigured the firewall on your PC, make sure the firewall allows incoming connections on port `22` from anywhere, and on port `5900` from `localhost` (also known as `127.0.0.1`).
+
</li><li>If you have previously reconfigured the firewall on your PC, make sure the firewall allows incoming connections on port `22` from anywhere, and on port `5900` from `localhost` (also known as `127.0.0.1`)
</li><li>If your PC is behind a home router, or any other device that uses NAT, [[UbuntuHelp:ServersBehindNAT#Procedure|configure|your router]] to send connection attempts on port `22` (but '''not''' port `5900`) to your computer.
+
</li><li>If your PC is behind a home router, or any other device that uses NAT, [[UbuntuHelp:ServersBehindNAT#Procedure|configure your router]] to send connection attempts on port `22` (but '''not''' port `5900`) to your PC
</li><li>[[UbuntuHelp:SSHHowto#Logging_in_from_other_computers|Choose an SSH client]] for the computer you'll log in from, and create a public key for that computer.
+
</li><li>[[UbuntuHelp:SSH/OpenSSH/ConnectingTo|Choose an SSH client]] for the computer you'll log in from, and create a public key for that computer
</li><li>In a text editor on your PC, open the file ''`<home>`''`/.ssh/authorized_keys`, then add the public key you just created to the bottom of the file.</li></ol>
+
</li><li>In a text editor on your PC, open the file ''`<home>`''`/.ssh/authorized_keys`, then add the public key you just created to the bottom of the file</li></ol>
  
 
Each time you want to connect to your PC, follow these steps:
 
Each time you want to connect to your PC, follow these steps:
<ol><li>Find your PC's public name or IP address.  Unless your computer has been assigned a memorable name, the easiest way to do this is to go to [http://whatismyip.com/ www.whatismyip.com] from your PC.  You can assign your computer a name by getting one from a [[UbuntuHelp:DynamicDNS|dynamic DNS]] provider.
+
<ol><li>Find your PC's public name or IP address.  Unless your PC has been assigned a memorable name, the easiest way to do this is to go to [http://whatismyip.com/ whatismyip.com] from your PC.  You can assign your PC a name by getting one from a [[UbuntuHelp:DynamicDNS|dynamic DNS]] provider
</li><li>Start an SSH session on your PC with your SSH client, use local port-forwarding to connect port 5,900 on your desktop to port 5,900 on localhost, and run the command `x11vnc -safer -localhost -nopw -once -display :0`
+
</li><li>Start the SSH client on the computer you'll log in from.
</li><li>Start your VNC client, and tell it to connect to port 5,900 on localhost</li></ol>
+
</li><li>Tell the SSH client to use local port-forwarding to connect port 5,900 on your desktop to port 5,900 on localhost.
 +
</li><li>Via the SSH client, run the command `x11vnc -safer -localhost -nopw -once -display :0` on the computer whose desktop you will view.
 +
</li><li>Tell the SSH client to connect to your PC (in case it's not already connected).
 +
</li><li>Start a VNC client on the computer you'll log in from, and tell the VNC client to connect to port 5,900 on `localhost`.</li></ol>
  
 
If you have a dial-up Internet connection, your IP address will change every time you connect to the Internet.  If you have a broadband Internet connection, your address will probably only change once every few months - usually right around the day you forget to check your address.
 
If you have a dial-up Internet connection, your IP address will change every time you connect to the Internet.  If you have a broadband Internet connection, your address will probably only change once every few months - usually right around the day you forget to check your address.
If you were connecting from an Ubuntu computer with a command-line VNC client, you could do the following on a command-line:
+
If the VNC connection is terribly slow, then you may want to try compressing the session using <code><nowiki>vncviewer -encodings "tight" localhost:0</nowiki></code> instead of <code><nowiki>vncviewer localhost:0</nowiki></code>.
 +
Exactly how to perform the above steps depends on the SSH client you use.  Here are some examples.
 +
==== Logging in from another Ubuntu PC ====
 +
Rebecca wants to connect to her Ubuntu desktop from her Ubuntu laptop.  She is using the standard software that comes with Ubuntu.
 +
Before her first connection, she creates a shell script:
 +
<ol><li>She sets up a [[UbuntuHelp:DynamicDNS|dynamic DNS]] address for her desktop computer: ''rebeccas-pc.dyndns.org''
 +
</li><li>From her laptop, she goes to ''Applications > Accessories > Text Editor''
 +
</li><li>In ''Text Editor'', she types in the following shell script:</li></ol>
 +
 
 
<pre><nowiki>
 
<pre><nowiki>
ssh -f -L 5900:localhost:5900 <your-name>@<your-computer> \
+
#!sh
 +
#!/bin/sh
 +
 
 +
ssh -f -L 5900:localhost:5900 rebecca@rebeccas-pc.dyndns.org \
 
x11vnc -safer -localhost -nopw -once -display :0 \
 
x11vnc -safer -localhost -nopw -once -display :0 \
 
&& sleep 5 \
 
&& sleep 5 \
 
&& vncviewer localhost:0
 
&& vncviewer localhost:0
 
</nowiki></pre>
 
</nowiki></pre>
If the above VNC connection is terribly slow, then you may need to enable a compression mechanism, e.g., <code><nowiki>vncviewer -encodings "tight" localhost:0</nowiki></code>.  Alternatively, if your VNC viewer supports the "-via" option (e.g., xtightvncviewer does so) then you need neither manual port-forwarding nor manual settings for compressionInstead, you SSH into the remote computer, start the VNC server with <code><nowiki>x11vnc -safer -localhost -nopw -once -display :0</nowiki></code> and, again on your client machine, start the client with the following command line:
+
<ol><li>In ''Text Editor'', she saves the script to her Desktop as ''Connect to rebeccas-pc.sh''
<pre><nowiki>
+
</li><li>From her laptop, she right-clicks on the desktop icon she's created, and clicks ''Properties''
vncviewer -via <your-name>@<your-computer> localhost:0
+
</li><li>From the ''Properties'' window, she clicks ''Permissions'', then ''Allow executing file as program''
</nowiki></pre>
+
</li><li>From the ''properties'' window, she clicks ''Close''</li></ol>
In Ubuntu, the ''vncviewer'' command will run whichever VNC client you have installed.
+
 
 +
Then each time she connects to her desktop PC, she double-clicks on ''Connect to rebeccas-pc.sh'', and waits about 5 seconds.
 +
==== Logging in from a Windows PC ====
 +
Simon wants to connect to his Ubuntu PC from his work computer, running WindowsHe has installed [http://www.chiark.greenend.org.uk/~sgtatham/putty/ PuTTY] and [http://www.tightvnc.com/ TightVNC Viewer] on his work computer.
 +
Before his first connection, he sets up PuTTY:
 +
<ol><li>From his home computer, he visits [http://whatismyip.com/ www.whatismyip.com], and finds that his computer's IP address is 1.2.3.4
 +
</li><li>From his work computer, he runs PuTTY.
 +
</li><li>In the PuTTY configuration window, he goes to ''Connection > SSH > Tunnels''
 +
</li><li>In the ''Tunnels'' section of PuTTY, he types ''5900'' for ''Source port'', ''localhost:5900'' for ''Destination'', then clicks ''Add''
 +
</li><li>He goes back to the ''Session'' section of the PuTTY configuration window
 +
</li><li>He types ''[email protected]'' for ''Host Name (or IP address)'', and clicks ''SSH''
 +
</li><li>He types ''Home'' for ''Saved Sessions'' and clicks ''Save''</li></ol>
 +
 
 +
Then each time he connects to his home PC, he does this:
 +
<ol><li>From his work computer, he runs PuTTY
 +
</li><li>From PuTTY, he clicks the ''Home'' saved session, then clicks ''Open''
 +
</li><li>In the PuTTY window, he types his password and presses ''Return''
 +
</li><li>In the PuTTY window, he types `x11vnc -safer -localhost -nopw -once -display :0` and presses ''Return''
 +
</li><li>From his work computer, he runs TightVNC Viewer
 +
</li><li>In TightVNC Viewer, he types ''localhost::5900'' for ''VNC server'' and presses Connect.</li></ol>
 +
 
 +
<<Anchor(accessing-family-pc)>>
 
=== Accessing a family PC over the Internet ===
 
=== Accessing a family PC over the Internet ===
 
Accessing a family PC is a similar problem to accessing your own PC, except that the VNC server needs more security privileges in order to show your login screen.
 
Accessing a family PC is a similar problem to accessing your own PC, except that the VNC server needs more security privileges in order to show your login screen.
 
First, make sure that you can [[UbuntuHelp:[accessing-your-pc|access your own desktop after logging in]]] - once you've logged in, accessing a shared PC is no different to accessing your own PC.
 
First, make sure that you can [[UbuntuHelp:[accessing-your-pc|access your own desktop after logging in]]] - once you've logged in, accessing a shared PC is no different to accessing your own PC.
Second, follow the instructions to [[UbuntuHelp:[x11vnc-before-login|get x11vnc working before you log in]]]. After this step, you should start the VNC server on the family PC with superuser privileges:
+
Second, follow the instructions to [[UbuntuHelp:VNC/Servers#x11vnc-before-login|get x11vnc working before you log in]].
 +
Finally, go through the procedure to [[UbuntuHelp:[accessing-your-pc|access your own desktop after logging in]]], but instead of running the command `x11vnc -safer -localhost -nopw -once -display :0`, use  `sudo x11vnc -safer -localhost -nopw -once -auth /var/lib/gdm/:0.Xauth -display :0`.
 +
If the computer you'll log in from is an Ubuntu PC, you could do:
 
<pre><nowiki>
 
<pre><nowiki>
ssh -L 5900:localhost:5900 <your-name>@<your-computer>
+
ssh -L 5900:localhost:5900 <your-name>@<your-computer> \
sudo x11vnc -safer -localhost -nopw -once -auth /var/lib/gdm/:0.Xauth -display :0
+
sudo x11vnc -safer -localhost -nopw -once \
 +
            -auth /var/lib/gdm/:0.Xauth -display :0 \
 +
; bg \
 +
&& vncviewer localhost:0
 
</nowiki></pre>
 
</nowiki></pre>
Then connect your VNC client in the same way you did before.
+
After you log in, you will be asked to type your password.  Once you've typed your password in, you should press ctrl-Z to continue.
 
== Further information ==
 
== Further information ==
 
Remote desktop solutions are a broad and complex topic.  The following links provide more detail about the technologies involved:
 
Remote desktop solutions are a broad and complex topic.  The following links provide more detail about the technologies involved:
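Review bot: In the script added under "Logging in from another Ubuntu PC", `#!sh` sits directly above `#!/bin/sh`, so a reader who copies the block gets `#!sh` as line 1 of the saved file, and that line, not `#!/bin/sh`, is the one treated as the interpreter line. It reads like a syntax-highlighting directive carried over from the source wiki; drop it so the script starts with `#!/bin/sh`. The same script also relies on a fixed `sleep 5` between starting x11vnc and launching `vncviewer`; a sentence telling the reader to lengthen the delay if the viewer starts before the server is listening would help.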
第221行: 第136行:
 
* [[UbuntuHelp:WikiPedia:Remote_Desktop_Protocol|The Remote Desktop Protocol]] is a similar protocol, popular in Windows
 
* [[UbuntuHelp:WikiPedia:Remote_Desktop_Protocol|The Remote Desktop Protocol]] is a similar protocol, popular in Windows
 
* [[UbuntuHelp:WikiPedia:NX_technology|The NX Protocol]] is another similar protocol
 
* [[UbuntuHelp:WikiPedia:NX_technology|The NX Protocol]] is another similar protocol
* [[UbuntuHelp:WikiPedia:X_display_manager|The XDMCP protocol]] also enables remote login
+
* [[UbuntuHelp:WikiPedia:XDMCP|XDMCP]] is a protocol which also enables remote login
 
* [http://tldp.org/HOWTO/XDMCP-HOWTO/ The XDMCP How-to] and two Ubuntu [http://ubuntuforums.org/showpost.php?p=5229232&postcount=458 forum] [http://ubuntuforums.org/showpost.php?p=4963842&postcount=1 posts] give explanations about how to use XDMCP
 
* [http://tldp.org/HOWTO/XDMCP-HOWTO/ The XDMCP How-to] and two Ubuntu [http://ubuntuforums.org/showpost.php?p=5229232&postcount=458 forum] [http://ubuntuforums.org/showpost.php?p=4963842&postcount=1 posts] give explanations about how to use XDMCP
 
* [[UbuntuHelp:DynamicDNS|DynamicDNS]] is a way to obtain a stable DNS name even if your IP changes dynamically
 
* [[UbuntuHelp:DynamicDNS|DynamicDNS]] is a way to obtain a stable DNS name even if your IP changes dynamically
第227行: 第142行:
 
* [[UbuntuHelp:Xen|Xen]] is a way of running a virtual machine in Linux
 
* [[UbuntuHelp:Xen|Xen]] is a way of running a virtual machine in Linux
 
* [[UbuntuHelp:WikiPedia:Wake-on-LAN||Wake-on-LAN]] is a way of powering a computer on over a network or the Internet.
 
* [[UbuntuHelp:WikiPedia:Wake-on-LAN||Wake-on-LAN]] is a way of powering a computer on over a network or the Internet.
 +
* [http://ubuntuguide.org/wiki/Ubuntu:Karmic#Remote_Access Ubuntuguide Remote Access] -- clear, concise, up-to-date information about VNC, XDMCP, SSH, and the alternatives
 
[[category:CategoryNetworking]] [[category:CategoryInternet]]
 
[[category:CategoryNetworking]] [[category:CategoryInternet]]
  
 
[[category:UbuntuHelp]]
 
[[category:UbuntuHelp]]

Latest revision as of 00:47, 20 May 2010 (Thursday)

VNC is a protocol that allows a desktop to be viewed and controlled remotely over the Internet. To use VNC, a VNC server must be run on the computer sharing the desktop, and a VNC client must be run on the computer that will access the shared desktop.

Common uses

The two most common uses for VNC are to control your own desktop from another computer and to let other people view/control your desktop while you're sitting at it.

Helping someone via VNC over the Internet

A common usage scenario is helping another Ubuntu user over the internet via screen sharing. The problem usually is that the user you want to help is behind a NAT / firewall. There is however a simple solution available if:

  • You are directly connected to the internet
  • OR
  • You have control over your NAT device and can set-up a port forwarding

The solution is to use reverse VNC to solve the NAT problems. Usually you have to establish a connection to the computer you would like to control. Reverse VNC does the opposite. You open a port where your vncviewer listens and the computer you would like to control connects to your computer. The security risks involved are that the content of the other user's computer screen is transmitted unencrypted over the internet. Here are the steps to make it work:

  1. Install a VNC viewer on your machine (follow the steps below). Tested with the `xvnc4viewer` package.
  2. If you are not directly connected to the internet, set-up port-forwarding on your router for port 5500 to your PC.
  3. Make sure your firewall does not block port 5500 (see below)
  4. Find out your public IP address, for example by visiting [1]
  5. Start vnc in listen mode on your computer: `vncviewer -listen` (using Alt-F2 or via the shell)
  6. Ask the user you are trying to help to install the x11vnc package.
  7. Ask the user to execute `x11vnc -connect YOURIPADDRESS` using Alt-F2 or via the shell

You can find more information on the Ubuntu forums

Accessing your desktop over the Internet

Although VNC has some optional security features, you should not run VNC directly over an untrusted network like the Internet. Instead, you should set an SSH server up as discussed in the SSH guide and configure a VNC server that you can start in so-called once mode. When you have set up your SSH and VNC servers, you can use SSH to log in to your computer over the Internet, start your VNC server, and use port-forwarding to securely access the VNC server.

Let other people view your desktop

If a small group of people regularly want to access your desktop, the best solution might be to set up an SSH server, then add their public keys to your authorized_keys file, with very limited rights. As discussed in the SSH guide, you can limit the SSH features that each public key can use - typically, a user that should only have VNC access would have a line like the following in authorized_keys:

command="/bin/sleep 4294967295",no-agent-forwarding,no-pty,no-user-rc,no-X11-forwarding,permitopen="localhost:5900" <public key>

This will allow the specified person to log in to your computer using your username and their public key instead of your password. The long list of no-xyz statements disallows them from doing just about anything except connect to a VNC server.

Because the Internet is a high speed public network, an attacker anywhere in the world could connect to an unsecured VNC server and start guessing passwords at a rate of thousands per minute. Even if they couldn't guess your password, they could snoop on the VNC session much like someone in an Internet cafe might peer over your shoulder.

If securing your connection is not an option, it's possible to provide an unsecured VNC connection with a fairly low risk of disaster, so long as you follow three basic safety precautions:

  • only allow the other person to view your desktop, not to control it
  • tell your VNC server to request permission before allowing anyone to see your desktop
  • don't do anything that you wouldn't do in an Internet cafe

If you're not comfortable with the risks, and the secure options discussed above aren't appropriate, you might be able to take screenshots instead, and send them to the other person.

Whichever of the above techniques you use, you might find that you can connect to your VNC server from computers on your local network, but that other people can't connect to your server over the Internet. If that happens, you might need to reconfigure your router.

An application called Remote Help Assistant is being developed to help smooth the setup of remote connections, and needs unskilled volunteers to help test new versions.
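To check that keys granted to other people really carry the restrictions described for authorized_keys above, the following is an added example, not part of the original page. The function names `audit_vnc_keys` and `sample_keys` are hypothetical, and the sample entries (including one whose options are separated by colons instead of the commas sshd expects) are constructed with placeholder key blobs.

```shell
#!/bin/sh
# Added example (not from the original page): audit authorized_keys entries
# that are meant to grant VNC-only access through an SSH tunnel.

# audit_vnc_keys [FILE...]: reads authorized_keys text (stdin if no FILE),
# prints one verdict per key line, returns non-zero if any entry is not OK.
audit_vnc_keys() {
    awk '
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    {
        line = $0; sub(/^[ \t]+/, "", line)
        # A line that starts with a key type carries no options at all.
        if (line ~ /^(ssh-|ecdsa-|sk-)/) {
            print NR ": UNRESTRICTED (no options)"; rc = 1; next
        }
        # Walk the option field: it ends at the first space outside quotes,
        # and options are separated by commas outside quotes.
        split("", seen); inq = 0; cur = ""
        for (i = 1; i <= length(line); i++) {
            c = substr(line, i, 1)
            if (inq && c == "\\") { cur = cur c substr(line, i + 1, 1); i++; continue }
            if (c == "\"") inq = !inq
            else if (!inq && (c == " " || c == "\t")) break
            else if (!inq && c == ",") { seen[tolower(cur)] = 1; cur = ""; continue }
            cur = cur c
        }
        seen[tolower(cur)] = 1                   # option names are case-insensitive

        miss = ""; bad = ""; hascmd = 0; fwd = 0
        n = split("no-pty no-agent-forwarding no-x11-forwarding no-user-rc", req, " ")
        for (j = 1; j <= n; j++) if (!(req[j] in seen)) miss = miss " " req[j]
        for (o in seen) {
            if (o ~ /^command="/) hascmd = 1
            if (o ~ /^permitopen=/) {
                if (o == "permitopen=\"localhost:5900\"") fwd = 1
                else bad = bad " " o
            }
        }
        if (!hascmd) miss = miss " command="
        if (!fwd) miss = miss " permitopen=\"localhost:5900\""
        if (miss == "" && bad == "") { print NR ": OK"; next }
        why = ""
        if (miss != "") why = why " missing:" miss
        if (bad != "") why = why " unexpected:" bad
        print NR ": WEAK" why; rc = 1
    }
    END { exit rc + 0 }
    ' "$@"
}

# Constructed sample entries; the key blobs are placeholders, not real keys.
sample_keys() {
    cat <<'EOF'
command="/bin/sleep 4294967295",no-agent-forwarding,no-pty,no-user-rc,no-X11-forwarding,permitopen="localhost:5900" ssh-ed25519 AAAAC3constructedkey1 alice@example
ssh-ed25519 AAAAC3constructedkey2 bob@example
command="/bin/sleep 4294967295":no-agent-forwarding:no-pty:no-user-rc:no-X11-forwarding:permitopen="localhost:5900" ssh-ed25519 AAAAC3constructedkey3 carol@example
command="/bin/sleep 4294967295",no-agent-forwarding,no-pty,no-user-rc,no-X11-forwarding,permitopen="localhost:5900",permitopen="localhost:22" ssh-ed25519 AAAAC3constructedkey4 dave@example
EOF
}

sample_keys | audit_vnc_keys || true
```

On a real system, run `audit_vnc_keys ~/.ssh/authorized_keys`; your own unrestricted key will be reported as UNRESTRICTED, which is expected for the account owner.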

SSH port-forwarding

SSH has a feature called local port forwarding. Among many other things, this lets you securely connect to a computer over the Internet, then access that computer's VNC server over the secure connection. Using the command-line SSH client that comes with Ubuntu, you would normally do something like the following:

ssh -L 5900:localhost:5900 joe@laptop

This would log in to Joe's laptop and forward his shared desktop to your computer. You could then start your VNC client and connect to port 5900 on your computer to see his shared desktop. This is covered in more detail on the SSH port forwarding page.

VNC Software

To view a desktop remotely, you need a VNC server to share the desktop, and a VNC client to view the shared desktop. There are many VNC Servers and VNC Clients for every operating system.

Guide to example scenarios

This section discusses some situations where you would want to use VNC, and how to set a server up for that situation. The first scenario, Accessing your desktop over the internet, describes how to set VNC up for a computer that logs in automatically as soon as it starts up. As accessing a shared login screen requires more security privileges than accessing your personal desktop, the second scenario, Accessing a family PC over the Internet, describes the extra steps you need to take in order to access your computer before you've logged in.

Accessing your PC over the Internet

This section describes how to connect to your own desktop computer from somewhere else on the Internet. See below for instructions about logging in to a shared computer. To set your VNC server up, follow these steps. You should only need to do this once:

  1. Install the x11vnc and openssh-server packages on your PC (click here to install x11vnc and openssh-server)
  2. If you have previously reconfigured the firewall on your PC, make sure the firewall allows incoming connections on port `22` from anywhere, and on port `5900` from `localhost` (also known as `127.0.0.1`)
  3. If your PC is behind a home router, or any other device that uses NAT, configure your router to send connection attempts on port `22` (but not port `5900`) to your PC
  4. Choose an SSH client for the computer you'll log in from, and create a public key for that computer
  5. In a text editor on your PC, open the file `<home>/.ssh/authorized_keys`, then add the public key you just created to the bottom of the file

Each time you want to connect to your PC, follow these steps:

  1. Find your PC's public name or IP address. Unless your PC has been assigned a memorable name, the easiest way to do this is to go to whatismyip.com from your PC. You can assign your PC a name by getting one from a dynamic DNS provider
  2. Start the SSH client on the computer you'll log in from.
  3. Tell the SSH client to use local port-forwarding to connect port 5,900 on your desktop to port 5,900 on localhost.
  4. Via the SSH client, run the command `x11vnc -safer -localhost -nopw -once -display :0` on the computer whose desktop you will view.
  5. Tell the SSH client to connect to your PC (in case it's not already connected).
  6. Start a VNC client on the computer you'll log in from, and tell the VNC client to connect to port 5,900 on `localhost`.

If you have a dial-up Internet connection, your IP address will change every time you connect to the Internet. If you have a broadband Internet connection, your address will probably only change once every few months - usually right around the day you forget to check your address.

If the VNC connection is terribly slow, then you may want to try compressing the session using `vncviewer -encodings "tight" localhost:0` instead of `vncviewer localhost:0`.

Exactly how to perform the above steps depends on the SSH client you use. Here are some examples.

Logging in from another Ubuntu PC

Rebecca wants to connect to her Ubuntu desktop from her Ubuntu laptop. She is using the standard software that comes with Ubuntu. Before her first connection, she creates a shell script:

  1. She sets up a dynamic DNS address for her desktop computer: rebeccas-pc.dyndns.org
  2. From her laptop, she goes to Applications > Accessories > Text Editor
  3. In Text Editor, she types in the following shell script:
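#!/bin/sh
# Open the SSH tunnel (local port 5900 -> port 5900 on the desktop), start a
# one-shot x11vnc there, give it 5 seconds to come up, then launch the viewer.

ssh -f -L 5900:localhost:5900 rebecca@rebeccas-pc.dyndns.org \
	x11vnc -safer -localhost -nopw -once -display :0 \
	&& sleep 5 \
	&& vncviewer localhost:0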
  1. In Text Editor, she saves the script to her Desktop as Connect to rebeccas-pc.sh
  2. From her laptop, she right-clicks on the desktop icon she's created, and clicks Properties
  3. From the Properties window, she clicks Permissions, then Allow executing file as program
  4. From the properties window, she clicks Close

Then each time she connects to her desktop PC, she double-clicks on Connect to rebeccas-pc.sh, and waits about 5 seconds.

Logging in from a Windows PC

Simon wants to connect to his Ubuntu PC from his work computer, running Windows. He has installed PuTTY and TightVNC Viewer on his work computer. Before his first connection, he sets up PuTTY:

  1. From his home computer, he visits www.whatismyip.com, and finds that his computer's IP address is 1.2.3.4
  2. From his work computer, he runs PuTTY.
  3. In the PuTTY configuration window, he goes to Connection > SSH > Tunnels
  4. In the Tunnels section of PuTTY, he types 5900 for Source port, localhost:5900 for Destination, then clicks Add
  5. He goes back to the Session section of the PuTTY configuration window
  6. He types [email protected] for Host Name (or IP address), and clicks SSH
  7. He types Home for Saved Sessions and clicks Save

Then each time he connects to his home PC, he does this:

  1. From his work computer, he runs PuTTY
  2. From PuTTY, he clicks the Home saved session, then clicks Open
  3. In the PuTTY window, he types his password and presses Return
  4. In the PuTTY window, he types `x11vnc -safer -localhost -nopw -once -display :0` and presses Return
  5. From his work computer, he runs TightVNC Viewer
  6. In TightVNC Viewer, he types localhost::5900 for VNC server and presses Connect.

Accessing a family PC over the Internet

Accessing a family PC is a similar problem to accessing your own PC, except that the VNC server needs more security privileges in order to show your login screen.

First, make sure that you can access your own desktop after logging in - once you've logged in, accessing a shared PC is no different to accessing your own PC.

Second, follow the instructions to get x11vnc working before you log in.

Finally, go through the procedure to access your own desktop after logging in, but instead of running the command `x11vnc -safer -localhost -nopw -once -display :0`, use `sudo x11vnc -safer -localhost -nopw -once -auth /var/lib/gdm/:0.Xauth -display :0`.

If the computer you'll log in from is an Ubuntu PC, you could do:

ssh -L 5900:localhost:5900 <your-name>@<your-computer> \
	sudo x11vnc -safer -localhost -nopw -once \
	            -auth /var/lib/gdm/:0.Xauth -display :0 \
	; bg \
	&& vncviewer localhost:0

After you log in, you will be asked to type your password. Once you've typed your password in, you should press ctrl-Z to continue.

Further information

Remote desktop solutions are a broad and complex topic. The following links provide more detail about the technologies involved: