Differences between revisions of “UbuntuHelp:VNC”

 
(5 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
{{From|https://help.ubuntu.com/community/VNC}}
 
{{From|https://help.ubuntu.com/community/VNC}}
 
{{Languages|UbuntuHelp:VNC}}
 
{{Languages|UbuntuHelp:VNC}}
Virtual Network Computing (VNC) allows a computer to be seen and accessed remotely from other computers, who can see the screen and control the system using the keyboard and mouse.
+
VNC is a protocol that allows a desktop to be viewed and controlled remotely over the Internet.  To use VNC, a [[UbuntuHelp:VNC/Servers|VNC server]] must be run on the computer sharing the desktop, and a [[UbuntuHelp:VNC/Clients|VNC client]] must be run on the computer that will access the shared desktop.
VNC is useful for remote technical support or remote access to personal/work computers.
+
== Common uses ==
<u>tip</u>: If you need to access a Mac remotely, read [[UbuntuWiki:AppleRemoteDesktop|Apple Remote Desktop]] instead.
+
The two most common uses for VNC are to control your own desktop from another computer and to let other people view/control your desktop while you're sitting at it.
== Terminology ==
+
=== Helping someone via VNC over the Internet ===
VNC Server = the computer you will connect to (log onto remotely).
+
A common usage scenario is helping another Ubuntu user over the internet via screen sharing. The problem usually is that the user you want to help is behind a NAT / firewall. There is however a simple solution available if:
VNC Client = the computer you will connect with (use to log on to a server).
+
* You are directly connected to the internet
With the default vnc server (vino) or x11vnc you will log into a shared desktop. With tightvnc server or with configuration of GDM you will have a separate session.
+
* OR
*If you are logging into a shared desktop you will not be able to connect if there is no user logged into the system.
+
* You have control over your NAT device and can set-up a port forwarding
*With a separate session you can log in even if either no one is logged into the server, or even if X is not running on the server at all.
+
The solution is to use ''reverse VNC'' to solve the NAT problems. Usually you have to establish a connection to the computer you would like to control. Reverse VNC does the opposite. You open a port where your vncviewer listens and the computer you would like to control connects to your computer.
Just a quick note about terminology. X sessions or desktops are numbered starting with 0 and is referred to on the command line as :0.
+
The security risks involved are that the content of the other user's computer screen is transmitted unencrypted over the internet.
*So the desktop you have when you first log in can be referred to as
+
Here are the steps to make it work:
*localhost:0
+
<ol><li>Install a VNC viewer on your machine (follow the steps below). Tested with the ``xvnc4viewer`` package.
*172.0.0.1:0
+
</li><li>If you are not directly connected to the internet, [[UbuntuHelp:ServersBehindNAT|set-up port-forwarding]] on your router for port 5500 to your PC.
*Your lan ip (ie 192.168.1.25:0)
+
</li><li>Make sure your firewall does not block port 5500 (see below)
*Your internet IP (128.220.223.246:0)
+
</li><li>Find out your public IP address, for example by visiting [http://www.whatismyip.com/]
Not to be confused with ports. Servers listen on your computer via ports and vnc connections uses 5900 + by default. So the first vnc session is port 5900. The second vnc server will use 5901.
+
</li><li>Start vnc in listen mode on your computer: `vncviewer -listen` (using Alt-F2 or via the shell)
*The default ports can of course be changed.
+
</li><li>Ask the user you are trying to help to install the ''x11vnc'' package.
When you activate your vnc server via System -> Preferences -> Remote Desktop and tic off the "Allow other users to view your desktop" you are :
+
</li><li>Ask the user to execute `x11vnc -connect YOURIPADDRESS` using Alt-F2 or via the shell</li></ol>
*Activating a server on your desktop which allows others to connect to your desktop (see "security issues" below).
+
*Your vnc server is listening for connections on your ip:5900 (ie 192.168.1.25:5900) or your internet IP :5900 (ie 128.220.223.246:5900).
+
When you start a new vnc server with tightvncsserver (see below) this second session starts on :1
+
*So the second vnc session is on localhost:1 (192.168.1.25:1 and on ...)
+
*And the port is :5901 (localhost:5901 or 192.168.1.25:5901)
+
When you connect to a vnc server you will use the server ip address and :0 or :1 to refer to the vnc session and 192.168.1.25:5900 or 192.168.1.25:5901 for configuration of routers/firewalls.
+
==== General Security ====
+
'''Security issues'''
+
By default Ubuntu will allow all connections so at a minimum set a password when you activate Remote desktop. Without one people can watch your desktop from your LAN ''without any password''.
+
So if you are connected directly to the internet, without a router, if you do not set a password, anyone can access your computer.
+
You may also consider:
+
*Purchasing a router.
+
*Create a user(s) specifically for vnc sessions ''without admin (sudo) access''.
+
*Either logging out or '''locking your desktop''' if not in use (System -> Preferences -> Screensaver tic off the "Lock screen when screensaver is active"). If you screen is locked your log in password will be required to unlock the screen.
+
**Kde Configure Desktop -> screen Saver tab -> tic off the "Require password to stop." option.
+
*Installing firestarter to help configure your firewall.
+
*Using ssh to log into vnc sessions [[UbuntuHelp:VNCOverSSH|VNC over SSH]]
+
== Enabling VNC connections ~ Server setup ==
+
To allow other computers to access your desktop sessions, when your logged in, perform the following steps. Note: This is like MS Remote Assistance and only works when your are logged into the computer sharing that instance of your Xserv. See below for creating Xservs on the fly and allowing multiple loggings and XDM/GDM.
+
=== Using the default vnc servers ===
+
==== using GNOME / Ubuntu (vino) ====
+
'''System''' > '''Preferences''' > '''Remote Desktop'''
+
'Check' the first two boxes to activate the service:
+
'''Allow other users to view your desktop''' (view only)
+
'''Allow other users to control your desktop''' (view & control).
+
Below you can set security.  The two options are:
+
'''Ask you for confirmation''' (ie; someone at the machine must click '''OK''' to grant remote access.  This will be a problem if you plan on accessing your home machine from work or visa versa, as no one may be there to grant you access.)
+
'''Require the user to enter this password:'''
+
This will require a password from anyone trying to remotely connect to your machine.  This is '''ALWAYS''' a good idea.
+
==== using KDE / Kubuntu ====
+
'''System Settings''' > '''Sharing''' > '''Desktop Sharing ''' > '''Create & Manage Invitations ...'''
+
Choose 'New Personal Invitation...' (you give the invitation by whichever means you prefer (Email, Instant Messaging, Written-Down Note) or 'New Email Invitation...'. The newly created invitation will last a default of 1 hour.
+
<u>tip</u> If you don't see this option ensure that the package 'krfb' (Desktop Sharing for KDE) is installed. Sometimes it is installed but doesn't appear on the menu. If it is installed, type Alt-F2 and enter krfb or type it in the Konsole. You can manually add menu entries by righ clicking the KDE menu icon.
+
==== using XFCE / Xubuntu ====
+
There is not vnc server installed by default in Xubuntu. The default gnome vnc server is ''vino'' and you can install this package, X11vnc, or tightvncserver.
+
=== VNC Server with Login Screen via GDM ===
+
This method is somewhat more complicated, but when connecting this way you get a login prompt and begin a new session.  This also works when no user is logged in and allows multiple parallel  loggings.
+
'''Step 1'''
+
Append the following line to /etc/services
+
<pre><nowiki>$> gksudo gedit /etc/services
+
  
vnc            5901/tcp                        # VNC with GDM
+
You can find more information on the [http://ubuntuforums.org/showthread.php?t=299489 Ubuntu forums]
</nowiki></pre>
+
=== Accessing your desktop over the Internet ===
'''Step 2'''
+
Although VNC has some optional security features, you should not run VNC directly over an untrusted network like the Internet. Instead, you should set an SSH server up as discussed in the [[UbuntuHelp:SSH|SSH guide]] and configure a VNC server that you can start in so-called '''once mode'''.  When you have set up your SSH and VNC servers, you can use SSH to log in to your computer over the Internet, start your VNC server, and use [[UbuntuHelp:[port-forwarding|port-forwarding]]] to securely access the VNC server.
Create the following file /etc/xinetd.d/vnc
+
<<Anchor(let-other-people)>>
<pre><nowiki>$> sudo pico /etc/xinetd.d/vnc
+
=== Let other people view your desktop ===
 
+
If a small group of people regularly want to access your desktop, the best solution might be to [[UbuntuHelp:SSH|set up an SSH server]], then add their public keys to your '''authorized_keys''' file, with very limited rights. As [[UbuntuHelp:SSH/OpenSSH/Keys#keys-with-specific-commands|discussed]] in the SSH guide, you can limit the SSH features that each public key can use - typically, a user that should only have VNC access would have a line like the following in '''authorized_keys''':
service vnc
+
{
+
        disable = no
+
        socket_type = stream
+
        protocol = tcp
+
        wait = no
+
        user = nobody
+
        server = /usr/bin/Xvnc
+
        server_args = -inetd :1 -query localhost -broadcast -once -fp /usr/share/X11/fonts/misc/ -securitytypes=none -desktop=vnc://MyDesktop/
+
}
+
</nowiki></pre>
+
*Note: In 6.10 the default fount's were not found. The -fp /usr/share/X11/fonts/misc/ line should resolve this error.
+
*Note: -desktop=vnc://MyDesktop/ is the title that appears to the user when connecting.
+
*Note: -query localhost is optional, it may fix a problem when clients get "connection unexpectedly closed"
+
'''Step 3'''
+
Enable XDMCP in your login configuration to allow remote logins to GDM (the gnome login screen).
+
Edit /etc/gdm/gdm.conf
+
<pre><nowiki>$> sudo pico /etc/gdm/gdm.conf
+
</nowiki></pre>
+
find the section [xdmcp] and set the enable to true:
+
 
<pre><nowiki>
 
<pre><nowiki>
[xdmcp]
+
command="/bin/sleep 4294967295":no-agent-forwarding:no-pty:no-user-rc:no-X11-forwarding:permitopen="localhost:5900" <public key>
....
+
Enable=true
+
 
</nowiki></pre>
 
</nowiki></pre>
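Review bot: the added authorized_keys example separates its options with colons (`command="/bin/sleep 4294967295":no-agent-forwarding:no-pty:no-user-rc:no-X11-forwarding:permitopen="localhost:5900"`), but sshd expects the options in front of a key to be separated by commas. As written the line would not be parsed as the list of restrictions that the following paragraph describes. Replace each colon between options with a comma and keep only the colon inside `permitopen="localhost:5900"`. It would also help to say that `permitopen` is what limits the key to forwarding port 5900, since the paragraph only mentions the ''no-xyz'' options.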
uncomment this line:
+
This will allow the specified person to log in to your computer using your username and their public key instead of your password.  The long list of ''no-xyz'' statements disallow them from doing just about anything except connect to a VNC server.
 +
Because the Internet is a high speed public network, an attacker anywhere in the world could connect to an unsecured VNC server and start guessing passwords at a rate of thousands per minute.  Even if they couldn't guess your password, they could snoop on the VNC session much like someone in an Internet cafe might peer over your shoulder.  If securing your connection is not an option, it's possible to provide an unsecured VNC connection with a fairly low risk of disaster, so long as you follow three basic safety precautions:
 +
* only allow the other person to view your desktop, '''not''' to control it
 +
* tell your VNC server to request permission before allowing anyone to see your desktop
 +
* don't do anything that you wouldn't do in an Internet cafe
 +
If you're not comfortable with the risks, and the secure options discussed above aren't appropriate, you might be able to [[UbuntuWiki:TakingScreenshots|take screenshots]] instead, and send them to the other person.
 +
Whichever of the above techniques you use, you might find that you can connect to your VNC server from computers on your local network, but that other people can't connect to your server over the Internet.  If that happens, you might need to [[UbuntuHelp:ServersBehindNAT|reconfigure your router]].
 +
An application called [https://launchpad.net/remote-help-assistant Remote Help Assistant] is being developed to help smooth the setup of remote connections, and needs unskilled volunteers to help test new versions.
 +
<<Anchor(port-forwarding)>>
 +
=== SSH port-forwarding ===
 +
SSH has a feature called [[UbuntuHelp:SSH/OpenSSH/PortForwarding|local port forwarding]].  Among many other things, this lets you securely connect to a computer over the Internet, then access that computer's VNC server over the secure connection.  Using the command-line SSH client that comes with Ubuntu, you would normally do something like the following:
 
<pre><nowiki>
 
<pre><nowiki>
RemoteGreeter=/usr/lib/gdm/gdmlogin
+
ssh -L 5900:localhost:5900 joe@laptop
 
</nowiki></pre>
 
</nowiki></pre>
'''Step 4'''
+
This would log in to Joe's laptop and forward his shared desktop to your computer. You could then start your VNC client and connect to port 5900 on your computer to see his shared desktop.  This is covered in more detail on the [[UbuntuHelp:SSH/OpenSSH/PortForwarding|SSH port forwarding page]].
Stop and restart Xinetd
+
<<Anchor(vnc-clients)>>
<pre><nowiki>$> sudo /etc/init.d/xinetd restart
+
<pre><nowiki>#!wiki comment
 +
The above anchor was put here long ago, when this page had separate "VNC Servers" and "VNC Clients" sections. I don't know whether anything links to it any more, but I don't see any benefit in deleting it
 
</nowiki></pre>
 
</nowiki></pre>
'''Problems'''
+
== VNC Software ==
*If you cant connect check your router/port forwarding, firewall, or try running the following to start a session without Xinetd to verify Xvnc is working.
+
To view a desktop remotely, you need a VNC server to share the desktop, and a VNC client to view the shared desktopThere are many [[UbuntuHelp:VNC/Servers|VNC Servers]] and [[UbuntuHelp:VNC/Clients|VNC Clients]]for every operating system.
<pre><nowiki>$> Xvnc :1 -fp /usr/share/fonts/X11/misc/
+
<<Anchor(guide)>>
</nowiki></pre>
+
== Guide to example scenarios ==
*Make sure you connect to the proper port, in this case vnc://localhost:5901.  In some clients this is set by choosing display 1.
+
This section discusses some situations where you would want to use VNC, and how to set a server up for that situation.  The first scenario [[UbuntuHelp:[accessing-your-pc| Accessing your desktop over the internet]]] describes how to set VNC up for a computer that logs in automatically as soon as it starts up. As accessing a shared login screen requires more security privileges than accessing your personal desktop, the second scenario [[UbuntuHelp:[accessing-family-pc|Accessing a family PC over the Internet]]]  describes the extra steps you need to take in order to access your computer before you've logged in.
=== Tightvncserver Server with Login Screen Via GDM ===
+
<<Anchor(accessing-your-pc)>>
This method will give you an independent desktop once you log in (ie independent of session started when you logged in via GDM).
+
=== Accessing your PC over the Internet ===
'''Step 1 - Install tightvncserver'''
+
This section describes how to connect to your own desktop computer from somewhere else on the Internet. See below for instructions about logging in to a shared computer.
<pre><nowiki>
+
To set your VNC server up, follow these steps.  You should only need to do this once:
sudo apt-get install vnc-common tightvncserver
+
<ol><li>[[UbuntuHelp:InstallingSoftware|Install]] the ''x11vnc'' and ''openssh-server'' packages on your PC ([[UbuntuHelp:apt:x11vnc,openssh-server|click here to install x11vnc and openssh-server]])
</nowiki></pre>
+
</li><li>If you have previously reconfigured the firewall on your PC, make sure the firewall allows incoming connections on port `22` from anywhere, and on port `5900` from `localhost` (also known as `127.0.0.1`)
'''Step 2 - Edit vncserver script'''
+
</li><li>If your PC is behind a home router, or any other device that uses NAT, [[UbuntuHelp:ServersBehindNAT#Procedure|configure your router]] to send connection attempts on port `22` (but '''not''' port `5900`) to your PC
<pre><nowiki>
+
</li><li>[[UbuntuHelp:SSH/OpenSSH/ConnectingTo|Choose an SSH client]] for the computer you'll log in from, and create a public key for that computer
sudo vim /usr/bin/vncserver
+
</li><li>In a text editor on your PC, open the file ''`<home>`''`/.ssh/authorized_keys`, then add the public key you just created to the bottom of the file</li></ol>
</nowiki></pre>
+
First, you want a valid X11 font path for Xvnc.
+
Add these lines for Feisty/Gutsy (you will see a fonts section with a number of font paths commented out):
+
<pre><nowiki>
+
$fontPath = join ',',qw(
+
/usr/share/fonts/X11/misc
+
/usr/share/fonts/X11/100dpi/:unscaled
+
/usr/share/fonts/X11/75dpi/:unscaled
+
/usr/share/fonts/X11/Type1
+
/usr/share/fonts/X11/100dpi
+
/usr/share/fonts/X11/75dpi
+
);
+
</nowiki></pre>
+
You may add additional font paths as needed.
+
* see [[UbuntuHelp:VNCOverSSH|this link]] for font paths with earlier versions of Ubuntu
+
''Optional:'' Set display size and color depth (make this whatever you want):
+
<pre><nowiki>
+
$geometry = "1280x1024";
+
$depth = 16;
+
</nowiki></pre>
+
''Optional:'' Uncomment the line:
+
<pre><nowiki>
+
$colorPath = "/usr/lib/X11/rgb";
+
</nowiki></pre>
+
Save file and close vim:
+
<pre><nowiki>
+
:wq</nowiki></pre>
+
'''Step 3 - Run vncserver for the first time'''
+
<pre><nowiki>
+
vncserver :1
+
</nowiki></pre>
+
The first time you run the server you will be asked to provide a name and password :
+
<pre><nowiki>
+
ubuntu@ubuntu:~$ vncserver :1
+
  
  You will require a password to access your desktops.
+
Each time you want to connect to your PC, follow these steps:
 +
<ol><li>Find your PC's public name or IP address.  Unless your PC has been assigned a memorable name, the easiest way to do this is to go to [http://whatismyip.com/ whatismyip.com] from your PC. You can assign your PC a name by getting one from a [[UbuntuHelp:DynamicDNS|dynamic DNS]] provider
 +
</li><li>Start the SSH client on the computer you'll log in from.
 +
</li><li>Tell the SSH client to use local port-forwarding to connect port 5,900 on your desktop to port 5,900 on localhost.
 +
</li><li>Via the SSH client, run the command `x11vnc -safer -localhost -nopw -once -display :0` on the computer whose desktop you will view.
 +
</li><li>Tell the SSH client to connect to your PC (in case it's not already connected).
 +
</li><li>Start a VNC client on the computer you'll log in from, and tell the VNC client to connect to port 5,900 on `localhost`.</li></ol>
  
  Password: #Enter your desired password here
+
If you have a dial-up Internet connection, your IP address will change every time you connect to the Internet. If you have a broadband Internet connection, your address will probably only change once every few months - usually right around the day you forget to check your address.
  Verify:   #Confirm Password
+
If the VNC connection is terribly slow, then you may want to try compressing the session using <code><nowiki>vncviewer -encodings "tight" localhost:0</nowiki></code> instead of <code><nowiki>vncviewer localhost:0</nowiki></code>.
 +
Exactly how to perform the above steps depends on the SSH client you use. Here are some examples.
 +
==== Logging in from another Ubuntu PC ====
 +
Rebecca wants to connect to her Ubuntu desktop from her Ubuntu laptop.  She is using the standard software that comes with Ubuntu.
 +
Before her first connection, she creates a shell script:
 +
<ol><li>She sets up a [[UbuntuHelp:DynamicDNS|dynamic DNS]] address for her desktop computer: ''rebeccas-pc.dyndns.org''
 +
</li><li>From her laptop, she goes to ''Applications > Accessories > Text Editor''
 +
</li><li>In ''Text Editor'', she types in the following shell script:</li></ol>
  
New 'X' desktop is ubuntu:1
 
 
Starting applications specified in /etc/X11/Xsession
 
Log file is /home/ubuntu/.vnc/ubuntu:1.log
 
 
ubuntu@ubuntu:~$
 
</nowiki></pre>
 
This will create a new directory in your home directory '''~/.vnc'''
 
* To change you password later use ''vncpasswd''
 
<pre><nowiki>
 
vncpasswd ~/.vnc/passwd
 
</nowiki></pre>
 
'''Step 4 - Edit your VNC startup script'''
 
We may want to edit the VNC (X) startup script in ''~/.vnc/xstartup''
 
You can use these if you like :
 
'''Gnome'''
 
 
<pre><nowiki>
 
<pre><nowiki>
 +
#!sh
 +
#!/bin/sh
  
xrdb $HOME/.Xresources
+
ssh -f -L 5900:localhost:5900 [email protected].org \
xsetroot -solid navy # Choose your color
+
x11vnc -safer -localhost -nopw -once -display :0 \
x-window-manager &
+
&& sleep 5 \
gnome-panel 2> /dev/null &
+
&& vncviewer localhost:0
xterm &
+
 
</nowiki></pre>
 
</nowiki></pre>
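Review bot: the added script block has `#!sh` on the line before `#!/bin/sh`. The page tells the reader to type the script in as shown, so the saved file would begin with `#!sh`, which is what the system reads as the interpreter line, and `sh` there is not an absolute path. It looks like a formatting directive carried over from the source wiki, like the `<<Anchor(...)>>` lines elsewhere in this revision. Drop the `#!sh` line so that `#!/bin/sh` is the first line of the script.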
'''XFCE'''
+
<ol><li>In ''Text Editor'', she saves the script to her Desktop as ''Connect to rebeccas-pc.sh''
<pre><nowiki>
+
</li><li>From her laptop, she right-clicks on the desktop icon she's created, and clicks ''Properties''
 +
</li><li>From the ''Properties'' window, she clicks ''Permissions'', then ''Allow executing file as program''
 +
</li><li>From the ''properties'' window, she clicks ''Close''</li></ol>
  
xrdb $HOME/.Xresources
+
Then each time she connects to her desktop PC, she double-clicks on ''Connect to rebeccas-pc.sh'', and waits about 5 seconds.
xfwm4 2> /dev/null &
+
==== Logging in from a Windows PC ====
xfce4-panel 2> /dev/null &
+
Simon wants to connect to his Ubuntu PC from his work computer, running Windows.  He has installed [http://www.chiark.greenend.org.uk/~sgtatham/putty/ PuTTY] and [http://www.tightvnc.com/ TightVNC Viewer] on his work computer.
xfce4-terminal &
+
Before his first connection, he sets up PuTTY:
</nowiki></pre>
+
<ol><li>From his home computer, he visits [http://whatismyip.com/ www.whatismyip.com], and finds that his computer's IP address is 1.2.3.4
'''KDE'''
+
</li><li>From his work computer, he runs PuTTY.
<pre><nowiki>
+
</li><li>In the PuTTY configuration window, he goes to ''Connection > SSH > Tunnels''
 +
</li><li>In the ''Tunnels'' section of PuTTY, he types ''5900'' for ''Source port'', ''localhost:5900'' for ''Destination'', then clicks ''Add''
 +
</li><li>He goes back to the ''Session'' section of the PuTTY configuration window
 +
</li><li>He types ''[email protected]'' for ''Host Name (or IP address)'', and clicks ''SSH''
 +
</li><li>He types ''Home'' for ''Saved Sessions'' and clicks ''Save''</li></ol>
  
xrdb $HOME/.Xresources
+
Then each time he connects to his home PC, he does this:
xsetroot -solid navy # Choose your color
+
<ol><li>From his work computer, he runs PuTTY
x-terminal-emulator -geometry 80x24+10+1- -ls -title "$VNCDESKTOP Desktop" &
+
</li><li>From PuTTY, he clicks the ''Home'' saved session, then clicks ''Open''
x-window-manager &
+
</li><li>In the PuTTY window, he types his password and presses ''Return''
kicker 2> /dev/null &
+
</li><li>In the PuTTY window, he types `x11vnc -safer -localhost -nopw -once -display :0` and presses ''Return''
</nowiki></pre>
+
</li><li>From his work computer, he runs TightVNC Viewer
'''Step 5 - Restart the VNC server'''
+
</li><li>In TightVNC Viewer, he types ''localhost::5900'' for ''VNC server'' and presses Connect.</li></ol>
<pre><nowiki>
+
killall Xtightvnc
+
vncserver
+
</nowiki></pre>
+
Note that you can vary the screen size, depth, and number when starting '''vncserver''':
+
<pre><nowiki>
+
vncserver -geometry 1288x1024 -depth 24 :3
+
</nowiki></pre>
+
* See vncserver manpage for additional options
+
=== [[UbuntuHelp:FreeNX|FreeNX]] ===
+
See  [[UbuntuHelp:FreeNX| Ubuntu Wiki How to FreeNX]]
+
=== Tunnel VNC through SSH ===
+
If you wish to tunnel over ssh you need to install, setup, and secure the openssh server.
+
*[[UbuntuHelp:SSHHowto| Ubuntu Wiki How to SSH]]
+
*[[UbuntuHelp:AdvancedOpenSSH| Ubuntu Wiki, Advanced SSH (security) settings]]
+
== Enabling VNC connections ~ Client setup ==
+
=== Ubuntu clients ===
+
==== Terminal Server Client ====
+
'''This method works with both the default vino server ''and'' the tightvnc server'''
+
This is the default method in Ubuntu and uses a gui (graphical interface). Use this if you are averse to the command line.
+
Go to Applications -> Internet -> Terminal Server client
+
In the ''General tab'' :
+
*Put the server ip in the "Computer" box (ie 192.168.1.25:0 for the default vino server or 192.168.2.25:1 for a tightvnc server)
+
*Select ''VNC'' from the pull down menu in "Protocol"
+
Hit Connect
+
Enter the password you set on your server.
+
==== VNC Viewer ====
+
This method uses the command line. Open a terminal an enter ''vncviewer'' and you will be asked to enter the ip address and password.
+
If you know the ip address you can use the ip in conjunction, like this :
+
<pre><nowiki>
+
vncviewer 192.168.1.25:0
+
</nowiki></pre>
+
Or if you want to get fancy, copy ~/.vnc/passwd ''from the server to the client'' (saving it in ~/.vnc/passwd on ''both'' the server and client). Now you can connect directly with :
+
<pre><nowiki>
+
vncviewer 192.168.2.25:0 -passwd ~/.vnc/passwd
+
</nowiki></pre>
+
*If you like, you can re-name the ~/.vnc/passwd to any name you like and keep one file for each server (each with a unique name).
+
==== Logging into a Tight VNC server ====
+
If desired you will need to configure your desktop.
+
'''Ubuntu'''
+
I do not know how to set the background image on the tightvnc server, but the gnome panel works.
+
'''XFCE'''
+
Applications -> Settings -> Desktop Settings
+
*Tic off the "Allow Xfce to manage the desktop"
+
'''KDE'''
+
The kicker works fine, as with gnome I could not get set the backgound image.
+
=== Windows Clients ===
+
This method works with Windows 2000 and XP. I am not sure about other versions.
+
Connecting with a windows client is fairly straight forward, all you need to do is download the tight vnc viewer for windows. You then run the viewer and enter the server address and password very similar to connecting from Ubuntu.
+
[http://www.tightvnc.com/download.html Tight VNC viewer for windows]
+
*The tight vnc viewer is available without installation ( tightvnc-1.3.9_x86_viewer.zip "Viewer executable, does not require installation")
+
I have also used [http://www.uvnc.com/download/ Ultra] and [http://www.realvnc.com/download.html Real] vnc viewers
+
*You can set up tight, ultra, or real vnc servers on windows and connect just as easily from ubuntu.
+
== VNC Access over the Internet ==
+
'''Strongly consider''' tunneling over ssh [[UbuntuHelp:VNCOverSSH| VNC Over SSH]] , using a router (rather then connecting your server directly to the internet),  and configuring your firewall [[UbuntuHelp:Firestarter| Firestarter]].
+
The most difficult part of internet access is configuring your router and firewall ...
+
==== Server IP ====
+
The IP address of your VNC server is different on a LAN vs an internet connection. The internet IP address is assigned by your internet provider.
+
* You can check your IP address [http://whatismyip.com/ here] (or elsewhere).
+
The problem can occur if you use DHCP (rather then a static IP address) the internet IP address can change from time to time.
+
The solution is to register at [https://www.dyndns.com/services/dns/dyndns/ dyndns] or other providers. dyndns will provide free service.
+
You can then determine your vnc server address via ping.
+
==== Router ====
+
You must configure your router to forward the ports. The details vary by router.
+
<u>tip</u>: if you are connecting through a router you'll need to forward port 5900 to the machine you need to connect to.  (VNC can use other ports as well.  If you have multiple machines you would like to connect to you can forward 5900 to the first, 5901 to the second, 5902 to the third, etc.)
+
If you are using a non-standard port (ie; other than 5900) you will need to specify the port in the connection command.
+
You can simplify this step some what by tunneling though ssh (which also increases security). See the ssh section below.
+
==== Firewall ====
+
This is very easy to do via firestarter, a gui front end to IP Tables.
+
* Be sure to configure firestarter to allow pings.
+
Open the firestarter gui (Applications -> Internet -> Firestarter)
+
In the "Policy" tab, under the "Allow service" section, right click anywhere in the white space.
+
Select "Add rule"
+
*Under "Port" enter the ports you want to enable (5900 and/or 5901)
+
Allow "Anyone"
+
=== Method 1 ~ Using vncviewer from the command line ===
+
* Using tightvncserver - See the ''Tightvncserver'' section above.
+
*If you are using the default vnc server, vino, for a shared desktop, use 5900 or :0
+
Open a terminal and start vncviewer with this command
+
<pre><nowiki>
+
vncviewer
+
</nowiki></pre>
+
Enter the ip address :1
+
Example:
+
<pre><nowiki>
+
192.168.1.25:1
+
</nowiki></pre>
+
Enter the vnc password
+
=== Method 2 ~ Ubuntu clients ~ Tunnel over ssh directly ===
+
You can use this method with Ubuntu clients.
+
Use the -via flag -via <server_IP> = use ssh authentication.
+
vncviewer -via <server_ip> <name_of_vnc_session>
+
<pre><nowiki>
+
vncviewer -via 192.168.1.25 ubuntu:1
+
</nowiki></pre>
+
Enter ssh password, enter vnc password
+
*You are given the name of the vncserver by tight vnc when you start it up, see the tight vnc server section above
+
=== Method 3 ~ Windows or Ubuntu ~ Tunnel over ssh manually ===
+
This is a quick guide and assumes you have a ssh server set up on the vnc server.
+
See this link for a more detailed description : [[UbuntuHelp:VNCOverSSH|VNC Over SSH]]
+
The trick is to forward the ports over ssh. In this example I will use 5900 , the default path for the defalut VNC server ''vino''. If you use tightvnc you will need to change the forwarded port to 5901.
+
'''Step 1'''
+
Make the ssh connection :
+
<pre><nowiki>
+
ssh -fCNT user@192.168.1.25 -L 5901:127.0.0.1:5901
+
</nowiki></pre>
+
<pre><nowiki>
+
-f = Allows ssh to close after the connection is established.
+
-C = Use Compression
+
-N = No commands will be issued
+
-T = No terminal session will be started
+
  
-L = Port forwarding. The terminology is <server_port>:<client_port> the trick is we are using 127.0.0.1:<port> for the client. 127.0.0.1 must be used (not localhost or the client ip address)
+
<<Anchor(accessing-family-pc)>>
</nowiki></pre>
+
=== Accessing a family PC over the Internet ===
'''Step 2'''
+
Accessing a family PC is a similar problem to accessing your own PC, except that the VNC server needs more security privileges in order to show your login screen.
Make the vnc connection.
+
First, make sure that you can [[UbuntuHelp:[accessing-your-pc|access your own desktop after logging in]]] - once you've logged in, accessing a shared PC is no different to accessing your own PC.
Now we make the vnc connection, but now we use '''localhost:1''' as the server ip.
+
Second, follow the instructions to [[UbuntuHelp:VNC/Servers#x11vnc-before-login|get x11vnc working before you log in]].
<pre><nowiki>
+
Finally, go through the procedure to [[UbuntuHelp:[accessing-your-pc|access your own desktop after logging in]]], but instead of running the command `x11vnc -safer -localhost -nopw -once -display :0`, use  `sudo x11vnc -safer -localhost -nopw -once -auth /var/lib/gdm/:0.Xauth -display :0`.
vncviewer localhost:1
+
If the computer you'll log in from is an Ubuntu PC, you could do:
</nowiki></pre>
+
Enter your password.
+
'''Step 3'''
+
To disconnect, close the vnc viewer, and enter '''killall ssh''' in the terminal.
+
=== Method 4 ~ Via a web browser (firefox for example) ===
+
This does not work with the default vnc server, vino. You will need to install and configure the tight vnc server as above.
+
You will need to enable the commercial repositories on both the server and client (or download the debs) :
+
<pre><nowiki>
+
deb http://archive.canonical.com/ubuntu gutsy commercial
+
deb-src http://archive.canonical.com/ubuntu gutsy commercial
+
</nowiki></pre>
+
==== Server setup ====
+
Install by any means '''vnc-common, tightvncserver, and tightvnc-java'''
+
<pre><nowiki>
+
sudo apt-get install vnc-common tightvncserver tightvnc-java
+
</nowiki></pre>
+
Configure the tight vnc server as above.
+
You will likely want to reduce the resolution as the java applet will run in a firefox window :
+
<pre><nowiki>
+
vncserver -geometry 800x600 -depth 24 :1
+
</nowiki></pre>
+
* If you have a large monitor you may be able to increase the server resolution.
+
The java server will start automatically
+
==== Client setup ====
+
On an Ubuntu client install by any means '''sun-java6-jre and sun-java-6-plugin'''
+
<pre><nowiki>
+
sudo aptitude install sun-java6-jre sun-java-6-plugin
+
</nowiki></pre>
+
Allow java : In Firefox Edit -> Preferences Select the "Content" tab, tic off the "Load images automatically" "Enable JavaScript" and "Enable Java" boxes.
+
==== Connect ====
+
Open Firefox, in the address bar type vnc server ip : 5801
+
Example:
+
 
<pre><nowiki>
 
<pre><nowiki>
192.168.1.25:5801
+
ssh -L 5900:localhost:5900 <your-name>@<your-computer> \
 +
sudo x11vnc -safer -localhost -nopw -once \
 +
            -auth /var/lib/gdm/:0.Xauth -display :0 \
 +
; bg \
 +
&& vncviewer localhost:0
 
</nowiki></pre>
 
</nowiki></pre>
The java applet will start automatically.
+
After you log in, you will be asked to type your password. Once you've typed your password in, you should press ctrl-Z to continue.
If you use NoScript (or other java blockers) you will need to allow 192.168.1.25:5801
+
== Further information ==
Click the connect button.
+
Remote desktop solutions are a broad and complex topic.  The following links provide more detail about the technologies involved:
*If you reload the firefox window you will need to log in again.
+
* [[UbuntuHelp:WikiPedia:Vnc|Wikipedia's VNC page]]
=== Connecting with a Windows XP client ===
+
* [[UbuntuHelp:WikiPedia:Remote_administration|Wikipedia's remote administration page]]
You may use any of the above methods with Windows.
+
* [[UbuntuHelp:WikiPedia:Remote_Desktop_Protocol|The Remote Desktop Protocol]] is a similar protocol, popular in Windows
*VNC - See the windows section above.
+
* [[UbuntuHelp:WikiPedia:NX_technology|The NX Protocol]] is another similar protocol
*SSH - For windows I have used both [http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html Putty] and [http://www.cygwin.com/mirrors.html Cygwin] with success. See here for details [[UbuntuHelp:VNCOverSSH#head-8b36ee1084a8123627a915fe0329534788cb11a7|vnc over ssh Windows clients]]
+
* [[UbuntuHelp:WikiPedia:XDMCP|XDMCP]] is a protocol which also enables remote login
*For firefox just be sure to install java and the java plugins on the windows client.
+
* [http://tldp.org/HOWTO/XDMCP-HOWTO/ The XDMCP How-to] and two Ubuntu [http://ubuntuforums.org/showpost.php?p=5229232&postcount=458 forum] [http://ubuntuforums.org/showpost.php?p=4963842&postcount=1 posts] give explanations about how to use XDMCP
<u>Note</u>: If you tunnel ssh connections on a windows client, you must first ssh method (ie start ssh first, then connect with tightvnc viewer).
+
* [[UbuntuHelp:DynamicDNS|DynamicDNS]] is a way to obtain a stable DNS name even if your IP changes dynamically
<u>Note</u>: Cygwin offers a ssh server so you could potentially tunnel vnc connections from a Windows vnc server.
+
* [[UbuntuHelp:WikiPedia:KVM_switch|KVM switches]] are hardware devices that switch a keyboard, monitor and mouse between two or more computers
[[category:CategoryDocumentation]] [[category:CategoryCleanup]]
+
* [[UbuntuHelp:Xen|Xen]] is a way of running a virtual machine in Linux
 +
* [[UbuntuHelp:WikiPedia:Wake-on-LAN||Wake-on-LAN]] is a way of powering a computer on over a network or the Internet.
 +
* [http://ubuntuguide.org/wiki/Ubuntu:Karmic#Remote_Access Ubuntuguide Remote Access] -- clear, concise, up-to-date information about VNC, XDMCP, SSH, and the alternatives
 +
[[category:CategoryNetworking]] [[category:CategoryInternet]]
  
 
[[category:UbuntuHelp]]
 
[[category:UbuntuHelp]]
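Review bot: in the rewritten "Accessing a family PC over the Internet" section, the `ssh -L 5900:localhost:5900 ... sudo x11vnc ... ; bg && vncviewer localhost:0` example only works if the reader presses ctrl-Z at an interactive shell, and the sentence after it ("you will be asked to type your password") does not say whether that is the SSH login or the sudo prompt. Suggest stating that the line must be typed at a terminal with job control, and naming which password is expected. The `-auth /var/lib/gdm/:0.Xauth` path is also specific to GDM, so a short note to that effect beside the command would save readers on other display managers some debugging.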

Latest revision as of 00:47, 20 May 2010 (Thu)

VNC is a protocol that allows a desktop to be viewed and controlled remotely over the Internet. To use VNC, a VNC server must be run on the computer sharing the desktop, and a VNC client must be run on the computer that will access the shared desktop.

Common uses

The two most common uses for VNC are to control your own desktop from another computer and to let other people view/control your desktop while you're sitting at it.

Helping someone via VNC over the Internet

A common usage scenario is helping another Ubuntu user over the internet via screen sharing. The problem usually is that the user you want to help is behind a NAT / firewall. There is however a simple solution available if:

  • You are directly connected to the internet
  • OR
  • You have control over your NAT device and can set-up a port forwarding

The solution is to use reverse VNC to solve the NAT problems. Usually you have to establish a connection to the computer you would like to control. Reverse VNC does the opposite. You open a port where your vncviewer listens and the computer you would like to control connects to your computer. The security risks involved are that the content of the other user's computer screen is transmitted unencrypted over the internet. Here are the steps to make it work:

  1. Install a VNC viewer on your machine (follow the steps below). Tested with the `xvnc4viewer` package.
  2. If you are not directly connected to the internet, set-up port-forwarding on your router for port 5500 to your PC.
  3. Make sure your firewall does not block port 5500 (see below)
  4. Find out your public IP address, for example by visiting [1]
  5. Start vnc in listen mode on your computer: `vncviewer -listen` (using Alt-F2 or via the shell)
  6. Ask the user you are trying to help to install the x11vnc package.
  7. Ask the user to execute `x11vnc -connect YOURIPADDRESS` using Alt-F2 or via the shell

You can find more information on the Ubuntu forums

Accessing your desktop over the Internet

Although VNC has some optional security features, you should not run VNC directly over an untrusted network like the Internet. Instead, you should set an SSH server up as discussed in the SSH guide and configure a VNC server that you can start in so-called once mode. When you have set up your SSH and VNC servers, you can use SSH to log in to your computer over the Internet, start your VNC server, and use port-forwarding to securely access the VNC server.

Let other people view your desktop

If a small group of people regularly want to access your desktop, the best solution might be to set up an SSH server, then add their public keys to your authorized_keys file, with very limited rights. As discussed in the SSH guide, you can limit the SSH features that each public key can use - typically, a user that should only have VNC access would have a line like the following in authorized_keys:

command="/bin/sleep 4294967295",no-agent-forwarding,no-pty,no-user-rc,no-X11-forwarding,permitopen="localhost:5900" <public key>

This will allow the specified person to log in to your computer using your username and their public key instead of your password. The long list of no-xyz statements disallows them from doing just about anything except connect to a VNC server.

Because the Internet is a high speed public network, an attacker anywhere in the world could connect to an unsecured VNC server and start guessing passwords at a rate of thousands per minute. Even if they couldn't guess your password, they could snoop on the VNC session much like someone in an Internet cafe might peer over your shoulder. If securing your connection is not an option, it's possible to provide an unsecured VNC connection with a fairly low risk of disaster, so long as you follow three basic safety precautions:

  • only allow the other person to view your desktop, not to control it
  • tell your VNC server to request permission before allowing anyone to see your desktop
  • don't do anything that you wouldn't do in an Internet cafe

If you're not comfortable with the risks, and the secure options discussed above aren't appropriate, you might be able to take screenshots instead, and send them to the other person.

Whichever of the above techniques you use, you might find that you can connect to your VNC server from computers on your local network, but that other people can't connect to your server over the Internet. If that happens, you might need to reconfigure your router.

An application called Remote Help Assistant is being developed to help smooth the setup of remote connections, and needs unskilled volunteers to help test new versions.
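The restricted `authorized_keys` entry described in this section can be checked mechanically. The audit below is an added example, not part of the original page: the function names, finding labels and sample keys are constructed for illustration, and it also accepts OpenSSH's `restrict` option as equivalent to the individual `no-*` options.

```shell
#!/bin/sh
# Added example: audit authorized_keys entries that should be VNC-only.
# Prints "<line> OK" or "<line> WEAK <findings>" for every key line.
# Limitation: option values containing escaped quotes are not handled.

audit_vnc_keys() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }              # skip comments and blank lines
    {
        line = " " $0
        # The options field is whatever precedes the key type token.
        if (!match(line, /[ \t](ssh-(rsa|dss|ed25519)|ecdsa-sha2-[^ \t]+)[ \t]/)) {
            printf "%d UNPARSED\n", NR; next
        }
        opts = tolower(substr(line, 1, RSTART - 1))

        # Every permitopen target must be the local VNC port.
        n_open = 0; bad = ""; rest = opts
        while (match(rest, /permitopen="[^"]*"/)) {
            target = substr(rest, RSTART + 12, RLENGTH - 13)
            n_open++
            if (target != "localhost:5900" && target != "127.0.0.1:5900")
                bad = bad (bad == "" ? "" : ",") target
            rest = substr(rest, RSTART + RLENGTH)
        }

        # Collect option names with their quoted values removed.
        names = opts
        gsub(/"[^"]*"/, "", names); gsub(/[ \t]/, "", names)
        split("", has)
        n = split(names, tok, ",")
        for (i = 1; i <= n; i++) { sub(/=.*/, "", tok[i]); has[tok[i]] = 1 }

        p = ""
        if (!("command" in has)) p = p " no-forced-command"
        if (!("restrict" in has)) {                # restrict implies all the no-* options
            m = split("no-pty no-agent-forwarding no-x11-forwarding no-user-rc", need, " ")
            for (i = 1; i <= m; i++) if (!(need[i] in has)) p = p " missing:" need[i]
        }
        fwd_off = ("restrict" in has) && !("port-forwarding" in has)
        if (!fwd_off && n_open == 0) p = p " forwarding-unrestricted"
        if (!fwd_off && bad != "")   p = p " unexpected-permitopen:" bad
        printf "%d %s\n", NR, (p == "" ? "OK" : "WEAK" p)
    }' "${1:--}"
}

# Constructed sample file; the key material is fake.
sample_keys() {
    cat <<'EOF'
# constructed sample
command="/bin/sleep 4294967295",no-agent-forwarding,no-pty,no-user-rc,no-X11-forwarding,permitopen="localhost:5900" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY1 friend@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABFAKEKEY2 admin@desktop
command="/bin/sleep 4294967295",no-pty,permitopen="localhost:5900",permitopen="localhost:22" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY3 guest@tablet
restrict,port-forwarding,permitopen="127.0.0.1:5900",command="/bin/sleep 4294967295" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY4 helper@phone
EOF
}

if [ "$#" -gt 0 ]; then audit_vnc_keys "$1"; else sample_keys | audit_vnc_keys; fi
```

Pass the path of a real `authorized_keys` file as the first argument to audit it instead of the sample.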

SSH port-forwarding

SSH has a feature called local port forwarding. Among many other things, this lets you securely connect to a computer over the Internet, then access that computer's VNC server over the secure connection. Using the command-line SSH client that comes with Ubuntu, you would normally do something like the following:

ssh -L 5900:localhost:5900 joe@laptop

This would log in to Joe's laptop and forward his shared desktop to your computer. You could then start your VNC client and connect to port 5900 on your computer to see his shared desktop. This is covered in more detail on the SSH port forwarding page.

VNC Software

To view a desktop remotely, you need a VNC server to share the desktop, and a VNC client to view the shared desktop. There are many VNC Servers and VNC Clients for every operating system.

Guide to example scenarios

This section discusses some situations where you would want to use VNC, and how to set a server up for that situation. The first scenario, Accessing your desktop over the internet, describes how to set VNC up for a computer that logs in automatically as soon as it starts up. As accessing a shared login screen requires more security privileges than accessing your personal desktop, the second scenario, Accessing a family PC over the Internet, describes the extra steps you need to take in order to access your computer before you've logged in.

Accessing your PC over the Internet

This section describes how to connect to your own desktop computer from somewhere else on the Internet. See below for instructions about logging in to a shared computer. To set your VNC server up, follow these steps. You should only need to do this once:

  1. Install the x11vnc and openssh-server packages on your PC
  2. If you have previously reconfigured the firewall on your PC, make sure the firewall allows incoming connections on port `22` from anywhere, and on port `5900` from `localhost` (also known as `127.0.0.1`)
  3. If your PC is behind a home router, or any other device that uses NAT, configure your router to send connection attempts on port `22` (but not port `5900`) to your PC
  4. Choose an SSH client for the computer you'll log in from, and create a public key for that computer
  5. In a text editor on your PC, open the file `<home>/.ssh/authorized_keys`, then add the public key you just created to the bottom of the file

Each time you want to connect to your PC, follow these steps:

  1. Find your PC's public name or IP address. Unless your PC has been assigned a memorable name, the easiest way to do this is to go to whatismyip.com from your PC. You can assign your PC a name by getting one from a dynamic DNS provider
  2. Start the SSH client on the computer you'll log in from.
  3. Tell the SSH client to use local port-forwarding to connect port 5900 on your desktop to port 5900 on localhost.
  4. Via the SSH client, run the command `x11vnc -safer -localhost -nopw -once -display :0` on the computer whose desktop you will view.
  5. Tell the SSH client to connect to your PC (in case it's not already connected).
  6. Start a VNC client on the computer you'll log in from, and tell the VNC client to connect to port 5900 on `localhost`.

If you have a dial-up Internet connection, your IP address will change every time you connect to the Internet. If you have a broadband Internet connection, your address will probably only change once every few months - usually right around the day you forget to check your address.

If the VNC connection is terribly slow, then you may want to try compressing the session using `vncviewer -encodings "tight" localhost:0` instead of `vncviewer localhost:0`.

Exactly how to perform the above steps depends on the SSH client you use. Here are some examples.

Logging in from another Ubuntu PC

Rebecca wants to connect to her Ubuntu desktop from her Ubuntu laptop. She is using the standard software that comes with Ubuntu. Before her first connection, she creates a shell script:

  1. She sets up a dynamic DNS address for her desktop computer: rebeccas-pc.dyndns.org
  2. From her laptop, she goes to Applications > Accessories > Text Editor
  3. In Text Editor, she types in the following shell script:
#!/bin/sh

ssh -f -L 5900:localhost:5900 [email protected] \
	x11vnc -safer -localhost -nopw -once -display :0 \
	&& sleep 5 \
	&& vncviewer localhost:0
  4. In Text Editor, she saves the script to her Desktop as Connect to rebeccas-pc.sh
  5. From her laptop, she right-clicks on the desktop icon she's created, and clicks Properties
  6. From the Properties window, she clicks Permissions, then Allow executing file as program
  7. From the properties window, she clicks Close

Then each time she connects to her desktop PC, she double-clicks on Connect to rebeccas-pc.sh, and waits about 5 seconds.

Logging in from a Windows PC

Simon wants to connect to his Ubuntu PC from his work computer, running Windows. He has installed PuTTY and TightVNC Viewer on his work computer. Before his first connection, he sets up PuTTY:

  1. From his home computer, he visits www.whatismyip.com, and finds that his computer's IP address is 1.2.3.4
  2. From his work computer, he runs PuTTY.
  3. In the PuTTY configuration window, he goes to Connection > SSH > Tunnels
  4. In the Tunnels section of PuTTY, he types 5900 for Source port, localhost:5900 for Destination, then clicks Add
  5. He goes back to the Session section of the PuTTY configuration window
  6. He types [email protected] for Host Name (or IP address), and clicks SSH
  7. He types Home for Saved Sessions and clicks Save

Then each time he connects to his home PC, he does this:

  1. From his work computer, he runs PuTTY
  2. From PuTTY, he clicks the Home saved session, then clicks Open
  3. In the PuTTY window, he types his password and presses Return
  4. In the PuTTY window, he types `x11vnc -safer -localhost -nopw -once -display :0` and presses Return
  5. From his work computer, he runs TightVNC Viewer
  6. In TightVNC Viewer, he types localhost::5900 for VNC server and presses Connect.
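The setup steps above depend on port 5900 being reachable only from `localhost`. The check below is an added example, not part of the original page: it reads `ss -H -ltn` style output and reports every VNC-related listener (5900+N displays, 5800+N Java applet ports, 5500 for a listening viewer) as LOOPBACK or EXPOSED. The function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag VNC listeners reachable from outside the machine.
# Input lines follow `ss -H -ltn`: State Recv-Q Send-Q Local Peer.

vnc_listeners() {
    awk '
    $1 == "LISTEN" {
        p = $4; sub(/.*:/, "", p)                  # text after the last colon
        addr = substr($4, 1, length($4) - length(p) - 1)
        port = p + 0                               # force a numeric comparison
        # 5900+N = display N, 5800+N = Java applet, 5500 = listening viewer
        if (port != 5500 && (port < 5800 || port > 5999)) next
        loopback = (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./)
        printf "%s %s\n", (loopback ? "LOOPBACK" : "EXPOSED"), $4
    }'
}

# Number of VNC listeners bound to a non-loopback address.
vnc_exposed_count() {
    vnc_listeners | grep -c '^EXPOSED' || true
}

# Constructed sample of `ss -H -ltn` output.
sample_ss() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 32 127.0.0.1:5900 0.0.0.0:*
LISTEN 0 32 0.0.0.0:5901 0.0.0.0:*
LISTEN 0 5 [::]:5500 [::]:*
LISTEN 0 32 [::1]:5900 [::]:*
EOF
}

if [ "${1:-}" = "--live" ]; then
    ss -H -ltn | vnc_listeners
else
    sample_ss | vnc_listeners
fi
```

Run it with `--live` on the PC that shares its desktop; with `x11vnc -localhost` and the SSH tunnel in place, no line should read EXPOSED.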


Accessing a family PC over the Internet

Accessing a family PC is a similar problem to accessing your own PC, except that the VNC server needs more security privileges in order to show your login screen.

First, make sure that you can access your own desktop after logging in - once you've logged in, accessing a shared PC is no different to accessing your own PC.

Second, follow the instructions to get x11vnc working before you log in.

Finally, go through the procedure to access your own desktop after logging in, but instead of running the command `x11vnc -safer -localhost -nopw -once -display :0`, use `sudo x11vnc -safer -localhost -nopw -once -auth /var/lib/gdm/:0.Xauth -display :0`.

If the computer you'll log in from is an Ubuntu PC, you could do:

ssh -L 5900:localhost:5900 <your-name>@<your-computer> \
	sudo x11vnc -safer -localhost -nopw -once \
	            -auth /var/lib/gdm/:0.Xauth -display :0 \
	; bg \
	&& vncviewer localhost:0

After you log in, you will be asked to type your password. Once you've typed your password in, you should press ctrl-Z to continue.

Further information

Remote desktop solutions are a broad and complex topic. The following links provide more detail about the technologies involved: