Intro to Remote Access with VNC

For remote management when a GUI is desired or required, Red Hat provides VNC (Virtual Network Computing) services with 'tigervnc'. The X server runs on the remote computer, the one to be accessed. The local Linux or Windows workstation displays a copy of the real or virtual display that is running on the remote machine.

It will be necessary to install a window manager in order to get a full-featured GUI desktop. Run the command `yum groupinstall "GNOME Desktop Environment"` to install the Gnome Desktop and its requirements. One can also install XFCE, which is more lightweight than Gnome or KDE.

Installing VNC

VNC installation is accomplished with the following commands:

  • On the server: `yum -y install tigervnc-server tigervnc`
  • On the client: `yum -y install tigervnc`

VNC Configuration

The following sections address configuration of the VNC server and client, respectively.

VNC Server Configuration

Once the service has been installed on the server with the above command, the following configuration will be necessary.

  1. Configure VNC at '/etc/sysconfig/vncservers' to provide the remote desktop. Configure the file as shown below:
            VNCSERVERS="1:<username>"
            VNCSERVERARGS[1]="-geometry 800x600 -nolisten tcp -localhost"
    
  2. Start the service with the command `service vncserver start`.
  3. Log in as the user who will connect and set a VNC password with `vncpasswd`.[19]
  4. Configure the service to survive a reboot with the command `chkconfig vncserver on`.
  5. Address the firewall appropriately.

VNC Client Configuration

VNC configuration setup on the client machine is accomplished with the steps below.

  1. Install the tigervnc package using the command above.
  2. Connect to the remote system using a VNC client. There are several ways to do this. One is through the GUI desktop: go to "Applications -> Internet -> TigerVNC Viewer".[20]

Bear in mind the critical file locations on the VNC client:

  • ~/.vnc/*
  • ~/.vnc/xstartup

The default installation of VNC may only enable the twm (Tom's Window Manager) desktop, which is a very limited facility. While this may satisfy some requirements, it won't be conducive to productivity. Consider editing /home/<user>/.vnc/xstartup per the following configuration to enable a Gnome desktop.

  #!/bin/sh

  # Clear any inherited session manager so gnome-session starts its own.
  unset SESSION_MANAGER
  # Left commented out: 'exec' replaces this shell, so nothing below it would run.
  # exec /etc/X11/xinit/xinitrc

  [ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
  [ -r "$HOME/.Xresources" ] && xrdb "$HOME/.Xresources"
  # xsetroot -solid grey
  xsetroot -solid black
  vncconfig -iconic &
  xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
  # twm &
  exec gnome-session

VNC as a Service

The VNC service binary (on the server) is most likely located at '/usr/bin/vncserver'.

Commands to Manipulate VNC

The critical commands to manipulate VNC are listed below.

Table 8.3. Critical VNC Commands

| Command | Description |
|---|---|
| `service vncserver {start\|stop\|restart}` | Start/stop/restart the service on the server. |
| `chkconfig --level {3,5} vncserver on` | Configure the server to persistently run the service at boot. |
| `vncpasswd` | Set the password for a VNC user. Must be run from the user/client login. |
| `vncviewer <host:display>` | Connect to remote host. |
| `vncserver -kill :1` | Stop VNC client processes on the indicated display. |
| `vncconfig` | Used to configure and control a running instance of the VNC server. It is possible to support clipboard transfer to and from the VNC viewer if configured properly. See `man vncconfig` for details. |
| `xauth` | Used to edit and display the authorization information used in connecting to the X server. See `man xauth` for details. |
| `xauth list` | Check that X has access opened for displays. |
| `xauth add <hostname:display>` | Add an entry if you don't see your display listed. |
| `vncviewer localhost:<n> -via <ip-address>` | Secure way to connect to a VNC session through an SSH tunnel. `n` is the display number and `<ip-address>` is the IP address of the remote machine. |

Securing VNC

There will be firewall and SELinux considerations for VNC. The following commands will provide the tools necessary for securing and accessing VNC.

  • To find SELinux file contexts that might affect VNC: `semanage fcontext -l | grep "vnc"`
  • To find SELinux port contexts that might affect VNC: `semanage port -l | grep "vnc"`
  • To find SELinux booleans that might affect VNC: `getsebool -a | grep vnc`
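  • VNC typically runs on port 590X, with X being the number of the desktop that is configured. Open the firewall port(s) as necessary. When a display is started with the `-localhost` argument, as in the server configuration above, it accepts connections only from the server itself, so its 590X port does not need to be opened; clients connect through SSH with the `-via` option instead.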
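
To decide which displays actually need a firewall rule, the check below reads a vncservers file and reports, for each configured display, its port and whether it is bound to loopback only. It is an added example, not part of the original guide; the function names, the sample file contents, and the users alice and bob are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which configured VNC displays listen beyond loopback.

# Constructed sample in the /etc/sysconfig/vncservers format shown above.
sample_vncservers() {
    cat <<'EOF'
# VNCSERVERS="9:ignored"
VNCSERVERS="1:alice 2:bob"
VNCSERVERARGS[1]="-geometry 800x600 -nolisten tcp -localhost"
VNCSERVERARGS[2]="-geometry 1024x768 -nolisten tcp"
EOF
}

# Prints "<display> <user> <port> <loopback-only|all-interfaces>" per display.
# The file is parsed as text, never sourced, so nothing in it is executed.
audit_vncservers() (
    cfg=$1
    servers=$(sed -n 's/^[[:space:]]*VNCSERVERS="\(.*\)"[[:space:]]*$/\1/p' "$cfg" | tail -n 1)
    for entry in $servers; do
        disp=${entry%%:*}
        user=${entry#*:}
        # Skip anything that is not a plain decimal display number.
        case $disp in ''|*[!0-9]*|0?*) continue ;; esac
        args=$(sed -n "s/^[[:space:]]*VNCSERVERARGS\[$disp\]=\"\(.*\)\"[[:space:]]*\$/\1/p" "$cfg" | tail -n 1)
        # -localhost restricts the RFB port (5900 + display) to loopback;
        # -nolisten tcp only affects the X11 protocol listener.
        case " $args " in
            *" -localhost "*) scope=loopback-only ;;
            *)                scope=all-interfaces ;;
        esac
        printf '%s %s %s %s\n' "$disp" "$user" "$((5900 + disp))" "$scope"
    done
)

# Demo run on the constructed sample.
tmp=$(mktemp) && sample_vncservers > "$tmp" && audit_vncservers "$tmp"
rm -f "$tmp"
```

A display reported as `all-interfaces` is reachable from other hosts wherever the firewall permits its port; one reported as `loopback-only` is reachable only through the SSH tunnel.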

Additional Notes & Considerations for VNC

Check to see if the VNC service was compiled with support for TCP Wrappers. If so, verify that '/etc/hosts.deny' & '/etc/hosts.allow' files permit the external VNC user to connect. If VNC has support for TCP Wrappers, that facility can be used to limit access to this service, as well as generate other actions upon initiation of a connection.



[19] This step assumes that the user exists on the system. Once this command has been run, check the contents of '/home/<user>/.vnc' to verify that the appropriate files have been created.

[20] It's possible to configure the setup for secure login. The connection is then made with the '-via' option; see Table 8.3, "Critical VNC Commands".