Native X display support
Overview
Both the Xvnc and vncserver programs create a new VNC desktop. It is also possible to remote the native X server (i.e. the ":0" X display). There are two ways this can be done. For XFree86 version 4 X servers, a loadable module is provided which adds the VNC server functionality. A less efficient but non-invasive method is the VNC server called x0vncserver, which continuously polls any X display, allowing it to be controlled via VNC.
XFree86 module
If your native X server is an XFree86 version 4 server, then the
vnc.so module should be copied to the /usr/X11R6/lib/modules/extensions
directory. It can be enabled like any other module by adding a Load
or SubSection entry to the Module section of
XF86Config. The parameters listed in the Xvnc
manual page can be set as options in XF86Config. For VNC Enterprise
Edition 4.1.7 and later this can be done by using SubSection.
For example:
Section "Module"
...
Subsection "vnc"
Option "Desktop" "Bob's Workstation"
Option "IdleTimeout" "600"
...
EndSubSection
EndSection
For earlier versions of VNC Enterprise Edition, parameters cannot
be set in the Module section of XF86Config—use the Screen
section instead:
Section "Module"
...
Load "vnc"
EndSection
...
Section "Screen"
...
Option "Desktop" "Bob's Workstation"
Option "IdleTimeout" "600"
...
EndSection
Parameters
Most VNC parameters are optional and have sensible defaults. However, to allow connections to the module or to x0vncserver, you must set some parameters. This is intentional: an unconfigured server allows no connections.
The configuration scenarios in the following sections should give some guidelines as to what will work best for you. The parameters are given as option entries to be put in the XF86Config file but are equally applicable to x0vncserver when specified as command-line arguments.
Maximum security
For maximum security, you should configure the VNC server to use
an encrypted connection. In order to use an encrypted connection, you
must first generate a secure key using the vnckeygen
command (this will put a file called private.key in the user's .vnc
directory):
# vnckeygen
Generating primes:
p: ......................................
q: ...................
You should also use UNIX authentication, restrict the allowed users, and enable the query connection mechanism to manually approve new connections:
Option "SecurityTypes" "RA2"
Option "RSA_Private_Key_File" "/root/.vnc/private.key"
Option "UserPasswdVerifier" "UnixAuth"
Option "AllowedUsers" "root:f,bob:f"
Option "AllowedGroups" "staff:d"
Option "QueryConnect" "1"
With the above configuration, only encrypted connections are
supported. This could be relaxed by changing the first option from "RA2"
to "RA2,RA2ne", ensuring that the password is
always encrypted, but allowing viewers to request an unencrypted
session. Both bob and the superuser are granted full access
rights and can connect without approval; members of the staff
group can also connect, but must be approved. All users must enter their
UNIX password in order to connect.
Note that in order for querying of connections to work, you must be running the vncconfig program on the desktop when using the module (it is not necessary for x0vncserver).
Support legacy viewers
To support legacy viewers, you will need to use VNC
authentication and disable encryption. VNC authentication requires that
you set a VNC password using the vncpasswd program:
# vncpasswd
Password:
Verify:
You will also need to tell the VNC module where the password is stored, and disable encryption:
Option "SecurityTypes" "VncAuth"
Option "UserPasswdVerifier" "VncAuth"
Option "PasswordFile" "/root/.vnc/passwd"
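The following is an added example, not part of the original documentation or of the VNC product: a Python check that reads Option entries from XF86Config text and lists where they depart from the maximum-security scenario above, run here on the two option sets shown on this page. The function names, the finding strings, and the case-insensitive handling of option names are assumptions of this example.

```python
import re

# One XF86Config entry: Option "Name" "Value"
OPTION_RE = re.compile(r'Option\s+"([^"]+)"\s+"([^"]*)"', re.IGNORECASE)

def vnc_options(config_text):
    """Collect Option entries, ignoring '#' comments (names lower-cased)."""
    opts = {}
    for line in config_text.splitlines():
        entries = OPTION_RE.findall(line.split("#", 1)[0])
        opts.update((name.lower(), value) for name, value in entries)
    return opts

def audit(config_text):
    """List deviations from the page's maximum-security scenario."""
    opts, findings = vnc_options(config_text), []
    types = [t.strip() for t in opts.get("securitytypes", "").split(",") if t.strip()]
    if not types:
        findings.append("SecurityTypes is not set")
    for t in types:
        if t == "RA2ne":
            findings.append("RA2ne: viewers may request an unencrypted session")
        elif t != "RA2":
            findings.append(f"{t}: not the encrypted-only RA2 type")
    if opts.get("userpasswdverifier") != "UnixAuth":
        findings.append("UserPasswdVerifier is not UnixAuth")
    if not (opts.get("allowedusers") or opts.get("allowedgroups")):
        findings.append("no AllowedUsers or AllowedGroups restriction")
    if opts.get("queryconnect") != "1":  # "1" is the value the page uses
        findings.append("QueryConnect is not enabled")
    return findings

# The two option sets shown on the page, one entry per line.
MAX_SECURITY = '''
Option "SecurityTypes" "RA2"
Option "RSA_Private_Key_File" "/root/.vnc/private.key"
Option "UserPasswdVerifier" "UnixAuth"
Option "AllowedUsers" "root:f,bob:f"
Option "AllowedGroups" "staff:d"
Option "QueryConnect" "1"
'''
LEGACY = '''
Option "SecurityTypes" "VncAuth"
Option "UserPasswdVerifier" "VncAuth"
Option "PasswordFile" "/root/.vnc/passwd"
'''

if __name__ == "__main__":
    print(audit(MAX_SECURITY), audit(LEGACY), sep="\n")
```

The maximum-security set produces no findings; the legacy set is reported for its security type, its password verifier, the missing user restriction and the disabled query mechanism.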
