Starting a new VNC® desktop

Unlike its Windows and Mac counterparts, the vncserver command creates a new, virtual, VNC desktop—one that is not attached to any physical display hardware. For details of how to make the console X server accessible using VNC, please see Native X display support.

To start a new VNC desktop, run the vncserver command. If this is the first time you have run the command, it will probably generate secure encryption keys:

$ vncserver
VNC Server Enterprise Edition E4.4.0 - built May 2 2008 12:05:53
Copyright (C) 2002-2008 RealVNC Ltd.
See http://www.realvnc.com for information on VNC.
Generating primes:
  p: ...............
  q: ......................
A new secure key has been generated and stored.
Running applications in /home/jpw/.vnc/xstartup
Log file is /home/user/.vnc/host:1.log
New desktop is host:1

The most important lines are the last three:

Common configuration scenarios

Server configuration settings can be changed by running the vncconfig applet, which is started by default on all new VNC desktops. However, any changes made this way affect only that desktop, and do not apply to any desktops started subsequently.

To make permanent changes to the VNC server's configuration, you can specify them in one of two places:

  • /etc/vnc/config for system-wide settings.
  • ~/.vnc/config for per-user settings.

You can also specify settings on the vncserver command-line; in this case they will affect only the VNC desktop started by that command.

Below are some common configuration scenarios; for full details of the parameters supported, see the Xvnc man page or look at the Expert tab of the vncconfig user interface.

Allow other users to connect

By default, only the user who started the VNC desktop is allowed to connect. To change this, the AllowedUsers parameter must be configured:

AllowedUsers=*:d

This gives all users permission to connect. For full details of the AllowedUsers parameter, see the Xvnc man page. For a more restrictive example, see below.

Maximum security

For maximum security, you should configure the VNC server to use an encrypted connection. You should also restrict the allowed users, and configure VNC Server to prompt the user to approve new connections:

SecurityTypes=RA2
AllowedUsers=root:f,:f
AllowedGroups=staff:d
QueryConnect=1

With the above configuration, only encrypted connections are supported. This could be relaxed by changing the SecurityTypes parameter from RA2 to RA2,RA2ne, which still ensures that the password is always encrypted but allows viewers to request an unencrypted session. Both the desktop owner and the superuser are granted full access rights and can connect without approval; members of the staff group can also connect, but must be approved. All users must enter their UNIX password in order to connect.

Note that in order for querying of connections to work, you must be running the vncconfig applet on the desktop. Note also that since the desktop is not attached to any physical display hardware, there must already be someone connected in order to accept the new incoming connection.

You can also restrict access to the server based on IP address using the Hosts parameter, for example:

Hosts=192.168.0.0/255.255.0.0

Support legacy viewers

To support legacy viewers, you will need to disable encryption and use VNC authentication:

SecurityTypes=VncAuth

Note that this configuration does not allow encrypted connections (legacy viewers do not support encryption). In order to allow both encrypted connections from Enterprise Edition viewers and unencrypted connections from legacy viewers, you would use the following:

SecurityTypes=RA2,VncAuth
UserPasswdVerifier=VncAuth

Either way, you will also need to run the vncpasswd command and enter a password with which to access your VNC desktops:

$ vncpasswd
Password:
Verify:
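
The following is an added example, not RealVNC code: a small audit that compares a config file's contents with the "Maximum security" settings above and flags the relaxations described under "Allow other users to connect" and "Support legacy viewers". It assumes one Name=Value setting per line, as shown on this page; the function names, the comment handling and the sample inputs are constructed for illustration.

```python
# Added example, not RealVNC code. Assumes one Name=Value setting per line,
# as shown on this page; treating '#' lines as comments is an assumption.

def parse_config(text):
    """Return {lower-cased name: value}; a later line overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        settings[name.strip().lower()] = value.strip()
    return settings

def audit(text):
    """Return (parameter, finding) pairs; an empty list means no deviation found."""
    cfg = parse_config(text)
    findings = []
    types = [t.strip() for t in cfg.get("securitytypes", "").split(",") if t.strip()]
    if not types:
        findings.append(("SecurityTypes", "not set in this file"))
    for t in types:
        if t == "VncAuth":
            findings.append(("SecurityTypes", "VncAuth sessions are unencrypted"))
        elif t == "RA2ne":
            findings.append(("SecurityTypes", "RA2ne lets a viewer request an unencrypted session"))
        elif t != "RA2":
            findings.append(("SecurityTypes", f"{t} is not covered by this check; review it"))
    for entry in cfg.get("allowedusers", "").split(","):
        if entry.strip().split(":", 1)[0] == "*":
            findings.append(("AllowedUsers", "wildcard grants every user permission to connect"))
    if cfg.get("queryconnect") != "1":
        findings.append(("QueryConnect", "approval prompt for new connections is not enabled"))
    if not cfg.get("hosts"):
        findings.append(("Hosts", "no IP address restriction in this file"))
    return findings

# Constructed sample inputs built from the settings discussed on this page.
HARDENED = """SecurityTypes=RA2
AllowedUsers=root:f
AllowedGroups=staff:d
QueryConnect=1
Hosts=192.168.0.0/255.255.0.0
"""
LEGACY = """SecurityTypes=RA2,VncAuth
UserPasswdVerifier=VncAuth
AllowedUsers=*:d
"""
```

Pass the contents of /etc/vnc/config or ~/.vnc/config to audit(). Each finding describes that one file only, since settings can also come from the other file or from the vncserver command line.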

© RealVNC Limited