Native X display support
Overview
The vncserver program creates a new, virtual, VNC desktop—one that is not attached to any physical display hardware. While this is convenient under many circumstances, it is sometimes also necessary to get remote access to the console X server—the one you would see if you were sitting in front of the computer. There are two ways this can be done:
The x0vncserver program
The simplest way to remote the native X Server is using the
x0vncserver command. In fact, this is the only method if
your operating system or X Server is not supported by the
vnc.so module (see below). x0vncserver is a
non-invasive VNC server that allows any X display to be controlled via
VNC.
x0vncserver has been updated for version 4.4 to
address performance and usability issues. For many users, it may be
the preferred method of remoting the native X Server. For full details
of how to use x0vncserver, please see the man page.
The vnc.so module
One shortcoming of x0vncserver is that it is not
straightforward to run it when the computer is at the login screen,
nor to configure it to start automatically when the computer is
switched on. The vnc.so module addresses these
issues.
The vnc.so module is supported on Linux-based
platforms running an XFree86 X Server version 4.2 and above or an XOrg
X Server up to version 7.2. Currently, XOrg version 7.3, found in
Ubuntu 8.04, Fedora Core 9 and OpenSUSE 11.0 among others, is
unsupported.
To enable or disable the vnc.so module you need to
edit the Module section of the X Server configuration file as
illustrated below. You will need to add the lines in red. The location
and format of the X Server configuration file will be described in the
documentation that came with your X Server. Often this will be in the
XF86Config or xorg.conf man pages. We
strongly recommend taking a backup of your X Server configuration file
before editing it as an error in this file can cause your X Server
to fail to load. After editing the X Server configuration file, you
will need to restart your X Server by pressing Ctrl+Alt+Backspace.
Section "Module"
    Subsection "vnc"
        Option "RSA_Private_Key_File" "/root/.vnc/private.key"
    EndSubSection
    ...
EndSection
The file /root/.vnc/private.key is created when the software is installed, and the location may vary depending on your Linux distribution. If the file does not exist in this location, you will need to change the above configuration accordingly.
Modern X Servers
On modern X Servers, the Module section might not be present, in which case you will need to add it. Doing so may mean that certain default modules are no longer loaded; if so then you will need to add the following lines to the newly-created Module section:
Load "extmod"
Load "dbe"
Load "glx"
Load "freetype"
Load "record"
Load "dri"
Load "dri2"
Note that, on modern Linux systems, the default location of the
vnc.so module is probably wrong. The easiest way to fix
this is to create a symbolic link in the appropriate place, which is
typically /usr/lib/xorg/modules/extensions. To do this,
run the following command as root:
ln -s /usr/X11R6/lib/modules/extensions/vnc.so /usr/lib/xorg/modules/extensions/vnc.so
On some 64-bit systems, the correct location is
/usr/lib64/xorg/modules/extensions. Consult your X Server
documentation for details.
Common configuration scenarios
The configuration above tells the vnc.so module where
to load the RSA private keys from, and so allows encrypted
connections, but does not set any other configuration
parameters. Parameters can be set by running the vncconfig applet, however
any changes made this way will not be saved across restarts of the X
Server.
To make permanent changes to the vnc.so module's
configuration, add them as Option lines to the
vnc subsection of the X Server configuration file. Below
are some common configuration scenarios; for full details of the
parameters supported by the vnc.so module, see the Xvnc man page or look at the Expert
tab of the vncconfig user interface.
Allow other users to connect
With the example configuration above, only the root user is allowed to connect. On systems where the root user has no password by default this is unworkable, and there are many other situations in which you may need to configure the set of users allowed to connect. To do this, set the AllowedUsers parameter:
Subsection "vnc"
    Option "RSA_Private_Key_File" "/root/.vnc/private.key"
    Option "AllowedUsers" "*:d"
EndSubSection
This gives all users permission to connect. For full details of the AllowedUsers parameter, see the Xvnc man page. For a more restrictive example, see below.
Maximum security
For maximum security, you should configure the VNC server to use an encrypted connection. You should also restrict the allowed users, and configure VNC Server to prompt the user to approve new connections:
Subsection "vnc"
    Option "RSA_Private_Key_File" "/root/.vnc/private.key"
    Option "SecurityTypes" "RA2"
    Option "UserPasswdVerifier" "UnixAuth"
    Option "AllowedUsers" "root:f,bob:f"
    Option "AllowedGroups" "staff:d"
    Option "QueryConnect" "1"
EndSubSection
With the above configuration, only encrypted connections are
supported. This could be relaxed by changing the
SecurityTypes parameter from RA2 to
RA2,RA2ne, ensuring that the password is always
encrypted, but allowing viewers to request an unencrypted
session. Both bob and the superuser are granted full
access rights and can connect without approval; members of the
staff group can also connect, but must be approved. All
users must enter their UNIX password in order to connect.
Note that in order for querying of connections to work, you must
be running the vncconfig applet on the desktop.
You can also restrict access to the server based on IP address
using the Hosts parameter, for example:
Option "Hosts" "192.168.0.0/255.255.0.0"
Support legacy viewers
To support legacy viewers, you will need to disable encryption and use VNC authentication. You will also need to specify where the password is stored:
Subsection "vnc"
    Option "RSA_Private_Key_File" "/root/.vnc/private.key"
    Option "SecurityTypes" "VncAuth"
    Option "PasswordFile" "/root/.vnc/passwd"
EndSubSection
Note that this configuration does not allow encrypted connections (legacy viewers do not support encryption). In order to allow both encrypted connections from Enterprise Edition viewers and unencrypted connections from legacy viewers, you would use the following:
Subsection "vnc"
    Option "RSA_Private_Key_File" "/root/.vnc/private.key"
    Option "SecurityTypes" "RA2,VncAuth"
    Option "UserPasswdVerifier" "VncAuth"
    Option "PasswordFile" "/root/.vnc/passwd"
EndSubSection
In either case, you will also need to run the vncpasswd command as root
and enter a password with which to access your VNC desktops:
$ sudo vncpasswd
Password:
Verify:
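The scenarios above differ only in a handful of Option lines, so a deployed X Server configuration can be checked against the "Maximum security" scenario mechanically. The following is an added example, not part of the original documentation or the VNC software: the function names and the sample text are constructed for illustration, and option names are assumed to be spelled exactly as on this page.

```python
import re

OPTION_RE = re.compile(r'^Option\s+"([^"]+)"\s+"([^"]*)"', re.IGNORECASE)

def vnc_options(conf_text):
    """Return {name: value} for Option lines inside Subsection "vnc"."""
    opts, inside = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment in the config file
        if re.match(r'subsection\s+"vnc"', line, re.IGNORECASE):
            inside = True
        elif re.match(r'endsubsection\b', line, re.IGNORECASE):
            inside = False
        elif inside:
            m = OPTION_RE.match(line)
            if m:
                opts[m.group(1)] = m.group(2)
    return opts

def audit(opts):
    """List the ways the options deviate from the 'Maximum security' scenario."""
    findings = []
    types = [t.strip() for t in opts.get("SecurityTypes", "").split(",") if t.strip()]
    if not types:
        findings.append("SecurityTypes is not set explicitly")
    for t in types:
        if t != "RA2":
            findings.append(f"SecurityTypes allows {t}, which is not the encrypted-only RA2")
    users = [u.split(":")[0].strip() for u in opts.get("AllowedUsers", "").split(",")]
    if "*" in users:
        findings.append("AllowedUsers contains '*': all users have permission to connect")
    if opts.get("QueryConnect") != "1":
        findings.append("QueryConnect is not 1: new connections are not put up for approval")
    if "Hosts" not in opts:
        findings.append("Hosts is not set: no restriction by IP address")
    return findings

# Constructed sample: the mixed Enterprise/legacy viewer scenario from this page.
SAMPLE = '''
Section "Module"
    Subsection "vnc"
        Option "RSA_Private_Key_File" "/root/.vnc/private.key"
        Option "SecurityTypes" "RA2,VncAuth"
        Option "PasswordFile" "/root/.vnc/passwd"
    EndSubSection
EndSection
'''

if __name__ == "__main__":
    for finding in audit(vnc_options(SAMPLE)):
        print("WARN:", finding)
```

An empty list from audit() means the vnc subsection matches the "Maximum security" scenario with a Hosts restriction added.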
