« Back to docs

Setting up interactive system authentication

If you have a Professional or Enterprise subscription and a Linux or Mac computer, you can specify interactive system authentication for VNC Server instead of system authentication. This means that connecting VNC Viewer users must first enter a user name from a user account that is registered with VNC Server. Then, they must provide one or more credentials, and/or perform one or more authorization operations, mandated by your choice of PAM authentication module(s).

Note

Choosing multiple PAM modules enables you to specify a comprehensive multi-factor authentication scheme for VNC Server.

../_images/VNC_Server_Options_Dialog_Interactive_System_Authentication.png

Note the following:

  • The user account of each prospective VNC Viewer user must be registered with VNC Server, and suitable session permissions assigned.
  • Connecting users cannot ask VNC Viewer to remember password(s) entered as part of the authentication process.
  • Connected users are not automatically reconnected if a session is interrupted. Re-authentication is mandatory.

Setting up the VNC Server computer

Perform the following steps:

  1. Specify the interactive system authentication scheme, either by:

    • Opening VNC Server’s Options > Security page and selecting the Interactive <platform> authentication option from the Authentication dropdown.
    • Setting the VNC Server Authentication parameter to InteractiveSystemAuth.
  2. Obtain the PAM module(s) that enable the functionality you want to provide. For example, pam_google_authenticator.so mandates that connecting users must enter a TOTP code. If you have a Duo account, pam_duo.so mandates that connecting users must respond to a push notification or SMS or phone call, and so on. Note these modules might require additional configuration to integrate with your system in a way not covered by this documentation.

    Note that, out-of-the-box, VNC Server is configured to interact with the local password store using pam_unix.so. You can retain this configuration in order to provide standard system authentication (user account password after user name), and augment it with other modules to add any number of additional factors.

  3. Reference the module(s), and specify appropriate account and authentication rules, in the following file:

    • For platforms using /etc/pam.d/vncserver, in /etc/pam.d/vncserver.custom. Create this file if it does not exist.
    • For platforms using /etc/pam.conf, edit this same file to create vncserver.custom rules pointing to the new PAM module(s).

    For example, for a Debian-compatible computer:

    #First, mandate standard system authentication
    auth required pam_unix.so
    #Second, require a TOTP code
    auth required pam_google_authenticator.so
    
  4. In an appropriate system-wide VNC Server configuration file (for example /etc/vnc/config.d/common.custom), specify the PamApplicationName parameter to register your changes with VNC Server:

    PamApplicationName=vncserver.custom

  5. Register the user accounts of all prospective VNC Viewer users with VNC Server, either by:

    Note prior configuration is required to register domain accounts under Linux. You may also need to qualify user names with the domain name, for example DEV.ACMECORP.COM\johndoe.

If you have already set up PAM to work with other services, you may be able to configure VNC Server to reference changes already made. For example, under Debian-compatible Linux, you may be able to edit /etc/pam.d/vncserver.custom as follows:

@include common-auth
@include common-account
@include common-session

For Red Hat-compatible Linux, the equivalent edits might be:

auth      include    password-auth
account   include    password-auth
session   include    password-auth
×