HOWTO Configure VNC Server on RHEL5 / CentOS 5
From Consultancy.EdVoncken.NET
Overview
On Unix, the X Window System already offers remote graphical access. On low-bandwidth or high-latency connections, or when you are using another client OS, VNC may be a better option than X11.
The VNC server as supplied with Red Hat Enterprise Linux / CentOS offers two ways of accessing the graphical desktop:
- Using a VNC Client (TCP port 590x)
- Using a Web Browser (TCP port 580x)
The Web Browser functionality is based on a Java applet.
Note: The VNC Server must be configured separately for each user that wishes to connect.
VNC Server Configuration
Enable the VNC Server to automatically start after a reboot:
# chkconfig vncserver on
The systemwide configuration lives in /etc/sysconfig/vncservers. In this file, a display number is allocated to a VNC server for a particular user. The following settings are made to associate display number 2 with user "ed":
VNCSERVERS="2:ed"
VNCSERVERARGS[2]="-geometry 800x600 -nolisten tcp -nohttpd -localhost"
User Configuration
A VNC password must be set for any user that wishes to access the VNC Server. Log in as the proper user, and run "vncpasswd" to do so:
$ vncpasswd
Password:
Verify:
Your VNC password is stored in $HOME/.vnc/passwd.
Note: This password is not encrypted securely. File permissions are the only protection here!
Starting the VNC Server
We will start, then restart the VNC server. On first start, a user startup script is automatically created. This file has to be modified. Afterwards, the VNC server is restarted to activate the changes.
Initial startup
# service vncserver start
Starting VNC server: 2:ed xauth: creating new authority file /home/ed/.Xauthority
New 'myhost.example.com:2 (ed)' desktop is myhost.example.com:2
Creating default startup script /home/ed/.vnc/xstartup
Starting applications specified in /home/ed/.vnc/xstartup
Log file is /home/ed/.vnc/myhost.example.com:2.log
[ OK ]
Modify user startup script
The ~/.vnc/xstartup script should be modified if you want to enable the regular GNOME desktop environment. By default, only a very basic desktop environment is shown. Make the following settings to enable a full desktop environment:
unset SESSION_MANAGER
exec /etc/X11/xinit/xinitrc
Restart the VNC server
# service vncserver restart
Connect to the VNC Server
Connect to the VNC server using the following parameters:
myhost.example.com:5902 (display 2)
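Because the server was started with -localhost, it only accepts connections that originate on the server itself, so the client has to reach it through a tunnel. In this example, I will set up TCP port forwarding from "localhost" (my client laptop) to "localhost" (the server). Yes, this is confusing, but the destination of the port forwarding is resolved after logging in to the destination host, which happens to be the VNC server, so the second "localhost" refers to the server.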
$ ssh -A -L 5902:localhost:5902 ed@myhost.example.com
Now, use your favourite VNC client (Screen Sharing on Mac OS X) to connect to localhost, port 5902:
vnc://localhost:5902/
Security Considerations
- VNC traffic can be intercepted since it is not encrypted. Sensitive information, including the root password, can be exposed.
- The VNC user passwords are not securely encrypted.
The first threat can be mitigated by using a Secure Shell tunnel:
- Establish an SSH tunnel from the client to localhost:vncport on the server
- This replaces weak VNC authentication with strong SSH authentication methods.
- This can be automated using an SSH client like PuTTY.
- Start the VNC viewer, and connect to the client side of the tunnel (usually, also localhost:vncport).
- All traffic is now encrypted and optionally compressed for better throughput.
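The settings this HOWTO relies on (-localhost, -nolisten tcp and -nohttpd for every display in /etc/sysconfig/vncservers, plus a password file only its owner can read) can be checked with a short script. This is an added example, not part of the original page. The function names, the user "alice" on display 3 and the sample files are constructed for illustration, and the parser assumes one assignment per line.

```shell
#!/bin/sh
# Added example (not from the original page): audit the settings this HOWTO relies on.

# Print one finding per missing hardening flag; return 1 if anything was found.
audit_vncservers() {
    conf=$1; rc=0
    # Read the uncommented VNCSERVERS="N:user ..." assignment (one per line assumed).
    servers=$(sed -n '/^[[:space:]]*#/d; s/^[[:space:]]*VNCSERVERS="\([^"]*\)".*/\1/p' "$conf")
    for entry in $servers; do
        display=${entry%%:*}; user=${entry#*:}
        args=$(sed -n "/^[[:space:]]*#/d; s/^[[:space:]]*VNCSERVERARGS\[$display\]=\"\([^\"]*\)\".*/\1/p" "$conf")
        for flag in "-localhost" "-nolisten tcp" "-nohttpd"; do
            case " $args " in
                *" $flag "*) ;;
                *) echo "display $display ($user): missing $flag"; rc=1 ;;
            esac
        done
    done
    return $rc
}

# Return 0 only if group and other have no access to the VNC password file.
passwd_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Constructed sample: display 2 as in the HOWTO, display 3 (user "alice") left open.
demo_dir=$(mktemp -d)
cat > "$demo_dir/vncservers" <<'EOF'
# VNCSERVERS="1:example"
VNCSERVERS="2:ed 3:alice"
VNCSERVERARGS[2]="-geometry 800x600 -nolisten tcp -nohttpd -localhost"
VNCSERVERARGS[3]="-geometry 1024x768 -nolisten tcp"
EOF
printf 'constructed' > "$demo_dir/passwd"
chmod 644 "$demo_dir/passwd"

audit_vncservers "$demo_dir/vncservers" || echo "vncservers needs attention"
passwd_is_private "$demo_dir/passwd" || echo "passwd is readable by group/other"
```

On a real host, point the two functions at /etc/sysconfig/vncservers and each user's $HOME/.vnc/passwd. A display with no VNCSERVERARGS entry is reported as missing all three flags.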