Lab #12: VNC Lab
Date: March 26, 2008

In this lab, we'll learn how to access a desktop remotely using VNC. A variety of VNC clients and servers exist for both UNIX and Windows systems, allowing you to share desktops from different platforms. To secure VNC, we'll use ssh as a tunneling protocol.

You will need two machines for this lab, one for the VNC server, and the other for the VNC client, so you will need to work with another student. Both machines will be used in client and server roles, one at a time. You will use your own machine as the client, and you will need the IP address of the other person's machine to use it as the VNC server. Coordinate with the other student to decide which person is the server first so that there are no conflicts.

Before we use VNC to get a complete desktop on the remote machine, we'll use the basic features of X-Windows to run applications on the remote machine while displaying their interfaces on your local machine. This technique is useful when you only need to run a single application on a remote host, especially if you want to run a single application on many remote hosts, as these windows are treated like any other window on your desktop.

  1. Forward X from server to client.
    1. Connect to your server from your client using ssh with the X-forwarding option (-X).
      ssh -X student@IP_ADDRESS
      
    2. Check your DISPLAY environment variable in the ssh session to verify that it's pointing back to your machine.
      echo $DISPLAY
      
    3. Running a complete windowing system on the server uses a large amount of CPU and memory resources. Instead, we can run a single X application and forward its display back to our client, since X is a network-transparent windowing system and ssh will forward the X protocol securely. For most system administration tasks, you only need a window or two, not an entire desktop. Start a couple of X applications on the server and view them on your client.
      xclock &
      xterm &
      
    4. Check the IP address from within the xterm to verify that the xterm is running on the other machine.
      ifconfig eth0
      
  2. Create an ssh tunnel from the client to the server.
    1. VNC does not encrypt its connections, so we'll tunnel our VNC connection through an ssh connection to encrypt it. Once the tunnel is set up, we'll be able to point to port 5901 (the standard VNC port) of our client and have our connection automatically forwarded through the ssh tunnel to port 5901 on the server. Let's first verify that port 5901 doesn't do anything yet on the client.
      telnet localhost 5901
      
    2. Now let's create an ssh tunnel to the server using the VNC port 5901 on both sides.
      ssh -N -L 5901:SERVER_IP_ADDRESS:5901 student@SERVER_IP_ADDRESS
      
    3. Let's try that telnet command again. It will still fail, but we'll see a "Connection closed" message this time instead of a "Connection refused" error. This indicates that the command connected to the other machine, but there was no server process running on port 5901 since we haven't started VNC server yet. This means that our tunnel is working, so we'll be ready for the next step of the lab. You'll also see an error message in the terminal where you ran your ssh command.
      telnet localhost 5901
      
  3. Start VNC server
    1. Check whether VNC is installed on your machine.
      rpm -qa | grep vnc
      
    2. If the previous command doesn't list the vnc-server package, install it.
      yum install vnc-server
      
    3. Use rpm -ql to list the files that are part of vnc-server to figure out which command to use to start your VNC server process, then start it as student. Do NOT start it as root.
      
      
    4. When you ran the VNC server command, it asked you to set a password and created some files. Look in your ~/.vnc directory to see those files. If there were any errors, they are recorded in the log file in that directory. Check the xstartup file to see what window manager your VNC session is using. Note that the stored password is encrypted.
      cd ~/.vnc
      ls -l
      cat *log
      cat xstartup
      cat passwd
      od -c passwd
      
    5. Verify that your VNC processes are running with ps.
      ps auxw|grep vnc
      
  4. Initiate a VNC connection to the server
    1. Start your VNC client, pointing it at localhost (the tunnel will forward your connection to the server), display 1. If more than one user is using VNC at once, you might end up with a different display (and a different port: display 2 corresponds to port 5902, 3 to 5903, and so forth).
      vncviewer localhost:1
      
    2. In your xterm, verify that your VNC session really is running on your server by checking the IP address. Note that in this window manager, you can bring up the root menu by clicking the left mouse button over an empty area of the desktop. This was one of the first X window managers and is quite limited compared to Gnome or KDE.
      ifconfig eth0
      
  5. Changing the Window Manager
    1. We would like a better window manager, but Gnome and KDE are rather heavy for a network connection. As a compromise, let's install XFCE for use with VNC. The grouplist command to yum will list all installable package groups, while groupinstall will install the group. It should be obvious which group we need.
      yum grouplist
      yum groupinstall PACKAGE_NAME
      
    2. Modify your xstartup file on the server to start XFCE4, saving your old version of the file. After the cat command, type the lines shown below it, then press Ctrl-D to end the input.
      cd ~/.vnc
      cp -p xstartup xstartup.dist
      cat >xstartup
      # Uncomment the following two lines for normal desktop:
      # unset SESSION_MANAGER
      # exec /etc/X11/xinit/xinitrc
      
      [ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
      [ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
      xsetroot -solid grey
      vncconfig -iconic &
      startxfce4 &
      
    3. Kill your old VNC server process on display 1.
      vncserver -kill :1
      
    4. Start VNC server again.
      vncserver
      
    5. Kill your old VNC client process, then start a new one on the client.
      vncviewer localhost:1
      
    6. Now switch client and server roles and repeat this with the other student being the server.
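
The tunnel in step 2 targets SERVER_IP_ADDRESS:5901, so the VNC server from step 3 has to accept connections on the server's network interface, where a client could also reach it directly and unencrypted. The script below is an added example, not part of the original lab: it reads `netstat -tln` output and reports VNC displays listening on a non-loopback address. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag VNC listeners reachable without the ssh tunnel.
# Reads `netstat -tln` output on stdin. VNC display N listens on TCP 5900+N.

vnc_exposed() {
    awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            laddr = $4
            port = laddr
            sub(/.*:/, "", port)          # keep the text after the last colon
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            port = port + 0               # force numeric comparison
            if (port < 5900 || port > 5999) next          # not a VNC display port
            if (addr == "127.0.0.1" || addr == "::1") next # loopback only
            printf "display :%d exposed on %s port %d\n", port - 5900, addr, port
        }'
}

# Constructed sample listing (not captured from a real host): display 1 on
# all IPv4 interfaces, display 2 on loopback only, display 3 on all IPv6
# interfaces, plus two ports that are not VNC displays.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:5901                0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:5902              0.0.0.0:*                   LISTEN
tcp        0      0 :::5903                     :::*                        LISTEN
tcp        0      0 0.0.0.0:59000               0.0.0.0:*                   LISTEN
EOF
}

sample_netstat | vnc_exposed
# On the lab server itself: netstat -tln | vnc_exposed
```

Any display the script reports can be reached without going through ssh. One way to close that path, outside the lab's steps, is to start the server with Xvnc's -localhost option and point the tunnel at localhost:5901 on the server side.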
 

©2008 James Walden, Ph.D.