© David Both 2020
D. Both, Using and Administering Linux: Volume 3, https://doi.org/10.1007/978-1-4842-5485-1_14

14. Remote Desktop Access

David Both, Raleigh, NC, USA

Objectives

In this chapter, you will learn
  • To define remote desktop access

  • To install and configure TigerVNC, a remote desktop system

  • To connect to the remote VNC server and perform typical desktop tasks

  • To configure an encrypted VNC connection to a remote server

Introduction

Sometimes there is a need for remote desktop access (RDA) that cannot be fulfilled in any other way. This type of access connects to a remote computer using tools that enable you as the user to work on a graphical desktop as easily as if you were sitting in front of the remote host with physical access to it. VNC stands for Virtual Network Computing, and it is the tool that enables use of remote graphical desktops. TigerVNC is the VNC of choice for Fedora and RHCE as well as other distributions.

In Chapter 5 of this volume, we explored X-forwarding in which we used SSH to log in to a remote host using the -X option and then started a single GUI application whose window appeared on our local host. The vast majority of the time, if I need remote GUI access, it is usually for a single application, so that is a perfect solution.

However, using VNC can be useful if I need to perform multiple GUI-based tasks on a remote host. In a case such as this, I must set up a VNC server, such as TigerVNC, on the remote host and then use a client to connect with that server. The result is that a GUI desktop hosted by that remote host is displayed on my local desktop.

VNC works by transmitting keyboard and mouse events that originate on the VNC client to the remote VNC server. The VNC server performs the necessary tasks and returns any screen updates back to the client so that the VNC client window may be updated.

TigerVNC

TigerVNC is a fairly standard implementation of VNC. The VNC protocols were originally developed by the Olivetti & Oracle Research Lab in Cambridge, England. VNC allows multiple clients to connect to the server, and is platform-independent in that it allows compatible VNC clients for different operating systems to connect to the server. TigerVNC clients can also connect to compatible VNC servers on other operating systems.

The TigerVNC installation instructions are available in the Fedora documentation, specifically the Infrastructure Services section of the System Administrator’s Guide. This information can be found in the same location for RHEL 7 in the Red Hat documentation. I have not found VNC in the RHEL 8 documentation, possibly because the documentation structure has been changed significantly.

Experiment 14-1

Start this experiment as root on StudentVM2. We will install the TigerVNC server, the client, and configure the server and the firewall. Install the server with the following command.
[root@studentvm2 ~]# dnf -y install tigervnc-server tigervnc
It is necessary to add a rule to the /etc/sysconfig/iptables file. Add the following lines to the Filter table INPUT chain. Note that this one rule allows a range of six ports.
# This line is for TigerVNC
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5900:5905 -j ACCEPT

Be sure to save the revised IPTables rule set.

There is very little configuration required for TigerVNC, but one thing you must do is create a VNC password that the remote clients will use.

As the user student on StudentVM2, issue the vncpasswd command and set the password. Answer n for No to the question about a view-only password. That would allow you to see what was happening on the remote desktop but not to interact with it. This would be useful for viewing the user’s actions on the host but would prevent the remote TigerVNC viewer from interacting with the desktop in any way.
[student@studentvm2 ~]$ vncpasswd
Password:<Enter Password>
Verify:<Enter Password>
Would you like to enter a view-only password (y/n)? n
[student@studentvm2 ~]$

Warning: This password is not encrypted. Anyone with access to your home directory on the server will be able to read this file and your password.

There are a couple ways in which you can test the VNC server. You can go to another host and connect to the VNC server from there or you can connect to your own server using the client. Let’s start by testing on StudentVM2, which is why we also installed the client on it.

As user student on StudentVM2, start the VNC server in the background with its simplest form. The ampersand (&) causes the server to run in the background. This allows us to log in using SSH to a remote host and start the server and then to log out.
[student@studentvm2 ~]$ vncserver &
[1] 24984
[student@studentvm2 ~]$
New 'studentvm2.example.com:1 (student)' desktop is studentvm2.example.com:1
Creating default startup script /home/student/.vnc/xstartup
Creating default config /home/student/.vnc/config
Starting applications specified in /home/student/.vnc/xstartup
Log file is /home/student/.vnc/studentvm2.example.com:1.log
<Press the Enter key>
[1]+  Done                    vncserver
[student@studentvm2 ~]$ ps -ef | grep vnc
student  24997     1  0 11:06 pts/0    00:00:00 /usr/bin/Xvnc :1 -auth /var/run/lightdm/student/xauthority -desktop studentvm2.example.com:1 (student) -fp catalogue:/etc/X11/fontpath.d -geometry 1024x768 -pn -rfbauth /home/student/.vnc/passwd -rfbport 5901 -rfbwait 30000
student  25484 22352  0 11:07 pts/0    00:00:00 grep --color=auto vnc
[student@studentvm2 ~]$

We can see that the server is running and the default geometry of the screen as well as the port number and the display number. Be sure to make note of the display number assigned to the session. It should be :1. Multiple displays are possible, and if you run the above command again, the next display would be :2.

This invocation of the VNC Server defaults to a remote screen size of 1024x768.

Using the application launcher, open Applications > Internet and click the TigerVNC Viewer icon. In the small VNCViewer Connection Details window shown in Figure 14-1, type the name of your VNC server and the display number, that is, studentvm2:1, and press the Connect button.

Figure 14-1. Enter the DNS name of the VNC server and the display number, and then press the Connect button

The VNC authentication window is displayed. Notice that it has a red band at the top with a message to indicate that the connection is not secure. In the VNC authentication window, type the password you previously set. The remote desktop window will open on your desktop as shown in Figure 14-2.

Figure 14-2. The VNC desktop

I received an error in the TigerVNC desktop window. You may see this also, but it is fine to ignore it and click Close.

Now that the window is open, you can resize it to the dimensions of your liking. You can use the remote desktop just as you would if you were sitting in front of the physical screen with a keyboard and mouse for the remote host.

Launch a couple programs like a terminal emulator and the file manager. You should explore the home directory a bit and you will see that the files and directories are those of the student user. When you have finished your explorations, close all of the programs running in the TigerVNC viewer window.

Now close the remote desktop simply by clicking the “X” button to close the TigerVNC viewer window. Terminate the VNC Server. You must use the display number to ensure that you kill the correct display.
[student@studentvm2 ~]$ vncserver -kill :1
Killing Xvnc process ID 24997
[student@studentvm2 ~]$
As the root user on StudentVM1, install the TigerVNC viewer. We don’t need to install the server on this host.
[root@studentvm1 ~]# dnf -y install tigervnc
As the student user on StudentVM2, start the VNC server and set the initial screen geometry for the VNC Server to 1100x1200 with the following command. As we have seen, the screen can be resized after it is started.
[student@studentvm2 ~]$ vncserver -geometry 1100x900 &

Back as the student user on StudentVM1, launch the TigerVNC viewer and log in to the VNC server on StudentVM2 as we did above.

You will see the TigerVNC viewer window similar to that in Figure 14-3. This shows the StudentVM1 desktop and the TigerVNC remote desktop viewer connected to the StudentVM2 host. I have resized the windows to be small enough that they fit the page in a readable size.

Figure 14-3. The StudentVM1 desktop with the TigerVNC viewer containing the remote desktop for StudentVM2

Security

VNC uses unencrypted connections by default. In fact, remote desktop access in general adds a security risk to your environment, but the unencrypted connection is horrible. This could result in your data being intercepted and easily accessed. We can use the -via option of the vncviewer utility to create an SSH tunnel to encrypt the connection from the client to the server.

Experiment 14-2

In this experiment, we will use SSH to encrypt our connection to the server. To begin, as the student user on StudentVM2, ensure that the vncserver is running for display :1.

As the student user on StudentVM1, create an encrypted SSH tunnel to the server using the following command. We have specifically created this tunnel to port 5901 on the VNC server.
[student@studentvm1 ~]$ ssh -L 5901:localhost:5901 studentvm2
Last login: Sat Aug 24 09:47:26 2019 from 192.168.56.21
[student@studentvm2 ~]$

This terminal session is now a tunnel for the student user to the StudentVM2 host.

In another terminal session as the student user, connect to the VNC server.
[student@studentvm1 ~]$ vncviewer -via localhost
TigerVNC Viewer 64-bit v1.9.0
Built on: 2018-09-25 10:36
Copyright (C) 1999-2018 TigerVNC Team and many others (see README.rst)
See http://www.tigervnc.org for information on TigerVNC.
The Connection Details dialog window is displayed. Click the Connect button. In the terminal session, you will be asked for the student user’s password. Enter the password for the student user to continue.
student@localhost's password: <Enter Password>
Sat Aug 24 10:05:37 2019
 DecodeManager: Detected 2 CPU core(s)
 DecodeManager: Creating 2 decoder thread(s)
 CConn:       connected to host localhost port 40013
Sat Aug 24 10:05:38 2019
 CConnection: Server supports RFB protocol version 3.8
 CConnection: Using RFB protocol version 3.8
 CConnection: Choosing security type VeNCrypt(19)
 CVeNCrypt:   Choosing security type TLSVnc (258)

Now the VNC Authentication dialog is displayed. Note that, for me at least, it still has the red banner proclaiming the connection as insecure. Type the VNC authentication password for the student user – this is a different password than the student user’s Linux login password – and click the OK button.

At this point, the VNC session window to StudentVM2 is displayed. Experiment with this for a bit, but the remote desktop should work no differently than it did when it was not encrypted.

When finished, terminate all VNC viewer and server sessions.
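
A check that complements the tunnel in Experiment 14-2, added here as an example and not taken from the book: it reads `ss -tlnH` output and reports, for each VNC port in the 5900:5905 range opened in Experiment 14-1, whether the listener accepts connections from the network or only from loopback. The sample input is constructed, and the function names are this example's own.

```sh
#!/bin/sh
# Added example: report VNC listeners in the range opened by the iptables
# rule (TCP 5900-5905) and whether each one is reachable from the network.

# Constructed sample of `ss -tlnH` output; not captured from a real host.
SAMPLE_SS='LISTEN 0 5 0.0.0.0:5901 0.0.0.0:*
LISTEN 0 5 [::]:5901 [::]:*
LISTEN 0 5 127.0.0.1:5902 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 [::1]:5903 [::]:*'

# Read `ss -tlnH` lines on stdin; print "<display> <port> <address> <status>"
# for every listener on a VNC port. Status is EXPOSED or loopback.
audit_vnc_listeners() {
    awk '
    {
        local_addr = $4                      # Local Address:Port column
        n = split(local_addr, parts, ":")
        port = parts[n] + 0                  # port follows the last colon
        if (port < 5900 || port > 5905) next
        addr = substr(local_addr, 1, length(local_addr) - length(parts[n]) - 1)
        sub(/^\[/, "", addr); sub(/\]$/, "", addr)   # strip IPv6 brackets
        sub(/%.*$/, "", addr)                # strip a scope suffix such as %lo
        status = (addr ~ /^127\./ || addr == "::1") ? "loopback" : "EXPOSED"
        printf ":%d %d %s %s\n", port - 5900, port, addr, status
    }'
}

# Count the VNC listeners bound to a non-loopback address.
count_exposed() {
    audit_vnc_listeners | awk '$4 == "EXPOSED" { n++ } END { print n + 0 }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SS" | audit_vnc_listeners
```

On StudentVM2, run `ss -tlnH | audit_vnc_listeners` while the VNC server is up. Starting the server with the Xvnc `-localhost` option (`vncserver -localhost`) makes it accept connections only from the local machine, so only sessions arriving through the SSH tunnel reach it.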

Problems

I have run into one perplexing problem when using TigerVNC.

Blank TigerVNC view screen

I had installed TigerVNC on one of my smaller hosts to do some experimentation and research before starting work on this course. I had a problem accessing the VNC session after getting everything set up, including the firewall. All the VNC viewer would display was a black screen and sometimes an “X” cursor. A lot of research on Google did not provide an exact solution, primarily due to the age of some of the information and the various configuration files that appear in different distributions and at different times. That research did lead me to synthesize my own related solution to the problem.

When using TigerVNC to log in as a user on a remote host, the VNC configuration is maintained in some files in the ~/.vnc directory. The ~/.vnc/xstartup script file on the server, StudentVM2 in this case, needs to be modified to start a specific desktop rather than the default xinitrc script. Add or modify the lines highlighted in bold as required to resolve this problem if you encounter it.
#!/bin/sh
unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS
# comment out the following line
# exec /etc/X11/xinit/xinitrc
# Add the following line to resolve the blank screen problem
startxfce4

You can see in the ~/.vnc/xstartup file that I have commented out the xinitrc line and added the startxfce4 statement at the bottom of the file. This will start the Xfce desktop. Use the start command for your favorite desktop in your own file. The VNC desktop can be different from the default login desktop.

I did not see this problem when using Xfce or LXDE as the desktops on my hosts, but I did see it with KDE on the TigerVNC server. I did not experience this during my research for this course, but you may run into it “in the wild.”

Note: This solution only works for the specific user account for which this change has been made.

Chapter summary

This chapter has guided us through our exploration of configuring VNC remote desktop sessions. We used TigerVNC for this, but other VNC tools are available. Some of those tools are commercial.

TigerVNC is the default VNC software for many Linux distributions including Fedora. It provides us with the capability to create encrypted or unencrypted desktop connections to one or more remote servers. The server also allows multiple incoming connections so that multiple users can simultaneously use a VNC desktop on the server.

VNC is not always the correct solution for remote GUI access, but it can be the best option for some uses.

Exercises

Perform the following exercises to complete this chapter.
  1. Is the client/server terminology used in VNC consistent with its use in the standard X-Window system and X-forwarding? Why do you think that might be?

  2. On StudentVM2, start two VNC servers using screen :1 and screen :2. Use the TigerVNC viewer to connect to one screen from the localhost, StudentVM2. Also connect to StudentVM2 from StudentVM1 so that you have two VNC sessions running simultaneously.

  3. View the TCP packet stream as you open a VNC session from StudentVM1 to StudentVM2 and perform some simple tasks.