from:www.penlug.org/twiki/bin/view/Main/TightVNC
Using VNC
vncserver
allows you to run additional X servers on a single machine. These X servers don't display anywhere, but instead you need to connect to them using vncviewer
. The additional servers come up as :1
, :2
, etc.Installing VNC
On Debian, to install the packages for running VNC, use:
apt-get install tightvncserver xtightvncviewer
On the server
Let's say your server is called your_server
. On this server, as your userid, run:
vncserver :1 -geometry 1024x768 -depth 16 -pixelformat rgb565
1024x768
, with a color depth of 16 bits, and with the color format for pixels passed set to use 5 bits for red and blue, and six bits for green. For a full explanation of all the options, use man vncserver
. The first time vncserver is started up, it will also create a configuration file, in your home directory, called $HOME/.vnc/xstartup
vncserver -kill :1
The reason for killing the session is that you may need to edit the default configuration file thatvncserver
creates for you, for example to get the vncserver to run the K desktop environment instead of twm
, you may want to edit the $HOME/.vnc/xstartup
file to replace the line:
twm &
startkde &
gnome-session &
vncserver :1 -geometry 1024x768 -depth 16 -pixelformat rgb565
On the client
$ vncviewer your_server:1
This will prompt you for a password, then bring up a window showing you the current state of the X session running within the VNC server on the machine your_server
. Note that even if you connect to the VNC server from a different client machine, the same session will be seen.
Full Screen
If your current X server's display size matches the setting for the geometry you chose when starting up the vncserver, this will result in a fairly good illusion that you are actually sitting at a regular X session on the console of the remote machine. There will be a little square dot at the end of the mouse cursor to remind you that you are within a vncviewer session.
vncviewer
is running as a window, you may find that it exits with the following error when you try to move it to other virtual desktops in KDE. A workaround for this, suggested by Philip Lijnzaad, is to "shade" the window (by double-clicking on its title bar along the top of the window) before moving it to another virtual desktop, and then "unshading" it once you have selected the new virtual desktop. Note that depending on your KDE settings, another action than double-clicking may be needed to shade a window. You'll know that the window is shaded because it will minimize to just the titlebar whenever it has no focus.CleanupXErrorHandler called
ShmCleanup called
X Error of failed request: BadMatch (invalid parameter attributes)
Major opcode of failed request: 42 (X_SetInputFocus)
Serial number of failed request: 81551
Current serial number in output stream: 81557
vncviewer
again, and of course your VNC session is just as you left it a few moments ago.VMware with VNC
What if you have a server machine tucked away an a datacenter somewhere, and you would like to use it to run the desktop version of VMware? This is fine according to the VMware license, but the normal method of working with X applications where you simply set your DISPLAY
back to your local workstation, doesn't work with VMware, unfortunately. Nor do they suggest any workaround.
Running VNC as your "desktop"
Since running VNC in loopback mode on your local desktop machine is so fast, instead of running an X server on their primary workstation, some folks prefer to instead simply run the "vncviewer". A method for doing this was described in a post to the svlug mailing list by Nathan Myers (ncm@cantrip.org), as follows:
1. Quit out of X.
2. Start the VNC server.
vncserver :0 -geometry 1024x768 -depth 16 -pixelformat rgb565
You may need to change the geometry to match your video card, e.g., it might be:
vncserver :0 -geometry 1280x1024 -depth 32
If you use -depth 8, meaning only 8 bits per pixel, it is less pretty. This creates an invisible X desktop with all your gadgets.
3. Start the viewer.
xinit `which xvncviewer` -passwd ~/.vnc/passwd \
-geometry 1024x768 -display localhost:1.0 localhost:0.0 -- :1
Again, maybe the geometry specification for your screen might need to be different. This allows you to see your desktop gadgets in the server.
4. Enjoy infinitely accessible desktop
Your screen looks pretty much the same as before, except the mouse pointer has a little square in it and everything is a bit slower. To view your desktop from another machine on the network, use:
xvncviewer -shared yourmachine:0.0
Now you have a second view of the same desktop. You can quit (or crash) out of both viewers, and the desktop is still there waiting to be connected to. By the way, since the first viewer is running on an X server with no window manager, you'll have to kill the viewer, to get out of it.
VNC with KDE
Some linux distributions have integrated VNC into their X server under KDE. For example, in Mandrake linux, if you want remote users to be able to share your mandrake linux desktop, then select the menu option:
Mandrake Start Menu -> Internet -> Remote Access -> Virtual Network Connection
Allow control of my machine (linux server)
You will need to enter a password for remote users. Press the button launch server
, and a new window will appear on your desktop with the letters RFB
in it. Remote users will then be able to access your desktop over VNC using the password you provided, until you close the RFB
window.
VNC differences across platforms: VNC on Microsoft Windows
On Microsoft Windows, the WinVNC server provides a similar service, but there, of course, the display numbering starts with :0, because Microsoft Windows doesn't have an X server of its own.
heXoNet
allow remote control of an existing X server's display by means of a remote instance of vncviewer
(or in the case of x0rfbserver
, preferably by means of xrfbviewer
).apt-get install rfb
apt-get install x11vnc
x11vnc
and the older x0rfbserver
appear to be the only complete remote control solutions for the X windowing system, but maybe there are others. By remote control, I mean being able to use the mouse, keyboard and display of a separate machine to interact with the X display of another system.synergy
is a very handy application to be aware of. It lets your mouse seamlessly "travel" over to the other display. It's a little tricky to describe, but it's almost like being able to throw away the keyboard and mouse of the other machine.VNC on Apple MacOS
There are several pre-built Mac VNC clients available, which can be found using:http://www.versiontracker.com Ivan Poddubny suggests building TightVNC from source. For that, you'll need to have X11 for MacOS installed.
VNC over OpenSSH
The following is just a summary of the full explanation.
ssh
session on the machine where you will be running the vncviewer, to request that ssh
listen on a particular port on your local machine, and forward communication on that port down the secure connection to a port on the machine running the vncserver.ssh -L x:localhost:y vncserver_machine
means "Start an SSH connection to the vncserver_machine
, and also listen on port x
on my machine, and forward any connections there to port y
on the vncserver_machine
."
59xx
, where xx
is the display number of the server. So a VNC server on a Windows machine, which normally uses display number 0
, will listen on port 5900
. The first VNC server on linux will probably use display number 1
, and subsequent servers would use 2
, 3
, etc. and so the vncservers on linux will be listening on ports 5901
, 5902
and so forth.vncserver
, you can make the remote VNC server appear to be a server running on your local machine.:1
on vncserver_machine
, and you wanted a secure connection to it from your local machine. You could start the ssh
session using:ssh -CL 5902:localhost:5901 vncserver_machine
After that, starting up the vncviewer
as follows on your local machine:
vncviewer -encodings "copyrect hextile" localhost:2
would actually connect to display :1
on the vncserver_machine
.
ssh
connection that we have just set up, we must connect to it from the same machine, using the special name localhost
, rather than using the local machine's own unique name.Choosing the appropriate compression method for using VNC over OpenSSH
When you use the linux VNC viewer to connect to a local machine, for best performance VNC selects whatever is available from the following list of compression methods to encode screen updates, in this order:
raw copyrect tight hextile zlib corre rre
As you can see, for local connections, VNC's raw
pixel encoding is first in this list, and although it generally gives better performance for local access, when the vncserver is actually remote (i.e. when you are really accessing it over an ssh tunnel), then if the raw
encoding is used, a lot more data will be sent over the network than is necessary. The order of the list of compression methods that VNC chooses from when the connection is to a remote vncserver, is as follows:
copyrect tight hextile zlib corre rre raw
So, when using vnc over ssh, let's use the compression methods copyrect
and hextile
, and of course leave out raw
, as follows:
vncviewer -encodings "copyrect hextile" localhost:2
Using vnc over ssh with ssh compression enabled
OpenSSH can compress the data it transfers. This is particularly useful if the link between the vncviewer and the vncserver is a slow one, such as a modem, but even on a faster network it can help make up for the fact that the encryption takes a certain amount of time and so can slow the link down a little. To add simple compression, use the -C
option to ssh
(or the +C
option for ssh v2). To see how much your data is actually being compressed, you can use the -v
option to ssh
.
Using vnc in a Java-enabled browser
John McCaughey suggested that for Apple Macintosh machines, it might be simplest to use vnc
within a Web browser. The VNC server also serves a Java applet that should run within any Java-enabled browser. Let's say you have a VNC server set up as session :1
on vncserver_machine
, and you fire up your web browser, and go to:
http://vncserver_machine:5801
the browser will then prompt you for the VNC server password as usual, and the VNC viewer session will start up within the browser in a Java applet.
Using VNC over OpenSSH in a Java-enabled browser
To use the Java applet method over an OpenSSH tunnel, two tunnels need to be set up, one on port 5801
and another on 5901
. Note that the local side of the 5901
port must be forwarded with the same number, as unfortunately the vncserver software sends back the Java applet server's port number incremented by100
to the Java applet running in the client browser, to establish the communication channel. So forwarding the ports over ssh
would look like this:
ssh -L 5802:localhost:5801 -L 5901:localhost:5901 vncserver_machine
Piotr Zbiegiel suggests that instead of listing so many port forwardings, it might be more convenient to put the settings into your local $HOME/.ssh/config
file as follows:
Host vncserver_machine
ForwardX11 no
LocalForward 5802 localhost:5801
LocalForward 5901 localhost:5901
To launch the VNC client Java applet, put the following url in the client browser:
http://localhost:5802
Note: when using port forwarding, remember that if you ssh or scp over to the same machine name again, ssh will try to establish the same port forwardings again a second time, and fail with a "port busy" message. To avoid this, use an alias for the remote machine (add the alias to your /etc/hosts
file), and ssh or scp to the alias instead. This works because ssh is very literal-minded about reading its config file. Lucky for us.
Port-forwarding firewall considerations
If you are trying to run VNC over an SSH tunnel into a machine (on a private network) located behind a port-forwarding firewall, then this section may be just what the doctor ordered. Thanks to Bill Crooke for this guide.
localhost
.24.4.252.118
, the firewall is forwarding port 22
to the VNC server machine, and the VNC server machine has a private address of 192.168.0.200
, then you would need to use the following ssh command to set up the OpenSSH tunnel for VNC. In plain English, this command means "Start an SSH connection to the firewall machine at 24.4.252.118
, and at the same time listen on port 5903
of my local machine and forward any connections you see there to port 5905
on the remote VNC server machine at =192.168.0.200=".ssh -CL 5903:192.168.0.200:5905 24.4.252.118
The above command would be used in place of:
ssh -CL 5903:localhost:5905 24.4.252.118
Brute forcing vnc passwords
Only the first eight characters of the vncserver
password are used for authentication, and there is no concept of user accounts in vncserver. Apssword guessing is very fast, and the vncserver
does not generate any failed login messages. A patch to rfbproto.c
in the vncviewer sources (specifically vnc-3.3.3r1_unixsrc.tgz
) to enable brute forcing vnc passwords can be found here.
vncviewer
source code enables it to crack its way into a vncserver
instead of simply requesting the password from the local user.vnc server password encryption vulnerabilities
In November 1999, Conde Vampiro reported the following vulnerability related to VNC: VNC 3.3.2 R6 uses a weak password protection mechanism. The VNC password protection uses DES encryption, but the way WinVNC does the encryption is rather poor and can be easily decrypted by anyone with read access to the Microsoft operating system's registry.
Fixed password length vulnerability
The fixed password length (up to 8 characters) that VNC uses is vulnerable. This vulnerability also applies to the linux vncserver. When the WinVNC server is installed on a Microsoft operating system, the encrypted password can be found under the following registry keys (look for the word "password"):
\HKEY_CURRENT_USER\Software\ORL\WinVNC3
\HKEY_USERS\.DEFAULT\SOftware\ORL\WinVNC3
Fixed encryption key vulnerability
The fixed encryption key that VNC uses is insecure. When the WinVNC server encrypts a password it always uses the same fixed key, so the DES encrypted output is always the same for any given password. Since the software is open-source, the fixed key is publicly available, making the encryption pointless. The WinVNC server always uses the same fixed key in the current version:
("23 82 107 6 35 78 88 7")
This mean that an attacker with read access to the Microsoft operating system's registry can simply decode the password and obtain the plain-text version of it.
Welcome to Hollywood - Recording your VNC session as a Shockwave animation
vnc2swf is a cross-platform screen recording tool developed by Yusuke Shinyama. It's a way to record your VNC session as an Adobe/Macromedia Shockwave Flash animation format file (swf), so that you can later play it back in Firefox, or using a standalone flash player e.g. gnash or swfdec or gplflash. For Debian stable, to build vnc2swf proceed something like this:
sudo apt-get install libxmu-dev
sudo apt-get install libxaw7-dev
wget http://www.unixuser.org/~euske/vnc2swf/vnc2swf-0.5.0.tar.gz
tar zxvf vnc2swf-0.5.0.tar.gz
cd vnc2swf-0.5.0
./configure
make
./vnc2swf -startrecording outfile.swf your_vnc_server:1 > outfile.html
This will bring up a VNC client which is recording everything from your VNC server into the outfile.swf and once you quit by pressing F8 Q it will also build outfile.html which you can open in Firefox to review your captured animation, or should I say your next blockbuster.
sudo apt-get install python2.3-tk
sudo apt-get install python-pygame
wget http://www.unixuser.org/~euske/vnc2swf/pyvnc2swf-0.8.2.tar.gz
tar zxvf pyvnc2swf-0.8.2.tar.gz
cd pyvnc2swf-0.8.2
./vnc2swf.py
This brings up a nice friendly dialog box, with a "Start" button, which initiates the recording of the VNC server session, so you just control the VNC session you're recording using your regular VNC viewer.