from:www.penlug.org/twiki/bin/view/Main/TightVNC

Using VNC

The tool vncserver allows you to run additional X servers on a single machine. These X servers don't display anywhere, but instead you need to connect to them using vncviewer. The additional servers come up as :1, :2, etc.

Installing VNC

On Debian, to install the packages for running VNC, use:

  apt-get install tightvncserver xtightvncviewer

The general method is as follows:

On the server

Let's say your server is called your_server. On this server, as your userid, run:

  vncserver :1 -geometry 1024x768 -depth 16 -pixelformat rgb565

It will prompt you for a password, which will be used when you log in later from the client. Here, we're just setting it up to run at a size of 1024x768, with a color depth of 16 bits, and with the color format for pixels passed set to use 5 bits for red and blue, and six bits for green. For a full explanation of all the options, use man vncserver. The first time vncserver is started up, it will also create a configuration file, in your home directory, called $HOME/.vnc/xstartup

Even though we've just learned how to launch a vnc server session, surprisingly the first thing we need to learn is how to kill it again. To do this, use:

  vncserver -kill :1

The reason for killing the session is that you may need to edit the default configuration file thatvncserver creates for you, for example to get the vncserver to run the K desktop environment instead of twm, you may want to edit the $HOME/.vnc/xstartup file to replace the line:

twm &

with this line is you use KDE:

startkde &

and with this line if you use GNOME:

gnome-session &

before launching the vncserver again using:

  vncserver :1 -geometry 1024x768 -depth 16 -pixelformat rgb565

On the client

$ vncviewer your_server:1

This will prompt you for a password, then bring up a window showing you the current state of the X session running within the VNC server on the machine your_server. Note that even if you connect to the VNC server from a different client machine, the same session will be seen.

Initially, the vncviewer client runs as a window within your regular X sesion. Consulting the manual using "man vncviewer", you quicky discover that pressing the function key F8 brings up a "popup" menu, where you can choose the option:

  Full Screen

If your current X server's display size matches the setting for the geometry you chose when starting up the vncserver, this will result in a fairly good illusion that you are actually sitting at a regular X session on the console of the remote machine. There will be a little square dot at the end of the mouse cursor to remind you that you are within a vncviewer session.

Note that when vncviewer is running as a window, you may find that it exits with the following error when you try to move it to other virtual desktops in KDE. A workaround for this, suggested by Philip Lijnzaad, is to "shade" the window (by double-clicking on its title bar along the top of the window) before moving it to another virtual desktop, and then "unshading" it once you have selected the new virtual desktop. Note that depending on your KDE settings, another action than double-clicking may be needed to shade a window. You'll know that the window is shaded because it will minimize to just the titlebar whenever it has no focus.

CleanupXErrorHandler calledShmCleanup calledX Error of failed request:  BadMatch (invalid parameter attributes)  Major opcode of failed request:  42 (X_SetInputFocus)  Serial number of failed request:  81551  Current serial number in output stream:  81557

In the case where the above workaround doesn't work and you still get the error, or if you forget to shade the window before moving it, you can simply restart the vncviewer again, and of course your VNC session is just as you left it a few moments ago.

To shut down the KDE window manager running inside the vncserver session, you can of course simply log out in the usual way. If you select the option:

"login as another user"

a KDM login screen won't appear. Instead, to get a new session you'll need to kill the vncserver sesion and start again as described earlier.

VMware with VNC

What if you have a server machine tucked away an a datacenter somewhere, and you would like to use it to run the desktop version of VMware? This is fine according to the VMware license, but the normal method of working with X applications where you simply set your DISPLAY back to your local workstation, doesn't work with VMware, unfortunately. Nor do they suggest any workaround.

One option is of course to haul a keyboard, mouse and monitor over to the datacenter and connect it up to your server, configure the graphics card, and with a bit of luck start up an X session. Then launch VMware as usual, while you sit in front of the server wondering if there was a better way.

By now, you are probably realizing that VNC provides a far easier way. The method of running VNC described in the previous section works with VMware. It works especially well in the case where you are only running server software within the VMware virtual machine, and are not particularily interested in the display of the virtual machine itself (except perhaps at boot time). The method is very satisfactory given that large pools of physical memory and multi-processor capabilities tend to be readily available on server machines.

Running VNC as your "desktop"

Since running VNC in loopback mode on your local desktop machine is so fast, instead of running an X server on their primary workstation, some folks prefer to instead simply run the "vncviewer". A method for doing this was described in a post to the svlug mailing list by Nathan Myers (ncm@cantrip.org), as follows:

1. Quit out of X.

2. Start the VNC server.

     vncserver :0 -geometry 1024x768 -depth 16 -pixelformat rgb565

You may need to change the geometry to match your video card, e.g., it might be:

     vncserver :0 -geometry 1280x1024 -depth 32 

If you use -depth 8, meaning only 8 bits per pixel, it is less pretty. This creates an invisible X desktop with all your gadgets.

3. Start the viewer.

      xinit `which xvncviewer` -passwd ~/.vnc/passwd \         -geometry 1024x768 -display localhost:1.0 localhost:0.0 -- :1

Again, maybe the geometry specification for your screen might need to be different. This allows you to see your desktop gadgets in the server.

4. Enjoy infinitely accessible desktop

Your screen looks pretty much the same as before, except the mouse pointer has a little square in it and everything is a bit slower. To view your desktop from another machine on the network, use:

      xvncviewer -shared  yourmachine:0.0

Now you have a second view of the same desktop. You can quit (or crash) out of both viewers, and the desktop is still there waiting to be connected to. By the way, since the first viewer is running on an X server with no window manager, you'll have to kill the viewer, to get out of it.

VNC with KDE

Some linux distributions have integrated VNC into their X server under KDE. For example, in Mandrake linux, if you want remote users to be able to share your mandrake linux desktop, then select the menu option:

  Mandrake Start Menu -> Internet -> Remote Access -> Virtual Network Connection

In the dialog box, select the

  Allow control of my machine (linux server)

You will need to enter a password for remote users. Press the button launch server, and a new window will appear on your desktop with the letters RFB in it. Remote users will then be able to access your desktop over VNC using the password you provided, until you close the RFB window.

VNC differences across platforms: VNC on Microsoft Windows

On Microsoft Windows, the WinVNC server provides a similar service, but there, of course, the display numbering starts with :0, because Microsoft Windows doesn't have an X server of its own.

Both Karl J. Runge's x11vnc and x0rfbserver from heXoNet allow remote control of an existing X server's display by means of a remote instance of vncviewer (or in the case of x0rfbserver, preferably by means of xrfbviewer).

To install these packages for Debian, use:

apt-get install rfbapt-get install x11vnc

The applications x11vnc and the older x0rfbserver appear to be the only complete remote control solutions for the X windowing system, but maybe there are others. By remote control, I mean being able to use the mouse, keyboard and display of a separate machine to interact with the X display of another system.

If you just want gain remote mouse and keyboard control of a separate machine (whose display you can see locally because it is actually sitting on your desk), then synergy is a very handy application to be aware of. It lets your mouse seamlessly "travel" over to the other display. It's a little tricky to describe, but it's almost like being able to throw away the keyboard and mouse of the other machine.

VNC on Apple MacOS

There are several pre-built Mac VNC clients available, which can be found using:http://www.versiontracker.com Ivan Poddubny suggests building TightVNC from source. For that, you'll need to have X11 for MacOS installed.

VNC over OpenSSH

The following is just a summary of the full explanation.

To use VNC over OpenSSH, first you need to run an ssh session on the machine where you will be running the vncviewer, to request that ssh listen on a particular port on your local machine, and forward communication on that port down the secure connection to a port on the machine running the vncserver.

For example:

    ssh -L x:localhost:y vncserver_machine

means "Start an SSH connection to the vncserver_machine, and also listen on port x on my machine, and forward any connections there to port y on the vncserver_machine."

Now, the VNC protocol normally uses port 59xx, where xx is the display number of the server. So a VNC server on a Windows machine, which normally uses display number 0, will listen on port 5900. The first VNC server on linux will probably use display number 1, and subsequent servers would use 2, 3, etc. and so the vncservers on linux will be listening on ports 5901, 5902 and so forth.

By forwarding these ports to a remote machine running vncserver, you can make the remote VNC server appear to be a server running on your local machine.

So, imagine you had a VNC server running as display :1 on vncserver_machine, and you wanted a secure connection to it from your local machine. You could start the ssh session using:

    ssh -CL 5902:localhost:5901 vncserver_machine

After that, starting up the vncviewer as follows on your local machine:

    vncviewer -encodings "copyrect hextile" localhost:2 

would actually connect to display :1 on the vncserver_machine.

Note that the above OpenSSH command-line is deliberately meant to accept incoming connections only from the local machine. This means that to use the ssh connection that we have just set up, we must connect to it from the same machine, using the special name localhost, rather than using the local machine's own unique name.

Choosing the appropriate compression method for using VNC over OpenSSH

When you use the linux VNC viewer to connect to a local machine, for best performance VNC selects whatever is available from the following list of compression methods to encode screen updates, in this order:

  raw copyrect tight hextile zlib corre rre

As you can see, for local connections, VNC's raw pixel encoding is first in this list, and although it generally gives better performance for local access, when the vncserver is actually remote (i.e. when you are really accessing it over an ssh tunnel), then if the raw encoding is used, a lot more data will be sent over the network than is necessary. The order of the list of compression methods that VNC chooses from when the connection is to a remote vncserver, is as follows:

  copyrect tight hextile zlib corre rre raw

So, when using vnc over ssh, let's use the compression methods copyrect and hextile, and of course leave out raw, as follows:

    vncviewer -encodings "copyrect hextile" localhost:2 

Using vnc over ssh with ssh compression enabled

OpenSSH can compress the data it transfers. This is particularly useful if the link between the vncviewer and the vncserver is a slow one, such as a modem, but even on a faster network it can help make up for the fact that the encryption takes a certain amount of time and so can slow the link down a little. To add simple compression, use the -C option to ssh (or the +C option for ssh v2). To see how much your data is actually being compressed, you can use the -v option to ssh.

Using vnc in a Java-enabled browser

John McCaughey suggested that for Apple Macintosh machines, it might be simplest to use vnc within a Web browser. The VNC server also serves a Java applet that should run within any Java-enabled browser. Let's say you have a VNC server set up as session :1 on vncserver_machine, and you fire up your web browser, and go to:

  http://vncserver_machine:5801

the browser will then prompt you for the VNC server password as usual, and the VNC viewer session will start up within the browser in a Java applet.

Using VNC over OpenSSH in a Java-enabled browser

To use the Java applet method over an OpenSSH tunnel, two tunnels need to be set up, one on port 5801and another on 5901. Note that the local side of the 5901 port must be forwarded with the same number, as unfortunately the vncserver software sends back the Java applet server's port number incremented by100 to the Java applet running in the client browser, to establish the communication channel. So forwarding the ports over ssh would look like this:

ssh -L 5802:localhost:5801 -L 5901:localhost:5901 vncserver_machine

Piotr Zbiegiel suggests that instead of listing so many port forwardings, it might be more convenient to put the settings into your local $HOME/.ssh/config file as follows:

  Host vncserver_machine  ForwardX11 no  LocalForward 5802 localhost:5801  LocalForward 5901 localhost:5901

To launch the VNC client Java applet, put the following url in the client browser:

http://localhost:5802

Note: when using port forwarding, remember that if you ssh or scp over to the same machine name again, ssh will try to establish the same port forwardings again a second time, and fail with a "port busy" message. To avoid this, use an alias for the remote machine (add the alias to your /etc/hosts file), and ssh or scp to the alias instead. This works because ssh is very literal-minded about reading its config file. Lucky for us.

Port-forwarding firewall considerations

If you are trying to run VNC over an SSH tunnel into a machine (on a private network) located behind a port-forwarding firewall, then this section may be just what the doctor ordered. Thanks to Bill Crooke for this guide.

Let's say the VNC server machine that you are trying to connect to is located behind a firewall that uses port forwarding. This VNC server machine has an IP address that is a member of one of the private networks located behind the firewall. To connect to this machine using VNC over OpenSSH, you may need to use a modified invocation of the ssh command, specifying the machine's IP address rather than simply using localhost.

For example, if the IP address of the firewall is 24.4.252.118, the firewall is forwarding port 22 to the VNC server machine, and the VNC server machine has a private address of 192.168.0.200, then you would need to use the following ssh command to set up the OpenSSH tunnel for VNC. In plain English, this command means "Start an SSH connection to the firewall machine at 24.4.252.118, and at the same time listen on port 5903 of my local machine and forward any connections you see there to port 5905 on the remote VNC server machine at =192.168.0.200=".

  ssh -CL  5903:192.168.0.200:5905  24.4.252.118

The above command would be used in place of:

  ssh -CL  5903:localhost:5905  24.4.252.118 

Brute forcing vnc passwords

Only the first eight characters of the vncserver password are used for authentication, and there is no concept of user accounts in vncserver. Apssword guessing is very fast, and the vncserver does not generate any failed login messages. A patch to rfbproto.c in the vncviewer sources (specifically vnc-3.3.3r1_unixsrc.tgz) to enable brute forcing vnc passwords can be found here.

This patch to the vncviewer source code enables it to crack its way into a vncserver instead of simply requesting the password from the local user.

vnc server password encryption vulnerabilities

In November 1999, Conde Vampiro reported the following vulnerability related to VNC: VNC 3.3.2 R6 uses a weak password protection mechanism. The VNC password protection uses DES encryption, but the way WinVNC does the encryption is rather poor and can be easily decrypted by anyone with read access to the Microsoft operating system's registry.

The WinVNC software contains two vulnerabilities:

Fixed password length vulnerability

The fixed password length (up to 8 characters) that VNC uses is vulnerable. This vulnerability also applies to the linux vncserver. When the WinVNC server is installed on a Microsoft operating system, the encrypted password can be found under the following registry keys (look for the word "password"):

     \HKEY_CURRENT_USER\Software\ORL\WinVNC3     \HKEY_USERS\.DEFAULT\SOftware\ORL\WinVNC3

Fixed encryption key vulnerability

The fixed encryption key that VNC uses is insecure. When the WinVNC server encrypts a password it always uses the same fixed key, so the DES encrypted output is always the same for any given password. Since the software is open-source, the fixed key is publicly available, making the encryption pointless. The WinVNC server always uses the same fixed key in the current version:

      ("23 82 107 6 35 78 88 7") 

This mean that an attacker with read access to the Microsoft operating system's registry can simply decode the password and obtain the plain-text version of it.

An exploit for the above vulnerability is available.

Welcome to Hollywood - Recording your VNC session as a Shockwave animation

vnc2swf is a cross-platform screen recording tool developed by Yusuke Shinyama. It's a way to record your VNC session as an Adobe/Macromedia Shockwave Flash animation format file (swf), so that you can later play it back in Firefox, or using a standalone flash player e.g. gnash or swfdec or gplflash. For Debian stable, to build vnc2swf proceed something like this:

  sudo apt-get install libxmu-dev  sudo apt-get install libxaw7-dev  wget http://www.unixuser.org/~euske/vnc2swf/vnc2swf-0.5.0.tar.gz  tar zxvf vnc2swf-0.5.0.tar.gz  cd vnc2swf-0.5.0  ./configure  make  ./vnc2swf -startrecording outfile.swf your_vnc_server:1 > outfile.html

This will bring up a VNC client which is recording everything from your VNC server into the outfile.swf and once you quit by pressing F8 Q it will also build outfile.html which you can open in Firefox to review your captured animation, or should I say your next blockbuster.

Update: The Python version of vnc2swf includes a nifty sliding search bar at the bottom of your masterpiece, so that you can seek (and your audience can skip over any less-than stellar segments of your creation). For Debian stable, we can get it installed something like this:

  sudo apt-get install python2.3-tk  sudo apt-get install python-pygame  wget http://www.unixuser.org/~euske/vnc2swf/pyvnc2swf-0.8.2.tar.gz  tar zxvf pyvnc2swf-0.8.2.tar.gz  cd pyvnc2swf-0.8.2  ./vnc2swf.py

This brings up a nice friendly dialog box, with a "Start" button, which initiates the recording of the VNC server session, so you just control the VNC session you're recording using your regular VNC viewer.

-- PeterKnaggs - 21 Jul 2006

Back to LinuxHints - Everything GNU ever wanted to know about Linux