gui on a headless server

Carel Lubbe carel.lubbe at openpolytechnic.ac.nz
Thu Oct 22 20:03:19 UTC 2009 

Hi,

I hope this helps.

Regards,

Carel.



##########################################################################################################################
Set up of a  VNC Server

"Virtual Network Computing (VNC) is a desktop protocol to remotely control another computer. It transmits the keyboard presses and mouse clicks from one computer to another relaying the screen updates back in the other direction, over a network."
 
This how to describes in brief how to configure VNC server instances for one or multiple users on a remote machine, how to use VNC to start graphical applications on boot and finally how to enhance security by connecting to the server through encrypted SSH tunnels.

Prerequisites
  1.  A user account should exist on the remote machine.
  2.  The RPM packages vnc-server and vnc should be installed on the remote machine and your workstation respectively.

Setting up the server
I assume that we have setup a remote user account, named "leopard" and we want to start an X session through VNC for this user.
In Red Hat based distros in general, all we have to do is define the VNC server instances in /etc/sysconfig/vncservers. These will be started by the vncserver initscript. This has to be done as root. Edit this file so that it contains the following:

vi /etc/sysconfig/vncservers
VNCSERVERS="3:leopard"
VNCSERVERARGS[3]="-geometry 1024x768 -depth 16"

With these we define that a vnc server instance should be started as user leopard on display 3 and we also set some options for this server such as resolution and color depth. Each VNC server instance listens on port 5900 plus the display number on which the server runs. In our case, leopard’s vnc server would listen on port 5903.
For multiple vnc instances /etc/sysconfig/vncservers would look like this:

vi /etc/sysconfig/vncservers
VNCSERVERS="1:tiger 2:albatros 3:leopard"
VNCSERVERARGS[1]="-geometry 1024x768 -depth 16"
VNCSERVERARGS[2]="-geometry 800x600 -depth 8"
VNCSERVERARGS[3]="-geometry 1024x768 -depth 16"

These would listen on ports 5901, 5902, 5903 respectively .... Remember to add these to the firewall.

User Configuration
There is one more thing that needs to be done on the remote machine. User leopard’s vnc password needs to be set. So, as user leopard give the command:

As leopard
# vncpasswd
We are prompted for a password. This is the password that we will use when we connect to leopard’s vnc server instance. This password is saved in /home/leopard/.vnc/passwd.
Start the VNC server
After the initial configuration is done we restart the vnc service. 

As root:
# service vncserver restart

To make VNC server to start on boot:
# chkconfig vncserver on

More User Configuration
After the VNC service is started, some new files are created in /home/leopard/.vnc/ directory. These include leopard’s vnc server log file, pid file and an X startup script. As user leopard we edit the script in order to customize some settings. The default /home/leopard/.vnc/xstartup script contains some commands that are executed when the VNC server is started. 

These include:
xsetroot -solid grey
vncconfig -iconic &
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
twm &

xsetroot in this case sets the background color.
vncconfig is a supplementary program that can be used to control the vnc server. Apart from this, when run without arguments it acts as a helper application and its main purpose is to provide support for clipboard transfers between the client (vncviewer) and the vnc server.
xterm starts an xterm terminal.
twm starts the X server’s default window manager. We probably want to change that to a more user friendly window manager, eg fluxbox.

The VNC server, apart from letting us control a remote machine using a graphical interface, it serves as a way to start graphical applications on boot. For example, I want my favourite p2p program, amule, to start on boot. So, I add this to the /home/leopard/.vnc/xstartup script. This is how my xstartup file looks like:
xsetroot -solid grey
vncconfig -iconic &
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" -e ./menu &
amule &
fluxbox & 
menu is a script of mine that is executed when xterm is started.

If you read the coments in the .vnc/xstartup file you can also follow the instructions in there and coment the first two lines and that will give you a Gnome session when connecting to your vnc server.

# Uncomment the following two lines for normal desktop:
unset SESSION_MANAGER
exec /etc/X11/xinit/xinitrc

Remember to put the "&" symbol after each command, so that it goes to the background and the xstartup script continues on.
Restart the VNC service for the changes to take effect. 

As root:
# service vncserver restart

Connect to the VNC server
In our example, leopard’s vnc server listens for connections on port 5903. So, open this port in the remote machine’s firewall.
We connect to the remote machine using a vnc viewer. Having installed the vnc package, connect to to the server with the following command:

# vncviewer 10.3.1.3:5902:2
The general usage is :
vncviewer [Server's IP]:[Port]:[Display]
We are prompted for the password and eventually connect to the server. Closing the vncviewer’s window, does not affect the server or the programs we run on it. If we reconnect everything will be there.
Special Note: There is no need, actually it’s pointless and could give you some trouble, to logoff from your remote X session. If this happens, generally you need to restart the VNC service on the remote machine to get your remote desktop back. If you want to stop working on your remote desktop, just close the vncviewer’s window and you are done.

Security
The VNC protocol is not a secure communication protocol. The use of a vnc password provides security at the level of server access (it’s vulnerable to brute-force attacks though), but the whole VNC session is transmitted in the clear, without encryption. The easiest, but most effective, way to secure our connection to the VNC server is to connect through an encrypted SSH tunnel. This way the whole session will be encrypted.
The rest assume that you have the SSH server up and running on your remote machine (server.example.com) and you know what SSH tunnels are.
So, what we are going to do is to create an encrypted tunnel, and connect to our VNC server through it. We also want this tunnel to be automatically closed as soon as we shut down vncviewer. All this is done with the following command:
ssh -f -L 25902:127.0.0.1:5902 carel at 121.73.35.97 sleep 10; vncviewer 127.0.0.1:25902:2

This is what it does:
-L 25903:127.0.0.1:5903 forwards our local port 25903 to port 5903 on the remote machine. In other words, it creates the tunnel. 
-f forks the SSH session to the background, while sleep is being executed on the remote machine. This ssh option is needed because we want to execute the following command (vncviewer) in the same local machine’s terminal. 
vncviewer connects to the forwarded local port 25903 in order to connect to the VNC server through the encrypted tunnel. 
The sleep command is of major importance in the above line as it keeps the encrypted tunnel open for 10 seconds. If no application uses it during this period of time, then it’s closed. Contrariwise, if an application uses it during the 10 sec period, then the tunnel remains open until this application is shut down. This way the tunnel is automatically closed at the time we close vncviewer’s window, without leaving any SSH processes running on our workstation. This is pure convenience! More information can be found at the Auto-closing SSH Tunnels article.
Using SSH tunnels to conect to your VNC server has two advantages:
  1.  The whole session is encrypted. 
  2.  Keeping port 5903 open on your remote machine is no longer needed, since all take place through the SSH tunnel. So, no one will know that you run a VNC server on the remote machine. 
############################################################################################################################



On Thursday 22 October 2009 19:00:07 Geofrey Rainey wrote:
> Also, if you're able to VNC to the box, you'll probably be presented with an xterm and not the GUI login as you'd expect. I can't quite remember why this
> Is, it's something to do with a file starting "twm" window manager and this needs to be changed to another window manager like gnome. If you need to know I could look a little deeper into it.
> 
> -----Original Message-----
> From: redhat-list-bounces at redhat.com [mailto:redhat-list-bounces at redhat.com] On Behalf Of Prajish S
> Sent: Thursday, 22 October 2009 6:40 p.m.
> To: General Red Hat Linux discussion list
> Subject: Re: gui on a headless server
> 
> > > Hi,
> > >
> > > aside from the mirroring issue i had with this server, it's also a headless
> > > one.  So i was able to install RHEL5 into runlevel 3 via serial. But how do
> > > i configure it such that i can VNC to it and use gui/gnome/kde, etc.
> 
> Do an "rpm -qa | grep vnc" to check whether the vnc server package is installed.
> 
> if installed, execute "vncserver" from the shell to create a running
> vnc session.
> 
> first line of the output will look similar to this
> 
> "New 'hostname:display (user)' desktop is hostname:display "
> 
> put this hostname:display in your vncviewer to get the access..
> 
> 
> Regards
> Prajish S
> tweet me @prajish
> 
> -- 
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
> ==========================================================
> For more information on the Television New Zealand Group, visit us
> online at tvnz.co.nz 
> ==========================================================
> CAUTION:  This e-mail and any attachment(s) contain information that
> is intended to be read only by the named recipient(s).  This information
> is not to be used or stored by any other person and/or organisation.
> 
>

More information about the redhat-list mailing list