theCAT
  
Report a Problem:
Email: support@cat.pdx.edu
Phone: 503-725-5420
Location: FAB 82-01
  USERS PLATFORMS SYSTEM RESOURCES    
Home Students Fac/Staff CS Tutors Guidelines Windows Linux Mac Mail Network Software Web TheCAT Sitemap Contact
arrowHome arrow Linux arrow Remote Access arrow Secure VNC from Linux Wednesday, 29 March 2017  
Remote Access
Secure VNC in Linux Print
Written by Administrator   
Wednesday, 16 February 2011

VNC allows you to remotely start a desktop environment on a computer, and interact with that desktop from your local machine. Unfortunately, VNC doesn't have built-in encryption, which means that all information sent through VNC can be caught by dubious third parties. One solution to this problem comes from utilizing ssh (The Secure Shell) to encrypt the traffic between you and your remote host. This tutorial will cover the basics of starting a VNC server, wrapping it in ssh, and connecting to your remote desktop securely. In the following examples I will be connecting to eve.ece.pdx.edu using display 44, which means my port number will be 5944 (VNC port numbers are equal to 5900 plus the display number). Where ever eve.ece.pdx.edu is mentioned, one could also use walle.ece.pdx.edu.

NOTE: You must connect to the VPN before you can access the Redhat machines (eve.ece.pdx.edu and walle.ece.pdx.edu)

All remote access to those hosts requires the VPN. This includes SSH and VNC connections.
Read our Tier 3 linux VPN guide for how to connect to the VPN.

Preliminaries

Starting the Server

Before we can connect to the remote desktop, we need to start the VNC server on the remote machine. In order to do this, ssh in to the machine where you'll be accessing the remote desktop. In a terminal, run the following command:

    vncserver -localhost

This will start the VNC server on the machine and tell it to only accept connections from the localhost, which is to say from users logged into the machine hosting the VNC server. You will be prompted for a password to log you into your VNC session (This is _not_ like logging in with your MCECS account. This password is arbitrarily chosen by you. It is _strongly_ advised that you not use your MCECS account password here!)
NOTE: This password must be under 8 characters!
It will also ask if you want to assign a view-only password. This would be a password you would give to someone if you wanted them to observe your VNC session without being able to interact the desktop. Afterwards, you should receive some output that looks like this:

    New 'X' desktop is eve.ece.pdx.edu:44

    Starting applications specified in /u/cecsuser/.vnc/xstartup
    Log file is /u/cecsuser/.vnc/eve.ece.pdx.edu:44.log

NOTE: The display number is where your VNC session funneling your desktop. My server was started on display number 44, as it was the next display available. In theory, the display number can be anywhere from 1 to 9999, and you can manually choose a display granting that it's not already in use. (for reference, :0 is considered the root display, for displays physically connected to the machine).

Troubleshooting: If you have forgotten your vnc password, or wish to change it use the vncpasswd command. It will prompt you for a new vncpassword and immediately change the vnc password. 

Creating the SSH Tunnel in Linux

Now that we have the VNC server running, we need to create the ssh tunnel from your local machine to the remote host. Log out of your ssh session (don't worry about vncserver dying when you quit, it's backgrounded) and reconnect to the same machine with the following:

    ssh cecsuser@eve.ece.pdx.edu -L 5944:localhost:5944

Where cecsuser would be replaced with your MCECS account username.
Remember: We were given display 44, which means the port number will be 5944 (VNC port numbers are equal to 5900 plus the display number).

NOTE: The syntax -L 5944:localhost:5944 is what is responsible for creating the ssh tunnel VNC will be using between your local host and the remote host. In essence, what it's saying is take everything that is being sent through the remote computer's port 5944 (the second number) and funnel it into the local computer's port 5944 (the first number). We're using the same two numbers here for simplicity's sake, but as above you can specify the port on the local computer (any number between 1024 and 65535).

VNC with Remmina (Linux GUI)

Remmina is the default remote desktop viewer included with Ubuntu (as of version 14.04). To start Remmina, you can either press the windows key, or open a run prompt (Alt+F2 by default)

 Image

Then click the blank page to create a new connection.
Image

Next, enter the information below:

 Image

Now you can click save, or connect. If you entered a password for your VNC session (which you really should do!), you will be prompted for it now:

 Image

Finally, you can enjoy your remote desktop session! Since you have a tunnel to the remote machine starting from your port 5944 and ending at the remote machine's port 5944, which is used by VNC, Remmina will treat the VNC session as if it's running locally.

If you clicked save, it will remember the port you used to connect to your VNC session. If next time the port changes, you can edit this connection by clicking on the connection, and then the pencil.

Troubleshooting: If you are having problems connecting, make sure the SSH tunnel is set up.

VNC from the Linux CLI

There are a number of available commandline VNC viewers available, among them is a commandline version of Vinagre as well as xtightvncviewer, which is the counterpart to tightvncserver. To install xtightvncviewer in Ubuntu, type the following into a terminal:

    sudo apt-get install xtightvncviewer

To start the viewer, follow the steps under Preliminaries and then enter the following:

    vncviewer localhost:5944

You will be prompted for your VNC server password:
NOTE: This password must be under 8 characters!

 

 Image

You'll notice that xtightvncviewer has a much more spartan interace than Vinagre. In order to affect setting in xvncviewer, hit F8 to bring up a menu

NOTE: It is important to log out from inside your remote connection. If you close your VNC viewer without logging out, the VNC server will continue running on the remote host and use system resources. If you leave it for too long, it will eventually be forcibly killed by a system administrator and you will be notified via e-mail. Please be considerate of others and correctly terminate your VNC servers!

Last Updated ( Saturday, 31 December 2016 )

©1999 - 2017 TheCAT