Friday, January 6, 2012

Simple VNC control with vncctl

Hello,

This week I had the opportunity to add Virtual Network Computing (VNC) support to some of my lab servers. The VNC server bits were already installed by default, but I wanted to make it simpler for non-privileged users to set up and tear down their own VNC sessions.

Before going into my solution, I should explain that I try to keep my servers as secure as possible. VNC doesn't offer native encryption support, so on its own it is not very secure: any information transmitted over the network as part of the VNC session could be snooped off the network. The best way to add encryption to a VNC session is to tunnel it through an encrypted secure shell (ssh) connection. I lock down my firewall to allow only ssh connections so that VNC is forced through ssh. Further, in case the firewall is compromised, I don't want VNC to listen on any IP address other than localhost (127.0.0.1). This is actually pretty standard stuff. The interesting part is what I wrote to simplify setup and teardown of the VNC sessions.

I wrote a script called vncctl to start, stop, or restart VNC sessions. When you run "vncctl start" to start a new VNC session, it finds the next available VNC port on the server and uses that port. It also prints sample ssh commands that you can use from your client to connect to the VNC session, either by tunneling X11 or by tunneling the VNC port to your client. You can even run it multiple times to start up multiple VNC sessions. Lastly, if you run "vncctl stop", it will stop all of your existing VNC sessions. Way Cool!

Let's look at some sample output. Here is the output from running "vncctl start".

$ vncctl start
New 'lab01:3 (brad)' desktop is lab01:3
Starting applications specified in /home/brad/.vnc/xstartup
Log file is /home/brad/.vnc/lab01:3.log
You have two options for connecting to this VNC server: through port tunneling (fast) or over X11 (slow).
If you prefer through port tunneling over ssh, use the following command:
   ssh -L 5903:127.0.0.1:5903 brad@lab01
Then connect to 127.0.0.1:5903 via your local VNC client application
If you prefer over X11, use the following command from your server:
   ssh -X brad@lab01 vncviewer 127.0.0.1:5903
Note that you may need to add -p to specify a non-standard ssh port number

Here is the sample output when running "vncctl stop".

$ vncctl stop
Killing Xvnc process ID 9507
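
A server-side check for the two properties described above, the loopback-only listener and the next free VNC port, written as an added example (it is not vncctl's own code). It assumes the `ss -ltn` output format; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit VNC listeners from `ss -ltn` output (not part of vncctl).

# Constructed sample of `ss -ltn` output; on a real host pipe in: ss -ltn
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      127.0.0.1:5901     0.0.0.0:*
LISTEN 0      5      127.0.0.1:5902     0.0.0.0:*
LISTEN 0      5      0.0.0.0:5903       0.0.0.0:*
LISTEN 0      5      [::1]:5901         [::]:*'

# Print every VNC listener (TCP 5900-5999) that is NOT bound to loopback.
vnc_exposed() {
  awk '$1 == "LISTEN" {
    n = split($4, p, ":"); port = p[n] + 0
    addr = substr($4, 1, length($4) - length(p[n]) - 1)
    if (port < 5900 || port > 5999) next
    if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
    print $4
  }'
}

# Print the lowest display number N >= 1 whose port 5900+N has no listener.
next_vnc_display() {
  awk '$1 == "LISTEN" { n = split($4, p, ":"); used[p[n] + 0] = 1 }
       END { for (d = 1; d <= 99; d++)
               if (!((5900 + d) in used)) { print d; exit }
             exit 1 }'
}

# Print the ssh port-forward command for a display, in the form the post shows.
tunnel_cmd() {  # args: user host display
  port=$((5900 + $3))
  printf 'ssh -L %s:127.0.0.1:%s %s@%s\n' "$port" "$port" "$1" "$2"
}

# Demo on the constructed sample.
exposed=$(printf '%s\n' "$SAMPLE" | vnc_exposed)
if [ -n "$exposed" ]; then
  echo "WARNING: VNC listener reachable off-host: $exposed"
fi
echo "Next free display: $(printf '%s\n' "$SAMPLE" | next_vnc_display)"
tunnel_cmd brad lab01 3
```

Any line printed by `vnc_exposed` is a session that depends on the firewall alone, because the listener accepts connections without going through ssh.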

You can download vncctl from dl.thezonemanager.com.

From an operating system support perspective, I wrote this for Oracle Enterprise Linux version 6 and have not tested it on any other operating system. It should also work on Red Hat Enterprise Linux version 6. If you have difficulties running it on some other operating system and figure out how to fix it, send the fix to me and I will gladly incorporate it.

Enjoy and have a great day!


Brad
PS: As always, the sample scripts provided in this post are for reference and are not supported by me or my employer in any way.
