22 February 2016

XRDP has been my tool of choice for remote access to my Linux workstation. Recently I have become aware that it has been assessed to have a vulnerabilty at the network level. After some research I decided to replace it with TigerVNC which, at this time, is assessed to be more secure. Knowing my fellow developers will also need to install it I will be documenting my experiences of installing it on my XFCE Fedora Core 23 workstation.

I followed the directions found in the Fedora Project Documentation. I found the directions somewhat confusing and lacking when it came to the client. Normally I would expect the service file to automatically be installed when the server is installed. It isn’t and the next bit touches on why. The Systemd service file for TigerVNC looks different than other service files. As shown below Tiger VNC’s service file has an “@” symbol in its name. Without going into the details, the result is that you start can multiple instances of Tiger VNC by passing different display numbers to the service file during startup.

/etc/systemd/system/
[chri]$ ls
basic.target.wants                         dbus-org.freedesktop.ModemManager1.service   display-manager.service  remote-fs.target.wants       syslog.service
bluetooth.target.wants                     dbus-org.freedesktop.NetworkManager.service  getty.target.wants       sockets.target.wants         systemd-timedated.service
dbus-org.bluez.service                     dbus-org.freedesktop.nm-dispatcher.service   graphical.target.wants   spice-vdagentd.target.wants  timers.target.wants
dbus-org.fedoraproject.FirewallD1.service  dbus-org.freedesktop.timedate1.service       multi-user.target.wants  sssd.service.d               vmtoolsd.service.requires
dbus-org.freedesktop.Avahi.service         default.target                               printer.target.wants     sysinit.target.wants         vncserver@.service

Let’s get started on setting up Tiger VNC. First step is to use YUM or DNF to install “vnc-server”

sudo dnf install vnc-server
[chris]$ sudo dnf install vnc-server
[sudo] password for chris: 
Last metadata expiration check performed 1:47:39 ago on Mon Feb 22 05:05:36 2016.
Dependencies resolved.
==============================================================================================================================================================================================
 Package                                           Arch                                     Version                                           Repository                                 Size
==============================================================================================================================================================================================
Installing:
 tigervnc-server                                   x86_64                                   1.6.0-1.fc23                                      updates                                   210 k

Transaction Summary
==============================================================================================================================================================================================
Install  1 Package

Total download size: 210 k
Installed size: 501 k
Is this ok [y/N]: y
Downloading Packages:
tigervnc-server-1.6.0-1.fc23.x86_64.rpm                                                                                                                        89 kB/s | 210 kB     00:02    
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                          65 kB/s | 210 kB     00:03     
Running transaction check
Transaction check succeeded.with only 
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : tigervnc-server-1.6.0-1.fc23.x86_64                                                                                                                                       1/1 
  Verifying   : tigervnc-server-1.6.0-1.fc23.x86_64                                                                                                                                       1/1 

Installed:
  tigervnc-server.x86_64 1.6.0-1.fc23                                                                                                                                                         

Complete!

Next we copy over a service file from the libraries to our Systemd service directory.

copy service file
[chris]$ sudo cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@.service
[sudo] password for chris: 
[chris]$ 

Now we need to edit the vncserver@.service file to add your our name. I have provided a before and after look of the file. In my case I edit the file replacing with my login name “chris”.

Original vncserver@.service
###comments omitted

[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target

[Service]
Type=forking
# Clean any existing files in /tmp/.X11-unix environment
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/sbin/runuser -l <USER> -c "/usr/bin/vncserver %i"
PIDFile=/home/<USER>/.vnc/%H%i.pid
ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'

[Install]
WantedBy=multi-user.target

This file is owned by the root user and you will want to “sudo vim vncserver@.service” when editing the file. Or use whatever editor you prefer in place of vim.

Modified vncserver@.service
###comments omitted

[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target

[Service]
Type=forking
# Clean any existing files in /tmp/.X11-unix environment
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/sbin/runuser -l chris -c "/usr/bin/vncserver %i"
PIDFile=/home/chris/.vnc/%H%i.pid
ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'

[Install]
WantedBy=multi-user.target

Now we want to set a vnc password for our user. The following commands need to be run as the user which you added to the vncserver@.service file.

set vnc password
[chris]$ vncpasswd
Password:
Verify:
Would you like to enter a view-only password (y/n)? n

Next we want to reload the Systemd configuration. This is in case you already had Tiger VNC configured. This command has Systemd reread its configurations.

Reload Systemd configuration
[chris]$ sudo system daemon-reload

Set the password and set a view only password if you want one. The next step is to refresh Systemd, enable the Tiger VNC service and to start the service.

Restart Tiger VNC
[chris]$ sudo systemctl daemon-reload
[chris]$ sudo systemctl enable vncserver&#64;:1.service
[chris]$ sudo systemctl start vncserver&#64;:1.service
[chris]$ sudo systemctl status vncserver&#64;:1.service
● vncserver&#64;:1.service - Remote desktop service (VNC)
   Loaded: loaded (/etc/systemd/system/vncserver&#64;.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2016-02-22 11:25:13 EST; 14s ago
  Process: 5096 ExecStart=/sbin/runuser -l brightm -c /usr/bin/vncserver %i (code=exited, status=0/SUCCESS)
  Process: 5091 ExecStartPre=/bin/sh -c /usr/bin/vncserver -kill %i > /dev/null 2>&1 || : (code=exited, status=0/SUCCESS)
 Main PID: 5142 (Xvnc)
   CGroup: /system.slice/system-vncserver.slice/vncserver&#64;:1.service
           ‣ 5142 /usr/bin/Xvnc :1 -auth /home/brightm/.Xauthority -desktop <address omitted>:1 (brightm) -fp catalogue:/etc/X11/fontpath.d -geometry 1024x768 -pn -rfb...

Feb 22 11:25:10 <address omitted> systemd[1]: Starting Remote desktop service (VNC)...
Feb 22 11:25:13 <address omitted> systemd[1]: Started Remote desktop service (VNC).
[chris]$ 

The last step of the server setup is to open up your firewall. If you are using firewalld you can run firewall-config and select “vnc-server” under services in the runtime and permanent configurations. If you are using a different firewall you will probably want to open up ports 5900 to 6000.

The next step is to download the Tiger VNC Client from their GitHub site. From there you can follow the links to the latest download site. The client is a straight binary executable without an install program. Drop it in a folder and run it. The last tricky bit is you will need to add a “:1” to the end of your DNS/IP address to tell the client which display number to connect to.


Less Is More ~ Older posts are available in the archive.