Getting Tiger VNC to Work on Linux
Created: 22 February 2016
XRDP has been my tool of choice for remote access to my Linux workstation. Recently I have become aware that it has been assessed to have a vulnerability at the network level. After some research I decided to replace it with TigerVNC which, at this time, is assessed to be more secure. Knowing my fellow developers will also need to install it, I will be documenting my experiences of installing it on my XFCE Fedora Core 23 workstation.
I followed the directions found in the Fedora Project Documentation. I found the directions somewhat confusing and lacking when it came to the client. Normally I would expect the service file to automatically be installed when the server is installed. It isn’t, and the next bit touches on why. The Systemd service file for TigerVNC looks different from other service files. As shown below, Tiger VNC’s service file has an “@” symbol in its name. Without going into the details, the result is that you can start multiple instances of Tiger VNC by passing different display numbers to the service file during startup.
/etc/systemd/system/
[chri]$ ls
basic.target.wants dbus-org.freedesktop.ModemManager1.service display-manager.service remote-fs.target.wants syslog.service
bluetooth.target.wants dbus-org.freedesktop.NetworkManager.service getty.target.wants sockets.target.wants systemd-timedated.service
dbus-org.bluez.service dbus-org.freedesktop.nm-dispatcher.service graphical.target.wants spice-vdagentd.target.wants timers.target.wants
dbus-org.fedoraproject.FirewallD1.service dbus-org.freedesktop.timedate1.service multi-user.target.wants sssd.service.d vmtoolsd.service.requires
dbus-org.freedesktop.Avahi.service default.target printer.target.wants sysinit.target.wants vncserver@.service
Let’s get started on setting up Tiger VNC. The first step is to use YUM or DNF to install “vnc-server”.
sudo dnf install vnc-server
$ sudo dnf install vnc-server
[sudo] password for chris:
Last metadata expiration check performed 1:47:39 ago on Mon Feb 22 05:05:36 2016.
Dependencies resolved.
==============================================================================================================================================================================================
Package Arch Version Repository Size
==============================================================================================================================================================================================
Installing:
tigervnc-server x86_64 1.6.0-1.fc23 updates 210 k
Transaction Summary
==============================================================================================================================================================================================
Install 1 Package
Total download size: 210 k
Installed size: 501 k
Is this ok [y/N]: y
Downloading Packages:
tigervnc-server-1.6.0-1.fc23.x86_64.rpm 89 kB/s | 210 kB 00:02
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 65 kB/s | 210 kB 00:03
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Installing : tigervnc-server-1.6.0-1.fc23.x86_64 1/1
Verifying : tigervnc-server-1.6.0-1.fc23.x86_64 1/1
Installed:
tigervnc-server.x86_64 1.6.0-1.fc23
Complete!
Next we copy over a service file from the libraries to our Systemd service directory.
copy service file
$ sudo cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@.service
[sudo] password for chris:
$
Now we need to edit the vncserver@.service file to add your user name. I have provided a before and after look of the file. In my case I edit the file replacing
Original vncserver@.service
# comments omitted
[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target
[Service]
Type=forking
# Clean any existing files in /tmp/.X11-unix environment
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/sbin/runuser -l <USER> -c "/usr/bin/vncserver %i"
PIDFile=/home/<USER>/.vnc/%H%i.pid
ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
[Install]
WantedBy=multi-user.target
This file is owned by the root user and you will want to “sudo vim vncserver@.service” when editing the file. Or use whatever editor you prefer in place of vim.
Modified vncserver@.service
# comments omitted
[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target
[Service]
Type=forking
# Clean any existing files in /tmp/.X11-unix environment
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/sbin/runuser -l chris -c "/usr/bin/vncserver %i"
PIDFile=/home/chris/.vnc/%H%i.pid
ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
[Install]
WantedBy=multi-user.target
Now we want to set a vnc password for our user. The following commands need to be run as the user which you added to the vncserver@.service file.
set vnc password
$ vncpasswd
Password:
Verify:
Would you like to enter a view-only password (y/n)? n
Next we want to reload the Systemd configuration. This is in case you already had Tiger VNC configured. This command has Systemd reread its configurations.
Reload Systemd configuration
$ sudo systemctl daemon-reload
Set the password and set a view-only password if you want one. The next step is to refresh Systemd, enable the Tiger VNC service and start the service.
Restart Tiger VNC
$ sudo systemctl daemon-reload
$ sudo systemctl enable vncserver@:1.service
$ sudo systemctl start vncserver@:1.service
$ sudo systemctl status vncserver@:1.service
● vncserver@:1.service - Remote desktop service (VNC)
Loaded: loaded (/etc/systemd/system/vncserver@.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2016-02-22 11:25:13 EST; 14s ago
Process: 5096 ExecStart=/sbin/runuser -l brightm -c /usr/bin/vncserver %i (code=exited, status=0/SUCCESS)
Process: 5091 ExecStartPre=/bin/sh -c /usr/bin/vncserver -kill %i > /dev/null 2>&1 || : (code=exited, status=0/SUCCESS)
Main PID: 5142 (Xvnc)
CGroup: /system.slice/system-vncserver.slice/vncserver@:1.service
‣ 5142 /usr/bin/Xvnc :1 -auth /home/brightm/.Xauthority -desktop <address omitted>:1 (brightm) -fp catalogue:/etc/X11/fontpath.d -geometry 1024x768 -pn -rfb...
Feb 22 11:25:10 <address omitted> systemd[1]: Starting Remote desktop service (VNC)...
Feb 22 11:25:13 <address omitted> systemd[1]: Started Remote desktop service (VNC).
$
The last step of the server setup is to open up your firewall. If you are using firewalld you can run firewall-config and select “vnc-server” under services in the runtime and permanent configurations. If you are using a different firewall you will probably want to open up ports 5900 to 6000.
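The server-side steps above, condensed into an added example that is not part of the original post: it fills the <USER> placeholder only with a plain account name, because the unit's ExecStart line is run by root, and it derives the one TCP port an instance listens on (5900 plus the display number) so the firewall can be opened for that port alone. The function names and the embedded two-line template excerpt are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are illustrative.

# Constructed excerpt: the two lines of the stock unit that carry <USER>.
TEMPLATE='ExecStart=/sbin/runuser -l <USER> -c "/usr/bin/vncserver %i"
PIDFile=/home/<USER>/.vnc/%H%i.pid'

# Fill in <USER>. systemd runs ExecStart as root, so accept only a plain
# account name; anything with spaces, quotes or ';' is refused.
render_unit() {
    user=$1
    case $user in
        ''|-*|*[!a-z0-9_-]*) echo "invalid user name: $user" >&2; return 1 ;;
    esac
    printf '%s\n' "$TEMPLATE" | sed "s/<USER>/$user/g"
}

# Xvnc listens on TCP 5900 + display number, so instance ":1" is port 5901.
# Displays are limited here to the 5900-6000 range the post mentions.
vnc_port() {
    display=${1#:}
    case $display in
        ''|*[!0-9]*|0?*) echo "invalid display: $1" >&2; return 1 ;;
    esac
    [ "$display" -le 100 ] || { echo "display out of range: $1" >&2; return 1; }
    echo $((5900 + display))
}

# Print (do not run) the firewalld commands that open only that one port.
firewall_cmds() {
    port=$(vnc_port "$1") || return 1
    echo "firewall-cmd --permanent --add-port=${port}/tcp"
    echo "firewall-cmd --reload"
}

# Demo for the instance used in this post: user chris, display :1.
render_unit chris
firewall_cmds :1
```

The printed firewall-cmd lines are meant to be reviewed and then run with sudo; nothing in the script changes the system.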
The next step is to download the Tiger VNC Client from their GitHub site. From there you can follow the links to the latest download site. The client is a straight binary executable without an install program. Drop it in a folder and run it. The last tricky bit is you will need to add a “:1” to the end of your DNS/IP address to tell the client which display number to connect to.