I’ve configured VNC for Ubuntu on a couple of occasions and it’s always taken me far longer than necessary. This time, after having a server compromised recently, I wanted a more secure way of connecting to VNC from remote locations, so here I will also explain how to set up an SSH tunnel for the VNC session. I thought I’d document the process for my own and anyone else’s benefit. I’d be interested to hear other experiences.
Overview
Client: OS X 10.10.1 (Macbook) || Server: Ubuntu 14.04
- I used x11vnc so that I can connect to existing desktop sessions on the server.
- Server has auto-login enabled as there is no keyboard, mouse or monitor connected. This is important to note: x11vnc is a tool for sharing an existing desktop session on the server – if you are looking to create new user/desktop sessions then you will need to use a different VNC server.
- I also beefed up the security of my SSH connections by disabling password authentication and root login.
- Public keys are used to speed up connections as passwords don’t need to be entered in order to establish connections over SSH
Method
Install the VNC server on Ubuntu:
sudo apt-get install x11vnc
Configure the password for VNC (you will be prompted to enter and then confirm the password, and for a location to store it – I used the default values):
x11vnc -storepasswd
On your Mac, enter the following to tunnel local port 5900 to port 5900 on the server over SSH (it would be more secure to use non-standard ports):
ssh <user>@123.123.123.123 -L 5900:localhost:5900
Start the x11vnc vnc server on the Ubuntu server:
x11vnc -forever -bg -usepw -httpdir /usr/share/vnc-java/ -httpport 5901 -display :0
We’re using OS X’s built-in VNC viewer, so in Finder press shift+cmd+k and type:
vnc://localhost
… and then click ‘Connect’.
NOTE: In order to connect successfully to the tunnelled ‘localhost’ you must disable Screen Sharing on your Mac, because it already listens on port 5900 and the tunnel cannot bind to it. Disable it by going to System Preferences > Sharing and unticking ‘Screen Sharing’.
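The tunnel and the port conflict described in the note above, as an added example that is not part of the original post: a small script that checks the local forward port is free before opening the tunnel, and builds the ssh command with -N (no remote shell) and ExitOnForwardFailure so a failed bind is reported instead of silently ignored. The user, host and ports are placeholders; the listing is read from stdin so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original post. Opens the VNC tunnel only after
# confirming that nothing on this Mac already listens on the local port, which
# is exactly the conflict macOS Screen Sharing causes on 5900.

# stdin: a listing of listening sockets, e.g. `lsof -nP -iTCP -sTCP:LISTEN`
# on macOS or `ss -ltn` on Linux. Returns 0 when nothing listens on PORT.
local_port_free() {
  if grep -Eq ":$1([[:space:]]|\$)"; then
    return 1
  fi
  return 0
}

# Print the ssh command that forwards LOCAL_PORT on this machine to
# REMOTE_PORT on the server's loopback interface. -N opens no shell and
# ExitOnForwardFailure makes ssh exit if the forward cannot be bound.
# Usage: tunnel_command USER HOST LOCAL_PORT REMOTE_PORT
tunnel_command() {
  printf 'ssh -N -o ExitOnForwardFailure=yes -L %s:localhost:%s %s@%s\n' \
    "$3" "$4" "$1" "$2"
}

# Run as: sh vnc_tunnel.sh --run USER HOST [LOCAL_PORT] [REMOTE_PORT]
if [ "${1:-}" = "--run" ]; then
  user=$2
  host=$3
  lport=${4:-5900}
  rport=${5:-5900}
  # If lsof is missing, the listing is empty and the port is assumed free.
  if ! lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null | local_port_free "$lport"; then
    echo "local port $lport is in use (on macOS: disable Screen Sharing or choose another local port)" >&2
    exit 1
  fi
  echo "opening: $(tunnel_command "$user" "$host" "$lport" "$rport")"
  exec ssh -N -o ExitOnForwardFailure=yes -L "$lport:localhost:$rport" "$user@$host"
fi
```

Once the tunnel is up, the Finder connection to vnc://localhost (or vnc://localhost:LOCAL_PORT if you picked a non-standard local port) works as described above.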
To configure autostart of x11vnc on the server:
Add the command we use to start the VNC server to a script in your home directory. We will then set the script to run at login:
echo "/usr/bin/x11vnc -forever -bg -usepw -httpdir /usr/share/vnc-java/ -httpport 5901 -display :0" > ~/x11vnc.sh
Next, make the script executable:
chmod +x ~/x11vnc.sh
Test the script with this operation:
~/x11vnc.sh
Now, add the script to your ‘Startup Applications’.
/home/<USER>/x11vnc.sh
Use the full file path to reference the script (I originally tried using a tilde ‘~/’ to reference my home directory, but this did not work). I used the Ubuntu GUI for this part – I did want to do the whole lot via the terminal, but I gave up as I ran out of time. For me, where the Ubuntu server is just used for network backups from my application and file servers and local/on-site security isn’t an issue, having it log in automatically on boot works fine, as it will run the script as part of the boot/login process.
Finally, reboot and make sure all is working ok.
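The wrapper above starts x11vnc listening on every interface, so the post relies on the network to keep port 5900 private. As an added example that is not the post’s own script, the following generates the same wrapper with x11vnc bound to the loopback interface only (x11vnc’s real -localhost and -rfbport options), so the desktop is reachable solely through the SSH tunnel, and checks that the password file written by x11vnc -storepasswd is readable by the owner alone. It drops the Java HTTP viewer options, which are unnecessary when every client arrives through the tunnel; the binary path, port and password-file path are x11vnc’s defaults and are assumptions here.

```shell
#!/bin/sh
# Added example, not the post's own script: generate ~/x11vnc.sh with x11vnc
# bound to loopback only, and sanity-check the stored VNC password file.
# Binary path, port and password-file path are assumed defaults.

X11VNC_BIN=/usr/bin/x11vnc
VNC_PORT=5900

# Print the x11vnc command line. -localhost restricts the listener to
# 127.0.0.1, -rfbport pins the port, -usepw reads the password saved by
# `x11vnc -storepasswd` (default ~/.vnc/passwd).
x11vnc_command() {
  printf '%s -forever -bg -usepw -localhost -rfbport %s -display :0\n' \
    "$X11VNC_BIN" "$VNC_PORT"
}

# Write the wrapper script to PATH and make it executable by the owner only.
write_x11vnc_script() {
  {
    echo '#!/bin/sh'
    echo '# Start x11vnc for the existing :0 desktop, loopback only'
    x11vnc_command
  } > "$1"
  chmod 700 "$1"
}

# Return 0 when the VNC password file exists and has mode 0600, 1 otherwise.
# A world-readable password file would let any local user read the VNC hash.
vnc_password_file_ok() {
  f="${1:-$HOME/.vnc/passwd}"
  [ -f "$f" ] && [ -n "$(find "$f" -maxdepth 0 -perm 600)" ]
}

# Run as: sh make_x11vnc_script.sh --install
if [ "${1:-}" = "--install" ]; then
  write_x11vnc_script "$HOME/x11vnc.sh"
  echo "wrote $HOME/x11vnc.sh:"
  cat "$HOME/x11vnc.sh"
  if ! vnc_password_file_ok; then
    echo "warning: $HOME/.vnc/passwd missing or not mode 0600; run x11vnc -storepasswd" >&2
  fi
fi
```

Point ‘Startup Applications’ at /home/<USER>/x11vnc.sh exactly as in the post; the only change is that the resulting listener no longer answers on the server’s network interfaces.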
If at any time you need to kill and restart x11vnc, use pgrep to find x11vnc’s process ID (shown here as 1234) and then kill it:
sudo pgrep x11vnc
1234 (the process ID returned by the command); then:
kill 1234
Summary
Once configured, you can simply create the ssh tunnel by running the following in your Mac’s terminal:
ssh <user>@123.123.123.123 -L 5900:localhost:5900
Then in Finder, press shift+cmd+k, type vnc://localhost
and press Connect. You will be prompted for your VNC password before the session begins; because the connection goes through the tunnel, SSH encrypts the password in transit.
To further improve security, make sure port 5900 is not accessible from outside your network (you could also change this port number), and set up public key access for SSH between your server and your Mac. Having done this, you can disable password login and root login for both your server and Mac by editing sshd_config (the server-side SSH configuration) on each machine. This reduces the threat of a breach from a brute-force password attack.
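The two checks behind this paragraph, as an added example that is not part of the original post: an audit script for the Ubuntu server that reads sshd_config the way sshd does (first non-comment occurrence of a keyword wins) and confirms password and root logins are off and public-key authentication is on, then parses ss -ltn output to confirm port 5900 is bound to loopback only. The config path and port are the usual defaults and are assumptions; the script assumes the config has no Match blocks.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the SSH and VNC
# hardening points on the server. Paths and port are assumed defaults.

# Print the effective value of an sshd_config keyword. sshd applies the first
# non-comment occurrence, so that is the one reported (keywords are
# case-insensitive). Match blocks are not handled (assumption: none present).
sshd_setting() {
  awk -v key="$2" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# Return 0 when PasswordAuthentication=no, PermitRootLogin=no and
# PubkeyAuthentication=yes (its default when unset); otherwise print each
# finding and return 1. Usage: sshd_hardening_check /etc/ssh/sshd_config
sshd_hardening_check() {
  rc=0
  for pair in PasswordAuthentication=no PermitRootLogin=no PubkeyAuthentication=yes; do
    key=${pair%=*}
    want=${pair#*=}
    got=$(sshd_setting "$1" "$key")
    if [ -z "$got" ] && [ "$key" = PubkeyAuthentication ]; then
      got=yes
    fi
    if [ "$got" != "$want" ]; then
      echo "$key: expected '$want', found '${got:-unset}'"
      rc=1
    fi
  done
  return $rc
}

# stdin: output of `ss -ltn` (or `netstat -ltn`). Prints the offending lines
# and returns 0 when PORT listens on anything other than 127.0.0.1 or ::1;
# returns 1 when it is loopback-only or not listening at all.
vnc_is_exposed() {
  grep -E "[[:space:]][^[:space:]]+:$1[[:space:]]" \
    | grep -Ev "[[:space:]](127\.0\.0\.1|\[::1\]):$1[[:space:]]"
}

# The three lines to set in /etc/ssh/sshd_config. Validate with `sudo sshd -t`
# and keep an existing session open while you restart sshd, so a mistake in
# the config cannot lock you out.
sshd_hardening_lines() {
  printf 'PasswordAuthentication no\nPermitRootLogin no\nPubkeyAuthentication yes\n'
}

# Run as: sudo sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
  if sshd_hardening_check /etc/ssh/sshd_config; then
    echo "sshd: ok"
  else
    echo "sshd: set the following in /etc/ssh/sshd_config:"
    sshd_hardening_lines
  fi
  if ss -ltn 2>/dev/null | vnc_is_exposed 5900; then
    echo "vnc: port 5900 reachable beyond loopback; start x11vnc with -localhost or firewall it" >&2
  else
    echo "vnc: loopback only (or not running)"
  fi
fi
```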