Softpanorama
(slightly skeptical) Open Source Software Educational Society

May the source be with you, but remember the KISS principle ;-)

Google   

VNC -- The Essential Sysadmin Tool

News Recommended Links Recommended Articles Solaris main page Xwindows XWindows Managers
Rc scripts VNC installation & configuration VNC on Solaris VNC on Linux VNC for Windows and TightVNC Etc

VNC stands for Virtual Network Computing This great tool was developed at AT&T Laboratories in Cambridge, England. This tool should be in every sysadmins arsenal.

VNC is a  network graphics protocol (applications running on one computer but displaying their windows on another) in the spirit of X, however, unlike X, the viewing-end is very simple and maintains no state. It is a remote framebuffer (RFB) protocol. Some VNC links:

For Unix, the traditional VNC implementation includes a "virtual" X11 server Xvnc (usually launched via the vncserver command) that is not associated with a physical display, but provides a "fake" one X11 clients (xterm, mozilla, etc.) can attach to. A remote user then connects to Xvnc via the VNC client vncviewer from anywhere on the network to view and interact with the whole virtual X11 desktop.

The VNC protocol is in most cases better suited for remote connections with low bandwidth and high latency than is the X11 protocol because it involves far fewer "roundtrips" (an exception is the cached pixmap data on the viewing-end provided by X). Also, with no state maintained the viewing-end can crash, be rebooted, or relocated and the applications and desktop continue running. Not so with X11.

So the standard Xvnc/vncserver program is very useful for things like:

However, sometimes one wants to connect to a real X11 display (i.e. one attached to a physical monitor, keyboard, and mouse: a Workstation or a SunRay session) from far away. Maybe you want to close down an application cleanly rather than using kill, or want to work a bit in an already running application, or would like to help a distant colleague solve a problem with their desktop, or would just like to work out on the deck for a while. This is where x11vnc is useful.

VNC is perfect for those who use Windows desktop to manage Unix servers. It not only allows you to view other Unix desktop from PC and other architectures that do not have X it also have several additional benefits.  One of the most important is that it preserves state of the session.  So if you left your office and reconnect from home the session will be at the state you left it up to the last cursor position. That saves a lot of time if you administer multiple servers.

Being able to access a user’s desktop remotely is also very important for network administrators, as they don’t have to run around all over the place doing troubleshooting.  There are various commercial packages that have been providing this capability for a long time (pcAnywhere was available for DOS, Hummingbird is 10 years old, etc).  Win XP Professional has Remote Desktop Connection and Remote Assistance that allows you to access the machine remotely, whether over a LAN or even the Internet.  And this is a high quality free product that works for Unix.

It is, in essence, a remote display system which allows you to view a whole computing 'desktop' environment.

VNC is very similar to Windows Terminal Services. There are, however, some key differences, such as:

Although VNC is great, it does not make an efficient use of bandwidth. It seems Windows XP Remote Desktop makes significantly better job in comparison. Also, when the VNC server is running on Linux/Unix, I cannot see the current desktop (on the console) remotely.  There is a special version of VNC called TightVNC which helps to overcome this problem. Some Linux distributions like Fedora are working on integrating VNC as a core technology. There is also NX, the version of VNC that is leaner and meaner then VNC. NX gives you a free (as in speech and beer) "CITRIX-style"  solution. You can download Knoppix 3.6 and give FreeNX a try.

VNC offers a server for Windows as well and it works reasonably well. The best windows implementation is  TightVNC VNC-Based Free Remote Control Solution (native port is much weaker).  You need to use TightVNC client too (actually this is a better client for any VNC version, not only for TightVNC). VNC ports to Windows have an important limitation: when the VNC server is running on Windows, multiple people cannot have remote independent sessions.

For Solaris vnc package is provided on Software Companion CD and X11vnc prcompiled package from http://sunfreeware.com

The VNC is launched using   vncserver Perl script.  The script vncserver is a wrapper for Xvnc.

   vncserver

The example of modified 'vncserver' is shown below.

. . .
. . .
$defaultXStartup
    = ("#!/bin/sh\n\n".
       "xrdb \$HOME/.Xresources\n".
       "xsetroot -solid grey\n".
       "xterm -geometry 80x24+10+10 -ls -title \"\$VNCDESKTOP Desktop\" &\n".
       "startkde &\n");

chop($host = `uname -n`);

. . .

The first time you run vncserver, it will prompt you for a password (it launches vncpasswd), then it terminates without creating your desktop. To create your desktop, you have to run vncserver again. The password file and startup scripts are stored in your ~/.vnc directory. You have several choices of desktop environments and can either make an envelope scripts or to modify vncpasswd to launch CDE,  Gnome or KDE. You can create  several scripts, one for each desktop that you are using:  

vnccde :n  -  CDE on display number 'n'
vnckde :n  - KDE on display number 'n'

Leaving off the ":n" gives you the lowest available number. To connect to your desktop and use it, you'll need a VNC viewer program on your client machine.

vncserver is a perl script that you can (and probably should) customize

You can start a vncserver from RC scripts or manually by logging on to the system you want to administer remotely and launching it with the command: 

    # vncserver hostname:session_number

With VNC, you can run multiple sessions and connect to different servers. By default, the session numbers start at 1 and go up from there, but you can specify session 3 (for instance) right from the start by typing vncserver hostname:3. This highlights another benefit of VNC. Until you kill a VNC session, it retains its current state.

That means you can disconnect from a session, reconnect later, and return right where you left off. In fact, you can even share a session so multiple users can access it.

When you start the vncserver for the first time, you will be prompted for a password to access the server. You can always change it later using the vncpasswd command. Once the server is activated, you can connect to it using the vncviewer command. The format is as follows: 

   # vncviewer host:session_number

To exit the viewer (or send specific key sequences), use the F8 key. Then click on "Quit Viewer" to close the session. You can also start a shared session so that others may use the same X Window session with this version of the command: 

   # vncviewer -shared host:session_number

When you start the vncserver, it creates a .vnc directory under your home directory (/root/.vnc). Several files are kept here. You'll find a log file associated with each server you run and a .pid file to allow for removal of the server. By the way (since I mentioned it earlier), you kill a vncserver process like this: 

   # vncserver -kill :1

Remember that the :1 could be a :2 or :3, depending on the session you are trying to kill. That said, the other file I want you to look at is this one: -- xstartup. If you do a cat on the file, you get something that looks like this: 

   #!/bin/sh
 
   xrdb $HOME/.Xresources
   xsetroot -solid grey
   xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
   # twm &
   startkde &

Notice the second-to-last line is commented out, and a "startkde" line is added below. This is because VNC uses twm (the Tab Window Manager) as its default desktop.  If you prefer another window manager, add the startup here.

Notes:
  • Those pages are written by people for whom English is not a native language. Some amount of grammar and spelling errors should be expected.
  • This is a Spartan WHYFF (We Help You For Free) site. It cannot replace the best teachers and the best books.
  • The site contain some obsolete pages as it develops like a living tree... Some links on older pages are broken. Please try to use Google, Open directory, etc. to find a replacement link (see HOWTO search the WEB for details). We would appreciate if you can mail us a correct link.

Search Amazon by keywords:

 Google   
Open directory
Research Index
 

Old News ;-)

Vino. The Remote Desktop Project

RFB[1] (Remote FrameBuffer) is the protocol used by VNC. The emphasis in the design of the protocol was to make very few requirements of the client. The client has no need to maintain explicit state and clients are able to disconnect and re-connect to the server while preserving the state of the user interface.

The dislay part of the protocol is based around a single simple graphics primitive "put a rectangle of pixel data at a given position". Each rectangle may be encoded in any one of a number of encodings allowing for compression or usage of parts of the client's existing copy of the framebuffer. Updates are requested by the client rather than pushed out by the server allowing the protcol to adapt to slower networks and/or clients - i.e. with a slow network or client the rate of updates are greatly reduced and the client ignores the transient state of the framebuffer.

The protocol is quite extensible. Extra encodings can be advertised by the server and used if the client supports the encoding. Use of encodings are not only limited to how frame buffer updates are encoded on the wire, but also extra psuedo-encodings may be added which can do anything from inform the client of a change in cursor shape, a change in the size of the screen or even things like extra in-band communication between the server and client.

There seems to be many different implementations of VNC available. Available RFB server implementations include:

I won't list the VNC client's available, there seem to be many, but suffice to say there are X11, Windows and OS X clients available along with, interestingly, several implementations of a Java client which can be run embedded in the browser as an applet.

Tim Waugh has written a nice article[6] on VNC and the many projects around the technology.

In summary, the RFB protocol has a number of advantages:

  1. Simple and open protocol.
  2. Rate-limited by the client, pretty low bandwidth/latency requirements.
  3. Extensible.
  4. Several open source implementations available.
  5. Many existing clients available for different platforms.

[Jun 4, 2007] VNC and Similar

undated,linuxmafia.com

VNC implementations (also known as "RFB" = Remote Frame Buffer)

You'll find a number of resources about VNC over SSH in my ssh-clients
file, http://linuxmafia.com/ssh/.

Also worth looking into:

Citrix Metaframe: This is the old-established proprietary remote-Win32-access technology (implementing ICA = Independent Computing Architecture remote imaging), whose predecessor Citrix Winframe was licensed by Microsoft Corporation and rebranded as Microsoft Terminal Server. (Microsoft also rebranded ICA as Microsoft Remote Desktop Protocol = RDP.)
http://www.citrix.com/

For completeness:
Sun Secure Global Desktop: This is a proprietary remote-Win32-access technology formerly called Tarantella, until Sun Microsystems bought Tarantella, Inc., formerly Santa Cruz Operation (dubbed "old SCO" to distinguish it from the Utah company formerly named Caldera Systems that renamed itself The SCO Group). Santa Cruz Operation in turn had developed Tarantella from code acquired when it bought IXI Limited of Cambridge, UK and Visionware Limited of Leeds, UK, in 1993 and 1994, respectively.
http://www.sun.com/software/products/sgd

[Apr 5, 2007] freshmeat.net Project Reviews - vnc2swf

by jeff covey, in Project Reviews - Sat, Feb 5th 2005 00:00 PDT

Screenshots have always been invaluable tools for graphical user interfaces. They let programmers flaunt their wares to prospective users; even with console tools, I usually zoom right in on a screenshot link to get my first impression of a program. They let the desktop-inclined show off their backgrounds and theme authors show why you must have their work. And when things go wrong, a screenshot can often save a thousand words of bug reporting. vnc2swf puts all these benefits in motion.

vnc2swf is a Virtual Network Computing client which can record a VNC session and save it as a Shockwave Flash file.

[Mar 24, 2007] freshmeat.net Project details for Enhanced TightVNC Viewer

Enhanced TightVNC Viewer 1.0.14 released
The Enhanced TightVNC Viewer package is part of the x11vnc VNC server project. It provides a native VNC viewer that takes advantage of new features in x11vnc, e.g. cursor alpha blending and automatic SSL tunnelling. Some features apply to any VNC server, e.g. automatic SSH tunnelling. Another goal is to provide a package that conveniently bundles everything needed for the user to have the enhanced viewer running quickly. This includes pre-built binaries of the viewer and utility programs for Windows and many Unix variants, and a GUI to configure and launch the viewer. The short name for this project is "ssvnc", for SSL/SSH VNC viewer.

Release focus: Minor bugfixes

Changes:
Using port numbers lower than VNC's default port (5900) now works on Windows (for example, myhost.com:443).

Author:
Karl Runge [contact developer]

LinuxPlanet - Tutorials - Using VNC Tunneling over SSH - Temporary Access

While working on a project to create tutorials, I needed a way to watch how a user stepped through the process of using an application without being on-site.

VNC turned out to be a viable solution. I could remotely connect and view all the steps, while conversing about the process over the phone.

The trouble was there were firewalls at both ends. It would have been easy to just open the port normally used for VNC connectivity (5900) in the firewall, but it's definitely not secure.

Using VNC while tunneling over SSH was a quick and more secure way to accomplish the process/application watching goal.

Several steps are required to make it work.

Ideally, all inbound ports are closed on an Internet facing firewall. That will go a long way to keeping out the bad guys. Of course, any other remote access is then limited as well.

Opening up port 22 on the distant IPCop firewall works well for the purpose of tutorial generation and is easily accomplished using the IPCop Web-based GUI. A similar process is used if the user machine is behind a dedicated firewall appliance. The idea is to port forward the SSH traffic from the Internet to the VNC-equipped user desktop machine.

Port 22 on the user's Linux desktop also needs to be available for logging in via SSH. When the session is finished, the firewall's SSH port can then again be closed to inbound traffic.

Specialized remote access techniques should be considered, like port-knocking or using hardened firewall devices when a more permanent or bulletproof connection is needed.

"Sharing computers on a Linux (or heterogeneous) network, Part 1" (developerWorks, December 2001)

compares ssh to VNC. "Sharing computers on a Linux (or heterogeneous) network, Part 2" (developerWorks, March 2002) covers VNC in more detail and also discusses remote X and security.

Logging into NT service from Linux VNC client 

TightVNC client has an option sending this key sequence to Windows (left-click mouse of the client and see "send Ctrl-Alt-Del" option.

Q. How can I send an ALT-CTRL-DEL from a Linux XFree VNC client to an NT server (running VNC as a service) to login? It seems that the Alt-Ctrl-Del to gobbled up by Xfree (or maybe something else?) and not sent to the server. My SunOS client sends the Alt-Ctrl-Del fine. There is no pull-down item to sent it like on a Win95 client.

TIA...

I would suggest that this be added to the FAQ.

TightVNC Remote X the secure, fast & easy way (LinuxWorld)

John Wilson tug "at" wilson.co.uk
Tue, 22 Jun 1999 17:08:56 +0000 

My VncMonitor program will allow you to connect to a remote system without
the need to type in details (it gets the information from a configuration
file). My VncProxy program allows the number of connections to a proxied VNC
server to be restricted to any number.

They are both Java programs so should run on your machines.

http://www.wilson.co.uk/Software/vnc/VncMonitor.htm
http://www.wilson.co.uk/Software/vnc/proxy/VncProxy.htm

I'm about to release new versions in the next day or so.

John Wilson
The Wilson Partnership
5 Market Hill, Whitchurch, Aylesbury, Bucks HP22 4JB, UK
+44 1296 641072, +44 976 611010(mobile), +44 1296 641874(fax)
Mailto: tug "at" wilson.co.uk

----- Original Message -----
From: Pavel Satny <pavel.satny "at" alcatel.cz>
To: <vnc-list "at" uk.research.att.com>
Cc: <aarnout.wieers "at" alcatel.cz>
Sent: 22 June 1999 15:19
Subject: VNC Configuration


> Dear all,
>
> can somebody help me with configuring VNC? I have an idea to instal it as
> "semi-videoconferencing tool", where two persons can discuss by phone
about
> what they are showing themselves on shared screen.
> What are possibilities to make it very easy startable, without typing
> comands with (for ordinary users) nonunderstandable options.
>

---------------------------------------------------------------------
The VNC mailing list - see http://www.uk.research.att.com/vnc/intouch.html

Recommended Links

 

 

Clones/Forks

TightVNC: Manual Page for Xvnc(1) Const Kaplinsky const@ce.cctpu.edu.ru has developed TightVNC, a version of VNC providing better compression for use with slow links than the standard VNC 3.3.3 release. Although it includes a number of extensions to the standard VNC distribution, TightVNC remains compatible with existing versions. The TightVNC homepage is at http://www.tightvnc.com/

TightVNC is fully compatible with the standard RFB protocol used in VNC, so you can use TightVNC viewer with the standard VNC server and vice versa. But note that protocol enhancements implemented in TightVNC will work only if these enhancements are supported on both sides of the connection.

TightVNC Features

Here is a brief list of TightVNC features absent in the standard VNC.

 


... please look at the Xvnc -help output and read the Xserver(1) manual page for ... rfbwait
time Maximum time, in milliseconds, to wait for an RFB client (VNC viewer ...
www.tightvnc.com/Xvnc.1.html - 14k - Cached - Similar pages

TightVNC: Manual Page for vncviewer(1)
vncviewer(1) Manual Page. [DONATE], Get a better TightVNC: make a donation
($10 is ok)! ... NAME. vncviewer - an X viewer client for VNC SYNOPSIS. ...
www.tightvnc.com/vncviewer.1.html - 24k - Cached - Similar pages
[ More results from www.tightvnc.com ]

x0rfbserver - accessing a standard X server with VNC

Jens Wagner has written some VNC-related tools, amongst which is a program called x0rfbserver. This is a VNC server which serves a standard X server desktop thus behaving more like WinVNC and MacVNC than does Xvnc. It is available in the rfb-n.n.n.tar.gz package from http://www.hexonet.de/software.en/

 

 

 http://ultravnc.sourceforge.net Want to remote control your computer?  If you have Windows XP Professional, you can use Remote Desktop.  If you don't use Windows XP Professional, you can still get remote control using UltraVNC.  UltraVNC is an excellent fast & free remote control, and file transfer program.

Harakan - Software - PalmVNC
... Ultra-thin client uses less than 40Kb of Palm memory. VNC servers available
for a wide variety of platforms. ... Please download the binaries and manual. ...
Description: Remote access and collaboration client for Palm Platform. A Virtual Network Computing client for the palm.
Category: Computers > Software > ... > Thin Clients > Virtual Network Computing
www.btinternet.com/~harakan/PalmVNC/ - 5k - Cached - Similar pages

PalmVNC v1.40 User's Guide
... Features and Compatibility. Ultra-thin client uses less than 40Kb of
Palm memory. VNC servers available for a wide variety of platforms. ...
www.btinternet.com/~harakan/PalmVNC/Manual/manual.htm - 13k - Cached - Similar pages 

[PDF]Using VNC (3
File Format: PDF/Adobe Acrobat - View as HTML
... Tower, 545-2836 C:\My Documents\Word\documentation\vnc\VNCVIEWER_web.doc 06/30/2003
5 Troubleshooting Note: For troubleshooting involving VNC Server, you must ... 
www.math.umass.edu/~scc/software/ handouts/VNCVIEWER.pdf - Similar pages

x11vnc a VNC server for real X displays

x11vnc: a VNC server for real X displays    (to FAQ)    (to downloads)    (to building)

x11vnc allows one to remotely view and interact with real X displays (i.e. a display corresponding to a physical monitor, keyboard, and mouse) with any VNC viewer. In this way it plays the role for Unix/X11 that WinVNC plays for Windows.

I wrote x11vnc because x0rfbserver was basically impossible to build on Solaris and had poor performance. The primary x0rfbserver build problems centered around esoteric C++ toolkits. x11vnc is written in plain C and uses only standard libraries. I also added a few enhancements to improve the interactive response, add esoteric features, etc. The FAQ contains a lot of information and solutions to problems, but please feel free to contact me if you have problems or questions.

 

Background:

VNC (Virtual Network Computing) is a very useful network graphics protocol in the spirit of X, however, unlike X, the viewing-end is very simple and maintains no state. It is a remote framebuffer (RFB) protocol

 

Some VNC links:

 

For Unix, the VNC implementation includes a virtual X11 server Xvnc (usually launched via the vncserver command) that is not associated with a real display, but provides a "fake" one X11 clients (xterm, mozilla, etc.) can attach to. A remote user then connects to Xvnc via the VNC client vncviewer from anywhere on the network to view and interact with the whole virtual X11 desktop.

The VNC protocol is in most cases better suited for remote connections with low bandwidth and high latency than is the X11 protocol. Also, with no state maintained the viewing-end can crash, be rebooted, or relocated and the applications and desktop continue running. Not so with X11.

So the standard Xvnc program is very useful, I use it for things like:

 

However, sometimes one wants to connect to a real X11 display (i.e. one attached to a physical monitor, keyboard, and mouse: a Workstation or a SunRay session) from far away. Maybe you want to close down an application cleanly rather than using kill, or want to work a bit in an already running application, or would like to help a distant colleague solve a problem with their desktop. This is where x11vnc is useful.

How to use x11vnc:

In this example let's assume the remote machine with the X display you wish to view is "far-away.east:0" and the workstation you are presently working at is "sitting-here.west".

Step 0. Download x11vnc (see below) and have it available to run (e.g. via $PATH) on far-away.east. Similarly, have a VNC viewer (e.g. vncviewer) ready to run on sitting-here.west. We recommend TightVNC Viewers.

Step 1. By some means log in to far-away.east and get a command shell running there. You can use ssh, rlogin, telnet, or any other method to do this. x11vnc needs to be run on the same machine the X server process is running on (because MIT-SHM shared memory is used to poll the X11 framebuffer).

Step 2. In that far-away.east shell (with command prompt "far-away>" in this example) run x11vnc directed at the far-away.east X session display:

 

  far-away> x11vnc -display :0

You could have also set the environment variable DISPLAY=:0 instead of using -display. This step attaches x11vnc to the far-away.east:0 X display (no viewer clients yet).

 

To get X11 permissions right, you may also need to set the XAUTHORITY environment variable (or use the -auth option) to point to the correct MIT-MAGIC-COOKIE file (e.g. /home/joe/.Xauthority). More on this below.

There will then be much chatter printed out from x11vnc, until it finally says something like: 

  .
  .
  13/05/2004 14:59:54 Autoprobing selected port 5900
  13/05/2004 14:59:54 screen setup finished.
  13/05/2004 14:59:54 The VNC desktop is far-away:0
  PORT=5900

which means all is OK, and we are ready for the final step.

 

Step 3. At the place where you are sitting (sitting-here.west in this example) you now want to run a VNC viewer program. There are VNC viewers for Unix, Windows, MacOS, Java-enabled web browsers, and even for PDA's like the Palm Pilot! You can use any of them to connect to x11vnc (see the above VNC links under "Background:" on how to obtain a viewer for your platform or this FAQ. For Solaris, vncviewer is available in the Companion CD package SFWvnc ).

In this example we'll use the Unix vncviewer program on sitting-here by typing the following command in a second terminal window:

 

  sitting-here> vncviewer far-away.east:0

That should pop up a viewer window on sitting-here.west showing and allowing interaction with the far-away.east:0  X11 desktop. Pretty nifty! When finished, exit the viewer: the remote x11vnc process will shutdown automatically (or you can use the -forever option to have it wait for additional viewer connections).

 

Desktop Sharing: The above more or less assumed nobody was sitting at the workstation display "far-away.east:0". This is often the case: a user wants to access her workstation remotely. Another usage pattern has the user sitting at "far-away.east:0" and invites one or more other people to view and interact with his desktop. Perhaps the user gives a demo or presentation this way (using the telephone for vocal communication). A "Remote Help Desk" mode would be similar: a technician remotely connects to the user's desktop to interactively solve a problem the user is having.

For these cases it should be obvious how it is done. The above steps will work, but more easily the user sitting at far-away.east:0 simply starts up x11vnc from a terminal window, after which the guests would start their VNC viewers. For this usage mode the -accept popup option discussed in the FAQ below may be of use to allow the user at far-away.east:0 to accept or reject incoming connections.

Tunnelling x11vnc via ssh:

The above example had no security or privacy at all. When logging into remote machines (certainly when going over the internet) it is best to use ssh, or use a VPN. For x11vnc one can tunnel the VNC protocol through the encrypted ssh channel. It would look something like this: 

  sitting-here> ssh -L 5900:localhost:5900 far-away.east 'x11vnc -display :0'

(you will likely have to provide passwords/passphrases for the ssh login) and then in another terminal window on sitting-here run the command: 

  sitting-here> vncviewer -encodings "copyrect tight zrle hextile" localhost:0

The -encodings option is very important: vncviewer will default to "raw" encoding if it thinks the connection is to the local machine, and so vncviewer gets tricked this way by the ssh redirection. "raw" encoding will be extremely slow over a networked link, so you need to force the issue with -encodings "copyrect tight ...".

 

If the machine you SSH into is not the same machine with the X display you wish to view (e.g. your company provides incoming SSH access to a gateway machine), then you need to change the above to, e.g.: -L 5900:otherhost:5900. Once logged in, you'll need to do a second login (ssh, rsh, etc.) to the workstation machine 'otherhost' and then start up x11vnc on it.

Scripts to automate tunneling: As discussed below, there may be some problems with port 5900 being available. If that happens, the above port and display numbers may change a bit (e.g. -> 5901 and :1). However, if you "know" port 5900 will be free on the local and remote machines, you can easily automate the above two steps by using the x11vnc option -bg (forks into background after connection to the display is set up) or using the -f option of ssh. A simple example script, assuming no problems with port 5900 being taken on the local or remote sides, looks like: 

#!/bin/sh
# usage: x11vnc_ssh <host>:<xdisplay>
#  e.g.: x11vnc_ssh snoopy.peanuts.com:0

host=`echo $1 | awk -F: '{print $1}'`
disp=`echo $1 | awk -F: '{print $2}'`
if [ "x$disp" = "x" ]; then disp=0; fi

cmd="x11vnc -display :$disp -localhost -rfbauth .vnc/passwd"
enc="copyrect tight zrle hextile zlib corre rre raw"

ssh -f -L 5900:localhost:5900 $host "$cmd"

for i in 1 2 3
do
        sleep 2
        if vncviewer -encodings "$enc" :0; then break; fi
done

See also rx11vnc.pl below.

 

Another method is to start the VNC viewer in listen mode "vncviewer -listen" and have x11vnc initiate a reverse connection using the -connect option: 

#!/bin/sh
# usage: x11vnc_ssh <host>:<xdisplay>
#  e.g.: x11vnc_ssh snoopy.peanuts.com:0

host=`echo $1 | awk -F: '{print $1}'`
disp=`echo $1 | awk -F: '{print $2}'`
if [ "x$disp" = "x" ]; then disp=0; fi

cmd="x11vnc -display :$disp -localhost -connect localhost"   # <-- note new option
enc="copyrect tight zrle hextile zlib corre rre raw"

vncviewer -encodings "$enc" -listen &
pid=$!
ssh -R 5500:localhost:5500 $host "$cmd"
kill $pid

 

A third way is specific to the TightVNC vncviewer special option -via for gateways. The only tricky part is we need to start up x11vnc and give it some time to start listening for connections (so we cannot use the TightVNC default setting for VNC_VIA_CMD): 

#!/bin/sh
# usage: x11vnc_ssh <host>:<xdisplay>
#  e.g.: x11vnc_ssh snoopy.peanuts.com:0

host=`echo $1 | awk -F: '{print $1}'`
disp=`echo $1 | awk -F: '{print $2}'`
if [ "x$disp" = "x" ]; then disp=0; fi

VNC_VIA_CMD="ssh -f -L %L:%H:%R %G x11vnc -localhost -rfbport 5900 -display :$disp; sleep 5" 
export VNC_VIA_CMD

vncviewer -via $host localhost:0      # must be TightVNC vncviewer.

Of course if you already have the x11vnc running waiting for connections (or have it started out of inetd(1)), you can simply use the TightVNC vncviewer -via gateway host:port in its default mode to provide secure ssh tunnelling.

 

VNC password file: Also note in the first example script that the option "-rfbauth .vnc/passwd" provides additional protection by requiring a VNC password for every VNC viewer that connects. The vncpasswd or storepasswd programs, or the x11vnc -storepasswd option can be used to create the password file. x11vnc also has the slightly less secure -passwdfile and "-passwd XXXXX" options.

Important: It is up to you to tell x11vnc to use password protection, it will not do it for you automatically. The same goes for encrypting the channel between the viewer and x11vnc: it is up to you to use ssh, stunnel, VPN, etc. Also look into the -allow and -localhost options and building x11vnc with tcp_wrappers support to limit host access.

 

Downloading x11vnc:

x11vnc is a contributed program to the libvncserver project at SourceForge.net. I use libvncserver for all of the VNC aspects; I couldn't have done without it. The full source code may be found and downloaded (either file-release tarball or CVS tree) from the above link. As of Aug 2004, the x11vnc-0.6.2.tar.gz source package is released (recommended download) . The x11vnc package is the subset of the libvncserver package needed to build the x11vnc program. Please do not use the LibVNCServer-0.6 tarball: it contains an older, more buggy version of x11vnc (Oct 2003) that you likely want to avoid. Also, you can get a copy of my latest, bleeding edge x11vnc.c file to replace the one in the above packages or the one in the CVS tree and then rebuild.

 

See the FAQ below for information about where you might obtain a precompiled x11vnc binary from 3rd parties.

To obtain VNC viewers for the viewing side (Windows, Mac OS, or Unix) try here:

 

More tools: Here is a rsh/ssh wrapper script rx11vnc that attempts to automatically do the above Steps 1-3 for you (provided you have rsh/ssh login permission on the machine x11vnc is to be run on). The above example would be: rx11vnc far-away.east:0 typed into a shell on sitting-here.west. Also included is an experimental script rx11vnc.pl that attempts to tunnel the vnc traffic through an ssh port redirection (and does not assume port 5900 is free). Have a look at them to see what they do and customize as needed:

Copyright © 1996-2007 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. Submit comments This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License(OPL). Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Standard disclaimer: The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: March 15, 2008