Jul 16 2012

Introduction

I’ve come across numerous sites that list the steps necessary to configure vnc-server on a variety of Linux distributions.  However, the majority of my work is on CentOS/RHEL 5, and finding the exact configuration on a newly installed server has been hit or miss.  Therefore, this post will document the steps that I’ve found to be the most straightforward for configuring vnc-server on CentOS and RHEL 5.

First, a basic assumption: the vnc-server package must be installed.  When I do a new install of CentOS or RHEL, the settings I choose install this package by default.  If, for some reason, vnc-server is not installed, you will need to download the package and install it with the rpm command, or install it over the Internet using yum.  To determine whether it is installed, issue the following command:

[root@CentOS ~]# yum list vnc-server
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
* base: mirror.sanctuaryhost.com
* extras: centos.vipernetworksystems.com
* updates: centos.aol.com
Installed Packages
vnc-server.x86_64     4.1.2-14.el5_6.6    installed
[root@CentOS ~]#

If it isn’t installed, then I prefer using yum over the rpm command since yum helps resolve dependencies.  Assuming Internet connectivity, the vnc-server package can be installed with this command:

yum install vnc-server

This should not be confused with yum install vnc, which installs the VNC client.

Overall Steps

Below are the steps that need to be performed to configure the vnc-server package:

  1. Identify the users who will have VNC access and set their passwords.
  2. Edit the server configuration.
  3. Start the VNC service and make sure it starts after a reboot.
  4. Customize xstartup.
  5. Open VNC port(s) in iptables.

Identify Users and Set VNC Passwords

The user or users who will have VNC access must be identified.  If they do not exist, then make use of the useradd command.  Once users are identified and/or created, set up their VNC password.

[root@CentOS ~]# su - wwhitman
[wwhitman@CentOS ~]$ vncpasswd
Password:
Verify:
[wwhitman@CentOS ~]$

Running vncpasswd for each user does two things.  It stores the VNC password in that user's ~/.vnc/passwd (created with mode 600), and it creates the .vnc directory if it does not exist yet.  That directory is important later on, as it also houses the xstartup file, which will be configured in a few more steps.  Keep in mind that the passwd file is obfuscated rather than hashed, and that VNC authentication uses only the first 8 characters of the password, so pick a VNC password that is not the user's login password and treat the file as a secret.

Server Configuration for Single and Multi-User

Single User

The file /etc/sysconfig/vncservers must be edited to include the users identified in the previous step.  The file looks something like this:

# The VNCSERVERS variable is a list of display:user pairs.
#
# Uncomment the lines below to start a VNC server on display :2
# as my 'myusername' (adjust this to your own).  You will also
# need to set a VNC password; run 'man vncpasswd' to see how
# to do that.
#
# DO NOT RUN THIS SERVICE if your local area network is
# untrusted!  For a secure way of using VNC, see
# 

# Use "-nolisten tcp" to prevent X connections to your VNC server via TCP.

# Use "-nohttpd" to prevent web-based VNC clients connecting.

# Use "-localhost" to prevent remote VNC clients connecting except when
# doing so through a secure tunnel. See the "-via" option in the
# `man vncviewer' manual page.

# VNCSERVERS="2:myusername"
# VNCSERVERARGS[2]="-geometry 800x600 -nolisten tcp -nohttpd -localhost"

The last two (commented) lines must be uncommented and changed.  In my example, using wwhitman as the only user accessing VNC, they look like this:

VNCSERVERS="1:wwhitman"
VNCSERVERARGS[1]="-geometry 1280x1024 -depth 16 -nolisten tcp -nohttpd "

The -geometry argument sets the size of the virtual desktop.  In this example, I have increased it significantly from the sample line's 800x600.  Xvnc draws into its own framebuffer rather than onto a physical monitor, so it is not limited to a monitor's mode list; pick a WIDTHxHEIGHT that fits comfortably on the viewer's screen, or just hack around and find the size that works best for you.

As the comments in the /etc/sysconfig/vncservers file say, -nolisten tcp stops the Xvnc X server from listening on its X11 TCP port (6000 plus the display number), and -nohttpd disables the built-in web server (5800 plus the display number) used by Java-based web viewers.  -localhost goes further: it binds the VNC port to the loopback interface only, so a remote viewer can reach the session only through a secure tunnel such as SSH (see the -via option in the vncviewer manual page).  This will be explained in a later post.  For now we do not use -localhost, so an unencrypted session can be established directly from the network; only do this on a network you trust.

Multi-User

If more users are required, add them to the VNCSERVERS line so that it looks like this:

VNCSERVERS="1:wwhitman 2:sally 3:fred 4:jsmith"

Also, add a new VNCSERVERARGS line for every user.  The arguments can differ per user, for example the resolution:

VNCSERVERARGS[1]="-geometry 1280x1024 -depth 16 -nolisten tcp -nohttpd "
VNCSERVERARGS[2]="-geometry 1280x1024 -depth 16 -nolisten tcp -nohttpd "
VNCSERVERARGS[3]="-geometry 800x600 -depth 16 -nolisten tcp -nohttpd "
VNCSERVERARGS[4]="-geometry 800x600 -depth 16 -nolisten tcp -nohttpd "

For a multi-user VNC implementation, the file will look something like this:

# The VNCSERVERS variable is a list of display:user pairs.
#
# Uncomment the lines below to start a VNC server on display :2
# as my 'myusername' (adjust this to your own).  You will also
# need to set a VNC password; run 'man vncpasswd' to see how
# to do that.
#
# DO NOT RUN THIS SERVICE if your local area network is
# untrusted!  For a secure way of using VNC, see
# 

# Use "-nolisten tcp" to prevent X connections to your VNC server via TCP.

# Use "-nohttpd" to prevent web-based VNC clients connecting.

# Use "-localhost" to prevent remote VNC clients connecting except when
# doing so through a secure tunnel. See the "-via" option in the
# `man vncviewer' manual page.

VNCSERVERS="1:wwhitman 2:sally 3:fred 4:jsmith"
VNCSERVERARGS[1]="-geometry 1280x1024 -depth 16 -nolisten tcp -nohttpd "
VNCSERVERARGS[2]="-geometry 1280x1024 -depth 16 -nolisten tcp -nohttpd "
VNCSERVERARGS[3]="-geometry 800x600 -depth 16 -nolisten tcp -nohttpd "
VNCSERVERARGS[4]="-geometry 800x600 -depth 16 -nolisten tcp -nohttpd "

VNC Service

Now that the VNC users have a VNC password and the /etc/sysconfig/vncservers file is correctly configured, it is time to start the VNC service.

The commands below show how to check whether the VNC service is running.  If it is not running, issue the service vncserver start command.

[root@CentOS ~]# service vncserver status
Xvnc is stopped
[root@CentOS ~]# service vncserver start
Starting VNC server: 1:wwhitman xauth: creating new authority file /home/wwhitman/.Xauthority

New 'CentOS:1 (wwhitman)' desktop is CentOS:1

Creating default startup script /home/wwhitman/.vnc/xstartup
Starting applications specified in /home/wwhitman/.vnc/xstartup
Log file is /home/wwhitman/.vnc/CentOS:1.log

[ OK ]
[root@CentOS ~]#

Provided you created a VNC password for each user listed in /etc/sysconfig/vncservers (the vncserver script expects ~/.vnc/passwd to exist before it starts a display), you will see that a default xstartup file is created in each such user's $HOME/.vnc directory on first start.

Now, to make sure the VNC service starts up every time the machine reboots.

[root@CentOS ~]# chkconfig vncserver on
[root@CentOS ~]# chkconfig --list |grep vnc
vncserver  0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@CentOS ~]#

If you installed the VNC package on your own, you may need to add it to chkconfig first:

[root@CentOS ~]# chkconfig --add vncserver

If you make any changes down the road, such as adding more users, make sure to restart the VNC service so that the changes take effect.

[root@CentOS ~]# service vncserver restart

Customize xstartup

The xstartup file is found in the home directory of each VNC user under .vnc.  So, for the user wwhitman, the path for xstartup is /home/wwhitman/.vnc/xstartup.

This file looks like this:

#!/bin/sh

# Uncomment the following two lines for normal desktop:
# unset SESSION_MANAGER
# exec /etc/X11/xinit/xinitrc

[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
twm &

The only change needed is to uncomment the two lines at the top of the file.  Because exec replaces the shell with /etc/X11/xinit/xinitrc, the lines after it never run once it is uncommented; they are only the fallback minimal twm session.  The file then looks like this:

#!/bin/sh

# Uncomment the following two lines for normal desktop:
unset SESSION_MANAGER
exec /etc/X11/xinit/xinitrc

[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
twm &

Configure iptables

Finally, make sure iptables allows VNC ports through.  This is not an article about configuring iptables.  To securely configure iptables I suggest several articles below under the Additional Reading section.  For now, we merely want to take a default iptables file and configure it to allow VNC to function.  By the way, this does not cover ip6tables.  If you have ipv6 running, you will need to configure that as well.

Here is a fairly typical configuration file for iptables, which is found at /etc/sysconfig/iptables:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

As seen in the /etc/sysconfig/vncservers file, the user wwhitman is associated with display :1, which is shorthand for the VNC server listening on TCP port 5901 (5900 plus the display number).  The user sally is associated with :2, that is, port 5902.  The web port (5800 plus the display number) and the X11 port (6000 plus the display number) do not need opening, because -nohttpd and -nolisten tcp disabled them.  Now that we know which ports to open, we can add one port or a range of ports to the iptables file, depending on how many users require VNC access.

Near the bottom and after the rule that allows SSH (port 22), add the following rule using your favorite editor (I use vi):

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT

This rule allows wwhitman's display to be reached on port 5901 from any source address.  If only a known network needs access, also add -s followed by that network (an admin subnet, for example) so the port is not open to the whole Internet.  If you want to add all four users from the multi-user example, then add this rule instead:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5901:5904 -j ACCEPT

So the /etc/sysconfig/iptables file should look like this for a multi-user implementation:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5901:5904 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Once the rule is added to /etc/sysconfig/iptables, make sure to restart iptables so that the changes take effect.

[root@CentOS ~]# service iptables restart
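The five steps above fit together in the following added example, which is not from the original post.  It is a small POSIX shell script that reads an EL5-style /etc/sysconfig/vncservers file, maps each display to its TCP port (5900 plus the display number), prints the matching iptables rules restricted to a trusted source network, and audits the mapping for the two things this article warns about: a display mapped to root and a display started without -localhost.  The file path, the 10.10.10.0/24 admin network and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Reads an EL5-style /etc/sysconfig/vncservers, derives the VNC TCP ports,
# prints iptables rules limited to a trusted source network, and audits the
# display:user mapping for root and for missing -localhost.
# Assumptions: the file path and the source network are given as arguments;
# function names and the 10.10.10.0/24 default are illustrative.

# Xvnc on display :N listens on TCP 5900+N.
vnc_port() {
    echo $((5900 + $1))
}

# Print the "display:user" pairs from the active VNCSERVERS= line, one per
# line.  Commented-out lines (such as the shipped '# VNCSERVERS=' sample)
# are skipped.
vnc_pairs() {
    sed -n 's/^[[:space:]]*VNCSERVERS="\{0,1\}\([^"]*\)"\{0,1\}.*$/\1/p' "$1" \
        | tr ' ' '\n' | sed '/^$/d'
}

# Print the VNCSERVERARGS[N] value for display N (empty if not set).
vnc_args() {
    sed -n "s/^[[:space:]]*VNCSERVERARGS\[$2]=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*$/\1/p" "$1"
}

# One ACCEPT rule per configured display, restricted with -s to the given
# network instead of opening 59xx to every source address.
vnc_iptables_rules() {
    file=$1; src=$2
    vnc_pairs "$file" | while IFS=: read -r disp _user; do
        printf '%s\n' "-A RH-Firewall-1-INPUT -s $src -m state --state NEW -m tcp -p tcp --dport $(vnc_port "$disp") -j ACCEPT"
    done
}

# Audit the mapping.  Prints one line per finding; returns 1 if anything
# was found, 0 if the file is clean.
vnc_audit() {
    file=$1; rc=0
    for pair in $(vnc_pairs "$file"); do
        disp=${pair%%:*}; user=${pair#*:}
        args=$(vnc_args "$file" "$disp")
        if [ "$user" = root ]; then
            echo "FAIL display :$disp runs Xvnc as root"; rc=1
        fi
        case " $args " in
            *" -localhost "*) ;;
            *) echo "WARN display :$disp ($user) listens on TCP $(vnc_port "$disp") without -localhost: unencrypted and reachable from the network"; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone use:  sh vnccheck.sh /etc/sysconfig/vncservers 10.10.10.0/24
if [ "$#" -ge 1 ]; then
    vnc_audit "$1"
    vnc_iptables_rules "$1" "${2:-10.10.10.0/24}"
fi
```

The generated rules can replace the single 5901:5904 line above, and because vnc_audit returns a non-zero status when it finds something, the script can double as a check in a configuration-management or cron job.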

VNC Viewer

I prefer TightVNC as my VNC viewer.  The most important thing to keep in mind for first-time users of VNC is to enter the correct port.  VNC's base port is 5900, and display :N maps to port 5900+N, so in my examples I start with 5901, which is interchangeable with :1.  With the multi-user example, VNC uses ports 5902, 5903 and 5904, so :2, :3 and :4 are used as the display notation in the viewer.

If we look at the multi-user example above, the /etc/sysconfig/vncservers file configures the user jsmith on port 5904 or :4. The below example demonstrates this connection to 10.10.10.10:4. Additionally, the settings (all defaults) that I use for TightVNC are shown.

[screenshot: TightVNC viewer connecting to 10.10.10.10:4 with default settings]

Security Considerations

By itself, VNC is considered insecure: the protocol as shipped in the EL5 vnc-server package does not encrypt anything.  The password check is a DES-based challenge-response that uses at most 8 characters of the password, and after it every keystroke and screen update crosses the network in the clear.  Therefore, never use VNC without additional protection (tunnel over SSH) in any situation where network traffic could be sniffed, for instance from your home into work.  In a follow up article, I outline the steps needed to securely run VNC over an SSH tunnel.

Lastly, never set up VNC with the user root.  Xvnc would then run as root, a guessed or sniffed 8-character VNC password would hand out a root desktop, and /root/.vnc/passwd (obfuscated, not hashed) would become a high-value target.  Log in as a normal user and use sudo or su to root.

Additional Reading

http://wiki.centos.org/HowTos/VNC-Server

http://consultancy.edvoncken.net/index.php/HOWTO_Configure_VNC_Server_on_RHEL5_/_CentOS_5

http://www.cyberciti.biz/faq/rhel-fedorta-linux-iptables-firewall-configuration-tutorial/

http://wiki.centos.org/HowTos/Network/IPTables

http://naylors.net/blog/2012/07/17/tunnel-vnc-through-ssh/

  One Response to “VNC Server Configuration for CentOS 5 and RHEL 5”

  1. Hi,

    Thanks very much for sharing this, because these steps worked properly.

    Rgds,
    Sven