HOWTO Setup a Multi-User Graphic Desktop Server

Copyright 2005 W.S. Herrick 5/16/05

This document describes the steps to add remote desktops via VNC as a system service to Linux. The service can support remote users that you define and provide them a Linux GUI/desktop from the server. This service is available to any VNC client: Winx, Linux, or Mac. This dialogue is a little Mandrake bound, but many other distributions have similar methods.

The work-around presented here adds full-time pre-loaded X sessions launched by the server as a part of the vncserver service, not as an on-demand method. I tried to install the 'on-demand' Xvnc service using xinetd but couldn't make it respond to incoming session requests. I also tried using the Mandrake /etc/sysconfig/vncservers method, but could only get the last entry to run, so it effectively becomes a one-user service. The additional sessions require few resources beyond those needed by the regular X session, so the overhead for adding the static services is not very high. When many users begin to demand resources, the system response will slow.

The outcome of this effort is a server that will offer a desktop to a LAN/WAN VNC client. The server requires you to know the “display #” (eg: port#-5900) , the ip address of the server, and the password. You can forward and encrypt the session thru firewalls. Clients can get their same desktop from any workstation on the LAN or net. Several users may be able to share one machine without delays or conflicts-ymmv.

• Install the vncserver software-see your package manager and distrib for the right package-you can find packages by searching for VNC VNCSERVER TIGHTVNC REALVNC. AT&T wrote the original VNC and both Tight and Real VNC have added features. They all work. Pick the right package for your distribution, or compile the source code.

• NB: the display numbers set below must be unique, and may not be 0 (hint: use 1..n). Display 0 is usually taken by the graphic login manager, and then passed to the user running the server itself.

• NB: The display number+5900 corresponds to the port #.

• Display 0 is available to VNC if the user runs the vncserver (or rfb0server) once they've started their X session. The displays you are setting up here are going to run on a workstation, being served from the server box, and have display numbers larger than 0.

• Construct/Choose your users and set their vnc logins. For each user, add them. Set their password, and log in as that user. This creates their “/home/userid “ directory. Invoke vncserver. Offer it the same password as the user login. Kill the vncserver and logout. Do this for all users (you can add more later). You can set up an existing user, just invoke vncserver from the shell and procede as above. As an example, the following 9 users will be setup:

map 5951/display :1

map2 5952/display :2

map3 5953/display :3

johnc 5954/display :4

johnw 5955/display :5

derek 5956/display :6

wh 5957/display :7

tmp1 5958/display :8

tmp2 5959/display :9

• Use vncpasswd to change a password- or you can erase the “~/.vnc” dir and start vncserver.

• Create the file /etc/rc.d/init.d/vnczstart and write the following to it:

#!/bin/bash

su map -c "cd /home/map && [ -f .vnc/passwd ] && vncserver :1"

su map2 -c "cd /home/map2 && [ -f .vnc/passwd ] && vncserver :2"

su map3 -c "cd /home/map3 && [ -f .vnc/passwd ] && vncserver :3"

su johnc -c "cd /home/johnc && [ -f .vnc/passwd ] && vncserver :4"

su johnw -c "cd /home/johnw && [ -f .vnc/passwd ] && vncserver :5"

su wh2 -c "cd /home/wh2 && [ -f .vnc/passwd ] && vncserver :6"

su wh -c "cd /home/wh && [ -f .vnc/passwd ] && vncserver :7"

su tmp1 -c "cd /home/tmp1 && [ -f .vnc/passwd ] && vncserver :8"

su tmp2 -c "cd /home/tmp2 && [ -f .vnc/passwd ] && vncserver :9"

exit 0

• Create the file /etc/rc.d/init.d/vnczstop and write the following to it:

#!/bin/bash

su map -c "vncserver -kill :1 "

su map2 -c "vncserver -kill :2"

su map3 -c "vncserver -kill :3"

su johnc -c "vncserver -kill :4"

su johnw -c "vncserver -kill :5"

su wh2 -c "vncserver -kill :6 "

su wh -c "vncserver -kill :7"

su tmp1 -c "vncserver -kill :8"

su tmp2 -c "vncserver -kill :9"

exit 0

• Create/Edit the file /etc/rc.d/init.d/vncserver and write the following to it (NB: only two working lines are added- one to start the VNC server, and the other to stop-see the '# wsh' lines):

#!/bin/bash
#
# chkconfig: - 91 35
# description: Starts and stops vncserver. \
#	       used to provide remote X administration services.

# Source function library.
. /etc/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

VNCSERVERS=""
[ -f /etc/sysconfig/vncservers ] && . /etc/sysconfig/vncservers


gprintf "VNCSERVERS %s: " "$VNCSERVERS"


prog=$"VNC server"

start() {
    gprintf "Starting %s: " "$prog"

#					 wsh 5/18/05
    /etc/rc.d/init.d/vnczstart 
# 					 wsh

    ulimit -S -c 0 >/dev/null 2>&1
    RETVAL=0
    for display in ${VNCSERVERS}
    do
        gprintf "%s " "${display}"
        initlog $INITLOG_ARGS -c \
            "su ${display##*:} -c \"cd ~${display##*:} && [ -f .vnc/passwd ] && vncserver :${display%%:*}\""
        RETVAL=$?
        [ "$RETVAL" -ne 0 ] && break
    done
    [ "$RETVAL" -eq 0 ] && success $"vncserver startup" || \
        failure "vncserver start"
    echo
    [ "$RETVAL" -eq 0 ] && touch /var/lock/subsys/vncserver
}

stop() {
    gprintf "Shutting down %s: " "$prog"

#  					wsh 5/18/05 
    /etc/rc.d/init.d/vnczstop
# 					wsh

    for display in ${VNCSERVERS}
    do
        gprintf "%s " "${display}"
	unset BASH_ENV ENV
        initlog $INITLOG_ARGS -c \
	    "su ${display##*:} -c \"vncserver -kill :${display%%:*} >/dev/null 2>&1\""
    done
    RETVAL=$?
    [ "$RETVAL" -eq 0 ] && success $"vncserver shutdown" || \
        failure "vncserver shutdown"
    echo
    [ "$RETVAL" -eq 0 ] && rm -f /var/lock/subsys/vncserver
}

# See how we were called.
case "$1" in
  start)
	start
	;;
  stop)
	stop
	;;
  restart|reload)
	stop
	start
	;;
  condrestart)
	if [ -f /var/lock/subsys/vncserver ]; then
	    stop
	    start
	fi
	;;
  status)
	status Xvnc
	;;
  *)
	gprintf "Usage: %s {start|stop|restart|condrestart|status}\n" "$0"
	exit 1
esac

• Start the vncserver service. U nder Mandrake, from a console, key in 'service vncserver start' and your desktops should be available. From a server console, invoke the vncviewer with 'vncviewer localhost:1' to test the first display/user. Test each by repeating the above with their individual display #. Set the runlevels (start at GUI/Net level) with 'chkconfig –level 345 on vncserver' or you can use the 'Configure My Computer' dialogs and start the service and set the runlevels.

• If you are running VNC over an untrusted net like the the internet, read the next couple of items, if you have a trusted LAN, skip to the User Login step below.

• NB: VNC is insecure. It broadcasts tcp packets on ports 5900..5999. Use ssh/putty to build secure encrypted tunnels for VNC if you expect to use it via the internet-or in any circumstance where the net is untrused. See VNC, ssh, and putty docs for more.

• The ports 5900..5999 correspond to display numbers. When you set the VNCSERVER #:ID above, the number you gave for the display maps to a port, where Display 0 maps to port 5900, Display 1 to 5901 and so on. Your firewall will need to allow and forward the 59xx ports. The allow is an Iptable rule, and the forwarding is usually done via “putty” or “ssh” when you set up the secure tunnel. You don't need to know this if you are not running VNC on an untrusted net, eg: the internet. On trusted LANs you need only know the display number, userid, and password.

• User Login with a VNC Client is pretty straightforward. Ones I use often are tightvnc and vncserver. They both expect a resolvable name or IP address of the server box, and the display number. You will be prompted for the password. In general, you must know the display number, userid, and password. Most viewers launch from a windows or linux GUI and the exact language will vary. Assign the display, and invoke the right password for the userID you are logging in as, and shazzam- you are running a desktop from the server. Other users can also be doing the same, on different display #'s and logins, on the same server.

• Don't “Logout of X” from the vnc session, just quit the session to exit. If you do logout, you'll have to kill and restart vncserver as that user with their display # on the server, afaict.

• In a nutshell, to make a secure connection: set up all firewalls (yours and theirs) to accept outbound VNC tcp & udp packets from 5900-59xx, where xx is the number of displays you want to serve, then launch ssh from your workstation from a shell run from your GUI, to their firewall in the form:

  “ ssh -l userid -C -L 5901:192.168.0.1:5901 66.65.64.63“, NB: this Requires you to have a login on their firewall. The 5901:192.168.0.1:5901 part sets up your local display number for the VNC served GUI (+5900), the local IP address of the GUI server, and the display number of the remote GUI (+5900). You'll give your vncviewer the Local display number, as shown next. The 66.65.64.63 part is the internet address of the remote firewall. See the ssh man page for more.

• Launch vncviwer from your workstation, from another shell run from your GUI, by invoking: “vncviewer -compresslevel 5 -quality 3 localhost:1” NB the “:1” is the Local display number that you set with the ssh command. See the vncviewer man page for details bout the compression and quality settings.

Stuff I learned but didn't need.

Install and configure the dm service: KDM, GDM, mdkkdm, etc. In Mandrake, use Configure My Computer to start the dm service (other distributions have their own service manager). Choose the Display Manager tab and select mdkkdm. This offers the GUI login and allows for remote X.

• Allow xinetd to listen to external calls. Edit /etc/xinetd.conf

  Comment Out:

  #only_from = localhost

• Mandrake specific, other OS's similar: edit /etc/kde/kdm/kdmrc & enable XDMCP on port 177, d isallow shutdown, reboot, and remote root logins:

  [Xdmcp]    	Enable=true    	Willing=/etc/X11/xdm/Xwilling    	Xaccess=/etc/X11/xdm/Xaccess    	Port=177

[X-*-Core]

  	AllowShutdown=None

 	AllowRootLogin=false

• Specify who has access to XDMCP

Edit /etc/X11/xdm/Xaccess and uncomment the line

'* #any host can get a login window

by removing the single quote '.

• Login as root and cd to /etc. Edit /etc/sysconfig/vncservers. Append a new line for each GUI instance you want to support-that is probably one for each userid. According to the KDE manual, adding new instances to a box already running KDE takes relatively few resources. Each line should be of the form: “VNCSERVERS #:ID” where # is the display # and ID is the userid. You need to know your display number when asking the server for the GUI login. You will need to know this if you have to pass thru a firewall, as well (see below). In our example, this file looks like:

VNCSERVERS="1:map"

VNCSERVERS="2:map2"

VNCSERVERS="3:map3"

VNCSERVERS="4:johnc"

VNCSERVERS="5:johnw"

VNCSERVERS="6:derek"

VNCSERVERS="7:wh"

VNCSERVERS="8:tmp1"

VNCSERVERS="9:tmp2"

• Restart the X server and xdm. Test from localhost:x. The following should show the map user's GUI/desktop:

pgrep xinetd <== shows PID

kill -s SIGHUP PID <== Use PID from above

pgrep dm

kill -s SIGHUP PID <== Use PID from above

vncviewer localhost:1