HOWTO Setup a Multi-User Graphic Desktop Server With Linux (2005)

Posted: March 25, 2014

HOWTO Setup a Multi-User Graphic Desktop Server
Copyright 2005 W.S. Herrick 5/16/05

This document describes the steps to add remote desktops via VNC as a system service to Linux. The service can support remote users that you define and provide them a Linux GUI/desktop from the server. This service is available to any VNC client: Winx, Linux, or Mac. This dialogue is a little Mandrake bound, but many other distributions have similar methods.

The work-around presented here adds full-time pre-loaded X sessions launched by the server as a part of the vncserver service, not as an on-demand method. I tried to install the 'on-demand' Xvnc service using xinetd but couldn't make it respond to incoming session requests. I also tried using the Mandrake /etc/sysconfig/vncservers method, but could only get the last entry to run, so it effectively becomes a one-user service. The additional sessions require few resources beyond those needed by the regular X session, so the overhead for adding the static services is not very high. When many users begin to demand resources, the system response will slow.

The outcome of this effort is a server that will offer a desktop to a LAN/WAN VNC client. The server requires you to know the “display #” (eg: port# - 5900), the IP address of the server, and the password. You can forward and encrypt the session thru firewalls. Clients can get their same desktop from any workstation on the LAN or net. Several users may be able to share one machine without delays or conflicts (ymmv).

Install the vncserver software. See your package manager and distrib for the right package; you can find packages by searching for VNC, VNCSERVER, TIGHTVNC, REALVNC. AT&T wrote the original VNC and both Tight and Real VNC have added features. They all work. Pick the right package for your distribution, or compile the source code.

NB: the display numbers set below must be unique, and may not be 0 (hint: use 1..n). Display 0 is usually taken by the graphic login manager, and then passed to the user running the server itself.

NB: The display number + 5900 corresponds to the port #. Display 0 is available to VNC if the user runs the vncserver (or rfb0server) once they've started their X session. The displays you are setting up here are going to run on a workstation, being served from the server box, and have display numbers larger than 0.

Construct/Choose your users and set their vnc logins. For each user, add them. Set their password, and log in as that user. This creates their “/home/userid” directory. Invoke vncserver. Offer it the same password as the user login. Kill the vncserver and logout. Do this for all users (you can add more later). You can set up an existing user: just invoke vncserver from the shell and proceed as above.

As an example, the following 9 users will be setup:

    map     5951/display :1
    map2    5952/display :2
    map3    5953/display :3
    johnc   5954/display :4
    johnw   5955/display :5
    derek   5956/display :6
    wh      5957/display :7
    tmp1    5958/display :8
    tmp2    5959/display :9

    #!/bin/bash
    # Start one pre-loaded VNC session per user, only if that user has a .vnc/passwd.
    su map -c "cd /home/map && [ -f .vnc/passwd ] && vncserver :1"
    su map2 -c "cd /home/map2 && [ -f .vnc/passwd ] && vncserver :2"
    su map3 -c "cd /home/map3 && [ -f .vnc/passwd ] && vncserver :3"
    su johnc -c "cd /home/johnc && [ -f .vnc/passwd ] && vncserver :4"
    su johnw -c "cd /home/johnw && [ -f .vnc/passwd ] && vncserver :5"
    su wh2 -c "cd /home/wh2 && [ -f .vnc/passwd ] && vncserver :6"
    su wh -c "cd /home/wh && [ -f .vnc/passwd ] && vncserver :7"
    su tmp1 -c "cd /home/tmp1 && [ -f .vnc/passwd ] && vncserver :8"
    su tmp2 -c "cd /home/tmp2 && [ -f .vnc/passwd ] && vncserver :9"
    exit 0

    #!/bin/bash
    # Kill each user's VNC session by display number.
    su map -c "vncserver -kill :1"
    su map2 -c "vncserver -kill :2"
    su map3 -c "vncserver -kill :3"
    su johnc -c "vncserver -kill :4"
    su johnw -c "vncserver -kill :5"
    su wh2 -c "vncserver -kill :6"
    su wh -c "vncserver -kill :7"
    su tmp1 -c "vncserver -kill :8"
    su tmp2 -c "vncserver -kill :9"
    exit 0

    #!/bin/bash
    #
    # chkconfig: - 91 35
    # description: Starts and stops vncserver. \
    #              used to provide remote X administration services.

    # Source function library.
    . /etc/init.d/functions

    # Source networking configuration.
    . /etc/sysconfig/network

    # Check that networking is up.
    [ "${NETWORKING}" = "no" ] && exit 0

    VNCSERVERS=""
    [ -f /etc/sysconfig/vncservers ] && . /etc/sysconfig/vncservers

    gprintf "VNCSERVERS %s: " "$VNCSERVERS"

    prog=$"VNC server"

    start() {
        gprintf "Starting %s: " "$prog"

        # wsh 5/18/05
        /etc/rc.d/init.d/vnczstart
        # wsh

        ulimit -S -c 0 >/dev/null 2>&1
        RETVAL=0
        # Each entry is "display:userid"; ${display##*:} is the userid,
        # ${display%%:*} is the display number.
        for display in ${VNCSERVERS}
        do
            gprintf "%s " "${display}"
            initlog $INITLOG_ARGS -c \
                "su ${display##*:} -c \"cd ~${display##*:} && [ -f .vnc/passwd ] && vncserver :${display%%:*}\""
            RETVAL=$?
            [ "$RETVAL" -ne 0 ] && break
        done
        [ "$RETVAL" -eq 0 ] && success $"vncserver startup" || \
            failure "vncserver start"
        echo
        [ "$RETVAL" -eq 0 ] && touch /var/lock/subsys/vncserver
    }

    stop() {
        gprintf "Shutting down %s: " "$prog"

        # wsh 5/18/05
        /etc/rc.d/init.d/vnczstop
        # wsh

        for display in ${VNCSERVERS}
        do
            gprintf "%s " "${display}"
            unset BASH_ENV ENV
            initlog $INITLOG_ARGS -c \
                "su ${display##*:} -c \"vncserver -kill :${display%%:*} >/dev/null 2>&1\""
        done
        RETVAL=$?
        [ "$RETVAL" -eq 0 ] && success $"vncserver shutdown" || \
            failure "vncserver shutdown"
        echo
        [ "$RETVAL" -eq 0 ] && rm -f /var/lock/subsys/vncserver
    }

    # See how we were called.
    case "$1" in
        start)
            start
            ;;
        stop)
            stop
            ;;
        restart|reload)
            stop
            start
            ;;
        condrestart)
            if [ -f /var/lock/subsys/vncserver ]; then
                stop
                start
            fi
            ;;
        status)
            status Xvnc
            ;;
        *)
            gprintf "Usage: %s {start|stop|restart|condrestart|status}\n" "$0"
            exit 1
    esac

Start the vncserver service. Under Mandrake, from a console, key in 'service vncserver start' and your desktops should be available. From a server console, invoke the vncviewer with 'vncviewer localhost:1' to test the first display/user. Test each by repeating the above with their individual display #.

Set the runlevels (start at GUI/Net level) with 'chkconfig --level 345 vncserver on' or you can use the 'Configure My Computer' dialogs and start the service and set the runlevels.

If you are running VNC over an untrusted net like the internet, read the next couple of items; if you have a trusted LAN, skip to the User Login step below.

NB: VNC is insecure. It sends its TCP traffic in the clear on ports 5900..5999. Use ssh/putty to build secure encrypted tunnels for VNC if you expect to use it via the internet, or in any circumstance where the net is untrusted. See VNC, ssh, and putty docs for more.

The ports 5900..5999 correspond to display numbers. When you set the VNCSERVER #:ID above, the number you gave for the display maps to a port, where Display 0 maps to port 5900, Display 1 to 5901 and so on. Your firewall will need to allow and forward the 59xx ports. The allow is an Iptable rule, and the forwarding is usually done via “putty” or “ssh” when you set up the secure tunnel. You don't need to know this if you are not running VNC on an untrusted net, eg: the internet. On trusted LANs you need only know the display number, userid, and password.

User Login with a VNC Client is pretty straightforward. Ones I use often are tightvnc and vncserver. They both expect a resolvable name or IP address of the server box, and the display number. You will be prompted for the password. In general, you must know the display number, userid, and password. Most viewers launch from a windows or linux GUI and the exact language will vary. Assign the display, and invoke the right password for the userID you are logging in as, and shazzam, you are running a desktop from the server.

Other users can also be doing the same, on different display #'s and logins, on the same server. Don't “Logout of X” from the vnc session, just quit the session to exit. If you do logout, you'll have to kill and restart vncserver as that user with their display # on the server, afaict.

In a nutshell, to make a secure connection: set up all firewalls (yours and theirs) to accept outbound VNC tcp & udp packets from 5900-59xx, where xx is the number of displays you want to serve, then launch ssh from your workstation, from a shell run from your GUI, to their firewall in the form:

    ssh -l userid -C -L 5901:192.168.0.1:5901 66.65.64.63

NB: this requires you to have a login on their firewall. The 5901:192.168.0.1:5901 part sets up your local display number for the VNC served GUI (+5900), the local IP address of the GUI server, and the display number of the remote GUI (+5900). You'll give your vncviewer the Local display number, as shown next. The 66.65.64.63 part is the internet address of the remote firewall. See the ssh man page for more.

Launch vncviewer from your workstation, from another shell run from your GUI, by invoking:

    vncviewer -compresslevel 5 -quality 3 localhost:1

NB: the “:1” is the Local display number that you set with the ssh command. See the vncviewer man page for details about the compression and quality settings.

Stuff I learned but didn't need.

Install and configure the dm service: KDM, GDM, mdkkdm, etc. In Mandrake, use Configure My Computer to start the dm service (other distributions have their own service manager). Choose the Display Manager tab and select mdkkdm. This offers the GUI login and allows for remote X.

Allow xinetd to listen to external calls. Edit /etc/xinetd.conf Comment Out:

Mandrake specific, other OS's similar: edit /etc/kde/kdm/kdmrc & enable XDMCP on port 177, disallow shutdown, reboot, and remote root logins:

    [Xdmcp]
    Enable=true
    Willing=/etc/X11/xdm/Xwilling
    Xaccess=/etc/X11/xdm/Xaccess
    Port=177

    [X-*-Core]
    AllowShutdown=None
    AllowRootLogin=false

Specify who has access to XDMCP. Edit /etc/X11/xdm/Xaccess and uncomment the line '* #any host can get a login window' by removing the single quote (').

Login as root and cd to /etc. Edit /etc/sysconfig/vncservers. Append a new line for each GUI instance you want to support; that is probably one for each userid. According to the KDE manual, adding new instances to a box already running KDE takes relatively few resources. Each line should be of the form “VNCSERVERS #:ID”, where # is the display # and ID is the userid. You need to know your display number when asking the server for the GUI login. You will need to know this if you have to pass thru a firewall, as well (see below). In our example, this file looks like:

    VNCSERVERS="1:map"
    VNCSERVERS="2:map2"
    VNCSERVERS="3:map3"
    VNCSERVERS="4:johnc"
    VNCSERVERS="5:johnw"
    VNCSERVERS="6:derek"
    VNCSERVERS="7:wh"
    VNCSERVERS="8:tmp1"
    VNCSERVERS="9:tmp2"

    pgrep xinetd            # shows PID
    kill -s SIGHUP PID      # use PID from above
    pgrep dm
    kill -s SIGHUP PID      # use PID from above
    vncviewer localhost:1
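
Why a file with one VNCSERVERS assignment per line starts only its last entry: each assignment overwrites the previous one, while the init script's `for display in ${VNCSERVERS}` loop walks a single space-separated list. This is an added example, not part of the original HOWTO; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original HOWTO); file names are constructed.

# list_sessions FILE: source a sysconfig-style file in a subshell and print
# "<user> :<display>" per entry, splitting each entry with the same
# ${display##*:} and ${display%%:*} expansions the init script uses.
# Display 0 and non-numeric displays are rejected, as the NB requires.
list_sessions() (
    VNCSERVERS=""
    . "$1"
    for display in ${VNCSERVERS}; do
        user=${display##*:}
        num=${display%%:*}
        case $num in
            ''|*[!0-9]*|0) echo "bad display in '$display'" >&2; exit 1 ;;
        esac
        echo "$user :$num"
    done
)

# duplicate_displays FILE: print display numbers claimed by more than one entry.
duplicate_displays() {
    list_sessions "$1" | awk '{ print $2 }' | sort | uniq -d
}

demo_dir=$(mktemp -d)

# Constructed sample 1: one assignment per line, as in the file shown above.
# Every line replaces the value set by the line before it.
cat > "$demo_dir/per_line" <<'EOF'
VNCSERVERS="1:map"
VNCSERVERS="2:map2"
VNCSERVERS="3:map3"
EOF

# Constructed sample 2: one assignment holding a space-separated list.
cat > "$demo_dir/one_line" <<'EOF'
VNCSERVERS="1:map 2:map2 3:map3"
EOF

echo "per-line file:"; list_sessions "$demo_dir/per_line"
echo "one-line file:"; list_sessions "$demo_dir/one_line"
```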