Connecting VNC Server Via SSH Tunnel On CentOS 7

Virtual Network Computing(VNC)是基於Remote Framebuffer (RFB)協議(RFC6143)的圖形化桌面共享系統，可通過網路，控制遠程主機的桌面。

本文記錄在CentOS7.x中安裝、配置VNC Server(tigervnc)，通過VNC連接遠程主機的圖形化桌面，並通過創建SSH Tunnel實現加密通信。

Introduction

VNC

Virtual Network Computing (VNC)的RFC編號是7869。

In computing, Virtual Network Computing (VNC) is a graphical desktop sharing system that uses the Remote Frame Buffer protocol (RFB) to remotely control another computer. It transmits the keyboard and mouse events from one computer to another, relaying the graphical screen updates back in the other direction, over a network. – https://en.wikipedia.org/wiki/Virtual_Network_Computing

TigerVNC

官方介紹

TigerVNC is a high-performance, platform-neutral implementation of VNC (Virtual Network Computing), a client/server application that allows users to launch and interact with graphical applications on remote machines. TigerVNC provides the levels of performance necessary to run 3D and video applications, and it attempts to maintain a common look and feel and re-use components, where possible, across the various platforms that it supports. TigerVNC also provides extensions for advanced authentication methods and TLS encryption. – http://tigervnc.org/

RedHat官方文檔介紹

TigerVNC (Tiger Virtual Network Computing) is a system for graphical desktop sharing which allows you to remotely control other computers.

TigerVNC works on the client-server principle: a server shares its output (vncserver) and a client (vncviewer) connects to the server. – https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-TigerVNC.html

TigerVNC採用server/client架構，在server端安裝tigervnc-server，在client端安裝tightvnc或其它vncviewer。

Preparation

本文所有操作在DigitalOcean的VPS中進行，默認是root用戶，為方便使用普通用戶賬戶登錄的用戶，在相關命令前添加sudo指令。

VPS相關信息如下

item	detail
OS	`CentOS Linux release 7.3.1611 (Core)`
Kernel	`3.10.0-514.2.2.el7.x86_64`
IP	`192.241.240.132`

通過SSH連接該主機，命令如下

`1`	`ssh -C -c aes256-cbc [email protected]`

使用VNC是為了連接圖形化桌面，故需在VPS中安裝圖形化卓名，此處選擇GNOME Desktop。執行如下命令進行安裝

1

sudo yum groupinstall -y "GNOME Desktop"

VNC軟件選擇tigervnc，安裝、配置過程參考RedHat官方文檔 CHAPTER 13. TIGERVNC。

TigerVNC Server

Installing

安裝tigervnc，可通過如下命令查看相關安裝包

1

sudo yum info tigervnc* | awk '$1=="Name"{print $NF}'

此處只安裝tigervnc-server，為演示方便添加普通用戶tigervnc，display_number 設置為1。

執行如下命令安裝tigervnc-server

1
2
3


sudo yum install -y tigervnc-server
# 查看服務管理文件
ls /lib/systemd/system/[email protected]

執行如下命令創建普通用戶tigervnc

1
2


sudo useradd tigervnc
echo 'tigervnc2017' | sudo passwd --stdin tigervnc

Attention

Unlike in previous Red Hat Enterprise Linux distributions, TigerVNC in Red Hat Enterprise Linux 7 uses the systemd system management daemon for its configuration. The /etc/sysconfig/vncserver configuration file has been replaced by /etc/systemd/system/[email protected]. – https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-TigerVNC.html

查看文件

`1`	`/lib/systemd/system/[email protected]`

其內容如下

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47


# The vncserver service unit file
#
# Quick HowTo:
# 1. Copy this file to /etc/systemd/system/[email protected]
# 2. Edit /etc/systemd/system/[email protected], replacing <USER>
#    with the actual user name. Leave the remaining lines of the file unmodified
#    (ExecStart=/usr/sbin/runuser -l <USER> -c "/usr/bin/vncserver %i"
#     PIDFile=/home/<USER>/.vnc/%H%i.pid)
# 3. Run `systemctl daemon-reload`
# 4. Run `systemctl enable [email protected]:<display>.service`
#
# DO NOT RUN THIS SERVICE if your local area network is
# untrusted!  For a secure way of using VNC, you should
# limit connections to the local host and then tunnel from
# the machine you want to view VNC on (host A) to the machine
# whose VNC output you want to view (host B)
#
# [[email protected] ~]$ ssh -v -C -L 590N:localhost:590M hostB
#
# this will open a connection on port 590N of your hostA to hostB's port 590M
# (in fact, it ssh-connects to hostB and then connects to localhost (on hostB).
# See the ssh man page for details on port forwarding)
#
# You can then point a VNC client on hostA at vncdisplay N of localhost and with
# the help of ssh, you end up seeing what hostB makes available on port 590M
#
# Use "-nolisten tcp" to prevent X connections to your VNC server via TCP.
#
# Use "-localhost" to prevent remote VNC clients connecting except when
# doing so through a secure tunnel.  See the "-via" option in the
# `man vncviewer' manual page.


[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target

[Service]
Type=forking
# Clean any existing files in /tmp/.X11-unix environment
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/usr/sbin/runuser -l <USER> -c "/usr/bin/vncserver %i"
PIDFile=/home/<USER>/.vnc/%H%i.pid
ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'

[Install]
WantedBy=multi-user.target

註釋部分敘述了配置過程及通過SSH端口轉發實現加密通信。

重要：在複製文件/etc/systemd/system/[email protected]時，涉及到 *display_number*，該參數可指定具體的數值，如1、2、3等。VNC Server默認端口是5900，如果指定了 *display_number*，則VNC Server最終的監聽端口號為5900 + display_number。比如：指定 display_number 為1，則最終的監聽端口號為5901；指定 display_number 為2，則最終的監聽端口號為5902，依次類推。監聽端口可通過如下命令查看

1
2
3


sudo ss -tnlp | grep -i vnc
#或
sudo netstat -tnlpe | grep -i vnc

The default port of VNC server is 5900. To reach the port through which a remote desktop will be accessible, sum the default port and the user’s assigned display number. For example, for the second display: 2 + 5900 = 5902. – https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-vnc-viewer.html

此處指定 display_number 為1。

Configuring

執行如下命令進行配置

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23


#複製服務管理文件
sudo cp -f /lib/systemd/system/[email protected] /etc/systemd/system/[email protected]:1.service

#替換文件中的<USER>為目標用戶
#user: tigervnc
sudo sed -i '/^[^#]/[email protected]<USER>@tig[email protected]' /etc/systemd/system/[email protected]:1.service
#current user
# sudo sed -i '/^[^#]/[email protected]<USER>@'"$USER"'@' /etc/systemd/system/[email protected]:1.service

#更改.service文件後須執行該操作
sudo systemctl daemon-reload

#切換到用戶tigervnc
sudo su tigervnc
#設置訪問VNC桌面時的密碼，此處密碼設置為`lempstacker2017`
vncpasswd

#啟動服務
sudo systemctl start [email protected]:1
# sudo systemctl start [email protected]:1.service

#設置為開機啟動
sudo systemctl enable [email protected]:1.service

查看端口

1
2
3
4
5


#ss -tnlp | grep -i vnc
LISTEN     0     5         *:5901        *:*        users:(("Xvnc",pid=5046,fd=10))
LISTEN     0     128       *:6001        *:*        users:(("Xvnc",pid=5046,fd=1))
LISTEN     0     5        :::5901        :::*       users:(("Xvnc",pid=5046,fd=11))
LISTEN     0     128      :::6001        :::*       users:(("Xvnc",pid=5046,fd=0))

VNC Viewer

Installing

對於client端而言，只需安裝vncviewer即可，可選擇的軟件有tigervnc、xtightvncviewer、xvnc4viewer等，也可選擇RealVnc，或GNOME Desktop中的vinagre(Applications–>Utilities–>Remote Desktop Viewer)。

1
2
3
4
5
6


#CentOS
sudo yum install -y tigervnc

#Debian
sudo apt-get install -y xtightvncviewer
sudo apt-get install -y xvnc4viewer

Connecting Test

vncviewer

命令格式如下

1

vncviewer address:display_number

執行

1
2


vncviewer -Shared -FullColour 192.241.240.132:1
# -ViewOnly -FullScreen

操作截圖

Real vncviewer

在如下頁面下載RealVNC Viewer

1

https://www.realvnc.com/download/viewer/

此處下載

1

VNC-Viewer-6.0.1-Linux-x64.gz

解壓至目錄/tmp中，執行

1
2


chmod u+x VNC-Viewer-6.0.1-Linux-x64
./VNC-Viewer-6.0.1-Linux-x64

操作截圖

vinagre

如何打開Applications–>Utilities–>Remote Desktop Viewer

操作截圖

SSH Localhost Forwarding

設置SSH本地端口轉發，參考RedHat官方文檔10.4. MORE THAN A SECURE SHELL中相關章節，命令格式如下

`1`	`ssh -L local-port:remote-hostname:remote-port [email protected]`

此處將其改寫為

1
2


#本地端口設置為`9876`
ssh -C -c aes256-cbc -f -N -g -L 9876:localhost:5901 [email protected]

要求輸入用戶tigervnc的密碼。

將目標主機的5901端口通過SSH Tunnel轉發到本地的9876端口。

執行

1

vncviewer localhost:9876

正常打開遠程主機桌面。

此時執行

1

vncviewer -Shared -FullColour 192.241.240.132:1

仍能打開目標主機桌面。

Only Allow From LocalHost

出於安全考慮，設置VNC Server只允許VPS本地localhost訪問。創建SSH Tunnel後，就能直接訪問

修改文件

1
2
3
4
5
6
7
8
9


#/etc/systemd/system/[email protected]:1.service
#更改
ExecStart=/usr/sbin/runuser -l tigervnc -c "/usr/bin/vncserver %i"
#為
ExecStart=/usr/sbin/runuser -l tigervnc -c "/usr/bin/vncserver -localhost %i"

#重新載入服務
sudo systemctl daemon-reload
sudo systemctl restart [email protected]:1

修改後，直接連接報錯

1
2
3
4
5
6
7
8
9


[email protected]:~$ vncviewer -Shared -FullColour 192.241.240.132:1

VNC Viewer Free Edition 4.1.1 for X - built Apr  2 2015 21:51:06
Copyright (C) 2002-2005 RealVNC Ltd.
See http://www.realvnc.com for information on VNC.

Mon Jan  2 17:49:20 2017
 main:        unable to connect to host: Connection refused (111)
[email protected]:~$

通過SSH Tunnel可正常連接

1

vncviewer localhost:9876

操作截圖

References

Change Logs

2017.01.02 17:54 Mon Asia/Shanghai
- 初稿完成
2018-08-01 22:46 Wed Asia/Shanghai
- 勘誤，排版，遷移到新Blog

Table of Contents

Introduction

VNC

TigerVNC

Preparation

TigerVNC Server

Installing

Attention

Configuring

VNC Viewer

Installing

Connecting Test

vncviewer

Real vncviewer

vinagre

SSH Localhost Forwarding

Only Allow From LocalHost

References

Change Logs