Line 4: | Line 4: |
The following article explains how to access the desktop of a Linux host residing inside the ETH network from another host on the in- and outside. Throughout the article, the following placeholders are used: * Host '''A'''<<BR>> This is a remote host in- or outside the ETH network, i.e. your home computer. It will run the software to view a desktop, the [[#VNC_viewer_software|VNC viewer]]. * Host '''B'''<<BR>> This is the entrance gateway to the ETH network to bypass the firewall restrictions for connections from the outside, by the name of '''login.ee.ethz.ch'''. It is used to tunnel SSH connections. It is not necessary when you're using VPN. * Host '''C'''<<BR>> This is the target host you intend to connect to. If it's your personal PC in your office you know its name. Students can use an arbitrary shared student room PC like tardis-d12. If you're using a shared student PC, [[#Check_.28student.29_host_availability|check it's availability]] at login. |
The following article explains how to access the desktop of a Linux host residing inside the ETH network from another host on the in- or outside by using __V__irtual __N__etwork __C__omputing (VNC)<<FootNote([[https://en.wikipedia.org/wiki/Virtual_Network_Computing|VNC on Wikipedia]])>>. Throughout his article, the following placeholders are used: * '''current_host''': This is a remote host in- or outside the ETH network, i.e. your office computer or home computer; the host you are currently working on. It will run the software to view a remote Linux desktop, the [[#VNC_viewer_software|VNC viewer]]. * '''gateway_host''': This is the entrance gateway to the ETH network to bypass the firewall restrictions for connections from the outside, by the name of '''login.ee.ethz.ch'''. It is used to tunnel SSH connections in case you choose not to use VPN. * '''internal_host''': This is the target host you intend to connect to. If it's your personal PC in your office you know its name. Students can use an arbitrary shared student room PC like tardis-d12. If you're using a shared student PC, [[#Check_.28student.29_host_availability|check it's availability]] at login. * '''eth_username''': This is the username you use to log in anywhere on an ETH provided IT service. * '''eth_password''': This is your password used in combination with your ''eth_username'' which lets you access ETH provided IT services, except for network authentications (see below). * '''eth_network_password''': This is your password also used in combination with your ''eth_username'' which is used for authentication to network services like Wifi and VPN. It is different from your ''eth_password''. * '''L''': This variable is used as a placeholder for the ''local'' port on ''current_host'' where VNC connections will be made to. Set it to ''1'' unless you have other plans. 
* '''R''': This variable is used as a placeholder for the ''remote'' port on ''internal_host'' where a VNC server will be listening after a successfull setup. Set it to ''1'' unless you have other plans. |
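Review bot: The new '''L''' and '''R''' entries define both values as ports ("Set it to ''1''"), but the rest of the additions use them as the last digit of 590L and 590R, and the vncserver output calls R the virtual display number. Define them as display numbers and say that the TCP port is written 590L or 590R, so a reader does not try to connect to port 1. In the same hunk, "Throughout his article" should read "this article" and "successfull" should read "successful".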
Line 12: | Line 14: |
== How to access a host with VNC == Activate your VPN connection to ETH if your host '''A''' resides outside of the ETH network. The eduroam WLAN is outside the ETH network. Initiate a SSH connection to host '''C''' Start a VNC server on host '''C''' Connect from host '''A''' to host '''C''' |
== Connect to the ETH network == If ''current_host'' resides outside of the ETH network, you need to connect to it thorugh either a [[#VPN_Connection|VPN connection]] or an [[#SSH_tunnel|SSH tunnel]]. Connecting through VPN is the preferred method as it uses a dedicated infrastructure. Both methods are explained in the following steps.<<BR>> If ''current_host'' is alreay inside the ETH network, skip to [[#Start_a_VNC_server_on_internal_host|Start a VNC server on internal_host]]. |
Line 18: | Line 18: |
=== Preferred method: Connect through a VPN connection === ==== Know your ETH network password ==== If you're unsure about your ''eth_network_password'', login on [[https://password.ethz.ch/|password.ethz.ch]] with your regular ''eth_password'' and change your former ''eth_network_password'' to a new password. ==== Install the VPN client on your current host ==== * Go to [[https://sslvpn.ethz.ch/|sslvpn.ethz.ch]] and follow the instructions provided there to download, install and configure the Cisco !AnyConnect VPN client provided by central IT services. * To log in here you have to use your ''eth_username'' with an added realm in combination with your ''eth_network_password'', as described on [[https://sslvpn.ethz.ch/|sslvpn.ethz.ch]]. * If you have access to additional realms, a.k.a virtual private Zones (VPZ), you can list them by visiting [[https://realms.ethz.ch/|realms.ethz.ch]]. ==== Initiate a VPN connection to internal_host ==== Now you are ready to connect the VPN client on ''current_host'' to the ETH network and continue with the following steps. === Alternative method: Connect through an SSH tunnel === ==== SSH tunnel on Linux ==== The host `login.ee.ethz.ch` is the entry point for an SSH connection. More information about SSH connections can be found in the article [[RemoteAccess#SSH_-_remote_terminal_session|RemoteAccess: SSH -remote_terminal_session]]. * Establish an SSH tunnel from the local port ''590L'' on ''current_host'' to ''login.ee.ethz.ch'' for the VNC server port ''590R'' with your ''eth_username''. The syntax for this is {{{ ssh -L 590L:current_host:590R eth_username@login.ee.ethz.ch }}} . 
For convenience use the default VNC port on both sides of the tunnel and replace ''current_host'' with ''localhost'': {{{ ssh -L 5901:localhost:5901 eth_username@login.ee.ethz.ch }}} * Do not close the terminal window wherein you opened the tunnel The default VNC port will only be known for sure after you start the VNC server on ''internal_host'' ==== SSH tunnel on Windows 10 with OpenSSH ==== * Install the optionally installable feature ''OpenSSH Client'' in Apps → Optional features → OpenSSH Client * Establish the SSH tunnel as described for [[#SSH_tunnel_on_Linux|Linux]] ==== SSH tunnel on Windows with PuTTY ==== * Start PuTTY * Create a session to ''login.ee.ethz.ch'' * Configure a tunnel with port forwarding to ''internal_host'' for this session under ''Connection'' → ''SSH'' * In ''Source port'' enter ''590L'' * In ''Destination'' enter ''internal_host:590R'' * Select ''IPv4'' * Klick on ''Add'', the line ''4l590L internal_host:590R'' appears in the previously empty list of tunnels * Save the session A comfortable setup of PuTTY is described in [[WindowsDirectSSHAccess|Windows "direct" SSH access with PuTTY]] == Start a VNC server on internal_host == To start a VNC server instance on ''internal_host'', you need to initiate a SSH connection to it.<<BR>> If you previously opened a VPN connection, make sure it is still active === Initiate a SSH connection to internal_host === ==== SSH connection on Linux ==== * If you previously opened a VPN connection, issue the command following command {{{ ssh eth_username@internal_host }}} * If you established an SSH tunnel, enter the above command in the terminal window still connected to ''login.ee.ethz.ch'' * With neither a VPN connection or SSH tunnel, issue the command {{{ ssh -o ProxyJump=eth_username@login.ee.ethz.ch eth_username@internal_host }}} ==== SSH connection on Windows 10 with OpenSSH ==== * Install the optionally installable feature ''OpenSSH Client'' in Apps → Optional features → OpenSSH Client * Establish 
the SSH connection as described for [[#SSH_connection_on_Linux|Linux]] ==== SSH connection on Windows with PuTTY ==== Follow the article [[WindowsDirectSSHAccess|Windows "direct" SSH access with PuTTY]] === Setup and start the VNC server === Configuration and start of a VNC server works with an ISG-provided wrapper script by issuing the command {{{ vncserver }}} in your shell connected to ''internal_host''. ==== Setup and first startup ==== If this is the first time you start `vncserver`, you will be asked to provide a password to allow access to the VNC server instance you start now and in the future. It is possible to set the password to allow only observing or also interacting with the VNC session. Choose a [[https://en.wikipedia.org/wiki/Password_strength|strong password]], as anyone on the ETH network can connect to your ''internal_host'' while a VNC server is running. The password should contain: * 8 characters<<FootNote(The standard VNC implementation uses the password as a DES key, which is the reason it's truncated after 8 characters. The DES key size is limited to 56 bits plus 8 parity bits. Using ASCII characters made up of 7 bits it's possible to use an 8 character password, as the unused 8th bit of each byte is discarded. A password shorter than 8 characters is padded with zeroes.)>> * Uppercase letters * Lowercase letters * Numbers The setup followed by the startup process will look like this: {{{ Creating directory /home/eth_username/.vnc...... Creating startup_file /home/eth_username/.vnc/xstartup..... You will require a password to access your desktops. Password: Verify: Would you like to enter a view-only password (y/n)? n New 'default' desktop is internal_host:R Creating default config /home/eth_username/.vnc/config Starting applications specified in /home/eth_username/.vnc/xstartup Log file is /home/eth_username/.vnc/internal_host:R.log }}} Note the virtual display number ''R'' of your VNC server appearing after ''internal_host:''. 
It is needed later to connect your VNC viewer on ''current_host'' to the VNC server instance on ''internal_host'' or to kill a vncserver process manually.<<BR>> The default desktop started now is Xfce4. If you prefer a different desktop you have to kill the running vncserver process and start it again with the [[#Choose_a_non-default_desktop|desktop of your choice]].<<BR>> Otherwise the vncserver process terminates after you log out of your desktop environment. ==== Terminating a running VNC server process ==== Issue the command {{{ vncserver -kill :R }}} in a shell on ''internal_host''. ==== Choose a non-default desktop ==== To start the VNC session with a non-default desktop, provide one of the options `[xfce|gnome|kde|light|xterm]`: {{{ vncserver gnome }}} * Option `light` starts the light desktop Fluxbox * Option `xterm` starts a minimal desktop with a window manager and a xterm terminal window. This option should be used if you intend to use your session to run only one application at the time and start said application on the command line. == Use a VNC viewer to view and control the desktop on internal_host == * If your ''current_host'' is an ISG-managed Linux computer a VNC viewer is installed. * If it is a ISG-managed Windows computer you have to request installation of a VNC viewer. * If you use your self-managed office or your personal home computer you have to install a viewer yourself. |
|
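Review bot: In the "SSH tunnel on Linux" addition, `ssh -L 590L:current_host:590R eth_username@login.ee.ethz.ch` names current_host as the forwarding destination, but the destination of -L is resolved on login.ee.ethz.ch and has to be the machine running the VNC server, as the PuTTY steps in this same hunk do with ''internal_host:590R''. The "convenience" form `ssh -L 5901:localhost:5901 ...` has the same problem, since localhost there is login.ee.ethz.ch itself. Suggest `ssh -L 590L:internal_host:590R eth_username@login.ee.ethz.ch`, and correct the PuTTY list entry "4l590L" to "4L590L".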
Line 25: | Line 134: |
The above list is not meant to be complete, feel free to install other solutions on your own on your home computer.<<BR>> | The above list is not meant to be complete, feel free to install other solutions on your self-managed computer.<<BR>> |
Line 27: | Line 137: |
* On managed Windows clients, RealVNC viewer is installed on request | * On managed Windows clients, RealVNC viewer is installed on request. * On private Windows clients, use of RealVNC is discouraged. Some versions show error messages similar to "RFB protocol error bad rectangle size 10794x10794" and fail to connect. |
Line 29: | Line 140: |
=== Connect your VNC viewer to the VNC server on internal_host === ==== VNC connection from a Linux client ==== On a Linux client issue the command {{{ vncviewer internal_host:590R }}} ==== VNC connection from a Windows or Mac client ==== On a Windows or Mac client, open your VNC viewer and connect to ''internal_host:590R''.<<BR>> If you terminate your VNC viewer without logging out of your desktop environment, your VNC session will stay active and you can reconnect to it later on. ==== VNC connection from Mac alternative ==== On a Mac client the built-in VNC viewer may be started by pressing Command-K and entering the url ''vnc://internal_host:590R''. No support is given for this way to connect to a VNC session. |
|
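Review bot: Every viewer instruction added here (vncviewer, the Windows/Mac viewer and the vnc:// URL) targets ''internal_host:590R'', which is only reachable over VPN or from inside the network. For readers who took the SSH tunnel path the viewer has to connect to the local end of the tunnel, localhost:590L; add that case to each of the three subsections.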
Line 30: | Line 151: |
== Misc == | |
Line 33: | Line 153: |
Check with the command `htop` if any other users are using '''C''''s resources right now. If they do, log out and log in to a different host.<<BR>> | Check with the command `htop` if any other users are using ''internal_host'' 's resources right now. If they do, log out and log in to a different host.<<BR>> |
Line 36: | Line 156: |
== And Mac users? == To be documented. Hint: Everything you need is already available in macOS. |
=== Advanced usage === Some advanced configuration or usage examples have not yet been migrated from the [[FAQ/VNCUsage|previous documentation about VNC]]. ==== Virtual display size ==== The size of the virtual display can be set by entering its dimensions in pixel in either `/home/eth_username/.vnc/config.turbo` for gnome sessions or `/home/eth_username/.vnc/config` for all other sessions by adding a line similar to the following: {{{ geometry=3840x1200 }}} |
Remote access to a Linux host's desktop with VNC
The following article explains how to access the desktop of a Linux host residing inside the ETH network from another host inside or outside that network by using Virtual Network Computing (VNC) [1]. Throughout this article, the following placeholders are used:
current_host: This is a remote host inside or outside the ETH network, e.g. your office computer or home computer; the host you are currently working on. It will run the software to view a remote Linux desktop, the VNC viewer.
gateway_host: This is the entrance gateway to the ETH network to bypass the firewall restrictions for connections from the outside, by the name of login.ee.ethz.ch. It is used to tunnel SSH connections in case you choose not to use VPN.
internal_host: This is the target host you intend to connect to. If it's your personal PC in your office you know its name. Students can use an arbitrary shared student room PC like tardis-d12. If you're using a shared student PC, check its availability at login.
eth_username: This is the username you use to log in anywhere on an ETH provided IT service.
eth_password: This is your password used in combination with your eth_username which lets you access ETH provided IT services, except for network authentications (see below).
eth_network_password: This is your password also used in combination with your eth_username which is used for authentication to network services like Wifi and VPN. It is different from your eth_password.
L: This variable is a placeholder for the last digit of the local port 590L on current_host to which VNC connections will be made. Set it to 1 unless you have other plans.
R: This variable is a placeholder for the last digit of the remote port 590R on internal_host where a VNC server will be listening after a successful setup. It is the virtual display number reported by vncserver. Set it to 1 unless you have other plans.
Connect to the ETH network
If current_host resides outside of the ETH network, you need to connect it to the ETH network through either a VPN connection or an SSH tunnel. Connecting through VPN is the preferred method as it uses a dedicated infrastructure. Both methods are explained in the following steps.
If current_host is already inside the ETH network, skip to Start a VNC server on internal_host.
Preferred method: Connect through a VPN connection
Know your ETH network password
If you're unsure about your eth_network_password, log in on password.ethz.ch with your regular eth_password and change your former eth_network_password to a new password.
Install the VPN client on your current host
Go to sslvpn.ethz.ch and follow the instructions provided there to download, install and configure the Cisco AnyConnect VPN client provided by central IT services.
To log in here you have to use your eth_username with an added realm in combination with your eth_network_password, as described on sslvpn.ethz.ch.
If you have access to additional realms, a.k.a. Virtual Private Zones (VPZ), you can list them by visiting realms.ethz.ch.
Initiate a VPN connection to internal_host
Now you are ready to connect the VPN client on current_host to the ETH network and continue with the following steps.
Alternative method: Connect through an SSH tunnel
SSH tunnel on Linux
The host login.ee.ethz.ch is the entry point for an SSH connection. More information about SSH connections can be found in the article RemoteAccess: SSH - remote terminal session.
Establish an SSH tunnel from the local port 590L on current_host through login.ee.ethz.ch to the VNC server port 590R on internal_host with your eth_username. The syntax for this is
ssh -L 590L:internal_host:590R eth_username@login.ee.ethz.ch
For convenience use the default VNC port on both sides of the tunnel:
ssh -L 5901:internal_host:5901 eth_username@login.ee.ethz.ch
- Do not close the terminal window in which you opened the tunnel.
The default VNC port will only be known for sure after you start the VNC server on internal_host.
SSH tunnel on Windows 10 with OpenSSH
- Install the optional feature OpenSSH Client under Apps → Optional features.
- Establish the SSH tunnel as described for Linux.
SSH tunnel on Windows with PuTTY
- Start PuTTY
- Create a session to login.ee.ethz.ch
- Configure a tunnel with port forwarding to internal_host for this session under Connection → SSH
- In Source port enter 590L
- In Destination enter internal_host:590R
- Select IPv4
- Click on Add; the line 4L590L internal_host:590R appears in the previously empty list of tunnels
- Save the session
A comfortable setup of PuTTY is described in Windows "direct" SSH access with PuTTY.
Start a VNC server on internal_host
To start a VNC server instance on internal_host, you need to initiate an SSH connection to it.
If you previously opened a VPN connection, make sure it is still active.
Initiate an SSH connection to internal_host
SSH connection on Linux
If you previously opened a VPN connection, issue the following command
ssh eth_username@internal_host
If you established an SSH tunnel, enter the above command in the terminal window still connected to login.ee.ethz.ch.
With neither a VPN connection nor an SSH tunnel, issue the command
ssh -o ProxyJump=eth_username@login.ee.ethz.ch eth_username@internal_host
SSH connection on Windows 10 with OpenSSH
- Install the optional feature OpenSSH Client under Apps → Optional features.
- Establish the SSH connection as described for Linux.
SSH connection on Windows with PuTTY
Follow the article Windows "direct" SSH access with PuTTY
Setup and start the VNC server
Configuration and start of a VNC server works with an ISG-provided wrapper script by issuing the command
vncserver
in your shell connected to internal_host.
Setup and first startup
If this is the first time you start vncserver, you will be asked to provide a password to allow access to the VNC server instance you start now and in the future. It is possible to set the password to allow only observing or also interacting with the VNC session. Choose a strong password, as anyone on the ETH network can connect to your internal_host while a VNC server is running. The password should contain:
- 8 characters [2]
- Uppercase letters
- Lowercase letters
- Numbers
The setup followed by the startup process will look like this:
Creating directory /home/eth_username/.vnc......
Creating startup_file /home/eth_username/.vnc/xstartup.....
You will require a password to access your desktops.
Password:
Verify:
Would you like to enter a view-only password (y/n)? n
New 'default' desktop is internal_host:R
Creating default config /home/eth_username/.vnc/config
Starting applications specified in /home/eth_username/.vnc/xstartup
Log file is /home/eth_username/.vnc/internal_host:R.log
Note the virtual display number R of your VNC server appearing after internal_host:. It is needed later to connect your VNC viewer on current_host to the VNC server instance on internal_host or to kill a vncserver process manually.
The default desktop started now is Xfce4. If you prefer a different desktop you have to kill the running vncserver process and start it again with the desktop of your choice.
Otherwise the vncserver process terminates after you log out of your desktop environment.
Terminating a running VNC server process
Issue the command
vncserver -kill :R
in a shell on internal_host.
Choose a non-default desktop
To start the VNC session with a non-default desktop, provide one of the options [xfce|gnome|kde|light|xterm]:
vncserver gnome
- Option light starts the light desktop Fluxbox.
- Option xterm starts a minimal desktop with a window manager and an xterm terminal window. This option should be used if you intend to use your session to run only one application at a time and start said application on the command line.
Use a VNC viewer to view and control the desktop on internal_host
- If your current_host is an ISG-managed Linux computer, a VNC viewer is installed.
- If it is an ISG-managed Windows computer you have to request installation of a VNC viewer.
- If you use your self-managed office computer or your personal home computer you have to install a viewer yourself.
VNC viewer software
The listed VNC software contains a viewer component and is available for both Linux and Windows:
- TightVNC: Open source
- TigerVNC: Open source, a fork of TightVNC with additional features
- TurboVNC: Open source, a fork of TightVNC with peak 3D/video performance as a goal
- RealVNC: Freeware
The above list is not meant to be complete. Feel free to install other solutions on your self-managed computer.
- TigerVNC viewer is installed on managed Linux clients
- On managed Windows clients, RealVNC viewer is installed on request.
- On private Windows clients, use of RealVNC is discouraged. Some versions show error messages similar to "RFB protocol error bad rectangle size 10794x10794" and fail to connect.
Connect your VNC viewer to the VNC server on internal_host
VNC connection from a Linux client
On a Linux client issue the command
vncviewer internal_host:590R
VNC connection from a Windows or Mac client
On a Windows or Mac client, open your VNC viewer and connect to internal_host:590R.
If you terminate your VNC viewer without logging out of your desktop environment, your VNC session will stay active and you can reconnect to it later on.
VNC connection from Mac alternative
On a Mac client the built-in VNC viewer may be started by pressing Command-K and entering the URL vnc://internal_host:590R. No support is given for this way to connect to a VNC session.
Misc
Check (student) host availability
Check with the command htop if any other users are using internal_host's resources right now. If they are, log out and log in to a different host.
A list of student hosts can be shown by issuing the command grep tardis /etc/hosts
Advanced usage
Some advanced configuration or usage examples have not yet been migrated from the previous documentation about VNC.
Virtual display size
The size of the virtual display can be set by entering its dimensions in pixels in either /home/eth_username/.vnc/config.turbo for gnome sessions or /home/eth_username/.vnc/config for all other sessions by adding a line similar to the following:
geometry=3840x1200
[2] The standard VNC implementation uses the password as a DES key, which is the reason it's truncated after 8 characters. The DES key size is limited to 56 bits plus 8 parity bits. Using ASCII characters made up of 7 bits it's possible to use an 8 character password, as the unused 8th bit of each byte is discarded. A password shorter than 8 characters is padded with zeroes.
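The truncation described in footnote 2, combined with the password rules under "Setup and first startup", as an added example (not part of the ISG documentation or its wrapper script). It models only what the footnote states (first 8 characters, zero padding, 7 bits per character) and checks the character-class rules against the characters that actually count. All function names and sample passwords are constructed for illustration.

```python
import math
import string

VNC_PW_LEN = 8  # per the footnote: only the first 8 characters are used


def effective_password(password: str) -> bytes:
    """Bytes that take part in authentication: truncated, then zero-padded."""
    raw = password.encode("ascii")  # raises UnicodeEncodeError on non-ASCII input
    return raw[:VNC_PW_LEN].ljust(VNC_PW_LEN, b"\x00")


def key_bits(password: str) -> int:
    """56-bit value built from the low 7 bits of each of the 8 effective bytes."""
    value = 0
    for byte in effective_password(password):
        value = (value << 7) | (byte & 0x7F)
    return value


def same_vnc_password(a: str, b: str) -> bool:
    """True if both inputs collapse to the same key material."""
    return key_bits(a) == key_bits(b)


def policy_report(password: str) -> dict:
    """Check the page's rules against the first 8 characters only."""
    used = password[:VNC_PW_LEN]
    classes = {
        "uppercase": string.ascii_uppercase,
        "lowercase": string.ascii_lowercase,
        "number": string.digits,
    }
    missing = [name for name, chars in classes.items()
               if not any(c in chars for c in used)]
    return {
        "used": used,
        "ignored": password[VNC_PW_LEN:],  # contributes nothing to the key
        "zero_padding": max(0, VNC_PW_LEN - len(password)),
        "missing": missing,
        "ok": len(password) >= VNC_PW_LEN and not missing,
    }


def search_space_bits(alphabet_size: int, length: int = VNC_PW_LEN) -> float:
    """Upper bound on password entropy for a given alphabet, in bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the page.
    for candidate in ("Summer2024", "correcthorse7B", "Ab1"):
        print(candidate, policy_report(candidate))
    print(same_vnc_password("Zq4mTw8kExtraTail", "Zq4mTw8k"))
    print(round(search_space_bits(62), 1))
```

A long passphrase whose uppercase letter and digit sit after position 8 fails the check, because those characters never reach the key.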