Configuring VNC® Server for UNIX
Overview
Configuration of VNC Server for UNIX is done via configuration
parameters. The most common of these are described in the Xvnc man page and a full list can be obtained
by running the command vncserver -list. Configuration
parameters can be specified in one of three ways:
- In a configuration file
- On the command-line
- Using the vncconfig applet while the server is running
This page attempts to provide some common configuration scenarios.
Specifying Configuration Parameters in a Configuration File
Both vncserver and the vnc.so module
can be configured using configuration files, but the location and format
of these files differ:
- The location and format of vncserver configuration files is described in detail in the vncserver man page.
- The location and format of vnc.so configuration files will be described in the documentation that came with your X Server. Often this will be in the XF86Config man page. Information specific to embedding vnc.so configuration settings in this file is described here.
Specifying Configuration Parameters on the Command-Line
With the exception of the vnc.so module, all VNC
Server programs can take configuration parameters on the command-line.
The basic command-line syntax is -name=value.
In the case of vncserver, parameters specified on the
command-line override those specified in configuration files.
Changing Configuration Parameters using vncconfig
Once a VNC Server is running, the vncconfig applet
can be used to change the configuration settings. See the vncconfig man page for
details.
Common Configuration Scenarios
Most VNC parameters are optional and have sensible defaults. However, to allow connections, you must set some parameters. It is intentionally the case that an unconfigured VNC Server will not accept connections. The configuration scenarios in the following sections should give some guidelines as to what will work best for you.
Maximum Security
For maximum security, you should configure the VNC server to use an encrypted connection. You should also use UNIX authentication, restrict the allowed users, and enable the query connection mechanism to manually approve new connections:
SecurityTypes=RA2
RSA_Private_Key_File=$HOME/.vnc/private.key
UserPasswdVerifier=UnixAuth
AllowedUsers=root:f,bob:f
AllowedGroups=staff:d
QueryConnect=1
With the above configuration, only encrypted connections are
supported. This could be relaxed by changing the SecurityTypes
parameter from RA2 to RA2,RA2ne, ensuring that
the password is always encrypted, but allowing viewers to request an
unencrypted session. Both bob and the superuser are granted
full access rights and can connect without approval; members of the staff
group can also connect, but must be approved. All users must enter their
UNIX password in order to connect.
Note that in order for querying of connections to work, you must
be running the vncconfig applet on the desktop when using
the module (this is not necessary for x0vncserver).
You can also restrict access to the server based on IP address
using the Hosts parameter, for example:
Hosts=192.168.0.0/255.255.0.0
If you are not using vncserver then you will also
need to manually run the vnckeygen
command to generate a secure key:
# vnckeygen
Generating primes: p: ...................................... q: ...................
Support legacy viewers
To support legacy viewers, you will need to disable encryption and use VNC authentication. You will also need to specify where the password is stored:
SecurityTypes=VncAuth
UserPasswdVerifier=VncAuth
PasswordFile=$HOME/.vnc/passwd
If you are not using vncserver then you will also
need to manually run the vncpasswd
command and enter a password with which to access your VNC desktops:
# vncpasswd
Password:
Verify:
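The scenarios above can be checked mechanically. The following Python sketch is an added example, not part of the original documentation or of the VNC Server tools: it merges configuration-file and command-line parameters (command-line overriding, as described for vncserver) and reports where the result departs from the Maximum Security settings. The one-name=value-per-line file layout with # comments, the function names and the sample input are assumptions.

```python
# Added example: audit effective VNC Server parameters against the page's
# "Maximum Security" scenario. Assumed file layout: name=value lines, '#' comments.
def parse_params(lines):
    """Parse name=value entries; the command-line form -name=value is accepted too."""
    params = {}
    for raw in lines:
        line = raw.strip().lstrip("-")
        if "=" in line and not line.startswith("#"):
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def effective(config_lines, argv=()):
    """For vncserver, command-line parameters override configuration-file ones."""
    merged = parse_params(config_lines)
    merged.update(parse_params(argv))
    return merged

def audit(params):
    """Return findings where params deviate from the Maximum Security scenario."""
    findings = []
    types = [t.strip() for t in params.get("SecurityTypes", "").split(",") if t.strip()]
    if not types:
        findings.append("SecurityTypes not set")
    for t in types:
        if t == "RA2ne":
            findings.append("RA2ne: viewers may request an unencrypted session")
        elif t != "RA2":
            findings.append(f"{t}: differs from the RA2-only setting")
    if params.get("UserPasswdVerifier") != "UnixAuth":
        findings.append("UserPasswdVerifier is not UnixAuth")
    if not (params.get("AllowedUsers") or params.get("AllowedGroups")):
        findings.append("no AllowedUsers/AllowedGroups restriction")
    if params.get("QueryConnect") != "1":
        findings.append("QueryConnect is not enabled")
    if "Hosts" not in params:
        findings.append("no Hosts restriction by IP address")
    return findings

# Constructed sample input based on the page's Maximum Security settings plus Hosts.
SECURE = [
    "SecurityTypes=RA2", "UserPasswdVerifier=UnixAuth", "AllowedUsers=root:f,bob:f",
    "AllowedGroups=staff:d", "QueryConnect=1", "Hosts=192.168.0.0/255.255.0.0",
]

if __name__ == "__main__":
    print(audit(effective(SECURE)))                              # file only
    print(audit(effective(SECURE, ["-SecurityTypes=VncAuth"])))  # with override
```

Running the audit on the effective (merged) parameters rather than on the file alone catches a hardened configuration file that is weakened by a command-line override.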
