By Axel Schmidt
With VNC (Virtual Network Connection) the Help Desk can remote control any Linux or Windows computer virtually through any firewall.
For example in the Retail business the support Help Desk can connect remotely through WAN to the SUSE Linux Enterprise In-store Server or the Cash Register systems window manager, while transferring the whole desktop including mouse and keyboard actions to a another computer.
Depending on the VNC configuration used (e.g. view only) the remotely connected computer can interact with the other user of the system, by having the same view including the keyboard and mouse events of the GUI of actual running applications.
Therefore it is a basic requirement for the support Help Desk in the Retail market that VNC is enabled.
This documentation provides all the information needed to get VNC running on SUSE Linux Enterprise Server 9 (SLES 9) including the security aspects and when it comes to POS on to have VNC enabled on Novell Linux Point of Service 9 (NLPOS 9).
If you are running SLES 10 or SLEPOS 10 (SUSE Linux Point of Service 10) you might also find this information interesting, but not so essential than for SLES 9 or NLPOS 9 users.
The quick answer is, on SLES10 running YaST2 VNC needs only the right clicks within the YaST GUI to be installed, but on SLES9 even the installed documentation which can be found at “/usr/share/doc/manual/sles-admin_en/SLES-admin_en.pdf” is missing the information you need to setup VNC in the way, as described in this documentation.
What’s about TightVNC & xinited on SLES9?
I discovered when installing TightVnc on SLES9 it always opens a new X session on the remote computer, but the viewer cannot access the running X session on display “0”. If that’s what you want, you don’t need to read any further. Otherwise an X Window System server for Virtual Network Computing (VNC) needs to be installed and the XFree86 configuration file needs to be configured to enable VNC.
SLES 9 installed on the Server or NLD 9 installed on the cash register (CR) system.
Remote viewer systems need to install TightVNC to run the viewer “/usr/X11R6/bin/vncviewer”.
Note: VNC port 5900 has to be opened through the Firewall.
Figure 1: vncviever <remote host>
VNC Activation & Authentication
To provide a virtual network connection via TCP port 5900 to the X window session of display “:0” the rpm “Xfree86-Xvnc” needs to be installed on the server or integrated within the POS image.
Install Xfree86-VNC on SLES
Start “YaST Control Center > Software > Install and Remove Software” and search for the package “Xfree86-Xvnc”. Activate the check box of this rpm and select the “Accept”-Button to install it.
NLPOS Image Description
This is done by adding “~/system/templates/addons/vnc.xml” to the ImageSepcification.xml file of your NLPOS image.
<IncludeSpecificationList> <IncludeSpecification URI="/opt/SLES/POS/system/templates/addons/vnc.xml"/> </IncludeSpecificationList>
Rebuild your POS image with the “xscr” Image Builder tool.
X Server Configuration
On SUSE Linux Enterprise Server 10 (SLES10), the configuration of the xorg.conf1 file can be done easily with the SaX2 module running YaST2, and no knowledge about the X11 configuration options are needed.
Figure 2: SaX2: X11 Configuration – SLES10
Unfortunately the SaX2 module available with SLES9, does not provide the VNC configuration option.
Therefore VNC needs to be enabled and the remote frame buffer driver for mouse and keyboard must be configured within the “/etc/X11/XF86config” file on SLES9.
The following entries must be added in the XF86config file:
Section "Module" ... Load "vnc" .... EndSection
With the method shown above, the VNC X server plug-in module, the normal X server loads the VNC extension which allows your normal X server to act as a VNC server as well.
.Section "Device" ... Option "usevnc" Option "rfbport" "5900" Option "nevershared" Option "dontdisconnet" Option "httpdir" "/usr/share/vnc/classes" Option "httpport" "5800" Option "rfbauth" "/root/.vnc/vncpasswd" EndSection Section "InputDevice" # vncKeyboard: keyboard actions from vnc Identifier "vncKeyboard" Driver "rfbkeyb" EndSection Section "InputDevice" # vncMouse: mouse actions from vnc Identifier "vncMouse" Driver "rfbmouse" EndSection Section "ServerLayout" ... InputDevice "vncMouse" "ExtraPointer" InputDevice "vncKeyboard" "ExtraKeyboard" EndSection
Options of the Device Section
# Enable the vnc service on this device Option "usevnc" # By default no password is required for client connections. # The rfbauth option defines the location of the vnc password # file to use for authenticating remote viewers. # Option "rfbauth" "/root/.vnc/passwd" # The port to listen to for client connections. # 5900 corresponds to X server :0 # 5901 corresponds to X server :1, etc. Option "rfbport" "5900" # Multi-viewer control options: # "nevershared" - only allow one viewers/clients # "alwaysshared" - allow multiple viewers/clients (default) Option "nevershared" # When "nevershared" is set, this option controls what happens # when a second client tries to connect. Option "dontdisconnect" # This option is used in conjunction with the option above when # nevershared is set. If dontdisconnect is set, the first viewer # will keep the connection, otherwise the first viewer will be # disconnected and the second viewer will "win". # View only session (disables keyboard input from remote viewers) # Option "viewonly" # Enable these options to activate the http server to allow # java-enabled web browsers to act as vnc viewers. Option "httpdir" "/usr/share/vnc/classes" Option "httpport" "5800" # The local user must accept the vnc connection. # Option "useraccept" # Only listen on the localhost interface # Option "localhost" # Listen for client connections on a specific network # Option "interface" "192.168.0.1" # If "loginauth" is set, the viewer will have to provide a # username and password that's valid on the server in order to # connect. # Option "loginauth"
VNC Security options
The access to a VNC server can be secured using a VNC password, which is stored on the VNC server system. NOTE: The password is not encrypted and therefore not really secure, because it is transferred in readable form from the VNC viewer to the VNC server.
To provide a secure transmission of the VNC password a SSH tunnel is recommended.
A VNC password for user authentication can be set using
and the vnc password file is stored according to your setting of the Option “rfbauth”.
To further improve security of VNC a ssh tunnel can be used to access the VNC server. To setup an ssh tunnel from the localhost (where the vncviewer will be run) to the vnc server, the following command is used:
ssh -L 5900:localhost:5900 name@vncserverhost
Then the vncviewer can be run with a command like this:
VNC module options
loginauth – when set, the VNC server will require viewers to provide a username and a password that’s a valid Unix account on the server. The viewer will also prompt the user for a password.
rfbauth – this option specifies the VNC password file. Viewers need to provide the password stored on the VNC server. If both loginauth and rfbauth are set, loginauth will be used.
viewonly – the VNC server will ignore keyboard/mouse events from viewers.
localhost – only viewers running on the VNC server host will be allowed to connect.
interface – this option can be used to restrict connections to a particular network interface specified by an IP address.