Enabling VNC Server on startup of the X server with SLE 11

Environment

SUSE Linux Enterprise Desktop 11 (SLED 11) or Server 11 (SLES 11)
openSUSE 11.1

Situation

VNC access is needed on startup of the system.

VNC access is needed to display :0 (or the display viewed at the monitor directly connected to the system) before or after anyone has logged in.

The method for invoking the VNC Server described below can be used when the traditional methods available in YaST-->Remote Administration (VNC), or in the Control Center-->Remote Desktop are not working as desired.  For example, the "Remote Desktop available in the Control Center will start "vino-server" which allows access to display :0 (or what the user at the physical system sees), but this is only available when the user is logged in and it must be configured for each individual user on the system.  The method described below will work for display :0 for all users and will work when nobody is logged into the system.

When enabling the "Remote Administration (VNC)" in YaST, some people have reported getting a gray screen rather than the expected login screen.  Using the method described below seems to avoid that issue as well.


Resolution

Warnings

Using this method to access display :0 can create a security problem if the system you have connected to is not physically secure.  Anyone that has access to the physical system can see what you are doing and take control of the keyboard and mouse.  If you lose your connection or disconnect without logging out then anyone at the physical system can take control while still logged in as you.  This is one of the primary reasons that the option in sax2 (Graphic Card and Monitor Configuration in YaST) for enabling VNC for the X server was removed for SLE 11. 

When using the following configuration, the selections for "Remote Administration (VNC)" in YaST and the "Remote Desktop" in the Control Center should both be disabled.

Directly modifying the xorg.conf file is not generally recommended because anytime the sax2 configuration utility is run, or potentially when a new graphics driver or driver update is installed, the file can be overwritten causing all manual changes to be lost.  Therefor it is Very Important to make a backup copy of your xorg.conf file along with all of the changes needed for your environment to configure VNC access through the X server.

X Server Configuration for VNC Access

With this method of enabling VNC Server functionality, the X server actually loads the VNC extension from the VNC libraries which will allow your normal X Server to also act as a VNC Server.


Step 1
  
The following modifications need to be made to the file "xorg.conf" which can be found under the "/etc/X11/" directory.  You will need to be the "root" user to have rights to modify the file.

1.  Locate the section titled "Section "Module"" and add the following line:

   Load"vnc"

2.  Create two new sections with the following text:

   Section"InputDevice"
      # VNCKeyboard: keyboard actions from vnc
      Identifier "vncKeyboard"
      Driver "rfbkeyb"
   EndSection

   Section"InputDevice"
      # vncMouse: mouse actions from vnc
      Identifier "vncMouse"
      Driver "rfbmouse"
   EndSection

3.  Locate the section titled "Section "ServerLayout"" and add the following lines:

   InputDevice"vncMouse""ExtraPointer"
   InputDevice"vncKeyboard""ExtraKeyboard"

4.  Locate the section titled "Section "Device"".  All of the following lines can be added including the comments so there is a reference to what each setting does.  Uncomment the appropriate items as desired for your environment or alternatively you could just add the entries needed:

   # Enable the vnc service on this device, IMPORTANT!
   Option"usevnc"

   # If this option is disabled no password is required for client connections.
   # The rfbauth option specifies the location of a password file to use for
   # authenticating viewers. (see step 2 below)
   Option"rfbauth"     "/root/.vnc/passwd"

   # The port to listen to for client connections.
   # 5900 corresponds to display :0, 5901 corresponds to display :1, etc.
   Option"rfbport"     "5900"

   # Multi-viewer control options:
   # "nevershared" - only allow one (or zero) viewers/clients
   # "alwaysshared" - allow multiple viewers/clients (the default)
   #Option"nevershared"

   # When"nevershared" is set, this option controls what happens when a second
   # client tries to connect. If enabled the first connection will remain active
   # and the second will be denied.
If disabled the original connection will be
   # terminated and the new connection takes over.

   #Option"dontdisconnect"

   # View only session (disallows input from viewers)
   #Option"viewonly"

   # Enable these options to activate the http server.
   # This allows java-enabled web browsers to act as vnc viewers.
   # The VNC server will look in "httpdir" for the Java class files to send
   # to the viewer.
   #Option"httpdir"    "/usr/share/vnc/classes"
   #Option"httpport"    "5800"

   # The local user must accept the new connection.
   #Option "useraccept"


Step 2
Create a password for an authenticated connection.

1.  Login (or su) as root.

2.  Run the following command to set the password to be used for VNC access:

   vncpasswd

You will be asked to enter the password 2 times to confirm.  You will then be asked if you would like to enter a "Read Only" password.  If you would like to setup a password that only allows the person connecting to view the screen and not have keyboard and mouse control then answer yes and enter a new password (different than the first password used for full access) otherwise answer no.

This will create the VNC passwd file under "/root/.vnc/passwd" which is the same location indicated in the "rfbauth" entry in the Section "Device" of the xorg.conf file mentioned above.


Step 3
Enable XDMCP and root access (if desired).

To enable XDMCP and root user access for the default displaymanager (gdm) there are three files that will need to be modified.

1.  Edit /etc/gdm/custom.conf and enable [xdmcp] and if root access is desired set "AllowRemoteRoot" to true.  Following is an example of what the file should look like:

[xdmcp]
# SuSEconfig: displaymanager:DISPLAYMANAGER_REMOTE_ACCESS
Enable=true

[chooser]

[security]
# SuSEconfig: displaymanager:~DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN
DisallowTCP=true
# SuSEconfig: displaymanager:DISPLAYMANAGER_ROOT_LOGIN_REMOTE
AllowRemoteRoot=true

2.  Edit /etc/gdm/gdm.schemas and enable XDMCP and if root access is desired set "AllowRoot" to true.  Following is an example of the two sections to locate and set to true (the AllowRoot entry is normally just above the xdmcp entry):

<schema>
      <key>security/AllowRoot</key>
      <signature>b</signature>
      <default>true</default>
</schema>

<schema>
      <key>xdmcp/Enable</key>
      <signature>b</signature>
      <default>true</default>
</schema>

3.  Edit /etc/sysconfig/displaymanager and locate the following two entries.  Verify that they are set to "yes" (again the root login is optional):

DISPLAYMANAGER_REMOTE_ACCESS="yes"

DISPLAYMANAGER_ROOT_LOGIN_REMOTE="yes"


Step 4
Allow incoming port 5900 through the firewall (if it is enabled).

In YaST under Security and Users-->Firewall verify that the firewall is disabled.  Most systems are setup behind an already existing firewall so running the firewall on this server or desktop system is not required.  If the firewall is needed then an exception for TCP port 5900 will need to be added to the "Allowed Services".


Step 5
Restart the system or switch to runlevel 3 (init 3) then back to runlevel 5 (init 5) to restart all the graphics components.

Additional Information

Additional notes for "Option "rfbport"  "5900""  listed above in the Section "Device" section of the xorg.conf.

If port 5900 is used, the person connecting will be viewing display :0 which is what is being displayed on the monitor physically connected to the system.  If someone is already logged in then the connecting user will see what is currently being displayed for the logged in user rather than the login screen.  If the connecting user closes the VNC client without logging out first then the next user to connect will see the desktop in the same state it was left in (unless some other user connects or there is a"real" user at the system).  I mention this as a reminder not to leave the system logged in as the "root" user or some other user you would not want other people to have access to.

If port 5901 or higher is used then when you connect you will be connecting to the same display corresponding to the port number used.  5901=display :1, 5902=display :2, etc.  When you connect you will not see the same display that the user at the physical machine is using.  You will be given a new session and will be required to login to the system. 

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

你可能感兴趣的:(server,user,System,Access,login,keyboard)