Remote Access to the RHEL 5 Desktop
Red Hat Enterprise Linux 5 includes built-in support for remote desktop access. This provides two extremely useful features. Firstly it enables you or another person to view and interact with your Red Hat desktop environment from another computer system either on the same network or over the internet. This is useful if you need to work on your computer when you are away from your desk such as while traveling or even sitting in a Wi-Fi enabled location. It is also useful in situations where a co-worker or IT support technician needs access to your desktop to resolve a problem. In fact, there are even mobile applications for devices such as the iPhone that will allow you to access your RHEL desktop from just about anywhere that a data signal is available.
Secondly, in addition to providing access to your primary desktop (the one you see when you switch on your monitor every morning) it enables you to create multiple desktops and connect remotely to them.
The RHEL 5 remote desktop functionality is based on technology called Virtual Network Computing (VNC) and in this chapter we will cover the key aspects of configuring and using remote desktops within RHEL. It is important to note that there are both secure and insecure ways to access a remote desktop and both approaches will be covered.
Installing Remote Desktop Support
Remote desktop support should have been installed by default during the operating system installation process. If it has been installed, a Remote Desktop option will be available in the RHEL desktop System -> Preferences menu. Another useful way to check whether this package is installed is to run the following command from a terminal window (Applications -> System Tools -> Terminal):
rpm -q vino
If the rpm command reports package vino is not installed, the next step is to perform the installation. This can be done using the Add/Remove Software tool, launched by selecting Applications -> Add/Remove Software. Within the tool, search for vino, select the checkbox next to the item in the results list and click on Apply to install the package. Alternatively, to install from a terminal window, enter the following:
su -
yum install vino
Once the installation is complete, the Remote Desktop option will now appear in the System -> Preferences menu.
Activating Remote Desktop Access
The next step in setting up remote desktop access is to activate it and define some basic security settings. These settings are configured in the Remote Desktop Preferences dialog. To access this dialog, open the desktop System menu and select Preferences followed by Remote Desktop. When selected, the following window will appear:
In this dialog the following configuration options are available:
- Allow others to view your desktop - Activates remote desktop access for viewing purposes.
- Allow other users to control your desktop - Allows users accessing your remote desktop to control the desktop. In other words the remote user can do anything to your desktop that they want using their mouse and keyboard as if they were sitting physically at the local system.
- Ask you for confirmation - When selected, this option causes a dialog to appear warning you of an attempt by a remote user to connect and prompting you to confirm or deny the connection. If you are likely to want to log in remotely you will need to turn this off since you will not be at the local system to accept your own connection.
- Require the user to enter this password - Specifies a password which must be entered by the remote user to access your desktop. It is strongly advised that you select this option and specify a password.
Finally this screen specifies the command to run on the remote system to access the desktop. Once you have configured Remote Desktop access you are almost ready to try connecting.
Secure and Insecure Remote Desktop Access
In this chapter we will cover both secure and insecure remote desktop access methods. Assuming that you are accessing one system from another within the context of a secure internal network then it is generally safe to use the insecure access method. If you plan to access your desktop remotely over any kind of public network you must use the secure method of access to avoid your system and data being compromised.
Firewall Configuration
If you want to use the insecure access methods (and I still strongly recommend you use the secure method) and are certain that remote access will always take place within a secure internal local area network, you must configure the CentOS firewall to allow this. By default, the CentOS firewall is both enabled and configured to block insecure remote desktop access, so VNC traffic must be explicitly allowed through it. The remote desktop system uses TCP/IP port 5900 for screen 0 (the main screen of your desktop) to communicate between the client and server systems. We must, therefore, configure the firewall to allow traffic on this port. To achieve this, perform the following steps:
1. Start the Firewall configuration tool (System -> Administration -> Security Level and Firewall) and enter your root password when prompted to do so.
2. Select the Other Ports option and click on the Add button to open the Add Port dialog.
3. Add port 5900 for protocol tcp and click OK.
4. Repeat the previous step for port 5900 udp.
5. Click on the Apply button followed by OK to exit the firewall tool.
Accessing a Remote RHEL Desktop using vncviewer
Remote desktop access from other Linux based systems can be achieved using the vncviewer tool. This tool is contained within a package named vnc which may be installed on RHEL using the following command sequence in a terminal window:
su -
yum install vnc
The vncviewer tool is available for a wide range of operating systems and a quick internet search will likely provide numerous links providing details on how to obtain and install this tool on your chosen platform.
To access a remote desktop using vncviewer, execute the following command in a terminal window:
vncviewer hostname:0
where hostname is either the hostname or IP address of the remote system. Alternatively, run the command without any options to be prompted for the details of the remote server:
If you configured the remote system to prompt to approve a connection a dialog will appear on the remote system. Until the connection is approved the vncviewer session will wait. Once approved, or if no approval is required, VNC will prompt for the password (assuming one was defined):
If you see a message similar to the following then you may need to use the secure method of remote desktop display outlined in the next section:
main: unable to connect to host: No route to host (113)
Otherwise, enter the password and a new screen will appear containing the desktop from the remote system. Note that if the remote desktop is configured to prompt you before allowing remote access you will need to accept the connection on the remote system before the desktop will appear in the viewer. If remote desktop control was enabled you can interact with the desktop as if you were sitting at the remote screen.
This section assumed that the remote desktop was being accessed from a Linux or UNIX system. Access is also possible from a Windows system.
Accessing a Remote RHEL Desktop from a Windows System
In order to access an RHEL remote desktop from a Windows system the first step is to install a Windows VNC client on the Windows system. There are a number of VNC packages available for Windows. In this chapter we will look at using TightVNC (http://www.tightvnc.com).
Download and install TightVNC on your Windows system. Once installed, launch the TightVNC Viewer and in the resulting Connection details dialog enter the IP address or hostname of the remote system and press OK. Enter the password if one is required. The screen should load and display the remote desktop.
You may also enter the port number in the form hostname:5900 (screen 0 in VNC uses port 5900). TightVNC assumes port 5900 if none is specified but when we look at setting up additional desktops later in this chapter we will need to specify port numbers in order to connect.
Establishing a Secure Remote Desktop Session
The remote desktop configurations we have explored so far in this chapter are considered to be insecure because no encryption is used. This is acceptable when the remote connection does not extend outside of an internal network protected by a firewall. When a remote session is required over an internet connection a more secure option is needed. This is achieved by tunneling the remote desktop through a secure shell (SSH) connection.
The ssh server is installed and activated by default on RHEL 5 systems. If this is not the case on your system, refer to the chapter entitled Configuring RHEL 5 Remote Access using SSH.
Assuming the SSH server is installed and active it is time to move to the other system. At the other system, log in to the remote system using the following command, which will establish the secure tunnel between the two systems:
ssh -L 5900:localhost:5900 hostname
In the above example, hostname is either the hostname or IP address of the remote system. Log in using your account and password. The secure connection is now established and it is time to launch vncviewer so that it uses the secure tunnel. Leaving the ssh session running in the other terminal window, launch another terminal and enter the following command:
vncviewer localhost:5900
The vncviewer session will prompt for a password if one is required, and then launch the VNC viewer providing secure access to your desktop environment.
In the above example we left the ssh tunnel session running in a terminal window. If you would prefer to run the ssh session in the background, this can be achieved by using the -f and -N flags when initiating the connection:
ssh -f -N -L 5900:localhost:5900 hostname
The above command will prompt for a password for the remote server and then establish the connection in the background, leaving the terminal window available for other tasks.
If you are connecting to the remote desktop from outside the firewall keep in mind that the IP address for the ssh connection will be the external IP address provided by your ISP, not the LAN IP address of the remote system (since this IP address is not visible to those outside the firewall). You will also need to configure your firewall to forward port 22 (for the ssh connection) to the IP address of the system running the desktop. It is not necessary to forward port 5900. Steps to perform port forwarding differ between firewalls, so refer to the documentation for your firewall, router or wireless base station for details specific to your configuration.
Establishing a Secure Remote Desktop Session from a Windows System
A similar approach is taken to establishing a secure desktop session from a Windows system to an RHEL server. Assuming that you have a VNC client installed (as described above) the one remaining requirement is a Windows ssh client. A popular free ssh client for Windows is PuTTY.
Once PuTTY is downloaded and installed the first step is to set up a secure connection between the Windows system and the remote Linux system with appropriate tunneling configured. When launched, PuTTY displays the following screen:
Enter the IP address or host name of the remote host (or the external IP address of the gateway if you are connecting from outside the firewall). The next step is to set up the tunnel. Click on the + next to SSH in the Category tree on the left hand side of the dialog and click on Tunnels. The screen should appear as follows:
Enter 5900 as the Source port and localhost:5900 as the Destination and click on Add. Finally return to the main screen by clicking on the Session category. Enter a name for the session in the Saved Sessions text field and press save. Click on Open to establish the connection. A terminal window will appear with the login prompt from the remote system. Enter your user login and password credentials.
The SSH connection is now established. Launch the TightVNC viewer and enter localhost:5900 in the VNC Server text field and click on Connect. The viewer will establish the connection, prompt for the password and then display the desktop. You are now accessing the remote desktop of a Linux system on Windows.
Creating Additional Desktops
In the examples so far we have only covered remote access to the primary desktop. By primary desktop we mean the desktop you see when you sit at your computer and turn on the monitor. While this is fine for a single user system we should not lose sight of the fact that Linux is a multi-user operating system and it will often be necessary for more than one person to have remote desktop access at a time. While it might be fun to watch everyone fight over the mouse pointer as they share the same desktop it is clear that not much work will get done. The solution to this is to run multiple desktops for the users to connect to. New desktop environments are created using the vncserver utility which should also have been installed by default when you installed CentOS. Installation may, however, be performed as follows:
su -
yum install vnc-server
The desktop we have used so far in this chapter is desktop :0. New desktops must be assigned different numbers. For example to launch desktop :1 run the following command from a terminal window command-line prompt:
vncserver :1
The vncserver tool will prompt for a password to protect the desktop and then start a new desktop in the background ready for a remote user to connect to. To connect to the desktop follow the steps for connecting to desktop :0 outlined above but this time use port 5901 instead of port 5900 (you will similarly use port 5902 for desktop :2 and so on). Be sure to open ports on the firewall for these new desktops as outlined earlier in this chapter.
To connect to a new desktop using the vncviewer tool, execute the following at a terminal window command prompt:
vncviewer hostname:1
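The port rule above (desktop :N on port 5900+N) and the SSH tunnel from the secure-session section can be combined into a check run on the desktop host: list which VNC desktops are listening on non-loopback addresses and print the tunnel command for each, so they can be reached without opening 590N on the firewall. This is an added example, not part of the original chapter; the function names, the 5900-5999 port range and the host name desktop.example.com are assumptions, and the netstat lines are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the original chapter): audit VNC listeners.
# Assumption: desktops :0 to :99, i.e. TCP ports 5900-5999.

# classify_vnc_listeners: reads `netstat -tln` style lines on stdin and
# prints one line per VNC listener: ":<display> <port> <bind-addr> <verdict>".
classify_vnc_listeners() {
    awk '
    $1 ~ /^tcp/ && $NF == "LISTEN" {
        n = split($4, parts, ":")       # local address is addr:port; IPv6 has extra colons
        port = parts[n] + 0
        if (port < 5900 || port > 5999) next
        addr = substr($4, 1, length($4) - length(parts[n]) - 1)
        verdict = (addr == "127.0.0.1" || addr == "::1") ? "loopback-only" : "EXPOSED"
        printf ":%d %d %s %s\n", port - 5900, port, addr, verdict
    }'
}

# tunnel_hint HOST: reads classifier output on stdin and, for each EXPOSED
# desktop, prints the ssh port forward from this chapter adapted to its port.
# After running it, connect with: vncviewer localhost:<port>
tunnel_hint() {
    host=$1
    while read -r display port addr verdict; do
        [ "$verdict" = "EXPOSED" ] || continue
        echo "ssh -f -N -L ${port}:localhost:${port} ${host}"
    done
}

# Constructed sample input (not captured from a real system).
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address     Foreign Address   State
tcp        0      0 0.0.0.0:5900      0.0.0.0:*         LISTEN
tcp        0      0 127.0.0.1:5901    0.0.0.0:*         LISTEN
tcp        0      0 :::22             :::*              LISTEN
tcp        0      0 :::5902           :::*              LISTEN
EOF
}

# On a real host, replace sample_netstat with: netstat -tln
sample_netstat | classify_vnc_listeners
sample_netstat | classify_vnc_listeners | tunnel_hint desktop.example.com
```

A desktop reported as EXPOSED is reachable unencrypted by any host the firewall allows through on that port; one reported as loopback-only can only be reached locally or through the SSH tunnel.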
Shutting Down a Desktop Session
In order to shut down a vncserver hosted desktop session, use the -kill command line option together with the number of the desktop to be terminated. For example, to kill desktop :1:
vncserver -kill :1
Configuring the Remote Desktop Environment
If you are connecting to the remote desktop other than the primary desktop, it is likely that the full GNOME desktop environment will not run by default. In fact, what you will probably see is a very minimal window management environment known as twm. When this appears you may notice that it doesn't look much like the standard RHEL 5 GNOME desktop:
The problem here is that we need to configure the VNC session to launch the correct desktop. To do this, shut down the VNC desktop session as follows:
vncserver -kill :1
Next go to your home folder and edit the .vnc/xstartup file. This will look similar to the following file:
#!/bin/sh
# Uncomment the following two lines for normal desktop:
# unset SESSION_MANAGER
# exec /etc/X11/xinit/xinitrc
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
twm &
To configure this startup script to launch the standard desktop (known as the GNOME desktop) change the twm& line so that the file reads:
#!/bin/sh
# Uncomment the following two lines for normal desktop:
# unset SESSION_MANAGER
# exec /etc/X11/xinit/xinitrc
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
unset SESSION_MANAGER
gnome-session &
Restart the vncserver:
vncserver :1
Finally, reconnect from the remote system. The full desktop should now appear in the VNC viewer window: