Compare commits
No commits in common. "548ed18791b21dd6bc670e3de97e25b60ccb78b8" and "93270e3901e6fc3b699a95101ea7b70cfb707ffd" have entirely different histories.
548ed18791
...
93270e3901
Binary file not shown.
Before Width: | Height: | Size: 30 KiB |
Binary file not shown.
Before Width: | Height: | Size: 37 KiB |
|
@ -1,544 +0,0 @@
|
||||||
# Remote control on Linux
|
|
||||||
|
|
||||||
## Console
|
|
||||||
|
|
||||||
For console control of a Linux machine `ssh` is **the** way to go.
|
|
||||||
This is what we've been using up until now and should be self evident to you.
|
|
||||||
To be able to multi task and have long running processes on a remote server you can use `tmux` or `screen`.
|
|
||||||
Again, nothing new here but let's try the following.
|
|
||||||
|
|
||||||
I installed a Debian 11 machine with graphical environment and I can log in over `ssh` as follows.
|
|
||||||
It shows a running `X11` session which is the desktop environment I'm using on the virtual machine.
|
|
||||||
|
|
||||||
```bash
|
|
||||||
➜ ~ git:(master) ✗ ssh waldek@192.168.0.195
|
|
||||||
waldek@192.168.0.195's password:
|
|
||||||
Linux debian 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64
|
|
||||||
|
|
||||||
The programs included with the Debian GNU/Linux system are free software;
|
|
||||||
the exact distribution terms for each program are described in the
|
|
||||||
individual files in /usr/share/doc/*/copyright.
|
|
||||||
|
|
||||||
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
|
|
||||||
permitted by applicable law.
|
|
||||||
Last login: Mon Sep 13 15:11:41 2021 from 192.168.0.16
|
|
||||||
waldek@debian:~$ ps a
|
|
||||||
PID TTY STAT TIME COMMAND
|
|
||||||
611 tty1 Ss+ 0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
|
|
||||||
1142 tty7 Ssl+ 0:07 /usr/lib/xorg/Xorg :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitc
|
|
||||||
1459 pts/1 Ss+ 0:00 bash
|
|
||||||
2259 pts/0 Ss 0:00 -bash
|
|
||||||
2262 pts/0 R+ 0:00 ps a
|
|
||||||
waldek@debian:~$
|
|
||||||
```
|
|
||||||
|
|
||||||
We can use all console applications we know, such as `htop` and `vim` but what about the *graphical* ones?
|
|
||||||
Let's try and see what we can do.
|
|
||||||
`firefox` is installed on the remote machine so I *should* be able to launch it.
|
|
||||||
|
|
||||||
```bash
|
|
||||||
waldek@debian:~$ firefox
|
|
||||||
|
|
||||||
(firefox-esr:2275): Gtk-WARNING **: 15:14:42.460: Locale not supported by C library.
|
|
||||||
Using the fallback 'C' locale.
|
|
||||||
Error: no DISPLAY environment variable specified
|
|
||||||
waldek@debian:~$
|
|
||||||
```
|
|
||||||
|
|
||||||
What is this `DISPLAY` variable?
|
|
||||||
On the ssh connection we can have a look at how it's set with the following command.
|
|
||||||
It seems to be *empty*
|
|
||||||
|
|
||||||
```bash
|
|
||||||
waldek@debian:~$ echo $DISPLAY
|
|
||||||
|
|
||||||
waldek@debian:~$
|
|
||||||
```
|
|
||||||
|
|
||||||
On the graphical session we do the same and get the following.
|
|
||||||
|
|
||||||
```bash
|
|
||||||
waldek@debian:~$ echo $DISPLAY
|
|
||||||
:0
|
|
||||||
waldek@debian:~$
|
|
||||||
```
|
|
||||||
|
|
||||||
OK, there seems to a difference between both terminals here.
|
|
||||||
What would happen if we manually set the `DISPLAY` in the `ssh` connection?
|
|
||||||
Let's try this out.
|
|
||||||
|
|
||||||
```bash
|
|
||||||
waldek@debian:~$ export DISPLAY=:0
|
|
||||||
waldek@debian:~$ firefox
|
|
||||||
|
|
||||||
(firefox-esr:2298): Gtk-WARNING **: 15:19:37.681: Locale not supported by C library.
|
|
||||||
Using the fallback 'C' locale.
|
|
||||||
|
|
||||||
(/usr/lib/firefox-esr/firefox-esr:2348): Gtk-WARNING **: 15:19:38.329: Locale not supported by C library.
|
|
||||||
Using the fallback 'C' locale.
|
|
||||||
|
|
||||||
(/usr/lib/firefox-esr/firefox-esr:2391): Gtk-WARNING **: 15:19:38.818: Locale not supported by C library.
|
|
||||||
Using the fallback 'C' locale.
|
|
||||||
|
|
||||||
(/usr/lib/firefox-esr/firefox-esr:2414): Gtk-WARNING **: 15:19:39.103: Locale not supported by C library.
|
|
||||||
Using the fallback 'C' locale.
|
|
||||||
|
|
||||||
|
|
||||||
```
|
|
||||||
|
|
||||||
You should see `firefox` open up on the graphical desktop!
|
|
||||||
The `man X` pages explain this variable as follows:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
DISPLAY NAMES
|
|
||||||
From the user's perspective, every X server has a display name of the form:
|
|
||||||
|
|
||||||
hostname:displaynumber.screennumber
|
|
||||||
|
|
||||||
This information is used by the application to determine how it should connect to the server and which screen
|
|
||||||
it should use by default (on displays with multiple monitors):
|
|
||||||
|
|
||||||
hostname
|
|
||||||
The hostname specifies the name of the machine to which the display is physically connected. If the
|
|
||||||
hostname is not given, the most efficient way of communicating to a server on the same machine will be
|
|
||||||
used.
|
|
||||||
|
|
||||||
displaynumber
|
|
||||||
The phrase "display" is usually used to refer to a collection of monitors that share a common set of
|
|
||||||
input devices (keyboard, mouse, tablet, etc.). Most workstations tend to only have one display.
|
|
||||||
Larger, multi-user systems, however, frequently have several displays so that more than one person can
|
|
||||||
be doing graphics work at once. To avoid confusion, each display on a machine is assigned a display
|
|
||||||
number (beginning at 0) when the X server for that display is started. The display number must always be given in a display name.
|
|
||||||
|
|
||||||
screennumber
|
|
||||||
Some displays share their input devices among two or more monitors. These may be configured as a sin-
|
|
||||||
gle logical screen, which allows windows to move across screens, or as individual screens, each with
|
|
||||||
their own set of windows. If configured such that each monitor has its own set of windows, each screen
|
|
||||||
is assigned a screen number (beginning at 0) when the X server for that display is started. If the
|
|
||||||
screen number is not given, screen 0 will be used.
|
|
||||||
|
|
||||||
```
|
|
||||||
|
|
||||||
## X11 over SSH
|
|
||||||
|
|
||||||
While opening up a graphical program onto the remote screen can be handy, most often you'll want to actually interact with the program on your local screen.
|
|
||||||
This can be achieved via *Xforwarding* over `ssh`.
|
|
||||||
Let's dive into the trusty `man sshd_config` pages and look for all stuff related to `X11`.
|
|
||||||
|
|
||||||
```bash
|
|
||||||
X11DisplayOffset
|
|
||||||
Specifies the first display number available for sshd(8)'s X11 forwarding. This prevents sshd from in-
|
|
||||||
terfering with real X11 servers. The default is 10.
|
|
||||||
|
|
||||||
X11Forwarding
|
|
||||||
Specifies whether X11 forwarding is permitted. The argument must be yes or no. The default is no.
|
|
||||||
|
|
||||||
When X11 forwarding is enabled, there may be additional exposure to the server and to client displays if
|
|
||||||
the sshd(8) proxy display is configured to listen on the wildcard address (see X11UseLocalhost), though
|
|
||||||
this is not the default. Additionally, the authentication spoofing and authentication data verification
|
|
||||||
and substitution occur on the client side. The security risk of using X11 forwarding is that the
|
|
||||||
client's X11 display server may be exposed to attack when the SSH client requests forwarding (see the
|
|
||||||
warnings for ForwardX11 in ssh_config(5)). A system administrator may have a stance in which they want
|
|
||||||
to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which
|
|
||||||
can warrant a no setting.
|
|
||||||
|
|
||||||
Note that disabling X11 forwarding does not prevent users from forwarding X11 traffic, as users can al-
|
|
||||||
ways install their own forwarders.
|
|
||||||
|
|
||||||
X11UseLocalhost
|
|
||||||
Specifies whether sshd(8) should bind the X11 forwarding server to the loopback address or to the wild-
|
|
||||||
card address. By default, sshd binds the forwarding server to the loopback address and sets the hostname
|
|
||||||
part of the DISPLAY environment variable to localhost. This prevents remote hosts from connecting to the
|
|
||||||
proxy display. However, some older X11 clients may not function with this configuration.
|
|
||||||
X11UseLocalhost may be set to no to specify that the forwarding server should be bound to the wildcard
|
|
||||||
address. The argument must be yes or no. The default is yes.
|
|
||||||
|
|
||||||
XAuthLocation
|
|
||||||
Specifies the full pathname of the xauth(1) program, or none to not use one. The default is
|
|
||||||
/usr/bin/xauth.
|
|
||||||
```
|
|
||||||
|
|
||||||
We'll need to make sure a few setting are set in remote servers sshd configuration file, restart the server and try to launch a graphical application.
|
|
||||||
|
|
||||||
```bash
|
|
||||||
waldek@debian:~$ grep "X11" /etc/ssh/sshd_config
|
|
||||||
X11Forwarding yes
|
|
||||||
#X11DisplayOffset 10
|
|
||||||
#X11UseLocalhost yes
|
|
||||||
# X11Forwarding no
|
|
||||||
waldek@debian:~$
|
|
||||||
```
|
|
||||||
|
|
||||||
By default the forwarding seems to be on so why can't we see the firefox locally?
|
|
||||||
Turn out that the ssh *client* needs to ask for a fowarded connection to have it work out of the box.
|
|
||||||
A quick read of the `man ssh` pages gives us this explication.
|
|
||||||
|
|
||||||
```bash
|
|
||||||
-X Enables X11 forwarding. This can also be specified on a per-host basis in a configuration file.
|
|
||||||
|
|
||||||
X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the
|
|
||||||
remote host (for the user's X authorization database) can access the local X11 display through the for-
|
|
||||||
warded connection. An attacker may then be able to perform activities such as keystroke monitoring.
|
|
||||||
|
|
||||||
For this reason, X11 forwarding is subjected to X11 SECURITY extension restrictions by default. Please
|
|
||||||
refer to the ssh -Y option and the ForwardX11Trusted directive in ssh_config(5) for more information.
|
|
||||||
|
|
||||||
(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension restrictions by default, be-
|
|
||||||
cause too many programs currently crash in this mode. Set the ForwardX11Trusted option to "no" to re-
|
|
||||||
store the upstream behaviour. This may change in future depending on client-side improvements.)
|
|
||||||
|
|
||||||
-x Disables X11 forwarding.
|
|
||||||
|
|
||||||
-Y Enables trusted X11 forwarding. Trusted X11 forwardings are not subjected to the X11 SECURITY extension
|
|
||||||
controls.
|
|
||||||
|
|
||||||
(Debian-specific: In the default configuration, this option is equivalent to -X, since ForwardX11Trusted
|
|
||||||
defaults to "yes" as described above. Set the ForwardX11Trusted option to "no" to restore the upstream
|
|
||||||
behaviour. This may change in future depending on client-side improvements.)
|
|
||||||
```
|
|
||||||
|
|
||||||
Let's add the `-X` flag and see how it behaves now.
|
|
||||||
A firefox window should open up on your local screen!
|
|
||||||
|
|
||||||
```bash
|
|
||||||
➜ ~ git:(master) ✗ ssh -X waldek@192.168.0.195
|
|
||||||
waldek@192.168.0.195's password:
|
|
||||||
Linux debian 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64
|
|
||||||
|
|
||||||
The programs included with the Debian GNU/Linux system are free software;
|
|
||||||
the exact distribution terms for each program are described in the
|
|
||||||
individual files in /usr/share/doc/*/copyright.
|
|
||||||
|
|
||||||
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
|
|
||||||
permitted by applicable law.
|
|
||||||
Last login: Mon Sep 13 15:29:56 2021 from 192.168.0.16
|
|
||||||
waldek@debian:~$ echo $DISPLAY
|
|
||||||
localhost:10.0
|
|
||||||
waldek@debian:~$ firefox
|
|
||||||
|
|
||||||
(firefox-esr:3415): Gtk-WARNING **: 15:48:38.880: Locale not supported by C library.
|
|
||||||
Using the fallback 'C' locale.
|
|
||||||
|
|
||||||
(/usr/lib/firefox-esr/firefox-esr:3461): Gtk-WARNING **: 15:48:39.464: Locale not supported by C library.
|
|
||||||
Using the fallback 'C' locale.
|
|
||||||
|
|
||||||
(/usr/lib/firefox-esr/firefox-esr:3508): Gtk-WARNING **: 15:48:40.522: Locale not supported by C library.
|
|
||||||
Using the fallback 'C' locale.
|
|
||||||
|
|
||||||
(/usr/lib/firefox-esr/firefox-esr:3540): Gtk-WARNING **: 15:48:41.772: Locale not supported by C library.
|
|
||||||
Using the fallback 'C' locale.
|
|
||||||
|
|
||||||
|
|
||||||
```
|
|
||||||
|
|
||||||
## RDP
|
|
||||||
|
|
||||||
While Xforwarding over `ssh` is super handy for single applications, it becomes tricky to expose a full desktop environment over it.
|
|
||||||
A great alternative is the [Remote Desktop Protocol](https://en.wikipedia.org/wiki/Remote_Desktop_Protocol) which is a proprietary protocol by Microsoft.
|
|
||||||
There are open source alternatives but RDP works pretty well out of the box on Linux and Windows 10 comes with a client installed by default.
|
|
||||||
This makes it a good go to candidate for quick connections.
|
|
||||||
On a clean Debian you install the `xrdp` package.
|
|
||||||
|
|
||||||
```
|
|
||||||
waldek@debian:~$ sudo apt install xrdp
|
|
||||||
Reading package lists... Done
|
|
||||||
Building dependency tree... Done
|
|
||||||
Reading state information... Done
|
|
||||||
xrdp is already the newest version (0.9.12-1.1).
|
|
||||||
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
|
|
||||||
waldek@debian:~$ sudo systemctl status xrdp --no-pager
|
|
||||||
● xrdp.service - xrdp daemon
|
|
||||||
Loaded: loaded (/lib/systemd/system/xrdp.service; enabled; vendor preset: enabled)
|
|
||||||
Active: active (running) since Mon 2021-09-13 15:34:13 CEST; 37min ago
|
|
||||||
Docs: man:xrdp(8)
|
|
||||||
man:xrdp.ini(5)
|
|
||||||
Main PID: 7020 (xrdp)
|
|
||||||
Tasks: 1 (limit: 4577)
|
|
||||||
Memory: 816.0K
|
|
||||||
CPU: 3.542s
|
|
||||||
CGroup: /system.slice/xrdp.service
|
|
||||||
└─7020 /usr/sbin/xrdp
|
|
||||||
|
|
||||||
Sep 13 16:03:52 debian xrdp[20045]: (20045)(140028929824576)[INFO ] xrdp_wm_log_msg: login successful for display 11
|
|
||||||
Sep 13 16:03:52 debian xrdp[20045]: (20045)(140028929824576)[DEBUG] xrdp_wm_log_msg: started connecting
|
|
||||||
Sep 13 16:03:52 debian xrdp[20045]: (20045)(140028929824576)[INFO ] lib_mod_log_peer: xrdp_pid=20045 connected to…rt=52421
|
|
||||||
Sep 13 16:03:52 debian xrdp[20045]: (20045)(140028929824576)[DEBUG] xrdp_wm_log_msg: connected ok
|
|
||||||
Sep 13 16:03:52 debian xrdp[20045]: (20045)(140028929824576)[DEBUG] xrdp_mm_connect_chansrv: chansrv connect successful
|
|
||||||
Sep 13 16:03:52 debian xrdp[20045]: (20045)(140028929824576)[DEBUG] Closed socket 16 (AF_INET6 ::1 port 55722)
|
|
||||||
Sep 13 16:09:25 debian xrdp[20045]: (20045)(140028929824576)[DEBUG] Closed socket 12 (AF_INET6 ::ffff:192.168.0.2…rt 3389)
|
|
||||||
Sep 13 16:09:25 debian xrdp[20045]: (20045)(140028929824576)[DEBUG] xrdp_mm_module_cleanup
|
|
||||||
Sep 13 16:09:25 debian xrdp[20045]: (20045)(140028929824576)[DEBUG] Closed socket 17 (AF_UNIX)
|
|
||||||
Sep 13 16:09:25 debian xrdp[20045]: (20045)(140028929824576)[DEBUG] Closed socket 18 (AF_UNIX)
|
|
||||||
Hint: Some lines were ellipsized, use -l to show in full.
|
|
||||||
waldek@debian:~$
|
|
||||||
```
|
|
||||||
|
|
||||||
On your Windows client you can connect to machine and start a session.
|
|
||||||
|
|
||||||
![RDP client windows](./assets/rdp_windows.png)
|
|
||||||
|
|
||||||
On Linux `remmina` is a good all around client for `RDP`, `ssh` and `VNC` connections.
|
|
||||||
If you're running `GNOME` there is a high chance you'll get the following message.
|
|
||||||
|
|
||||||
![gnome error](./assets/gnome_error.png)
|
|
||||||
|
|
||||||
There is not much you can do about this and your best bet is to move to `xfce4` as desktop environment.
|
|
||||||
You can install both side by side and use gnome when sitting at the physical machine, and xfce4 over RDP.
|
|
||||||
The easiest way to *add* xfce4 to an existing installation is via `sudo tasksel`.
|
|
||||||
To set your default session you can do the following (tab complete works here!).
|
|
||||||
|
|
||||||
```bash
|
|
||||||
waldek@debianremote:~$ sudo update-alternatives --config x-session-manager
|
|
||||||
There are 3 choices for the alternative x-session-manager (providing /usr/bin/x-session-manager).
|
|
||||||
|
|
||||||
Selection Path Priority Status
|
|
||||||
------------------------------------------------------------
|
|
||||||
0 /usr/bin/gnome-session 50 auto mode
|
|
||||||
* 1 /usr/bin/gnome-session 50 manual mode
|
|
||||||
2 /usr/bin/startxfce4 50 manual mode
|
|
||||||
3 /usr/bin/xfce4-session 40 manual mode
|
|
||||||
|
|
||||||
Press <enter> to keep the current choice[*], or type selection number: 2
|
|
||||||
update-alternatives: using /usr/bin/startxfce4 to provide /usr/bin/x-session-manager (x-session-manager) in manual mode
|
|
||||||
waldek@debianremote:~$ sudo systemctl restart lightdm.service
|
|
||||||
waldek@debianremote:~$
|
|
||||||
```
|
|
||||||
|
|
||||||
Try to get an RDP session going and once you're logged in, try to run a parallel session via the lightdm display manager.
|
|
||||||
You'll log in but will get *kicked out* almost immediately.
|
|
||||||
This is because by default you can't have two sessions running at the same time on the same computer.
|
|
||||||
Try to connect from a different station to the same session again over RDP.
|
|
||||||
You'll get to log in, but the original one will be cut off.
|
|
||||||
This is the expected behavior, so not a bug, more of a feature!
|
|
||||||
Your session will stay running so you can disconnect and reconnect from a different location later.
|
|
||||||
|
|
||||||
## VNC
|
|
||||||
|
|
||||||
### Remote helping via x11vnc
|
|
||||||
|
|
||||||
If we need to connect to an running session to help out, or take over, the control of a Linux machine we can use `x11vnc` to do this.
|
|
||||||
This is a program that can expose *any* running screen over vnc, with or without a password!
|
|
||||||
In a terminal either via the virtual machine, or via ssh, you execute the following commands.
|
|
||||||
A vnc server is now running and you can connect to it with remmina or vncviewer.
|
|
||||||
As long as this x11vnc process is running we can connect to it.
|
|
||||||
|
|
||||||
```bash
|
|
||||||
waldek@debianremote:~$ sudo apt install x11vnc
|
|
||||||
Reading package lists... Done
|
|
||||||
Building dependency tree... Done
|
|
||||||
Reading state information... Done
|
|
||||||
x11vnc is already the newest version (0.9.16-7).
|
|
||||||
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
|
|
||||||
waldek@debianremote:~$ x11vnc -display :0
|
|
||||||
###############################################################
|
|
||||||
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#
|
|
||||||
#@ @#
|
|
||||||
#@ ** WARNING ** WARNING ** WARNING ** WARNING ** @#
|
|
||||||
#@ @#
|
|
||||||
#@ YOU ARE RUNNING X11VNC WITHOUT A PASSWORD!! @#
|
|
||||||
#@ @#
|
|
||||||
#@ This means anyone with network access to this computer @#
|
|
||||||
#@ may be able to view and control your desktop. @#
|
|
||||||
#@ @#
|
|
||||||
#@ >>> If you did not mean to do this Press CTRL-C now!! <<< @#
|
|
||||||
#@ @#
|
|
||||||
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#
|
|
||||||
#@ @#
|
|
||||||
#@ You can create an x11vnc password file by running: @#
|
|
||||||
#@ @#
|
|
||||||
#@ x11vnc -storepasswd password /path/to/passfile @#
|
|
||||||
#@ or x11vnc -storepasswd /path/to/passfile @#
|
|
||||||
#@ or x11vnc -storepasswd @#
|
|
||||||
#@ @#
|
|
||||||
#@ (the last one will use ~/.vnc/passwd) @#
|
|
||||||
#@ @#
|
|
||||||
#@ and then starting x11vnc via: @#
|
|
||||||
#@ @#
|
|
||||||
#@ x11vnc -rfbauth /path/to/passfile @#
|
|
||||||
#@ @#
|
|
||||||
#@ an existing ~/.vnc/passwd file from another VNC @#
|
|
||||||
#@ application will work fine too. @#
|
|
||||||
#@ @#
|
|
||||||
#@ You can also use the -passwdfile or -passwd options. @#
|
|
||||||
#@ (note -passwd is unsafe if local users are not trusted) @#
|
|
||||||
#@ @#
|
|
||||||
#@ Make sure any -rfbauth and -passwdfile password files @#
|
|
||||||
#@ cannot be read by untrusted users. @#
|
|
||||||
#@ @#
|
|
||||||
#@ Use x11vnc -usepw to automatically use your @#
|
|
||||||
#@ ~/.vnc/passwd or ~/.vnc/passwdfile password files. @#
|
|
||||||
#@ (and prompt you to create ~/.vnc/passwd if neither @#
|
|
||||||
#@ file exists.) Under -usepw, x11vnc will exit if it @#
|
|
||||||
#@ cannot find a password to use. @#
|
|
||||||
#@ @#
|
|
||||||
#@ @#
|
|
||||||
#@ Even with a password, the subsequent VNC traffic is @#
|
|
||||||
#@ sent in the clear. Consider tunnelling via ssh(1): @#
|
|
||||||
#@ @#
|
|
||||||
#@ http://www.karlrunge.com/x11vnc/#tunnelling @#
|
|
||||||
#@ @#
|
|
||||||
#@ Or using the x11vnc SSL options: -ssl and -stunnel @#
|
|
||||||
#@ @#
|
|
||||||
#@ Please Read the documentation for more info about @#
|
|
||||||
#@ passwords, security, and encryption. @#
|
|
||||||
#@ @#
|
|
||||||
#@ http://www.karlrunge.com/x11vnc/faq.html#faq-passwd @#
|
|
||||||
#@ @#
|
|
||||||
#@ To disable this warning use the -nopw option, or put @#
|
|
||||||
#@ 'nopw' on a line in your ~/.x11vncrc file. @#
|
|
||||||
#@ @#
|
|
||||||
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#
|
|
||||||
###############################################################
|
|
||||||
13/09/2021 20:47:13 x11vnc version: 0.9.16 lastmod: 2019-01-05 pid: 14610
|
|
||||||
13/09/2021 20:47:13 Using X display :0
|
|
||||||
13/09/2021 20:47:13 rootwin: 0x532 reswin: 0x2e00001 dpy: 0xbfe738d0
|
|
||||||
13/09/2021 20:47:13
|
|
||||||
13/09/2021 20:47:13 ------------------ USEFUL INFORMATION ------------------
|
|
||||||
13/09/2021 20:47:13 X DAMAGE available on display, using it for polling hints.
|
|
||||||
13/09/2021 20:47:13 To disable this behavior use: '-noxdamage'
|
|
||||||
13/09/2021 20:47:13
|
|
||||||
13/09/2021 20:47:13 Most compositing window managers like 'compiz' or 'beryl'
|
|
||||||
13/09/2021 20:47:13 cause X DAMAGE to fail, and so you may not see any screen
|
|
||||||
13/09/2021 20:47:13 updates via VNC. Either disable 'compiz' (recommended) or
|
|
||||||
13/09/2021 20:47:13 supply the x11vnc '-noxdamage' command line option.
|
|
||||||
13/09/2021 20:47:13
|
|
||||||
13/09/2021 20:47:13 Wireframing: -wireframe mode is in effect for window moves.
|
|
||||||
13/09/2021 20:47:13 If this yields undesired behavior (poor response, painting
|
|
||||||
13/09/2021 20:47:13 errors, etc) it may be disabled:
|
|
||||||
13/09/2021 20:47:13 - use '-nowf' to disable wireframing completely.
|
|
||||||
13/09/2021 20:47:13 - use '-nowcr' to disable the Copy Rectangle after the
|
|
||||||
13/09/2021 20:47:13 moved window is released in the new position.
|
|
||||||
13/09/2021 20:47:13 Also see the -help entry for tuning parameters.
|
|
||||||
13/09/2021 20:47:13 You can press 3 Alt_L's (Left "Alt" key) in a row to
|
|
||||||
13/09/2021 20:47:13 repaint the screen, also see the -fixscreen option for
|
|
||||||
13/09/2021 20:47:13 periodic repaints.
|
|
||||||
13/09/2021 20:47:13
|
|
||||||
13/09/2021 20:47:13 XFIXES available on display, resetting cursor mode
|
|
||||||
13/09/2021 20:47:13 to: '-cursor most'.
|
|
||||||
13/09/2021 20:47:13 to disable this behavior use: '-cursor arrow'
|
|
||||||
13/09/2021 20:47:13 or '-noxfixes'.
|
|
||||||
13/09/2021 20:47:13 using XFIXES for cursor drawing.
|
|
||||||
13/09/2021 20:47:13 GrabServer control via XTEST.
|
|
||||||
13/09/2021 20:47:13
|
|
||||||
13/09/2021 20:47:13 Scroll Detection: -scrollcopyrect mode is in effect to
|
|
||||||
13/09/2021 20:47:13 use RECORD extension to try to detect scrolling windows
|
|
||||||
13/09/2021 20:47:13 (induced by either user keystroke or mouse input).
|
|
||||||
13/09/2021 20:47:13 If this yields undesired behavior (poor response, painting
|
|
||||||
13/09/2021 20:47:13 errors, etc) it may be disabled via: '-noscr'
|
|
||||||
13/09/2021 20:47:13 Also see the -help entry for tuning parameters.
|
|
||||||
13/09/2021 20:47:13 You can press 3 Alt_L's (Left "Alt" key) in a row to
|
|
||||||
13/09/2021 20:47:13 repaint the screen, also see the -fixscreen option for
|
|
||||||
13/09/2021 20:47:13 periodic repaints.
|
|
||||||
13/09/2021 20:47:13
|
|
||||||
13/09/2021 20:47:13 XKEYBOARD:
|
|
||||||
13/09/2021 20:47:13 Switching to -xkb mode to recover these keysyms:
|
|
||||||
13/09/2021 20:47:13 xkb noxkb Keysym ("X" means present)
|
|
||||||
13/09/2021 20:47:13 --- ----- -----------------------------
|
|
||||||
13/09/2021 20:47:13 X 0x40 at
|
|
||||||
13/09/2021 20:47:13 X 0x23 numbersign
|
|
||||||
13/09/2021 20:47:13 X 0x5b bracketleft
|
|
||||||
13/09/2021 20:47:13 X 0x5d bracketright
|
|
||||||
13/09/2021 20:47:13 X 0x7b braceleft
|
|
||||||
13/09/2021 20:47:13 X 0x7d braceright
|
|
||||||
13/09/2021 20:47:13 X 0x7c bar
|
|
||||||
13/09/2021 20:47:13 X 0x5c backslash
|
|
||||||
13/09/2021 20:47:13
|
|
||||||
13/09/2021 20:47:13 If this makes the key mapping worse you can
|
|
||||||
13/09/2021 20:47:13 disable it with the "-noxkb" option.
|
|
||||||
13/09/2021 20:47:13
|
|
||||||
13/09/2021 20:47:13
|
|
||||||
13/09/2021 20:47:13 X FBPM extension not supported.
|
|
||||||
13/09/2021 20:47:13 X display is capable of DPMS.
|
|
||||||
13/09/2021 20:47:13 --------------------------------------------------------
|
|
||||||
13/09/2021 20:47:13
|
|
||||||
13/09/2021 20:47:13 Default visual ID: 0x21
|
|
||||||
13/09/2021 20:47:13 Read initial data from X display into framebuffer.
|
|
||||||
13/09/2021 20:47:13 initialize_screen: fb_depth/fb_bpp/fb_Bpl 24/32/3200
|
|
||||||
13/09/2021 20:47:13
|
|
||||||
13/09/2021 20:47:13 X display :0 is 32bpp depth=24 true color
|
|
||||||
13/09/2021 20:47:13
|
|
||||||
13/09/2021 20:47:13 Autoprobing TCP port
|
|
||||||
13/09/2021 20:47:13 Autoprobing selected TCP port 5901
|
|
||||||
13/09/2021 20:47:13 Autoprobing TCP6 port
|
|
||||||
13/09/2021 20:47:13 Autoprobing selected TCP6 port 5900
|
|
||||||
13/09/2021 20:47:13 Listening also on IPv6 port 5901 (socket 10)
|
|
||||||
13/09/2021 20:47:13
|
|
||||||
13/09/2021 20:47:13 Xinerama is present and active (e.g. multi-head).
|
|
||||||
13/09/2021 20:47:13 Xinerama: number of sub-screens: 1
|
|
||||||
13/09/2021 20:47:13 Xinerama: no blackouts needed (only one sub-screen)
|
|
||||||
13/09/2021 20:47:13
|
|
||||||
13/09/2021 20:47:13 fb read rate: 1355 MB/sec
|
|
||||||
13/09/2021 20:47:13 fast read: reset -wait ms to: 10
|
|
||||||
13/09/2021 20:47:13 fast read: reset -defer ms to: 10
|
|
||||||
13/09/2021 20:47:13 The X server says there are 10 mouse buttons.
|
|
||||||
13/09/2021 20:47:13 screen setup finished.
|
|
||||||
13/09/2021 20:47:13
|
|
||||||
13/09/2021 20:47:13 WARNING: You are running x11vnc WITHOUT a password. See
|
|
||||||
13/09/2021 20:47:13 WARNING: the warning message printed above for more info.
|
|
||||||
13/09/2021 20:47:13
|
|
||||||
|
|
||||||
The VNC desktop is: debianremote:1
|
|
||||||
PORT=5901
|
|
||||||
|
|
||||||
******************************************************************************
|
|
||||||
Have you tried the x11vnc '-ncache' VNC client-side pixel caching feature yet?
|
|
||||||
|
|
||||||
The scheme stores pixel data offscreen on the VNC viewer side for faster
|
|
||||||
retrieval. It should work with any VNC viewer. Try it by running:
|
|
||||||
|
|
||||||
x11vnc -ncache 10 ...
|
|
||||||
|
|
||||||
One can also add -ncache_cr for smooth 'copyrect' window motion.
|
|
||||||
More info: http://www.karlrunge.com/x11vnc/faq.html#faq-client-caching
|
|
||||||
|
|
||||||
|
|
||||||
```
|
|
||||||
|
|
||||||
You can combine both RDP and x11vnc as follows.
|
|
||||||
First you have to find out how the display of RDP is referenced.
|
|
||||||
The you create the x11vnc process and connect to it.
|
|
||||||
|
|
||||||
```bash
|
|
||||||
waldek@debianremote:~$ ps aux | grep xorgxrdp
|
|
||||||
waldek 3516 0.2 3.0 664264 118116 ? Sl 20:53 0:02 /usr/lib/xorg/Xorg :10 -auth .Xauthority -config xrdp/xorg.conf -noreset -nolisten tcp -logfile .xorgxrdp.%s.log
|
|
||||||
waldek 4333 0.0 0.0 6152 716 pts/0 S+ 21:11 0:00 grep xorgxrdp
|
|
||||||
waldek@debianremote:~$ x11vnc -display :10
|
|
||||||
```
|
|
||||||
|
|
||||||
On a different machine you run the following.
|
|
||||||
|
|
||||||
```bash
|
|
||||||
vncviewer 192.168.0.239:0
|
|
||||||
```
|
|
||||||
|
|
||||||
You probably realize this is super insecure so we should tunnel it over ssh!
|
|
||||||
Luckily this is quite easy to do.
|
|
||||||
We need to add `-allow localhost` to the `x11vnc` command, and then use the `-via` argument with `vncviewer`.
|
|
||||||
Both lines are noted below.
|
|
||||||
|
|
||||||
```bash
|
|
||||||
waldek@debianremote:~$ x11vnc -display :0 -allow localhost
|
|
||||||
```
|
|
||||||
|
|
||||||
```bash
|
|
||||||
vncviewer -via waldek@192.168.0.239 localhost:0
|
|
||||||
```
|
|
||||||
|
|
||||||
### Exposing the lightdm login screen
|
|
||||||
|
|
||||||
We can expose the actual login screen of lightdm over vnc to offer RDP like functionality but without the restrictions.
|
|
||||||
To do this we need to set the `-auth` flag of `x11vnc` to the `.Xauthority` file of `lightdm`.
|
|
||||||
On most disto's this can be found at `/var/lib/lightdm/.Xauthority`.
|
|
||||||
Because the login session runs as root we need to start the x11vnc as root as well.
|
|
||||||
You should limit to localhost for security reasons!
|
|
||||||
If you want the tunnel vnc process to keep running after you disconnect you should add the `-forever` argument together with the `-loop` one.
|
|
||||||
If you want more than one client to connect you can add the `-shared` argument.
|
|
||||||
Together with password for actual users and viewers the can become quite powerful!
|
|
||||||
|
|
||||||
```bash
|
|
||||||
x11vnc -rfbauth /etc/vncpasswd -auth /var/lib/lightdm/.Xauthority -display :0 -allow localhost -forever -loop -shared
|
|
||||||
```
|
|
||||||
|
|
||||||
Multiple users can now connect to the same session and to control the session they need a password.
|
|
||||||
This password can be set with the `vncpasswd` program.
|
|
||||||
You can make this into a systemd service to start at boot if you want!
|
|
Loading…
Reference in New Issue