ONLamp.com    
 Published on ONLamp.com (http://www.onlamp.com/)
 See this if you're having trouble printing code examples


FreeBSD Basics

Multi-Platform Remote Control

08/23/2001

So far this year, I've been concentrating on protecting your FreeBSD system by using permissions and creating firewall rules. In the next series of articles, I'd like to take a look at some of the ways you can use your FreeBSD computer to share resources and access other computers in your LAN.

In today's article, I'd like to take a look at VNC, the Virtual Network Computing project from ATT Laboratories. With VNC, you can access the desktop of any PC in your network, regardless of the operating system it is using. For example, from your FreeBSD computer you can access the desktop of a Windows 95/98/ME computer; an NT Workstation or Server; another FreeBSD computer, a Linux, SCO or Solaris system; or a Windows 2000 Professional or Server computer. You will be able to do anything from that desktop as if you were physically at the other machine. The reverse is also true, meaning you can access your FreeBSD computer from any of the above listed operating systems.

This functionality is extremely handy if you are an administrator of a network, as you can check the status and change the configurations of any PC in your network without leaving your desk. In my home network, I've found it to be an economic alternative to a KVM switch when I had more PCs than monitors and mice. As an instructor, it's an invaluable teaching tool as I can have the desktops of several operating systems minimized in my menubar.

Because of its functionality and ease of use, you may want to consider running VNC only on your local LAN. It's one thing for you to be able to access any of your PCs, but you probably wouldn't want to give that functionality to a stranger. VNC does have some built-in security measures, and I'll point them out as we come across them.

In my home LAN, I have the following computers:

In today's demonstration, I won't be going through the firewall on my other FreeBSD computer, so I won't have to change my ruleset. Also, all PCs on my LAN have already been set up for Internet connectivity, so I can build VNC on each of them.

Let's start by installing VNC. On the FreeBSD computer I built the port by typing:

su
Password:
cd /usr/ports/net/vnc
make install clean

On the 98 and NT PCs, I used my Web browser to navigate to:

www.uk.research.att.com/vnc/

While I was there, I read the interesting introduction on the benefits of using VNC, then I proceeded to the download page. I chose to download "Windows 9x/2000/NT (Intel Win32)" and filled in my name and e-mail address. Then I downloaded the zipped version and used "Winzip" to unzip it.

The unzipping process resulted in a folder called vnc_x86_win32, which contains two subfolders called vncviewer and winvnc. Like any other TCP/IP application, VNC contains two components: a server and a client (also known as the viewer). You use the viewer to access another PC; however, that PC must be running the server so it can listen for and authorize the connection.

I want to start by accessing the NT desktop, so on the NT machine, I'll doubleclick on the winvnc folder, then doubleclick on Setup.exe. I receive a warning to ensure that at least Service Pack 3 is installed; if you're running NT without a Service Pack, shake your head in shame then proceed to Microsoft's Web site to download the latest Service Pack.

Also in FreeBSD Basics:

Fun with Xorg

Sharing Internet Connections

Building a Desktop Firewall

Using DesktopBSD

Using PC-BSD

Then I follow through the prompts to finish the installation of the VNC server. If I now go to Start-->Programs, I have a new heading for VNC that contains all of the server tools. I'll click on "Run WinVNC (App Mode)," which will bring up the "WinVNC: Current User Properties" box. This box contains a section to type in a password, which is VNC's first security feature. If you just press OK without typing in a password, you'll receive a warning that WinVNC will not accept any incoming connections until you set the password.

This password is used to authorize connections to the computer running the VNC server. If a user knows the password, he will have access to that computer; his permissions will be the same as the user who started the VNC server. For example, on my NT box, I'm currently logged in as administrator, which is the equivalent of the root account in FreeBSD. Accordingly, I'll probably want to set a unique and difficult password to prevent users other than myself from gaining administrative access through VNC.

I'll type in the password and press OK. I now have a VNC icon in my system tray next to the clock. If I right-click this icon, I can view the properties, kill any clients or stop the VNC server.

Let's see if I can access the NT server from the FreeBSD computer. When I installed the VNC port, the server component called "vncserver" and the client component called "vncviewer" were installed. Additionally, all of the VNC documentation was installed into /usr/X11R6/share/doc/vnc. This documentation is well-written and is worth reading even if you don't have any problems using VNC.

I'll start my favorite windows manager, open an xterm and type "vncviewer." A small box appears that prompts for the "VNC Server." I can type in either the hostname or the IP address of the NT server; I decide to type in 10.0.0.3. Another box appears prompting for the password, so I type in the password I created when I set up the VNC server on the NT computer. At that point, the NT Server's desktop appears on my screen.

These two computers happen to be side by side on my network, so I'm now seeing the NT desktop in stereo. As I move the cursor on my FreeBSD box, I can watch it move simultaneously on both monitors. As my cursor goes to the Start menu and I see the ShutDown option, my mind wanders to all sorts of evil April Fools pranks I could play on unsuspecting users in my network. I envision the horror on another user's face as I slowly open a command prompt and type fdisk, or perhaps format c:. But seriously, VNC is an effective administrative tool. If you don't want users to access another computer, don't run the VNC server on it. If you don't want all users accessing a VNC server, set a tough password and only give it to authorized users.

Now, let's try running the VNC server on the FreeBSD computer and accessing it from the Win98 computer. Remember, whenever users connect to a VNC server, they will inherit the permissions of the user who started that VNC server. For this reason, don't start the VNC server as root. Also, keep in mind that if the user who starts the VNC server has permission to become the superuser, then so will the person who accesses the VNC server.

On the FreeBSD computer, I'll start the VNC server as the user genisis:

vncserver
You will require a password to access your desktops.
Password:
Verify:
xauth: creating new authority file /home/genisis/.Xauthority
New 'X' desktop is genisis:1
Starting applications specified in /home/genisis/.vnc/xstartup
Log file is /home/genisis/.vnc/genisis:1.log

Note that I was again prompted for a password, just like I was when I started the VNC server on the NT computer. Several files were also created in genisis' home directory, including a log file for troubleshooting purposes. Take note of the number 1 as this is the number of the display that the client will make a connection to. If I was to repeat the vncserver command, then I would receive the same output, but with a display number of 2 and could repeat for as many connections as I was willing to listen for.

To ensure that the server is running, I can do a search through the running processes by greping the ps command like so:

ps -acux | grep vnc
genisis 20310  0.0  2.4  3556 3068  p0- I  8:36AM  0:00.20 Xvnc

You'll note that the actual name of the server is "Xvnc." Again, the owner of this process is "genisis" so any connections to this server will have all of the permissions of the user "genisis."

I'll also double check what port this server is listening on by searching through the socket table:

sockstat -4 | grep vnc
USER     COMMAND    PID  FD PROTO  LOCAL ADDRESS  FOREIGN ADDRESS      
genisis  Xvnc     20310   0 tcp4   *:6001         *:*                  
genisis  Xvnc     20310   3 tcp4   *:5901         *:*                  
genisis  Xvnc     20310   4 tcp4   *:5801         *:*

Note that the one process (PID 20310) is actually listening on three ports: 6001, 5901 and 5801. VNC uses the following numbering scheme for its ports:

In each case, the x represents the display number you were given when you started the VNC server; in our case it is 1.

Now that my FreeBSD box is listening for VNC connections, I'll go to the Win98 computer. When I unzipped the VNC program that I downloaded, a VNC folder was created. When I doubleclick on this folder, I see that it contains another folder called vncviewer that contains an executable called vncviewer. I'll doubleclick this executable, which will bring up the "Connection details" box that prompts me for the name of the VNC viewer in the format host:display. When I type in 10.0.0.1:1, I'll receive the "VNC Authentication" box, which prompts for the "Session password." Once I type this in, I'll receive a twm desktop with the following written in the blue title bar: genisis's X desktop (genisis:1)

At this point, I can type in whatever I want into the xterm and I can do anything to my FreeBSD computer from the Win98 computer that the user genisis has permission to do.

If you don't like the default window manager of "twm," you can experiment running other windows managers. Since the pixel information required to redraw the screen is being sent over the network, you'll probably want to consider one of the more light-weight windows managers. Since Windowmaker is already installed on my FreeBSD computer, I typed wmaker into the "xterm" and was greeted by the familiar Windowmaker desktop. For some reason, I was also able to load Xfce, but it refused to load the menubar, leaving it functionally useless. If you experiment on your own and find a windows manager that works for you, you can tell your VNC server to permanently change the default windows manager.

To do so, you'll have to kill the running VNC server and edit VNC's xstartup file. I'll do this as the user genisis:

killall Xvnc
cd ~genisis/.vnc
more xstartup

#!/bin/sh
xrdb $HOME/.Xresources
xsetroot -solid grey
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
twm &

That last line that says twm &, I'll edit to read wmaker &. I'll then restart the VNC server using the vncserver command. When I reconnect from the Win98 computer, I now have the Windowmaker windows manager instead of "twm."

Another handy way to attach to a VNC server is from a Java enabled Web browser. I'll open Internet Explorer from the Win98 computer and type in the following URL:

http://10.0.0.1:5801

Remember that the VNC server listens for Web requests from port 580x; since my server is listening on display number 1, I replaced the x with the number 1. In the Web browser, a VNC Authentication page is displayed that prompts for the password. Once I type in the password, I'm once again greeted with the Windowmaker display running on my FreeBSD computer.

A quick note on the difference in the displays depending on whether the VNC server is running on a MS machine or a FreeBSD computer. Unlike Unix, Microsoft does not use the concept of an XServer that can listen for multiple connections. Instead, it uses profiles to distinguish one user's desktop from another. Since MS operating systems are single user, only one profile can be run at a time; which profile is used depends upon who has logged in. For this reason, when you access a MS machine using VNC, you will get the actual desktop that is currently running on that computer, including that user's wallpaper, shortcuts, etc.

In contrast, FreeBSD is a multi-user operating system and the XServer is capable of listening for multiple connections, each of which is assigned a sequential number. When you access a FreeBSD computer running VNC, you must specify the number of the display you would like to connect to. You'll then receive a default desktop, not the desktop of the user who started the VNC server.

On the Microsoft computers in your network, you don't have to install VNC on each machine you want to connect from, just those that will be running the server. The vncviewer easily fits on a floppy; simply copy the executable onto a floppy and take it with you when you want to initiate a VNC connection to another computer in your network.

This article should get you started on the possibilities available to you by using VNC on your LAN. To discover the other built-in features on VNC, check out the documentation that was installed on your FreeBSD computer or from the VNC Web site. They contain instructions on how to run VNC as a service in NT, how to run VNC through an SSH tunnel and how to run VNC through a firewall.

Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.


Read more FreeBSD Basics columns.

Return to the BSD DevCenter.

Copyright © 2009 O'Reilly Media, Inc.