Tiger VNC Creating Session On loopback ip address - vnc

I installed TigerVNC on CentOS 8.3 and tried to run it with the vncserver command, but it gives me this message: "vncserver has been replaced by a systemd unit."
I have also followed the instructions from the file /usr/share/doc/tigervnc/HOWTO.md and created a VNC session. The session is accessible only on the loopback IP of the machine.
Result of the netstat -tulpn command:
tcp 0 0 127.0.0.1:5905 0.0.0.0:* LISTEN 2645/Xvnc
tcp6 0 0 ::1:5905 :::* LISTEN 2645/Xvnc
How can I change the loopback IP of the VNC session to the machine IP?

Minhaj:
I ran into this today. TigerVNC has been changed with the version 8.x Fedora kernel. I dug a bit & found it is related to "an upstream decision." What this means in simple English is that the project team made a design decision. I personally agree with the design changes since it brings greater control and security to VNC than previous versions. This is not to suggest the actual VNC protocol is SSL enabled. You should still employ best practices like using firewalld to prevent access to VNC ports and using SSH tunneling to get to the console, etc.
To get started, you'll need to do a bit of simple configuration work as described in /usr/share/doc/tigervnc/HOWTO.md. Start by reading the instructions in the file.
All tasks must be run with root privileges, so use the sudo utility for all of them.
TASK 1: At the simplest level, begin by opening the file /etc/tigervnc/vncserver.users
Create an entry for each user that will use the service. For example:
:1=hwojteczko
:2=esong
Note the digit preceding each user name. This is the VNC console number that will be assigned to each user. Save the file.
TASK 2: Inspect the /usr/share/xsessions file to confirm the type of desktop installed on the system. The default desktop is gnome, but there are others, so be mindful of this.
TASK 3: Next, you'll need to modify the Xvnc options file. Fortunately, there are some commented entries already left in place, which can be removed. Open the file /etc/tigervnc/vncserver-config-defaults, remove the comments as shown below, but also add the desktop to the session config within the stanza. This will not likely be there, so it is easy to miss this step. See example below:
securitytypes=vncauth,tlsvnc
desktop=sandbox
geometry=2000x1200
localhost
alwaysshared
session=gnome
TASK 4: As the user, set a VNC password using vncpasswd. This will be similar to what you are accustomed to with previous versions of TigerVNC, but it WILL NOT start TigerVNC.
IMPORTANT: For the next task, you must make sure that you, or the user, is not logged into a desktop session. For those like me who develop code on Linux, this is an easy way to get tripped up. This is not a concern if you are accessing a remote server.
TASK 5: Start the VNC Service for the correct user session. See below:
systemctl start vncserver@:1
You'll see there is no output to speak of. Use systemctl and check the status. It is best to wait about 10-15 seconds before doing so to ensure the startup does not fail.
systemctl status vncserver@:1
TASK 6: Now, you can check to see that port 5901 is open with nmap, as in:
nmap -PN localhost
Which should report something like:
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
631/tcp open ipp
5901/tcp open vnc-1
now you can ssh to the host and tunnel VNC traffic securely, such as:
ssh hwojteczko@172.16.129.5 -N -L localhost:5901:localhost:5901
TASK 7: When you are done, don't forget to shut down TigerVNC using systemctl, as in:
systemctl stop vncserver@:1
Happy coding......
h
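The following is an added example, not part of the answer above or of the TigerVNC project. It is a pre-flight check for the two files edited in TASK 1 and TASK 3: it reports the TCP port each ":N=user" entry will use (5900 + N) and confirms that the "localhost" option, which keeps Xvnc bound to the loopback interface, is present along with session= and a TLS security type. The file contents in the block are constructed samples; point the functions at /etc/tigervnc/vncserver.users and /etc/tigervnc/vncserver-config-defaults to check a real host.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer or the TigerVNC project):
# sanity-check the TigerVNC users file and the Xvnc defaults file.

# Print "display user port" for every valid ":N=user" entry; flag anything else.
vnc_users() {
    local file="$1" line disp user rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac      # skip blanks and comments
        disp=${line%%=*}
        user=${line#*=}
        case "$disp" in
            :[0-9]|:[0-9][0-9])
                # display :N listens on TCP 5900+N (the 5901 the answer probes with nmap)
                printf '%s %s %d\n' "$disp" "$user" "$((5900 + ${disp#:}))" ;;
            *)
                printf 'INVALID %s\n' "$line"; rc=1 ;;
        esac
    done < "$file"
    return "$rc"
}

# Return 0 when the defaults file carries the settings the answer relies on.
vnc_config_check() {
    local file="$1" rc=0
    if grep -Eq '^[[:space:]]*localhost[[:space:]]*$' "$file"; then
        echo "ok: 'localhost' set, Xvnc listens on 127.0.0.1/::1 only"
    else
        echo "WARN: 'localhost' missing, Xvnc would listen on every interface"; rc=1
    fi
    grep -Eq '^session=' "$file" \
        || { echo "WARN: no session= line, the desktop will not start"; rc=1; }
    grep -Eq '^securitytypes=.*tlsvnc' "$file" \
        || { echo "WARN: securitytypes does not include tlsvnc"; rc=1; }
    return "$rc"
}

# Constructed sample files mirroring the TASK 1 and TASK 3 edits (plus one bad entry).
users_file=$(mktemp)
printf ':1=hwojteczko\n:2=esong\n:x=broken\n' > "$users_file"
good_cfg=$(mktemp)
printf 'securitytypes=vncauth,tlsvnc\ndesktop=sandbox\ngeometry=2000x1200\nlocalhost\nalwaysshared\nsession=gnome\n' > "$good_cfg"
bad_cfg=$(mktemp)
printf 'securitytypes=vncauth,tlsvnc\ngeometry=2000x1200\nalwaysshared\n' > "$bad_cfg"

vnc_users "$users_file" || echo "fix the INVALID entries above"
vnc_config_check "$good_cfg"
vnc_config_check "$bad_cfg" || echo "defaults file needs attention"
```

Running it against the sample files lists ":1 hwojteczko 5901" and ":2 esong 5902", flags the ":x=broken" entry, accepts the answer's config stanza and warns on the stripped-down one.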

Sandboxing to allow multiple processes open the same port

Background
I have a command-line application that I use to connect to a remote device on port 1234. I cannot change the port number, and I do not have access to the source to rebuild this tool. I'm currently working in a lab where all ports except SSH are blocked. To get around this, I create a tunnel, i.e.:
ssh -L 1234:remotehost:1234 sshuser@remotehost
Now, I can just point my CLI program at localhost:1234 to connect with my CLI tool to the desired host.
Problem
This CLI tool needs to run for about an hour straight, and I have about 200 remote hosts to test with it. I would like to parallelize this task. Unfortunately, I can only create a single tunnel on my local machine using port 1234.
Question
Is there a (trivial/simple/automated) way to jail/sandbox my CLI tool so that I can launch 100 instances in parallel (i.e. via a shell script) so that each instance "thinks" it's talking to port 1234? For example, does Docker or KVM provide some sort of anonymous/on-demand compute node feature that I could set up rapidly? I'd rather not have to resort to manually deploying and managing a slew of VirtualBox hosts via vagrant.
The simple answer is that you can use multiple IP addresses locally. Each local IP address on the client will allow you to create another tunnel. Currently, you are using localhost. But your client also has an IP address. You can prove my point by trying this syntax:
ssh -f -N -L 127.0.0.1:1234:remotehost1:1234 sshuser@remotehost1 # this is default
ssh -f -N -L <local-IP1>:1234:remotehost2:1234 sshuser@remotehost2 # specifying non-default value <local-IP1>
Now, you just need to figure out how to give your client multiple IP addresses (secondary addresses). Then you can expand this beyond 2 parallel sessions.
I've also added -f and -N to your ssh syntax to put ssh into the background (-f) and to not issue any commands.
Using -R tunnels in the past, I've found that I need to enable GatewayPorts on the server (/etc/ssh/sshd_config). In the case of -L , I don't see the need. However, the ssh man-page explicitly mentioned GatewayPorts associated with the -L function. You may need to play around a bit. I just tried this out on my Mac and I was able to get it going without any GatewayPorts considerations.
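An added example, not from the answer above: instead of adding secondary addresses to a real interface, it gives every remote host its own loopback address (127.0.0.1, 127.0.0.2, ...) and prints the matching "ssh -f -N -L" command, so each tool instance targets a different 127.0.0.N:1234. Assumptions: the service port is 1234 as in the question, the SSH user is "sshuser", and the host names are constructed. On Linux the whole 127.0.0.0/8 block is already routed to lo, so no configuration is needed; on macOS each extra address must first be added with "sudo ifconfig lo0 alias 127.0.0.N up".

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): one loopback address per tunnel.
PORT=1234          # the fixed port the CLI tool insists on
SSH_USER=sshuser   # assumed SSH user name

# index (0..253) -> 127.0.0.<index+1>; index 0 is the default 127.0.0.1
local_addr() {
    [ "$1" -ge 0 ] && [ "$1" -le 253 ] || return 1
    echo "127.0.0.$(( $1 + 1 ))"
}

# index host -> the ssh command whose listener is bound to that address only
tunnel_cmd() {
    local addr
    addr=$(local_addr "$1") || return 1
    echo "ssh -f -N -L ${addr}:${PORT}:$2:${PORT} ${SSH_USER}@$2"
}

# Print one tunnel command per host and the address the tool should be pointed at.
plan_tunnels() {
    local i=0 host
    for host in "$@"; do
        printf '%s   # tool target: %s:%s\n' "$(tunnel_cmd "$i" "$host")" "$(local_addr "$i")" "$PORT"
        i=$((i + 1))
    done
}

plan_tunnels remotehost1 remotehost2 remotehost3   # constructed host names
```

Because every listener is bound to a specific loopback address, the tunnels never collide on port 1234 and nothing is reachable from other machines, which also sidesteps the GatewayPorts question entirely.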

noVNC Multiple Localhost Servers

I've got 4 dev VMs for four projects (all VMware Player VMs w/ubuntu 15.04 host) where each is running VNC (ports 5900, 5901, 5902, 5903) respectively.
I downloaded noVNC and saved to /var/www/html (my apache2 server on same host). Based on the ReadMe I then ran on my terminal
./utils/launch.sh --vnc localhost:5900
I received a missing websockify error, so downloaded it and placed it into the util folder. I then ran the same command and it worked! The terminal told me to Navigate to a url and sure enough I could control my VM.
However, I'm wondering how I can use noVNC to access all 4 VMs. Is there some simple way to extend the port to a range like in iptables or firewalld?
./utils/launch.sh --vnc localhost:5900-5903
Okay, I'll answer for myself here in case it helps someone in the future...
First, create a token file where each line has a nickname, ip address, and port.
I created a file named token.list where each line looks like:
localhostnickname1: localhost:5900
localhostnickname2: localhost:5901
...
Then I use my terminal to go into the websockify folder so I can see the run file. I issue it the command:
./run --web /path/to/noVNC --target-config /path/to/token.list localhost:6080
Finally, I open my web browser and go to :
http://localhost:6080/vnc_auto.html?path=?token=localhostnickname1
Where localhost1 is the nickname of my first server on the first line of token.list
This link was my reference. If you want to serve this outside of localhost -- change the parameter localhost:8060 from localhost to an IP
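An added example, not from the answer above or from the noVNC/websockify projects: it generates a token.list for a consecutive port range (the "5900-5903" the question wished for) and validates any token file before it is handed to websockify with --target-config, catching the mistakes that otherwise only show up as a silent failed connection in the browser. Nicknames, ports and the broken sample file are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): build and validate a websockify token file.

# gen_tokens prefix host first_port last_port -> one "prefixN: host:port" line per port
gen_tokens() {
    local prefix="$1" host="$2" port="$3" last="$4" n=1
    while [ "$port" -le "$last" ]; do
        printf '%s%d: %s:%d\n' "$prefix" "$n" "$host" "$port"
        port=$((port + 1)); n=$((n + 1))
    done
}

# validate_tokens file -> 0 if every line is "nickname: host:port" with a valid
# port and no nickname appears twice; prints what is wrong otherwise
validate_tokens() {
    awk -F'[: ]+' '
        NF == 0 { next }                                   # ignore blank lines
        NF != 3 { print "line " NR ": expected nickname: host:port"; bad = 1; next }
        $3 !~ /^[0-9]+$/ || $3 < 1 || $3 > 65535 { print "line " NR ": bad port " $3; bad = 1; next }
        seen[$1]++ { print "line " NR ": duplicate nickname " $1; bad = 1 }
        END { exit bad }' "$1"
}

token_file=$(mktemp)
gen_tokens vm localhost 5900 5903 > "$token_file"   # vm1..vm4 -> localhost:5900..5903
cat "$token_file"
validate_tokens "$token_file" && echo "token file ok"

# Constructed broken file: missing nickname, out-of-range port, duplicate nickname.
bad_file=$(mktemp)
printf 'localhost:5900\nvm1: localhost:70000\nvm2: localhost:5901\nvm2: localhost:5902\n' > "$bad_file"
validate_tokens "$bad_file" || echo "rejected"
```

With the generated file in place, the browser URL from the answer becomes ...?token=vm1 through ...?token=vm4, one per VM, with a single websockify listener.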

Forwarding X11 without SSH? How do I run local apps on another Pc running X Server?

I am using Cygwin X and Debian. I can forward my X session via SSH, but what happens is that I seem to lose the display forwarding in the X session once in a while (from Cygwin to Linux). So I am guessing that is an implementation thing with Cygwin, because I never lose the X11 display in the same SSH session when I use Linux to Linux.
This also happens when an X11-forwarded app tries to fork another process; let's say I run Thunderbird and I click on a URL inside an email. Naturally Thunderbird will try to start the default web browser, but it is not doing it with the Cygwin X server, and here is the message I get when the SSH session gives up the display for various reasons that I am not able to know.
"Error: cannot open display: localhost:10.0"
The other issue is that since the ssh gives up the display variable, I have to restart my ssh session to get it working which also kills other apps that I might be running during the ssh session.
Anyway after struggling with this for a while I am thinking that I want to be able to open my apps on another display without using ssh forwarding. I am using it internally and it is almost a closed lan so I am not worried about the security for now. I just want to be able to run the app on the Linux then see the app on the Pc that is running Cygwin.
I tried basic DISPLAY variable thing like "export DISPLAY=MY_CYGWIN_PC_IP:0.0" (on Linux Pc) but it does not work.
So I am wondering how I can achieve this. What are the proper settings to achieve what I need?
Your direction was OK. export DISPLAY is what you want. But it is not enough.
On the target, you need to type
xhost +from.where.the.windows.are.coming.com
It gives the X server the permission to allow remote windows from this computer.
Beware, it is not really secure! A possible attacker could not only see windows shown by you, but even control your mouse/keyboard. But for simple solutions, or if you can trust the remote machine and the network between you, it may be OK.
If not, there is an advanced authorization, based on preshared keys. It is named xauth. Google for xauth.
The Xorg server has an option to disable the remote windows, and there are distributions (e.g. Ubuntu!) which turn this option on by default. You can test it: if you can telnet to TCP port 6000, it is allowed.
If you are using ssh -X, don't. Use ssh -Y
Cygwin XWin server randomly loses connection
Basically, to work as in the old days, we need to enable XDMCP on the display manager and use X11; Xwayland, it seems to me, doesn't work either.
sddm doesn't support XDMCP, but gdm does; you need to edit /etc/gdm/custom.conf and add
[security]
DisallowTCP=false
[xdmcp]
Enable=true
xhost + ip_of_remote_computer
echo $DISPLAY (the number of the display usually :0 or :1)
Afterwards you can verify:
netstat -l | grep xdmcp
udp 0 0 0.0.0.0:xdmcp 0.0.0.0:*
lsof -i :xdmcp
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
gdm 862335 root 12u IPv4 71774686 0t0 UDP *:xdmcp
On the remote host:
export DISPLAY="ip_of_server:0" (see if is 0 or other number in echo $DISPLAY on server mention above )
xclock &
References:
http://www.softpanorama.org/Xwindows/Troubleshooting/can_not_open_display.shtml
https://tldp.org/HOWTO/html_single/XDMCP-HOWTO/
https://wiki.archlinux.org/title/XDMCP

SVN With Two-Factor Authentication

I work at an organization with stringent security requirements, sometimes excessively so. My project team is trying to create an SVN repository, and we are having difficulties setting one up to comply with both our needs and our security requirements.
Our IT department requires us to authenticate ourselves with two-factor authentication. Each developer has an RSA token that must be used to log in to the repository host machines via SSH. The value displayed on the token changes once per minute and each value can be used only once.
The developers require the capability to store passwords. This prevents us from using svn+ssh to log in to the repository. Since the RSA token changes once a minute, we can't store the SSH passwords. Worse, the RSA token would reduce us to one SVN operation each minute. This is flatly unacceptable, especially since we have scripts that chain multiple SVN operations together.
We attempted to compromise by opening an SSH tunnel with port forwarding. We would open up a tunnel using ssh user@hostmachine -L 3690:localhost:3690 to forward all SVN requests on our local machine to the secure machine, where an svnserve process was running. This meant we could log in with two-factor authentication, and then use a separate SVN username and password (which could be stored) with our utilities.
Unfortunately, we noticed that we didn't need the tunnel; port 3690 was available to any computer for whom the hostname was visible. This is unacceptable to IT, and our sysadmin thinks that svnserve is the problem, so she is wondering if we have to go back to svn+ssh.
Is there any solution that works? Is our sysadmin correct? Is there an option on svnserve that will force it to listen only to traffic from localhost?
Use:
svnserve -dr /my/repo --listen-host 127.0.0.1
This way the service will only listen on the loopback interface. When you connect with ssh use:
ssh -L3690:127.0.0.1:3690 user@svnserver.mycompany.com
Also see:
vince@f12 ~ > svnserve --help
usage: svnserve [-d | -i | -t | -X] [options]
Valid options:
-d [--daemon] : daemon mode
-i [--inetd] : inetd mode
-t [--tunnel] : tunnel mode
-X [--listen-once] : listen-once mode (useful for debugging)
-r [--root] ARG : root of directory to serve
-R [--read-only] : force read only, overriding repository config file
--config-file ARG : read configuration from file ARG
--listen-port ARG : listen port
[mode: daemon, listen-once]
--listen-host ARG : listen hostname or IP address
[mode: daemon, listen-once]
-T [--threads] : use threads instead of fork [mode: daemon]
--foreground : run in foreground (useful for debugging)
[mode: daemon]
--log-file ARG : svnserve log file
--pid-file ARG : write server process ID to file ARG
[mode: daemon, listen-once]
--tunnel-user ARG : tunnel username (default is current uid's name)
[mode: tunnel]
-h [--help] : display this help
--version : show program version information
svnserve might have options to only listen on localhost, but this sounds like a firewall configuration issue.
If port 3690 isn't meant to be accessible externally, it should be blocked by the firewall. It shouldn't matter whether svnserve or anything else is listening on that port. svnserve can then continue to listen on 3690, but will only receive connections from localhost because others are blocked by the firewall.
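An added example that is not part of any answer on this page: a small audit that reads "netstat -tulpn" output and reports VNC, X11 and svnserve listeners bound to anything other than loopback. It serves three passages at once: the Xvnc lines in the TigerVNC question at the top (which it correctly leaves alone, since they are on 127.0.0.1 and ::1), the "can you telnet to port 6000" test in the X11 answers, and the svnserve --listen-host versus firewall discussion just above. The netstat excerpt, PIDs and program names in the block are constructed; on a live host pipe the real command into the function.

```shell
#!/usr/bin/env bash
# Added example (not from the answers above): flag VNC/X11/svn listeners that
# are not bound to loopback. Usage on a live host:  netstat -tulpn | audit_listeners

audit_listeners() {
    awk '
        $1 !~ /^(tcp|udp)6?$/ { next }                 # skip headers and other rows
        {
            local_addr = $4
            prog = ($1 ~ /^tcp/) ? $7 : $6                # udp rows have no State column
            n = split(local_addr, parts, ":")
            port = parts[n] + 0                           # numeric port (0 if shown as a name)
            addr = substr(local_addr, 1, length(local_addr) - length(parts[n]) - 1)
            if (addr ~ /^127\./ || addr == "::1") next    # loopback only: fine
            svc = ""
            if (port >= 5900 && port <= 5999) svc = "vnc"
            else if (port >= 6000 && port <= 6063) svc = "x11"
            else if (port == 3690) svc = "svn"
            if (svc == "") next                           # not a service this page discusses
            printf "EXPOSED %s %s port %d (%s) %s\n", $1, addr, port, svc, prog
            found++
        }
        END { exit found ? 1 : 0 }'
}

# Constructed "netstat -tulpn" excerpt: the two Xvnc lines from the question,
# plus an svnserve and an X server bound to all interfaces (PIDs made up).
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:5905          0.0.0.0:*               LISTEN      2645/Xvnc
tcp6       0      0 ::1:5905                :::*                    LISTEN      2645/Xvnc
tcp        0      0 0.0.0.0:3690            0.0.0.0:*               LISTEN      15115/svnserve
tcp6       0      0 :::6000                 :::*                    LISTEN      4242/Xorg
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd'

if printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners; then
    echo "no exposed VNC/X11/svn listeners"
else
    echo "bind these to 127.0.0.1 (TigerVNC 'localhost', svnserve --listen-host) or block them in the firewall"
fi
```

On the sample the function reports the svnserve and X11 listeners and stays quiet about Xvnc and sshd; its exit status is 1 whenever something is exposed, so it can gate a deployment script.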

Tortoise SVN cannot connect to svnserve of newly created Subversion instance on SuSe Linux Server

I just started a new position where none of the code is in version control. One of my duties is to fix that. I have some space on a SuSe 10 box, and subversion 1.6 is installed. Following the instructions in the O'Reilly Subversion book, I've got a subversion repository with code in it, and svnserve running:
#lsof -i :3690
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
svnserve 15115 xxxxxx 3u IPv6 xxxxxxxx TCP *:svn (LISTEN)
Also, this command works
svnlook cat /home/svn/repos/ /project1/trunk/index.php
However, when I try to connect to the subversion repository from my desktop (running Windows) using TortoiseSVN, I get the error
Can't connect to host 'xxx.xxx.xxx.xxx': A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
I have tried multiple repository URLs, including:
svn://internalmachinename.internalnetwork.com/project1
svn://machinename/project1
svn://machinename/repos/project1
svn://machinename/svn/repos/project1
svn://xxx.xxx.xxx.xxx/project1/trunk:3690
I don't have access to Cygwin because of the company's firewall policy, so I can't try to connect via the command line.
Before trying to use svn, use the simple ping command to check the connection between the two computers.
Only if that works, go to the next step (which still isn't using svn!): check if you can reach the correct port using telnet.
Then, and only then should you try to use svn to do the connection.
The firewall suggestion was close - it was the firewall on my Windows desktop that was keeping Subversion from connecting.