Tightvnc, Chicken of the VNC

VNC is "Virtual Network Computing", a cross-platform method of allowing remote access to desktops (Windows, Unix/Linux, Mac and others). It is conceptually like using Terminal Services or PcAnywhere for Windows, but is license free and of course capable of serving Linux/Unix machines also.

This originated as an AT&T project; you can find it at http://www.realvnc.com/ now. There have been a number of forks spun off from this, of which the most popular (right now anyway) is TightVNC, which uses a "tighter" compression scheme to get better performance. That may still be true when you read this, or someone else may have come up with something even better. So although this article will be using TightVNC and the Mac client Chicken of the VNC, you should be more concerned with the overall concepts than with the specific implementation. You also need to be aware that your choice of viewer is important: for example, the Linux vncviewer I used did not properly display the Windows VNC desktop, but the Mac viewer did. If you aren't getting the results you need, the viewer may be the source of your problems. Also keep in mind that any feature or limitation I mention may not be present in some other version.

The final thing that Windows users may have a little trouble grasping is the multiuser orientation of VNC on Unix platforms. For example, as I write this, I have two vncservers running on a Linux box: one was started by root, the other by the user apl. I am connected to the root server from a Windows 98 machine, and to the apl server from my Mac iBook. I also have a vncserver running on the Windows 98 box, have connected to that from my iBook, and am using THAT machine's connection to the Linux vncserver too.

I can make multiple connections to the same vncserver: if I connect to apl's vncserver multiple times, each connection sees the same view: if I press enter on one connection, any other connection sees that. That's great for training sessions and demos. Why pay for expensive connections like NetMeeting etc. when this is free?

Finally, each Unix user can have multiple vncservers running. If you aren't confused yet, you obviously aren't a Windows user. These would be totally independent sessions, and none of them have anything to do with any Unix desktop that happened to be running when vncserver is started. In fact, you can start vncserver from a character mode command line, and you can start up another one right after that. The very first time you start it, it will ask for a password: that password will be used for ALL vncservers. You can change it with the "vncpasswd" command.

Windows is different. When you start up vncserver on Windows, a user that connects to it sees your Windows desktop, just as you are seeing it. This is very different on the Unix/Linux versions: the vncserver is a completely different login session on Unix and Linux. If you WANT a vncserver that serves up your current Unix desktop, there's apparently a GEMSVNC that does that, but I was unable to get to the web site at all.

You would think that because Windows XP is multiuser, you could have multiple users running VNC servers. Indeed you can, but you can only use the one that has the currently active user - switch away, and that server goes black, and in my testing, can't even be used again. Windows XP is not really multiuser.

Before we go any farther, understand that VNC is full of security problems, and many of them are just because of its basic nature. If you are using this over the internet, you probably want to run this over an ssh tunnel, and you probably want to restrict access with your firewall too. Of course, using it within your office, as I am doing here, doesn't need that, and it is still a great tool: I can access QuickBooks on my wife's computer without getting up and going to it, and she can see my calendar without coming over here.
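One way to check for the exposure described above, as an added example that is not part of the original article: the function reads listening-socket lines in the format printed by `ss -ltn` on Linux and reports every VNC display (TCP port 5900 plus the display number) bound to a non-loopback address. The sample listing is constructed, `user@server` is a placeholder, and the `-localhost` server option named in the comments is an assumption about your Xvnc build.

```shell
#!/bin/sh
# Added example: report VNC servers that are reachable without a tunnel.
# Reads `ss -ltn`-style lines on stdin; field 4 is "Local Address:Port".
vnc_exposed() {
    awk '
    $1 == "LISTEN" {
        n = split($4, parts, ":")
        port = parts[n] + 0
        # Everything before the final ":port" is the bind address.
        host = substr($4, 1, length($4) - length(parts[n]) - 1)
        if (port < 5900 || port > 5999) next           # display :N listens on 5900+N
        if (host ~ /^127\./ || host == "[::1]") next   # loopback only: tunnel-ready
        printf "display :%d exposed on %s\n", port - 5900, host
    }'
}

# Constructed sample listing (not captured from a real host).
sample_ss() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       5       0.0.0.0:5901        0.0.0.0:*
LISTEN  0       5       127.0.0.1:5902      0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       5       [::]:5903           [::]:*
LISTEN  0       5       [::1]:5904          [::]:*
EOF
}

# On a live Linux host run:  ss -ltn | vnc_exposed
# For each display reported, restart that server bound to loopback
# (e.g. `vncserver -localhost :1`, if your build supports the option),
# open the tunnel with `ssh -L 5901:localhost:5901 user@server`,
# and point the viewer at localhost:1 instead of the server's address.
sample_ss | vnc_exposed
```

An empty result means every VNC display on the host accepts connections only from the machine itself, so the ssh tunnel is the only way in.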

Setting up and running vncserver on Windows is trivial. On Unix, because it uses X11, it isn't quite as easy, though simply running "vncserver" after installing it will start up a simple server running twm and an xterm. That's probably not what you had in mind: if an xterm were all you needed, you'd just ssh to the box, right? To get my KDE desktop running, I made two changes: first, I replaced ~/.vnc/xstartup with one line:

/etc/X11/xinit/xinitrc &
 

and then created a ~/.vnc/.xsession file that contained "/usr/bin/startkde". That gave me my ordinary KDE desktop.

You are supposed to be able to start up a vncserver that uses XDMCP so that your connection would be presented with a login dialog rather than being already logged in. So far, I haven't been able to make that work, but I'll keep chipping away at it and will report back here when I figure out what I'm doing wrong.




17 comments




© Tony Lawrence



Please explain in more detail the statement: "understand that VNC is full of security problems"

--

Just do a Google search for "VNC Security"

--TonyLawrence

Full of security problems? Google finds one security issue, resolved in current tightvnc (and as you say, you should use ssh tunnelling anyway, which gives strong security).

Xf4vnc is a Linux tightvnc version that shares the root window like the Windows version -- see http://xf4vnc.sf.net


--

I don't understand you. You agree that you should use ssh tunnelling, but don't like the words "full of security problems"? Is it because you read "full of" as implying a defective product?

If all security issues are resolved, why recommend tunnelling?

I think this is just one of those silly "I don't like your choice of words". OK - noted. Feel free to submit some better words: http://aplawrence.com/publish.html Seriously: I'm happy to publish your thoughts about this or anything else.

--TonyLawrence

TightVNC is secure enough but it is not encrypted and therefore can be attacked through numerous methods. At the least, a hacker can capture your VNC packets and store them for later analysis. If you use encryption, i.e. use SSH tunneling, you reduce your exposure to threat a great deal. No system is 100% secure. All encryption schemes can and will be rendered insecure eventually.

------------

I am R. J. Brown, the author of gemsvnc, and I apologize for the web server being down. It is now back up. It was down during a conversion from redhat to gentoo, since redhat has dropped support for non-"enterprise" versions of their distribution. The page for gemsvnc is http://www.elilabs.com/~rj/gemsvnc/

-------------


---August 13, 2004

http://home.comcast.net/~davedyer/znc/zvnc.html
I felt it was my civic duty to point out there is an encrypted VNC out there. You don't HAVE to tunnel through SSH if you don't want to.

---August 13, 2004


I don't know that you had a duty, but thanks for the link!

--TonyLawrence


---February 5, 2005

Just to say that I would not be so sure this was originally an AT&T project, as VNC started in the Olivetti/Oracle labs in Cambridge (UK, what else?) before it was taken over by AT&T.

Giuliano





Tue Apr 5 14:58:57 2005: 150   anonymous


(link)



Wed Apr 13 13:36:17 2005: 339   KaM










Thu Jul 14 01:37:03 2005: 796   anonymous


and is compatible, free (GPL), popular, etc.

(link)






Fri Dec 29 15:02:02 2006: 2787   anonymous




I'm not sure I understand the "full of security problems" comment either.



I thought it traditionally had one huge flaw that everyone knew about regarding everything being sent clear-text. Kinda like the way smtp and http send everything clear-text.



I believe people take offense to the comment because it doesn't acknowledge that VNC was *designed* with the understanding that it was running in the clear versus having shoddy craftsmanship that leads to various *unintended* security issues. This is a HUGE difference!




Fri Dec 29 15:17:49 2006: 2788   TonyLawrence

Well, yes, that is an important distinction.

I guess what I was trying to impart was that using this without a vpn or secure tunnel is not secure: I've probably just seen too many people who assumed otherwise.







Sun Mar 4 18:13:37 2007: 2894   anonymous


Okay, just installed Tight VNC on my Windows XP PC. How do I use it with SSH?



Mon Jun 4 17:48:37 2007: 3018   anonymous


How vulnerable is vnc to brute force attacks? I wouldn't want someone from the outside to be able to remote control simply because they ran a brute force attack password guesser on my pc. Can IPs be banned or auto-banned (after n number of failed connection attempts)? Or at the very least can we somewhere provide an "allowed" ip list so only connections from certain IPs or domains are allowed?
