Fedora Linux Support Community & Resources Center

  #1  
Old 30th April 2004, 04:30 PM
gin Offline
Registered User
 
Join Date: Apr 2004
Location: Toronto, Canada
Age: 36
Posts: 16
Vnc & Gdm

so, you have no graphics card, but you still want GUI management / X Windows......

Perhaps you do have a graphics card but want the convenience of using VNC to reach your Fedora machine?

There are some great tutorials on getting the basics of VNC set up, but it always logs you right into the machine as a specific user...I want to choose my user....VNC + GDM is the answer

VNC + GDM will allow you to fire a VNC viewer at your Linux box and have the GDM appear. This information contained below is a collection of personal knowledge and information collected from other postings on some other boards (note: go back and reference some of the contributors).

This mini-tutorial will not cover off security...so if you are doing this..make sure it is on your own network, behind a firewall etc. etc. etc....I hope to come back and add the security pieces in later...just don't have too much time today.

On with the show......

How it will work
===========
GDM will be running in the background (with no X-Server in this config). When we start a VNC session, VNC will contact the GDM to display the "Greeter"...then we log in as we normally do with GDM locally.

Configure GDM
==========
Sorry to you KDM/XDM folks out there...I will add in KDM at a later date...it isn't too much different.

GDM presents the graphical greeter. To allow VNC to contact the GDM we must turn on XDMCP (Security conscious peeps should set their firewall to only allow LOCAL connections for XDMCP - i.e. from the localhost - because VNC is running on the same linux device) - there is another option here to change the XServer that GDM can run to be VNC but I have not explored this option...perhaps later, but for now we'll do it with XDMCP:
1. Turn on XDMCP
Code:
      edit /etc/X11/gdm/gdm.conf
      find the [xdmcp] section
      Change
           Enable=false
      to
           Enable=true
2. (optional) Turn off XWindows (VNC runs its own XWindows)
Code:
      edit /etc/X11/gdm/gdm.conf
      find the [servers] section
      Change
           0=Standard
      to
           #0=Standard
Configure VNC
==========
We will have VNC run from xinetd. We will create 2 "services". One for 800x600 and the other for 1024x768...if you want others, you can extrapolate yourself....800x600 will be available via :0 and 1024x768 as :1 (don't worry yet if you do not understand what I mean by :0 and :1)

1. Create /etc/services
Code:
      edit /etc/services
      add the following 2 lines:
           vnc800  5900/tcp                        # VNC & GDM
           vnc1024 5901/tcp                        # VNC & GDM
2. create xinetd services
Code:
      create /etc/xinetd.d/vnc800
      service vnc800
      {
        disable     = no
        socket_type = stream
        protocol    = tcp
        wait        = no
        user        = nobody
        server      = /usr/bin/Xvnc
        server_args = -inetd -broadcast -geometry 800x600 -depth 16 -once -fp unix/:7100 -securitytypes=none
      }
3. -securitytypes=none means VNC will not ask you to authenticate...we want GDM to do that part...

4. create xinetd services
Code:
      create /etc/xinetd.d/vnc1024
      service vnc1024
      {
        disable     = no
        socket_type = stream
        protocol    = tcp
        wait        = no
        user        = nobody
        server      = /usr/bin/Xvnc
        server_args = -inetd -broadcast -geometry 800x600 -depth 16 -once -fp unix/:7100 -securitytypes=none
      }
TEST IT
=====
Code:
1.  stop any X Windows
           init 3

2.  Log into console (text mode)
3.  Turn off "vncserver"...we don't want VNC to run except for xinetd
           chkconfig --level 2345 vncserver off  
4.  start GDM  
           init 5
5.  start vncviewer
        I tested my connection from Win XP...
        for 800x600 -> vncviewer localhost:0
        for 1024x768 -> vncviewer localhost:1

SUMMARY
=======
You should now be able to run a headless (no kbd/mouse/video) linux box with a GUI and GDM greeter....

I know this mini-tutorial is a little thin at the moment, but I only had a few mins to type it up..I will clean it up I promise...if anyone likes it...I could try and write a mini-howto.....anyway...good luck..

-GIN-
__________________
Blessed are the flexible for they will not get bent out of shape

Last edited by gin; 30th April 2004 at 04:42 PM.
Reply With Quote
  #2  
Old 3rd May 2004, 05:33 AM
redhat71 Offline
Registered User
 
Join Date: Feb 2004
Location: China
Posts: 124
Re: Vnc & Gdm

Quote:
Originally posted by gin
You should now be able to run a headless (no kbd/mouse/video) linux box with a GUI and GDM greeter....
i do get a gdm greeter but it looks different, any idea?
Reply With Quote
  #3  
Old 3rd May 2004, 06:23 AM
gin Offline
Registered User
 
Join Date: Apr 2004
Location: Toronto, Canada
Age: 36
Posts: 16
This is probably caused by the RemoteGreeter setting of GDM...try adding:
Code:
RemoteGreeter=/usr/bin/gdmgreeter
to /etc/X11/gdm/gdm.conf

Alternatively (GUI METHOD)
run gdmsetup

change the remote greeter in the GENERAL tab to your liking !!


Note..for the xinetd config...you can also use:
Code:
  server_args = -inetd -query localhost -geometry 800x600 -depth 16 -once -fp unix/:7100 -securitytypes=none

instead of

server_args = -inetd -broadcast -geometry 800x600 -depth 16 -once -fp unix/:7100 -securitytypes=none
-Gin-
__________________
Blessed are the flexible for they will not get bent out of shape

Last edited by gin; 3rd May 2004 at 06:28 AM.
Reply With Quote
  #4  
Old 3rd May 2004, 09:21 AM
redhat71 Offline
Registered User
 
Join Date: Feb 2004
Location: China
Posts: 124
Quote:
Originally posted by gin
This is probably caused by the RemoteGreeter setting of GDM...try adding:
Code:
RemoteGreeter=/usr/bin/gdmgreeter
to /etc/X11/gdm/gdm.conf

Alternatively (GUI METHOD)
run gdmsetup

change the remote greeter in the GENERAL tab to your liking !!
that's it, thanks

Quote:
Originally posted by gin

Note..for the xinetd config...you can also use:
Code:
  server_args = -inetd -query localhost -geometry 800x600 -depth 16 -once -fp unix/:7100 -securitytypes=none

instead of

server_args = -inetd -broadcast -geometry 800x600 -depth 16 -once -fp unix/:7100 -securitytypes=none
-Gin-
and the difference would be?
i saw "-query localhost" as an example in the man page of Xvnc, but didn't find an explanation of it
Reply With Quote
  #5  
Old 7th May 2004, 03:13 PM
gin Offline
Registered User
 
Join Date: Apr 2004
Location: Toronto, Canada
Age: 36
Posts: 16
The difference would be that:
Quote:
--broadcast
does an xdmcp broadcast ( to the broadcast address ) and may receive "responses" from other machines, whereas
Quote:
--query 127.0.0.1
is a unicast message directly to the localhost. This is more appropriate since we do not want "remote" connections to GDM. The user connects remotely to VNC but VNC connects LOCALLY (sp) to [GKX]DM.

This will allow users running firewalls to keep this more secure.

-Gin-
__________________
Blessed are the flexible for they will not get bent out of shape
Reply With Quote
  #6  
Old 7th May 2004, 07:04 PM
redhat71 Offline
Registered User
 
Join Date: Feb 2004
Location: China
Posts: 124
ok, thanks a lot!
Reply With Quote
  #7  
Old 2nd June 2004, 01:06 PM
g3brown Offline
Registered User
 
Join Date: Jun 2004
Posts: 2
This works great. However if I turn on IPTABLES, you just get an X type desktop after connecting. Seems the X and GDM are communicating. Could you offer any advice there? Thanks!

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5900 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Reply With Quote
  #8  
Old 2nd June 2004, 03:30 PM
gin Offline
Registered User
 
Join Date: Apr 2004
Location: Toronto, Canada
Age: 36
Posts: 16
Unfortunately I was unable to replicate your results. First thing would be to turn on logging in the firewall so that we can actually see what is being rejected. Here is a sample that I used for testing. This in no way implies a secure firewall configuration (in fact...it's not):

Code:
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:LOGANDREJECT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5900 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -j LOGANDREJECT
#-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A LOGANDREJECT -j LOG                                                  
-A LOGANDREJECT -j REJECT
Basically this code will log to /var/log/messages the packets that do not get accepted.

Look for (sorry if this is all news to you, I just do not know your familiarity with firewalls):
Code:
Jun  1 X:X:X ABCDEFG kernel: IN=eth0 OUT= MAC= 
SRC=X.X.X.X DST=X.X.X.X LEN=XX TOS=0x00 PREC=0x00 TTL=XXX 
ID=30755 DF PROTO=UDP SPT=XXX DPT=XXX LEN=XX
Pay attention to the SPT= and DPT= fields. Post your info and we'll see what happens.....

-GIN-
__________________
Blessed are the flexible for they will not get bent out of shape
Reply With Quote
  #9  
Old 3rd June 2004, 03:53 PM
g3brown Offline
Registered User
 
Join Date: Jun 2004
Posts: 2
Do you have the COMMIT at the end of your file? I think it is necessary for the filter to take effect. I logged the rejects and caught only one line.

Jun 2 22:37:37 fedora2 kernel: IN=eth0 OUT= MAC= SRC=192.168.0.107 DST=192.168.0.255 LEN=35 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32769 DPT=177 LEN=15

I opened udp port 177 with

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 177 -j ACCEPT

and now vnc connects wonderfully again. Thanks for your help.
Reply With Quote
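The log check gin describes and g3brown carried out above, as an added example (not code from the thread): it parses netfilter LOG lines and picks out the SPT=/DPT= information, flagging an XDMCP query that arrived on a network interface. The first sample line is the one g3brown posted; the other two lines, and the function names, are constructed for illustration.

```python
import re

# Line 1 is the reject g3brown posted; lines 2 and 3 are constructed samples.
SAMPLE_LOG = """\
Jun  2 22:37:37 fedora2 kernel: IN=eth0 OUT= MAC= SRC=192.168.0.107 DST=192.168.0.255 LEN=35 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32769 DPT=177 LEN=15
Jun  2 22:38:02 fedora2 kernel: IN=eth0 OUT= MAC= SRC=192.168.0.50 DST=192.168.0.107 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=40112 DPT=5902 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  2 22:38:09 fedora2 sshd[2211]: Accepted password for demo from 192.168.0.50 port 40200 ssh2
"""

XDMCP_PORT = 177  # the UDP port g3brown had to open
FIELD = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return the KEY=VALUE fields of one netfilter LOG line, or None."""
    if "kernel:" not in line or "IN=" not in line:
        return None
    fields = {}
    for key, value in FIELD.findall(line.split("kernel:", 1)[1]):
        fields.setdefault(key, value)  # LEN= appears twice; keep the IP length
    return fields

def summarize(log_text):
    """List (interface, proto, dest port, note) for each logged packet."""
    out = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or "DPT" not in f:  # not a LOG line, or no ports (ICMP)
            continue
        proto, dpt = f.get("PROTO", "?"), int(f["DPT"])
        if proto == "UDP" and dpt == XDMCP_PORT and f.get("IN") != "lo":
            note = "XDMCP query on a network interface (Xvnc -broadcast)"
        elif proto == "TCP" and 5900 <= dpt <= 5999:
            note = "VNC display port with no ACCEPT rule"
        else:
            note = "other"
        out.append((f.get("IN"), proto, dpt, note))
    return out

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

With `-query localhost` instead of `-broadcast`, as gin suggests earlier in the thread, the XDMCP request goes over `lo`, which the posted ruleset already accepts.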
  #10  
Old 15th June 2004, 05:52 AM
ofergal Offline
Registered User
 
Join Date: Jun 2004
Location: BG , IL
Age: 60
Posts: 2
Didn't you mean:
create etc/xinetd.d/vnc1024
service vnc1024 {
disable = no
socket_type = stream
protocol = tcp
wait = no
user = nobody
server = /usr/bin/Xvnc
server_args = -inetd -broadcast -geometry 1024x768 -depth 16 -once -fp unix/:7100 -securitytypes=none }

2 more
1. Is this going to force 1 password for VNC then user/password for the login?
2. Can I have more than 2 VNC services (say for 3 more resolution options)

Thanks
__________________
Ofer
Reply With Quote
  #11  
Old 15th June 2004, 07:57 AM
gin Offline
Registered User
 
Join Date: Apr 2004
Location: Toronto, Canada
Age: 36
Posts: 16
1024x768...oops...bad copy paste :-)

Quote:
1. Is this going to force 1 password for VNC then user/password for the login?
No, the "-securitytypes=none" argument makes VNC not ask you for a password but because we are using XDMCP (think GDM) then GDM will respond (or xdm or kdm depending on what you are running).

Quote:
Can I have more than 2 VNC services (say for 3 more resolution options)
Yes you can..just keep adding them:
Add to /etc/services
Add to /etc/xinetd.d/<whatever>

-GIN-
__________________
Blessed are the flexible for they will not get bent out of shape
Reply With Quote
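A check for the xinetd stanzas discussed in this thread, as an added example (not code from any poster): it flags a geometry that does not match the service name (the copy-paste slip ofergal spotted), use of `-broadcast` where gin suggests `-query localhost`, and a service with `-securitytypes=none` but no XDMCP flag, which would leave nothing to authenticate the user. The `vnc<width>` naming rule, the hypothetical `vnc1280` stanza and the function names are assumptions.

```python
import re

# Constructed input: server lines of the two stanzas from post #1, plus a
# hypothetical vnc1280 service that drops the XDMCP flag.
XINETD_TEXT = """
service vnc800
{
  server      = /usr/bin/Xvnc
  server_args = -inetd -broadcast -geometry 800x600 -depth 16 -once -fp unix/:7100 -securitytypes=none
}
service vnc1024      {
  server      = /usr/bin/Xvnc
  server_args = -inetd -broadcast -geometry 800x600 -depth 16 -once -fp unix/:7100 -securitytypes=none
}
service vnc1280
{
  server      = /usr/bin/Xvnc
  server_args = -inetd -geometry 1280x1024 -depth 16 -once -fp unix/:7100 -securitytypes=none
}
"""

STANZA = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_services(text):
    """Map each xinetd service name to its attribute dict."""
    services = {}
    for name, body in STANZA.findall(text):
        pairs = (l.split("=", 1) for l in body.splitlines() if "=" in l)
        services[name] = {k.strip(): v.strip() for k, v in pairs}
    return services

def audit(text):
    """Return (service, finding) pairs for the issues raised in the thread."""
    findings = []
    for name, attrs in parse_services(text).items():
        args = attrs.get("server_args", "").split()
        lowered = [a.lower() for a in args]
        geom = dict(zip(args, args[1:])).get("-geometry", "")
        width = re.search(r"(\d+)$", name)  # assumes vnc<width> naming
        if geom and width and not geom.startswith(width.group(1) + "x"):
            findings.append((name, "geometry %s does not match name" % geom))
        if "-broadcast" in lowered:
            findings.append((name, "-broadcast; use -query localhost"))
        xdmcp = "-broadcast" in lowered or "-query" in lowered
        if "-securitytypes=none" in lowered and not xdmcp:
            findings.append((name, "no VNC auth and no XDMCP greeter"))
    return findings
```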
  #12  
Old 10th October 2004, 02:31 PM
zathrusuk Offline
Registered User
 
Join Date: Oct 2004
Posts: 34
VNC connection drops out after login screen

Hi, thanks for the how-to, it was very very useful. I have followed it and got the login screen to appear; I fill in my details and then it suddenly closes the VNC viewer on my Windows XP Service Pack 2 machine. Is there something I am doing wrong?

Any help would be great. Thanks

Mike
Reply With Quote
  #13  
Old 7th November 2004, 09:57 AM
felmasper Offline
Registered User
 
Join Date: Nov 2004
Posts: 1
I am using this tutorial for Debian and:

1) Xvnc does not have the securitytype option yet, I've just disabled it
2) what if I want my machine to have a gdm working on :0 while I use another via VNC?

Well I suppose I could use vncserver which chooses an empty DISPLAY or write a script myself... kind of:

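Xvnc.new:
#!/bin/sh
# Pick the first display number whose X socket does not exist yet.
d=0
# X sockets are not regular files, so test with -S rather than -f;
# $((...)) replaces the bash-only "let".
while [ -S /tmp/.X11-unix/X$d ] ; do d=$((d+1)) ; done
Xvnc "$@" :$d
#eof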

Supposed... I tried but it did not work. VNC gives me "invalid protocol". I did straces (with "strace -o /tmp/foo -fp `pidof inetd`"), solved some problems (mainly with font paths, Debian uses additional paths besides xfs and X was not getting a cursor theme) but I am still getting "Invalid protocol".

I do not understand how is gdm going to be started after I connect to a VNC... hmm let me see... -query localhost will look for XDMCP connections in localhost and gdm is one of them, is that it?

Should I change gdm.conf, XDMCP part, enabling servers on :1, :2 and so on?

I am using it over ssh. It's ok, I've already used VNC over ssh with a fixed server (vncserver called from command line).

[]s
Felipe
Reply With Quote
  #14  
Old 11th November 2004, 05:13 PM
jtkohl Offline
Registered User
 
Join Date: Nov 2004
Posts: 1
If I understand the basic setup here, won't the Xvnc server stop when
you disconnect the vnc client? That's rotten, because half of the
benefit of VNC is being able to disconnect a session and reconnect
later. How do xinetd and Xvnc interact?

If I can reconnect later, then you really need to set up the Xvnc line
in the xinetd config file to require some authentication, otherwise when
you disconnect someone else can reconnect without authenticating.
Reply With Quote
  #15  
Old 10th December 2004, 04:38 PM
baoilleach Offline
Registered User
 
Join Date: Dec 2004
Posts: 1
How does it all work?

I'm trying to set up a vnc server so that users will see gdm when they start a vncviewer. I'm trying to set this up using SSH tunneling.

I'm having some problems.

Can someone talk me through what is exactly happening in this case - e.g. computer A connects to port X on computer B; this causes xinetd to do something, etc. I find it a bit hard to get it all straight in my head, so I don't know how to look for the problem.

Regards,
baoilleach
Reply With Quote