Okay, to all those people out there that have been waiting 1, 2, 3 for a VNC session manager – here it is. I have also made the patches (and compiled binaries) available for download from SourceForge.
Basically, it combines the idea of the -inetd flag to support logins by an unknown user, then detects an existing session (or starts one if necessary), and then hands this back off to the inetd wrapper, which connects to the existing session.
Most of this script has been written around a RedHat distribution (ick), mainly because my Debian distro doesn’t have X11 installed.
These install instructions have been written very quickly and may need expanding. I will update them as and when that is needed – most likely when somebody emails me and complains.
Prerequisites: you will need netpipes for the inetd script. Unfortunately the 4.0 rpm does not have the --netslave option (which makes hose terminate when inetd closes the socket), so either use the hose in the download directory (from netpipes-4.2-debian, but works in RH9.0 too) or, the preferred option, please find me a RH9 rpm for netpipes-4.2. I tried using ‘socket’ from the Debian toolkit, but it seems a bit picky; also, hose closes when the connection terminates.
Update: I have written a C version of in.vncserver. It makes sure that the daemon runs as the authenticated user, re-synchronizes the connection with the viewer, and then uses a chunk of the netpipes/hose code to do the connection to the running VNC server.
--> Go visit the download URL and download all of the server components. Please do NOT download all three clients just for the purpose of having all of them; rather, choose the one you’re used to using and get that one. The download will be slow; if you’d like to mirror the download, just leave a comment with the URL.
--> Add the inetd.conf line or the xinetd.d file (as appropriate) and do a killall -HUP [inetd/xinetd].
--> Add "/usr/local/sbin/XvncPreSession || exit 1" to /etc/X11/gdm/PreSession/Default or a similar file (/etc/X11/xinit/xinitrc has not been specifically tested but will probably work).
--> Build in.vncserver; you should just be able to type ‘make in.vncserver’.
--> Start up one of the patched clients and try logging in!
Please note that because of the -nopasswd flag the Xvnc servers will start without additional password protection. You should firewall all ports from 5901-5999 from the outside world. If you remove the -nopasswd flag (or don’t patch vncserver) then you will be double protecting the VNC sessions (by Unix password and VNC password).
Update: I have removed the need for the -nopasswd flag in the clients; they can now save the session after the redirect. Yes, you will be prompted for two passwords now, but the VNC one will save with the session. I see this as more secure. Another thought I had on this front is that the server could transmit the password the client needs to continue the login. I’m against doing this (it’s pretty easy) even though it would be rather unsafe.
The server generates a random password hash from /dev/urandom every time the user logs in. The password hash is transmitted to the client during the login process. This could be used in a replay attack, but only until the next time you log in. Additionally, I plan to make in.vncserver delete the password file a short delay (10 seconds or so) after you have logged in. Remember that you should firewall the ports that the users’ vncservers will run on and only leave the session manager port open.
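The per-login secret and its timed deletion described above can be sketched in C as follows. This is an added example, not code from in.vncserver: the function names, the `/tmp` path and the 8-byte secret length are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define OTP_LEN 8 /* assumed secret size (classic VNC passwd files hold 8 bytes) */

/* Read len bytes from /dev/urandom, looping over short reads. */
static int random_bytes(unsigned char *buf, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    for (size_t got = 0; got < len; ) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n <= 0) { close(fd); return -1; }
        got += (size_t)n;
    }
    return close(fd);
}

/* Write a fresh secret to a new 0600 file; O_EXCL | O_NOFOLLOW reject planted files. */
int write_session_secret(const char *path, unsigned char out[OTP_LEN])
{
    if (random_bytes(out, OTP_LEN) != 0) return -1;
    unlink(path); /* drop the previous login's secret, if any */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fchmod(fd, 0600) != 0 || write(fd, out, OTP_LEN) != OTP_LEN) {
        close(fd); unlink(path); return -1;
    }
    return close(fd);
}

/* Fork a child that deletes the secret after delay seconds; returns its pid. */
pid_t expire_session_secret(const char *path, unsigned delay)
{
    pid_t pid = fork();
    if (pid == 0) { sleep(delay); unlink(path); _exit(0); }
    return pid;
}

int main(void)
{
    unsigned char secret[OTP_LEN];
    const char *path = "/tmp/vnc-secret-example"; /* hypothetical path */
    if (write_session_secret(path, secret) != 0) return 1;
    return waitpid(expire_session_secret(path, 10), NULL, 0) > 0 ? 0 : 1;
}
```

In an inetd-launched service the deleting child should also close its inherited socket descriptors, so the delay does not hold the viewer connection open.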