vnc session manager

Okay, to all those people out there that have been waiting 1, 2, 3 for a vnc session manager – here it is. I have also made the patches (and compiled binaries) available for download from SourceForge.

Basically it combines the idea of the -inetd flag to support logins by an unknown user, then detects an existing session (or starts one if necessary), and then hands this back off to the inetd wrapper, which connects to the existing session.

Most of this script has been written around a RedHat distribution (ick), mainly because my Debian distro doesn’t have X11 installed.

These install instructions have been written very quickly and may possibly need expanding. I will update them as and when that is needed – most likely when somebody emails me and complains :-)

Prerequisites: you will need netpipes for the inetd script. Unfortunately the 4.0 rpm does not have the --netslave option (which makes hose terminate when inetd closes the socket), so either use the hose in the download directory (from netpipes-4.2-debian, but works in RH9.0 too) or, preferably, please find me a RH9 rpm for netpipes-4.2. I tried using ‘socket’ from the debian toolkit, but it seems a bit picky; also hose closes when the connection terminates.
Update: I have written a C version of in.vncserver. It makes sure that the daemon runs as the authenticated user, re-synchronizes the connection with the viewer, and then uses a chunk of the netpipes/hose code to do the connection to the running vnc server.

–> go visit the download url and download all of the server components. Please do NOT download all three clients just-for-the-purpose-of-having-all-of-them, rather choose the one you’re used to using and get that one. The download will be slow, if you’d like to mirror the download just leave a comment with the url.

–> add the inetd.conf line or the xinetd.d file (as appropriate) and do a killall -HUP [inetd/xinetd]

–> add "/usr/local/sbin/XvncPreSession || exit 1" to /etc/X11/gdm/PreSession/Default or similar file (/etc/X11/xinit/xinitrc has not been specifically tested but will probably work).

–> build in.vncserver, you should just be able to type ‘make in.vncserver’.

–> start up one of the patched clients and try logging in!

Please note that because of the -nopasswd flag the Xvnc servers will start without additional password protection. You should firewall all ports from 5901-5999 from the outside world. If you remove the -nopasswd flag (or don’t patch vncserver) then you will be double protecting the vnc sessions (by unix password & vnc password).
Update: I have removed the need for the -nopasswd flag in the clients; they can now save the session after the redirect. Yes, you will be prompted for two passwords now, but the vnc one will save with the session. I see this as more secure. Another thought I had on this front is that the server could transmit the password the client needs to continue the login. I’m against doing this (it’s pretty easy) even though it would be rather unsafe.
The server generates a random password hash from /dev/urandom every time the user logs in. The password hash is transmitted to the client during the login process. This could be used in a replay attack, but only until the next time you log in. Additionally, I plan to make in.vncserver delete the password file a short delay (10 seconds or so) after you have logged in. Remember that you should firewall the ports that the users’ vncservers will run on and only leave the session manager port open.
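
One way to check the firewall advice above, as an added example that is not part of the original scripts: the function below reads `ss -ltn` style output and lists every listener in the 5901-5999 range that is bound to a non-loopback address, i.e. the ports the firewall has to cover. The function names and the sample listener table are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag Xvnc listeners in 5901-5999 bound to non-loopback addresses.

# Reads `ss -ltn` style output on stdin and prints "address:port" for each
# listener in the Xvnc range that other hosts could reach.
exposed_xvnc_listeners() {
    awk '
    $1 == "LISTEN" {
        n = split($4, parts, ":")          # port is the text after the last colon
        port = parts[n] + 0
        addr = substr($4, 1, length($4) - length(parts[n]) - 1)
        sub(/%.*/, "", addr)               # drop an interface suffix such as %lo
        if (port < 5901 || port > 5999) next
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only, not exposed
        print addr ":" port
    }'
}

# Constructed sample of `ss -ltn` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5      0.0.0.0:5901       0.0.0.0:*
LISTEN 0      5      127.0.0.1:5902     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      [::]:5903          [::]:*
LISTEN 0      5      [::1]:5904         [::]:*
LISTEN 0      5      *:5998             *:*
LISTEN 0      5      0.0.0.0:6001       0.0.0.0:*
EOF
}

# Run against the sample; prints the three exposed listeners.
sample_ss_output | exposed_xvnc_listeners
```

On a live host, pipe the real table in with `ss -ltn | exposed_xvnc_listeners`. Any address it prints still needs a firewall rule in front of it, since the check only sees what the socket is bound to.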

10 comments on “vnc session manager”

  1. Hi, you made a great job, I’ve not tested this yet, but I will do this in a few days.
    My question is, why didn’t you release patch to vncviewers, it could be great to give them…

    Thanks
    Serge

  2. Not having much luck running the PreSession Default script, any advice?
    Adam

  3. Have you had any luck porting to other platforms – we run VNC on HPUX, and this would be a godsend!

    Simon.

  4. Is there some way of making it possible to pick up an existing session logged in on the console, through your session manager? (Maybe if somehow inserted a vncserver in the console login…?)

    BTW: Has your work anything to do with this “commercial” product including a VSM? :
    http://www.cendio.com/files/thinlinc/userguide/html/architecture.html
    I got the impression that they have chosen a solution on the server-side so they don’t have to use modified vncviewers. Might be interesting?

    Cheers
    Mike

  5. I’m probably being an idiot but I can’t get this to work… I’m using Slackware 10 (so there might be some differences).
    When I fire up one of the patched clients it does connect to my machine, then it asks for a password.
    Now, I have no idea what this first stage password would be (generated from /urandom every time?) am I missing something stupidly obvious? I’ve tried passing a username to the host machine (i.e. 192.168.0.1 root) but the password for the username given doesn’t match.
    Any help or pointers gratefully appreciated as this would be really handy.

  6. After a little bit of fiddling around I’ve got the Session Manager to work. System is SuSE 9.1 Pro. Only issue now is that I’m only getting twm as the Windows Manager and no Display Manager – any ideas?

    *off to rejoin my game of xsnake*

    Adam

  7. hey – this is great!
    nice to see things just “happen”.

    >okay, to all those people our there that have been waiting 1, 2, 3 for a vnc session manage
    no – you should count: 1,2,3,4 !!!
    :D

    why?
    i have also been waiting, but i even have a basic “concept” around for some time:

    http://sourceforge.net/mailarchive/forum.php?thread_id=1898006&forum_id=2544
    http://www.realvnc.com/pipermail/vnc-list/2003-May/039017.html
    http://www.realvnc.com/pipermail/vnc-list/2003-April/038603.html

    that little concept is currently hosted at:
    http://www.computerkeek.de/projects/vnc4e/concept.txt
    maybe you’re interested in reading that.

    feedback was very low, and due to lack of time and missing programming skills, it didn’t come forward.

    regards
    roland kletzing
    sysadmin

  8. Simon: Not yet, possibly in the future.

    Mike: With RealVNC 4 you can just add the vnc module to the X config file and connect directly. This doesn’t have anything to do with the cendio product. My idea behind this was to make the experience as simple as possible, so doing it in a similar way to MS Remote Desktop makes a lot of sense. The modified viewers are a small price to pay for only making a single TCP connection to the server.

    Roland: As I said to Mike – single TCP connection, means it’s much easier to manage the firewall. It also means that all VNC connections are authenticated via your system login, so there are no extra VNC passwords to manage.

  9. I’m just wondering if you have any links to compiled windows clients? I’m not quite sure how hard it would be to compile on windows… I just need the normal realvnc client with your patch applied… Can this be done even?
