GDM logins using VNC
15 Nov 2006It is possible to allow remote users to login to gnome, using gdm as you would on console, via vnc. There are other tools to do this, like NX, which are technically superior, but vnc clients are almost ubiquitous making this solution work for almost any client.
We will use xinetd to handle the incoming connections. Since Core 4, xinetd is not installed by default, I have tested this on FC3 – FC6. We also need the vnc-server software as well. To install the required software:
# yum install xinetd vnc-server
Open the GDM configuration tool: System -> Administration -> Login Screen. Select the ‘Remote’ tab. Style will currently read “Remote login disabled”. Change this to read “Same as local”.
It is probably a good idea to disable remote system logins under the security tab, unless you need it.
All of these gdm settings can be edited directly as well, /etc/X11/gdm/gdm.conf in FC3 and FC4, /etc/gdm/custom.conf for newer versions.
The relevant gdm custom.conf entries:
[daemon]
RemoteGreeter=/usr/libexec/gdmgreeter
[security]
AllowRemoteRoot=false
[xdmcp]
Enable=true
Make sure vnc is not launching on startup:
# chkconfig vncserver off
Edit /etc/services, adding a new service at the end of the file:
# Local services
vnc 5900/tcp # vncserver
Now we need to define the new service. Create the file /etc/xinetd.d/vnc.
service vnc
{
disable = no
socket-type = stream
protocol = tcp
group = tty
wait = no
user = nobody
server = /usr/bin/Xvnc
server_args = -inetd -query localhost -geometry 1024x768 -depth 16 -once -fp unix/:7100 -securitytypes=none
}
Save the file. To see the changes, you can restart the machine, or:
# gdm-restart (This will kill X Windows)
# service xinetd restart
From your machine you will now be able to run ‘vncviewer localhost:0’, and if everything has worked, a vnc window should appear and show a login screen.
Firewall and Security Issues
You will probably find however, that if you try this from another machine it won’t work, your firewall will be stopping the connection. One solution is to open up port 5900 on the firewall, however, vnc sends information over the network un-encrypted, including any passwords you might type in. The better solution is to leave your firewall blocking vnc and tunnel the connection over ssh.
On the client machine (not the vnc server the machine you are connecting from), make an ssh connection to the host machine (the vnc server):
$ ssh -L 5901:localhost:5900 vnc.host.machine
This will attach your local port 5901 to the remote machine’s port 5900, the port that runs VNC. You can now attach your vncviewer to your local port, and ssh will tunnel it through to the remote machine.
$ vncviewer localhost:1
You should now have secure remote logins to your machines.