GDM logins using VNC

It is possible to allow remote users to login to gnome, using gdm as you would on console, via vnc. There are other tools to do this, like NX, which are technically superior, but vnc clients are almost ubiquitous making this solution work for almost any client.

We will use xinetd to handle the incoming connections. Since Core 4, xinetd is not installed by default, I have tested this on FC3 – FC6. We also need the vnc-server software as well. To install the required software:

# yum install xinetd vnc-server

Open the GDM configuration tool: System -> Administration -> Login Screen. Select the ‘Remote’ tab. Style will currently read “Remote login disabled”. Change this to read “Same as local”.

It is probably a good idea to disable remote system logins under the security tab, unless you need it.

All of these gdm settings can be edited directly as well, /etc/X11/gdm/gdm.conf in FC3 and FC4, /etc/gdm/custom.conf for newer versions.

The relevant gdm custom.conf entries:

[daemon]
RemoteGreeter=/usr/libexec/gdmgreeter

[security]
AllowRemoteRoot=false

[xdmcp]
Enable=true

Make sure vnc is not launching on startup:

# chkconfig vncserver off

Edit /etc/services, adding a new service at the end of the file:

# Local services
vnc             5900/tcp                        # vncserver

Now we need to define the new service. Create the file /etc/xinetd.d/vnc.

service vnc
{
     disable = no
     socket-type = stream
     protocol = tcp
     group = tty
     wait = no
     user = nobody
     server = /usr/bin/Xvnc
     server_args = -inetd -query localhost -geometry 1024x768 -depth 16 -once -fp unix/:7100 -securitytypes=none
}

Save the file. To see the changes, you can restart the machine, or:

# gdm-restart (This will kill X Windows)
# service xinetd restart

From your machine you will now be able to run ‘vncviewer localhost:0’, and if everything has worked, a vnc window should appear and show a login screen.

Firewall and Security Issues

You will probably find however, that if you try this from another machine it won’t work, your firewall will be stopping the connection. One solution is to open up port 5900 on the firewall, however, vnc sends information over the network un-encrypted, including any passwords you might type in. The better solution is to leave your firewall blocking vnc and tunnel the connection over ssh.

On the client machine (not the vnc server the machine you are connecting from), make an ssh connection to the host machine (the vnc server):

$ ssh -L 5901:localhost:5900 vnc.host.machine

This will attach your local port 5901 to the remote machine’s port 5900, the port that runs VNC. You can now attach your vncviewer to your local port, and ssh will tunnel it through to the remote machine.

$ vncviewer localhost:1

You should now have secure remote logins to your machines.