On Wed, 31 May 2006, Jordan Peacock wrote:

> Yeah, I changed the shell script in ~/.vnc/xstartup to what you had...my 
> original was:
>
> #!/bin/sh
>
> xrdb $HOME/.Xresources
> xsetroot -solid grey
> x-terminal-emulator -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
> x-window-manager &
>
> But when I try 'vncviewer localhost:1' it hasn't changed anything; it's 
> the rootweave X pattern still. How do I know if it'll actually read and 
> run the shell script?
In order to read the ~/.vnc/xstartup you have to kill the session and 
restart it:

vncserver -kill :1
vncserver :1

That will cause the server to start with the new settings you created. 
The settings are used by the server.  The viewer just looks at what the 
server is putting out.

I just realized the other day that I've been reading the VNC help list for 
8 years now!  Here is the most important tip I've come up with in all that 
time:

If you are using the VNC Free Edition, make sure you are either using 
version 4.1.2 or 4.0.x or earlier.  The 4.1.0 - 4.1.1 versions have a 
*very* serious vulnerability that allows remote access to your session. 
This was just discovered on 5/11 or so.  Exploits are readily available 
and people are scanning right now (they mostly scan port 5900 instead of 
5901, and would miss you, but it only takes one script kiddie to ruin your 
day).  This is a really bad problem, but it's the only really serious one 
I've seen in all these years.

Another good tip is to run VNC within an SSH tunnel, which is a bit of a 
pain, but your security level will be much improved.  Another way to deal 
with security is to compile VNC against libwrap.a and use /etc/hosts.deny 
and /etc/hosts.allow to restrict access.  I actually do both but I don't 
bother with the SSH protection sometimes.  If you don't use an SSH tunnel, 
it is *possible* for someone to view your session but not to control it. 
Password authentication is reasonably secure even without SSH:

    http://www.realvnc.com/faq.html#security

    VNC Free Edition and older VNC 3 based systems support a simple
    challenge-response protocol used to verify a password of up to eight
    characters, supplied by the connecting user. While this avoids exposing
    the password to attackers as would be the case with pure plaintext
    protocols such as telnet, the rest of the session is unencrypted and so
    anything typed into the viewer passes "in the clear" to the server.

If you want more security and ease of management, you can try VNC 
Enterprise Edition or VNC Personal Edition, but you pay for those (not a 
lot though).

Mike

-- 
Michael B. Miller, Ph.D.
Assistant Professor
Division of Epidemiology and Community Health
and Institute of Human Genetics
University of Minnesota
http://taxa.epi.umn.edu/~mbmiller/
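The restart, SSH-tunnel, libwrap and version advice in this reply, gathered into a few POSIX sh helpers as an added example (not code from the thread or from RealVNC); the user@host value, the trusted network prefix and the "Xvnc" daemon name used for libwrap are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: helpers for the advice above.
# user@host, the trusted prefix and the libwrap daemon name are assumptions.

# Display :N listens on TCP port 5900+N (:1 -> 5901, :0 -> 5900).
vnc_port() { echo $((5900 + $1)); }

# Returns 0 when a VNC Free Edition version string falls in the 4.1.0 - 4.1.1
# range the message warns about; 4.1.2 and 4.0.x are outside it.
vnc_version_vulnerable() {
    case "$1" in
        4.1.0|4.1.1|4.1.0.*|4.1.1.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Commands that make a changed ~/.vnc/xstartup take effect for display :N.
vnc_restart_cmds() {
    printf 'vncserver -kill :%s\nvncserver :%s\n' "$1" "$1"
}

# SSH command forwarding local port 5900+N to the same port on the server's
# loopback; afterwards 'vncviewer localhost:N' rides the encrypted tunnel.
vnc_tunnel_cmd() {
    # $1 = user@host (placeholder), $2 = display number
    port=$(vnc_port "$2")
    printf 'ssh -N -f -L %s:localhost:%s %s\n' "$port" "$port" "$1"
}

# tcp_wrappers rules for an Xvnc built against libwrap: deny everyone, then
# allow loopback (the tunnel endpoint) plus one trusted prefix.  The daemon
# name "Xvnc" is assumed to be what the server passes to libwrap.
vnc_wrappers_rules() {
    # $1 = trusted network prefix such as 192.168.1. (placeholder)
    printf '# /etc/hosts.deny\nXvnc: ALL\n'
    printf '# /etc/hosts.allow\nXvnc: 127.0.0.1 %s\n' "$1"
}

# Run with: sh vnc_helpers.sh --show DISPLAY VERSION
if [ "${1:-}" = "--show" ]; then
    vnc_version_vulnerable "$3" && echo "WARNING: $3 is in the vulnerable range"
    vnc_restart_cmds "$2"
    vnc_tunnel_cmd "user@vnchost.example" "$2"
    vnc_wrappers_rules "192.168.1."
fi
```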