Configuring VNC




A client application at work has to run with a graphical interface on CentOS 8.3 (a real pain), so I had to set up a VNC service for it. This post records the process.

1. The classic VNC configuration method, for tigervnc-server 1.9.x and earlier

1.1 Classic VNC configuration steps, using display number :1:

* Install tigervnc-server and tigervnc.
* Start the VNC service with vncserver :1.
* Set the VNC password with vncpasswd.
* Check that port 5901 is listening (the port is 590x, where x is the display number).
* Open the firewall for vnc-server (a --permanent rule only becomes active after firewall-cmd --reload, as in step 11 of section 2).
* Connect with vncviewer to :1; note that this is the display number, not the port number.

Edit the .bashrc file and add export DISPLAY=:1, then run the following commands:

```
yum install tigervnc-server tigervnc
vncserver :1
vncpasswd
netstat -tunlp | grep 5901
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.27.0/24 service name=vnc-server accept'
```

1.2 Configuring x509 encryption for VNC traffic

Reference: the official wiki page "Secure your connection" (TigerVNC/tigervnc Wiki on GitHub): https://github.com/TigerVNC/tigervnc/wiki/Secure-your-connection

VNC server side

By default a VNC connection offers only the vncauth and tlsvnc authentication types, which are not secure: vncauth runs over an unencrypted channel, and tlsvnc encrypts the channel but uses an anonymous TLS handshake, so the client cannot verify which server it is talking to. With x509 the server authenticates itself with a certificate and the traffic is encrypted, which is more secure. The steps are as follows.

Create an x509 directory under .vnc and copy openssl.cnf there:

```
cd ~/.vnc
mkdir x509
cp /etc/pki/tls/openssl.cnf .
```

Edit openssl.cnf and append the following at the end to add a SAN. In this example the VNC server's IP is 192.168.27.7:

```
[subject_alt_section]
subjectAltName=IP:192.168.27.7
```

Generate a self-signed certificate and put the resulting vnc-server-private.pem and vnc-server.pem into the x509 directory. Note that -nodes writes the private key unencrypted, so keep that file readable by its owner only:

```
openssl req -x509 -newkey rsa -days 365 -nodes -config openssl.cnf -keyout vnc-server-private.pem -out vnc-server.pem -subj '/CN=192.168.27.7'
```

Edit the .vnc/config configuration file as shown below: enable x509vnc and point to the private key and certificate.

```
# use x509 encryption
securitytypes=x509vnc
x509key=/root/.vnc/x509/vnc-server-private.pem
x509cert=/root/.vnc/x509/vnc-server.pem

# other config
desktop=sandbox
geometry=2000x1200
alwaysshared
```

With this, x509 is enabled whenever the VNC service is started.
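The config above is only as good as its securitytypes line and the permissions on the key it names. The following script is an added example (not from the original post or from TigerVNC) that audits a TigerVNC config file for exactly that: it rejects the vncauth/tlsvnc defaults, accepts only x509 types that also require a client credential, and checks that the key and certificate exist with the private key at mode 600. The function names, the fixture paths and the two sample configs (the weak defaults from section 2 and the hardened one from this section) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post or from TigerVNC: audit a TigerVNC
# config file (~/.vnc/config or /etc/tigervnc/vncserver-config-defaults) for
# the x509 setup described above. Function names, fixture paths and the two
# sample configs are constructed for this demonstration.

# Print the value of the last "KEY=value" line in a config file (empty if none).
cfg_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Return 0 when the config allows only x509 security types that also require a
# client credential, and the referenced key and certificate exist with the
# private key readable by its owner only. Otherwise report each finding on
# stderr and return 1.
check_vnc_config() {
    cfg="$1"
    rc=0
    uses_x509=0
    # lower-case the list and turn commas into spaces so the for loop can split it
    types=$(cfg_get "$cfg" securitytypes | tr 'A-Z,' 'a-z ')
    if [ -z "$types" ]; then
        echo "$cfg: no securitytypes line, so Xvnc uses its built-in default list, which includes VncAuth" >&2
        rc=1
    fi
    for t in $types; do
        case "$t" in
            x509vnc|x509plain) uses_x509=1 ;;   # server certificate plus a client credential
            x509none) uses_x509=1; echo "$cfg: $t encrypts but requires no client credential" >&2; rc=1 ;;
            tlsvnc|tlsplain|tlsnone) echo "$cfg: $t uses anonymous TLS, the server is not authenticated" >&2; rc=1 ;;
            *) echo "$cfg: $t runs without TLS, the session is unencrypted" >&2; rc=1 ;;
        esac
    done
    if [ "$uses_x509" = 1 ]; then
        key=$(cfg_get "$cfg" x509key)
        cert=$(cfg_get "$cfg" x509cert)
        for f in "$key" "$cert"; do
            if [ -z "$f" ] || [ ! -r "$f" ]; then
                echo "$cfg: x509key/x509cert missing or unreadable: '$f'" >&2
                rc=1
            fi
        done
        if [ -n "$key" ] && [ -f "$key" ]; then
            mode=$(stat -c '%a' "$key")   # GNU stat: octal permission bits
            if [ "$mode" != 600 ]; then
                echo "$key: mode $mode, the unencrypted private key should be 600" >&2
                rc=1
            fi
        fi
    fi
    return $rc
}

# Build two constructed configs in a temporary directory: the defaults file
# from section 2 (vncauth,tlsvnc) and the hardened config from section 1.2.
# The .pem files are empty placeholders; only their presence and mode matter here.
make_fixtures() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/vnccheck.XXXXXX")
    mkdir -p "$dir/x509"
    : > "$dir/x509/vnc-server-private.pem"
    chmod 600 "$dir/x509/vnc-server-private.pem"
    : > "$dir/x509/vnc-server.pem"
    printf 'session=gnome\nsecuritytypes=vncauth,tlsvnc\ndesktop=sandbox\n' > "$dir/weak.cfg"
    printf '# use x509 encryption\nsecuritytypes=x509vnc\nx509key=%s\nx509cert=%s\nalwaysshared\n' \
        "$dir/x509/vnc-server-private.pem" "$dir/x509/vnc-server.pem" > "$dir/strong.cfg"
    echo "$dir"
}

# Run the audit over both fixtures and report.
demo() {
    dir=$(make_fixtures)
    for name in strong weak; do
        if check_vnc_config "$dir/$name.cfg"; then
            echo "$name.cfg: OK"
        else
            echo "$name.cfg: see findings above"
        fi
    done
    rm -rf "$dir"
}

demo
```

On a real host, call `check_vnc_config ~/.vnc/config` (or the file under /etc/tigervnc) instead of the fixtures. The audit treats tlsvnc as a finding because anonymous TLS stops passive sniffing but not an active man-in-the-middle, which is the property the x509 setup in this section adds; keep in mind that the vncauth credential itself is also limited to eight characters by vncpasswd, so the encrypted channel and server authentication are doing most of the work.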

VNC client side

Copy the generated certificate vnc-server.pem into the TigerVNC Viewer directory. Start vncviewer, enter the address and display number, click Options, go to Security, tick the x509 certificate option and specify the certificate path.

The connection is then authenticated and encrypted.

2. VNC configuration for tigervnc-server 1.10.1 and later

Run vncserver :1 as before. The output says that vncserver has been replaced by a systemd unit and points to /usr/share/doc/tigervnc/HOWTO.md for more information. From tigervnc-server 1.10.1 on, the vncserver command can no longer start the VNC service directly; the service has to be managed through systemd.

```
[root@test18 ~]# vncserver :1
vncserver has been replaced by a systemd unit.
Please read /usr/share/doc/tigervnc/HOWTO.md for more information.
```

The complete VNC configuration process is recorded here.

1. Install "Server with GUI"; the server needs graphical desktop support before a VNC service can be started.

```
[root@test18 ~]# yum groupinstall "Server with GUI"
```

2. Configure the DISPLAY environment variable. This example uses display number :1. Then make the setting take effect:

```
[root@test18 ~]# vim .bashrc
export DISPLAY=:1
[root@test18 ~]# source .bashrc
```

3. Install vncserver:

```
[root@test18 ~]# yum install tigervnc-server tigervnc
```

4. Configure the vncserver user and the display number it uses by editing /etc/tigervnc/vncserver.users. This example uses root (pick an account that fits your situation; root is not a good choice). The display number stays :1 as before:

```
[root@test18 ~]# vim /etc/tigervnc/vncserver.users
:1=root
```

5. Configure the vncserver default options by editing /etc/tigervnc/vncserver-config-defaults. Pay attention to the session option: it must match an entry in /usr/share/xsessions/. For example, session=gnome is only valid because /usr/share/xsessions/gnome.desktop exists. See man 8 vncsession for details.

```
[root@test18 ~]# ls /usr/share/xsessions/
com.redhat.Kiosk.desktop  gnome-custom-session.desktop  gnome-xorg.desktop  xinit-compat.desktop
gnome-classic.desktop     gnome.desktop                 openbox.desktop
```

```
[root@test18 ~]# vim /etc/tigervnc/vncserver-config-defaults
session=gnome
securitytypes=vncauth,tlsvnc
desktop=sandbox
geometry=1366x768
alwaysshared
```

6. Set the VNC password:

```
[root@test18 ~]# vncpasswd
Password:
Verify:
Would you like to enter a view-only password (y/n)? n
A view-only password is not used
```

7. Create the directory .config/systemd/user/ in root's home directory and copy the vncserver systemd unit there. Name it to match the display number used earlier, :1:

```
[root@test18 ~]# mkdir -p .config/systemd/user/
[root@test18 ~]# cp /lib/systemd/system/vncserver@.service .config/systemd/user/vncserver@:1.service
```

8. Load the new systemd unit. Note the --user option; Loaded should show the vncserver unit we just configured:

```
[root@test18 ~]# systemctl --user daemon-reload
[root@test18 ~]# systemctl --user status -l vncserver@\:1.service
● vncserver@:1.service - Remote desktop service (VNC)
   Loaded: loaded (/root/.config/systemd/user/vncserver@:1.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
```

9. Start the vncserver service, again with the --user option. If the status shows Active, the service is running. If you see errors like the ones below, go to the optional next step and configure the SELinux context.

```
[root@test18 ~]# systemctl --user start vncserver@\:1.service
[root@test18 ~]# systemctl --user status -l vncserver@\:1.service
● vncserver@:1.service - Remote desktop service (VNC)
   Loaded: loaded (/root/.config/systemd/user/vncserver@:1.service; disabled; vendor preset: enabled)
   Active: inactive (dead)

Mar 14 12:15:48 test18.abcd.com vncsession[1846]: vncsession: vncserver exited with status=71
Mar 14 12:15:48 test18.abcd.com vncsession[1846]: pam_unix(tigervnc:session): session closed for user root
Mar 14 12:15:48 test18.abcd.com systemd[1769]: vncserver@:1.service: Succeeded.
Mar 14 12:16:23 test18.abcd.com systemd[1769]: Starting Remote desktop service (VNC)...
Mar 14 12:16:23 test18.abcd.com vncsession[1892]: pam_systemd(tigervnc:session): Cannot create session: Already running in a session or user slice
Mar 14 12:16:23 test18.abcd.com vncsession[1892]: pam_unix(tigervnc:session): session opened for user root by (uid=0)
Mar 14 12:16:23 test18.abcd.com systemd[1769]: Started Remote desktop service (VNC).
Mar 14 12:16:23 test18.abcd.com vncsession[1892]: vncsession: vncserver exited with status=71
Mar 14 12:16:23 test18.abcd.com vncsession[1892]: pam_unix(tigervnc:session): session closed for user root
Mar 14 12:16:23 test18.abcd.com systemd[1769]: vncserver@:1.service: Succeeded.
```

10. Optional step: configure SELinux.

Option 1: disable SELinux and reboot the server (this removes SELinux confinement for every service on the host; option 2 is the targeted fix).

Option 2: set the SELinux context of the .vnc directory. Query the policy first: a .vnc directory under a home directory needs the xdm_home_t type. Add that context with semanage fcontext -a -t xdm_home_t "/root/.vnc(/.*)?", then apply it with restorecon -Rv .vnc/. Start the VNC service again and it becomes Active!

```
[root@test18 ~]# semanage fcontext -l | grep vnc
.vnc(/.*)?                                         all files          system_u:object_r:xdm_home_t:s0
/home/[^/]+/\.vnc(/.*)?                            all files          unconfined_u:object_r:xdm_home_t:s0
/home/\.vnc(/.*)?                                  all files          system_u:object_r:xdm_home_t:s0
/usr/bin/Xvnc                                      regular file       system_u:object_r:xserver_exec_t:s0
/usr/bin/nova-novncproxy                           regular file       system_u:object_r:nova_exec_t:s0
/usr/bin/nova-vncproxy                             regular file       system_u:object_r:nova_exec_t:s0
/usr/bin/nova-xvpvncproxy                          regular file       system_u:object_r:nova_exec_t:s0
/usr/bin/x11vnc                                    regular file       system_u:object_r:xserver_exec_t:s0
/usr/libexec/vncsession-start                      regular file       system_u:object_r:vnc_session_exec_t:s0
/usr/sbin/vncsession                               regular file       system_u:object_r:vnc_session_exec_t:s0
/var/run/vncsession-:[0-9]*\.pid                   regular file       system_u:object_r:vnc_session_var_run_t:s0
```

```
[root@test18 ~]# semanage fcontext -a -t xdm_home_t "/root/.vnc(/.*)?"
[root@test18 ~]# restorecon -Rv .vnc/
Relabeled /root/.vnc from system_u:object_r:admin_home_t:s0 to system_u:object_r:xdm_home_t:s0
Relabeled /root/.vnc/passwd from system_u:object_r:admin_home_t:s0 to system_u:object_r:xdm_home_t:s0
Relabeled /root/.vnc/test18.abcd.com:1.log from system_u:object_r:admin_home_t:s0 to system_u:object_r:xdm_home_t:s0
```

```
[root@test18 ~]# systemctl --user start vncserver@\:1.service
[root@test18 ~]# systemctl --user status -l vncserver@\:1.service
● vncserver@:1.service - Remote desktop service (VNC)
   Loaded: loaded (/root/.config/systemd/user/vncserver@:1.service; disabled; vendor preset: enabled)
   Active: active (running) since Sun 2021-03-14 20:48:25 CST; 1s ago
```

11. Configure the firewall inbound rule for the vncserver service. You must reload for it to take effect; then check that vnc-server appears among the allowed services:

```
[root@test18 ~]# firewall-cmd --permanent --add-service=vnc-server
[root@test18 ~]# firewall-cmd --reload
[root@test18 ~]# firewall-cmd --list-all
```

12. On the local machine, connect with vncviewer to :1 and enter the VNC password to see the graphical desktop.
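Steps 4 and 5 are where this procedure usually goes wrong silently: a mapping line that is not in the :x=user form, or a session= value with no matching desktop file under /usr/share/xsessions, only shows up later as a unit that refuses to start. The script below is an added example (not from the original post or from TigerVNC) that pre-checks both files before systemctl is ever run. Every path is passed in as an argument, so it works both against the constructed fixtures included here (mirroring the post's vncserver.users and vncserver-config-defaults) and against /etc/tigervnc and /usr/share/xsessions on a real host; the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post or from TigerVNC: a pre-flight
# check for the systemd-based setup (steps 4 and 5). Paths are arguments so
# the functions run against the constructed fixtures below as well as against
# /etc/tigervnc and /usr/share/xsessions on a real host.

# Print "display user" for every mapping in a vncserver.users file, skipping
# blank lines and comments. Only the ":x=user" form is accepted; any other
# line is reported on stderr and makes the function return 1.
parse_users_map() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
            *=*) ;;
            *) echo "malformed mapping (no '='): $line" >&2; rc=1; continue ;;
        esac
        display=${line%%=*}   # text before the first '=' e.g. ":1"
        user=${line#*=}       # text after it e.g. "test"
        case "$display" in
            :[0-9]|:[0-9][0-9]) ;;
            *) echo "malformed display (expected :N): $line" >&2; rc=1; continue ;;
        esac
        case "$user" in
            ''|*[!A-Za-z0-9._-]*) echo "malformed user name: $line" >&2; rc=1; continue ;;
        esac
        printf '%s %s\n' "$display" "$user"
    done < "$1"
    return $rc
}

# Return 0 if the session= value in a vncserver-config-defaults file names a
# desktop file under the xsessions directory, which is what vncsession(8) requires.
check_session() {
    session=$(sed -n 's/^[[:space:]]*session=//p' "$1" | tail -n 1)
    if [ -z "$session" ]; then
        echo "$1: no session= line" >&2
        return 1
    fi
    if [ ! -f "$2/$session.desktop" ]; then
        echo "$1: session=$session but $2/$session.desktop does not exist" >&2
        return 1
    fi
}

# Combine both checks. A root mapping or a user unknown to this host is only a
# warning, because the post itself ran the service as root on purpose.
preflight() {
    users_file="$1"; defaults_file="$2"; xsessions_dir="$3"
    status=0
    maps=$(parse_users_map "$users_file") || status=1
    printf '%s\n' "$maps" | while read -r display user; do
        [ -n "$user" ] || continue
        if [ "$user" = root ]; then
            echo "warning: $display is mapped to root, which the HOWTO advises against" >&2
        elif ! id "$user" >/dev/null 2>&1; then
            echo "warning: $display is mapped to '$user', which is not a user on this host" >&2
        fi
    done
    check_session "$defaults_file" "$xsessions_dir" || status=1
    return $status
}

# Constructed fixtures: the ":1=test / :2=vncuser" mapping from the HOWTO
# example and the defaults file from step 5, with a fake xsessions directory.
make_fixtures() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/vncpre.XXXXXX")
    mkdir -p "$dir/xsessions"
    : > "$dir/xsessions/gnome.desktop"
    printf '# display=user\n:1=test\n:2=vncuser\n' > "$dir/vncserver.users"
    printf 'session=gnome\nsecuritytypes=vncauth,tlsvnc\ngeometry=1366x768\nalwaysshared\n' \
        > "$dir/vncserver-config-defaults"
    echo "$dir"
}

demo() {
    dir=$(make_fixtures)
    if preflight "$dir/vncserver.users" "$dir/vncserver-config-defaults" "$dir/xsessions"; then
        echo "preflight: OK"
    else
        echo "preflight: problems found"
    fi
    rm -rf "$dir"
}

demo
```

On the host from this post the call would be `preflight /etc/tigervnc/vncserver.users /etc/tigervnc/vncserver-config-defaults /usr/share/xsessions`; the warning it prints for the :1=root mapping is the same point the HOWTO's Limitations section makes.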

Appendix: contents of /usr/share/doc/tigervnc/HOWTO.md

# What has changed

The previous Tigervnc versions had a wrapper script called `vncserver` which could be run as a user manually to start *Xvnc* process. The usage was quite simple as you just run

```
$ vncserver :x [vncserver options] [Xvnc options]
```

and that was it. While this was working just fine, there were issues when users wanted to start a Tigervnc server using *systemd*. For these reasons things were completely changed and there is now a new way how this all is supposed to work.

# How to start Tigervnc server

## Add a user mapping

With this you can map a user to a particular port. The mapping should be done in `/etc/tigervnc/vncserver.users` configuration file. It should be pretty straightforward once you open the file as there are some examples, but basically the mapping is in form

```
:x=user
```

For example you can have

```
:1=test
:2=vncuser
```

## Configure Xvnc options

To configure Xvnc parameters, you need to go to the same directory where you did the user mapping and open `vncserver-config-defaults` configuration file. This file is for the default Xvnc configuration and will be applied to every user unless any of the following applies:

* The user has its own configuration in `$HOME/.vnc/config`
* The same option with different value is configured in `vncserver-config-mandatory` configuration file, which replaces the default configuration and has even a higher priority than the per-user configuration. This option is for system administrators when they want to force particular *Xvnc* options.

Format of the configuration file is also quite simple as the configuration is in form of

```
option=value
option
```

for example

```
session=gnome
securitytypes=vncauth,tlsvnc
desktop=sandbox
geometry=2000x1200
localhost
alwaysshared
```

### Note:
There is one important option you need to set and that option is the session you want to start. E.g when you want to start GNOME desktop, then you have to use

```
session=gnome
```

which should match the name of a session desktop file from `/usr/share/xsessions` directory.

## Set VNC password

You need to set a password for each user in order to be able to start the Tigervnc server. In order to create a password, you just run

```
$ vncpasswd
```

as the user you will be starting the server for.

### Note:
If you were using Tigervnc before for your user and you already created a password, then you will have to make sure the `$HOME/.vnc` folder created by `vncpasswd` will have the correct *SELinux* context. You either can delete this folder and recreate it again by creating the password one more time, or alternatively you can run

```
$ restorecon -RFv /home//.vnc
```

## Start the Tigervnc server

Finally you can start the server using systemd service. To do so just run

```
$ systemctl start vncserver@:x
```

as root or

```
$ sudo systemctl start vncserver@:x
```

as a regular user in case it has permissions to run `sudo`. Don't forget to replace the `:x` by the actual number you configured in the user mapping file. Following our example by running

```
$ systemctl start vncserver@:1
```

you will start a Tigervnc server for user `test` with a GNOME session.

### Note:
If you were previously using Tigervnc and you were used to start it using *systemd* then you will need to remove previous *systemd* configuration files, those you most likely copied to `/etc/systemd/system/vncserver@.service`, otherwise this service file will be preferred over the new one installed with latest Tigervnc.

# Limitations

You will not be able to start a Tigervnc server for a user who is already logged into a graphical session. Avoid running the server as the `root` user as it's not a safe thing to do. While running the server as the `root` should work in general, it's not recommended to do so and there might be some things which are not working properly.
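The journal excerpt in step 9 and the Limitations section just above describe the two messages a failing vncserver@:N user unit tends to leave behind: the `vncserver exited with status=71` line that step 10 traced to the SELinux label on ~/.vnc, and the pam_systemd `Cannot create session: Already running in a session or user slice` line, which in the post appeared alongside the failure and which the HOWTO's note about users already logged into a session explains. The function below is an added example (not from the original post or from TigerVNC) that reads such journal lines and prints a diagnosis for each; the sample journal is constructed from the lines shown in step 9, and the function name and output wording are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post or from TigerVNC: triage the
# journal of a failing vncserver@:N user unit into the two conditions this
# page describes. SAMPLE_JOURNAL is constructed from the step 9 output.

SAMPLE_JOURNAL='Mar 14 12:16:23 test18.abcd.com systemd[1769]: Starting Remote desktop service (VNC)...
Mar 14 12:16:23 test18.abcd.com vncsession[1892]: pam_systemd(tigervnc:session): Cannot create session: Already running in a session or user slice
Mar 14 12:16:23 test18.abcd.com vncsession[1892]: pam_unix(tigervnc:session): session opened for user root by (uid=0)
Mar 14 12:16:23 test18.abcd.com systemd[1769]: Started Remote desktop service (VNC).
Mar 14 12:16:23 test18.abcd.com vncsession[1892]: vncsession: vncserver exited with status=71
Mar 14 12:16:23 test18.abcd.com vncsession[1892]: pam_unix(tigervnc:session): session closed for user root
Mar 14 12:16:23 test18.abcd.com systemd[1769]: vncserver@:1.service: Succeeded.'

# Read journal lines on stdin and print one line per finding. Returns 1 if
# vncserver exited (the unit did not stay up), 0 if nothing suspicious was seen.
# The pam_systemd session message is reported for context but does not by
# itself mark the unit as failed.
triage_vnc_journal() {
    starts=0
    last_status=""
    saw_session_conflict=0
    while IFS= read -r line; do
        case "$line" in
            *"Starting Remote desktop service (VNC)"*)
                starts=$((starts + 1)) ;;
            *"vncsession: vncserver exited with status="*)
                last_status=${line##*status=} ;;   # keep only the numeric exit status
            *"pam_systemd(tigervnc:session): Cannot create session"*)
                saw_session_conflict=1 ;;
        esac
    done
    rc=0
    if [ -n "$last_status" ]; then
        echo "vncserver exited with status=$last_status ($starts start attempt(s) in this excerpt)"
        if [ "$last_status" = 71 ]; then
            echo "  step 10: check the label with 'ls -Zd ~/.vnc' and expect xdm_home_t, else run restorecon -Rv ~/.vnc"
        fi
        rc=1
    fi
    if [ "$saw_session_conflict" = 1 ]; then
        echo "pam_systemd could not create a new login session because the process already runs inside one (see HOWTO: Limitations)"
    fi
    return $rc
}

# Demonstration on the constructed excerpt.
printf '%s\n' "$SAMPLE_JOURNAL" | triage_vnc_journal || echo "triage: unit did not stay up"
```

On the host from this post the input would come from the user manager's journal, for example `journalctl --user -u vncserver@:1.service -o cat | triage_vnc_journal`; an exit status other than 71 is still reported, just without the SELinux hint, since the post only establishes that mapping for 71.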
