Gilles Gravier's Weblog

Gilles Gravier's rants about things in general... security, open source, privacy, java, music... in particular.


Wednesday Dec 10, 2008

Remotely connecting to a Solaris machine... with security, minimal fuss and stuff!

I figured (OK... it was suggested to me by Karim Berrah who runs the CHOSUG Wiki) that others might be interested in knowing how I remotely connect to my favorite OpenSolaris machines.


It's actually very simple... all the tools are there for you!


The basic protocol that we will be using is called VNC. OpenSolaris comes with 2 different VNC servers.


The first one is the traditional "vncserver" process, which you can start manually, specifying the resolution with "-geometry XxY" and the virtual display number to use with ":X". E.g. "vncserver -geometry 1024x768 :2". The first time you use vncserver it will ask you to specify a password to protect the connection to your system. (You can change it later with "vncpasswd".) If you don't do anything special, the session starts with twm as the window manager. You can edit the .vnc/xstartup file and change the "twm &" line to start some other window manager if you want. But twm is very lightweight. You can kill the vnc server with "vncserver -kill :X" where X is the same number you used to start the server. You can run multiple vncservers...


The second means comes bundled with GNOME and is done using vino, the GNOME VNC server. It is embedded in GNOME and starts when you start your session. You first configure and enable it with the command vino-preferences (or through the menus System->Preferences->Desktop Sharing). Allow users to view and control your desktop... and, very important, set a password! The current build of OpenSolaris has an "Advanced" tab there that offers additional options. Have a look. Note that since vino is sharing your GNOME display, it is automatically set to number :0.


To connect to your machine from remote, there are 2 ways. The "fat" way is to use the native VNC client, "vncviewer :X", where X is the number you defined when starting vncserver or, for vino, :0.



You will be prompted for the password you specified.


Vino is interesting as, since it's integrated with GNOME, it offers full DBus integration... but has the drawback of being fixed to :0... and requiring a GNOME session to be started on the machine by logging in... whereas vncserver can be started remotely from a shell and doesn't require the user to be logged in, but doesn't offer that full GNOME integration.


VNC traditionally uses 2 ports to work.


One is the normal VNC protocol port and is 5900+X (where X is the number you chose when launching vncserver)... so 5900 for vino and (in my example when I used :2) 5902. This needs to be tunneled if you are going to go through a NAT router.


The second port is 5800+X (same rules for X)... and that's the Java client for VNC. This is the light way of accessing it. If your server is, say, :0 (case of vino) just open a browser to http://yourhost:5800/ and it will start a Java vncviewer directly to port 5900. VINO comes with the Java client by default. vncserver doesn't (you have to manually add -httpd to the vncserver command - i.e. vncserver -httpd -geometry 800x600 :2). This Java solution is nice as it doesn't require a local vncviewer client... can be run from any modern browser with a Java VM installed.


Here is an added bit of magic... I don't like to run vnc over a cleartext network connection. VINO supports encryption, but not all clients do. So what I do is that I don't open 5800+X and 5900+X on my NAT router. Instead I open port 22 and SSH to my server, and there, through SSH, I tunnel ports 5800+X and 5900+X. And from my client machine I "vncviewer localhost:5900+X". This is now tunneled through SSH from my client machine to the actual server.


My favorite application to do this SSH magic is AppGate's MindTerm. It's a free (for personal and small business) Java SSH client. It's a jar file that can be run as an application or hosted as a Java applet (I have the application on my OpenSolaris laptop, but the applet served from the web server on my home network so that it's always available to me wherever I am coming from). When you launch it, you specify which machine you want to connect to. You do the login... and then Tunnels->Setup and select "Add". Since I have vino on my local laptop, I can't use local port 5900... so I forward 5901 to the remote "localhost" 5900 (since the remote server is also running vino on :0). This is done by selecting


- Type : local
- Bind address : localhost
- Bind port : 5901
- Dest address : localhost
- Dest port : 5900


And then clicking OK. Voila. You can then run "vncviewer :1" from a terminal and it will connect to vino (:0) on the remote machine, tunneled through SSH.
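The same tunnel can be set up from a shell with the OpenSSH client instead of the MindTerm dialog. The script below is an added example, not part of the original post: it turns the "5900+X / 5800+X" port rule and the local/bind/dest fields above into ssh(1) -L options. Both ends are bound to localhost, so the forwarded ports are only reachable from the client machine and only hit the loopback listener on the server, and -N keeps the tunnel session from opening a remote shell. The host name and user (youruser@yourhost) and the "run" argument are placeholders assumed for illustration.

```shell
#!/bin/sh
# Added example: build and launch an SSH tunnel to a remote VNC display.
# Assumptions: OpenSSH "ssh" and a VNC "vncviewer" on the client;
# "youruser@yourhost" is a placeholder, not a real host.

# vnc_port DISPLAY -> RFB port used by vncserver/vino for that display (5900+X)
vnc_port() {
    echo $((5900 + $1))
}

# http_port DISPLAY -> port serving the Java vncviewer applet (5800+X)
http_port() {
    echo $((5800 + $1))
}

# tunnel_args LOCAL_DISPLAY REMOTE_DISPLAY
# Prints two -L options: one for the VNC port and one for the Java/HTTP port.
# Bind address is localhost on the client (nothing else on the LAN can use
# the forward) and the destination is localhost on the server (where vino
# or vncserver actually listen, so neither port has to be opened on the NAT).
tunnel_args() {
    lp=$(vnc_port "$1");  rp=$(vnc_port "$2")
    lh=$(http_port "$1"); rh=$(http_port "$2")
    printf '%s\n' "-L localhost:$lp:localhost:$rp -L localhost:$lh:localhost:$rh"
}

# ssh_tunnel_cmd USER@HOST LOCAL_DISPLAY REMOTE_DISPLAY
# Full ssh command line: -N (no remote shell, tunnel only) plus the forwards.
ssh_tunnel_cmd() {
    printf '%s\n' "ssh -N $(tunnel_args "$2" "$3") $1"
}

# Usage (only when invoked as "sh tunnel.sh run"): forward local :1 to the
# remote vino on :0, exactly like the MindTerm tunnel above, then start the
# viewer against the local end. ssh is backgrounded so vncviewer can run.
if [ "${1:-}" = "run" ]; then
    # shellcheck disable=SC2046  # word-splitting of the -L options is intended
    ssh -N -f $(tunnel_args 1 0) youruser@yourhost
    vncviewer localhost:1
fi
```

Because vino on the local laptop already owns :0 (port 5900), the local display number is 1 here; change the first argument to tunnel_args if :1 is taken as well. The Java applet forward means http://localhost:5801/ also reaches the remote vino's Java client through the same tunnel.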


Have fun!



Gilles.
