Ubuntu Linux provides remote desktop access. This provides two extremely useful features. Firstly it enables you or another person to view and interact with your desktop environment from another computer system either on the same network or over the internet. This is useful if you need to work on your computer when you are away from your desk while traveling or sitting in a coffee shop. It is also useful in situations where a co-worker or IT support technician needs access to your desktop to resolve a problem.
Secondly, in addition to providing access to your primary desktop (the one you see when you switch on your monitor every morning) it also enables you to create multiple desktops and connect to them remotely.
The Ubuntu remote desktop functionality is based on technology called Virtual Network Computing (VNC) and in this chapter we will cover the key aspects of configuring and using remote desktops with Ubuntu Linux. It is important to note that there are both secure and insecure ways to access a remote desktop. Although both approaches will be covered, the secure method is strongly recommended when accessing remote desktops over an internet or other insecure connection.
Activating Remote Desktop Access
The first step in setting up remote desktop access is to activate it and define some basic security settings. These settings are configured in the Remote Desktop Preferences dialog. To access this dialog, open the desktop System menu, select Preferences and click on Remote Desktop. When selected the following window will appear:
The Remote Desktop Preferences dialog consists of two panels. The General settings panel is displayed by default and provides the following configuration options:
- Allow others to view your desktop - Activates remote desktop access for viewing purposes.
- Allow other users to control your desktop - Allows users accessing your remote desktop to control the desktop. In other words the remote user can do anything to your desktop that they want using their mouse and keyboard as if they were sitting physically at the local system. When this option is disabled, the remote user can see what is happening on the desktop, but is unable to interact with it using the keyboard and mouse.
- Ask for confirmation - When selected, this option causes a dialog to appear warning you of an attempt by a remote user to connect and prompting you to confirm or deny the connection. If you are likely to want to log in remotely you will need to turn this off since you will not be at the local system to accept your own connection.
- Require the user to enter this password - Specifies a password which must be entered by the remote user to access your desktop. It is strongly advised that you select this option and specify a password.
Finally this screen specifies the command to run on the remote system to access the desktop.
The Advanced configuration options are accessed by clicking on the Advanced tab. Once selected, the following panel will be displayed in the Remote Desktop Preferences dialog:
Details of the advanced configuration options are as follows:
- Only allow local connections - Only allows remote desktop connections to be established from the local system. This essentially disables access from remote systems.
- Use an alternate port - Remote Desktop access requires the use of a TCP/IP port. By default a port will be assigned to the current connection starting at port 5900. If an alternate port is required, select this option and specify the required port.
- Disable the wallpaper when connected - A key objective of remote desktop access is to minimize the volume of network traffic involved in projecting the desktop to the remote user. If the desktop currently has a wallpaper image defined (in other words the background of the desktop) this will result in a considerable amount of additional network traffic. This option switches the desktop wallpaper to a plain background to reduce bandwidth usage thereby speeding the desktop presentation.
- Require encryption - As previously mentioned, remote desktop access may be established using both secure and insecure mechanisms. When selected, this option enforces the use of secure, SSH based, connections when accessing the desktop remotely.
- Lock screen on disconnect - Causes the desktop screen lock to be engaged automatically when the remote desktop connection is disconnected. This ensures that the next user to connect to the desktop will be required to enter a password to gain access.
- Always display icon - Causes the remote desktop icon to appear in the Notification area of the top status bar when remote desktop access is enabled (even when a remote user is not connected).
- Only display an icon when there someone is connected - Displays an icon on the Notification area of the top status bar when a user is remotely connected to the desktop.
- Never display an icon - The Notification icon is never displayed regardless of the current state of the remote desktop system.
Once you have configured Remote Desktop access you are ready to try connecting.
Accessing a Remote Ubuntu Linux Desktop using Vinagre
As mentioned previously there are both secure and insecure methods for accessing a remote desktop. In this section we assume that the desktop is being accessed by a remote system on the same local network where security is not a concern. See the section later in this chapter for establishing a secure connection if you are connecting from a system outside your firewall.
Connection to the remote desktop may be performed by running either the vncviewer tool, or the newer vinagre on the system from which the remote desktop is to be accessed. On Ubuntu systems, vinagre is installed by default. On other systems, however, it may need to be manually installed. For example to install vinagre on a Fedora system, execute the following command in a terminal window:
yum install vinagre
To access a remote desktop, open a terminal window and enter the command specified in the Remote Desktop Preferences dialog, for example:
where hostname is either the hostname or IP address of the remote system.
If you configured the remote system to prompt to approve a connection a dialog will appear on the remote system. Until the connection is approved the vinagre session will wait. Once approved, or if no approval is required, vinagre will prompt for the password (assuming one was defined):
Enter the password and vinagre will appear containing the desktop from the remote system. If remote desktop control was enabled you can interact with the desktop as if you were sitting at the remote screen. The following figure illustrates a vinagre session running on a Fedora system attached to a remote desktop running on Ubuntu. Note that only part of the remote desktop is displayed. The entire desktop may be viewed by clicking on the Full Screen toolbar button.
Vinagre is a relatively new tool and has a number of advantages over the older vncviewer tool (such as the ability to manage concurrent connections to multiple remote desktops). For those who prefer to use a simpler interface, or who use a system for which vinagre is not easily obtainable, vncviewer makes an adequate alternative.
As with vinagre, vncviewer is not installed by default on many systems. To install vncviewer on Red Hat, CentOS and Fedora systems, execute the following commands in a terminal window:
yum install vnc
Similarly, to install vncviewer on an Ubuntu system:
sudo apt-get install xvnc4viewer
Once installed, run the command using the following syntax where hostname is the host name or IP address of the remote system and port is the port number assigned for access to the desktop:
If the remote desktop was configured to require a password, vncviewer will prompt for this before displaying the desktop:
So far in this chapter we have assumed that the remote desktop was being accessed from a Linux or Unix system. Access is also possible from a Windows system.
In order to access a Linux remote desktop from a Windows system the first step is to install a Windows VNC client on the Windows system. There are a number of VNC packages available for Windows. In this chapter we will look at TightVNC (http://www.tightvnc.com).
Download and install TightVNC on your Windows system. Once installed, launch the TightVNC Viewer and in the resulting Connection details dialog enter the IP address or hostname of the remote system and press OK. Enter the password if one is required. The screen should load and display the remote desktop,
You may also enter the port number in the form hostname::5900 (screen 0 in VNC uses port 5900). TightVNC assumes port 5900 if none is specified but when we look at setting up additional desktops later in this chapter we will need to specify port numbers in order to connect.
The remote desktop configurations we have explored so far in this chapter are considered to be insecure because no encryption is used. This is acceptable when the remote connection does not extend outside of an internal network protected by a firewall perimeter. When a remote session is required over an internet connection a more secure option is needed. This is achieved by tunneling the remote desktop through a secure shell (SSH) connection.
Before a secure connection is established the SSH server must be installed on the system to which the connection is to be established. For detailed steps on installing the SSH server on an Ubuntu Linux system see Configuring Ubuntu Linux Remote Access using SSH.
Once the SSH server is installed and active it is time to move to the other system. At the other system, log in to the remote system using the following command, which will establish the secure tunnel between the two systems:
ssh -L 5900:localhost:5900 hostname
In the above example, hostname is either the host name or IP address of the remote system. Log in using your account and password. The secure connection is now established and it is time to launch vncviewer so that it uses the secure tunnel. Leaving the ssh session running in the other terminal window, launch another terminal and enter the following command to use vncviewer:
Alternatively, to use vinagre:
The vncviewer session will prompt for a password if one is required, and then launch the corresponding viewer providing secure access to your desktop environment.
If you are connecting to the remote desktop from outside the firewall keep in mind that the IP address for the ssh connection will be the external IP address provided by your ISP, not the LAN IP address of the remote system (since this IP address is not visible to those outside the firewall). You will also need to configure your firewall to forward port 22 (for the ssh connection) to the IP address of the system running the desktop. It is not necessary to forward port 5900. Steps to perform port forwarding differ between firewalls, so refer to the documentation for your firewall, router or wireless base station for details specific to your configuration.
A similar approach is taken to establishing a secure desktop session from a Windows system. Assuming that you have a VNC client installed (as described above) the one remaining requirement is a Windows ssh client. A popular ssh client for Windows is (PuTTY).
Once PuTTY is downloaded and installed the first step is to set up a secure connection between the Windows system and the remote Linux system with appropriate tunneling configured. When launched, PuTTY displays the following screen:
Enter the IP address or host name of the remote host (or the external IP address of the gateway if you are connecting from outside the firewall). The next step is to set up the tunnel. Click on the + next to SSH in the Category tree on the left hand side of the dialog and click on Tunnels. The screen should appear as follows:
Enter 5900 as the Source port and localhost:5900 as the Destination and click on Add. Finally return to the main screen by clicking on the Session category. Enter a name for the session in the Saved Sessions text field and press save. Click on Open to establish the connection. A terminal window will appear with the login prompt from the remote system. Enter your user login and password credentials.
The SSH connection is now established. Launch the TightVNC viewer and enter localhost::5900 in the VNC Server text field and click on Connect. The viewer will establish the connection, prompt for the password and then display the desktop. You are now accessing the remote desktop of a Linux system on Windows via a secure tunnel.
In the examples so far we have only covered remote access to the primary desktop. By primary desktop we mean the desktop you see when you sit at your computer and turn on the monitor. While this is fine for a single user system we should not lose sight of the fact that Linux is a multi-user operating system and it will often be necessary for more than one person to have remote desktop access at a time. While it might be fun to watch everyone fight over the mouse pointer as they share the same desktop it is clear that not much work will get done. The solution to this is to run multiple desktops for the users to connect to.
New desktop environments are created using the vncserver utility. If vncserver is not already installed, it may be installed from a terminal window as follows:
sudo apt-get install vnc4server
Once the VNC server package is installed, the next step is to assign a password to protect the desktops. This can be achieved using the vncpasswd tool. Run this tool from the command-line prompt in a terminal window and enter the password of your choice.
The desktop we have used so far in this chapter is desktop :0. New desktops must be assigned different numbers. For example to launch desktop :1 run the following command from a terminal window command-line prompt:
This will start a new desktop in the background ready for a remote user to connect to. To connect to the desktop follow the steps for connecting to desktop :0 outlined above but this time use port 5901 instead of port 5900 (you will similarly use port 5902 for desktop :2 and so on).
When the desktop appears you will notice that it doesn't look much like the standard desktop:
The problem here is that we need to configure the VNC session to launch the correct desktop. To do this shutdown the VNC desktop session as follows:
vncserver -kill :1
Next go to your home folder and edit the $HOME/.vnc/xstartup file. This will look similar to the following file:
# Uncomment the following two lines for normal desktop:
# unset SESSION_MANAGER
# exec /etc/X11/xinit/xinitrc
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
To configure this startup script to launch the standard desktop (known as the GNOME desktop) change the twm& line so that the file reads:
# Uncomment the following two lines for normal desktop:
# unset SESSION_MANAGER
# exec /etc/X11/xinit/xinitrc
#[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
#[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
#xsetroot -solid grey
#vncconfig -iconic &
#xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
Restart the vncserver:
Finally, reconnect from the remote system. The full desktop should now appear in the vncviewer or vinagre window.