Remote Access with VNC: Difference between revisions

Finished main article
m Removed duplicate div statements where appropriate (top box needs a box in a box so has been left).
 
(35 intermediate revisions by the same user not shown)
Line 3: Line 3:
openSUSE Leap supports two different kinds of VNC sessions: One-time sessions that "live" as long as the VNC connection from the client is kept up, and persistent sessions that "live" until they are explicitly terminated.
openSUSE Leap supports two different kinds of VNC sessions: One-time sessions that "live" as long as the VNC connection from the client is kept up, and persistent sessions that "live" until they are explicitly terminated.


<div style="padding-bottom:5px;padding-top:5px;">
<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;">
'''Note: Session Types'''
'''Note: Session Types'''


A machine can offer both kinds of sessions simultaneously on different ports, but an open session cannot be converted from one type to the other.
A machine can offer both kinds of sessions simultaneously on different ports, but an open session cannot be converted from one type to the other.
 
</div>
</div>
<div style="padding-bottom:15px;padding-top:5px;">
<div style="background:#FDDFA6;border:1px solid #BB7B03;padding-left:5px;padding-right:5px;">
'''Important: Supported Display Managers'''
'''Important: Supported Display Managers'''


A machine can reliably accept VNC connections only if it uses a display manager that supports the XDMCP protocol. While <code>gdm</code>, <code>lxdm</code>, or <code>lightdm</code> support XDMCP, the KDE 5 default display manager <code>sddm</code> does not support it. When changing the default display manager, remember to log out of the current X session and restart the display manager with
A machine can reliably accept VNC connections only if it uses a display manager that supports the XDMCP protocol. While <code>gdm</code>, <code>lxdm</code>, or <code>lightdm</code> support XDMCP, the KDE 5 default display manager <code>sddm</code> does not support it. When changing the default display manager, remember to log out of the current X session and restart the display manager with
   tux > sudo systemctl restart xdm.service
   tux > sudo systemctl restart xdm.service
 
</div>
</div>
=The '''<code>vncviewer</code>''' Client=
=The '''<code>vncviewer</code>''' Client=
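Review bot: The box markup in this hunk does not match the rest of the revision: both "Note: Session Types" and "Important: Supported Display Managers" are wrapped in two nested div elements with the padding on the outer one, while the boxes added further down use a single div that carries all four padding values. The edit summary says only the top box needs the nested form, so the second box should be collapsed to the single-div form, or the repeated inline styles moved into a shared note/important template. Also, the "Important" text lists gdm, lxdm and lightdm, but the restart command targets xdm.service, and nothing says whether that unit covers the listed display managers.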


Line 22: Line 28:
   tux > vncviewer thinkserver.freddythechick.uk::5901
   tux > vncviewer thinkserver.freddythechick.uk::5901


<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note: Display and Port Number'''
'''Note: Display and Port Number'''
The actual display or port number you specify in the VNC client must be the same as the display or port number picked by the '''<code>vncserver</code>''' command on the target machine. See Section 4.4, "Persistent VNC Sessions" for further info.
The actual display or port number you specify in the VNC client must be the same as the display or port number picked by the '''<code>vncserver</code>''' command on the target machine. See Section 4.4, "Persistent VNC Sessions" for further info.
</div>


==Connecting Using the vncviewer GUI==
==Connecting Using the vncviewer GUI==
By running '''<code>vncviewer</code>''' without specifying '''<code>--listen</code>''' or a host to connect to, it will show a window to ask for connection details. Enter the host into the ''VNC server'' field like in Section 4.1.1, "Connecting Using the vncviewer CLI" and click ''Connect''.
By running '''<code>vncviewer</code>''' without specifying '''<code>--listen</code>''' or a host to connect to, it will show a window to ask for connection details. Enter the host into the ''VNC server'' field like in Section 4.1.1, "Connecting Using the vncviewer CLI" and click ''Connect''.
[[File:vnc1.png|frame|center|Figure 1: <code>vncviewer</code>]]


==Notification of Unencrypted Connections==
==Notification of Unencrypted Connections==
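Review bot: The cross-references in this hunk ("See Section 4.4, "Persistent VNC Sessions"" in the note box and "like in Section 4.1.1" in the GUI paragraph) use section numbers that do not exist on this page, because the wiki headings are unnumbered. Replace them with internal links to the headings by name so they resolve and survive later restructuring.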
Line 40: Line 50:
==Main Window==
==Main Window==
Run Remmina by entering the '''<code>remmina</code>''' command.
Run Remmina by entering the '''<code>remmina</code>''' command.
[[File:vnc2.png|frame|center|Figure 2: Reminna's Main Window]]


The main application window shows the list of stored remote sessions. Here you can add and save a new remote session, quick-start a new session without saving it, start a previously saved session, or set Remmina's global preferences.
The main application window shows the list of stored remote sessions. Here you can add and save a new remote session, quick-start a new session without saving it, start a previously saved session, or set Remmina's global preferences.


==Adding Remote Sessions==
==Adding Remote Sessions==
To add and save a new remote session, click + in the top left of the main window. The ''Remote Desktop Preference'' window opens.
To add and save a new remote session, click [[File:vnc10.png|25px]] in the top left of the main window. The ''Remote Desktop Preference'' window opens.
 
[[File:vnc3.png|frame|center|500px|Figure 3: Remote Desktop Preference]]


Complete the fields that specify your newly added remote session profile. The most important are:
Complete the fields that specify your newly added remote session profile. The most important are:
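Review bot: The new Figure 2 caption misspells the product name as "Reminna's Main Window"; it should read "Remmina's". In the "Adding Remote Sessions" paragraph the literal "+" was replaced by [[File:vnc10.png|25px]] with no alternative text, so a reader without images no longer learns which control to click; keep the "+" next to the icon or give the image alt text.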
Line 60: Line 74:
Credentials to use for remote authentication. Leave empty for no authentication.
Credentials to use for remote authentication. Leave empty for no authentication.


'''Color depth, Quality'''<br>
'''Colour depth, Quality'''<br>
Select the best options according to you connection speed and quality.
Select the best options according to you connection speed and quality.


Select the ''Advanced'' tab to enter more specific settings.
Select the ''Advanced'' tab to enter more specific settings.


<div style="background:#B6D5B2;border:1px solid #439239;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Tip: Disable Encryption'''
'''Tip: Disable Encryption'''


If the communication between the client and remote server is not encrypted, active ''Disable encryption'', otherwise the connection fails.
If the communication between the client and remote server is not encrypted, active ''Disable encryption'', otherwise the connection fails.
</div>


Select the SSH tab for advanced SSH tunneling and authentication options.
Select the ''SSH'' tab for advanced SSH tunnelling and authentication options.


Confirm with Save. Your new profile will be listed in the main window.
Confirm with ''Save''. Your new profile will be listed in the main window.


==Starting Remote Sessions==
==Starting Remote Sessions==
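Review bot: The "Tip: Disable Encryption" box still reads "active ''Disable encryption''" in both revisions; it should be "activate". The line under "Colour depth, Quality" has the same kind of slip ("according to you connection speed" should be "your"). Since this tip tells the reader to turn encryption off on the client, it would help to link it to the "Encrypted VNC Communication" section at the end of the page, so the reader can see the option of enabling encryption on the server instead.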
Line 80: Line 96:
To start a remote session quickly without proper adding and saving connection details, use the drop-down box and text field at the top of the main window.
To start a remote session quickly without proper adding and saving connection details, use the drop-down box and text field at the top of the main window.


Select the communication protocol from the drop-down box, for example 'VNC', then enter the VNC server DNS or IP address followed by a colon and a display number, and confirm with Enter.
[[File:vnc4.png|frame|center|Figure 4: Quick-Starting]]
 
Select the communication protocol from the drop-down box, for example 'VNC', then enter the VNC server DNS or IP address followed by a colon and a display number, and confirm with {{key press|Enter}}.


===Opening Saved Remote Sessions===
===Opening Saved Remote Sessions===
Line 86: Line 104:


===Remote Sessions Window===
===Remote Sessions Window===
Remote sessions are opened in tabs of a separate window. Each tab hosts one session. The toolbar on the left of the window helps you manage the windows/sessions, such as toggle fullscreen mode, resize the window to match the display size of the session, send specific keystrokes to the session, take screenshots of the session, or set the image quality.
Remote sessions are opened in tabs of a separate window. Each tab hosts one session. The toolbar on the left of the window helps you manage the windows/sessions, such as toggle full-screen mode, resize the window to match the display size of the session, send specific keystrokes to the session, take screenshots of the session, or set the image quality.
 
[[File:vnc5.png|frame|center|500px|Figure 5: Remmina Viewing SLES 15 Remote Session]]


==Editing, Copying and Deleting Saved Sessions==
==Editing, Copying and Deleting Saved Sessions==
Line 95: Line 115:
To ''Delete'' a saved remote session, right-click its name in the Remmina's main window and select ''Delete''. Confirm with ''Yes'' in the next dialog.
To ''Delete'' a saved remote session, right-click its name in the Remmina's main window and select ''Delete''. Confirm with ''Yes'' in the next dialog.


==Running Remote Sessons from the Command Line==
==Running Remote Sessions from the Command Line==
If you need to open a remote session from the command line or from a batch file without first opening the main application window, use the following syntax:
If you need to open a remote session from the command line or from a batch file without first opening the main application window, use the following syntax:
   tux > remmina -c profie_name.remmina
   tux > remmina -c profie_name.remmina
Remmina's profile files are stored in the <code>.local/share/remmina/</code> directory in your home directory. To determine which profile file belongs to the session you want to open, run Remmina, click the session name in the main window, and read the path to the profile file in the window's status line at the bottom.
Remmina's profile files are stored in the <code>.local/share/remmina/</code> directory in your home directory. To determine which profile file belongs to the session you want to open, run Remmina, click the session name in the main window, and read the path to the profile file in the window's status line at the bottom.
[[File:vnc6.png|frame|center|Figure 6: Reading Path to the Profile File]]


While Remmina is not running, you can rename the profile file to to a more reasonable file name, such as <code>sle15.remmina</code>. You can even copy the profile file to your custom directory and run it using the '''<code>remmina -c</code>''' command from there.
While Remmina is not running, you can rename the profile file to to a more reasonable file name, such as <code>sle15.remmina</code>. You can even copy the profile file to your custom directory and run it using the '''<code>remmina -c</code>''' command from there.
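Review bot: The command example in this hunk is unchanged and still carries a typo in the placeholder: "remmina -c profie_name.remmina" should be "profile_name.remmina". The last paragraph also keeps the doubled word in "rename the profile file to to a more reasonable file name". Both are worth fixing in the same pass as the heading correction.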
Line 105: Line 127:
A one-time session is initiated by the remote client. It starts a graphical login screen on the server. This way you can choose the user which starts the session and, if supported by the login manager, the desktop environment. When you terminate the client connection to such a VNC session, all applications started within that session will be terminated, too. One-time VNC sessions cannot be shared, but it is possible to have multiple sessions on a single host at the same time.
A one-time session is initiated by the remote client. It starts a graphical login screen on the server. This way you can choose the user which starts the session and, if supported by the login manager, the desktop environment. When you terminate the client connection to such a VNC session, all applications started within that session will be terminated, too. One-time VNC sessions cannot be shared, but it is possible to have multiple sessions on a single host at the same time.


==Enabling One-time VNC Sessions==
'''Procedure 1: Enabling One-time VNC Sessions'''
# Start ''Yast > Network Services > Remote Administration (VNC)''.
# Start ''YaST > Network Services > Remote Administration (VNC)''.
# Check ''Allow Remote Administration Without Session Management''.
# Check ''Allow Remote Administration Without Session Management''.
# Activate ''Enable access using a web browser'' if you plan to access the VNC session in a Web browser window.
# Activate ''Enable access using a web browser'' if you plan to access the VNC session in a Web browser window.
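Review bot: Replacing the heading "==Enabling One-time VNC Sessions==" with the bold line "Procedure 1: Enabling One-time VNC Sessions" removes the section from the table of contents and leaves no anchor to link to, while the sibling "==Available Configurations==" and "==Configuring One-time VNC Sessions==" remain headings. Either keep the heading and put the procedure title under it, or give the procedure title an anchor so the cross-references elsewhere on the page have a target.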
Line 113: Line 135:
# In case not all needed packages are available yet, you need to approve the installation of missing packages.
# In case not all needed packages are available yet, you need to approve the installation of missing packages.


<div style="background:#B6D5B2;border:1px solid #439239;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Tip: Restart the Display Manager'''
'''Tip: Restart the Display Manager'''


YaST makes changes to the display manager settings. You need to log out of your current graphical session and restart the display manager for the changes to take effect.
YaST makes changes to the display manager settings. You need to log out of your current graphical session and restart the display manager for the changes to take effect.
</div>
[[File:vnc7.png|frame|center|500px|Figure 7: Remote Administration]]


==Available Configurations==
==Available Configurations==
The default configuration on openSUSE Leap serves sessions with a resolution of 1024x768 pixels at a color depth of 16-bit. The sessions are available on ports <code>5901</code> for "regular" VNC viewers (equivalent to VNC display <code>1</code>) and on port <code>5801</code> for Web browsers.
The default configuration on openSUSE Leap serves sessions with a resolution of 1024x768 pixels at a colour depth of 16-bit. The sessions are available on ports <code>5901</code> for "regular" VNC viewers (equivalent to VNC display <code>1</code>) and on port <code>5801</code> for Web browsers.


Other configurations can be made available on different ports, see Section 4.3.3, "Configuring One-time VNC Sessions".
Other configurations can be made available on different ports, see Section 4.3.3, "Configuring One-time VNC Sessions".
Line 129: Line 155:
To connect to a one-time VNC session, a VNC viewer must be installed, see also Section 4.1, "The '''<code>vncviewer</code>''' Client".
To connect to a one-time VNC session, a VNC viewer must be installed, see also Section 4.1, "The '''<code>vncviewer</code>''' Client".


==Configuring One time VNC Sessions==
==Configuring One-time VNC Sessions==
You can skip this section, if you do not need or want to modify the default configuration.
You can skip this section, if you do not need or want to modify the default configuration.


One-time VNC sessions are started via the <code>systemd</code> socket <ocde>xvnc.socket</code>. By default it offers six configuration blocks: three for VNC viewers (<code>vnc1</code> to <code>vnc3</code>), and three serving a Java applet (<code>vnchttpd1</code> to <code>vnchttpd3</code>). By default only <code>vnc1</code> and <code>vnchttpd1</code> are active.
One-time VNC sessions are started via the <code>systemd</code> socket <code>xvnc.socket</code>. By default it offers six configuration blocks: three for VNC viewers (<code>vnc1</code> to <code>vnc3</code>), and three serving a Java applet (<code>vnchttpd1</code> to <code>vnchttpd3</code>). By default only <code>vnc1</code> and <code>vnchttpd1</code> are active.


To activate the VNC server socket at boot time, run the following command:
To activate the VNC server socket at boot time, run the following command:
   sudo systemctl enable xvnc.socket
   sudo systemctl enable xvnc.socket
To start the socket immediatley, run:
To start the socket immediately, run:
   sudo systemctl start xvnc.socket
   sudo systemctl start xvnc.socket
The '''<code>Xvnc</code>''' server can be configured via the <code>server_args</code> option. For a list of options, see '''<code>Xvnc --help</code>'''.
The '''<code>Xvnc</code>''' server can be configured via the <code>server_args</code> option. For a list of options, see '''<code>Xvnc --help</code>'''.
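Review bot: The last paragraph of this hunk says Xvnc "can be configured via the server_args option" but does not name the file that holds that option, and the preceding text only describes the systemd socket xvnc.socket, so a reader cannot find where to make the change. Name the file. As a style point, the two systemctl commands here are shown without the "tux >" prompt that the other command examples on the page use.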
Line 145: Line 171:
   tux > sudo systemctl reload xvnc.socket
   tux > sudo systemctl reload xvnc.socket


<div style="background:#FDDFA6;border:1px solid #BB7B03;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Important: Firewall and VNC Ports'''
'''Important: Firewall and VNC Ports'''


When activating Remote Administration as described in Procedure 4.1, "Enabling One-time VNC Sessions", the ports <code>5801</code> and <code>5901</code> are opened in the firewall. If the network interface serving the VNC sessions is protected by a firewall, you need to manually open the respective ports when activating additional ports for VNC sessions. See Book ''"Security Guide", Chapter 15 "Masquerading and Firewalls"'' for instructions.
When activating Remote Administration as described in Procedure 4.1, "Enabling One-time VNC Sessions", the ports <code>5801</code> and <code>5901</code> are opened in the firewall. If the network interface serving the VNC sessions is protected by a firewall, you need to manually open the respective ports when activating additional ports for VNC sessions. See Book ''"Security Guide", Chapter 15 "Masquerading and Firewalls"'' for instructions.
</div>


=Persistant VNC Sessions=
=Persistent VNC Sessions=
A persistent session can be accessed from multiple clients simultaneously. This is ideal for demonstration purposes where one client has full access and all other clients have view-only access. Another use case are trainings where the trainer might need access to the trainee's desktop.
A persistent session can be accessed from multiple clients simultaneously. This is ideal for demonstration purposes where one client has full access and all other clients have view-only access. Another use case are trainings where the trainer might need access to the trainee's desktop.


'''Tip: Connecting to a Persistant VNC Session'''
<div style="background:#B6D5B2;border:1px solid #439239;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Tip: Connecting to a Persistent VNC Session'''
To connect to a persistent VNC session, a VNC viewer must be installed. Refer to Section 4.1, "The '''<code>vncviewer</code>''' Client" for more details.
To connect to a persistent VNC session, a VNC viewer must be installed. Refer to Section 4.1, "The '''<code>vncviewer</code>''' Client" for more details.
</div>


There are two types of persistant VNC sessions:
There are two types of persistent VNC sessions:
* VNC Session Initiated using <code>vncserver</code>
* VNC Session Initiated using <code>vncserver</code>
* VNC Session Initiated using <code>vncmanager</code>
* VNC Session Initiated using <code>vncmanager</code>
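Review bot: The "Important: Firewall and VNC Ports" box still refers to "Procedure 4.1, "Enabling One-time VNC Sessions"", but this revision renames that procedure to "Procedure 1". Update the reference to the new number, or better, link it, so that the statement about ports 5801 and 5901 being opened points at the right steps. The pointer to the "Security Guide", Chapter 15 is also bare text; a link to where that book lives would make the firewall instruction usable.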
Line 165: Line 195:
A session can have multiple client connections of both kinds at once.
A session can have multiple client connections of both kinds at once.


===Procedure 4.2: Stating a Persistant VNC Session using '''<code>vncserver</code>'''===
'''Procedure 2: Stating a Persistent VNC Session using <code>vncserver</code>'''
# Open a shell and make sure you are logged in as the user that should own the VNC session.
# Open a shell and make sure you are logged in as the user that should own the VNC session.
# If the network interface serving the VNC sessions is protected by a firewall, you need to manually open the port used by your session in the firewall. If starting multiple sessions you may alternatively open a range of ports. See Book ''"Security Guide", Chapter 15 "Masquerading and Firewalls"'' for details on how to configure the firewall.
# If the network interface serving the VNC sessions is protected by a firewall, you need to manually open the port used by your session in the firewall. If starting multiple sessions you may alternatively open a range of ports. See Book ''"Security Guide", Chapter 15 "Masquerading and Firewalls"'' for details on how to configure the firewall.<br><br>'''<code>vncserver</code>''' uses the ports <code>5901</code> for display <code>:1</code>, <code>5902</code> for display <code>:2</code>, and so on. For persistent sessions, the VNC display and the X display usually have the same number.
 
'''<code>vncserver</code>''' uses the ports <code>5901</code> for display <code>:1</code>, <code>5902</code> for display <code>:2</code>, and so on. For persistent sessions, the VNC display and the X display usually have the same number.
# To start a session with a resolution of 1024x768 pixel and with a colour depth of 16-bit, enter the following command:
# To start a session with a resolution of 1024x768 pixel and with a colour depth of 16-bit, enter the following command:
   vncserver -gemometry 1024x768 -depth 16
   vncserver -geometry 1024x768 -depth 16
The '''<code>vncserver</code>''' command picks an unused display number when none is given and prints its choice. See '''<code>man 1 vncserver</code>''' for more options.
The '''<code>vncserver</code>''' command picks an unused display number when none is given and prints its choice. See '''<code>man 1 vncserver</code>''' for more options.
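Review bot: The new procedure title reads "Procedure 2: Stating a Persistent VNC Session"; "Stating" should be "Starting". The typo was carried over from the old heading while the rest of the line was being corrected. In step 3, "1024x768 pixel" should be "pixels", matching the wording used under "Available Configurations".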


Line 178: Line 206:
The password(s) you are providing here are also used for future sessions started by the same user. They can be changed with the '''<code>vncpasswd</code>''' command.
The password(s) you are providing here are also used for future sessions started by the same user. They can be changed with the '''<code>vncpasswd</code>''' command.


<div style="background:#FDDFA6;border:1px solid #BB7B03;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Important: Security Considerations'''
'''Important: Security Considerations'''


Make sure to use strong passwords of significant length (eight or more characters. Do no share these passwords.
Make sure to use strong passwords of significant length (eight or more characters. Do no share these passwords.
</div>


To terminate the session shut down the desktop environment that runs inside the VNC session from the VNC viewer as you would shut it down if it was a regular local X session.
To terminate the session shut down the desktop environment that runs inside the VNC session from the VNC viewer as you would shut it down if it was a regular local X session.


If you prefer to manually terminate a session, open a shell on the VNC server and make sure you are logged in as the user that owns the VNC session you want to terminate. Run the following command to terminate the session that runs on display <code>:1</code>: '''<code>vncserver -kill :1</code>'''.
If you prefer to manually terminate a session, open a shell on the VNC server and make sure you are logged in as the user that owns the VNC session you want to terminate. Run the following command to terminate the session that runs on display <code>:1</code>: '''<code>vncserver -kill :1</code>'''.
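Review bot: The text inside the new "Important: Security Considerations" box is broken in both revisions: "(eight or more characters. Do no share these passwords." is missing its closing parenthesis and should read "Do not share". As this is the only password guidance on the page, it should be fixed along with the box markup.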
Line 190: Line 220:
   WINDOWMANAGER=gnome vncserver -geometry 1024x768
   WINDOWMANAGER=gnome vncserver -geometry 1024x768
   WINDOWMANAGER=icewm vncserver -geometry 1024x768
   WINDOWMANAGER=icewm vncserver -geometry 1024x768
<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note: One Configuration for Each User'''
'''Note: One Configuration for Each User'''


Persistent VNC sessions are configured in a single per-user configuration. Multiple sessions started by the same user will all use the same start-up and password files.
Persistent VNC sessions are configured in a single per-user configuration. Multiple sessions started by the same user will all use the same start-up and password files.
</div>
==VNC Session Initiated Using '''<code>vncmanager</code>'''==


==VNC Session Initated using '''<code>vncmanager</code>'''
'''Procedure 3: Enabling Persistent VNC Sessions'''
===Procedure 4.3: Enabling Persistant VNC Sessions===
# Start ''YaST > Network Services > Remote Administration (VNC)''.
# Start ''YaST > Network Services > Remote Administration (VNC)</code>.
# Activate ''Allow Remote Administration With Session Management''.
# Activate ''Allow Remote Administration With Session Management''.
# Active ''Allow access using a web browser'' if you plan to access the VNC session in a Web browser window.
# Active ''Allow access using a web browser'' if you plan to access the VNC session in a Web browser window.
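Review bot: Step 3 of "Procedure 3" still begins "Active ''Allow access using a web browser''"; it should be "Activate". The option is also named differently from the matching step in Procedure 1, which says "Enable access using a web browser"; check which label the YaST dialog shows and use it in both procedures.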
Line 203: Line 237:
# In case not all needed packages are available yet, you need to approve the installation of missing packages.
# In case not all needed packages are available yet, you need to approve the installation of missing packages.


<div style="background:#B6D5B2;border:1px solid #439239;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Tip: Restart the Display Manager'''
'''Tip: Restart the Display Manager'''


YaST makes changes to the display manager settings. You need to log out of your current graphical session and restart the display manager for the changes to take effect.
YaST makes changes to the display manager settings. You need to log out of your current graphical session and restart the display manager for the changes to take effect.
</div>
===Configuring Persistent VNC Sessions===
After you enable the VNC session management as described in Procedure 4.3, "Enabling Persistent VNC Sessions", you can normally connect to the remote session with your favourite VNC viewer, such as '''<code>vncviewer</code>''' or Remmina. You will be presented with login screen. After you log in, the 'VNC' icon will appear in the system tray of your desktop environment. Click the icon to open the ''VNC Session'' window. If it does not appear or if your desktop environment does not support icons in the system tray, run '''<code>vncmanager-controller</code>''' manually.


===Configuring Persistant VNC Sessions===
[[File:vnc8.png|frame|center|500px|Figure 8: VNC Session Settings]]
After you enable the VNC session management as described in Procedure 4.3, "Enabling Persistent VNC Sessions", you can normally connect to the remote session with your favorite VNC viewer, such as '''<code>vncviewer</code>''' or Remmina. You will be presented with login screen. After you log in, the 'VNC' icon will appear in the system tray of your desktop environment. Click the icon to open the ''VNC Session'' window. If it does not appear or if your desktop environment does not support icons in the system tray, run '''<code>vncmanager-controller</code>''' manually.


There are several settings which influence the VNC session behaviour:
There are several settings which influence the VNC session behaviour:
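Review bot: The first sentence under "Configuring Persistent VNC Sessions" points to "Procedure 4.3", which no longer matches the title "Procedure 3: Enabling Persistent VNC Sessions" introduced earlier in this revision. In the same paragraph, "You will be presented with login screen" is missing its article ("a login screen").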
Line 235: Line 273:
Confirm with ''OK''.
Confirm with ''OK''.


===Joining Persistant VNC Sessions===
===Joining Persistent VNC Sessions===
After you set up a persistent VNC session as described in Section 4.4.2.1, "Configuring Persistent VNC Sessions", you can join it with your VNC viewer. After the your VNC client connects to the server, you will be prompted to choose whether you want to create a new session, or join the existing one:
After you set up a persistent VNC session as described in Section 4.4.2.1, "Configuring Persistent VNC Sessions", you can join it with your VNC viewer. After the your VNC client connects to the server, you will be prompted to choose whether you want to create a new session, or join the existing one:
[[File:vnc9.png|frame|center|500px|Figure 9: Joining a Persistent VNC Session]]


After you click the name of the existing session, you may be asked for login credentials, depending on the persistent session settings.
After you click the name of the existing session, you may be asked for login credentials, depending on the persistent session settings.


=Encrypted VNC Communication=
=Encrypted VNC Communication=
If the VNC server is set up properly, all communication between the VNC server and the client is encrypted. The authentication happens at the beginning of the session, the actual data transfer only begins afterward.
If the VNC server is set up properly, all communication between the VNC server and the client is encrypted. The authentication happens at the beginning of the session, the actual data transfer only begins afterwards.


Whether for a one-time or a persistent VNC session, security options are configured via the <code>-securitytypes</code> parameter of the '''<code>/usr/bin/Xvnc</code>''' command located on the <code>server_args</code> line. The <code>-securitytypes</code> parameter selects both authentication method and encryption. It has the following options:
Whether for a one-time or a persistent VNC session, security options are configured via the <code>-securitytypes</code> parameter of the '''<code>/usr/bin/Xvnc</code>''' command located on the <code>server_args</code> line. The <code>-securitytypes</code> parameter selects both authentication method and encryption. It has the following options:
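Review bot: In "Joining Persistent VNC Sessions" the sentence "After the your VNC client connects to the server" has a stray "the" that survives in both revisions. Under "Encrypted VNC Communication", the opening claim that everything is encrypted "if the VNC server is set up properly" gives the reader nothing to check; say that this depends on the security type chosen with -securitytypes and refer to the option list that follows.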
Line 267: Line 307:
TLS encryption with certificate. If you use a self-signed certificate, you will be asked to verify it on the first connection. On subsequent connections you will be warned only if the certificate changed. So you are protected against everything except man-in-the-middle on the first connection (similar to typical SSH usage). If you use a certificate signed by a certificate authority matching the machine name, then you get full security (similar to typical HTTPS usage).
TLS encryption with certificate. If you use a self-signed certificate, you will be asked to verify it on the first connection. On subsequent connections you will be warned only if the certificate changed. So you are protected against everything except man-in-the-middle on the first connection (similar to typical SSH usage). If you use a certificate signed by a certificate authority matching the machine name, then you get full security (similar to typical HTTPS usage).


<div style="background:#B6D5B2;border:1px solid #439239;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Tip: Path to Certificate and Key'''
'''Tip: Path to Certificate and Key'''
With X509 based encryption, you need to specify the path to the X509 certificate and the key with <code>-X509Cert</code> and <code>-X509Key</code> options.
With X509 based encryption, you need to specify the path to the X509 certificate and the key with <code>-X509Cert</code> and <code>-X509Key</code> options.
</div>


If you select multiple security types separated by comma, the first one supported and allowed by both client and server will be used. That way you can configure opportunistic encryption on the server. This is useful if you need to support VNC clients that do not support encryption.
If you select multiple security types separated by comma, the first one supported and allowed by both client and server will be used. That way you can configure opportunistic encryption on the server. This is useful if you need to support VNC clients that do not support encryption.


On the client, you can also specify the allowed security types to prevent a downgrade attack if you are connecting to a server which you know has encryption enabled (although our vncviewer will warn you with the "Connection not encrypted!" message in that case).
On the client, you can also specify the allowed security types to prevent a downgrade attack if you are connecting to a server which you know has encryption enabled (although our vncviewer will warn you with the "Connection not encrypted!" message in that case).
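Review bot: The final paragraph advises restricting the allowed security types on the client to prevent a downgrade attack, but does not say which client setting does this, so the advice cannot be acted on. This matters because the paragraph before it recommends listing several types on the server for clients without encryption support. Name the vncviewer option or Remmina setting. "our vncviewer" is also ambiguous on a wiki page; say which vncviewer build shows the "Connection not encrypted!" message.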