by Georges Tarbouriech
About the author:
Georges is a long time Unix user (commercial and free). VNC changed his life:-).
VNC is the dream of the network administrator come true.
We could say it's a remote display system, but it's much more than that.
Visiting http://www.uk.research.att.com allows you to get this great piece of software for FREE. VNC is distributed under the GPL and is available for a lot of platforms.
Obviously you can contribute, and many ports to different OSes have been done by contributors.
Let's try to discover the many features of VNC.
The server side
The current version of VNC is 3.3.3, with a different release number according to the platform.
The client side (the viewer)
The client is a single executable called vncviewer.
To connect to a VNC server you just have to launch vncviewer, specifying the display number. For instance, if you want to connect to a server called linux on display number 2, you just have to type "vncviewer linux:2". You are then asked for the server password, and you're on the linux machine's desktop as if you were working on that machine. If you logged in as root, you can fully administer that machine. Well, take care, you had better know what you are doing!
This is available for each viewer on every platform. Just a word: fantastic!
On a local (because of the speed) network, VNC allows you to do quite unusual things.
Everything seems possible: you can launch any type of application on any OS.
For instance, if you run vncserver on a Windows NT machine and launch a viewer on BeOS, you're able to use all the software available on the NT machine.
Let's say you own a Photoshop license: you can run Photoshop on your BeOS machine as you would on the NT machine. This means that a window opens on your BeOS desktop representing the NT desktop: that is, you are working on the NT machine!
Photoshop on BeOS!
Or Gimp on Windows?
Once again, this can be done from any machine running a VNC
Another example: if you're working on a machine without Internet access, you can connect to a vncserver that has an Internet connection and use its browser to visit a URL. Obviously you can also use its mailer to check the mailbox or send a message.
The vncviewer has no Internet access, nevertheless...
Going further, you can connect to a vncserver and from there connect to any other machine on the network and, why not, run a new vncviewer from that machine to connect to another vncserver, and so on!
If you run a vncserver on a Unix machine, many other machines running vncviewer can connect to this server at the same time, using different display numbers. This won't work on Windows machines, as you only have one display available.
Well, that doesn't mean what we said before wasn't serious!
For instance, every SysAdmin can appreciate Windows NT administration: you don't even know who is connected to a server and, of course, who is doing what... unless you bought the resource kit, which at least allows you to get the list of running processes on a specific machine (but without being able to kill most of them). No comment!
VNC lets you work around this great "feature".
Let's take an example.
You're developing and maintaining different Windows applications (My fellow Javi says: when you're a poor man you can't choose!). Every new version requires an update on the server and on the clients. The machines are more or less far from your office.
Obviously, you can't update the application if it's running on one or more clients.
With VNC, you can stop the application on every client, install the update, check it... without leaving your office. Well, it's much better to do this when nobody is working, but many users forget to quit the application after use, so you'll have to check whether the application is running or not.
As soon as VNC is installed as a service on the workstations, you can start vncserver remotely from the NT server and then connect to them and do what you have to. That is, you can stop the running application, install the upgrade (even from a different NT server than the one you're working on and which is connected to the vncserver), and check that the upgrade works right. Then you can stop the vncserver on the remote machine and do the same work on another workstation.
This wouldn't be possible that way with an X emulation on the Windows machines, because even the installer is proprietary. Another difference: unlike under X11, no state is stored on the viewer side. You can disconnect from the vncserver, go to another machine, connect again to the vncserver and continue your work!
Something important: VNC allows you to send a Ctrl-Alt-Del to unlock the remote NT workstation. (It wasn't possible on previous releases).
This example assumed we were working from an NT server. You can do exactly the same from a Unix workstation, running a vncviewer connected to the NT server running vncserver.
Obviously you can administer the whole network that way, using remote commands (if they exist) to launch the vncservers on the remote machines, as long as you have the rights to do so.
Going further, "remote" means anywhere else. That is, you could do this from home!
That leads us to security.
Every communication task within a network can be considered as a potential security hole.
It's a fact! The only thing you can do is to try to reduce the risk. Don't be fooled: security is only a word. If someone tells you his network is 100% secure, don't believe him! Hackers are much more clever than people think: it's another fact.
Accordingly, to secure VNC you must secure your network. Firewalls, SSL, SSH... can be used to improve security.
SSL and SSH allow you to encrypt the traffic in two different ways. We won't talk about SSL or SSH here, as they are a completely different subject. If you want to know more about them, you can have a look at the SSH website, http://www.ssh.fi, or at the open source SSL at http://www.openssl.org
Extras, patches and add-ons for security are available from the AT&T website. Among them you can find a way to access a server behind a firewall.
Also available is a version of VNC using SSLeay public key encryption.
Another security feature is to restrict connections by IP address.
There are many more and we won't list them all. You can check http://www.uk.research.att.com/vnc/extras.html
VNC also has a Java implementation. That means you can use a Java-compliant web browser as a viewer, as long as you use the right port (58**, where ** means the display number: e.g. 5802 corresponds to display 2). This had to be mentioned, but it's awfully slow and it's a security hole. But it does exist and deserves some testing.
To close the security chapter, in short, "as is", VNC is not a bigger security hole than telnet or rlogin.
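The following shell functions are an added example, not part of the original article or of the VNC distribution. They turn a display number into the ports it opens and print the SSH tunnel and IP-restriction commands discussed above; the 5900 base port is the standard VNC convention rather than something stated on this page, and the iptables rules and the address 192.0.2.10 are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example: maps a VNC display number to its TCP ports and prints
# hardening commands. Nothing is executed; the commands are only printed.

# Accept only display numbers 0-99 (the two digits of "58**").
valid_display() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 2 ]
}

# $1 = base port, $2 = display. A leading zero is stripped so that "08"
# is not read as an invalid octal number by the shell.
port_for() {
    valid_display "$2" || return 1
    n=${2#0}
    echo $(( $1 + ${n:-0} ))
}
rfb_port()  { port_for 5900 "$1"; }   # viewer port (VNC convention, not on the page)
java_port() { port_for 5800 "$1"; }   # Java viewer port, the article's 58**

# Print the ssh command that forwards display $2 of host $1 through an
# encrypted tunnel; the viewer is then pointed at localhost:<display>.
tunnel_cmd() {
    p=$(rfb_port "$2") || return 1
    echo "ssh -N -L $p:localhost:$p $1"
}

# Print iptables rules admitting a single source address ($2) to display $1
# and dropping all other traffic to both of its ports.
allow_only() {
    case "$2" in ''|*[!0-9./]*) return 1 ;; esac
    r=$(rfb_port "$1") && j=$(java_port "$1") || return 1
    for p in "$r" "$j"; do
        echo "iptables -A INPUT -p tcp --dport $p -s $2 -j ACCEPT"
        echo "iptables -A INPUT -p tcp --dport $p -j DROP"
    done
}

# Constructed sample: display 2 on the host "linux", admin station 192.0.2.10.
tunnel_cmd linux 2
allow_only 2 192.0.2.10
```

With the tunnel up, "vncviewer localhost:2" reaches the server over SSH, so the server's VNC ports only need to accept connections from the loopback address.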
If you don't know VNC, it's worth testing. We hope this article will be able to make VNC attractive to you. It's probably one of the greatest pieces of software in this category.
It's small in size, rather fast (of course, it depends on the network or on the type of connection) and it's FREE!
VNC is quite reliable, and the only problem I had with the latest release concerned the Windows version: if the user of a remote NT workstation has left the CapsLock key down, the send Ctrl-Alt-Del command seems not to work (my co-worker suggests writing the password into an editor, copying it, and pasting it into the password field... and it works!). That's all I was able to find! Nevertheless I use VNC on Solaris Sparc, Irix, Linux, BeOS, AmigaOS and NT. The least developed version is the AmigaOS version.
What you just read only represents a small part of VNC capabilities.
VNC is beginning to appear in some Linux distributions, a sign of a wider interest in this software.
If you have a small network at home or a big one at work, just try VNC. It's great!
When I told you we were living a great time...
© Georges Tarbouriech, FDL
2001-01-27, generated by lfparser version 2.8