
Setting Up VNC, SSH Tunnels, and RDP

Thomas Pepler

August 8, 2016

If you have suggestions for improving this document, please email them to: [email protected]

Contents

1 Connecting to DOE Linux Machines with PuTTY
    1.1 Download and Setup PuTTY
    1.2 Configure PuTTY with DOE Connection Settings
    1.3 Start an SSH Session

2 Setting up a VNC Session
    2.1 Creating Your VNC Password
    2.2 Changing the Default Desktop Environment and Other Settings
    2.3 Creating a New VNC Session
    2.4 Listing Your VNC Sessions
    2.5 Killing a VNC Session

3 Adding an SSH Tunnel for Your VNC Session
    3.1 Find an Available Port to Use For Tunneling
    3.2 Add an SSH Tunnel to Your VNC Port

4 Using a VNC Viewer to Access the VNC Session
    4.1 Download, Install, and Run a VNC Viewer
    4.2 Launch PuTTY and Log In to the server
    4.3 Open the VNC Session

5 Adding and using SSH Tunnels for RDP (Windows machines)
    5.1 Adding the Tunnel
    5.2 Connecting to the Remote Machine


1 Connecting to DOE Linux Machines with PuTTY

1.1 Download and Setup PuTTY

1. If you do not already have PuTTY installed on your computer, then go to the following link, download and install a copy of PuTTY (on Windows OS, I recommend using the Installer executable).

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

1.2 Configure PuTTY with DOE Connection Settings

1. The easiest way to configure PuTTY is to download the Windows registry keys available from my website, here. (If this link is broken, let me know.) This file is configured for a connection to borr; you should modify the server name to the one you want. The servers are: borr, odin, and thor.

Alternatively, in PuTTY set the “Host Name”, “Port”, and “Connection Type” to those shown in figure 1, but use the server name you want. Then save these settings by typing a name in the “Saved Sessions” field (the instructions assume it was ‘doe’) and clicking “Save”. You can then skip the remaining steps in section 1.2.

2. Find where you saved the file and double-click it; this should automatically add the keys to your Windows Registry. The next time you run PuTTY there should be a saved session named ‘doe’ (see figure 1).

3. Load all the settings for the saved session by selecting the name and clicking “Load”.

1.3 Start an SSH Session

1. At the bottom of the Sessions setup page, click Open.

2. If this is the first time logging in to this server, you may be asked to add a security key for it; choose Yes to store the key and you will not get this warning next time.

3. A command prompt should pop up. Enter your DOE username and password at the prompts.

2 Setting up a VNC Session

This section describes how to use your local Windows machine to set up a remote VNC session that runs on the DOE Linux machines. The advantage of using VNC is that the session remains running even after the connection to it has closed (i.e. your applications remain open even after you close the VNC viewer).


Figure 1: An example of PuTTY with saved sessions, showing the ‘doe’ saved session.


Note: I have tried to stick to the following conventions related to using terminal commands: when asked to “enter” something at the prompt, this means type it and then push ‘Enter’ or ‘Return’ on the keyboard; when directed to “type” something, this means to type it, but omit the ‘Enter’ or ‘Return’.

2.1 Creating Your VNC Password

The first and most important thing to do is create a password (not only for your own protection, but also for that of anyone else who uses the machine).

1. At the prompt, enter vncpasswd. You will be directed to enter the password (no characters get echoed to the terminal while you enter your password), and then enter it again to verify against any typos.

2. If everything worked fine, you will be back at the prompt and your VNC session logins are now secured with a password.

An example:

    borr(tpepler): ~ $ vncpasswd
    Password:
    Verify:
    borr(tpepler): ~ $

2.2 Changing the Default Desktop Environment and Other Settings

Note: you may now be able to skip this section, as the xstartup script seems to be created with all the useful defaults now. However, I have left this section in, just in case.

If you have never run VNC before, then your xstartup script will not exist in your .vnc directory yet. In that case, skip to section 2.3 to make a “dummy” session causing the creation of your xstartup file, then section 2.5 to kill the session, then return here to change some of the default settings.

1. To get the gnome desktop environment to load when you create your VNC session, uncomment the two lines at the top of the xstartup script just after the comment “Uncomment the following two lines for normal desktop”. Use any text editor to do this, but the easiest might be: nano ~/.vnc/xstartup (you can replace ‘nano’ in the command with ‘vi’, ‘gedit’, or your own preferred editor).

2. While you’ve got the xstartup script open, you may as well make another change. To allow copy/paste from the VNC viewer window to the client (e.g. Windows) machine, add the line “vncconfig -nowin &” before the two lines you just uncommented. In general, for vncconfig to work it must be called before the desktop environment startup (in this case, before those two lines).


3. Save the file. Your xstartup should now look similar to this:

    #!/bin/sh

    # allow copy/paste, but do not pop up a window:
    vncconfig -nowin &

    # Uncomment the following two lines for normal desktop:
    unset SESSION_MANAGER
    exec /etc/X11/xinit/xinitrc

    [ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
    [ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
    xsetroot -solid grey
    #xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &

2.3 Creating a New VNC Session

1. Everything should now be set up, so start a new VNC session with a specific resolution and colour depth as follows (note: 24-bit colour is required for some CAD programs, e.g.: Cadence Virtuoso):

    borr(tpepler): ~ $ vncserver -depth 24 -geometry 1920x1080

    New 'borr.doe.carleton.ca:9 (tpepler)' desktop is borr.doe.carleton.ca:9

    Starting applications specified in /home/tpepler/.vnc/xstartup
    Log file is /home/tpepler/.vnc/borr.doe.carleton.ca:9.log

    borr(tpepler): ~ $

2. The first line that is printed by the vncserver program tells you which server and display number is associated with this new VNC session. In the example above, the server is ‘borr.doe.carleton.ca’ and the display is ‘9’. Take note of these, as you will need them to connect using your VNC viewer or when creating an SSH tunnel.

2.4 Listing Your VNC Sessions

1. The vncserver program maintains a set of files in your .vnc directory for each VNC session you have created. Currently running sessions are the files with a .pid extension, so to list your currently running sessions type “ls ~/.vnc/*.pid”, e.g.:


    borr(tpepler): ~ $ ls ~/.vnc/*.pid
    /home/tpepler/.vnc/loki:3.pid
    /home/tpepler/.vnc/borr.doe.carleton.ca:11.pid
    /home/tpepler/.vnc/loki:4.pid
    /home/tpepler/.vnc/borr.doe.carleton.ca:9.pid
    /home/tpepler/.vnc/loki:6.pid
    /home/tpepler/.vnc/oslo.doe.carleton.ca:1.pid
    borr(tpepler): ~ $

2.5 Killing a VNC Session

From time to time, you may need to close your VNC session (e.g. a program has locked up and you can’t recover). To do this, you need to know the server and VNC display number.

1. SSH in to the server using PuTTY, as outlined in section 1.3. You must be SSH’d (or logged in somehow) to the server with the VNC session you want to kill.

2. Now issue the command “vncserver -kill :<display number to kill>”.

For example, if I wanted to kill my borr:11 session:

    borr(tpepler): ~ $ vncserver -kill :11
    Killing Xvnc process ID 7881
    borr(tpepler): ~ $

3 Adding an SSH Tunnel for Your VNC Session

This section describes how to use an SSH tunnel to access your VNC session from outside the DOE network (e.g. somewhere else on campus, or off campus completely).

3.1 Find an Available Port to Use For Tunneling

1. On your Windows machine, open cmd.exe by: (a) using the Start menu search to find a program called “cmd.exe”; or (b) typing [Windows key]+R to open a run dialog, and entering “cmd”.

2. At the cmd prompt enter “netstat -ano | find "<port_number>"”. For the <port_number> you can put any number, but I suggest sticking to 4-digit numbers; 1234 seems to be open on most systems.

3. If the command returns nothing, then the port is available for your use (make a note of the number to use in a later part of the instructions). If the port is already being used, the command will return some information about the port. An example of the command, first for an unused port number and then for a used port number, is shown in figure 2.

Figure 2: Example of finding an open (“1234”) and used (“1972”) port.

3.2 Add an SSH Tunnel to Your VNC Port

1. If you have the PuTTY prompt already open, click on the icon in the top left corner of the window (see figure 3) and choose “Change Settings...”. If you’ve just started PuTTY but not opened a connection, make sure you’ve loaded the settings for ‘doe’ first (check that the Host Name and Port fields are set correctly). Either way, you should now see a PuTTY configuration window like that shown in figure 1.

2. On the navigation panel on the left, expand (if needed) Connection, and then SSH, then select Tunnels (you may need to scroll down).

3. In the Source port field, type in the open port you found in section 3.1. In the Destination field type in the port in the format “localhost:<port>”; for VNC ports, the port number is calculated as [5900] + [display number] (remember the one I told you to note down in section 2.3?).

4. Make sure the Local and Auto radio buttons are selected, then click Add to add this tunnel to the list. See figure 4 for an example.

5. Now select the Session category on the left pane of the PuTTY window, click ‘doe’ and choose Save to save the setting you just changed (i.e. added a tunnel).

6. Finally, choose Apply at the bottom to apply the changes.

Figure 3: The PuTTY window icon to access the “Change Settings” form.
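
The port check from section 3.1 and the port arithmetic from section 3.2, worked through in Python as an added example (not part of the original document). The netstat text is constructed sample data and all function names are hypothetical. It goes one step beyond the text by matching only the Local Address column, because find "1234" also returns lines where those digits appear in the PID column or inside a longer port such as 12345.

```python
import re

VNC_BASE_PORT = 5900  # the page's rule: VNC port = 5900 + display number

# Constructed `netstat -ano` output (sample data, not from a real machine).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:1972           0.0.0.0:0              LISTENING       2480
  TCP    127.0.0.1:12345        0.0.0.0:0              LISTENING       3012
  TCP    192.168.1.20:50211     203.0.113.7:443        ESTABLISHED     1972
  TCP    [::]:1972              [::]:0                 LISTENING       2480
  UDP    0.0.0.0:5353           *:*                                    1820
"""

# vncserver's first output line, as in the section 2.3 example.
SAMPLE_VNCSERVER = "New 'borr.doe.carleton.ca:9 (tpepler)' desktop is borr.doe.carleton.ca:9"


def substring_match(port, netstat_text):
    """What `find "<port>"` does: true if ANY line contains the digits."""
    return any(str(port) in line for line in netstat_text.splitlines())


def local_ports_in_use(netstat_text):
    """Exact check: collect only the port of the Local Address column."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        # The port follows the last ':' (also true for bracketed IPv6).
        port = fields[1].rsplit(":", 1)[-1]
        if port.isdigit():
            ports.add(int(port))
    return ports


def parse_display(vncserver_output):
    """Return (server, display number) from the 'desktop is host:N' text."""
    match = re.search(r"desktop is\s+(\S+):(\d+)", vncserver_output)
    if match is None:
        raise ValueError("no 'desktop is <host>:<display>' text found")
    return match.group(1), int(match.group(2))


def tunnel_fields(local_port, display, netstat_text, dest_host="localhost"):
    """Values for PuTTY's Source port and Destination fields (section 3.2)."""
    if not 1 <= local_port <= 65535:
        raise ValueError(f"invalid local port: {local_port}")
    if local_port in local_ports_in_use(netstat_text):
        raise ValueError(f"local port {local_port} is already in use")
    destination = f"{dest_host}:{VNC_BASE_PORT + display}"
    # forward_spec is the listen:host:port form that the -L option of
    # plink and OpenSSH's ssh accepts for the same local forward.
    return {"source_port": str(local_port), "destination": destination,
            "forward_spec": f"{local_port}:{destination}"}


if __name__ == "__main__":
    server, display = parse_display(SAMPLE_VNCSERVER)
    print(server, tunnel_fields(1234, display, SAMPLE_NETSTAT))
    print("find would report 1234:", substring_match(1234, SAMPLE_NETSTAT))
```

With the sample data, port 1234 is free even though a substring search reports a hit, while 1972 is rejected because it really is a local listening port.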

4 Using a VNC Viewer to Access the VNC Session

4.1 Download, Install, and Run a VNC Viewer

Any VNC viewer should work fine; however, TigerVNC works best as it allows the session screen size to be dynamically adjusted as you change the viewer window size.


Figure 4: Adding a new SSH tunnel.


4.2 Launch PuTTY and Log In to the server

If you were following the tutorial so far, PuTTY should already be running and logged into the DOE. Each time you want to access your VNC session (on or off campus), you will have to first launch PuTTY and log in as described in section 1.3.

4.3 Open the VNC Session

1. Make sure you have PuTTY running and logged in.

2. Open your VNC viewer, and in the server field enter “localhost::<local port>”,where <local port> is the “Local” port you entered in section 3.2, e.g. see figure 5.

3. Finally, click Connect. If you get a warning about this being an unencrypted connection, just continue anyway (and you can opt to not have the warning again). Next you should be prompted to enter the password that you set earlier; if that works, your VNC session should pop up.

Figure 5: Entering the server in the VNC Viewer dialog.

5 Adding and using SSH Tunnels for RDP (Windows machines)

An alternative to VNC is Remote Desktop Protocol (RDP), which is what you would use to access most machines running the Windows OS, e.g. the VLSI Windows servers maintained by Nagui, or your office computer (if it’s running Windows).

The corresponding viewer, Remote Desktop Connection, is usually installed by default on Windows; it is also available for Mac OS X, and there are equivalents for Linux (and probably other OSes).

The process for using SSH tunnels to allow RDP access is basically the same as for VNC, as shown below.


5.1 Adding the Tunnel

1. The default port for RDP is 3389 (although this can possibly be changed by the administrator; maybe there’s a way to find what it is, please let me know if you find out how).

2. Follow the same steps as in 3.1 and 3.2, except the destination port should be 3389 (or whatever else, if not the default), e.g.: “134.117.38.203:3389”.

Note: For the VLSI servers maintained by Nagui, you will have to use the IP address rather than the machine name, as the DNS does not seem to be configured for them. Following is a list of the server names and corresponding IPs:

    Server                  IP address
    Rami                    134.117.38.25
    Marianne                134.117.38.41
    macopeland              134.117.38.70
    Tewfik                  134.117.38.186
    Michel                  134.117.38.193
    Sobhi                   134.117.38.195
    Galal                   134.117.38.196
    Marie                   134.117.38.203
    eli                     134.117.38.204
    Mounir                  134.117.38.207
    gabrielle               134.117.38.242
    knight                  134.117.38.243
    gisele                  134.117.39.42
    Celine                  134.117.38.68
    Celine (using IPv6)*    fe80::716a:8e3e:e63:454b

* IPv6 addresses like that shown are only supported in the latest (nightly) builds of PuTTY, and should be included in PuTTY 0.65, when it’s released (I assume). You would need to surround the address in square brackets, e.g.: “[fe80::1c90:cc21:63ad:da42]:3389”. After trying all of that, it was still not working for me; let me know if you have any success.

5.2 Connecting to the Remote Machine

1. Open Remote Desktop Connection, and in the “Computer” field, type “localhost:<local port number>”, e.g. if I used port number 2345, that would be “localhost:2345” (see figure 6).


2. Before connecting, you can adjust display options by clicking “Show Options”, and then the “Display” tab (see figure 7). Here you can adjust the screen resolution of the remote session by dragging the slider.

You can also use all monitors (if you have more than 1), by checking “Use all my monitors...” (although this may not work depending on the version of Windows running on the remote machine).

As well, you can change the colour depth (24-bit is recommended since some programs cannot run with less).

3. After making any changes, click “Connect” and you should be prompted to enter your username and password. You have to make sure your username also includes the correct domain, in the format of <domain>\<username>, e.g. vlsi1\tpepler. The VLSI servers use the domain name of “vlsi1” while any of the DOE computers have the domain of “doe.carleton.ca”.

Figure 6: Example screenshot of Remote Desktop Connection for a tunnel through local port 2345.


Figure 7: Example screenshot of Remote Desktop Connection display options.
