VNC® documentation

Overview

Configuration of VNC Server for UNIX is done via configuration parameters. The most common of these are described in the Xvnc man page and a full list can be obtained by running the command vncserver -list. Configuration parameters can be specified in one of three ways, each covered in a section below: in a configuration file, on the command-line, or using vncconfig.

This page attempts to provide some common configuration scenarios.

Specifying Configuration Parameters in a Configuration File

Both vncserver and the vnc.so module can be configured using configuration files, but the location and format of these files differ:

Specifying Configuration Parameters on the Command-Line

With the exception of the vnc.so module, all VNC Server programs can take configuration parameters on the command-line. The basic command-line syntax is -name=value. In the case of vncserver, parameters specified on the command-line override those specified in configuration files.

Changing Configuration Parameters using vncconfig

Once a VNC Server is running, the vncconfig applet can be used to change the configuration settings. See the vncconfig man page for details.

Common Configuration Scenarios

Most VNC parameters are optional and have sensible defaults. However, to allow connections, you must set some parameters. It is intentionally the case that an unconfigured VNC Server will not accept connections. The configuration scenarios in the following sections should give some guidelines as to what will work best for you.

Maximum Security

For maximum security, you should configure the VNC server to use an encrypted connection. You should also use UNIX authentication, restrict the allowed users, and enable the query connection mechanism to manually approve new connections:

SecurityTypes=RA2
RSA_Private_Key_File=$HOME/.vnc/private.key
UserPasswdVerifier=UnixAuth
AllowedUsers=root:f,bob:f
AllowedGroups=staff:d
QueryConnect=1

With the above configuration, only encrypted connections are supported. This could be relaxed by changing the SecurityTypes parameter from RA2 to RA2,RA2ne, ensuring that the password is always encrypted, but allowing viewers to request an unencrypted session. Both bob and the superuser are granted full access rights and can connect without approval; members of the staff group can also connect, but must be approved. All users must enter their UNIX password in order to connect.

Note that in order for querying of connections to work, you must be running the vncconfig applet on the desktop when using the vnc.so module (this is not necessary for x0vncserver).

You can also restrict access to the server based on IP address using the Hosts parameter, for example:

Hosts=192.168.0.0/255.255.0.0

If you are not using vncserver then you will also need to manually run the vnckeygen command to generate a secure key:

vnckeygen
Generating primes:
  p: ......................................
  q: ...................

Support legacy viewers

To support legacy viewers, you will need to disable encryption and use VNC authentication. You will also need to specify where the password is stored:

SecurityTypes=VncAuth
UserPasswdVerifier=VncAuth
PasswordFile=$HOME/.vnc/passwd

If you are not using vncserver then you will also need to manually run the vncpasswd command and enter a password with which to access your VNC desktops:

vncpasswd
Password:
Verify:
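
The following is an added example, not part of the original documentation or RealVNC's own tooling: a small audit that reads a name=value parameter file and reports where it departs from the Maximum Security scenario above, including the optional Hosts restriction. The sample files are constructed from the settings shown on this page, and the function names and the treatment of '#' lines as comments are assumptions.

```python
# Added example (not RealVNC code). Sample parameter files are constructed.
HARDENED = """SecurityTypes=RA2
UserPasswdVerifier=UnixAuth
AllowedUsers=root:f,bob:f
AllowedGroups=staff:d
QueryConnect=1
Hosts=192.168.0.0/255.255.0.0
"""
RELAXED = HARDENED.replace("SecurityTypes=RA2", "SecurityTypes=RA2,RA2ne")
LEGACY = """SecurityTypes=VncAuth
UserPasswdVerifier=VncAuth
PasswordFile=$HOME/.vnc/passwd
"""

def parse_params(text):
    """Parse name=value lines; blank lines and '#' comments (assumed) are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def audit(text):
    """Return deviations from the Maximum Security scenario (empty list = none)."""
    p = parse_params(text)
    findings = []
    types = [t.strip() for t in p.get("SecurityTypes", "").split(",") if t.strip()]
    if not types:
        findings.append("SecurityTypes is not set")
    for t in types:
        if t == "RA2ne":
            findings.append("RA2ne lets viewers request an unencrypted session")
        elif t != "RA2":
            findings.append(f"SecurityTypes includes {t}, which is not RA2")
    if p.get("UserPasswdVerifier") != "UnixAuth":
        findings.append("UserPasswdVerifier is not UnixAuth")
    if p.get("QueryConnect") != "1":
        findings.append("QueryConnect is not enabled")
    if not (p.get("AllowedUsers") or p.get("AllowedGroups")):
        findings.append("no AllowedUsers or AllowedGroups restriction")
    if not p.get("Hosts"):
        findings.append("Hosts is not set, so there is no IP address restriction")
    return findings

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("relaxed", RELAXED), ("legacy", LEGACY)):
        print(label, audit(sample))
```

The legacy-viewer configuration is expected to fail every check; the audit makes explicit which protections are given up when it is deployed.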