Accessing your desktop remotely is a convenience that we all appreciate. Many people set up VNC Server and an associated client in order to have their full ‘X’ capable desktop with them wherever they have a network connection. What some do not realize is that VNC as a protocol is extremely insecure and very susceptible to MitM snooping (Man in the Middle) since much of the text back and forth between client and server is transmitted as clear text. Today we are going to install and configure a simple VNC Server, access it with a VNC client and then add some security by using it over SSH.Simple Server SetupWe are going to use ‘tightvncserver’ to get ourselves up and running:sudo apt-get install tightvncserver
Next, we need to set an access password for the vncserver once we start it up:vncpasswd
Will prompt us for a password. Note that the current version of ‘tightvncserver’ will automatically truncate any password entered here to eight characters (yet another reason we need to add security to our connections). You have the opportunity to set a second password that will allow ‘view only’ access to the desktop, pressing ENTER here will disable that function.If you tried to start the vncserver right now, it would start with the default built ‘xstartup’ script created in the ‘/home/user/.vnc’ directory. However, it would be a mess. Unity is not supported in 3D mode in VNC, so you end up with a desktop that is empty (no menu bar, no side bar). We can fix that easily enough as so by installing:sudo apt-get install gnome-session-fallback
This will enable the session type of ‘gnome-classic’ in our configuration. So, edit your /home/user/.vnc/xstartup file and make sure it looks like this:
#!/bin/sh# Uncomment the following two lines for normal desktop:unset SESSION_MANAGER#exec /etc/X11/xinit/xinitrcgnome-session –session=gnome-classic &[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresourcesxsetroot -solid greyvncconfig -iconic &#x-terminal-emulator -geometry 1280×1024+10+10 -ls -title “$VNCDESKTOP Desktop” &#x-window-manager &
Finally, we can start our vncserver at the command line:vncserverYou should see a few lines of text, which will include the message “New ‘X’ desktop is HOSTNAME:1” although the ‘1’ may be another number depending on your local configuration. Now, lets connect to it.Simpler Client SetupLet’s install a simple VNC client to connect to our newly minted VNC server, our command is:sudo apt-get install xtightvncviewer
This will install the package and create some shortcuts so we can use a common command to connect. Easiest way is to connect to our server is to bring up the client:vncviewer
Which will give you this:

VNCViewer Prompt

Our Unity 2D Classic Desktop
ssh -L 5901:127.0.0.1:5901 username@remotehost
Then fire up another shell on your client and type:vncviewer 127.0.0.1:5901
Huh? That looks like I am connecting to my local system you say? Well, you would be right. The first command tells your system to create an SSH tunnel from your local port 5901 to port 5901 on the ‘remotehost’ connecting as ‘username’. This secures and encrypts all the ‘forwarded’ traffic over SSH (the same was a ‘x-forwarding’ can let you run a remote gui command locally).Final ThoughtsAs we have discussed in previous articles, security is important and never gets enough attention. The more layers of encryption and abstraction between and end user and the system(s) being accessed, the better it is for you and your organization. In this case where you may be accessing your home system remotely, you can expose SSH without the compromises that come from VNC alone.Of course I would always recommend you set up a VPN solution for connecting to your desktop or server from wherever you are from, however, incoming VPN is restricted by many ISPs where SSH is generally left alone. As long as you keep your system patched and enforce a good password security policy (one that makes brute force password attacks take such a long time they are abandoned), then this setup is a good compromise.Once you are confident in your configuration, you can simply add the ‘vncserver’ service to your /etc/rc.d/rc.local file on boot. As always, drop me a comment or share your experience.