<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head><title>Remote LTSP access with SSHVNC applet</title> <meta name="description" content="Remote LTSP access with SSHVNC applet"> <meta name="keywords" content="sshvnc"> <meta name="resource-type" content="document"> <meta name="distribution" content="global"> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <meta name="Generator" content="LaTeX2HTML v2K.1beta"> <meta http-equiv="Content-Style-Type" content="text/css"> <link rel="STYLESHEET" href="sshvnc.css"></head> <body> <h1 align="center">Remote LTSP access with SSHVNC applet</h1> <h1><a name="SECTION00010000000000000000"> 1 Introduction</a> </h1> Using VNC and ssh, it is possible to allow your LTSP users to access your terminal server securely from anywhere in the world. This is very useful for road warriors, students/teachers at home, etc. While this can be done with ssh port forwarding and the VNC client, that solution can be confusing for normal end users. This document will show how that works, but will also introduce a solution using the SSHVNC java applet from http://www.sshtools.com/. This simplifies the process by wrapping the ssh port forwarding and VNC client into one applet. All the user needs is a url, their username and their password. No special knowledge or training is required. After logging into the applet, he user will have exactly the same interface they would have if they were sitting at one of your LTSP terminals, and there is no special software required for the user, only an Internet connection and a web browser with Java. The emphasis on this solution is on ease of use for end users. I wanted a way for our remote users to use our terminal server without knowing anything but their username and password. Because the SSHVNC applet implements ssh port forwarding, the only port that needs to be accessible on your terminal server is the ssh port (22). All the data to and from your terminal server is delivered over a secure ssh connection. <h1><a name="SECTION00020000000000000000"> 2 Overview</a> </h1> Here are the basic components needed to implement this solution <ul> <li>VNC server - There are many. I use the server from http://www.tightvnc.org/ </li> <li>Web server - Again, there are many. I use apache http://www.apache.org/ </li> <li>ssh server - Linux distributions all come with the ssh server from http://www.ssh.org/ </li> <li>SSHVNC applet - This is available from http://www.sshtools.org/ </li> </ul> You will need to enable ssh access to your terminal server. With normal ssh port forwarding and VNC, you can forward the ports from a gateway, but the SSHVNC client requires that the ssh server is running on the box you are connecting to with VNC. The applet can live on any web server. If you already have a web server up, you can put it on that. There is no need to set up another web server. You will configure the applet to connect to the right ssh server. The VNC server will be set up to start via the Internet Daemon (inetd/xinetd). This will allow a new VNC server to be started automagically for all incoming connections. <h1><a name="SECTION00030000000000000000"> 3 Getting the software</a> </h1> <h2><a name="SECTION00031000000000000000"> 3.1 Getting Apache</a> </h2> Installation and configuration of Apache is beyond the scope of this document. The instructions will depend on what distribution you are using and whether you are installing a binary package or compiling from source. There is excellent documentation on the Apache web site. <ul> <li>http://www.apache.org </li> </ul> Once you have Apache installed, there are a few things you can do to make it easier for your users. You might want to set up a virtual server for the SSHVNC applet and made an index file that launches the applet in a different window. I'll give an example below in the SSHVNC configuration section. <h2><a name="SECTION00032000000000000000"> 3.2 Getting SSHVNC</a> </h2> The SSHVNC applet is available here <ul> <li>http://sourceforge.net/projects/sshtools </li> </ul> There is also an SSHVNC client that can be installed locally. This has the advantage of a seucre file transfer client, but it requires that the user install and configure the software on their local machine. I was going for no software install and ease of use with this setup. Installing the applet is easy. Simply download it and extract it to a directory that is accessible by your web server. For example, if you downloaded it to /usr/local/src/ and your apache document root is /usr/local/apache2/htdocs <blockquote> cd /usr/local/apache2/htdocs/ </blockquote> <blockquote>tar -xvzf /usr/local/src/SSHVnc-0.1.3-applet-signed.tar.gz </blockquote> If Apache is running, you should now be able to point your browser at your web server and the applet will download and run like so <blockquote> http://my.web.server/ssh-applet/ssh-applet.htm </blockquote> <h2><a name="SECTION00033000000000000000"> 3.3 Getting sshd</a> </h2> Most Linux distributions come with an ssh server already. If you don't already have one, check your distribution for the specifics on installing one, or visit http://www.ssh.org/ Once you have an ssh server installed, you can verify that it is running with <blockquote> ps waux | grep sshd </blockquote> You should see a line like this in the output <blockquote> root 934 0.0 0.0 2620 1032 ? S Mar26 0:13 /usr/sbin/sshd </blockquote> <h2><a name="SECTION00034000000000000000"> 3.4 Getting the VNC server</a> </h2> There are many VNC servers. I use the tightVNC server because one of their focuses is low bandwidth operation. I want the experience to be as useful as possible for my users on slow dial up connections. The tightVNC server is available here <blockquote> http://www.tightvnc.org/ </blockquote> It is available in either rpm or source formats. If your distribution supports rpm, installing it is as easy as <blockquote> rpm -ivh tightvnc-server-1.2.9-1.i386.rpm </blockquote> If your distribution doesn't support rpm or you would like to compile it locally for some reason, download the source and read the INSTALL file. <h1><a name="SECTION00040000000000000000"> 4 Configuring the software</a> </h1> There are two major components to the configuration. They are configuring the SSHVNC client and configuring the VNC server to use the internet daemon. <h2><a name="SECTION00041000000000000000"> 4.1 Configuring the VNC server</a> </h2> In order for a new VNC server to be spawned each time a user connects, we need to set up the Internet Daemon (inetd/xinetd.) Suse Linux handles starting the VNC server through inetd very well. My terminal server is currently RedHat, so I modified the Suse configuration to fit. <h3><a name="SECTION00041100000000000000"> 4.1.1 Setting up inetd</a> </h3> Some distributions use inetd, some use xinetd, the extended internet daemon. You may have to adjust this configuration depending on your distribution. This configuration is currently running on RedHat 7.3 which uses xinetd. In order to enable a service in xinetd, you set up a file in /etc/xinetd.d for that service. In this case, we create the file /etc/xinetd.d/vnc <blockquote> # default: off </blockquote> <blockquote># description: This serves out a VNC connection which starts at a KDM login \ </blockquote> <blockquote># prompt. This VNC connection has a resolution of 1024x768, 16bit depth. </blockquote> <blockquote>service vnc10 { </blockquote> <blockquote>disable = no </blockquote> <blockquote>socket_type = stream </blockquote> <blockquote>protocol = tcp </blockquote> <blockquote>wait = no </blockquote> <blockquote>user = nobody </blockquote> <blockquote># server = /usr/X11R6/bin/Xvnc </blockquote> <blockquote>server = /usr/bin/Xvnc </blockquote> <blockquote># server_args = :42 -inetd -once -query localhost -geometry 1024x768 -depth 16 </blockquote> <blockquote>server_args = :42 -inetd -once -query localhost -geometry 800x600 -depth 16 -fp tcp/fonts1.gouldacademy.internal:7100 </blockquote> <blockquote>type = UNLISTED </blockquote> <blockquote># port = 5910 </blockquote> <blockquote>port = 5901 </blockquote> <blockquote>} </blockquote> <blockquote>service vnchttpd10 { </blockquote> <blockquote>disable = no </blockquote> <blockquote>socket_type = stream </blockquote> <blockquote>protocol = tcp </blockquote> <blockquote>wait = no </blockquote> <blockquote>user = nobody </blockquote> <blockquote>server = /usr/X11R6/bin/vnc_inetd_httpd </blockquote> <blockquote># server = /usr/bin/Xvnc </blockquote> <blockquote>server_args = 800 600 5910 </blockquote> <blockquote># server_args = -inetd -httpport 5910 -httpd /usr/share/vnc/classes </blockquote> <blockquote>type = UNLISTED </blockquote> <blockquote># port = 5810 </blockquote> <blockquote>port = 5801 </blockquote> <blockquote>} </blockquote> Now you can restart the xinetd server with /etc/init.d/xinetd restart As you can see, xinetd will start a script called vnc_inetd_httpd when accessed on port 5801. This script was slightly modified from the Suse script of the same name. I'll include links to copies of these files because the formatting here might not be great. Here it is. <blockquote> #!/bin/sh </blockquote> <blockquote>read request url httptype || exit 0 </blockquote> <blockquote>url="${url/M/}" </blockquote> <blockquote>httptype="${httptype/M/}"</blockquote> <blockquote>width=$1 </blockquote> <blockquote>height=$2 </blockquote> <blockquote>port=$3</blockquote> <blockquote>if [ "x$httptype" != "x" ]; then </blockquote> <blockquote>line="x" </blockquote> <blockquote>while [ -n "$line" ]; do </blockquote> <blockquote>read line || exit 0 </blockquote> <blockquote>line="${line/M/}" </blockquote> <blockquote>done </blockquote> <blockquote>fi </blockquote> <blockquote>case "$url" in </blockquote> <blockquote>/) </blockquote> <blockquote># We need the size of the display for the current applet. </blockquote> <blockquote># The VNC menubar is 20 pixels high ... </blockquote> <blockquote>height=$((height+20)) </blockquote> <blockquote>ctype="text/html" </blockquote> <blockquote>content=" <HTML><HEAD><TITLE>Remote Desktop</TITLE></HEAD> <BODY> <APPLET CODE=VncViewer.class ARCHIVE=VncViewer.jar WIDTH=$width HEIGHT=$height> <param name=PORT value=$port> </APPLET> </BODY></HTML>" </blockquote> <blockquote>;; </blockquote> <blockquote>*.jar|*.class) </blockquote> <blockquote># Use basename to make sure we have just a filename, not ../../... </blockquote> <blockquote>url=${url/.*\/} </blockquote> <blockquote>ctype="application/octet-stream" </blockquote> <blockquote>cfile="/usr/share/vnc/classes/$url" </blockquote> <blockquote>content="FILE" </blockquote> <blockquote>;; </blockquote> <blockquote>esac</blockquote> <blockquote>if [ "x$httptype" != "x" ]; then </blockquote> <blockquote>echo "HTTP/1.0 200 OK" </blockquote> <blockquote>echo "Content-Type: $ctype" </blockquote> <blockquote>if [ "$content" == "FILE" ]; then </blockquote> <blockquote>clen=`wc -c "$cfile"` </blockquote> <blockquote>else </blockquote> <blockquote>clen=`echo "$content"|wc -c`</blockquote> <blockquote>fi </blockquote> <blockquote>echo "Content-Length: $clen" </blockquote> <blockquote>echo "Connection: close" </blockquote> <blockquote>echo </blockquote> <blockquote>fi</blockquote> <blockquote>if [ "$request" == "GET" ]; then </blockquote> <blockquote>if [ "$content" == "FILE" ]; then </blockquote> <blockquote>cat "$cfile" </blockquote> <blockquote>else </blockquote> <blockquote>echo "$content" </blockquote> <blockquote>fi </blockquote> <blockquote>fi </blockquote> <blockquote>exit 0</blockquote> <h2><a name="SECTION00042000000000000000"> 4.2 Configuring the SSHVNC client</a> </h2> Once you have the SSHVNC client extracted and accessible through apache, you will want to make it easy for your users to connect. You can do this by specifying most of the ssh and vnc configuration options for them. This is done by editing the sshvnc-applet.htm file. Here is an example. <blockquote> <applet width="820" height="675" archive="SSHVncApplet-signed.jar,SSHVncApple\t-jdkbug-workaround-signed.jar,SSHVncApplet-jdk1.3.1-dependencies-signed.jar" code="com.sshtools.sshvnc.SshVNCApplet" codebase="." style="border-style: solid; border-width: 1; padding-left: 4; padd\ing-right: 4; padding-top: 1; padding-bottom: 1"> </blockquote> <blockquote><param name="sshapps.connection.connectImmediately" value="true"> </blockquote> <blockquote><param name="sshapps.connection.host" value="my.server.com"> </blockquote> <blockquote><param name="sshapps.connection.userName" value=""></blockquote> <blockquote><param name="sshapps.connection.showConnectionDialog" value="true"> </blockquote> <blockquote><param name="sshapps.connection.authenticationMethod" value="password"> </blockquote> <blockquote><param name="sshvnc.connection.vncHostDisplay" value="localhost:5901"> </blockquote> <blockquote></applet</blockquote> You should now be able to connect to your terminal server from anywhere with any Java enabled web browser. Simply point your browser at the applet on your web server and it will set up the ssh port forwarding and VNC connection for you. Remember, VNC is a remote control program, so you are really just looking at an image of your desktop. You should be able to do exactly the same things that you can do on an X terminal on your netowrk. I have found the performance to be excellent over DSL, and acceptable over dialup. Remember, any fancy graphics, window managers, background images, etc. will affect your performance. I am using icewm as my window manager with a simple blank background. <h1><a name="SECTION00050000000000000000"> 5 Manual ssh port forwarding</a> </h1> Here are some resources if you would like to learn more about ssh port forwarding, particularly as it relates to VNC. While this document focuses on the SSHVNC applet, you can accomplish the same thing with a VNC client installed on the computer that is accessing remotely, and ssh port forwarding. On windows you can accomplish the ssh port forwarding with putty.exe <ul> <li>VNC port forwarding with ssh: HOWTO - James Lindler - http://www.ltsp.org/contrib/vnc.html </li> <li>Making VNC more secure using SSH - http://www.uk.research.att.com/archive/vnc/sshvnc.html </li> </ul> <h1><a name="SECTION00060000000000000000"> 6 Conclusion</a> </h1> One of the great advantages of LTSP is the centralized administration and maintenance. This setup allows you to leverage your existing services to your users when they are not physically on your network. In a sense, you are making all your local network services ``web enabled'' with very little additional support overhead. I'm sure this document needs improvement. Feedback is appreciated and ``patches'' are welcome. Also, feel free to contact me if you have questions. Derek.Dresser@gouldacademy.org <h2><a name="SECTION00061000000000000000"> 6.1 Caveats</a> </h2> One of the big issues users run into right off using VNC is that there is no provision for moving files from the terminal server to your local machine. Right now we deal with this by emailing files from the terminal server session and then retrieving them locally, but this is a bit confusing for some people. If anyone knows a simple web based secure file transfer mechanism, please let me know. <h1><a name="SECTION00070000000000000000"> About this document ...</a> </h1> Remote LTSP access with SSHVNC applet This document was generated using the <a href="http://www-texdev.mpce.mq.edu.au/l2h/docs/manual/">LaTeX2<tt>HTML</tt></a> translator Version 2K.1beta (1.48) Copyright � 1993, 1994, 1995, 1996, <a href="http://cbl.leeds.ac.uk/nikos/personal.html">Nikos Drakos</a>, Computer Based Learning Unit, University of Leeds. Copyright � 1997, 1998, 1999, <a href="http://www.maths.mq.edu.au/%7Eross/">Ross Moore</a>, Mathematics Department, Macquarie University, Sydney. The command line arguments were: latex2html <tt>-no_subdir -split 0 -show_section_numbers /tmp/lyx_tmpdir3335AjsNpl/lyx_tmpbuf3335kXxQv7/sshvnc.tex</tt> The translation was initiated by Derek.Dresser@gouldacademy.org on 2004-04-22<hr> <address> Debian User 2004-04-22 </address> </body></html>