How to access a linux pc desktop from an Internet Tablet using VNC and SSH

From Internet Tablet Talk

There are various ways to see and control the desktop of your PC on your Internet Tablet, both via a local network and the internet. While it is possible to connect to a PC running basically any operating system, the examples below only cover (Ubuntu) Linux. These are by no means the 'best' or only ways to do so, but they are fairly straightforward and secure. Setup is not hard as long as you are comfortable using the command line and editing configuration files.

First you need software on the PC. You can set it up so that you log into an existing session and see the exact same screen as the PC, or so that a new session is created each time you log in. For the first option install x11vnc on the PC, and for the second option tightvncserver. It is not possible to hear sound from the PC using either method; for that you need a different method such as X forwarding.

Important notice

When using SSH, only the actual SSH tunnel is secure. Remember that you have to open a port on the firewall of your local Ubuntu machine (or its Internet gateway). Therefore thousands of script kiddies can try to gain root access via SSH on your Ubuntu machine the moment you open the ports on your firewall. To prevent this, you need to block SSH Brute Force Attacks and disable SSH root access. This is explained on the following web pages:

Using-pam-to-block-brute-force-attacks

Protecting Linux against automated attackers

Keeping SSH access secure

The most important thing is: "PermitRootLogin no" in the /etc/ssh/sshd_config file.
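A quick way to check that setting, as an added example (not taken from this page or the linked ones; the function names are hypothetical). sshd uses the first value it reads for each keyword, so the check looks for the first global "PermitRootLogin" line and does not follow Include files or Match blocks.

```sh
#!/bin/sh
# Added example: report the effective global value of an sshd_config keyword.
# sshd keeps the FIRST value it reads for a keyword, so a later
# "PermitRootLogin no" does not override an earlier "PermitRootLogin yes".

sshd_opt() {  # usage: sshd_opt FILE KEYWORD -> prints value, nothing if unset
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        { sub(/^[ \t]+/, "") }                 # strip leading whitespace
        /^#/ || /^$/ { next }                  # skip comments and blank lines
        tolower($1) == "match" { exit }        # Match blocks are conditional: stop
        {
            line = $0
            sub(/[ \t]*=[ \t]*|[ \t]+/, " ", line)   # "key=value" or "key value"
            split(line, f, " ")
            if (tolower(f[1]) == want) { print f[2]; exit }
        }' "$1"
}

root_login_disabled() {  # true only for an explicit global "PermitRootLogin no"
    [ "$(sshd_opt "$1" PermitRootLogin)" = "no" ]
}

# Constructed sample config (not from a real host): the early "yes" wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
Port 22
permitrootlogin yes
PasswordAuthentication yes
PermitRootLogin no
Match User backup
    PermitRootLogin forced-commands-only
EOF

if root_login_disabled "$sample"; then
    echo "root login disabled"
else
    echo "root login NOT disabled (effective: $(sshd_opt "$sample" PermitRootLogin))"
fi
rm -f "$sample"
```

On the Ubuntu machine itself, running "sshd -T" as root prints the configuration sshd will actually use, including included files.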


Update: Unfortunately pam_abl seems to have problems creating its host_db, this seems to be a bug in openssl, see: Bug#405041: openssh-server: Problem with pam-stack. Cleanup doesn't call pam_end() after auth failure and breaks pam-abl

A good and easy alternative to pam_abl seems to be denyhosts, see:

HOWTO: Installing DenyHosts

Option 1: x11vnc

This option is especially useful if you want to control the desktop you used while you were actually at your host computer. Meaning: If you were typing a letter in OpenOffice when you left the host computer in a hurry, you can now continue right where you stopped.

As the desktop is transferred via the SSH tunnel "as is", this option needs more bandwidth than the tightvnc option and is therefore less responsive. Tightvnc creates a new, virtual desktop for the remote VNC user and is therefore useful if you only need access to files or programs on the host computer that were not in use when you left it.

How to set up x11vnc and VNC via SSH:

  • Install the openssh-server package on the Ubuntu machine.
  • Openssh-server will be started automatically at every login.
  • Install the x11vnc server package on the Ubuntu machine. Start it with the "-setpasswd" option to set a VNC password.
  • Then start the x11vnc server on the Ubuntu machine with this command:
x11vnc -usepw -forever -display :0 -loop -solid darkblue -skip_dups -speeds dsl

The options explained:

  1. "-usepw" is needed to actually use the password you set earlier
  2. "-forever" is needed so x11vnc doesn't shut down after every VNC session, which would be its default behaviour;
  3. "-display :0" tells the x11vnc server to use display 0 so you can use port 5900 - display 1 would use port 5901;
  4. "-loop" should create an external loop process that is supposed to restart x11vnc in case of a crash;
  5. "-solid darkblue" sets a monochrome desktop background (good for slow connections);
  6. "-skip_dups" is needed because every keyboard button I pressed on the N810 appeared twice on the Ubuntu machine (seems to be a bug) and skip_dups suppresses that;
  7. "-speeds dsl" is a preset to deal with latency issues, use "-speeds modem" for slower connections.
  8. All options are explained (in great detail) in the manual, accessible via "man x11vnc" on the Ubuntu machine.
  • Make sure x11vnc showed port 5900 in the last lines of all its messages after the start, so that later in the SSH connection you can actually forward the right port. If it showed 5901, use that number for the SSH connection.
  • Install openssh-client and vncviewer on the Nokia tablet (downloads and repositories: Maemo Garage and Gronmayer repositories for Maemo 4 Chinook (OS2008)).
  • Login from remote using the Nokia's openssh client "ssh" in X Terminal. The command is
ssh -X -l username IP-address -L 5900:localhost:5900

where "username" is your username on the Ubuntu machine and "IP-address" is the IP or dyndns address of the Ubuntu machine's Internet access. The "-L" option forwards connections made to port 5900 on the tablet's localhost through the SSH tunnel to port 5900 (display 0 of the VNC server) on the Ubuntu machine. This is the trick that lets you use VNCviewer on the Nokia tablet with the "localhost" option. I got that from another VNC tutorial here: http://www.cl.cam.ac.uk(...)sshvnc.html The "-X" option enables X forwarding, so GUI programs that you start in this X Terminal session (which at that moment is a terminal on your host computer), for example Firefox or Gimp, open on your Nokia tablet. :D

  • To control the desktop, start the tablet's VNCviewer via the application launcher and enter "localhost:0" as host address, also enter the password set earlier in x11vnc. If you had to change the port options for the SSH connection you might need to use "localhost:1" or similar.
  • Do whatever you want to do on the remote Ubuntu machine, then exit VNCviewer and don't forget to stop the SSH connection on your tablet by typing "exit" in X Terminal.

Option 2: tightvnc

If you prefer to use tightvnc instead of x11vnc, you need to install the tightvnc and ssh packages on the PC. Do so by opening a terminal on the PC and typing:

sudo apt-get install ssh vnc-common tightvncserver 

Then create the file /home/<your username>/.vnc/xstartup on the PC and put a few lines in it depending on the desktop environment you use (Gnome, KDE, or XFCE). See the part under Step 4 - Edit your VNC startup script for what to put in there.

Start a connection on the PC with the command:

vncserver :20 -depth 16 -geometry 800x480

If you want to stop vncserver type:

killall Xtightvnc 

To keep vncserver running even if you close the terminal window you could put a space and a '&' behind the command. By using the -geometry option your desktop will fit exactly on the screen of the tablet, something you cannot do with x11vnc. Make sure that automatic login on the PC is turned off for the user account that you want to use.

On the internet tablet you need vncviewer and openssh. You can download the latest version of vncviewer at https://garage.maemo.org/frs/?group_id=119. The package openssh is in the Maemo repositories and can be installed via the Application Manager. To prevent the connection from dropping during inactivity go to "settings =>control panel =>connectivity => idle times" and set the idle times to "Unlimited". Then check if the wifi (or bluetooth) connection is active.

The very first time SSH connects to a device you are prompted to confirm that the device should be added to .ssh/known_hosts. Therefore make a connection from the pc to the tablet and vice versa once to get .ssh/known_hosts on both devices updated. Do so by opening Xterm on the internet tablet and typing:

   ssh <username>@<host>

Replace <username> and <host> with the username and IP address on your local network of the device you are connecting to. Close the window and then do the same thing from the PC. Now you can use ssh to tunnel VNC. Open Xterm on the internet tablet and enter:

   ssh -fCNT <username>@<host> -L 5902:127.0.0.1:5920

Again you could optionally use a space and a '&' to keep the process running even if you close the xterm window. Replace <host> with the IP address of the PC on your local network. To connect via the internet replace <host> with the external IP address of your PC. In this case your router must be configured to give a fixed local IP address to the PC and to forward external port 22 to port 22 on the PC. Read the manual of your router for details on port forwarding. If you are running a firewall on the PC such as Firestarter then make sure that traffic to port 22 is allowed from any IP address.

Next start vncviewer on the Internet Tablet. Select "file => connect to a VNC server". Choose "localhost:2". Enter the VNC password you created during the setup of tightvnc on the PC, not the password of the PC user account. If all went well you will see the PC desktop. To do a 'right-click' in vncviewer press the "zoom in" hardware button while tapping on the screen. The "zoom out" button works the same way for a middle click. To enter text click on a text field and then use the middle button of the d-pad. If you happen to use XFCE on the PC you might not see your desktop background. In that case select "settings => desktop settings => allow XFCE to manage the desktop".

Some things you could do next:

  • Make a shell script so you don't have to type the commands each time.
  • Generate public keys for SSH so you don't have to enter your PC username and password. Although your connection is still secure you obviously run a risk when your tablet gets lost or stolen.
  • Protect the SSH port on the PC against brute-force hacking attacks.
  • If you are always only connecting from the same location, only allow that single IP address or address range through the firewall.
  • Use ssh on a non-standard port (i.e. not port 22) for security. So configure your router to map external port 22000 of the router to port 22 of your PC. In that case also use this on the Internet Tablet:
 ssh -fCNT <username>@<host> -L 5902:127.0.0.1:5920 -p 22000
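The shell script suggested in the first item could look like this. It is an added example, not part of the original page; the script and function names are hypothetical. It generalises the page's commands to any display pair using the rule that VNC display N listens on port 5900+N (so display :20 is port 5920 and "localhost:2" is port 5902), and it adds the ExitOnForwardFailure option, which the page's command does not use.

```sh
#!/bin/sh
# Added example: open the SSH tunnel for a VNC display. Names are hypothetical.

vnc_port() {  # VNC display number (0-99) -> TCP port: display N is 5900+N
    case "$1" in
        ''|*[!0-9]*|0?*|???*) return 1 ;;   # empty, non-numeric, leading zero, >99
    esac
    echo $((5900 + $1))
}

open_tunnel() {  # usage: open_tunnel USER HOST REMOTE_DISPLAY LOCAL_DISPLAY [SSH_PORT]
    user=$1 host=$2 ssh_port=${5:-22}
    # A leading "-" would be parsed by ssh as an option, so refuse it.
    case "$user" in ''|-*|*@*) echo "bad username" >&2; return 2 ;; esac
    case "$host" in ''|-*)     echo "bad host" >&2;     return 2 ;; esac
    # Digits only; ssh itself rejects values outside 1-65535.
    case "$ssh_port" in ''|*[!0-9]*|??????*) echo "bad ssh port" >&2; return 2 ;; esac
    rport=$(vnc_port "$3") || { echo "bad remote display" >&2; return 2; }
    lport=$(vnc_port "$4") || { echo "bad local display" >&2; return 2; }

    # ExitOnForwardFailure (an addition to the page's command) makes ssh exit
    # instead of going to the background when the local port is already taken.
    # Setting SSH=echo gives a dry run that prints the arguments instead.
    "${SSH:-ssh}" -fCNT -o ExitOnForwardFailure=yes -p "$ssh_port" \
        -L "$lport:127.0.0.1:$rport" "$user@$host" || return $?
    echo "tunnel up: point vncviewer at localhost:$4" >&2
}

# Run only when called with arguments, e.g. for the tightvnc setup above:
#   ./vnc-tunnel.sh <username> <host> 20 2 22000
if [ "$#" -ge 4 ]; then
    open_tunnel "$@"
fi
```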

For more info about installing ssh and tightvncserver on Ubuntu see [1].

