Does TLXOS include a VNC server?

Solution

Yes, TLXOS has a VNC-based session shadowing feature, but it doesn't work the way that you probably think it does.  TLXOS uses stunnel-encapsulated reverse VNC, for three reasons:

  1. Forward VNC connections potentially lack informed user consent, because the protocol has no connection-event hook on which to hang a reliable consent dialog.  By using a reverse connection, the console operator must initiate the connection, so they are implicitly aware of, and have implicitly consented to, being shadowed.
  2. Standard VNC lacks any form of encryption and is therefore vulnerable to network interception.  SSL-enhanced VNC variants exist, but there is no common standard, which limits interoperability.  We chose to use stunnel as an external encryption helper as a relatively generic solution that does not require you to use any specific VNC client.
  3. Forward VNC cannot traverse NAT boundaries, e.g. a DSL modem connection to the Internet, unless the site goes to great trouble to set up port forwarding at the NAT boundary.  Reverse VNC sidesteps this issue.

TLXOS session shadowing can be accessed via the <ctrl><alt>s keyboard shortcut.  If you are already in a fullscreen remote desktop you will first have to exit fullscreen mode or break the keyboard lock, so it is easiest to start shadowing before starting a remote desktop session.  At present the end user has to enter some data (the hostname or IP address and TCP port number of the shadower), but in future we will add controls to the TMS and Tlxconfig UIs to allow administrators to preset this information.  The user will always have to press a button to initiate the connection, however.

You can either use one TLXOS device to shadow another, or set up your own shadower using Stunnel and the VNC client of your choice.  A separate knowledgebase article has instructions on how to set up a TLXOS shadower on Windows.  To set up a TLXOS device as a shadower, change its mode to VNC, change Security to SSL, and set Command Line Args to "-listen".  The shadowee will then be able to connect to the shadower on port 5500.

We realise that there are use cases where non-interactive shadowing is a legitimate and reasonable requirement (e.g. when the TLXOS device never runs anything like a remote desktop session and no passwords or personal information are ever entered, such as digital signage and some kiosk uses), but our apps have no way of determining what your use case is, so we have to err on the side of caution.

For such cases we have provided a simpler (unencrypted, consentless, forward VNC) alternative. You can SSH to your device as root (see the SSH knowledgebase article for more information on how to do this) and use "systemctl enable x11vnc; reboot" to activate this (in future releases of TMS and Tlxconfig we will add an on-off control for this, with a strongly worded click-through disclaimer). Use this feature at your own risk.

If you want to add an access password to this service, you can do this using the following commands:

su - tlx -c 'mkdir .vnc; vncstorepw "your-password-here" ~/.vnc/passwd'
sed -i -e '/^ExecStart/s/$/ -usepw/' /etc/systemd/system/x11vnc.service
reboot

Adding an access password doesn't improve security much: the encryption used by the VNC password mechanism is weak, and it protects only the authentication step, not the session data; for session encryption you need SSL, i.e. the stunnel-encapsulated reverse VNC described above.
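As an added example (not ThinLinX's own code), the script below makes the -usepw edit above safe to re-run (the bare sed one-liner appends the flag again on every run) and audits the result. It assumes the unit path given above and that the tlx user's home directory is /home/tlx.

```sh
#!/bin/sh
# Added example, not ThinLinX's own code: an idempotent form of the -usepw edit
# shown above, plus a small audit of the resulting state. The unit path comes
# from the article; the password file is the tlx user's ~/.vnc/passwd and
# /home/tlx is assumed to be that user's home directory.

# Succeed if the unit's ExecStart line already carries the -usepw flag.
unit_has_usepw() {
    grep -E -q '^ExecStart=.*[[:space:]]-usepw([[:space:]]|$)' "$1"
}

# Append -usepw to ExecStart only when it is missing. The bare sed one-liner
# appends the flag again on every run; this version can be re-run safely and
# writes through a temporary file so it does not depend on GNU sed -i.
add_usepw() {
    unit="$1"
    if unit_has_usepw "$unit"; then
        return 0
    fi
    sed -e '/^ExecStart/s/$/ -usepw/' "$unit" > "$unit.tmp" && mv "$unit.tmp" "$unit"
}

# Succeed if the password file exists and is non-empty; -usepw only helps
# when x11vnc can actually find a stored password.
passwd_file_ok() {
    [ -s "$1" ]
}

# Report the state of both settings. Returns 0 only when the flag is set and
# the password file is present, so it can be used as a provisioning check.
audit_x11vnc() {
    unit="${1:-/etc/systemd/system/x11vnc.service}"
    pw="${2:-/home/tlx/.vnc/passwd}"   # assumed home directory for tlx
    ok=0
    if unit_has_usepw "$unit"; then
        echo "ok: $unit starts x11vnc with -usepw"
    else
        echo "WARN: $unit starts x11vnc without -usepw (no access password)"
        ok=1
    fi
    if passwd_file_ok "$pw"; then
        echo "ok: password file $pw present"
    else
        echo "WARN: password file $pw missing or empty"
        ok=1
    fi
    return "$ok"
}
```

Run `add_usepw /etc/systemd/system/x11vnc.service` after storing the password, then `audit_x11vnc` before rebooting; remember that this only adds authentication, not encryption.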

Article details
Article ID: 23
Category: Knowledgebase
Date added: 2019-05-29 12:27:27