How to set up VNC to be accessed from outside CSAIL
First, be clear about the problem you're trying to solve. Is VNC (originally for "Virtual Network Computing") really the best solution? VNC is best for checking in on long-running processes that will continue after your remote client disconnects.* Other kinds of "remote access" needs are often better solved using ssh tunnels, VPN, installing programs directly on a laptop or remote device, using X11 to run programs on a remote machine and display them locally, or some combination of the above.
Due to security limitations of the VNC protocol (passwords are weak, and the protocol does not encrypt characters typed or windows displayed), CSAIL does not allow direct VNC connections from outside our network perimeter. However, VNC can safely be tunnelled via SSH as follows:
A. Set up sshd on the host (if necessary)
- For a CSAIL Debian host, this is likely already done. (See Setting up SSH.)
- For a Mac OS host, this means turning on System Preferences -> Sharing -> Remote Login, and preferably restricting it to only your username. If connections are refused, try turning off the appfirewall (System Preferences -> Security -> Firewall -> Allow all connections) for the first ssh connection, then re-enabling it.
- Not possible on a Windows host -- use Remote Desktop instead of VNC, or else use VPN instead of SSH (see bottom of this page).
B. Set up vncserver on the host
- For a CSAIL Debian host:
- install with: sudo apt-get install tightvncserver
- run with: longjob vncserver :0
- if you omit "longjob", vncserver will refuse connections with "configuration error" as soon as your Kerberos+AFS credentials expire (or as soon as you close the SSH session that started VNC)
- if you get "host:0 is taken", increment the vncserver argument to :1 and the port (below) to 5901
- this will ask you for a password only the first time. If you've forgotten it, rm ~/.vnc/passwd
- For a Mac OS host:
- System Preferences -> Sharing -> Screen Sharing occasionally works (and then only with a TightVNC client)
- Vine Server (OSXvnc) usually gives better results. Under Authentication, set "Require remote login (SSH)" to YES.
- For a Windows host, suggest using Remote Desktop instead. Otherwise:
- TightVNC server
- UltraVNC server
C. Establish ssh tunnel on the client
- CSAIL Debian client, Mac OS client:
ssh YOU@HOST.csail.mit.edu -L5900:localhost:5900
- Windows client:
- Install PuTTY. Recommended: PuTTY with Kerberos. Alternatively, standard PuTTY (requiring typed passwords).
- In PuTTY Configuration -> Connection -> SSH -> Tunnels, enter "Source port" 5900, "Destination" localhost:5900, then click "Add."
- In Session, enter "Host Name:" HOST.csail.mit.edu, "Saved Sessions:" HOST, and click "Save."
- Double-click HOST to connect via SSH with the tunnel. (Only this last step needs to be repeated for future connections.)
- iOS client (iPhone, iPad, etc): use a combined SSH+VNC client
- with iSSH: Add Configuration -> (fill in Description, Host, Login) -> choose SSH then VNC, then enter your VNC password -> Save.
D. Connect using VNC client
- CSAIL Debian client:
- for example, install with sudo apt-get install xtightvncviewer and run with xvncviewer localhost:0
- Mac OS client:
- Windows client: use any of the below to connect to localhost:0
- iSSH: tap configuration name to connect; enter SSH password when prompted.
E. Destroy your VNC session (optional)
- CSAIL Debian host:
vncserver -kill :0
- Mac, Windows: switch to VNC Server window and choose "shut down" or similar.
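For a display other than :0 (the "host:0 is taken" case in step B), the port in steps C and D changes with it. The following sketch, added here and not part of the original page, builds the matching tunnel command. The function names are hypothetical, YOU and HOST are the page's placeholders, and -N, ExitOnForwardFailure and the explicit 127.0.0.1 bind are additions to the page's command.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# vnc_port N: print the TCP port for VNC display :N (5900 + N).
vnc_port() {
    case "$1" in
        ''|*[!0-9]*|0?*) echo "display must be a plain integer" >&2; return 1 ;;
    esac
    # Sanity bound (an assumption of this example) to keep the arithmetic small.
    [ "${#1}" -le 3 ] || { echo "display number too large" >&2; return 1; }
    echo $((5900 + $1))
}

# safe_name S: accept only names that cannot be read by ssh as an option
# or carry shell metacharacters.
safe_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# tunnel_cmd USER HOST N: print the ssh command for step C.
tunnel_cmd() {
    safe_name "$1" && safe_name "$2" || { echo "bad user or host" >&2; return 1; }
    port=$(vnc_port "$3") || return 1
    # 127.0.0.1 bind: only this client can use the tunnel.
    # ExitOnForwardFailure: ssh exits if the local port is already taken,
    # instead of leaving a session with no tunnel.
    # -N: forward only, no remote shell (the page's command opens a shell).
    echo "ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:${port}:localhost:${port} $1@$2"
}

# viewer_target N: print what the VNC client connects to in step D.
viewer_target() {
    vnc_port "$1" >/dev/null || return 1
    echo "localhost:$1"
}

# Constructed sample: display :1 because :0 was taken.
tunnel_cmd YOU HOST.csail.mit.edu 1
viewer_target 1
```
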
Using VNC through CSAIL VPN (Virtual Private Network)
This works with any host, and with Windows and Mac OS clients.
- install the CSAIL VPN Client
- establish the VNC connection to CSAIL
- ensure the VNC server is running on the host
- use your favorite VNC client to connect directly to the hostname.
* Also note that some long-running processes are best submitted as Condor jobs rather than manually tended using VNC.