Running X-based apps in a remote Unix machine

New school way (recommended):

desktop%  ssh -Y remote
				remote% x-win-app

ssh likely defaults to this now.  If -Y doesn't work, try -X.

Old school way:

desktop% xhost +remote
				remote% setenv DISPLAY desktop:0
				remote% x-win-app
				remote% xclock

Modern Linux implements some security measures that need to be changed/relaxed:



In Solaris, /tmp/X11-unix or some such pipe is often owned by root and needs to be chown'ed to the user.

In newer versions of Linux, you need to update /etc/X11/gdm/gdm.conf,
or else the X server will only use named pipes and not listen on port 6000,
thereby rendering X forwarding unusable.

Usual caveat: allowing X forwarding is a security problem; it allows remote capture of
screen, keystrokes, etc.
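
A way to check what the old school "xhost +remote" setup above leaves open, as an added example that is not part of the original notes: the function reads the text printed by the xhost command and classifies each entry. The sample output is constructed, and the names sample_xhost and audit_xhost are hypothetical.

```shell
#!/bin/sh
# Added example: classify the access list printed by `xhost`.
# Host entries (what "xhost +remote" creates) admit EVERY user on that host;
# SI:localuser entries admit one local account only.

# Constructed sample: what xhost prints on the desktop after "xhost +remote".
sample_xhost() {
    cat <<'EOF'
access control enabled, only authorized clients can connect
INET:remote
SI:localuser:bofh
EOF
}

# audit_xhost: read xhost output on stdin, print one finding per line.
audit_xhost() {
    while IFS= read -r line; do
        case $line in
            'access control disabled'*)
                echo "OPEN any host can connect to this display" ;;
            'access control enabled'*|'')
                ;;
            INET:*|INET6:*)
                echo "HOST ${line#*:} every user on that host can connect" ;;
            LOCAL:*)
                echo "LOCAL every user on this machine can connect" ;;
            SI:localuser:*)
                echo "USER ${line##*:} single local account" ;;
            *)
                echo "OTHER $line" ;;
        esac
    done
}

# Stand-alone run on the constructed sample; on a live display use:
#   xhost | audit_xhost
sample_xhost | audit_xhost
```

Any HOST or OPEN line means the display accepts connections that are not tied to one user, which is the exposure the caveat above describes.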

x-ref: linux#XDMCP

Running X-based apps in Windows

There are many ways of running Unix GUI applications in the Microsoft world (and Apple OS X). The most popular way is to create an X-Window server on top of Windows so that Unix GUI programs can display directly on the Windows machine. This can be done with programs such as Exceed, X Manager, and even Cygwin.

An alternative is to run VNC. It is typically thought of as a remote desktop program, but it works very well in hosting a virtual X-Window session and allowing a multitude of clients to access and share such a session.

Advantages of VNC:
  1. All session info is stored on the server, so a client can disconnect and reconnect at any time without losing the session.
  2. Easily sharable, recruit your colleagues to help you troubleshoot a problem and let everyone watch the window at the same time (be careful about password sharing!)
  3. More efficient use of bandwidth than the full blown X-Window protocol, thus more usable across slow DSL and WAN.
  4. Easier to tunnel traffic thru SSH
  5. Clients/Viewers exist for many platforms, even a web-based Java applet.
  6. Many implementations are free

Advantages of X-Window Emulation Software:
  1. In LAN environment where there is plenty of bandwidth, X is a bit more responsive in interactive session than VNC.
  2. Coloring tends to be more accurate than VNC as it does not use compression.
  3. No need to pre-set window size, thus screen size can change dynamically depending on client-side screen resolution.

Where to get VNC:
  1. Real VNC - Commercial version, by default wraps vnc in ssh to make it secure.
  2. RedHat Linux comes with VNC, binaries in /usr/bin
  3. Ubuntu may need to install it, use "aptitude search vnc" and "apt-get install tightvnc" or something along those lines.
  4. Tight VNC - Open Source software model, my current favorite.
  5. Ultra VNC - Has a nice auto-hide toolbar in full window mode, similar to Windows Remote Desktop client.
  6. Turbo VNC - touted as a faster VNC by using compression. But NX may be faster as it compresses and caches.

Where to get X-Window emulator:
  1. Cygwin. This open source tool adds a lot of unix commands to windows, as well as providing an X server emulation, which is very usable now. Highly recommended for unix users stuck in windows land.
  2. X Manager 2.0 - Shareware, basic functionality, "lighter weight" install, solid performer.
  3. Hummingbird Exceed - Lots more bells and whistles that may not be useful, integration into Explorer neighborhood, etc. Likely the best 3D performance of all implementations.
  4. X-Win32 ... This is probably very old stuff now...
  5. NoMachine NX


X2go provides an easy way to gain a graphical session with a remote linux server. Think of Terminal Server.
Beats having to ssh in, run vncserver, and then start a vnc client. Think it is automatically a wrapper around an ssh tunnel.
NX still provides a more seamless (and probably speedier) experience, but NX may not be free.
X2go does not work with GNOME 3 :(


NoMachine NX is a great wrapper around VNC. The NX client, which can run on windows, mac or linux, will ssh to the NX server, set up the necessary VNC server, and connect the client thru. It seems a bit slow when more than a couple of users are logged in to a machine though :(
NX 3 on Linux created virtual servers and worked like a terminal server.
NX 5, at least the free version, mirrors a physical screen like Windows and Mac. It is more like x11vnc. Terminal Server is a different commercial product now.
Use the commercial NoMachine NX client and their ssh key if you don't want to deal with key distribution
(their client is free).

nx-3.5.0-1.el5.centos			# base free nx package
freenx-0.7.3-8.el5.centos		# server end rpm, update and restart sshd , add init script.

The freenx-server rc init script really just says whether clients can start an NX session.
There is no NX daemon running on the machine.  The client sshes in and starts the necessary processes.

config files are in /etc/nxserver


update /var/lib/nxserver/home/.ssh
to use the key from the NoMachine client;
should not need to update authorized_keys2



General method of operation

In Windows, the VNC server works very similarly to the Remote Desktop feature. A server process runs all the time, and the VNC viewer (client) connects to it via WinMachineName:0. A password will be needed to connect, but typically one can't tell if there are any VNC clients connected to a server. If the shared option is used (often a check box in "do not disconnect other client"), then many users can view and control the same physical screen displayed on a Windows machine.

In Unix/Linux, VNC works somewhat differently. By default, the VNC server process (Xvnc) starts and creates a virtual X window environment. There is no physical display/screen associated with this virtual session. Furthermore, more than one VNC server can run at a time, and they will be assigned different "display session numbers", eg :1, :2, :3, etc. When a vnc viewer (client) connects, it must specify the server name together with the display session number, eg: LinuxMachineName:1
While Xvnc does not attach to a physical screen, a user can connect to the virtual X session of the local machine without problem (eg vncviewer localhost:1).

More recently (a few years now, really), Unix also has the ability to share the physical screen the same way Windows behaves. This is provided by a different server process called x11vnc, which needs to be started by the user on demand in a physical session (ie :0). More info below.

Since RHEL 5.4 or maybe even earlier, "vncserver" can be configured to listen to the actual GUI login screen (ie, :0). Instructions in centos wiki.
In a nutshell, update xorg.conf and restart X, and ensure port 5900 is open (iptables -I INPUT -p tcp --dport 5900 -j ACCEPT):

## Module section:
Section "Module"
  Load "vnc"
EndSection

## Screen section (these options go inside the existing Section "Screen"):
Option "SecurityTypes" "VncAuth"
Option "UserPasswdVerifier" "VncAuth"
Option "PasswordFile" "/root/.vnc/passwd"

Wikipedia has a good overview of VNC.

Basic VNC Setup

RealVNC hosts a good intro on setting up to use VNC.

Here are the commands that need to be run:
If you are running vnc on Linux, the software is usually pre-installed and PATH pre-configured. It is usually as simple as logging in (via ssh, eg, use PuTTY), then running the vncserver command to start the server session. Then, from the windows machine, use VNCviewer to connect to the remote machine, appending :1, :2 or whatever virtual screen session was created by VNC.
To avoid panning, you may want to set a specific geometry when starting VNC; use any one of the following examples:

vncserver -geometry 1012x688 -depth 24
# Good for small Laptop LCD at 1024x688 (with 4 toolbars/title bars all together)

vncserver -geometry 1260x950 -depth 24
# Good for 17" desktop screen running at resolution of 1280x1024

vncserver -geometry 1580x1120 -depth 24
# Good for 20" desktop screen running at resolution of 1600x1200

vncserver -geometry 1280x800 -depth 24
# Good for screen resolution of 1280x800 (eg macbook full screen, which isn't 1400x900)

If you are using Solaris, the procedure is slightly more involved.  Below is a basic outline of commands to run.

ssh to your sun machine and run:
export PATH=$PATH:/usr/bin:/usr/local/bin:/usr/X11R6/bin:/usr/dt/bin:/opt/sfw/bin
vncserver -nolisten local -geometry 1012x712 -depth 24

Then, on your windows machine:
vncviewer YOURHOST:x

Once inside the VNC session, at the xterm window prompt, enter the commands:
pkill twm
/usr/dt/bin/dtwm &

vncconfig -iconic &
On some machines, the vnc config panel does not start automatically; this will start it, and will allow cut-n-paste. On some machines, starting this will return an error saying no vnc-extension found. Not sure what it means, maybe some perm on /tmp/X11... is not allowing the clipboard to be transferable... SOL :(

Detailed Instructions on Starting VNC

(i) Setup your PATH.  
You may already have them setup.  You can check via echo $PATH 
or you can rerun these commands, duplicates are safe. 

sh/ksh/bash users  (recommended, csh/tcsh is weird!):
Solaris	export PATH=$PATH:/usr/bin:/usr/local/bin:/usr/X11R6/bin:/usr/dt/bin:/opt/sfw/bin
Linux	export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
AIX	export PATH=$PATH:/usr/local/bin:/usr/lpp/X11/bin
HP-UX	export PATH=$PATH:/usr/dt/bin:/bin/X11:/usr/bin:/usr/local/bin

csh/tcsh users:
Solaris	set path=($path /usr/bin /usr/local/bin /usr/X11R6/bin /usr/dt/bin /opt/sfw/bin) 
Linux	set path=($path /bin /usr/bin /usr/local/bin /usr/X11R6/bin)
AIX	set path=($path /usr/local/bin /usr/lpp/X11/bin)
HP-UX	set path=($path /usr/dt/bin /bin/X11 /usr/bin /usr/local/bin)

(ii) Start the vncserver:

vncserver -nolisten local -geometry 1012x712 -depth 24

The "-nolisten local" parameter avoids the need to write to the directory /tmp/.X11-unix,
which only root can do.

The -geometry and -depth settings set the screen size and color palette.
This setting should work well in windows desktop running resolution of 1024x768,
so that you don't have to be scrolling till your head is dizzy.

NOTE: If you have never run vncserver before, it will prompt you to enter a 
vnc session password.  Enter that, and when it returns to the prompt, 
run the vncserver command listed above again to really start the server.
This time, it will print a message telling you which virtual session
(:N) your vnc session will be located, or an error message.

Info for setting up a Desktop Environment inside a VNC session.

Desktop Environment includes Windows Manager and extra features like
desktop icons, integrated file manager and web browser, etc.

By default, vnc session starts with the most barebone windows manager (twm) 
and no desktop environment.
You can change it to use something else, so that you won't be left with 
a boring plain pale looking TWM. 
This is optional, but it generally gives a much better feel of 
actually running the stuff in local machine native graphical console.
The settings are platform dependent.

Traditional Unix typically support CDE, and it is the default Desktop Environment
pushed by the major vendors in the past few years.  
Linux use gnome or kde, and don't typically have CDE installed.



CDE for Solaris 7, 8, 9
CDE for AIX 4.x, 5L
CDE for HP-UX 11i

set your ~/.vnc/xstartup file to something like:

    	Xsession &
    	xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &

and start the vncserver, it will start CDE environment nicely.
The color settings of starting CDE like this is better than just
running dtwm.

You can also copy the xstartup file from /nfshome/tho/.vnc/xstartup.cde
Be sure that XSTATION and DTXSERVERLOCATION are NOT preceded with "set"!!

If your vnc session starts up with a blank screen, then check that
CDE and X server have been installed on your machine.
AIX does not have this installed by default!!
If it is installed, you should be able to do ls for file such as:
If the file above cannot be found, or if the whole /usr/dt/bin dir is not there,
contact the sysadmin to get the CDE/X server packages installed to the system.


GNOME on Linux (and possibly Solaris machines with gnome setup)

First, ensure that twm is not running.  In the xterm windows:
	ps -ef | grep twm

If there is a process named twm, just issue a "kill" on the pid, eg:  
	kill 12345 
	ps -ef | grep twm | grep -v grep | awk '{print "kill " $2 }' | sh

Then, run:
	/usr/bin/gnome-session &

This should start a nice and complete gnome desktop environment.

For lighter terminal settings, AS/ES 3.0 can use the following two lines instead;
it will disable things like the screen saver, etc.
This method seems to be needed for Solaris 10 w/ international language support,
as somehow that interacts catastrophically with gnome-session and the keyboard
won't work!
	/usr/bin/gnome-wm    &
	/usr/bin/gnome-panel &

For GNOME/Java Desktop on Solaris 10, run:
	/usr/dt/config/Xsession2.jds &


startkde	= start a kde session, will work inside VNC 
		  equiv to gnome-session

kwin		= kde windows manager.  Equiv to gnome-wm or twm.
kicker		= start the KDE bottom panel (start menu)
		  equiv to gnome-panel
kdesktop	= start process that respond to desktop background

(Info collected from RHEL 4, SUSE 10 has KDE under /opt/kde3 and use different binaries)

Changing Windows Manager

Windows Manager can be seen as a sub component of the Desktop Environment. One can run just the windows manager w/o a desktop environment for a light weight setup, and potentially for compatibility reasons inside a VNC virtual session.

There are lot of technical details here, and you need not be concerned about them if you can live with the default TWM windows manager, or if the Desktop Environment described above can be setup and run correctly.

By default, vnc session starts with the most barebone windows manager, twm. You can change it to use something else. The config file is ~/.vnc/xstartup. You will see twm toward the bottom. You can change it to other windows manager by running a different command instead of twm, eg:

dtwm	# This is the windows manager that is run with CDE.
	# available in /usr/dt/bin/dtwm (HP-UX, Solaris, AIX)
	# not available in default linux install (it is ugly anyway).
	# Note that the color is a bit off when run inside VNC,
	# but the functionality is there.
	# See CDE in desktop environment below.

olvwm	# Sun default windows manager before it adopted CDE.
	# It is pretty clumsy to use, but works well in old system.
	# try to locate it in one of these places:
	# - /usr/local/bin/olvwm
	# - /corpits/usr/local/bin/olvwm

mwm	# alternative to olvwm, much more usable and very light weight.
	# Available in 
	# - /usr/bin/X11/bin (HP-UX)
	# - /usr/X11R6/bin   (Solaris, Linux)

twm	# Most barebone windows manager, avail almost everywhere.
	# Solaris, Linux is in /usr/X11R6/bin
	# HP-UX doesn't seem to have it!

fvwm2	# fvwm2 builds on top of mwm, adding a config option to allow
	# win95 menu, if configured properly.
	# Avail in:
	# /corpits/opt/sfw/bin/  mwm or fvwm2

icewm	# an open source light weight Windows Manager 
	# with support for GNOME and KDE.
	# avail only in Linux, as the code won't compile under Solaris.
	# .xstartup recommended way to start icewm
	# icewmtray &
	# which icewm >/dev/null 2>&1 && exec icewm || exec xterm -bg red

If you want to try out the various window managers, you can always look up the
process number of your current window manager, kill it, and then start a new one.


PS1: has a very good FAQ 
about the many advanced features for VNC.

PS2: Windows VNC program:

PS3: A note on HP-UX use of ^C and '@' symbol.
Default HP-UX /etc/profile maps interrupt to "DEL" and kill to @.
This causes a lot of confusion.  So, I recommend that you update your keyboard
mapping once you get to a shell prompt:
	stty intr 
	stty kill 
	stty -a	# check your settings.


Instructions for X11vnc (Solaris only, for now)

Sunfreeware now has this package called x11vnc.  It works closer to the windows vnc
in the sense that you share the physical display with a remote user.

To use it, you will need to have an existing physical login to your sun desktop.
Then, to share your display, issue the command:

x11vnc -display :0

Then, on the client side, just use vncviewer against your hostname with :0 as your display
(eg spartan:0) and it will connect.

When you are done, terminate the vncviewer.  Once the client ends, the x11vnc (server) also ends.
Note that this is the only security; there is no password checking.
So, run x11vnc only when you want to share your desktop.
You can ssh or telnet to your machine and issue the command when you want to share.

A password can probably be set up, will need to refer to the doc...

x11vnc in Linux

There is an x11vnc-0.9.8-1.el5.rf.x86_64.rpm, but this package doesn't seem to be needed on stock RHEL 5.4.
It just needs some updates to xorg.conf and a location to store the vnc password file.
Some video drivers will prevent this screen duplication from working correctly.  Updating to the latest driver should help.
Update /etc/X11/xorg.conf as follows:
In Section "screen…", add these options:
     Option "SecurityTypes" "VncAuth"
     Option "UserPasswdVerifier" "VncAuth"
     Option "PasswordFile" "/root/.vnc-0/passwd"
The vnc password can be stored in any dir you want.  Create the password file using vncpasswd if needed, then copy it to the path indicated above.  You will need this to connect.
Then add this new section, say, at the end of the xorg.conf file.
Section "Module"
     Load           "dbe"
     Load           "extmod"
     Load           "type1"
     Load           "freetype"
     Load           "glx"
     Load           "vnc"
EndSection
Restart X (eg init 3; init 5).
From windows, use vncviewer and connect to the nmr linux machine; no need to specify any session number, as :0.0 is assumed as default.

tigervnc in rhel7

# x0vncserver mirrors the actual screen, so it is like the previous x11vnc:

sudo yum install tigervnc-server
# as user that would typically be logged to the X session, eg bofh:
x0vncserver -PasswordFile=.vnc/passwd -AlwaysShared=1		# this listen for :0, port 5900
# /etc/systemd/system/vncserver0.service 
# sudo systemctl start vncserver0 works when file is configured to use service type "simple" instead of "forking"
ExecStart=/usr/sbin/runuser -l bofh -c "/usr/bin/x0vncserver -PasswordFile=/home/bofh/.vnc/passwd -AlwaysShared=1 -display=:0"
See also linux systemctl vnc example.

##  this one below theoretically creates a virtual X server on :3, but systemctl has problems starting it...

cp /lib/systemd/system/vncserver@.service  /etc/systemd/system/vncserver@.service
vi !$
	# change USER to actual username (yeah, not very general...)
systemctl daemon-reload
systemctl enable vncserver@:3.service		# template was vncserver@:DISPLAY.service   (but never got it to work)
	sudo /usr/sbin/runuser -l sn -c /usr/bin/vncserver 3	# should have been cmd by systemctl.  manually running it works

systemctl status vncserver@3.service 		# view log message ... somehow it fails, %i thing??
journalctl -xn 

VNC Installation, Encryption

download package, untar
cp vncviewer vncserver vncpasswd vncconnect Xvnc /usr/local/bin


need to ensure that /tmp/.X11-unix is world writable
in solaris, need to do it in an init script as it is changed back on bootup.
vncserver fails silently when this dir is not world writable.
chmod 1777 /tmp/.X11-unix	# world writable, sticky bit kept so users cannot remove each other's sockets
Haven't seen any report of security problems with such setup,
but solaris 9 seems to reset the directory permission.

Alternatively, start vncserver as

vncserver :n -nolisten local
so that it avoids writing to /tmp/.X11-unix completely.

logs are in ~/.vnc
~/.vnc/xstartup  is config file.  
	default to twm.
	can run olvwm (old sun) or dtwm (which is the one cde use, but ugly color).

vncserver -geometry  1500x1000 -depth 16 	# home 24"
vncserver -geometry  1260x910  -depth 16 	# win 1280x768 desktop, okay sun 20"
vncserver -geometry  1018x720   -depth 32	# approx for 1024x768...
vncserver -geometry  1150x910 	-depth 16	# u10 build in vga port + sun 20" mon
vncserver -kill :1

sun 21 inch is about 1280x1020, cde top around 934. title + frame around 24 pixels.

default port is 
5800  for windows
5801  for unix java
5901  for unix standard vnc client

solaris version req perl which may not be installed.  the vncserver script may need to change the #! line.


encapsulating vnc with ssh, all commands run on localhost:

ssh -L 5911:localhost:5901 tin-u10 
         ^            ^^^^^^^^^^^^
         |             destination machine and port
       tunneled localhost port 5911
vncviewer -shared -hextile localhost:11

# establishes a tunnel that is:
#  localhost:5911   <====> tin-u10:5901
#  thus a vnc connection made locally will get tunneled to the remote host.
# vnc for unix defaults to port 5900 + virtual session number
# the tunnel kind of creates the port for virtual session 11.
# To some extent, this would limit the number of VNC that can be running to 10.

# -hextile will not let the machine think it is local and use raw.
# actually, not sure if that is windows only.

# for linux machine to vnc server on tin-u10, but i haven't gotten it to work yet.

Newer vnc clients (eg tigervnc, mobaXterm) support a -via option:

vncviewer -via user@server localhost:1	# host:display is resolved from the gateway (server) side

and the ssh tunnel will be created.  No need to manually run ssh and understand the whole tunnel business :)

windows client options

-shared -fullscreen
-scale 1024/1280	# scale 1280 screen to fit 1024, but ugly font and slower.
-scale 4/5		# same ratio as above, read as, every 5 pixels on svr,
			# becomes 4 pixels on client.  

-noauto			# no auto detect color depth, not usually needed.

disable full screen prompt:
    Create DWORD SkipFullScreenPrompt set value to 1.
    wish there was just a cli option for it :)

-localhost	vncserver only binds to
-interface IP	vncserver binds to specified IP

starting vnc at startup thru an rc script;
this case is for the oracle applmgr user, as the ora app needs a running X server to work
correctly in rendering graphics for web clients!!
simple content for rc2.d/S99rcVnc
su - applmgr -c "/opt/sfw/bin/vncserver :18 -localhost -nolisten local -geometry 1012x712 -depth 24"

search online for other script to start series of vnc at startup.
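
An added example (not part of the original notes) that ties together the port numbers, the ssh tunnel and the -localhost option above: it reads `ss -ltn` style output and reports which X11 and VNC listeners are bound to loopback only and which are reachable from other hosts. The sample lines are constructed, and the function names and the upper bounds of the port ranges are assumptions.

```shell
#!/bin/sh
# Added example: find X11 and VNC listeners reachable from the network.
# Port ranges are an assumption built on the numbers in these notes:
#   6000+N = X display :N, 5900+N = VNC display :N, 5800+N = VNC Java/http.

# Constructed sample in `ss -ltn` layout (State Recv-Q Send-Q Local Peer).
# 5918 is the ":18 -localhost" rc example; 6010 is the kind of loopback
# listener sshd opens for a forwarded display (ssh -Y / -X).
sample_listeners() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      0.0.0.0:5901       0.0.0.0:*
LISTEN 0      5      0.0.0.0:5801       0.0.0.0:*
LISTEN 0      5      127.0.0.1:5918     0.0.0.0:*
LISTEN 0      128    127.0.0.1:6010     0.0.0.0:*
LISTEN 0      128    [::]:6000          [::]:*
EOF
}

# classify_port PORT: print "<service> :<display>", or nothing if unrelated.
classify_port() {
    if [ "$1" -ge 6000 ] && [ "$1" -le 6063 ]; then
        echo "x11 :$(($1 - 6000))"
    elif [ "$1" -ge 5900 ] && [ "$1" -le 5999 ]; then
        echo "vnc :$(($1 - 5900))"
    elif [ "$1" -ge 5800 ] && [ "$1" -le 5899 ]; then
        echo "vnc-http :$(($1 - 5800))"
    fi
}

# audit_listeners: read ss output on stdin; print scope, service, display, socket.
audit_listeners() {
    while read -r state _recvq _sendq laddr _rest; do
        [ "$state" = "LISTEN" ] || continue
        port=${laddr##*:}      # text after the last colon
        addr=${laddr%:*}       # text before the last colon
        case $port in ''|*[!0-9]*) continue ;; esac
        svc=$(classify_port "$port")
        [ -n "$svc" ] || continue
        case $addr in
            127.*|'[::1]'|::1) scope=loopback ;;   # needs an ssh tunnel to reach
            *)                 scope=EXPOSED  ;;   # reachable from other hosts
        esac
        echo "$scope $svc $laddr"
    done
}

# Stand-alone run on the constructed sample; on a live server use:
#   ss -ltn | audit_listeners
sample_listeners | audit_listeners
```

Sessions reported as loopback are the ones that can only be reached through the ssh -L tunnel or the -via option; EXPOSED ones carry VNC or X traffic over the network unencrypted.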

Linux client (vncviewer) options

F8 = pop up menu, send key sequences like ctrl-alt-del
full screen mode

Display Manager vs Window Manager

The Display Manager governs the GUI login screen before a user logs in. The Window Manager is the GUI that gets loaded for a specific user once login is complete.

Historically, gdm is the display manager everyone used. It can load the Gnome Desktop Environment and its Window Manager, or it can load KDE.

Increasingly, different DMs are used for different WM/Desktop Environments.
MDM is the default for Mint, which loads the Cinnamon environment. To switch to Gnome, one has to install GDM, which requires changes to /etc/X11/default-display-manager
LightDM ...
Ubuntu: sudo dpkg-reconfigure gdm # display a TUI to change Display Manager

Desktop Environment

X Window Emulation

X Quartz

XQuartz provides an X server in Mac OS X. It used to ship by default, but from OS X 10.8 (Mountain Lion) onward, one has to use the open source version (ie, Apple no longer provides support for it).

X Manager 2.0

X Manager supports many ways of starting an X Window emulation. IMHO, I recommend using a simple "xstart", and having it use SSH to log in to the remote machine and launch the correct xterm command. This will not start a full blown Desktop Environment though. If sshd has been configured to disable X port forwarding, X Manager may not run. In such a case, try RSH, REXEC, or TELNET.

X settings

Things that I like...


! rxvt settings customization, usable in Cygwin

! color could be named, or #000000 for black, #FFFFFF for white
! #DDddDD is lighter gray than LightGrey, this bg works better than black for ls --color
!Rxvt*background:           Black
!Rxvt*background:           LightGrey
!Rxvt*background:           #EEEEEE
Rxvt*background:           #DDDDDD
Rxvt*backspacekey:         ^H
Rxvt*boldFont:             Fixedsys
Rxvt*colorBD:              Red2
Rxvt*colorRV:              RoyalBlue
Rxvt*colorUL:              ForestGreen
!Rxvt*cursorColor:         Cyan3
Rxvt*cursorColor:          RoyalBlue
Rxvt*cursorColor2:         Gold
Rxvt*cutchars:             BACKSLASH `"'&()*,;<=>?@[]{|}
Rxvt*externalBorder:       0
Rxvt*font:                 Fixedsys
!Rxvt*foreground:           LightGrey
Rxvt*foreground:           Black

(cc) Tin Ho. See main page for copyright info.