RHEL SSH remote desktop VNC

RHEL adds a few complexities on top of the “plain” Debian-based Linux distros. SELinux in particular is another layer to consider. Here are common considerations for setting up SSH and/or VNC on RHEL, CentOS or a similar RHEL-derived Linux distro.

For SSH connection problems, consider adding to /etc/ssh/sshd_config:

LogLevel DEBUG

then:

systemctl restart sshd.service

then:

journalctl -f

and try to log in. This streams a good amount of debug information to the journal and helps reveal .ssh/authorized_keys permissions issues and more.
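The permission problems that the debug log reveals can also be checked directly. The following is an added example, not code from the original page; check_ssh_perms is a hypothetical helper name, and it assumes GNU stat as shipped on RHEL.

```shell
#!/bin/sh
# Added example, not from the original page. check_ssh_perms is a hypothetical
# helper name. It applies the test sshd's StrictModes (default: yes) applies
# before trusting authorized_keys: every path component from the key file up
# to the home directory must be owned by the user or root and must not be
# group- or world-writable.
# Usage: check_ssh_perms "$(id -u alice)" /home/alice   (alice is a placeholder)

check_ssh_perms() {
    uid=$1
    home=$2
    rc=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "MISSING $path"
            rc=1
            continue
        fi
        owner=$(stat -c %u "$path")   # numeric owner (GNU stat, as on RHEL)
        mode=$(stat -c %a "$path")    # octal mode, e.g. 700
        if [ "$owner" != "$uid" ] && [ "$owner" != "0" ]; then
            echo "OWNER   $path is owned by uid $owner, expected $uid or 0"
            rc=1
        fi
        # Mask 022 = group-write + other-write; both must be clear.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "MODE    $path is $mode: group/other writable"
            rc=1
        fi
    done
    # On SELinux hosts, also list files whose label differs from policy.
    # -n makes no changes, -v prints what would be relabelled.
    if [ -d "$home/.ssh" ] && command -v restorecon >/dev/null 2>&1; then
        restorecon -Rnv "$home/.ssh" 2>/dev/null || true
    fi
    return $rc
}
```

A non-zero return with a MODE or OWNER line points at the same failure sshd reports in the debug log as bad ownership or modes.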

To determine if SELinux is causing an issue, as a last resort one may temporarily and carefully edit /etc/selinux/config to have

SELINUX=permissive

and reboot. Be sure to put that back to enforcing and reboot when done.

Check that firewalld is allowing the desired SSH port through.

tcpdump port 22 -n -Q inout

should show packets from the client. If not, the SSH server firewall may be blocking them.

Waypipe remote desktop

In general, current VNC servers are not compatible with the Wayland desktop (which replaces X11). Waypipe is a new remote desktop tool that works with Wayland. However, Waypipe requires another Linux machine with Wayland, so it doesn’t work with Windows or macOS natively. If permissible for your system, you may wish to switch the desktop to X11 instead of Wayland so that traditional VNC servers work.

X11 VNC server

If you are able to switch to X11, then you can use a traditional VNC server like TigerVNC.

Switch to X11 desktop on the server by editing /etc/gdm/custom.conf:

[daemon]
WaylandEnable=false
DefaultSession=gnome-xorg.desktop

Then reboot. Ensure you can log on locally to the X11 desktop as usual.

Install TigerVNC server:

sudo dnf install tigervnc-server

Ensure the username is specified with a display number in the file “/etc/tigervnc/vncserver.users”. You do not need or want a file ~/.vnc/xstartup or ~/.vnc/config.

Allow the VNC server through SELinux by generating and installing a local policy module from the logged vncsession denials:

ausearch -c 'vncsession' --raw | audit2allow -M my-vncsession

semodule -X 300 -i my-vncsession.pp

Set a password for the VNC server:

vncpasswd

Then start the VNC server:

systemctl enable --now vncserver@:2

Log off from the local session on the server; otherwise, when you try to view VNC, it will just show a black screen. If you are logged on remotely and try to log in locally, the local login gets a black screen. If this happens, you can log out the unwanted black-screen sessions by:

who -u

# gives PID of the local user (:1)

then:

kill <PID of local user>

Reference: RHEL Remote desktop