If you have a Professional or Enterprise subscription and a Linux or Mac computer, you can specify interactive system authentication for VNC Server instead of system authentication. This means that connecting VNC Viewer users must first enter a user name from a user account that is registered with VNC Server. Then, they must provide one or more credentials, and/or perform one or more authorization operations, mandated by your choice of PAM authentication module(s).
Choosing multiple PAM modules enables you to specify a comprehensive multi-factor authentication scheme for VNC Server.
Note the following:
- The user account of each prospective VNC Viewer user must be registered with VNC Server, and suitable session permissions assigned.
- Connecting users cannot ask VNC Viewer to remember password(s) entered as part of the authentication process.
- Connected users are not automatically reconnected if a session is interrupted. Re-authentication is mandatory.
Setting up the VNC Server computer
Perform the following steps:
- Specify the interactive system authentication scheme, either by:
  - Opening VNC Server’s Options > Security page and selecting the Interactive <platform> authentication option from the Authentication dropdown.
  - Setting the VNC Server Authentication parameter to InteractiveSystemAuth.
- Obtain the PAM module(s) that enable the functionality you want to provide. For example, pam_google_authenticator.so mandates that connecting users must enter a TOTP code. If you have a Duo account, pam_duo.so mandates that connecting users must respond to a push notification, SMS, or phone call, and so on. Note that these modules might require additional configuration to integrate with your system in a way not covered by this documentation.
  Note that, out of the box, VNC Server is configured to interact with the local password store using pam_unix.so. You can retain this configuration in order to provide standard system authentication (user account password after user name), and augment it with other modules to add any number of additional factors.
- Reference the module(s), and specify appropriate account and authentication rules, in the following file:
  - For platforms using /etc/pam.d/vncserver, in /etc/pam.d/vncserver.custom. Create this file if it does not exist.
  - For platforms using /etc/pam.conf, edit this same file to create vncserver.custom rules pointing to the new PAM module(s).
  For example, for a Debian-compatible computer:
  # First, mandate standard system authentication
  auth required pam_unix.so
  # Second, require a TOTP code
  auth required pam_google_authenticator.so
- In an appropriate system-wide VNC Server configuration file (for example /etc/vnc/config.d/common.custom), specify the PamApplicationName parameter to register your changes with VNC Server:
  PamApplicationName=vncserver.custom
- Register the user accounts of all prospective VNC Viewer users with VNC Server, either by:
  - Opening VNC Server’s Options > Users & Permissions page and following these instructions.
  - Setting the VNC Server Permissions parameter.
  Note that prior configuration is required to register domain accounts under Linux. You may also need to qualify user names with the domain name, for example DEV.ACMECORP.COM\johndoe.
If you have already set up PAM to work with other services, you may be able to configure VNC Server to reference changes already made. For example, under Debian-compatible Linux, you may be able to edit /etc/pam.d/vncserver.custom as follows:
@include common-auth
@include common-account
@include common-session
For Red Hat-compatible Linux, the equivalent edits might be:
auth include password-auth
account include password-auth
session include password-auth
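A mistyped module name, a missing included stack, or a stack with no account rule in vncserver.custom is only noticed at the next VNC Viewer connection attempt, so it is worth checking the file before PamApplicationName points at it. The POSIX shell function below is an added example, not part of the RealVNC documentation or of VNC Server: it parses a stack file in the layouts shown above (plain module rules, Debian @include lines, and Red Hat include rules) and reports anything that does not resolve. The module directory is an assumption supplied by the caller, because its location differs between distributions.

```shell
#!/bin/sh
# Added example: sanity-check a PAM stack file (for example /etc/pam.d/vncserver.custom)
# before VNC Server's PamApplicationName points at it.
# Usage: pam_stack_check FILE MODULE_DIR
#   MODULE_DIR is assumed to be where pam_*.so live on this host, for example
#   /lib/x86_64-linux-gnu/security (Debian) or /lib64/security (Red Hat).
# Prints one line per problem; returns 0 if no problem was found, 1 otherwise.
pam_stack_check() {
    file=$1; moddir=$2; dir=$(dirname "$file"); rc=0; have_auth=0; have_account=0
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }
    while read -r line; do
        set -- $line                          # split into: type control module [args]
        case $1 in ''|\#*) continue ;; esac   # skip blank lines and comments
        type=$1; shift
        case $type in
            auth)    have_auth=1 ;;
            account) have_account=1 ;;
            session|password) ;;
            @include)   # Debian-style include of another stack in the same directory;
                        # assume it supplies the rule type its name ends in (common-auth, common-account)
                case $1 in *auth) have_auth=1 ;; *account) have_account=1 ;; esac
                [ -r "$dir/$1" ] || { echo "missing include: $1"; rc=1; }
                continue ;;
            *) echo "unknown rule type: $line"; rc=1; continue ;;
        esac
        control=$1; shift
        case $control in
            \[*)  # bracketed control such as [success=1 default=ignore]: join words up to ']'
                while [ $# -gt 0 ] && [ "${control%]}" = "$control" ]; do control="$control $1"; shift; done ;;
            include|substack)   # Red Hat style: the next field names another stack, not a module
                [ -r "$dir/$1" ] || { echo "missing stack: $1"; rc=1; }
                continue ;;
            required|requisite|sufficient|optional) ;;
            *) echo "unknown control '$control': $line"; rc=1 ;;
        esac
        case $1 in /*) path=$1 ;; *) path=$moddir/$1 ;; esac   # bare module name or full path
        [ -f "$path" ] || { echo "module not found: $path"; rc=1; }
    done < "$file"
    [ "$have_auth" -eq 1 ]    || { echo "no auth rule: nothing authenticates the connecting user"; rc=1; }
    [ "$have_account" -eq 1 ] || { echo "no account rule: account restrictions are never checked"; rc=1; }
    return $rc
}
```

Run it as pam_stack_check /etc/pam.d/vncserver.custom /lib/x86_64-linux-gnu/security (adjusting the module directory for your distribution) and fix every reported line before restarting VNC Server.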