multiple VNC user accounts


Glenn Newell

Apr 16, 2021, 10:25:38 PM
to noVNC
Perhaps this is just how astroberry is configured as to noVNC, but I can't figure out how to set up noVNC to change to a user account that has been configured "viewonly" in the vnc server.

It's working with a regular VNC client. I have the vnc server standard user (which I can't modify or remove), an admin user which can control the screen, and a viewonly user that can only view.

However the username seems to be embedded in the noVNC process somehow as it doesn't prompt for username (password only) and is stuck on the standard username.

I have a novnc.service file in /var/www/novnc, that has a User parameter, but changing that doesn't seem to change any behaviour (after reboot and force refreshing web pages).

[Unit]
Description="noVNC"
After=multi-user.target vncserver-x11-serviced.service

[Service]
User=astroberry
ExecStart=/usr/bin/websockify --log-file=/var/log/astroberry/novnc.log --web=/var/www/novnc/ 8080 localhost:5900
ExecStop=/usr/bin/pkill websockify
Restart=on-failure
RestartSec=3

[Install]
WantedBy=multi-user.target

I would be happy if the noVNC was always viewonly, and the admin account could use a regular VNC client. 

I have hacked the html in /var/www/novnc/index.html to have the view_only checkbox checked, but that only works on touch devices AND the user can uncheck it to gain full control.

Suggestions?
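
Since a view_only checkbox in the served page can be unchecked by the user, as the post above describes, view-only has to be enforced outside the browser. The following is an added example, not code from the thread, noVNC or websockify: a hypothetical filter for the proxy path that drops the client's input messages. The class name and size cap are assumptions, and the filter is assumed to see the client's byte stream only after the RFB handshake has completed.

```javascript
// Added example: hypothetical proxy-side filter, not websockify or noVNC code.
// Message sizes are the standard client-to-server messages of RFC 6143.
const FIXED = { 0: 20, 3: 10, 4: 8, 5: 6 }; // SetPixelFormat, FramebufferUpdateRequest, KeyEvent, PointerEvent
const INPUT = new Set([4, 5, 6]);           // KeyEvent, PointerEvent, ClientCutText
const MAX_MESSAGE = 1 << 20;                // assumed cap so a huge length cannot pin memory

class ViewOnlyFilter {
  constructor() {
    this.pending = new Uint8Array(0);
    this.dropped = 0;
  }

  // Length of the message starting at buf[0], or 0 if its header is incomplete.
  static messageLength(buf) {
    const type = buf[0];
    if (FIXED[type]) return FIXED[type];
    const view = new DataView(buf.buffer, buf.byteOffset, buf.byteLength);
    let len;
    if (type === 2) len = buf.length < 4 ? 0 : 4 + 4 * view.getUint16(2);  // SetEncodings
    else if (type === 6) len = buf.length < 8 ? 0 : 8 + view.getUint32(4); // ClientCutText
    else throw new Error(`unsupported client message type ${type}`);       // fail closed
    if (len > MAX_MESSAGE) throw new Error('client message too large');
    return len;
  }

  // Feed one chunk received from the browser; returns the bytes to forward.
  push(chunk) {
    const buf = new Uint8Array(this.pending.length + chunk.length);
    buf.set(this.pending);
    buf.set(chunk, this.pending.length);
    const out = new Uint8Array(buf.length);
    let pos = 0, outLen = 0;
    while (pos < buf.length) {
      const rest = buf.subarray(pos);
      const len = ViewOnlyFilter.messageLength(rest);
      if (len === 0 || len > rest.length) break; // incomplete: wait for more data
      if (INPUT.has(rest[0])) this.dropped += 1;
      else { out.set(rest.subarray(0, len), outLen); outLen += len; }
      pos += len;
    }
    this.pending = buf.slice(pos);
    return out.slice(0, outLen);
  }
}

// Constructed sample: an update request followed by a key press (type 4).
const demo = new ViewOnlyFilter();
const forwarded = demo.push(Uint8Array.from([3, 0, 0, 0, 0, 0, 0, 10, 0, 10, 4, 1, 0, 0, 0, 0, 0, 0x61]));
console.log(forwarded.length, demo.dropped);
```

Message types outside the standard set, including extensions a server may enable, raise an error here so that the connection can be closed rather than forwarded unchecked.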


Glenn Newell

Apr 18, 2021, 7:28:19 PM
to noVNC

OK I've spent many hours on this.

I understand what version of vncserver is on Raspbian and specifically on astroberry. It is some flavor of RealVNC's VNC Connect. It seems to have some features of the free version but also I can set up viewonly and admin credentials, separate from the "standard user", and successfully use them as I intend from a standard VNC client (note that the doc says you can't do that with VNC Connect free version). You cannot, however, change the permissions of the "standard user" to view only :0(

I've put the documented permissions string for that in the proper file, according to the VNC Connect enterprise edition doc, but it doesn't have any effect.

Moving beyond the vnc server, I have installed the latest websockify and have the latest novnc working, using the provided vnc.html.

However, even though there is a code block in there to ask for username (in addition to a password) it doesn't show in the web rendering, so I still can't connect to the vnc server as anything other than the "standard user".

How do I activate the prompting for username, and have it passed through to the vnc server, like a non web vnc client?

Samuel Mannehed

Apr 19, 2021, 9:03:49 AM
to Glenn Newell, no...@googlegroups.com
Hi Glenn,

> However, even though there is a code block in there to ask for
> username (in addition to a password) it doesn't show in the web
> rendering, so I still can't connect to the vnc server as anything
> other than the "standard user".
>
> How do I activate the prompting for username, and have it passed
> through to the vnc server, like a non web vnc client?

It all depends on the authentication mechanism used. You're probably
using a different mechanism on noVNC. If you enable debug logging in
noVNC and on your regular VNC viewer, you should be able to see the
difference.

The auth types that require username AND password in noVNC are:

* XvpAuth
* VeNCrypt
* TightUnixAuth

The "Standard VNC Authentication" only requires password.

Hope that helps,
--
Samuel Mannehed Software Development
Cendio AB https://cendio.com
Teknikringen 8 https://twitter.com/ThinLinc
583 30 Linköping https://facebook.com/ThinLinc
Phone: +46 13 214 600
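
Whether a username can be asked for at all is decided by the security types the server offers during the RFB handshake, as the reply above explains. The following is an added example, not code from the thread or from noVNC: it parses a server's handshake bytes and reports which offered types come with a username prompt. Type numbers follow RFC 6143, the prompt column follows the reply above, and the function names and sample bytes are constructed for illustration.

```javascript
// Added example (not noVNC code). Type numbers follow RFC 6143; which ones
// prompt for a username is taken from the reply above.
const KNOWN = {
  1: { name: 'None', prompts: [] },
  2: { name: 'VNC Authentication', prompts: ['password'] },
  16: { name: 'Tight', prompts: ['username', 'password'] }, // via the TightUnixAuth sub-type
  19: { name: 'VeNCrypt', prompts: ['username', 'password'] },
  22: { name: 'XVP', prompts: ['username', 'password'] },
};

function describeType(type) {
  if (KNOWN[type]) return { type, ...KNOWN[type] };
  // RFC 6143 registers 3-15 and 128-255 to RealVNC without documenting them.
  const vendor = (type >= 3 && type <= 15) || (type >= 128 && type <= 255);
  return { type, name: vendor ? 'RealVNC-registered' : 'unknown', prompts: null };
}

// bytes: everything the server sent up to and including its security-type list.
// Assumption: the client answered with the same version the server announced.
function parseServerHandshake(bytes) {
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const m = /^RFB (\d{3})\.(\d{3})\n$/.exec(String.fromCharCode(...bytes.subarray(0, 12)));
  if (!m) throw new Error('not an RFB ProtocolVersion message');
  const major = Number(m[1]), minor = Number(m[2]);
  const version = `${major}.${minor}`;
  let offered;
  if (major === 3 && minor < 7) {
    offered = [view.getUint32(12)];        // 3.3: the server dictates one type
  } else {
    const count = view.getUint8(12);       // 3.7 and later: count, then one byte each
    if (count === 0) {                     // refusal: u32 length plus reason text
      const len = view.getUint32(13);
      const failure = String.fromCharCode(...bytes.subarray(17, 17 + len));
      return { version, offered: [], failure };
    }
    if (bytes.length < 13 + count) throw new Error('truncated security-type list');
    offered = [...bytes.subarray(13, 13 + count)];
  }
  return { version, offered: offered.map(describeType) };
}

const usernamePossible = (hs) =>
  hs.offered.some((t) => t.prompts !== null && t.prompts.includes('username'));

// Constructed sample: a 3.8 server offering a vendor type (5) and VNC Authentication (2).
const banner = [...'RFB 003.008\n'].map((c) => c.charCodeAt(0));
const sample = parseServerHandshake(Uint8Array.from([...banner, 2, 5, 2]));
console.log(sample.offered.map((t) => t.name), usernamePossible(sample));
```

Comparing this list between the browser session and the regular viewer shows whether a username-capable type was ever on offer to noVNC.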

Glenn Newell

Apr 20, 2021, 12:18:01 AM
to Samuel Mannehed, no...@googlegroups.com
Thanks for the details.

The VNC Connect VNC server that comes in Raspbian has three types of authentication.

They call them:

I don't know if any of those map into the more technical schemes you mentioned, but none of them seemed to trigger a user name prompt from the default vnc.html page.

With debug on in NoVNC I got:

[image: image.png]

So I am still stuck.

Should I try changing the VNC server to tightVNC or something else?


Glenn Newell

Apr 20, 2021, 12:30:18 AM
to Samuel Mannehed, no...@googlegroups.com
FYI,

When it works (with VNC password, no username prompt):

[image: image.png]

Samuel Mannehed

Apr 21, 2021, 7:19:34 AM
to Glenn Newell, no...@googlegroups.com
Hi Glenn,

> ...
> With debug on in NoVNC I got:
>
> [image: image.png]
>
> So I am still stuck.

As written in the browser console, there are problems with that server
in combination with open source viewers. You mentioned before that you
were able to get the username prompt in a regular viewer? I assume that
was RealVNC's own viewer?

RealVNC isn't open source, and they have loads of proprietary
extensions to the RFB protocol that they don't want to share with the
world. This makes it very difficult, and often impossible for us to be
compatible.

> Should I try changing the VNC server to tightVNC or something else?

Yeah, sounds good to use a different VNC server.

Regards,