Where can I read more information about how to configure the session manager? I dont think I have the correct entry point for the session manager documentation.
The User's Guide (https://turbovnc.org/Documentation/Documentation) describes basic Session Manager operation. '/opt/TurboVNC/bin/vncviewer -?' has more in-depth documentation of the various parameters. You shouldn't really need to set any parameters for it, however.
I did seem to understand that to use the session manager I will need to use the internal ssh manager. For some reason I cant really get that working, unclear why, I dont think I have a weird ssh config. Is there some way to debug the internal ssh client to see where it fails?
Pass '-loglevel 110' to
/opt/TurboVNC/bin/vncviewer. There are a few limitations of the
built-in SSH client at the moment, including lack of direct
support for ed25519 keys. (You can still use such keys via
ssh-agent, but you can't pass them directly to the viewer.) It
also doesn't yet support jump hosts, but that's the highest
priority feature for TurboVNC 3.2. (I hope to have that feature
ready to test in the 3.2 evolving branch later this month.)
I use this atm: secret-tool lookup turbovnc password|/opt/TurboVNC/bin/vncviewer -AutoPass -ExtSSH=1 -Tunnel=1 genos:1 I use ssh-agent to handle the ssh. I understand from the docs that AutoPass is not recomended, but what do you think about this use-case using secret-tool?
The Session Manager automatically generates and transmits a one-time password through the SSH connection, so there is no need to use a VNC password with it at all. Once you authenticate with the SSH server, encryption and authentication with the TurboVNC session are handled automatically. Thus, if authentication is automatic and password-less when you SSH into the host, then the same should be true when using the TurboVNC Session Manager. When connecting to a session using the Session Manager, it effectively acts as if you had invoked:
ssh {host} /opt/TurboVNC/bin/vncpasswd -o
-display {TurboVNC_session_display} 2>&1 | \
sed 's/^.*: //g' | \
/opt/TurboVNC/bin/vncviewer -autopass -tunnel -securitytypes
vnc {host}:{TurboVNC_session_display}
You can, however, also set the SessMgrAuto
parameter to 0 if you want to use the Session Manager solely for
session management and configure encryption and authentication
manually.
I looked into enabling the Session Manager for external SSH clients as well (see https://github.com/TurboVNC/turbovnc/issues/148), but there doesn't seem to be a robust way of keeping the SSH session open for an indefinite period of time (while the Session Manager dialog is open in the TurboVNC Viewer) without risking the SSH session remaining open if the viewer aborts unexpectedly. Thus, I would either have to deal with OpenSSH control socket fragility, or I would have to stipulate that an SSH agent must be used when using the Session Manager with an external SSH client. (In other words, an SSH session created with the external SSH client would not be persistent until the VNC connection is established. Until then, the Session Manager would have to re-authenticate every time it needs to run a command on the host.) Neither is ideal.
I did make the internal ssh work, by adding a rsa key. Previously I only had a ed25519 key. Now I can can ssh using the internal client, but then a 2nd dialog appears saying "redundant encryption". Is this because I have a vnc password? I tried removin the .vnc/passwd file , but the server didnt star then, so I put it back.
No, it's because TLSVnc is the default security type, and that
security type implements TLS encryption. But you're using SSH
tunneling, which also implements encryption, so you're doubly
encrypted. (I guess I could look into changing the default
security type to "VNC" when using SSH tunneling.) The password
dialog turns yellow to warn you of that fact, because redundant
encryption can slow performance (and we still have "Turbo" in our
name, so performance matters), but the warning won't prevent you
from authenticating or connecting.
You can pass '-securitytypes vnc' to /opt/TurboVNC/bin/vncviewer
to get rid of the warning (or set SecurityTypes=vnc in
~/.vnc/default.turbovnc), or you can use the TurboVNC Session
Manager, which does that automatically by default.