Remote Graphical Access for Older Hosts — RCG Handbook

Method 1: X Forwarding Quick Graphical Remote Access

  1. ssh -Y
  2. From there, ssh -Y
  3. Run e.g., google-chrome.

Applications will not persist when you disconnect.

Method 2: VNC Over SSH Tunnel

Step #1: Fix your xstartup file

Make sure you fix your .vnc/xstartup file in your Linux server home directory. The one you used for CentOS will not work for Ubuntu. Here’s what we recommend as a bare minimum for the contents:


#!/bin/sh
# Load X resources for this session
xrdb "$HOME/.Xresources"
# Plain grey root window background
xsetroot -solid grey
# Fix to make GNOME work
mate-session &

If you are met with a grey screen instead of MATE Desktop, ensure your xstartup file is executable:

$ chmod +x ~/.vnc/xstartup

If you want to load some modules into your MATE session so that they will automatically be loaded in all shells, then use something akin to the following. This example is with the LANG/PYTHON/3.5.2-SYSTEM module:


#!/bin/sh
xrdb "$HOME/.Xresources"
xsetroot -solid grey
# Fix to make GNOME work
. /etc/profile.d/
# Load the module before the session starts so every shell inherits it
module load LANG/PYTHON/3.5.2-SYSTEM
mate-session &

NOTE: if you use VNC to connect to both CentOS and Ubuntu servers, then you’ll need to write some code into your xstartup file to autodetect the Linux distro and act accordingly.

Step #2: Set a VNC password

Make sure you set a VNC password with the vncpasswd command.

Step #3: Start the VNC server

ssh into the Ubuntu Linux server and type:


It will start up the stuff in your .vnc/xstartup file and will respond with something like:

New 'X' desktop is

where is the server’s hostname and n is the virtual desktop number. Remember this number. The TCP port number used by VNC will be 5900+n. You can now log out of the server. The VNC session will remain running, virtually forever, until the server gets rebooted or you ssh in and issue:

vncserver -kill :n

(where n is the virtual desktop number)

Step #4: Tunnel VNC via SSH

NEVER connect directly to the VNC port! This is a security risk!

tightvnc, which is the default VNC packaged with Ubuntu 16, does not support encryption, so all packets sent over the internet without being tunneled via SSH are open to snooping. Although some VNC clients, such as RealVNC on Windows, do support encryption, it won’t help if the server doesn’t!

In order to protect users from this risk, we firewall the VNC ports on Ubuntu servers. You therefore must tunnel the VNC ports via SSH.

(Those of you who used VNC with CentOS 6 servers might have avoided tunneling because the default VNC packaged with CentOS 6 is tigervnc, which does support encryption.)

SSH tunneling is easily done on the command-line of any Linux or Mac workstation.

On a Windows workstation, you can set up SSH tunneling via PuTTY, but we recommend MobaXterm because then the instructions are exactly the same as for Linux and Mac.

If your Windows workstation doesn’t have MobaXterm, you can download the home edition for free from:

On your client workstation or home computer, you’ll need to open 2 Linux shells, 2 Mac Terminals, or 2 MobaXterm windows. Choose an unused TCP port on your client workstation over which to tunnel SSH to your VNC server. Let’s say it’s 9999. Suppose that your VNC server’s hostname is “” and that your username is “user”. In Terminal 1, type:

ssh -L

and log into rcga-linux-ts1. Now port 9999 on your client workstation or home computer talks to port 22 on your VNC server via our Linux Terminal Server. Let’s suppose that your VNC server is using virtual desktop number 4. That means that it’s listening on TCP port 5904. In Terminal 2, type:

ssh -L 5904: -p 9999 user@

and log into (which is actually This will tunnel port 5904 on your home computer or client workstation to port 5904 on your VNC server (through the port 9999 tunnel that you set up).

NOTE that you must tunnel via if you are off campus or on wireless, because direct SSH access to hosts on campus is in general blocked (and so are the VNC ports).

Step #5: Connect your VNC client to the local end of the tunnel

Assuming your virtual desktop is 4, connect your VNC client to This is the local end of the tunnel. Use your VNC password set in step #2. The data will be fully encrypted via ssh all the way to your VNC server.
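
The two-hop tunnel from Steps #4 and #5, as an added example that is not part of the original handbook: a small POSIX shell helper that validates its inputs and prints the Terminal 1 command, the Terminal 2 command and the local VNC client target. The host names gateway.example.org and vnchost.example.org, the function names, the explicit localhost bind address and the 1024 lower bound on the hop port are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: emit the two ssh commands for the two-hop VNC tunnel.
# All host and user names passed in below are placeholders, not real RCG hosts.

# Print the TCP port for VNC virtual desktop N (5900+N); reject bad input.
vnc_port() {
    case "$1" in
        ''|*[!0-9]*|0?*|??????*) echo "invalid display number: '$1'" >&2; return 1 ;;
    esac
    vp=$((5900 + $1))
    [ "$vp" -le 65535 ] || { echo "port $vp out of range" >&2; return 1; }
    echo "$vp"
}

# Accept only plain host/user names, so a value can never be read as an ssh option.
safe_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) echo "unsafe name: '$1'" >&2; return 1 ;;
    esac
}

# tunnel_commands GATEWAY VNC_HOST USER DISPLAY [HOP_PORT]
tunnel_commands() {
    tc_gw=$1 tc_host=$2 tc_user=$3 tc_hop=${5:-9999}
    safe_name "$tc_gw" && safe_name "$tc_host" && safe_name "$tc_user" || return 1
    # Assumption: the hop port must be an unprivileged port (1024-65535).
    case "$tc_hop" in ''|*[!0-9]*|0*|??????*) echo "bad hop port" >&2; return 1 ;; esac
    [ "$tc_hop" -ge 1024 ] && [ "$tc_hop" -le 65535 ] || { echo "bad hop port" >&2; return 1; }
    tc_port=$(vnc_port "$4") || return 1
    # Terminal 1: local HOP_PORT reaches port 22 on the VNC server via the gateway.
    echo "ssh -L localhost:${tc_hop}:${tc_host}:22 ${tc_user}@${tc_gw}"
    # Terminal 2: ssh through that tunnel and forward the VNC port. The explicit
    # "localhost" bind keeps the listener off the workstation's other interfaces.
    echo "ssh -L localhost:${tc_port}:localhost:${tc_port} -p ${tc_hop} ${tc_user}@localhost"
    # Step 5: the VNC client connects only to the local end of the tunnel.
    echo "vnc-client-target localhost:${tc_port}"
}

# Constructed sample run: virtual desktop 4, default hop port 9999.
tunnel_commands gateway.example.org vnchost.example.org user 4
```

Run the first printed command in Terminal 1 and the second in Terminal 2, then point the VNC client at the printed local target.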

Step #6: Kill your VNC server sessions when you’re done with them

Please kill your old vncserver sessions with vncserver -kill :n when you are done with them. Don’t just start new ones! (We’ve seen some users with dozens of vnc sessions running on the same server! You only need one!)

If you’re not sure, take a look at the process table with ps -ef | grep -i vnc.