TurboVNC / turbovnc

Main TurboVNC repository
https://TurboVNC.org
GNU General Public License v2.0

Prevent reconnection on the port if it is already open with TurboVNC Session Manager #286

Closed MoiseKans closed 3 years ago

MoiseKans commented 3 years ago

Hello,

I am using the TurboVNC Session Manager to allow multiple connections (the TurboVNC host can be CentOS 7 or 8). I use a generic account for some purposes, i.e. many users use the same ID and password, which is easily done with the TurboVNC Session Manager.

Now, I would like to prevent users from connecting (button "connect" of the TurboVNC Session Manager) to the TurboVNC sessions which are currently running (under the user account) on the TurboVNC host (this will prevent users from seeing or controlling what another user is doing).

Is there any possibility to do that?

Kanssoune

dcommander commented 3 years ago

No. The TurboVNC Session Manager just automates the existing TurboVNC workflow, and there is no way within that workflow to prevent a user from connecting to a session started under their account. Even if there were a way to do that using the TurboVNC Session Manager, a user could still snoop another TurboVNC session by launching a VNC viewer within their session. So there wouldn't be much point to implementing a restriction that is so easy to get around.

In a nutshell, there is no way to achieve session isolation if all of the sessions are running under the same user account. Use different accounts.

dcommander commented 3 years ago

> Now, I would like to prevent users from connecting (button "connect" of the TurboVNC Session Manager) to the TurboVNC sessions which are currently running (under the user account) on the TurboVNC host (this will prevent users from seeing or controlling what another user is doing).

To be clear, if you mean the TurboVNC sessions that are currently running on the TurboVNC host but not started by the session manager, then there might be a way to hack something resembling what you want. The session manager is just executing a variation of /opt/TurboVNC/bin/vncserver -list via SSH in order to figure out which sessions are running under a particular user account, and /opt/TurboVNC/bin/vncserver -list simply scans ~/.vnc for .pid files. You could temporarily manipulate the HOME environment variable or temporarily manipulate the $vncUserDir variable in ~/.vnc/turbovncserver.conf when starting non-session-manager sessions, and in so doing, the session manager wouldn't see the .pid files for those sessions. However, you would also have to temporarily manipulate HOME or $vncUserDir when killing the non-session-manager sessions. Ultimately, it's a lot cleaner to just use a separate account for session manager sessions and non-session-manager sessions.

Also, for completeness, I should point out that there is a way to prevent new connections to running sessions that already have connections. You can pass -nevershared to /opt/TurboVNC/bin/vncserver or include that argument in the $serverArgs variable in turbovncserver.conf in order to achieve that.
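A way to check the two points in the comment above on a host, as an added example that is not part of the original thread or of TurboVNC: it scans a VNC user directory for .pid files, as described for vncserver -list, and reports whether each session's server process was started with -nevershared. The function name, the output format, and the assumptions that each .pid file holds the server's PID and that its arguments are readable under /proc are mine.

```shell
#!/bin/sh
# Audit one account's TurboVNC sessions: for every .pid file in the VNC user
# directory, report whether the server process was started with -nevershared.
# Assumptions (not from the thread): each .pid file holds the PID of the
# session's server process, and that process's arguments are readable from
# /proc/<pid>/cmdline (Linux).

# audit_vnc_sessions VNC_DIR [PROC_ROOT]
# Prints one line per session: "<session> <pid> nevershared|shareable|stale"
# Returns 0 if every live session has -nevershared, 1 otherwise.
audit_vnc_sessions() {
    vnc_dir=$1
    proc_root=${2:-/proc}
    rc=0
    for pidfile in "$vnc_dir"/*.pid; do
        [ -f "$pidfile" ] || continue          # glob matched nothing
        session=$(basename "$pidfile" .pid)
        pid=$(tr -cd '0-9' < "$pidfile")
        cmdline="$proc_root/$pid/cmdline"
        if [ -z "$pid" ] || [ ! -r "$cmdline" ]; then
            echo "$session ${pid:-?} stale"     # .pid file without a process
            continue
        fi
        # cmdline is NUL-separated; turn it into one argument per line and
        # look for an exact -nevershared argument.
        if tr '\0' '\n' < "$cmdline" | grep -qx -e '-nevershared'; then
            echo "$session $pid nevershared"
        else
            echo "$session $pid shareable"
            rc=1
        fi
    done
    return $rc
}

# Example: audit_vnc_sessions "$HOME/.vnc"
```

A "shareable" line marks a session that will still accept a second connection; on a shared account, any user can read the same directory and run the same check.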

MoiseKans commented 3 years ago

Thanks a lot for the very helpful reply.

I included -nevershared in the $serverArgs variable in turbovncserver.conf and it works as I want.

Is it also possible to prevent the use of the kill button (in the TurboVNC Session Manager) to disconnect?

Thanks!

dcommander commented 3 years ago

> I included -nevershared in the $serverArgs variable in turbovncserver.conf and it works as I want.

I'm glad it did what you want. Your post was unclear, since you said "running" TurboVNC sessions. What you really meant was "connected" TurboVNC sessions. (A session can be running but have no connections.)

> Is it also possible to prevent the use of the kill button (in the TurboVNC Session Manager) to disconnect?

No, because again, the session manager is just automating things that were already possible with TurboVNC. Because you are running all of the sessions under the same user account, any user connected to any session can kill any other session. Even if the session manager didn't allow that, then they would still be able to open a terminal in their TurboVNC session, run /opt/TurboVNC/bin/vncserver -list to list all running sessions, and run /opt/TurboVNC/bin/vncserver -kill to kill any of them. If that is an unacceptable risk, then you need to revisit your decision to run all sessions under the same user account. In my opinion, that is a very bad idea for a lot of reasons that are completely unrelated to TurboVNC. That configuration is in no way supportable by us in any official capacity.