From 4e2a888bf1bcb107d737020aa669c71119a4419d Mon Sep 17 00:00:00 2001 From: ctrlaltf24 <70006231+ctrlaltf24@users.noreply.github.com> Date: Mon, 22 Mar 2021 17:15:32 -0700 Subject: [PATCH 1/4] added Screen Sharing Page --- docs/configuration/screen-share.md | 65 ++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 docs/configuration/screen-share.md diff --git a/docs/configuration/screen-share.md b/docs/configuration/screen-share.md new file mode 100644 index 0000000..cc7d83c --- /dev/null +++ b/docs/configuration/screen-share.md 
@@ -0,0 +1,65 @@ + +How to Share A Screen Across Qubes +================================== + +## Setup The Shared Screen Server + +In the Qube you want to want to share a screen from (referred to the Content Qube) execute these commands: + +1. Install packages `sudo apt install -y xfwm4 tigervnc-standalone-server tigervnc-viewer` + +2. Start the server `vncserver :10 -xstartup /usr/bin/xfwm4 -geometry 1920x1080 -localhost no` + +3. Enter passwords when prompted + + 1. You can generate secure enough passwords for this purpose using `openssl rand -base64 16 | tr -d '+/=' | head -c 8;echo` + + 2. Enter one password for read/write (first password and verify prompt) + + 3. Enter a different password for the view only password (second password and verify prompt) + +3. View the shared screen `xtigervncviewer -passwd /home/user/.vnc/passwd :10` + +4. Open applications `DISPLAY=:10 xterm` where xterm can be any binary on your system + +## Qubes Connect TCP Service + +These steps are a simpler version of [The Qubes Firewall](https://www.qubes-os.org/doc/firewall/#opening-a-single-tcp-port-to-other-network-isolated-qube). In dom0 execute these steps: + +1. Edit /etc/qubes-rpc/policy/qubes.ConnectTCP + +2. Add the line: `PRESENTATION-QUBE @default ask,target=CONTENT-QUBE` + + - Where PRESENTATION-QUBE is the Qube you want to view the screen from + + - Where CONTENT-QUBE is the Qube that has the window you want to share + +## View The Shared Screen + +In the Qube you want to view the shared screen from (referred to the Presentation Qube): + +1. Install package `sudo apt install -y tigervnc-viewer` + +2. Bind TCP port using Qubes Connect TCP service `qvm-connect-tcp ::5910` + +3. Start the VNC Viewer `vncviewer -Shared -ViewOnly -RemoteResize=0 -SendPrimary=0 -SendClipboard=0 -SetPrimary=0 127.0.0.1:5910` + +4. Confirm that you want to connect to the Presentation Qube in the dom0 prompt + +5. 
Enter the view only password given during step 3 of Setup The Shared Screen Server + +6. In your presentation software share the VNC viewer + +## Present + +In the Content Qube interact with the shared screen, the changes will be mirrored back to your Presentation Qube. + +## Notes + +- To reset the VNC password delete `/home/user/.vnc/passwd` in the Content Qube + +- The Content Qube does not need to have access to the internet + +- Opening up a TCP port between Qubes Should only be used as a last resort, use sparingly. + +- After you are done, remove the line you added in `/etc/qubes-rpc/policy/qubes.ConnectTCP` From 2e5b69569c3719f52709bf8c5ed36a26e16e9aa5 Mon Sep 17 00:00:00 2001 From: ctrlaltf24 <70006231+ctrlaltf24@users.noreply.github.com> Date: Thu, 25 Mar 2021 15:54:26 -0700 Subject: [PATCH 2/4] Added x11vnc and fedora. UNTESTED --- docs/configuration/screen-share.md | 68 ++++++++++++++++++++++++------ 1 file changed, 55 insertions(+), 13 deletions(-) diff --git a/docs/configuration/screen-share.md b/docs/configuration/screen-share.md index cc7d83c..32bcbf7 100644 --- a/docs/configuration/screen-share.md +++ b/docs/configuration/screen-share.md 
@@ -2,11 +2,23 @@ How to Share A Screen Across Qubes ================================== +> Warning: +> This guide involves opening up a TCP port between qubes. This is discouraged from the security standpoint and should only be used as a last resort, use sparingly. + +## Terminology +PRESENTATION-QUBE is the Qube you want to view the screen from + +CONTENT-QUBE is the Qube that has the window you want to share + ## Setup The Shared Screen Server -In the Qube you want to want to share a screen from (referred to the Content Qube) execute these commands: +Choose one of these sub-sections depending on whether you want to open a new screen (increased isolation), or use an existing monitor or screen. -1. Install packages `sudo apt install -y xfwm4 tigervnc-standalone-server tigervnc-viewer` +### If You Want To Share a New Screen + +In the Content Qube: + +1. Install packages `sudo apt install -y xfwm4 tigervnc-standalone-server tigervnc-viewer` or `sudo dnf install -y xfwm4 tigervnc-server tigervnc` 2. Start the server `vncserver :10 -xstartup /usr/bin/xfwm4 -geometry 1920x1080 -localhost no` 
@@ -16,27 +28,61 @@ In the Qube you want to want to share a screen from (referred to the Content Qub 2. Enter one password for read/write (first password and verify prompt) - 3. Enter a different password for the view only password (second password and verify prompt) + 3. (recommended) Enter a different password for the view only password (second password and verify prompt) -3. View the shared screen `xtigervncviewer -passwd /home/user/.vnc/passwd :10` +3. View the shared screen `vncviewer -passwd /home/user/.vnc/passwd :10` 4. Open applications `DISPLAY=:10 xterm` where xterm can be any binary on your system +## If You Want To Share an Existing Monitor or Window + +In the Content Qube: + +1. Install packages `sudo apt install -y xfwm4 x11vnc x11-utils` or `sudo dnf install -y xfwm4 x11vnc xwininfo` + +2. Start the server + + 1. If you want to share a window `x11vnc -rfbport 5910 -clip 1920x1080+0+0 -storepassword` + + - Replace `1920x1080+0+0` with the resolution and offset of the screen area you want to share. The origin for linux monitors is in the top left, increasing down and to the right. + + - Use `xrandr --listactivemonitors` in Dom0 to get a list of all monitors and their offsets. That command returns in the form `W/_xH/_+X+Y`. For example to share DP-1, with xrandr output of ` 0: +DP-1 1920/510x1080/287+1280+0 DP-1`, 1920x1080+1280+0 would share just that screen. + + - `arandr` is a useful graphical tool to show where all the monitors are in relation to each other. + + 2. If you want to share a monitor `x11vnc -rfbport 5910 -id pick -storepassword` + + - This uses the `xwininfo` (or `x11-utils`o on debian) package installed earlier to get the numerical id of the next window you click on. + +3. Enter passwords when prompted + + 1. You can generate secure enough passwords for this purpose using `openssl rand -base64 16 | tr -d '+/=' | head -c 8;echo` + + 2. Enter one password for read/write (first password and verify prompt) + + 3. 
Enter a different password for the view only password (second password and verify prompt) + +3. View the shared screen like normal + +4. Open applications like normal + ## Qubes Connect TCP Service These steps are a simpler version of [The Qubes Firewall](https://www.qubes-os.org/doc/firewall/#opening-a-single-tcp-port-to-other-network-isolated-qube). In dom0 execute these steps: 1. Edit /etc/qubes-rpc/policy/qubes.ConnectTCP -2. Add the line: `PRESENTATION-QUBE @default ask,target=CONTENT-QUBE` +2. Add the line: ` @default ask,target=` - - Where PRESENTATION-QUBE is the Qube you want to view the screen from + - (recommended) By specifying `ask`, dom0 will ask each time a connection is attempted on that port - - Where CONTENT-QUBE is the Qube that has the window you want to share + - (not recommended) Rather than specifying `ask` you can use `allow` to allow all connections without a prompt, this leaves you unaware of new attempted connections. + +3. After you are done sharing you screen, remove this line to prevent further unwanted connections ## View The Shared Screen -In the Qube you want to view the shared screen from (referred to the Presentation Qube): +In the Presentation Qube: 1. Install package `sudo apt install -y tigervnc-viewer` @@ -58,8 +104,4 @@ In the Content Qube interact with the shared screen, the changes will be mirrore - To reset the VNC password delete `/home/user/.vnc/passwd` in the Content Qube -- The Content Qube does not need to have access to the internet - -- Opening up a TCP port between Qubes Should only be used as a last resort, use sparingly. - -- After you are done, remove the line you added in `/etc/qubes-rpc/policy/qubes.ConnectTCP` +- The Content Qube does not need to have access to the internet \ No newline at end of file From a8df34ff5405a1b2c3f8331659459ba0f413b37e Mon Sep 17 00:00:00 2001 
From: ctrlaltf24 <70006231+ctrlaltf24@users.noreply.github.com> Date: Wed, 7 Apr 2021 10:21:47 -0700 Subject: [PATCH 3/4] misc updates --- docs/configuration/screen-share.md | 52 +++++++++++++++++------------- 1 file changed, 29 insertions(+), 23 deletions(-) diff --git a/docs/configuration/screen-share.md b/docs/configuration/screen-share.md index 32bcbf7..b3b02bd 100644 --- a/docs/configuration/screen-share.md +++ b/docs/configuration/screen-share.md @@ -18,9 +18,17 @@ Choose one of these sub-sections depending on whether you want to open a new scr In the Content Qube: -1. Install packages `sudo apt install -y xfwm4 tigervnc-standalone-server tigervnc-viewer` or `sudo dnf install -y xfwm4 tigervnc-server tigervnc` +1. Install packages `sudo apt install xfwm4 tigervnc-standalone-server tigervnc-viewer` or `sudo dnf install xfwm4 tigervnc-server tigervnc` -2. Start the server `vncserver :10 -xstartup /usr/bin/xfwm4 -geometry 1920x1080 -localhost no` +2. Enter the password by executing `vncpasswd` + + 1. You can generate secure enough passwords for this purpose using `openssl rand -base64 16 | tr -d '+/=' | head -c 8;echo` + + 2. Enter one password for read/write (first password and verify prompt) + + 3. Enter a different password for the view only password (second password and verify prompt) + +2. Start the server `vncserver :1 -xstartup /usr/bin/xfwm4 -geometry 1920x1080 -localhost no` 3. Enter passwords when prompted 
@@ -30,41 +38,39 @@ In the Content Qube: 3. (recommended) Enter a different password for the view only password (second password and verify prompt) -3. View the shared screen `vncviewer -passwd /home/user/.vnc/passwd :10` +3. View the shared screen `vncviewer -passwd ~/.vnc/passwd :1` -4. Open applications `DISPLAY=:10 xterm` where xterm can be any binary on your system +4. Open applications `DISPLAY=:1 xterm` where xterm can be any binary on your system ## If You Want To Share an Existing Monitor or Window In the Content Qube: -1. Install packages `sudo apt install -y xfwm4 x11vnc x11-utils` or `sudo dnf install -y xfwm4 x11vnc xwininfo` +1. Install packages `sudo apt install xfwm4 x11vnc x11-utils` or `sudo dnf install xfwm4 x11vnc xwininfo` -2. Start the server +2. Enter the password by executing `x11vnc -storepasswd` + + 1. You can generate secure enough passwords for this purpose using `openssl rand -base64 16 | tr -d '+/=' | head -c 8;echo` + +3. Start the server - 1. If you want to share a window `x11vnc -rfbport 5910 -clip 1920x1080+0+0 -storepassword` + 1. If you want to share a window `x11vnc -viewonly -rfbauth ~/.vnc/passwd -rfbport 5901 -clip 1920x1080+0+0 ` - - Replace `1920x1080+0+0` with the resolution and offset of the screen area you want to share. The origin for linux monitors is in the top left, increasing down and to the right. + - Replace `1920x1080+0+0` with the resolution (e.g. `1920x1080`) and offset (e.g. `+0+0`) of the screen area you want to share. The coordinates 0,0 are in the top left, increasing down and to the right. - Use `xrandr --listactivemonitors` in Dom0 to get a list of all monitors and their offsets. That command returns in the form `W/_xH/_+X+Y`. For example to share DP-1, with xrandr output of ` 0: +DP-1 1920/510x1080/287+1280+0 DP-1`, 1920x1080+1280+0 would share just that screen. - `arandr` is a useful graphical tool to show where all the monitors are in relation to each other. - 2. 
If you want to share a monitor `x11vnc -rfbport 5910 -id pick -storepassword` + 2. If you want to share a monitor `x11vnc -viewonly -rfbauth ~/.vnc/passwd -rfbport 5901 -id pick` - - This uses the `xwininfo` (or `x11-utils`o on debian) package installed earlier to get the numerical id of the next window you click on. + - This retrieves the numerical id of the next window you click on. -3. Enter passwords when prompted + 3. If you want to share all the monitors use `x11vnc -viewonly -rfbauth ~/.vnc/passwd -rfbport 5901` - 1. You can generate secure enough passwords for this purpose using `openssl rand -base64 16 | tr -d '+/=' | head -c 8;echo` - - 2. Enter one password for read/write (first password and verify prompt) +4. View the shared screen as specified in "View The Shared Screen" - 3. Enter a different password for the view only password (second password and verify prompt) - -3. View the shared screen like normal - -4. Open applications like normal +5. Open applications like normal ## Qubes Connect TCP Service @@ -86,13 +92,13 @@ In the Presentation Qube: 1. Install package `sudo apt install -y tigervnc-viewer` -2. Bind TCP port using Qubes Connect TCP service `qvm-connect-tcp ::5910` +2. Bind TCP port using Qubes Connect TCP service `qvm-connect-tcp ::5901` -3. Start the VNC Viewer `vncviewer -Shared -ViewOnly -RemoteResize=0 -SendPrimary=0 -SendClipboard=0 -SetPrimary=0 127.0.0.1:5910` +3. Start the VNC Viewer `vncviewer -Shared -ViewOnly -RemoteResize=0 -SendPrimary=0 -SendClipboard=0 -SetPrimary=0 127.0.0.1:5901` 4. Confirm that you want to connect to the Presentation Qube in the dom0 prompt -5. Enter the view only password given during step 3 of Setup The Shared Screen Server +5. Enter password for the VNC server you created above 6. In your presentation software share the VNC viewer 
@@ -102,6 +108,6 @@ In the Content Qube interact with the shared screen, the changes will be mirrore ## Notes -- To reset the VNC password delete `/home/user/.vnc/passwd` in the Content Qube +- To reset the VNC password delete `~/.vnc/passwd` in the Content Qube - The Content Qube does not need to have access to the internet \ No newline at end of file From cac288b6a47fa1ca5b1f9ceb5110ebd07a451277 Mon Sep 17 00:00:00 2001 From: ctrlaltf24 <70006231+ctrlaltf24@users.noreply.github.com> Date: Wed, 7 Apr 2021 10:43:46 -0700 Subject: [PATCH 4/4] cleanup --- docs/configuration/screen-share.md | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/docs/configuration/screen-share.md b/docs/configuration/screen-share.md index b3b02bd..f2b8d17 100644 --- a/docs/configuration/screen-share.md +++ b/docs/configuration/screen-share.md @@ -28,19 +28,11 @@ In the Content Qube: 3. Enter a different password for the view only password (second password and verify prompt) -2. Start the server `vncserver :1 -xstartup /usr/bin/xfwm4 -geometry 1920x1080 -localhost no` +3. Start the server `vncserver :1 -xstartup /usr/bin/xfwm4 -geometry 1920x1080 -localhost no` -3. Enter passwords when prompted +4. View the shared screen `vncviewer -passwd ~/.vnc/passwd :1` - 1. You can generate secure enough passwords for this purpose using `openssl rand -base64 16 | tr -d '+/=' | head -c 8;echo` - - 2. Enter one password for read/write (first password and verify prompt) - - 3. (recommended) Enter a different password for the view only password (second password and verify prompt) - -3. View the shared screen `vncviewer -passwd ~/.vnc/passwd :1` - -4. Open applications `DISPLAY=:1 xterm` where xterm can be any binary on your system +5. Open applications `DISPLAY=:1 xterm` where xterm can be any binary on your system ## If You Want To Share an Existing Monitor or Window 
@@ -54,7 +46,7 @@ In the Content Qube: 3. Start the server - 1. If you want to share a window `x11vnc -viewonly -rfbauth ~/.vnc/passwd -rfbport 5901 -clip 1920x1080+0+0 ` + 1. If you want to share a window `x11vnc -viewonly -rfbauth ~/.vnc/passwd -rfbport 5901 -clip 1920x1080+0+0` - Replace `1920x1080+0+0` with the resolution (e.g. `1920x1080`) and offset (e.g. `+0+0`) of the screen area you want to share. The coordinates 0,0 are in the top left, increasing down and to the right.
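Review bot: In PATCH 1/4 (`@@ -0,0 +1,65 @@`), step 2 of "Setup The Shared Screen Server" starts the server with `-localhost no`, which lets it accept non-loopback connections, yet the viewer in "View The Shared Screen" reaches it at `127.0.0.1:5910` through `qvm-connect-tcp`. Either drop `-localhost no` or add a sentence explaining why the tunnelled connection needs a non-loopback listener. Two smaller points in the same hunk: the list under "Setup The Shared Screen Server" has two steps numbered 3, and step 4 of "View The Shared Screen" says to confirm a connection "to the Presentation Qube" although the policy line sets `target=CONTENT-QUBE`, so the text should name the Content Qube.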
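Review bot: In PATCH 2/4 (`@@ -2,11 +2,23 @@`), the `sudo dnf install -y xfwm4 tigervnc-server tigervnc` alternative added to step 1 is not labelled by distribution, and the commit subject marks the change UNTESTED. Label the two commands (Debian template, Fedora template) and confirm the Fedora package names on a Fedora template before this is merged. The new Terminology section also defines `PRESENTATION-QUBE` and `CONTENT-QUBE` while the steps below say "Presentation Qube" and "Content Qube"; pick one spelling and use it throughout.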
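Review bot: In PATCH 2/4 (`@@ -16,27 +28,61 @@`), the two sub-items under "Start the server" have their labels swapped: "share a window" is given `-clip 1920x1080+0+0`, which the bullets describe as a screen area taken from monitor offsets, and "share a monitor" is given `-id pick`, which the bullet describes as picking the next window you click on. Swap the labels. The option is also spelled `-storepassword` here but `-storepasswd` in PATCH 3/4, so one of the two is wrong and should be checked against `x11vnc -help`. In the "Qubes Connect TCP Service" part of the hunk, the policy line now reads ` @default ask,target=` with no source or target qube; restore the `PRESENTATION-QUBE` and `CONTENT-QUBE` placeholders from Terminology. The rule also goes into the general `qubes.ConnectTCP` policy file, so as written it is not limited to the VNC port; scope it to that port if the policy format allows.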
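Review bot: In PATCH 3/4 (`@@ -18,9 +18,17 @@`), the added sub-step 1 calls the output of `openssl rand -base64 16 | tr -d '+/=' | head -c 8;echo` "secure enough" without saying why the password is cut to 8 characters or what it is expected to withstand. Add one sentence giving the reason (classic VNC authentication only uses the first 8 characters of a password) and state that access is gated mainly by the dom0 `ask` prompt, so readers do not reuse the command as a general password generator. The hunk also leaves two steps numbered 2 and keeps the old "3. Enter passwords when prompted" step after the new `vncpasswd` step; PATCH 4/4 fixes this, so the two commits should be squashed.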
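Review bot: In PATCH 3/4 (`@@ -30,41 +38,39 @@`), step 5 of "View The Shared Screen" now says "Enter password for the VNC server you created above" and no longer tells the reader to use the view-only password, although the TigerVNC section still sets a read/write and a view-only password. If the read/write password is entered, the only thing keeping the session read-only is the viewer's own `-ViewOnly` flag. Keep the wording specific, for example "Enter the view-only password (TigerVNC) or the password stored with `x11vnc -storepasswd`". Both sections now also read the same `~/.vnc/passwd` file and use port 5901 (`vncserver :1` and `-rfbport 5901`), so state that only one of the two servers should be set up in a given Content Qube, or give the x11vnc path its own password file and port.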
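Review bot: In PATCH 4/4 (`@@ -28,19 +28,11 @@`), the last context line shows `## If You Want To Share an Existing Monitor or Window` still at heading level 2, while its sibling `### If You Want To Share a New Screen` is level 3 and the parent section tells the reader to "Choose one of these sub-sections". Change it to `###` in this cleanup commit so both options nest under "Setup The Shared Screen Server". The renumbered step 3 also keeps `-localhost no`; if that flag is required, this is the place to document why.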