A graphical user interface (GUI) is a set of programs that allow a user to interact with the computer system via icons, windows, and various other visual elements. While some believe that you should only administer a system via the text-based command line, it is still important to understand the Linux GUI (pronounced “gooey”). You may need to use certain GUI utilities to administer the system and its security.
Different Linux distributions come with various default desktop environments, which you may need to install and manage for users who prefer a graphical-based UI. Administering the underlying software is necessary too. In addition, you need to understand remote desktops and their client/server model. Remote desktop interactions that travel over the network are prone to privacy problems, so it is crucial to secure these GUI transmissions.
Access to the various GUI desktops should provide universal access for all. A GUI desktop environment needs to be configured to work appropriately for any person who has problems with vision, hearing, hand and finger control, and so on. Thus, we are pleased to present a section on accessibility in this chapter.
With some operating systems, your GUI is fairly rigid. You may be able to move or add a few icons, change a background picture, or tweak a few settings. However, with Linux, the GUI choices are almost overwhelming and the flexibility is immense.
On Linux, a GUI is a series of components that work together to provide the graphical setting for the user interface (UI). One of these components is the desktop environment. A desktop environment provides a predetermined look and feel to the GUI. It is typically broken up into the following graphical sections and functions:
Desktop Settings: Desktop settings consist of programs that allow you to make configuration changes to the desktop environment. For example, you may want desktop windows to activate when the cursor hovers over them instead of when you click them.
Display Manager: The desktop environment’s login screen is where you choose a username and enter a password to gain system access. If multiple desktop environments are installed on the system, the display manager allows you to choose between them, prior to logging in. These login screens are often modified by corporations, to contain a legal statement concerning appropriate use of the system and/or a company logo.
File Manager: This program allows you to perform file maintenance activities graphically. Often a folder icon is shown for directories within the manager program. You can perform such tasks as moving a file, viewing directory contents, copying files, and so on.
Icons: An icon is a picture representation of a file or program. It is activated via mouse clicks, finger touches (if the screen is a touch screen), voice commands, and so on.
Favorites Bar: This window area contains popular icons, which are typically used more frequently. These icons can be removed or added as desired. Some desktop environments update the bar automatically as you use the system to reflect your regularly used icons.
Launch: This program (or set of programs) allows you to search for applications and files. It can also allow certain actions, such as start or open, to be performed on the search results.
Menus: These window areas are typically accessed via an icon. They contain lists of files and/or programs as well as sublists of additional file and/or program selections.
Panels: Panels are slim and typically rectangular areas that are located at the very top or bottom of a desktop environment’s main window. They can also be at the desktop’s far left or right. They often contain notifications, system date and/or time, program icons, and so on.
System Tray: A system tray is a special menu, commonly attached to a panel. It provides access to programs that allow a user to log out, lock their screen, manage audio settings, view notifications, shut down or reboot the system, and so on.
Widgets: Widgets are divided into applets, screenlets, desklets, and so on. They are programs that provide information or functionality to the user on the desktop. For example, current sports news may be displayed continually in a screenlet. Another example is a sticky note applet that allows the user to put graphical windows that look like sticky notes on their desktop and add content to them.
Window Manager: These client programs determine how the windows (also called frames) are presented on the desktop. These programs control items such as the size and appearance of the windows. In addition, they manage how additional windows can be placed, such as either next to each other or overlapping.
Many Linux users are very passionate about the desktop environment they use and for good reason. There are several excellent ones from which you can choose. We’ll cover a few of these desktop environments in the following sections and look at universal accessibility to them as well.
The GNOME desktop environment, created around the late 1990s, is very popular and found by default on Linux distributions such as CentOS and Ubuntu. Currently a large volunteer group that belongs to the GNOME Foundation maintains it. For more about the GNOME project, visit www.gnome.org.
GNOME 2 was a more traditional desktop user interface, and when GNOME 3 (now formally called GNOME Shell) was released in 2011, with its nontraditional interface, many users reacted strongly. This spurred a few GNOME project forks. However, over time and with a few changes, GNOME Shell gained ground. For those who still prefer the traditional GNOME 2 environment, the GNOME Classic desktop is available.
Figure 8.1 shows a GNOME Shell desktop environment on an Ubuntu distribution.
In Figure 8.1, notice the panel at the frame’s top, containing a clock and a system tray on the far right. The Activities button on the panel’s far left allows you to switch between windows and provides the Search bar. The favorites bar on the UI frame’s left side shows various application icons as well as a multi-dot icon, which is the Apps button. The Apps button displays various application icons that allow you to quickly access a desired program.
Keep in mind that a default desktop environment may be modified slightly for each Linux distribution. For example, GNOME Shell on CentOS does not have a favorites bar displaying unless you click Activities in the panel, whereas GNOME Shell on Ubuntu automatically displays the favorites bar.
The best way to understand a graphical interface is to try a desktop environment for yourself. However, to help you with memorizing the assorted components that make up these different desktops, we are providing tables. Some of the GNOME Shell’s various components are briefly described in Table 8.1.
Table 8.1 GNOME shell desktop environment default components
Name | Program Name and/or Description |
Display manager | GNOME Display Manager (GDM). |
File manager | GNOME Files (sometimes just called Files). Formerly called Nautilus. |
Favorites bar | GNOME Shell Dash (sometimes called the Dock). |
Panels | A single panel located at GNOME Shell frame’s top. |
System tray | Located on the right side of the single panel. |
Window manager | Mutter. |
An interesting feature of GNOME Shell is that the panel, which contains the system tray, is available on the Display Manager as well as within the GNOME Shell.
The Kool Desktop Environment (KDE) got its start in 1996, with its first version released in 1998. Through time the name KDE was no longer just referring to a desktop environment, but instead it specified the project’s organization and the strong community that supported it. KDE had many additional software projects besides its famous desktop environment. Thus in 2009, KDE’s desktop environment was rebranded as KDE Plasma. For more about the KDE group, visit www.kde.org.
Figure 8.2 shows a KDE Plasma desktop environment on an openSUSE Leap distribution.
In Figure 8.2, the panel is located at the primary UI frame’s bottom. This is a more traditional panel location used on older systems and one of the reasons KDE Plasma is known for being a good desktop environment for those who are new to Linux. On this panel, the system tray, which contains notifications, the time, and various other plasmoids (widgets), is located on the panel’s right side. The Application Menu, a launcher for various programs as well as containing the favorites bar, is on the panel’s far left side. Table 8.2 briefly describes some of the KDE Plasma components.
Table 8.2 KDE Plasma desktop environment default components
Name | Program Name and/or Description |
Display manager | SDDM (Simple Desktop Display Manager) |
File manager | Dolphin |
Favorites bar | Displayed inside Application Menu |
Panels | A single panel located at the Plasma frame’s bottom |
System tray | Located on the right side of the single panel |
Widgets | Called Plasmoids |
Window manager | Kwin |
To help those users familiar with accessing files via folder icons, KDE Plasma offers a folder view. Folders appear in the default UI on the openSUSE Leap distribution in Figure 8.2. These icons on the primary desktop window allow you to launch the Dolphin file manager and jump straight to the directory named on the folder icon.
Many desktop environments have multiple UIs called workspaces available for each user. Workspaces are individual desktops. For example, you can have two GUI apps open on one workspace and just a terminal emulator open on the other workspace. Switching between the workspaces can be done via mouse clicks or keystroke combinations, such as Ctrl+Alt+up arrow or down arrow on Fedora 28’s Wayland desktop environment. Using multiple workspaces can be very handy, especially if you need to quickly look productive at work when your boss walks by.
The Cinnamon desktop environment got its start in 2011, when many users reacted strongly to the release of GNOME 3 (now GNOME Shell). Developers of the Linux Mint distribution began creating Cinnamon as a fork of GNOME 3. It was officially “GNOME-free” as of late 2013. Cinnamon is still managed by the Mint development team, and you can find out more at their website, www.linuxmint.com.
Cinnamon, like KDE Plasma, is known for being a good UI for those who are new to Linux. Figure 8.3 shows a Cinnamon desktop environment on a Fedora Workstation distribution.
Notice the primary UI frame’s bottom panel on the right side. It has the system tray containing audio controls, the time, and various other widgets. The Menu, a launcher for various programs as well as containing the favorites bar, is on the panel’s far left. Note that the Cinnamon panel also contains icons for quick launching.
If you want to install a Cinnamon desktop environment on one of the distributions you installed in Chapter 1, we recommend you try it on Fedora 28 Workstation. Use an account that has super user privileges. This is typically the account you set up during the system installation. Access a terminal and enter the command sudo dnf groupinstall -y "Cinnamon Desktop" at the command line. Be sure to include the command’s quotation marks. When the installation is complete, reboot your system. You can access the Cinnamon desktop environment via a menu provided by the system’s display manager’s gear icon.
The Cinnamon desktop environment layout should be somewhat familiar because it is similar to the KDE Plasma default layout. They both have folder icons on the main UI windows. Table 8.3 briefly describes some of the Cinnamon components.
Table 8.3 Cinnamon desktop environment default components
Name | Program Name and/or Description |
Display manager | LightDM |
File manager | Nemo (a fork of Nautilus) |
Favorites bar | Displayed inside Application Menu |
Panels | A single panel (called the Cinnamon panel) located at the Cinnamon frame’s bottom |
System tray | Located on the right side of the single panel |
Widgets | Cinnamon Spices |
Window manager | Muffin (a fork of GNOME Shell’s Mutter) |
The Cinnamon Spices go beyond just applets and desklets for modifying your desktop environment. They also include themes and extensions that you can download and install to make your Cinnamon UI experience truly unique. The official Cinnamon Spices repository is at https://cinnamon-spices.linuxmint.com/.
The MATE desktop environment also got its start in 2011, when GNOME 3 (now called GNOME Shell) was released. It was started by an Arch Linux distribution user in Argentina. Pronounced “ma-tay,” this desktop environment was officially released only two months after it was announced and was derived from GNOME 2. The desktop environment is available on a wide variety of Linux distributions, such as Arch Linux, Debian, Fedora, Ubuntu, Linux Mint, and so on.
MATE is named after a tea made from a plant’s dried leaves. The plant (Ilex paraguariensis) is native to South America. Mate tea is the national drink of Argentina. It is purported to have the health benefits of tea as well as provide mental alertness similar to the benefit of drinking coffee.
If you’ve ever used the old GNOME 2 desktop environment, MATE will feel familiar. Figure 8.4 shows a MATE desktop environment on an Ubuntu Desktop distribution.
There are two panels in the MATE desktop environment: one is at the primary UI frame’s top, while the other is at its bottom. The system tray, which contains audio controls, the time, and various other widgets, is located on the top panel’s right side. The Applications, a menu-driven launcher for various programs, is on the top panel’s far-left side. Note that this top panel also contains icons for quick launching.
If you want to install a MATE desktop environment on one of the distributions you installed in Chapter 1, we recommend you try it on Ubuntu Desktop 18.04. Use an account that has super user privileges. This is typically the account you set up during the system installation. Access a terminal and enter the command sudo apt-get update at the command line to update your system’s repositories. When you get a prompt back, install the tasksel program. The tasksel program is a graphical utility that installs multiple related packages as a harmonized process. In other words, it makes installing certain packages with lots of dependencies easier. To install it, type sudo apt-get install tasksel at the command line. Now you can install the MATE desktop environment by entering sudo tasksel install ubuntu-mate-desktop. When the installation is complete, reboot your system. You can access the MATE desktop environment via a menu provided by the system’s display manager’s gear icon.
On the bottom panel of the MATE desktop environment, in the lower-left corner, is the Show Desktop Button icon. This is handy if you have several windows open in the main UI frame. Just click the Show Desktop Button, and all the windows currently open will be hidden to the lower panel. You can restore all the windows on the lower panel by clicking Show Desktop Button again. Table 8.4 briefly describes some of the MATE components.
Table 8.4 MATE desktop environment default components
Name | Program Name and/or Description |
Display manager | LightDM. |
File manager | Caja (a fork of Nautilus). |
Favorites bar | A Favorites menu is used instead and is accessed via the Applications menu-driven launcher. |
Panels | One panel located at the MATE frame’s bottom and the other panel occupies the top of the MATE UI. |
System tray | Located on the right side of the top panel. |
Window manager | Marco (a fork of Metacity). |
You can add additional widgets to your MATE UI’s top panel. Just right-click the panel, and from the drop-down menu, select Add To Panel. This will open a window of applets you can install.
The Unity desktop environment got its name from the project’s goal, which was to provide a single UI experience for workstations, tablets, and mobile devices. The project was started by Canonical in 2010 and was the default desktop environment on Ubuntu distributions until 18.04 LTS. However, Unity is no longer being developed. It was announced in 2017 by Canonical that work would stop on the Unity desktop environment.
Even though Unity will eventually fade from our memory, you may still have some older Ubuntu systems supporting this desktop environment. Thus, it’s a good idea to be familiar with its configuration. Figure 8.5 shows Unity on an Ubuntu 14.04 LTS system.
There is a single panel in the Unity desktop environment, and it is at the primary UI frame’s top. The system tray is located on the right side of this panel. On the left side is a menu bar.
The favorites bar, called the Launcher, is located in a frame on the UI’s left side. At the Launcher’s top is a button called Dash. Clicking the Dash button displays all of your recently used files and applications. You can filter this display by clicking one of the window’s bottom buttons. These buttons are called lenses. At the top of the Dash display window is a search bar, which is similar to the search bar feature in GNOME Shell. Table 8.5 shows the basic components in a Unity UI.
Table 8.5 Unity desktop environment default components
Name | Program Name and/or Description |
Display manager | LightDM |
File manager | Nautilus |
Favorites bar | Displayed inside the Launcher |
Panels | A single panel located at the Unity frame’s top |
System tray | Located on the right side of the top panel |
Window manager | Metacity |
Another sometimes confusing feature of the Unity desktop environment occurs when you open an application. You’ll see the common three buttons for application management: close, minimize, and restore. However, additional application menu features are available on the Unity UI’s top panel. To see them, you must hover your mouse over the top panel. In addition, if you restore an application that is already open, the application management buttons will move to the top panel.
In a GUI environment, accessibility deals with a user’s ability to use the desktop environment. While the default desktop environment provided by a Linux distribution works for many people, accessibility settings accommodate all potential users. This includes individuals who may have vision impairment, challenges using the mouse, finger movement issues, and so on. It’s important to know the desktop environment configurations concerning these accommodations so that you can help to provide access for all.
Each desktop environment will provide slightly different methods for configuring accessibility. But most settings can be accomplished through desktop environment control panels, such as the Universal Access panel in GNOME Shell settings.
Even though most desktop environments provide accessibility control panels of different names, you can usually find the panels using the environment’s search facilities. Good search terms include “universal access,” “accessibility,” and “assistive technologies.”
Figure 8.6 shows the Universal Access menu opened from the UI top panel. You can find more accessibility settings in the access control panel by searching for “universal access” in the GNOME Shell’s search feature.
For users with serious visual impairments or just poor eyesight, several accessibility settings may help. Table 8.6 describes the more common visual impairment settings.
Table 8.6 Common visual impairment accessibility settings
Name | Description |
Cursor Blinking | Modifies the cursor blink rate to make it easier to locate the cursor on the screen. |
Cursor Size | Modifies the cursor size. |
High Contrast | Increases the brightness of windows and buttons and darkens window edges as well as text and the cursor. |
Large Text | Modifies the font size. |
Screen Reader | Uses a screen reader to read the UI aloud. Popular choices include Orca screen reader and Emacspeak. |
Sound Keys | Beeps when Caps Lock or Num Lock is turned on (off). Also called toggle keys. |
Zoom | Amplifies the screen or a screen portion to different magnification levels. |
If a blind user has access to a braille display, you can install the brltty package, which is available in most Linux distributions’ repositories. BRLTTY operates as a Linux daemon and provides console (text mode) access via a braille display. You can find out more about this software at its official headquarters, http://mielke.cc/brltty/. Be aware that you can also use the Orca screen reader with a refreshable braille display.
If you are not able to hear sound alerts on your Linux system, you can enable visual alerts. Thus, if something occurs that normally produces a sound, a visual flash is performed instead. You can set the visual alert to flash a single window or flash the entire display.
For users with hand and/or finger impairments, several accessibility settings allow full functional system use. The more common settings are listed in Table 8.7.
Table 8.7 Common hand and finger impairment accessibility settings
Name | Description |
Bounce Keys | Keyboard option that helps compensate for single keys accidentally pressed multiple times. |
Double-Click Delay | Mouse option that modifies the amount of time allowed between double mouse clicks. |
Gestures | Mouse option that activates programs and/or options via combining both mouse clicks and keyboard presses. |
Hover Click | Mouse option that triggers a mouse click when the pointer is hovered over an item. |
Mouse Keys | Mouse option that allows you to use keyboard keys to emulate the mouse functions. |
Repeat Keys | Keyboard option that modifies how long a key must be pressed down as well as a delay to acknowledge the key repeat. Also called keyboard repeat rate. |
Screen Keyboard | Keyboard option that displays a visual keyboard on the UI that can be manipulated by a mouse or other pointing device to emulate key strokes. |
Simulated Secondary Click | Mouse option that sets a primary key to be pressed along with a mouse click to emulate secondary mouse clicks. |
Slow Keys | Keyboard option that modifies how long a key must be pressed down to acknowledge the key. |
Sticky Keys | Keyboard option that sets keyboard modifier keys, such as Ctrl and Shift, to maintain their pressed status until a subsequent key is pressed. |
AccessX was a program that provided many of the options in Table 8.7. Thus, you will often see it referred to in the accessibility control panels, such as in the Typing Assist (AccessX) option. One interesting AccessX setting is Enable By Keyboard, which allows you to turn on or off accessibility settings via keystrokes on the keyboard.
Many players are involved in providing a Linux system user interface. The desktop environment components are only a piece of this puzzle. Figure 8.7 is a rudimentary depiction of serving a GUI to a user.
In Figure 8.7, notice that the window manager is a middleman in this scenario. A window manager is a program that communicates with the display server (sometimes called a windows manager) on behalf of the UI. Each particular desktop environment has its own default window manager, such as Mutter, Kwin, Muffin, Marco, and Metacity.
In the following sections, we will focus on the display server, a program(s) that uses a communication protocol to transmit the desires of the UI to the operating system, and vice versa. The communication protocol is called the display server protocol and can operate over a network.
Another member in the display server team is the compositor. A compositor program arranges various display elements within a window to create a screen image to be passed back to the client.
Before computers printed documents, compositors were people. Physical frames (called chases) held wooden blocks with letters or images carved on them. A compositor arranged the wooden blocks into the frames to make words and/or images. The compositor handed the frames to the printer, who was also a person. The printer inked the blocks and then pressed the frames onto paper, which resulted in a printed document. A compositor program operates in a similar manner, except it uses multiple elements composed into a single screen image and handed off to the client.
Wayland is a replacement for the X11 display server (described later). It is designed to be simpler, more secure, and easier to develop and maintain. Wayland specifically defines the communication protocol between a display server and its various clients. However, Wayland is also an umbrella term that covers the compositor, the windows server, and the display server.
The Wayland protocol was initially released back in 2009, and it is now used by many current Linux desktop environments, such as GNOME Shell and KDE Plasma. If you really want to dig down into Wayland, visit its website at https://wayland.freedesktop.org/.
You can quickly determine what display server your desktop uses, X11 or Wayland, with the following steps:
1. Type echo $WAYLAND_DISPLAY at the command line and press the Enter key. If you get no response and just a command line prompt back, most likely your system is using X11. If you receive a response, then your desktop environment is probably using Wayland. An additional test will help you confirm what is in use.
2. Type loginctl and press Enter. Note the session number.
3. Type loginctl show-session session-number -p Type at the command line, where session-number is the number you obtained in the previous step. If you receive Type=Wayland, then your desktop environment is using Wayland. If instead you receive Type=X11, then your system is using the X11 display server.
The Wayland compositor is Weston, which provides a rather basic desktop experience. It was created as a Wayland compositor reference implementation, which is a compositor requirements example for developers who want to create their own Wayland compositor. Thus, Weston’s core focus is correctness and reliability.
Wayland’s compositor is swappable. In other words, you can use a different compositor if you need a more full-featured desktop experience. Several compositors are available for use with Wayland, including Arcan, Sway, Lipstick, and Clayland. However, you may not need to go out and get a Wayland compositor. Many desktop environments create their own Wayland compositors, which is typically embedded within their window manager. For example, Kwin and Mutter both fully handle Wayland compositor tasks.
If you have any legacy X11 applications that will not support Wayland, do not despair. The XWayland software is available in the Weston package. XWayland allows X-dependent applications to run on the X server and display via a Wayland session.
If your UI is using Wayland but you are having GUI issues, you can try a few troubleshooting techniques. The following list steps through some basic approaches.
Try the GUI without Wayland. If your Linux distribution has multiple flavors of the desktop environment (with Wayland or with X11), log out of your GUI session and pick the desktop environment without Wayland. If your UI problems are resolved, then you know it has most likely something to do with Wayland.
If you do not have multiple flavors of the desktop environment and you are using the GNOME Shell user interface, turn off Wayland. Do this by using super user privileges and editing the /etc/gdm3/custom.conf file. Remove the # from the #WaylandEnable=false line and save the file. Reboot the system and log in to a GUI session and see if the problems are gone.
Check your system’s graphics card. If your system seems to be running fine under X11 but gets problematic when under Wayland, check your graphics card. Go to the graphics card vendor’s website and see if its drivers support Wayland. Many do, but there are a few famous holdouts that shall go unnamed.
Use a different compositor. If you are using a desktop environment’s built-in compositor or one of the other compositors, try installing and using the Weston compositor package instead. Remember that Weston was built for reliability. If Weston is not in your distribution’s software repository, you can get it from https://github.com/wayland-project/Weston. This site also contains helpful documentation. If using Weston solves your GUI problem, then you have narrowed down the culprit.
Be aware that some desktop environment commands won’t work when you have a Wayland session. For example, if you are using GNOME Shell, the gnome-shell --replace command will do nothing but generate the message Window manager warning: Unsupported session type.
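The session-type steps and the /etc/gdm3/custom.conf setting described above can be checked from a script, which is useful when auditing which hosts still run X11 sessions. The following shell functions are an added example, not part of the original text; the function names are illustrative, and the fallback to $WAYLAND_DISPLAY and $DISPLAY is used only when loginctl reports nothing.

```shell
#!/bin/sh
# Added example: report the display server of a session and the GDM Wayland setting.

# classify_session TYPE_LINE WAYLAND_DISPLAY DISPLAY
#   TYPE_LINE        output of: loginctl show-session <id> -p Type
#   WAYLAND_DISPLAY  value of $WAYLAND_DISPLAY in that session (may be empty)
#   DISPLAY          value of $DISPLAY in that session (may be empty)
classify_session() (
    # Compare case-insensitively so "Type=Wayland" and "Type=wayland" both match.
    value=$(printf '%s' "${1#Type=}" | tr '[:upper:]' '[:lower:]')
    case "$value" in
        wayland|x11)
            echo "$value" ;;
        "")
            # loginctl gave no answer: fall back to the environment hints.
            # With neither variable set (for example over SSH) nothing can be inferred.
            if [ -n "$2" ]; then
                echo "wayland (probable)"
            elif [ -n "$3" ]; then
                echo "x11 (probable)"
            else
                echo "unknown"
            fi ;;
        *)
            # Text consoles and other session types are not graphical sessions.
            echo "non-graphical ($value)" ;;
    esac
)

# gdm_wayland_state FILE
#   Prints "disabled" when FILE contains an active (uncommented)
#   WaylandEnable=false line, "default" otherwise.
gdm_wayland_state() (
    pattern='^[[:space:]]*WaylandEnable[[:space:]]*=[[:space:]]*false[[:space:]]*$'
    if [ -r "$1" ] && grep -Eq "$pattern" "$1"; then
        echo disabled
    else
        echo default
    fi
)

# Live report for the current login session. Degrades to the fallback
# path when loginctl or XDG_SESSION_ID is not available.
report_live_session() {
    sid=${XDG_SESSION_ID:-}
    line=""
    if [ -n "$sid" ] && command -v loginctl >/dev/null 2>&1; then
        line=$(loginctl show-session "$sid" -p Type 2>/dev/null || true)
    fi
    echo "session type: $(classify_session "$line" "${WAYLAND_DISPLAY:-}" "${DISPLAY:-}")"
    echo "GDM Wayland:  $(gdm_wayland_state /etc/gdm3/custom.conf)"
}

report_live_session
```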
The X Window System (X for short) has been around since the 1980s, so it has endured the test of time. On Linux, the dominant server implementing X was XFree86 until 2004, when a licensing change occurred. This change caused many Linux distributions to switch to the X.Org foundation’s implementation of X.
The X.Org’s server implements the X Window System version 11. Thus, you will see a wide variety of names concerning the Linux X display server, such as X.org-X11, X, X11, X.Org Server, and so on. We’ll use either X or X11 in this chapter.
Currently X11 is being rapidly replaced by Wayland. Not only does Wayland provide better security, but it is far easier to maintain. There are many old and obscure options in the older X11 configuration. However, you still may have distributions using X11, so it is important to understand its basics.
If for some reason your X11 session becomes hung, you can quickly kill it off, go back to the display manager screen, and log back on to the system. Just press the Ctrl+Alt+Backspace key combination. The X11 session will stop and then restart for you, providing the display manager screen so you can log in.
The X11 primary configuration file is /etc/X11/xorg.conf, though it sometimes is stored in the /etc/ directory. Typically this file is no longer used. Instead, X11 creates a session configuration on the fly using runtime auto-detection of the hardware involved with each GUI’s session.
However, in some cases, auto-detect might not work properly and you need to make X11 configuration changes. In those cases, you can create the configuration file. To do this, shut down the X server, open a terminal emulator, and using super user privileges, generate the file via the Xorg -configure command. The file, named xorg.conf.new, will be in your local directory. Make any necessary tweaks, rename the file, move the file to its proper location, and restart the X server.
The xorg.conf file has several sections. Each section contains important configuration information as follows:
Keep in mind that many desktop environments also provide dialog boxes in their UI, which allow you to configure your GUI X sessions. Most likely you will have little to no need to ever create or tweak the X11 configuration file. However, if you really want to dig into the X11 configuration file’s details, view its man page via the man 5 xorg.conf command.
While most desktop environments use their own display manager, the X display manager is a basic one available for use. It employs the X Display Manager Control Protocol (XDMCP). The main configuration file is /etc/X11/xdm/xdm-config.
If you need to troubleshoot X problems, two utilities can help. They are xdpyinfo and xwininfo. The xdpyinfo command provides information about the X server, including the different screen types available, the default communication parameter values, protocol extension information, and so on.
The xwininfo utility is focused on providing window information. If no options are given, an interactive utility asks you to click the window for which you desire statistics. The displayed stats include location information, the window’s dimensions (width and height), color map ID, and so on.
Be aware that the xwininfo command will hang if you are running a Wayland session instead of an X session. Press Ctrl+C to exit out of the hung command.
Although Wayland is replacing X as the default display server on many Linux systems, the X server will be around for a while. Thus, understanding them both is invaluable not only for certification purposes but to work effectively as well.
Sitting down at a monitor directly attached to your Linux server is a rarity nowadays. Most servers are either rack-mounted systems in condition-controlled environments or virtual machines running on those rack-mounted systems. To access these servers, a user from a desktop in another room typically employs the text-based OpenSSH utility. However, there are times you need a fully functional desktop environment.
Remote desktop software uses a client/server model. The server runs on the remote Linux system, while the client runs on the local system. For example, say you need to access a Linux virtual machine located on a server somewhere else in the office building. You could use your laptop, which is running the remote desktop client software, to log into the Linux virtual machine, which is running the remote desktop server software, and get a full-fledged desktop experience over the network.
In the following sections, we’ll take a look at some of the more common remote desktop implementations for Linux. They include VNC, Xrdp, NX, and SPICE.
Virtual Network Computing (VNC®) was developed by the Olivetti & Oracle Research Lab. It is multiplatform and employs the Remote Frame Buffer (RFB) protocol. This protocol allows a user on the client side to send GUI commands, such as mouse clicks, to the server. The server sends desktop frames back to the client’s monitor. RealVNC Ltd, which consists of the original VNC project team developers, now trademarks VNC.
If you are using KVM virtual machines (covered in Chapters 28 and 29), then typically, by default, you access their desktop environment via VNC®. However, there are other options available, such as SPICE, which is covered later in this chapter.
The VNC server offers a GUI service at TCP port 5900 + n, where n equals the display number, usually 1 (port 5901). On the command line, you point the VNC client (called a viewer) to the VNC server’s hostname and TCP port. Alternatively, you can use the display number instead of the whole TCP port number. The client user is required to enter a predetermined password, which is for the VNC server, not Linux system authentication. Once the client user has authenticated with VNC, the user is served up the desktop environment’s display manager output so system authentication can take place.
The VNC server is flexible in that you can also use a Java-enabled web browser to access it. It provides that service at TCP port 5800 + n. HTML5 client web browsers are supported as well.
Two types of desktop UIs are available for VNC® clients, persistent and static. Persistent desktops are UIs that do not change when presented. This is similar to a local desktop experience: The user has certain windows open; the user locks the screen and engages in an activity away from the local system; the user comes back and unlocks the screen; and the user finds the GUI in the exact same state it was left in. Persistent desktops are available only via web browser access. Static desktops do not provide a saved-state GUI.
The following are positive benefits when using VNC:
ssh or a client viewer command-line option to encrypt traffic.
The following are potential difficulties or concerns with VNC:
Besides VNC, there are alternatives that implement the VNC technology. A popular implementation of VNC for Linux is TigerVNC. The TigerVNC website is at https://tigervnc.org/. It also works on Windows, so you can connect to either a remote Linux or remote Windows system. For installing the server on a Linux system, use the tigervnc-server package name. You’ll need to perform some setup to prepare for clients and configure the server to provide the proper client requirements. There are several excellent tutorials on the Web. If you want to install the VNC client, just use the tigervnc package name.
When accessing a remote desktop via commands at the command line, be sure to use a terminal emulator in the GUI environment. If you attempt to use a text-mode terminal outside the GUI to issue these commands, you will not be successful.
Once you have the TigerVNC server installed, you control it with the vncserver and vncconfig commands. After making the appropriate server firewall modifications, the client can use the vncviewer command to connect to the server system and get a remote desktop. For example, a server (example.com) has been configured properly to serve a remote desktop to you at display number 1. You would access the desktop from another system via the vncviewer example.com:1 command. Figure 8.8 shows a TigerVNC connection from a Fedora system into a CentOS server, which is providing the user a GNOME Shell desktop environment.
When configuring your VNC server, be sure to employ OpenSSH port forwarding for the VNC server ports (covered later in this chapter). Also configure your firewalls to allow traffic through port 22 (or whatever port number you are using for SSH traffic).
Xrdp is an alternative to VNC®. It supports the Remote Desktop Protocol (RDP). It uses X11rdp or Xvnc to manage the GUI session.
Xrdp provides only the server side of an RDP connection. It allows access from several RDP client implementations, such as rdesktop, FreeRDP, and Microsoft Remote Desktop Connection.
Xrdp comes systemd ready, so you can simply install, enable, and start the server using the systemctl commands. The package name on Linux is xrdp. Note that it may not be in your Linux distribution’s standard repositories.
After installing and starting the Xrdp server, adjust the firewall so that traffic can access the standard RDP port (TCP 3389). Now direct your RDP client choice to the server via its hostname or IP address and, if necessary, provide the client with the RDP port number.
Depending on your RDP client, you may be presented with a screen that denotes that the server is not trusted. If this is the server you just set up, you are fine to continue on. You will need to enter the Linux system’s user authentication information, but the login screen depends on the Xrdp client software you are using. An example of Xrdp in action is shown in Figure 8.9.
Figure 8.9 shows a connection from a Windows 10 system to a CentOS 7 Linux server, which is running the Xrdp server. Notice the output from the commands run in the terminal emulator. You can see that an X11 session is being deployed.
The following are positive benefits of using Xrdp:
You can determine the various Xrdp configuration settings in the /etc/xrdp/xrdp.ini file. An important setting in this file is the security_layer directive. If set to negotiate, the default, the Xrdp server will negotiate with the client for the security method to use. There are three methods available:
tls provides SSL (TLS 1.0) encryption for server authentication and data transfer. Be aware that this falls short of the encryption level needed for compliance with the Payment Card Industry (PCI) standards.
negotiate sets the security method to be the highest the client can use. This is problematic if the connection is over a public network and the client must use the Standard RDP Security method.
rdp sets the security method to standard RDP Security. This method is not safe from man-in-the-middle attacks.
Xrdp is fairly simple to use. Also, because so many Windows-oriented users are already familiar with Remote Desktop Connection, it typically does not take long to employ it in the office environment.
The NX protocol, sometimes called NX technology, was created by NoMachine at www.nomachine.com around 2001. NX is another remote desktop sharing protocol. Its v3.5 core technology was open source and available under the GNU GPL2 license. Yet, when version 4 was released, NX became proprietary and closed source.
However, several open-source variations are available based upon the NX3 technology, including FreeNX and X2Go. Both are available on various Linux distributions but not necessarily in their default software repositories.
The following are positive benefits of using NX products:
NX technology compresses the X11 data so that there is less data to send over the network, which improves response times. It also heavily employs caching data to provide an improved remote desktop experience.
Another interesting remote connection protocol is Simple Protocol for Independent Computing Environments (SPICE). Originally it was a closed-source product developed by Qumranet in 2007. However, Red Hat purchased Qumranet in 2008 and made SPICE open source. Its website is at www.spice-space.org.
SPICE (sometimes written as Spice) was developed to provide a good remote desktop product that would allow connections to your various virtual machines. Now, typically Spice is used primarily for providing connections with KVM virtual machines, moving into VNC’s territory.
Both VNC® and Spice provide remote desktop connections to KVM virtual machines. Virtual machines are covered in more detail in Chapters 28 and 29.
Spice is platform independent and has some nice additional features as well:
While Spice has a single server implementation, it has several client implementations. These include remote-viewer and GNOME Boxes.
Another benefit of employing Spice is its strong security features. Transmitted data can either be sent plain text or have its traffic encrypted using TLS. Authentication between the Spice client and remote Spice server is implemented using Simple Authentication and Security Layer (SASL). This framework allows various authentication methods, as long as they are supported by SASL. Kerberos is a supported method.
If you are still dealing with X11, you can use Xspice. X.Org-created Xspice acts as a stand-alone Spice server as well as an X server.
Providing data access to only those who are authorized is imperative. Whether it’s sending plaintext data or remote desktop GUI client/server interaction information, both need to be secured across the network.
One way to provide security is via SSH port forwarding, sometimes called SSH tunneling. SSH port forwarding allows you to redirect a connection from one particular network port to port 22, where the SSH service is waiting to receive it. This allows data traffic to move back and forth through a secure encrypted tunnel, similar to a virtual private network (VPN).
To use SSH port forwarding, you must have the OpenSSH service installed and enabled on your Linux system. Fortunately, most distributions come with this service already available. You can check to see if it is running using the systemctl command, covered in Chapter 6. In Listing 8.1, a check of the OpenSSH service on a CentOS 7 system is conducted. It shows that OpenSSH is active (running) as well as enabled (will start at boot time).
Listing 8.1: Checking the OpenSSH service status
$ systemctl is-active sshd
active
$ systemctl is-enabled sshd
enabled
$
If your system does not have the OpenSSH server, you can typically install both the server and client via the openssh package. Installing and managing Linux packages are covered in detail within Chapter 13.
Another item to check before attempting SSH port forwarding is the OpenSSH configuration file, /etc/ssh/sshd_config. The directive AllowTcpForwarding should be set to yes. If the directive is set to no, you must modify it to employ SSH port forwarding. In Listing 8.2, a check is performed on the configuration file for this directive on an openSUSE distribution.
Listing 8.2: Checking the AllowTcpForwarding directive
$ sudo grep "AllowTcpForwarding yes" /etc/ssh/sshd_config
#AllowTcpForwarding yes
$
Notice in Listing 8.2 that the directive is commented out via a pound sign (#). This is not a problem because, by default, AllowTcpForwarding is set to yes.
SSH port forwarding comes in the following three flavors:
Each of these varieties allows you to perform various types of tunneled traffic. However, since we are focusing on the GUI environment, we’ll only cover local and remote SSH port forwarding for remote desktops.
Local port forwarding sends traffic from the OpenSSH client on your system to the client’s OpenSSH server. The client’s OpenSSH server then forwards that traffic onto the destination server via a secured tunnel. In other words, the outbound traffic is rerouted to a different outbound port and tunneled via OpenSSH prior to leaving the client system.
To enact this on the command line, the -L option of the ssh command is used along with some additional arguments. Concerning remote desktops, the command has the following syntax:
ssh -L local-port:127.0.0.1:remote-port -Nf user@destination-host
In the command’s syntax are the following arguments:
destination-host is the computer you are logging into in order to use the desktop environment residing there.
user is the desktop host username you wish to use to authenticate so that the secure tunnel can be established.
local-port is the application’s port number you are employing on the client side.
remote-port is the port where the application is listening on the destination host.
127.0.0.1 designates that you are using a local SSH port forwarding method.
Keep in mind that this command only establishes the tunnel. It does not provide a remote desktop connection. Therefore, there are two additional important command options: the -N option lets OpenSSH know that no remote terminal process is desired, while the -f option indicates that after the user is authenticated to the server, the ssh command should move into the background. These two options allow the user to issue additional commands, such as a remote desktop command, after the secured tunnel is established.
A practical example can be described using VNC®. Recall that VNC uses the port 5900 + n, where n equals the display number. Thus, if on the remote system, your desktop is available at display 2, you can issue the following command to use SSH port forwarding and forward your local VNC port 5901 to the remote host’s port 5902:
ssh -L 5901:127.0.0.1:5902 -Nf D[email protected]
Once the tunnel is established, you can use the VNC remote desktop commands to access and view your desktop environment on the remote host. Keep in mind that you will need to perform some firewall configurations to allow access to the remote host.
Fortunately TigerVNC provides a much simpler method for local SSH port forwarding. Just employ the -via localhost option on the vncviewer command, as shown in Figure 8.10.
The -via localhost option used in conjunction with the vncviewer command forces the connection to use local SSH port forwarding. The last command argument is the destination host’s IPv4 address (you could also use a hostname), followed by a colon and the remote desktop’s display number (1). This is far easier to use and certainly requires fewer commands and options.
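With clients coming in through the SSH tunnel, nothing needs to reach the VNC ports directly, so a listener on 5900 + n or 5800 + n bound to a non-loopback address is traffic that can bypass the tunnel. The following added example (not from the book) reads ss -Htln output on the VNC server and marks such listeners; the sample lines are constructed, the function names are hypothetical, and limiting n to 0 through 99 is an assumption.

```shell
#!/bin/sh
# Added example (not from the book): flag VNC listeners that can be reached
# without going through the SSH tunnel.

# Constructed sample of `ss -Htln` output (-H no header, -t TCP, -l listening,
# -n numeric). Not captured from a real host.
sample_ss_output() {
cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 0.0.0.0:5901 0.0.0.0:*
LISTEN 0 5 127.0.0.1:5902 0.0.0.0:*
LISTEN 0 5 [::]:5801 [::]:*
LISTEN 0 5 [::1]:5903 [::]:*
LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
EOF
}

# Reads `ss -Htln` lines on stdin and prints one line per VNC listener:
#   EXPOSED|LOOPBACK <address> <port> <service> display=<n>
# Exit status is 1 if any listener is EXPOSED, 0 otherwise.
audit_vnc_listeners() {
    awk '
    $1 == "LISTEN" {
        port = $4; sub(/^.*:/, "", port)        # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)     # text before the last colon
        i = index(addr, "%")                    # interface scope such as %lo
        if (i) {
            tail = (addr ~ /\]$/) ? "]" : ""
            addr = substr(addr, 1, i - 1) tail
        }
        if (port !~ /^[0-9]+$/) next
        port += 0
        # 5900 + n is the viewer port, 5800 + n the web browser port.
        # Limiting n to 0..99 is an assumption of this example.
        if (port >= 5900 && port <= 5999)      { svc = "vnc";     n = port - 5900 }
        else if (port >= 5800 && port <= 5899) { svc = "vnc-web"; n = port - 5800 }
        else next
        loop = (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./)
        if (!loop) exposed = 1
        state = loop ? "LOOPBACK" : "EXPOSED"
        printf "%s %s %d %s display=%d\n", state, addr, port, svc, n
    }
    END { exit exposed + 0 }
    '
}

# Demo on the constructed sample. On a real server: ss -Htln | audit_vnc_listeners
sample_ss_output | audit_vnc_listeners ||
    echo "at least one VNC listener is reachable without the SSH tunnel"
```

An EXPOSED line means either the VNC server's bind address or the host firewall still has to be tightened before the tunnel is the only way in.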
The remote SSH port forwarding method starts at the destination host (server), as opposed to the remote client. Therefore, on the destination host, you create the remote desktop secure tunnel via the following command syntax:
ssh -R local-port:127.0.0.1:remote-port -Nf user@client-host
There are some important differences in this command from the local method:
The -R option is used instead of the -L option.
client-host is the remote client’s IP address or hostname (where you will issue the remote desktop commands).
local-port is the port number you use on the client-host with the vncviewer command.
remote-port is on the remote desktop server.
Another method that provides remote GUI interactions within a secure tunnel is X11 forwarding. X11 forwarding allows you to interact with various X11-based graphical utilities on a remote system through an encrypted network connection. This method is also enacted using the OpenSSH service.
First you need to check and see if X11 forwarding is permitted. This setting is in the OpenSSH configuration file, /etc/ssh/sshd_config. The directive X11Forwarding should be set to yes in the remote system’s configuration file. If the directive is set to no, then you must modify it to employ X11 forwarding. In Listing 8.3, a check is performed on the configuration file for this directive on a CentOS distribution.
Listing 8.3: Checking the X11Forwarding directive
# grep "X11Forwarding yes" /etc/ssh/sshd_config
X11Forwarding yes
#
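Listings 8.2 and 8.3 grep for one exact string, which also matches commented-out lines and does not show which of several lines takes effect. The following added example (not from the book) reports the value sshd would use for AllowTcpForwarding or X11Forwarding from the global part of the file; the sample configuration is constructed, the function names are hypothetical, and Match blocks and Include files are not evaluated.

```shell
#!/bin/sh
# Added example (not from the book): report the value sshd would use for a
# directive instead of grepping for one exact string.

# Upstream OpenSSH built-in defaults for the two directives discussed here.
sshd_default() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        allowtcpforwarding) echo yes ;;
        x11forwarding)      echo no ;;
        *)                  echo unknown ;;
    esac
}

# effective_sshd_directive FILE DIRECTIVE
# Prints "<value> <origin>", where origin is "line N" or "default".
# Rules applied: keywords are case-insensitive, lines starting with # are
# comments, and the first uncommented occurrence wins. Scanning stops at the
# first Match block; Include files are not followed (limits of this example).
effective_sshd_directive() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" \
        -v dflt="$(sshd_default "$2")" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        # keyword and value are separated by whitespace, optionally with one "="
        n = match(line, /[ \t=]/)
        if (n == 0) next
        key = tolower(substr(line, 1, n - 1))
        val = substr(line, n)
        sub(/^[ \t]*=?[ \t]*/, "", val)
        sub(/[ \t]+$/, "", val)
        gsub(/"/, "", val)
        if (key == "match") exit
        if (key == want) { printf "%s line %d\n", tolower(val), NR; found = 1; exit }
    }
    END { if (!found) printf "%s default\n", dflt }
    ' "$1"
}

# Constructed sample: as in Listing 8.2 the only global AllowTcpForwarding line
# is commented out, and X11Forwarding appears twice with different values.
write_sample_config() {
cat > "$1" <<'EOF'
# constructed sshd_config fragment
Port 22
#AllowTcpForwarding yes
x11forwarding no
X11Forwarding yes
Match User kiosk
    AllowTcpForwarding no
EOF
}

# Demo on the constructed sample.
tmp=$(mktemp)
write_sample_config "$tmp"
for d in AllowTcpForwarding X11Forwarding; do
    printf '%s: %s\n' "$d" "$(effective_sshd_directive "$tmp" "$d")"
done
rm -f "$tmp"
```

On a live server, sshd -T run as root prints the effective configuration, including the Match and Include handling that this example leaves out.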
Once you have made any necessary configuration file modifications, the command to use is ssh -X user@remote-host. Similar to earlier ssh command uses, the user is the user account that resides on the remote-host system. The remote-host has the GUI utilities you wish to employ and can be designated via an IP address or a hostname. Figure 8.11 shows connecting from a remote Fedora client to a CentOS server and using a graphical utility on that server.
It’s always a good idea to check your IP address to ensure that you have successfully reached the remote system. In Figure 8.11, the ip addr show command is employed for this purpose. Once you have completed your work, just type in exit to log out of the X11 forwarding session.
You may read about using X11 forwarding via the ssh -Y command, which is called trusted X11. This does not mean the connection is more secure. In fact, it is quite the opposite. When employing this command, you are treating the remote server as a trusted system. This can cause many security issues and should be avoided.
Creating, managing, and troubleshooting a GUI environment for yourself and the system’s users involves an important skill set. You need to understand the distinct desktop environments, their supporting frameworks, and how to transmit them safely and securely across the network.
The various desktop environments, such as GNOME Shell, KDE Plasma, MATE, Cinnamon, and Unity, provide a variety of environments to meet different needs and tastes. The currently evolving world of display servers, which primarily includes Wayland and the older X11, supports these GUI desktops.
Linux provides GUI desktop environments with many accessibility features, which allow almost any UI need to be met. The various keyboard and mouse settings help those with hand or finger difficulties. There are also many utilities for the vision impaired, including screen readers and zoom features.
Accessing a GUI across the network is accomplished through remote desktop software. VNC, Xrdp, and NX are a few examples. Spice is unique in that its primary focus is providing remote desktop access to virtual machines.
Whether you are accessing a rack-mounted physical server or a virtual machine running on that server, it is important to secure the remote desktop connection. This is accomplished via SSH port forwarding and, if needed, X11 forwarding. If employed correctly, both allow an encrypted tunnel for data and GUI interactions to travel securely.
Outline the various GUI sections and functions. A desktop environment provides a predetermined look and feel to the GUI. It has graphical sections, such as a favorites bar, launch areas, menus, panels, and a system tray. The GUI also has typical functions like desktop settings, a display manager, a file manager, icons to access programs, widgets, and a window manager.
Describe the various GUI desktop environments. The primary desktop environments used for current Linux distributions include GNOME Shell, KDE Plasma, MATE, and Cinnamon. The no-longer-developed Unity is also important to know because it’s still around on slightly older Linux systems.
Summarize available universal access utilities. The distinct accessibility tools are located in menus or panels. These panels have various locations around the desktop environments and have names like Universal Access, Accessibility, Assistive Technologies, and so on. It is best to use a desktop environment’s search feature to locate them. The various access tools for vision-impaired users include cursor blinking, cursor size, contrast modifications, text size enlargement, sound keys, zoom functions, and screen readers. For those individuals who need access to braille technologies, the brltty software is available. Displayed windows can be set to flash instead of providing a sound alert for those who are hearing impaired. When someone has trouble using the keyboard, there are many settings available such as bounce keys, repeat keys, screen keyboard, slow keys, and sticky keys. For mouse use difficulties, the tools to explore are double-click delays, gestures, hover clicks, mouse keys, and simulated secondary clicks.
Explain the display servers’ role. A display server is a program or program group that uses a communication protocol to convey information between the GUI and the operating system. The communication protocol is called the display server protocol and can operate over a network. One critical program used with the display server is the compositor. The compositor arranges display elements within a window to create a screen image. Two important display servers are Wayland and X11. X11 is an older display server, which has been around for a while. Wayland is a newer display server, which adds many needed security features and is easier to maintain.
Describe the available remote desktop software. Remote desktop software provides a fully functioning desktop environment over the network from a remote server. It uses a client/server model, and there are several packages from which to choose. They include VNC, Xrdp, NX, and SPICE.
Summarize SSH port and X11 forwarding. SSH port forwarding, sometimes called SSH tunneling, redirects a connection from one particular network port to the SSH service at port 22. This allows data traffic to move back and forth through a secure encrypted tunnel, similar to a virtual private network (VPN). SSH port forwarding has three distinct methods, which are local, remote, and dynamic. Besides SSH port forwarding, X11 forwarding is also available. It also provides a secure tunnel for GUI interactions. However, instead of a full desktop environment, you can start X11-based graphical utilities from the remote system’s command line.
Which of the following best describes a desktop environment?
Which of the following are GUI components? (Choose all that apply.)
Which of the following is not used by default within GNOME Shell?
Which of the following is the KDE Plasma files manager?
Which of the following is true concerning the MATE desktop environment? (Choose all that apply.)
Which of the following describes the sound keys accessibility setting?
A blind coworker who is programming on the Linux server is suddenly having odd problems with his braille display device. You determine that you need to restart the braille service. Assuming the appropriate systemd unit file is available, which command would you use?
systemctl restart braille
systemctl reload braille
systemctl restart brailled
systemctl restart brltty
systemctl reload brltty
Which of the following best describes the slow keys accessibility setting?
Which of the following communicates with the Linux operating system to transmit the UI wants and needs?
Which of the following is true of a compositor? (Choose all that apply.)
Which of the following are true concerning Wayland? (Choose all that apply.)
$WAYLAND_DISPLAY environment variable.
WaylandDisable to true to disable Wayland in GNOME Shell.
Which of the following commands will help you determine whether your display server is Wayland or X11?
$WAYLAND_DISPLAY
echo $AccessX
loginctl
echo $X11
runlevel
You use the command gnome-shell --replace at the command line and receive an error message from the utility. What does this indicate?
The --replace option should be swapped for the -R option.
Which of the following is true concerning X11? (Choose all that apply.)
Your system is running an X display server and a user’s graphical user interface is not acting properly. Which of the following commands can you use first to diagnose potential problems? Choose all that apply.
xwininfo
Xorg -configure
xcpyinfo
xdpyinfo
loginctl
Which of the following are remote desktops? (Choose all that apply.)
Which of the following are remote desktops typically used with virtual machines? (Choose all that apply.)
Which of the following protocols does Xrdp employ?
You want to employ SSH port forwarding and use its local mode. Which ssh command switches should you employ? (Choose all that apply.)
-N
-X
-f
-R
-L
You (username Samantha) are logged into a laptop (IP address 192.168.0.42) running a Linux GNOME Classic desktop environment at your company desk in Building A. A problem has occurred on a rack-mounted Linux system (IP address 192.168.0.7) in Building C. You need to securely access a GUI application on the remote system that uses X11. What command should you use?
ssh -Y S[email protected]
ssh -X S[email protected]
ssh -Y S[email protected]
ssh -X S[email protected]
ssh -L S[email protected]