
I am trying to connect to my vncserver running on CentOS from my home computer, behind a firewall. I have both Win7 and Ubuntu installed on this machine. I get an error:

VNC connection failed: vncserver too many security failures

Even when logging in with the right credentials (I reset the password on CentOS) I get: authentication failure.

I observe that I have to wait a whole day to be able to log in again at all.

Is it something to do with me trying as root? I think it is also important that I have to log in to the remote CentOS through port 6050 - no other port works for me. Do I have to do something with other ports? I see that vncserver is listening on 5901, and 5902 if another is added - and I assume the connection is established because from time to time (after a long time) the password prompt appears... right?

I have created an additional user1, with a password both for CentOS and for VNC, and also user2. I do:

service vncserver start

and two servers start, one on :1 and the second on :2. When I try to connect to vncserverIP:1 I get what I described above, but when I try to connect to vncserverIP:2 it says that the attempt was unsuccessful.

Please help, what should I do?

Additionally: how do I disable this lockout for testing purposes?

4pie0

3 Answers


VNC uses a separate password system. It does not check passwords against /etc/passwd but rather against ~/.vnc/passwd, which contains a single primary password and optionally a secondary password that allows only viewing the screen.

To set your VNC password(s), use the vncpasswd command. VNC passwords must be between five and eight characters in length – characters beyond the eighth are silently ignored. So if you are using VNC over the Internet, pick a strong, random password, as attackers may use botnets that have numerous IP addresses to circumvent the lockout while cracking your password.

If you must use VNC over the Internet, run it on a randomly chosen port number (not 5900) to avoid detection in port scans that cover only the common ports. Preferably, tunnel your VNC connection over SSH to protect yourself against eavesdropping and man-in-the-middle attacks. If you do this, you should set vncserver to not accept connections from the Internet, disable password-only authentication on the SSH service and use public-key authentication to protect against common brute-force password cracking attempts.

Restarting vncserver should reset the lockout. The manual page does not mention any way to disable the (already inadequate?) lockout entirely.

PleaseStand
  • Thanks, as I said I have created users and set their passwords both on the terminal (passwd) and for VNC (vncpasswd), so the passwords are set already. But I have chosen 9-letter passwords. You said that VNC then ignores the last letter, but does the VNC viewer also ignore it when I enter that 9-letter password when logging in? Restarting with: service vncserver restart doesn't remove the lockout: I still get authentication failure without the option to log in. So, should I try to log in (when it allows it again) using the truncated passwords (only the first 8 letters) or do I have to set them again? – 4pie0 Jun 17 '12 at 21:59
  • Another question: how do I log in as root? Is it possible? When logging in you are asked only for the IP and password, so how do I log in as root to see the root session? – 4pie0 Jun 17 '12 at 22:08
  • @cf16: The simple answer (to "how to login as root?") is to run vncserver as root. If you want to log in to multiple different user accounts without having to use su or sudo, you would need to set up an [X display manager](https://en.wikipedia.org/wiki/X_display_manager_%28program_type%29) such as LightDM. – PleaseStand Jun 17 '12 at 22:26
  • I started as root, so it tells me that servers for user1 and user2 have been created. request for password appears only when trying IP:1, when trying to connect to IP:2 it doesn't connect at all. – 4pie0 Jun 17 '12 at 22:43
  • @cf16: Try IP:0. This should connect to port 5900. – PleaseStand Jun 17 '12 at 22:46
  • IP:0 also doesn't connect at all. only IP:1 and it gives me still authentication failure. I can try to login on this IP:1 after very long, long time (2nd day) and only once and the story repeats. – 4pie0 Jun 18 '12 at 04:22
  • and why IP:0, I know what you want but on a server I can see that it listens on the 5901 for user1 and 5902 for user2, there is info about screen number and log file when starting service, and it is all correct, however as I said: on IP:2 I can not connect to server at all. – 4pie0 Jun 18 '12 at 04:28
  • "passwords must be between five and eight characters in length – characters beyond the eighth are silently ignored" and "pick a strong, random password" --> yeh, right. And then start VNC on an internet-facing device. Made my day. Seriously, even at the time this was posted 8 chars was NOTHING. VNC is NOT considered secure by any means and is nothing anyone should put on an insecure network like the internet. – omni Aug 01 '15 at 08:45
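As an added example (not code from this answer or from any VNC project): the answer above says the lockout is per source and grows with failed attempts, which is what a defender would want to spot in the Xvnc log before users notice. The script below counts bad-password failures and lockout rejections per client address from a constructed log excerpt, and models a threshold-plus-doubling lockout to show why repeated retries end in a day-long block. The log wording (TigerVNC-style `Connections: accepted:` / `AuthFailureException` lines) and the lockout parameters (5 failures, 10-second base timeout, doubling) are assumptions, not values quoted from the page.

```python
import re
from collections import defaultdict

# Constructed Xvnc-style log excerpt (one client connection per 'accepted'
# line). The message wording is an assumption modelled on TigerVNC logs;
# adjust the patterns if your Xvnc prints something different.
SAMPLE_LOG = """\
 Connections: accepted: 198.51.100.7::49152
 SConnection: Client requests security type VncAuth(2)
 SConnection: AuthFailureException: Authentication failure
 Connections: closed: 198.51.100.7::49152 (Authentication failure)
 Connections: accepted: 198.51.100.7::49153
 SConnection: AuthFailureException: Authentication failure
 Connections: closed: 198.51.100.7::49153 (Authentication failure)
 Connections: accepted: 203.0.113.9::40000
 SConnection: AuthFailureException: Too many security failures
 Connections: closed: 203.0.113.9::40000 (Too many security failures)
"""

ACCEPTED = re.compile(r"Connections: accepted: (\S+?)::\d+")

def failures_by_source(log_text):
    """Count bad-password failures and lockout rejections per client address.
    Returns {addr: {"auth_failures": n, "lockouts": m}}."""
    stats = defaultdict(lambda: {"auth_failures": 0, "lockouts": 0})
    current = None                        # address of the connection in progress
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            current = m.group(1)
            continue
        if current is None or "Connections: closed" in line:
            continue                      # 'closed' lines only repeat the reason
        if "Too many security failures" in line:
            stats[current]["lockouts"] += 1
        elif "Authentication failure" in line:
            stats[current]["auth_failures"] += 1
    return dict(stats)

def lockout_seconds(consecutive_failures, threshold=5, base_timeout=10):
    """Simplified lockout model (assumed parameters): no block below the
    threshold, then a block that doubles with every further failure.
    Under these defaults the block exceeds one day after 19 failures."""
    if consecutive_failures < threshold:
        return 0
    return base_timeout * 2 ** (consecutive_failures - threshold)

if __name__ == "__main__":
    for addr, s in failures_by_source(SAMPLE_LOG).items():
        print(f"{addr}: {s['auth_failures']} bad passwords, {s['lockouts']} lockout rejections")
    for n in (4, 5, 10, 19):
        print(f"{n:2d} consecutive failures -> blocked for {lockout_seconds(n)} s")
```

Point the parser at the real `~/.vnc/<host>:<display>.log` and alert on any address whose `auth_failures` climbs towards the threshold; a client that only ever appears with `lockouts` is one the server is already refusing.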

Adding to the answers already given:

You are not mentioning this explicitly in your post but the description of your problem implies that you have been blocked after too many unsuccessful login attempts. I ran into this problem recently when a coworker couldn't log in after having tried an incorrect password too many times. I came across this post at SOLVEOPTIMIZED that explains how to solve it.

You have to define your firewall rules to allow incoming connections on the port that the VNC server is using. The VNC server uses port 5900+N, where N stands for each new instance. So let's say your instance of the VNC server runs on port 5901; you would then have to allow incoming connections to this port in your firewall settings. You can find the port numbers for all instances with

$ vncserver -l

After having changed your firewall rules you just have to wait for the server timeout to end and you'll be able to log in again.

Alternatively, if you do not want to wait or if you do not want to mess with your firewall settings you can restart the VNC server by killing all instances of it. That's different from restarting the service like you did. You do a hard restart by first grepping for VNC's PID

$ pgrep vnc

and then killing all instances with

$ kill pid

Make sure to actually kill all instances if pgrep returns multiple PIDs.

jono3030


I had this VNC lockout problem. I solved it by installing the gufw firewall.

H2ONaCl