I want to access my Xubuntu desktop machine remotely, and see the same desktop as is shown on the remote machine's monitor. By default using both VNC and xrdp, one gets a new desktop session, and I don't want that.
The possibilities seem to be:
The only half-way secure solution I seem to be able to get is to use
UNIXPW_DISABLE_SSL=1 x11vnc -unixpw -localhost
and create my own systemd service file for that, and then connect to that over an SSH tunnel.
vino
I use a Danish keyboard, and vino doesn't seem to support that because of this bug. Not being able to use æøå or any special characters such as <>|;. rules out vino for me. Also, vino is poorly supported on XFCE, because vino-preferences has been removed.
x11vnc
x11vnc mostly works, but there doesn't seem to be any way to store a password securely. Using a VNC password file is possible, but is limited to 8 characters and trivially decryptable, so is only security-by-obscurity at best. x11vnc using -nopw (and -local so it isn't available over the network requiring use over an SSH tunnel) works, but then any process (running as any user) on the desktop machine can access my logged-in desktop and that is not good.
x11vnc has options for secure connections: -ssl and -stunnel. For -ssl, Remmina showed: "TLS handshake failed: A TLS fatal alert has been received.." and xtightvncviewer showed: "Server did not offer supported security type" while if the server used -stunnel both viewers just sat there and didn't complain but also didn't start up a VNC window.
x11vnc has a -unixpw that "will use the su(1) program to verify the user's password". But that requires either -ssl or -stunnel and -localhost, but neither -ssl nor -stunnel worked for me when connecting with Remmina or xtightvncviewer. But setting the UNIXPW_DISABLE_SSL=1 environment variable "disables requiring either -ssl or -stunnel" according to the man page.
And UNIXPW_DISABLE_SSL=1 x11vnc -unixpw -localhost and then running it over an SSH tunnel seems to be almost nirvana. But with -unixpw I can't store the credentials in Remmina (that stores the password in gnome-keyring), but have to enter them every time. And frankly it looks horrible / bad user experience in my personal opinion.
xrdp
xrdp seems to either start an independent desktop session, or can connect to a running desktop over - drumroll - vino or x11vnc and so I get all the problems outlined above, in addition to whatever issues xrdp introduces.
Is there really no better secure way of accessing my desktop? For real?
What I ended up doing
Edit: In the end, I went for the hopelessly insecure -rfbauth /home/user/.vnc/passwd (and another password!) instead of -unixpw, combined with -localhost and using an SSH tunnel, because the user experience of -unixpw was just too bad.
I also needed to add some more options, so the final systemd config was:
[Unit]
Description=x11vnc VNC Server for X11
Requires=lightdm.service
After=lightdm.service
[Service]
Type=simple
ExecStart=/usr/bin/x11vnc -auth /var/run/lightdm/root/:0 -display WAIT:0 -forever -shared -rfbauth /home/user/.vnc/passwd -rfbport 5900 -localhost
ExecStop=/usr/bin/killall x11vnc
Restart=on-failure
RestartSec=2
SuccessExitStatus=3
[Install]
WantedBy=graphical.target
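
The trade-offs weighed in the post can be checked mechanically against an x11vnc command line. The following is an added example, not part of the original post and not x11vnc's own code; the function name audit_x11vnc and the finding labels are made up for illustration, and besides the options discussed above it only recognises the x11vnc options -passwd, -passwdfile and -usepw.

```python
import os
import shlex
import stat

def audit_x11vnc(exec_start, env=None):
    """Return findings for one x11vnc command line (e.g. a unit's ExecStart=)."""
    env = env or {}
    args = shlex.split(exec_start)
    flags = set(a for a in args if a.startswith("-"))
    findings = []
    # Without -localhost the RFB port listens on the network, so the
    # SSH tunnel is no longer the only way to reach it.
    if "-localhost" not in flags:
        findings.append("network-exposed: -localhost is missing")
    if "-unixpw" in flags:
        # UNIXPW_DISABLE_SSL=1 drops the -ssl/-stunnel requirement; the login
        # password then crosses the VNC connection unencrypted.
        if not flags & {"-ssl", "-stunnel"} and env.get("UNIXPW_DISABLE_SSL") == "1":
            findings.append("cleartext-unixpw: only the SSH tunnel protects the password")
    elif "-rfbauth" in flags:
        findings.append("weak-secret: VNC password file (8 characters, reversible)")
        i = args.index("-rfbauth") + 1
        path = args[i] if i < len(args) else ""
        # The file is only obfuscated, so its mode is the real protection.
        if os.path.isfile(path) and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append("loose-perms: %s is readable by group or other" % path)
    elif not flags & {"-passwd", "-passwdfile", "-usepw"}:
        # -nopw only silences the warning; the server still has no password.
        findings.append("no-auth: any local process can attach to the desktop")
    return findings

# Constructed inputs: the ExecStart line from the unit above and a -nopw variant.
SAMPLES = [
    "/usr/bin/x11vnc -auth /var/run/lightdm/root/:0 -display WAIT:0 -forever "
    "-shared -rfbauth /home/user/.vnc/passwd -rfbport 5900 -localhost",
    "/usr/bin/x11vnc -display :0 -forever -nopw",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(cmd)
        for finding in audit_x11vnc(cmd) or ["no findings"]:
            print("  " + finding)
```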