@ -19,6 +19,8 @@ void print_help(int mode) {
" \n "
" x11vnc: allow VNC connections to real X11 displays. %s \n "
" \n "
" (type \" x11vnc -opts \" to just list the options.) \n "
" \n "
" Typical usage is: \n "
" \n "
" Run this command in a shell on the remote machine \" far-host \" \n "
@ -423,20 +425,22 @@ void print_help(int mode) {
" send one before a 25 second timeout. Existing clients \n "
" are view-only during this period. \n "
" \n "
" Since the detailed behavior of su(1) can vary from OS \n "
" to OS and for local configurations, please test the mode\n "
" Since the detailed behavior of su(1) can vary from \n "
" OS to OS and for local configurations, test the mode\n "
" carefully on your systems before using it in production. \n "
" E.g. try different combinations of valid/invalid \n "
" usernames and valid/invalid passwords to see if it \n "
" behaves correctly. x11vnc will be conservative and \n "
" reject a user if anything abnormal occurs. \n "
" \n "
" For example, on FreeBSD and the other BSD's by default \n "
" it is impossible for the user running x11vnc to validate \n "
" his *own* password via su(1) (evidently commenting \n "
" out the pam_self.so entry in /etc/pam.d/su eliminates \n "
" the problem). So the x11vnc login will always fail for \n "
" this case. A possible workaround would be to start \n "
" Test different combinations of valid/invalid usernames \n "
" and valid/invalid passwords to see if it behaves as \n "
" expected. x11vnc will attempt to be conservative and \n "
" reject a login if anything abnormal occurs. \n "
" \n "
" On FreeBSD and the other BSD's by default it is \n "
" impossible for the user running x11vnc to validate \n "
" his *own* password via su(1) (evidently commenting out \n "
" the pam_self.so entry in /etc/pam.d/su eliminates this \n "
" problem). So the x11vnc login will always *fail* for \n "
" this case (even when the correct password is supplied). \n "
" \n "
" A possible workaround for this would be to start \n "
" x11vnc as root with the \" -users +nobody \" option to \n "
" immediately switch to user nobody. Another source of \n "
" problems are PAM modules that prompt for extra info, \n "
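Review bot: the parenthetical "evidently commenting out the pam_self.so entry in /etc/pam.d/su eliminates this problem" reads as a recommendation, but that edit relaxes su(1) policy for every program on the host, not just x11vnc; consider saying so explicitly and pointing readers to the "-users +nobody" workaround that follows as the preferred fix. Also "his *own* password" could simply be "their own password".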
@ -459,48 +463,50 @@ void print_help(int mode) {
" -stunnel SSL mode be used for encryption over the \n "
" network.(see the description of -stunnel below). \n "
" \n "
" As a convenience, if you ssh(1) in and start x11vnc it \n "
" will check if the environment variable SSH_CONNECTION \n "
" is set and appears reasonable. If it does, then the \n "
" -ssl or -stunnel requirement will be dropped since it is \n "
" assumed you are using ssh for the encrypted tunnelling. \n "
" -localhost is still enforced. Use -ssl or -stunnel to \n "
" force SSL usage for this case. \n "
" Note: as a convenience, if you ssh(1) in and start \n "
" x11vnc it will check if the environment variable \n "
" SSH_CONNECTION is set and appears reasonable. If it \n "
" does, then the -ssl or -stunnel requirement will be \n "
" dropped since it is assumed you are using ssh for the \n "
" encrypted tunnelling. -localhost is still enforced. \n "
" Use -ssl or -stunnel to force SSL usage even if \n "
" SSH_CONNECTION is set. \n "
" \n "
" To override the se restrictions you can set environmen t\n "
" variables before starting x11vnc:\n "
" To override the above restrictions you can se t\n "
" environment variables before starting x11vnc:\n "
" \n "
" Set UNIXPW_DISABLE_SSL=1 to disable requiring either \n "
" -ssl or -stunnel. Evidently you will be using a \n "
" different method to encrypt the data between the \n "
" vncviewer and x11vnc: e.g. ssh(1) or a VPN. Note that \n "
" use of -localhost with ssh(1) is roughly the same as \n "
" requiring a Unix user login (since a Unix password or \n "
" the user's public key authentication is used by sshd on \n "
" the machine where x11vnc runs and only local connections \n "
" are accepted) \n "
" vncviewer and x11vnc: perhaps ssh(1) or an IPSEC VPN. \n "
" \n "
" Note that use of -localhost with ssh(1) is roughly \n "
" the same as requiring a Unix user login (since a Unix \n "
" password or the user's public key authentication is \n "
" used by sshd on the machine where x11vnc runs and only \n "
" local connections from that machine are accepted) \n "
" \n "
" Set UNIXPW_DISABLE_LOCALHOST=1 to disable the -localhost \n "
" requirement in Method 2). One should never do this \n "
" (i.e. allow the Unix passwords to be sniffed on the \n "
" network). \n "
" \n "
" Regarding reverse connections (e.g. -R connect:host ), \n "
" if the -localhost constraint is in effect then reverse \n "
" connections can only be used to connect to the same \n "
" machine x11vnc is running on (default port 5500). \n "
" Please use a ssh or stunnel port redirection to the \n "
" viewer machine to tunnel the reverse connection over \n "
" an encrypted channel. Note that in -ssl mode reverse \n "
" connection are disabled.\n "
" \n "
" XXX -inetd + -ssl \n "
" In -inetd mode the two settings are attempted to be \n "
" enforced for reverse connections. Be sure to also \n "
" use encryption from the viewer to inetd since x11vnc \n "
" cannot guess easily if it is encrpyted. Tip: you can \n "
" also have your own stunnel spawn x11vnc in -inetd mode \n "
" (i.e. bypassing inetd). See the FAQ for details.\n "
" Regarding reverse connections (e.g. -R connect:host \n "
" and -connect host), when the -localhost constraint is \n "
" in effect then reverse connections can only be used\n "
" to connect to the same machine x11vnc is running on\n "
" (default port 5500). Please use a ssh or stunnel port\n "
" redirection to the viewer machine to tunnel the reverse\n "
" connection over an encrypted channel. Note that in -ssl\n "
" mode reverse connection are disabled (see below) .\n "
" \n "
" In -inetd mode the Method 1) will be enforced (not \n "
" Method 2). With -ssl in effect reverse connections \n "
" are disabled. If you override this via env. var, be \n "
" sure to also use encryption from the viewer to inetd. \n "
" Tip: you can also have your own stunnel spawn x11vnc \n "
" in -inetd mode (thereby bypassing inetd). See the FAQ \n "
" for details.\n "
" \n "
" The user names in the comma separated [list] can have \n "
" per-user options after a \" : \" , e.g. \" fred:opts \" \n "
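Review bot: the SSH_CONNECTION convenience ("check if the environment variable SSH_CONNECTION is set and appears reasonable") never says what "reasonable" means, yet this is the check that drops the -ssl/-stunnel requirement; the help text should state what is validated, or at least that it is a heuristic on an environment variable rather than proof of an ssh tunnel, so administrators know what they are relying on. In the -inetd paragraph, "Method 1)" and "Method 2)" are referenced without a reminder of which is which; one clause restating them would avoid a trip back up the page.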
@ -515,22 +521,24 @@ void print_help(int mode) {
" Use \" deny \" to explicitly deny some users if you use \n "
" \" * \" to set a global option. \n "
" \n "
" There are also some tools for testing password if [list] \n "
" starts with the \" % \" character. See the quick_pw() \n "
" function for details.\n "
" There are also some utilities for testing password \n "
" if [list] starts with the \" % \" character. See the \n "
" quick_pw() function in the source for details.\n "
" \n "
" -unixpw_nis [list] As -unixpw above, however do not use su(1) but rather \n "
" use the traditional getpwnam(3) + crypt(3) method \n "
" instead. This requires that the encrpyted passwords \n "
" be readable. Passwords stored in /etc/shadow will \n "
" be inaccessible unless run as root. This is called \n "
" \" NIS \" mode simply because in most NIS setups the \n "
" user encrypted passwords are accessible (e.g. \" ypcat \n "
" passwd \" ). NIS is not required for this mode to work \n "
" (only that getpwnam(3) return the encrpyted password \n "
" is required), but it is unlikely it will work for any \n "
" other environment. All of the -unixpw options and \n "
" contraints apply. \n "
" use the traditional getpwnam(3) + crypt(3) method to \n "
" verify passwords instead. This requires that the \n "
" encrpyted passwords be readable. Passwords stored \n "
" in /etc/shadow will be inaccessible unless x11vnc \n "
" is run as root. \n "
" \n "
" This is called \" NIS \" mode simply because in most \n "
" NIS setups the user encrypted passwords are accessible \n "
" (e.g. \" ypcat passwd \" ). NIS is not required for this \n "
" mode to work (only that getpwnam(3) return the encrpyted \n "
" password is required), but it is unlikely it will work \n "
" for any other modern environment. All of the -unixpw \n "
" options and contraints apply. \n "
" \n "
" -ssl [pem] Use the openssl library (www.openssl.org) to provide a \n "
" built-in encrypted SSL tunnel between VNC viewers and \n "
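Review bot: spelling in the rewritten -unixpw_nis text: "encrpyted" appears twice in the new lines ("the encrpyted passwords be readable" and "return the encrpyted password") and "contraints" should be "constraints"; since these lines are being reflowed anyway, fix them here.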
@ -539,30 +547,33 @@ void print_help(int mode) {
" with libssl support it will exit immediately when -ssl \n "
" is prescribed. \n "
" \n "
" [pem] is optional, use \" -ssl /path/to/mycert.pem \" to \n "
" specify a PEM certificate file to use to identify and \n "
" provide a key for this server. \n "
" \n "
" Connecting VNC viewer SSL tunnels can authenticate \n "
" this server if they have the public key part of the \n "
" certificate (or a common certificate authority, CA, \n "
" verifies this server's cert). This is used to prevent \n "
" man-in-the-middle attacks. Otherwise, if the VNC viewer \n "
" accepts this server's key without verification, at \n "
" least the traffic is protected from passive sniffing \n "
" on the network. \n "
" [pem] is optional, use \" -ssl /path/to/mycert.pem \" \n "
" to specify a PEM certificate file to use to identify \n "
" and provide a key for this server. See openssl(1) \n "
" for what a PEM can be. \n "
" \n "
" Connecting VNC viewer SSL tunnels can optionally \n "
" authenticate this server if they have the public \n "
" key part of the certificate (or a common certificate \n "
" authority, CA, is a more sophisicated way to verify \n "
" this server's cert). This is used to prevent \n "
" man-in-the-middle attacks. Otherwise, if the VNC \n "
" viewer accepts this server's key without verification, \n "
" at least the traffic is protected from passive sniffing \n "
" on the network (but NOT from man-in-the-middle attacks). \n "
" \n "
" If [pem] is not supplied and the openssl(1) utility \n "
" command exists in PATH, then a temporary, self-signed \n "
" certificate will be generated for this session (this \n "
" may take 5- 2 0 seconds on slow machines). If openssl(1)\n "
" may take 5- 3 0 seconds on slow machines). If openssl(1)\n "
" cannot be used to generate a temporary certificate \n "
" x11vnc exits immediately. \n "
" \n "
" If successful in using openssl(1) to generate a \n "
" certificate, the public part of it will be displayed \n "
" to stdout (e.g. one could copy it to the client-side \n "
" to provide authentication of the server to VNC viewers.) \n "
" temporary certificate, the public part of it will be \n "
" displayed to stderr (e.g. one could copy it to the \n "
" client-side to provide authentication of the server to \n "
" VNC viewers.) \n "
" \n "
" Set the env. var. X11VNC_SHOW_TMP_PEM=1 to have x11vnc \n "
" print out the entire certificate, including the PRIVATE \n "
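Review bot: "sophisicated" should be "sophisticated", and the new CA clause no longer parses as a sentence ("or a common certificate authority, CA, is a more sophisicated way to verify this server's cert"); suggest "(or a common certificate authority, CA, verifies this server's cert, which is the more robust approach)". The change from "displayed to stdout" to "displayed to stderr" is a factual correction that users capturing the public cert in scripts will rely on; please confirm it matches the actual print call in the SSL code.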
@ -572,20 +583,23 @@ void print_help(int mode) {
" will be printed to stderr (so one could move it to a \n "
" safe place for reuse). \n "
" \n "
" Reverse connections are disabled in -ssl \n "
" mode because the data cannot be encrypted. \n "
" Set X11VNC_SSL_ALLOW_REVERSE=1 to override this. \n "
" Reverse connections are disabled in -ssl mode because \n "
" there is no way to ensure that data channel will \n "
" be encrypted. Set X11VNC_SSL_ALLOW_REVERSE=1 to \n "
" override this. \n "
" \n "
" Your VNC viewer will also need to be able to connect \n "
" via SSL. See the discussion below under -stunnel and \n "
" the FAQ for how this might be achieved. E.g. on Unix it \n "
" is easy to write a shell script that starts up stunnel \n "
" and then vncviewer. \n "
" via SSL. See the discussion below under -stunnel \n "
" and the FAQ for how this might be achieved. E.g. on \n "
" Unix it is easy to write a shell script that starts up \n "
" stunnel and then vncviewer. Also in the x11vnc source \n "
" a SSL enabled Java VNC Viewer applet is provided in \n "
" the classes/ssl directory. \n "
" \n "
" -sslverify [path] For either of the -ssl or -stunnel modes, use [path] \n "
" to provide certificates to authenticate incoming VNC \n "
" client connections. This can be used as a method to \n "
" replace standard password authentication .\n "
" replace standard password authentication of clients .\n "
" \n "
" If [path] is a directory it contains the client (or CA) \n "
" certificates in separate files. If [path] is a file, it \n "
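Review bot: "there is no way to ensure that data channel will be encrypted" is missing an article ("the data channel"). More importantly, X11VNC_SSL_ALLOW_REVERSE=1 overrides a check that exists precisely because the reverse channel may leave the host unencrypted, so the sentence should state what the override implies (the reverse connection is not covered by -ssl and needs its own tunnel), in the same way the text already warns about UNIXPW_DISABLE_LOCALHOST.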
@ -595,37 +609,44 @@ void print_help(int mode) {
" \n "
" To create certificates for all sorts of authentications \n "
" (clients, servers, via CA, etc) see the openssl(1) \n "
" command. Of particular usefulness is the x509\n "
" command. Of particular usefulness is the \" x509\" \n "
" subcommand of openssl(1). \n "
" \n "
" -stunnel [pem] Use the stunnel(8) (www.stunnel.org) to provide \n "
" an encrypted SSL tunnel between viewers and x11vnc. \n "
" This requires stunnel to be installed on the system and \n "
" available via PATH (n.b. stunnel is often installed in \n "
" sbin directories). Version 4.x of stunnel is assumed \n "
" (but see -stunnel3 below.) \n "
" -stunnel [pem] Use the stunnel(8) (www.stunnel.org) to provide an \n "
" encrypted SSL tunnel between viewers and x11vnc. This \n "
" was implemented prior to the integrated -ssl encrpytion. \n "
" It works well. This requires stunnel to be installed \n "
" on the system and available via PATH (n.b. stunnel is \n "
" often installed in sbin directories). Version 4.x of \n "
" stunnel is assumed (but see -stunnel3 below.) \n "
" \n "
" [pem] is optional, use \" -stunnel /path/to/stunnel.pem \" \n "
" to specify a PEM certificate file to pass to stunnel. \n "
" Whether one is needed or not depends on your stunnel \n "
" configuration. stunnel often generates one at install \n "
" time. \n "
" time. See the stunnel documentation for details. \n "
" \n "
" stunnel is started up as a child process of x11vnc and \n "
" any SSL connections stunnel receives are decrypted and \n "
" sent to x11vnc over a local socket. The strings \n "
" \" The SSL VNC desktop is ... \" and \" SSLPORT=... \" \n "
" are printed out at startup .\n "
" are printed out at startup to indicate this .\n "
" \n "
" The -localhost option is enforced by default to \n "
" avoid people routing around the SSL channel. Set \n "
" STUNNEL_DISABLE_LOCALHOST=1 to disable the requirement. \n "
" The -localhost option is enforced by default \n "
" to avoid people routing around the SSL channel. \n "
" Set STUNNEL_DISABLE_LOCALHOST=1 before starting x11vnc \n "
" to disable the requirement. \n "
" \n "
" Your VNC viewer will also need to be able to connect \n "
" via SSL. Unfortunately not too many do this. UltraVNC \n "
" seems to have an encryption plugin. It is not too \n "
" difficult to set up an stunnel or other SSL tunnel on \n "
" the viewer side. \n "
" Your VNC viewer will also need to be able to connect via \n "
" SSL. Unfortunately not too many do this. UltraVNC has \n "
" an encryption plugin but it does not seem to be SSL. \n "
" \n "
" In the x11vnc distribution, a patched TightVNC Java \n "
" applet is provided in classes/ssl that does SSL \n "
" connections (only). \n "
" \n "
" It is also not too difficult to set up an stunnel or \n "
" other SSL tunnel on the viewer side. \n "
" \n "
" A simple example on Unix using stunnel 3.x is: \n "
" \n "
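Review bot: "encrpytion" in "prior to the integrated -ssl encrpytion" should be "encryption", and "It works well." adds nothing to a help screen; "an stunnel" in the new viewer-side sentence should be "a stunnel". The sentence "UltraVNC has an encryption plugin but it does not seem to be SSL" is a useful correction of the old text and should stay.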
@ -639,6 +660,35 @@ void print_help(int mode) {
" -stunnel3 [pem] Use version 3.x stunnel command line syntax instead of \n "
" version 4.x \n "
" \n "
" -https [port] Choose a separate HTTPS port (-ssl mode only). \n "
" \n "
" In -ssl mode, it turns out you can use the \n "
" single VNC port (e.g. 5900) for both VNC and HTTPS \n "
" connections. (HTTPS is used to retrieve a SSL-aware \n "
" VncViewer.jar applet that is provided with x11vnc). \n "
" Since both use SSL the implementation was extended to \n "
" detect if HTTP traffic (i.e. GET) is taking place and \n "
" handle it accordingly. The URL would be, e.g.: \n "
" \n "
" https://mymachine.org:5900/ \n "
" \n "
" This is convenient for firewalls, etc, because only one \n "
" port needs to be allowed in. However, this heuristic \n "
" adds a few seconds delay to each connection and can be \n "
" unreliable (especially if the user takes much time to \n "
" ponder the Certificate dialogs in his browser, Java VM, \n "
" or VNC Viewer applet. That's right 3 separate \" Are \n "
" you sure you want to connect \" dialogs!) \n "
" \n "
" So use the -https option to provide a separate, more \n "
" reliable HTTPS port that x11vnc will listen on. If \n "
" [port] is not provided (or is 0), one is autoselected. \n "
" The URL to use is printed out at startup. \n "
" \n "
" The SSL Java applet directory is specified via the \n "
" -httpdir option. If not supplied it will try to guess \n "
" the directory as though the -http option was supplied. \n "
" \n "
" -usepw If no other password method was supplied on the command \n "
" line, first look for ~/.vnc/passwd and if found use it \n "
" with -rfbauth; next, look for ~/.vnc/passwdfile and \n "
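Review bot: the -https text says the single-port GET heuristic "can be unreliable" but not what a misdetection looks like to the user (connection dropped, hang, or treated as a VNC client), which is exactly what someone debugging a stuck browser applet needs; one sentence on the failure mode would make the recommendation to use -https actionable. It would also help to note that the port in https://mymachine.org:5900/ is the VNC port itself, in contrast to the separate URL printed at startup when -https is given.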
@ -844,9 +894,10 @@ void print_help(int mode) {
" string \" noptr \" the mouse pointer will not be allowed \n "
" to go into a blacked out region. \n "
" -xinerama If your screen is composed of multiple monitors \n "
" glued together via XINERAMA, and that screen is\n "
" -noxinerama glued together via XINERAMA, and that screen is\n "
" not a rectangle this option will try to guess the \n "
" areas to black out (if your system has libXinerama). \n "
" default: %s \n "
" \n "
" In general, we have noticed on XINERAMA displays you \n "
" may need to use the \" -xwarppointer \" option if the mouse \n "
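Review bot: listing -noxinerama in the option column is fine, but the description still only explains what -xinerama does ("this option will try to guess the areas to black out"); add a clause saying -noxinerama disables that guessing so the pair reads like the other on/off option pairs in this help text.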
@ -2261,9 +2312,9 @@ void print_help(int mode) {
" http_url auth xauth users rootshift clipshift \n "
" scale_str scaled_x scaled_y scale_numer scale_denom \n "
" scale_fac scaling_blend scaling_nomult4 scaling_pad \n "
" scaling_interpolate inetd privremote unsafe safer \n "
" nocmds passwdfile unixpw unixpw_nis unixpw_list ssl\n "
" ssl _pem ssl verify stunnel stunnel_pem usepw using_shm\n "
" scaling_interpolate inetd privremote unsafe safer nocmds \n "
" passwdfile unixpw unixpw_nis unixpw_list ssl ssl_pem \n "
" ssl verify stunnel stunnel_pem https usepw using_shm\n "
" logfile o flag rc norc h help V version lastmod bg \n "
" sigpipe threads readrate netrate netlatency pipeinput \n "
" clients client_count pid ext_xtest ext_xtrap ext_xrecord \n "
@ -2364,7 +2415,7 @@ void print_help(int mode) {
strncpy ( tmp , p , w ) ;
fprintf ( stderr , " %s " , tmp ) ;
l + + ;
if ( l % 2 = = 0 ) {
if ( l % 3 = = 0 ) {
fprintf ( stderr , " \n " ) ;
}
}
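Review bot: changing the wrap from every 2 to every 3 columns is a magic number coupled to the column width w used in strncpy(tmp, p, w) just above; a named constant for both would keep them in step. Separately, strncpy(tmp, p, w) does not NUL-terminate tmp when p is w or more characters long, so the following fprintf(stderr, "%s", tmp) depends on tmp having been zeroed elsewhere before each copy; worth confirming, or terminating tmp explicitly after the copy.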
@ -2381,6 +2432,7 @@ void print_help(int mode) {
view_only ? " on " : " off " ,
shared ? " on " : " off " ,
vnc_connect ? " -vncconnect " : " -novncconnect " ,
xinerama ? " -xinerama " : " -noxinerama " ,
use_modifier_tweak ? " -modtweak " : " -nomodtweak " ,
skip_duplicate_key_events ? " -skip_dups " : " -noskip_dups " ,
add_keysyms ? " -add_keysyms " : " -noadd_keysyms " ,
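Review bot: the new xinerama ? "-xinerama" : "-noxinerama" argument is positional, so it has to land at the same ordinal as the "default: %s" placeholder for -xinerama in the help text; please double check that no other %s sits between the -vncconnect and -xinerama entries in the format string, since a mismatch silently shifts every later default shown to the user rather than failing at compile time.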