|
|
|
@ -14,7 +14,7 @@ void nopassword_warning_msg(int gotloc);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
void print_help(int mode) {
|
|
|
|
|
#if !SMALL_FOOTPRINT
|
|
|
|
|
#if !SKIP_HELP
|
|
|
|
|
char help[] =
|
|
|
|
|
"\n"
|
|
|
|
|
"x11vnc: allow VNC connections to real X11 displays. %s\n"
|
|
|
|
@ -423,9 +423,9 @@ void print_help(int mode) {
|
|
|
|
|
" send one before a 25 second timeout. Existing clients\n"
|
|
|
|
|
" are view-only during this period.\n"
|
|
|
|
|
"\n"
|
|
|
|
|
" Since the detailed behavior of su(1) can vary from\n"
|
|
|
|
|
" OS to OS and for local configurations, please test\n"
|
|
|
|
|
" the mode carefully on your systems before using it.\n"
|
|
|
|
|
" Since the detailed behavior of su(1) can vary from OS\n"
|
|
|
|
|
" to OS and for local configurations, please test the mode\n"
|
|
|
|
|
" carefully on your systems before using it in production.\n"
|
|
|
|
|
" E.g. try different combinations of valid/invalid\n"
|
|
|
|
|
" usernames and valid/invalid passwords to see if it\n"
|
|
|
|
|
" behaves correctly. x11vnc will be conservative and\n"
|
|
|
|
@ -443,53 +443,64 @@ void print_help(int mode) {
|
|
|
|
|
" e.g. password aging modules. These logins will fail\n"
|
|
|
|
|
" as well even when the correct password is supplied.\n"
|
|
|
|
|
"\n"
|
|
|
|
|
" *IMPORTANT*: to prevent the Unix password being sent in\n"
|
|
|
|
|
" *clear text* over the network, two x11vnc options are\n"
|
|
|
|
|
" enforced: 1) -localhost and 2) -stunnel. The former\n"
|
|
|
|
|
" requires the viewer connection to appear to come from\n"
|
|
|
|
|
" the same machine x11vnc is running on (e.g. from a ssh\n"
|
|
|
|
|
" -L port redirection). The latter requires the -stunnel\n"
|
|
|
|
|
" SSL mode be used (see the description below).\n"
|
|
|
|
|
" **IMPORTANT**: to prevent the Unix password being sent\n"
|
|
|
|
|
" in *clear text* over the network, one of two schemes\n"
|
|
|
|
|
" will be enforced: 1) the -ssl builtin SSL mode, or 2)\n"
|
|
|
|
|
" require both -localhost and -stunnel be enabled.\n"
|
|
|
|
|
"\n"
|
|
|
|
|
" To override these restrictions you can set environment\n"
|
|
|
|
|
" variables before starting x11vnc:\n"
|
|
|
|
|
" Method 1) ensures the traffic is encrypted between\n"
|
|
|
|
|
" viewer and server. A PEM file will be required, see the\n"
|
|
|
|
|
" discussion under -ssl below (under some circumstances\n"
|
|
|
|
|
" a temporary one can be automatically generated).\n"
|
|
|
|
|
"\n"
|
|
|
|
|
" Set UNIXPW_DISABLE_STUNNEL=1 to disable using -stunnel.\n"
|
|
|
|
|
" Evidently you will be using a different method to\n"
|
|
|
|
|
" encrypt the data between the vncviewer and x11vnc:\n"
|
|
|
|
|
" e.g. ssh(1) or a VPN. Note that use of -localhost\n"
|
|
|
|
|
" with ssh(1) is roughly the same as requiring a Unix\n"
|
|
|
|
|
" user login (since a Unix password or the user's public\n"
|
|
|
|
|
" key authentication is used by ssh on the machine where\n"
|
|
|
|
|
" x11vnc runs and only local connections are accepted)\n"
|
|
|
|
|
" Method 2) requires the viewer connection to appear\n"
|
|
|
|
|
" to come from the same machine x11vnc is running on\n"
|
|
|
|
|
" (e.g. from a ssh -L port redirection). And that the\n"
|
|
|
|
|
" -stunnel SSL mode be used for encryption over the\n"
|
|
|
|
|
" network.(see the description of -stunnel below).\n"
|
|
|
|
|
"\n"
|
|
|
|
|
" As a convenience, if you ssh(1) in and start x11vnc it\n"
|
|
|
|
|
" will check if the environment variable SSH_CONNECTION\n"
|
|
|
|
|
" is set and appears reasonable. If it does, then the\n"
|
|
|
|
|
" stunnel requirement is dropped since it is assumed\n"
|
|
|
|
|
" you are using ssh for the encrypted tunnelling.\n"
|
|
|
|
|
" Use -stunnel to force stunnel usage for this case.\n"
|
|
|
|
|
" -ssl or -stunnel requirement will be dropped since it is\n"
|
|
|
|
|
" assumed you are using ssh for the encrypted tunnelling.\n"
|
|
|
|
|
" -localhost is still enforced. Use -ssl or -stunnel to\n"
|
|
|
|
|
" force SSL usage for this case.\n"
|
|
|
|
|
"\n"
|
|
|
|
|
" To override these restrictions you can set environment\n"
|
|
|
|
|
" variables before starting x11vnc:\n"
|
|
|
|
|
"\n"
|
|
|
|
|
" Set UNIXPW_DISABLE_SSL=1 to disable requiring either\n"
|
|
|
|
|
" -ssl or -stunnel. Evidently you will be using a\n"
|
|
|
|
|
" different method to encrypt the data between the\n"
|
|
|
|
|
" vncviewer and x11vnc: e.g. ssh(1) or a VPN. Note that\n"
|
|
|
|
|
" use of -localhost with ssh(1) is roughly the same as\n"
|
|
|
|
|
" requiring a Unix user login (since a Unix password or\n"
|
|
|
|
|
" the user's public key authentication is used by sshd on\n"
|
|
|
|
|
" the machine where x11vnc runs and only local connections\n"
|
|
|
|
|
" are accepted)\n"
|
|
|
|
|
"\n"
|
|
|
|
|
" Set UNIXPW_DISABLE_LOCALHOST=1 to disable the -localhost\n"
|
|
|
|
|
" requirement. One should never do this (i.e. allow the\n"
|
|
|
|
|
" Unix passwords to be sniffed on the network).\n"
|
|
|
|
|
" requirement in Method 2). One should never do this\n"
|
|
|
|
|
" (i.e. allow the Unix passwords to be sniffed on the\n"
|
|
|
|
|
" network).\n"
|
|
|
|
|
"\n"
|
|
|
|
|
" Regarding reverse connections (e.g. -R connect:host),\n"
|
|
|
|
|
" the -localhost constraint is in effect and the reverse\n"
|
|
|
|
|
" if the -localhost constraint is in effect then reverse\n"
|
|
|
|
|
" connections can only be used to connect to the same\n"
|
|
|
|
|
" machine x11vnc is running on (default port 5500).\n"
|
|
|
|
|
" Please use a ssh or stunnel port redirection to the\n"
|
|
|
|
|
" viewer machine to tunnel the reverse connection over\n"
|
|
|
|
|
" an encrypted channel. Note that Unix username and\n"
|
|
|
|
|
" password *will* be prompted for (unlike VNC passwords\n"
|
|
|
|
|
" that are skipped for reverse connections).\n"
|
|
|
|
|
" an encrypted channel. Note that in -ssl mode reverse\n"
|
|
|
|
|
" connection are disabled.\n"
|
|
|
|
|
"\n"
|
|
|
|
|
" NOTE: in -inetd mode the two settings are attempted\n"
|
|
|
|
|
" to be enforced for reverse connections. Be sure to\n"
|
|
|
|
|
" XXX -inetd + -ssl\n"
|
|
|
|
|
" In -inetd mode the two settings are attempted to be\n"
|
|
|
|
|
" enforced for reverse connections. Be sure to also\n"
|
|
|
|
|
" use encryption from the viewer to inetd since x11vnc\n"
|
|
|
|
|
" cannot guess easily if it is encrpyted. Note: you can\n"
|
|
|
|
|
" cannot guess easily if it is encrpyted. Tip: you can\n"
|
|
|
|
|
" also have your own stunnel spawn x11vnc in -inetd mode\n"
|
|
|
|
|
" (i.e. bypassing inetd). See the FAQ.\n"
|
|
|
|
|
" (i.e. bypassing inetd). See the FAQ for details.\n"
|
|
|
|
|
"\n"
|
|
|
|
|
" The user names in the comma separated [list] can have\n"
|
|
|
|
|
" per-user options after a \":\", e.g. \"fred:opts\"\n"
|
|
|
|
@ -521,17 +532,84 @@ void print_help(int mode) {
|
|
|
|
|
" other environment. All of the -unixpw options and\n"
|
|
|
|
|
" contraints apply.\n"
|
|
|
|
|
"\n"
|
|
|
|
|
"-stunnel [pem] Use the stunnel(1) (www.stunnel.org) to provide\n"
|
|
|
|
|
"-ssl [pem] Use the openssl library (www.openssl.org) to provide a\n"
|
|
|
|
|
" built-in encrypted SSL tunnel between VNC viewers and\n"
|
|
|
|
|
" x11vnc. This requires libssl support to be compiled\n"
|
|
|
|
|
" into x11vnc at build time. If x11vnc is not built\n"
|
|
|
|
|
" with libssl support it will exit immediately when -ssl\n"
|
|
|
|
|
" is prescribed.\n"
|
|
|
|
|
"\n"
|
|
|
|
|
" [pem] is optional, use \"-ssl /path/to/mycert.pem\" to\n"
|
|
|
|
|
" specify a PEM certificate file to use to identify and\n"
|
|
|
|
|
" provide a key for this server.\n"
|
|
|
|
|
"\n"
|
|
|
|
|
" Connecting VNC viewer SSL tunnels can authenticate\n"
|
|
|
|
|
" this server if they have the public key part of the\n"
|
|
|
|
|
" certificate (or a common certificate authority, CA,\n"
|
|
|
|
|
" verifies this server's cert). This is used to prevent\n"
|
|
|
|
|
" man-in-the-middle attacks. Otherwise, if the VNC viewer\n"
|
|
|
|
|
" accepts this server's key without verification, at\n"
|
|
|
|
|
" least the traffic is protected from passive sniffing\n"
|
|
|
|
|
" on the network.\n"
|
|
|
|
|
"\n"
|
|
|
|
|
" If [pem] is not supplied and the openssl(1) utility\n"
|
|
|
|
|
" command exists in PATH, then a temporary, self-signed\n"
|
|
|
|
|
" certificate will be generated for this session (this\n"
|
|
|
|
|
" may take 5-20 seconds on slow machines). If openssl(1)\n"
|
|
|
|
|
" cannot be used to generate a temporary certificate\n"
|
|
|
|
|
" x11vnc exits immediately.\n"
|
|
|
|
|
"\n"
|
|
|
|
|
" If successful in using openssl(1) to generate a\n"
|
|
|
|
|
" certificate, the public part of it will be displayed\n"
|
|
|
|
|
" to stdout (e.g. one could copy it to the client-side\n"
|
|
|
|
|
" to provide authentication of the server to VNC viewers.)\n"
|
|
|
|
|
"\n"
|
|
|
|
|
" Set the env. var. X11VNC_SHOW_TMP_PEM=1 to have x11vnc\n"
|
|
|
|
|
" print out the entire certificate, including the PRIVATE\n"
|
|
|
|
|
" KEY part, to stderr. One could reuse this cert if saved\n"
|
|
|
|
|
" in a [pem] file. Similarly, set X11VNC_KEEP_TMP_PEM=1\n"
|
|
|
|
|
" to not delete the temporary PEM file: the file name\n"
|
|
|
|
|
" will be printed to stderr (so one could move it to a\n"
|
|
|
|
|
" safe place for reuse).\n"
|
|
|
|
|
"\n"
|
|
|
|
|
" Reverse connections are disabled in -ssl\n"
|
|
|
|
|
" mode because the data cannot be encrypted.\n"
|
|
|
|
|
" Set X11VNC_SSL_ALLOW_REVERSE=1 to override this.\n"
|
|
|
|
|
"\n"
|
|
|
|
|
" Your VNC viewer will also need to be able to connect\n"
|
|
|
|
|
" via SSL. See the discussion below under -stunnel and\n"
|
|
|
|
|
" the FAQ for how this might be achieved. E.g. on Unix it\n"
|
|
|
|
|
" is easy to write a shell script that starts up stunnel\n"
|
|
|
|
|
" and then vncviewer.\n"
|
|
|
|
|
"\n"
|
|
|
|
|
"-sslverify [path] For either of the -ssl or -stunnel modes, use [path]\n"
|
|
|
|
|
" to provide certificates to authenticate incoming VNC\n"
|
|
|
|
|
" client connections. This can be used as a method to\n"
|
|
|
|
|
" replace standard password authentication.\n"
|
|
|
|
|
"\n"
|
|
|
|
|
" If [path] is a directory it contains the client (or CA)\n"
|
|
|
|
|
" certificates in separate files. If [path] is a file, it\n"
|
|
|
|
|
" contains multiple certificates. These correspond to the\n"
|
|
|
|
|
" \"CApath = dir\" and \"CAfile = file\" stunnel options.\n"
|
|
|
|
|
" See the stunnel(8) manpage for details.\n"
|
|
|
|
|
"\n"
|
|
|
|
|
" To create certificates for all sorts of authentications\n"
|
|
|
|
|
" (clients, servers, via CA, etc) see the openssl(1)\n"
|
|
|
|
|
" command. Of particular usefulness is the x509\n"
|
|
|
|
|
" subcommand of openssl(1).\n"
|
|
|
|
|
"\n"
|
|
|
|
|
"-stunnel [pem] Use the stunnel(8) (www.stunnel.org) to provide\n"
|
|
|
|
|
" an encrypted SSL tunnel between viewers and x11vnc.\n"
|
|
|
|
|
" This requires stunnel to be installed on the system and\n"
|
|
|
|
|
" available via PATH (n.b. stunnel is often installed in\n"
|
|
|
|
|
" sbin directories). Version 4.x of stunnel is assumed;\n"
|
|
|
|
|
" see -stunnel3 below.\n"
|
|
|
|
|
" sbin directories). Version 4.x of stunnel is assumed\n"
|
|
|
|
|
" (but see -stunnel3 below.)\n"
|
|
|
|
|
"\n"
|
|
|
|
|
" [pem] is optional, use \"-stunnel /path/to/stunnel.pem\"\n"
|
|
|
|
|
" to specify a PEM certificate file to pass to stunnel.\n"
|
|
|
|
|
" Whether one is needed or not depends on your stunnel\n"
|
|
|
|
|
" configuration.\n"
|
|
|
|
|
" configuration. stunnel often generates one at install\n"
|
|
|
|
|
" time.\n"
|
|
|
|
|
"\n"
|
|
|
|
|
" stunnel is started up as a child process of x11vnc and\n"
|
|
|
|
|
" any SSL connections stunnel receives are decrypted and\n"
|
|
|
|
@ -543,14 +621,15 @@ void print_help(int mode) {
|
|
|
|
|
" avoid people routing around the SSL channel. Set\n"
|
|
|
|
|
" STUNNEL_DISABLE_LOCALHOST=1 to disable the requirement.\n"
|
|
|
|
|
"\n"
|
|
|
|
|
" Your VNC viewer will need to be able to connect via SSL.\n"
|
|
|
|
|
" Unfortunately not too many do this. UltraVNC seems to\n"
|
|
|
|
|
" have a SSL plugin. It is not too difficult to set up\n"
|
|
|
|
|
" an stunnel or other SSL tunnel on the viewer side.\n"
|
|
|
|
|
" Your VNC viewer will also need to be able to connect\n"
|
|
|
|
|
" via SSL. Unfortunately not too many do this. UltraVNC\n"
|
|
|
|
|
" seems to have an encryption plugin. It is not too\n"
|
|
|
|
|
" difficult to set up an stunnel or other SSL tunnel on\n"
|
|
|
|
|
" the viewer side.\n"
|
|
|
|
|
"\n"
|
|
|
|
|
" A simple example on Unix using stunnel 3.x is:\n"
|
|
|
|
|
"\n"
|
|
|
|
|
" %% stunnel -c -d localhost:5901 -r remote:5900\n"
|
|
|
|
|
" %% stunnel -c -d localhost:5901 -r remotehost:5900\n"
|
|
|
|
|
" %% vncviewer localhost:1\n"
|
|
|
|
|
"\n"
|
|
|
|
|
" For Windows, stunnel has been ported to it and there\n"
|
|
|
|
@ -2175,22 +2254,24 @@ void print_help(int mode) {
|
|
|
|
|
" debug_xdamage debug_wireframe nodebug_wireframe\n"
|
|
|
|
|
" debug_wireframe debug_scroll nodebug_scroll debug_scroll\n"
|
|
|
|
|
" debug_tiles dbt nodebug_tiles nodbt debug_tiles\n"
|
|
|
|
|
" debug_grabs nodebug_grabs dbg nodbg noremote\n"
|
|
|
|
|
" debug_grabs nodebug_grabs debug_sel nodebug_sel dbg\n"
|
|
|
|
|
" nodbg noremote\n"
|
|
|
|
|
"\n"
|
|
|
|
|
" aro= noop display vncdisplay desktopname guess_desktop\n"
|
|
|
|
|
" http_url auth xauth users rootshift clipshift\n"
|
|
|
|
|
" scale_str scaled_x scaled_y scale_numer scale_denom\n"
|
|
|
|
|
" scale_fac scaling_blend scaling_nomult4 scaling_pad\n"
|
|
|
|
|
" scaling_interpolate inetd privremote unsafe safer\n"
|
|
|
|
|
" nocmds passwdfile unixpw unixpw_nis unixpw_list stunnel\n"
|
|
|
|
|
" stunnel_pem using_shm logfile o flag rc norc h help\n"
|
|
|
|
|
" V version lastmod bg sigpipe threads readrate netrate\n"
|
|
|
|
|
" netlatency pipeinput clients client_count pid ext_xtest\n"
|
|
|
|
|
" ext_xtrap ext_xrecord ext_xkb ext_xshm ext_xinerama\n"
|
|
|
|
|
" ext_overlay ext_xfixes ext_xdamage ext_xrandr rootwin\n"
|
|
|
|
|
" num_buttons button_mask mouse_x mouse_y bpp depth\n"
|
|
|
|
|
" indexed_color dpy_x dpy_y wdpy_x wdpy_y off_x off_y\n"
|
|
|
|
|
" cdpy_x cdpy_y coff_x coff_y rfbauth passwd viewpasswd\n"
|
|
|
|
|
" nocmds passwdfile unixpw unixpw_nis unixpw_list ssl\n"
|
|
|
|
|
" ssl_pem sslverify stunnel stunnel_pem usepw using_shm\n"
|
|
|
|
|
" logfile o flag rc norc h help V version lastmod bg\n"
|
|
|
|
|
" sigpipe threads readrate netrate netlatency pipeinput\n"
|
|
|
|
|
" clients client_count pid ext_xtest ext_xtrap ext_xrecord\n"
|
|
|
|
|
" ext_xkb ext_xshm ext_xinerama ext_overlay ext_xfixes\n"
|
|
|
|
|
" ext_xdamage ext_xrandr rootwin num_buttons button_mask\n"
|
|
|
|
|
" mouse_x mouse_y bpp depth indexed_color dpy_x dpy_y\n"
|
|
|
|
|
" wdpy_x wdpy_y off_x off_y cdpy_x cdpy_y coff_x coff_y\n"
|
|
|
|
|
" rfbauth passwd viewpasswd\n"
|
|
|
|
|
"\n"
|
|
|
|
|
"-QD variable Just like -query variable, but returns the default\n"
|
|
|
|
|
" value for that parameter (no running x11vnc server\n"
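Review bot: The new -ssl help text says X11VNC_SHOW_TMP_PEM=1 prints the entire temporary certificate, including the private key, to stderr, but it never warns that stderr is often captured (for example by -o logfile or a startup wrapper), which leaves the key readable by anyone who can read that output. I would follow that paragraph with a line such as `" Note: anything that captures stderr (e.g. -o logfile) will then hold the private key.\n"`, and add a matching remark for X11VNC_KEEP_TMP_PEM=1 that the retained PEM file should be readable only by its owner. Separately, in the -unixpw hunk the line `" XXX -inetd + -ssl\n"` looks like a leftover developer marker; the +/- column is lost on this page, so I am inferring that it is on the new side. It sits in the paragraph telling administrators how clear-text Unix passwords are prevented, so it should either be replaced by a sentence stating how -inetd and -ssl actually interact or be dropped. The help[] literal in print_help starts and ends outside the visible hunks.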
|
|
|
|
|