|
|
@ -1,8 +1,8 @@
|
|
|
|
.\" This file was automatically generated from x11vnc -help output.
|
|
|
|
.\" This file was automatically generated from x11vnc -help output.
|
|
|
|
.TH X11VNC "1" "July 2009" "x11vnc " "User Commands"
|
|
|
|
.TH X11VNC "1" "August 2009" "x11vnc " "User Commands"
|
|
|
|
.SH NAME
|
|
|
|
.SH NAME
|
|
|
|
x11vnc - allow VNC connections to real X11 displays
|
|
|
|
x11vnc - allow VNC connections to real X11 displays
|
|
|
|
version: 0.9.9, lastmod: 2009-07-11
|
|
|
|
version: 0.9.9, lastmod: 2009-08-10
|
|
|
|
.SH SYNOPSIS
|
|
|
|
.SH SYNOPSIS
|
|
|
|
.B x11vnc
|
|
|
|
.B x11vnc
|
|
|
|
[OPTION]...
|
|
|
|
[OPTION]...
|
|
|
@ -347,8 +347,8 @@ is needed for the latter, feel free to ask).
|
|
|
|
\fB-scale\fR \fIfraction\fR
|
|
|
|
\fB-scale\fR \fIfraction\fR
|
|
|
|
.IP
|
|
|
|
.IP
|
|
|
|
Scale the framebuffer by factor \fIfraction\fR. Values
|
|
|
|
Scale the framebuffer by factor \fIfraction\fR. Values
|
|
|
|
less than 1 shrink the fb, larger ones expand it. Note:
|
|
|
|
less than 1 shrink the fb, larger ones expand it. Note:
|
|
|
|
image may not be sharp and response may be slower.
|
|
|
|
the image may not be sharp and response may be slower.
|
|
|
|
If \fIfraction\fR contains a decimal point "." it
|
|
|
|
If \fIfraction\fR contains a decimal point "." it
|
|
|
|
is taken as a floating point number, alternatively
|
|
|
|
is taken as a floating point number, alternatively
|
|
|
|
the notation "m/n" may be used to denote fractions
|
|
|
|
the notation "m/n" may be used to denote fractions
|
|
|
@ -568,7 +568,7 @@ is running as root (e.g. via
|
|
|
|
Repeater mode: Some services provide an intermediate
|
|
|
|
Repeater mode: Some services provide an intermediate
|
|
|
|
"vnc repeater": http://www.uvnc.com/addons/repeater.html
|
|
|
|
"vnc repeater": http://www.uvnc.com/addons/repeater.html
|
|
|
|
(and also http://koti.mbnet.fi/jtko/ for linux port)
|
|
|
|
(and also http://koti.mbnet.fi/jtko/ for linux port)
|
|
|
|
that acts as a proxy / gateway. Modes like these require
|
|
|
|
that acts as a proxy/gateway. Modes like these require
|
|
|
|
an initial string to be sent for the reverse connection
|
|
|
|
an initial string to be sent for the reverse connection
|
|
|
|
before the VNC protocol is started. Here are the ways
|
|
|
|
before the VNC protocol is started. Here are the ways
|
|
|
|
to do this:
|
|
|
|
to do this:
|
|
|
@ -871,14 +871,14 @@ full-access passwords)
|
|
|
|
\fB-unixpw\fR \fI[list]\fR
|
|
|
|
\fB-unixpw\fR \fI[list]\fR
|
|
|
|
.IP
|
|
|
|
.IP
|
|
|
|
Use Unix username and password authentication. x11vnc
|
|
|
|
Use Unix username and password authentication. x11vnc
|
|
|
|
uses the
|
|
|
|
will use the
|
|
|
|
.IR su (1)
|
|
|
|
.IR su (1)
|
|
|
|
program to verify the user's password.
|
|
|
|
program to verify the user's
|
|
|
|
[list] is an optional comma separated list of allowed
|
|
|
|
password. [list] is an optional comma separated list
|
|
|
|
Unix usernames. If the [list] string begins with the
|
|
|
|
of allowed Unix usernames. If the [list] string begins
|
|
|
|
character "!" then the entire list is taken as an
|
|
|
|
with the character "!" then the entire list is taken
|
|
|
|
exclude list. See below for per-user options that can
|
|
|
|
as an exclude list. See below for per-user options
|
|
|
|
be applied.
|
|
|
|
that can be applied.
|
|
|
|
.IP
|
|
|
|
.IP
|
|
|
|
A familiar "login:" and "Password:" dialog is
|
|
|
|
A familiar "login:" and "Password:" dialog is
|
|
|
|
presented to the user on a black screen inside the
|
|
|
|
presented to the user on a black screen inside the
|
|
|
@ -896,8 +896,9 @@ Since the detailed behavior of
|
|
|
|
.IR su (1)
|
|
|
|
.IR su (1)
|
|
|
|
can vary from
|
|
|
|
can vary from
|
|
|
|
OS to OS and for local configurations, test the mode
|
|
|
|
OS to OS and for local configurations, test the mode
|
|
|
|
carefully. x11vnc will attempt to be conservative and
|
|
|
|
before deployment to make sure it is working properly.
|
|
|
|
reject a login if anything abnormal occurs.
|
|
|
|
x11vnc will attempt to be conservative and reject a
|
|
|
|
|
|
|
|
login if anything abnormal occurs.
|
|
|
|
.IP
|
|
|
|
.IP
|
|
|
|
One case to note: FreeBSD and the other BSD's by
|
|
|
|
One case to note: FreeBSD and the other BSD's by
|
|
|
|
default it is impossible for the user running x11vnc to
|
|
|
|
default it is impossible for the user running x11vnc to
|
|
|
@ -932,7 +933,7 @@ Method 2) requires the viewer connection to appear
|
|
|
|
to come from the same machine x11vnc is running on
|
|
|
|
to come from the same machine x11vnc is running on
|
|
|
|
(e.g. from a ssh \fB-L\fR port redirection). And that the
|
|
|
|
(e.g. from a ssh \fB-L\fR port redirection). And that the
|
|
|
|
\fB-stunnel\fR SSL mode be used for encryption over the
|
|
|
|
\fB-stunnel\fR SSL mode be used for encryption over the
|
|
|
|
network.(see the description of \fB-stunnel\fR below).
|
|
|
|
network. (see the description of \fB-stunnel\fR below).
|
|
|
|
.IP
|
|
|
|
.IP
|
|
|
|
Note: as a convenience, if you
|
|
|
|
Note: as a convenience, if you
|
|
|
|
.IR ssh (1)
|
|
|
|
.IR ssh (1)
|
|
|
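Review bot: The corrected line still leaves a lowercase parenthetical standing as its own sentence after the period, "network. (see the description of \fB-stunnel\fR below)."; either fold it into the preceding sentence as "network (see the description of \fB-stunnel\fR below)." or capitalize "See" and move the final period inside the parenthesis, which would also match the "network.)" form used in the UNIXPW_DISABLE_LOCALHOST paragraph.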
@ -966,7 +967,7 @@ local connections from that machine are accepted).
|
|
|
|
Set UNIXPW_DISABLE_LOCALHOST=1 to disable the \fB-localhost\fR
|
|
|
|
Set UNIXPW_DISABLE_LOCALHOST=1 to disable the \fB-localhost\fR
|
|
|
|
requirement in Method 2). One should never do this
|
|
|
|
requirement in Method 2). One should never do this
|
|
|
|
(i.e. allow the Unix passwords to be sniffed on the
|
|
|
|
(i.e. allow the Unix passwords to be sniffed on the
|
|
|
|
network).
|
|
|
|
network.)
|
|
|
|
.IP
|
|
|
|
.IP
|
|
|
|
Regarding reverse connections (e.g. \fB-R\fR connect:host
|
|
|
|
Regarding reverse connections (e.g. \fB-R\fR connect:host
|
|
|
|
and \fB-connect\fR host), when the \fB-localhost\fR constraint is
|
|
|
|
and \fB-connect\fR host), when the \fB-localhost\fR constraint is
|
|
|
@ -984,7 +985,7 @@ Tip: you can also have your own stunnel spawn x11vnc
|
|
|
|
in \fB-inetd\fR mode (thereby bypassing inetd). See the FAQ
|
|
|
|
in \fB-inetd\fR mode (thereby bypassing inetd). See the FAQ
|
|
|
|
for details.
|
|
|
|
for details.
|
|
|
|
.IP
|
|
|
|
.IP
|
|
|
|
The user names in the comma separated [list] can have
|
|
|
|
The user names in the comma separated [list] may have
|
|
|
|
per-user options after a ":", e.g. "fred:opts"
|
|
|
|
per-user options after a ":", e.g. "fred:opts"
|
|
|
|
where "opts" is a "+" separated list of
|
|
|
|
where "opts" is a "+" separated list of
|
|
|
|
"viewonly", "fullaccess", "input=XXXX", or
|
|
|
|
"viewonly", "fullaccess", "input=XXXX", or
|
|
|
@ -992,13 +993,13 @@ where "opts" is a "+" separated list of
|
|
|
|
For "input=" it is the K,M,B,C described under \fB-input.\fR
|
|
|
|
For "input=" it is the K,M,B,C described under \fB-input.\fR
|
|
|
|
.IP
|
|
|
|
.IP
|
|
|
|
If an item in the list is "*" that means those
|
|
|
|
If an item in the list is "*" that means those
|
|
|
|
options apply to all users. It also means all users
|
|
|
|
options apply to all users. It ALSO implies all users
|
|
|
|
are allowed to log in after supplying a valid password.
|
|
|
|
are allowed to log in after supplying a valid password.
|
|
|
|
Use "deny" to explicitly deny some users if you use
|
|
|
|
Use "deny" to explicitly deny some users if you use
|
|
|
|
"*" to set a global option. If [list] begins with
|
|
|
|
"*" to set a global option. If [list] begins with the
|
|
|
|
the "!" character then "*" is ignored for checking
|
|
|
|
"!" character then "*" is ignored for checking if
|
|
|
|
if the user is allowed, but the any value of options
|
|
|
|
the user is allowed, but the option values associated
|
|
|
|
associated with it does apply as normal.
|
|
|
|
with it do apply as normal.
|
|
|
|
.IP
|
|
|
|
.IP
|
|
|
|
There are also some utilities for testing password
|
|
|
|
There are also some utilities for testing password
|
|
|
|
if [list] starts with the "%" character. See the
|
|
|
|
if [list] starts with the "%" character. See the
|
|
|
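Review bot: The reworded "*" paragraph states that a global-options item also admits every user who supplies a valid password and points to "deny" as the remedy, but nothing in these lines shows a [list] string that combines the two. Because this is an access-control default that is easy to get wrong, add one concrete example next to this paragraph showing "*" with global options plus an explicitly denied user, and say which entry wins when a user matches both.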
@ -1032,18 +1033,27 @@ user can authenticate ANY user.
|
|
|
|
NIS is not required for this mode to work (only that
|
|
|
|
NIS is not required for this mode to work (only that
|
|
|
|
.IR getpwnam (3)
|
|
|
|
.IR getpwnam (3)
|
|
|
|
return the encrypted password is required),
|
|
|
|
return the encrypted password is required),
|
|
|
|
but it is unlikely it will work for any most modern
|
|
|
|
but it is unlikely it will work (as an ordinary user)
|
|
|
|
environments unless x11vnc is run as root to be able
|
|
|
|
for most modern environments unless NIS is available.
|
|
|
|
to access /etc/shadow (note running as root is often
|
|
|
|
On the other hand, when x11vnc is run as root it will
|
|
|
|
done when running x11vnc from inetd and xdm/gdm/kdm).
|
|
|
|
be able to to access /etc/shadow even if NIS is not
|
|
|
|
|
|
|
|
available (note running as root is often done when
|
|
|
|
|
|
|
|
running x11vnc from inetd and xdm/gdm/kdm).
|
|
|
|
.IP
|
|
|
|
.IP
|
|
|
|
Looked at another way, if you do not want to use the
|
|
|
|
Looked at another way, if you do not want to use the
|
|
|
|
.IR su (1)
|
|
|
|
.IR su (1)
|
|
|
|
method provided by \fB-unixpw,\fR you can run x11vnc
|
|
|
|
method provided by \fB-unixpw\fR (i.e. su_verify()), you
|
|
|
|
as root and use \fB-unixpw_nis.\fR Any users with passwords
|
|
|
|
can run x11vnc as root and use \fB-unixpw_nis.\fR Any users
|
|
|
|
in /etc/shadow can then be authenticated. You may want
|
|
|
|
with passwords in /etc/shadow can then be authenticated.
|
|
|
|
to use \fB-users\fR unixpw= to switch the process user after
|
|
|
|
.IP
|
|
|
|
the user logs in.
|
|
|
|
In \fB-unixpw_nis\fR mode, under no circumstances is x11vnc's
|
|
|
|
|
|
|
|
user password verifying function based on su called
|
|
|
|
|
|
|
|
(i.e. the function su_verify() that runs /bin/su
|
|
|
|
|
|
|
|
in a pseudoterminal to verify passwords.) However,
|
|
|
|
|
|
|
|
if \fB-unixpw_nis\fR is used in conjunction with the \fB-find\fR
|
|
|
|
|
|
|
|
and \fB-create\fR \fB-display\fR WAIT:... modes then, if x11vnc is
|
|
|
|
|
|
|
|
running as root, /bin/su may be called externally to
|
|
|
|
|
|
|
|
run the find or create commands.
|
|
|
|
.PP
|
|
|
|
.PP
|
|
|
|
\fB-unixpw_cmd\fR \fIcmd\fR
|
|
|
|
\fB-unixpw_cmd\fR \fIcmd\fR
|
|
|
|
.IP
|
|
|
|
.IP
|
|
|
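Review bot: The rewritten "Looked at another way" paragraph drops the old sentence "You may want to use \fB-users\fR unixpw= to switch the process user after the user logs in." while still telling readers to run x11vnc as root with \fB-unixpw_nis\fR; keep that privilege-dropping advice, or state why it no longer applies, so the root-run configuration is not documented without it. In the same hunk the added line "be able to to access /etc/shadow even if NIS is not" has a doubled "to". The new paragraph about /bin/su being called externally for \fB-find\fR and \fB-create\fR is a useful clarification, but it should say which user that external su runs the command as.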
@ -1051,18 +1061,66 @@ As \fB-unixpw\fR above, however do not use
|
|
|
|
.IR su (1)
|
|
|
|
.IR su (1)
|
|
|
|
but rather
|
|
|
|
but rather
|
|
|
|
run the externally supplied command \fIcmd\fR. The first
|
|
|
|
run the externally supplied command \fIcmd\fR. The first
|
|
|
|
line of its stdin will the username and the second line
|
|
|
|
line of its stdin will be the username and the second
|
|
|
|
the received password. If the command exits with status
|
|
|
|
line the received password. If the command exits
|
|
|
|
0 (success) the VNC client will be accepted. It will be
|
|
|
|
with status 0 (success) the VNC user will be accepted.
|
|
|
|
rejected for any other return status.
|
|
|
|
It will be rejected for any other return status.
|
|
|
|
.IP
|
|
|
|
.IP
|
|
|
|
Dynamic passwords and non-unix passwords can be
|
|
|
|
Dynamic passwords and non-unix passwords, e.g. LDAP,
|
|
|
|
implemented this way by providing your own custom helper
|
|
|
|
can be implemented this way by providing your own custom
|
|
|
|
program. Note that under unixpw mode the remote viewer
|
|
|
|
helper program. Note that the remote viewer is given 3
|
|
|
|
is given 3 tries to enter the correct password.
|
|
|
|
tries to enter the correct password, and so the program
|
|
|
|
.IP
|
|
|
|
may be called in a row that many (or more) times.
|
|
|
|
If a list of allowed users is needed use \fB-unixpw\fR [list]
|
|
|
|
.IP
|
|
|
|
in addition to this option.
|
|
|
|
If a list of allowed users is needed to limit who can
|
|
|
|
|
|
|
|
log in, use \fB-unixpw\fR [list] in addition to this option.
|
|
|
|
|
|
|
|
.IP
|
|
|
|
|
|
|
|
In FINDDISPLAY and FINDCREATEDISPLAY modes the \fIcmd\fR
|
|
|
|
|
|
|
|
will also be run with the RFB_UNIXPW_CMD_RUN env. var.
|
|
|
|
|
|
|
|
non-empty and set to the corresponding display
|
|
|
|
|
|
|
|
find/create command. The first two lines of input are
|
|
|
|
|
|
|
|
the username and passwd as in the normal case described
|
|
|
|
|
|
|
|
above. To support FINDDISPLAY and FINDCREATEDISPLAY,
|
|
|
|
|
|
|
|
\fIcmd\fR should run the requested command as the user
|
|
|
|
|
|
|
|
(and most likely refusing to run it if the password is
|
|
|
|
|
|
|
|
not correct.) Here is an example script (note it has
|
|
|
|
|
|
|
|
a hardwired bogus password "abc"!)
|
|
|
|
|
|
|
|
.IP
|
|
|
|
|
|
|
|
#!/bin/sh
|
|
|
|
|
|
|
|
# Example x11vnc \fB-unixpw_cmd\fR script.
|
|
|
|
|
|
|
|
# Read the first two lines of stdin (user and passwd)
|
|
|
|
|
|
|
|
read user
|
|
|
|
|
|
|
|
read pass
|
|
|
|
|
|
|
|
.IP
|
|
|
|
|
|
|
|
debug=0
|
|
|
|
|
|
|
|
if [ $debug = 1 ]; then
|
|
|
|
|
|
|
|
echo "user: $user" 1>&2
|
|
|
|
|
|
|
|
echo "pass: $pass" 1>&2
|
|
|
|
|
|
|
|
env | egrep \fB-i\fR 'rfb|vnc' 1>&2
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
.IP
|
|
|
|
|
|
|
|
# Check if the password is valid.
|
|
|
|
|
|
|
|
# (A real example would use ldap lookup, etc!)
|
|
|
|
|
|
|
|
if [ "X$pass" != "Xabc" ]; then
|
|
|
|
|
|
|
|
exit 1 # incorrect password
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
.IP
|
|
|
|
|
|
|
|
if [ "X$RFB_UNIXPW_CMD_RUN" = "X" ]; then
|
|
|
|
|
|
|
|
exit 0 # correct password
|
|
|
|
|
|
|
|
else
|
|
|
|
|
|
|
|
# Run the requested command (finddisplay)
|
|
|
|
|
|
|
|
if [ $debug = 1 ]; then
|
|
|
|
|
|
|
|
echo "run: $RFB_UNIXPW_CMD_RUN" 1>&2
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
exec /bin/su - "$user" \fB-c\fR "$RFB_UNIXPW_CMD_RUN"
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
.IP
|
|
|
|
|
|
|
|
In \fB-unixpw_cmd\fR mode, under no circumstances is x11vnc's
|
|
|
|
|
|
|
|
user password verifying function based on su called
|
|
|
|
|
|
|
|
(i.e. the function su_verify() that runs /bin/su in a
|
|
|
|
|
|
|
|
pseudoterminal to verify passwords.) It is up to the
|
|
|
|
|
|
|
|
supplied unixpw_cmd to do user switching if desired
|
|
|
|
|
|
|
|
and if it has the permissions to do so.
|
|
|
|
.PP
|
|
|
|
.PP
|
|
|
|
\fB-find\fR
|
|
|
|
\fB-find\fR
|
|
|
|
.IP
|
|
|
|
.IP
|
|
|
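Review bot: The example helper checks only the password and then hands the client-supplied name straight to su in the line exec /bin/su - "$user" \fB-c\fR "$RFB_UNIXPW_CMD_RUN", so any username is accepted and a name beginning with "-" would be parsed by su as an option; the example should validate the username (for instance against an allowed pattern or a lookup) before the exec, and the text should say so since readers will copy this script. The two reads, "read user" and "read pass", should be "IFS= read -r user" and "IFS= read -r pass", otherwise backslashes in a password are consumed and leading or trailing blanks are trimmed before the comparison. The debug branch writes the received password to stderr with echo "pass: $pass" 1>&2; either drop that line or add a comment that it must never be enabled outside testing. Minor wording: "may be called in a row that many (or more) times" would read better as "may be called that many times (or more) in succession".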
@ -1214,9 +1272,15 @@ xauthority data for the display. For example;
|
|
|
|
.IP
|
|
|
|
.IP
|
|
|
|
xauth extract - $DISPLAY"
|
|
|
|
xauth extract - $DISPLAY"
|
|
|
|
.IP
|
|
|
|
.IP
|
|
|
|
In the case of \fB-unixpw\fR (but not \fB-unixpw_nis),\fR then the
|
|
|
|
In the case of \fB-unixpw\fR (and \fB-unixpw_nis\fR only if x11vnc
|
|
|
|
cmd= command is run as the user who just authenticated
|
|
|
|
is running as root), then the cmd= command is run
|
|
|
|
via the login and password prompt.
|
|
|
|
as the user who just authenticated via the login and
|
|
|
|
|
|
|
|
password prompt.
|
|
|
|
|
|
|
|
.IP
|
|
|
|
|
|
|
|
In the case of \fB-unixpw_cmd,\fR the commands will also be
|
|
|
|
|
|
|
|
run as the logged-in user, as long as the user-supplied
|
|
|
|
|
|
|
|
helper program supports RFB_UNIXPW_CMD_RUN (see the
|
|
|
|
|
|
|
|
\fB-unixpw_cmd\fR option.)
|
|
|
|
.IP
|
|
|
|
.IP
|
|
|
|
Also in the case of \fB-unixpw,\fR the user logging in can
|
|
|
|
Also in the case of \fB-unixpw,\fR the user logging in can
|
|
|
|
place a colon at the end of her username and supply
|
|
|
|
place a colon at the end of her username and supply
|
|
|
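Review bot: The new \fB-unixpw_cmd\fR paragraph says the commands "will also be run as the logged-in user, as long as the user-supplied helper program supports RFB_UNIXPW_CMD_RUN", but it does not say what happens when the helper ignores that variable and simply exits 0, nor does it repeat the condition from the \fB-unixpw_cmd\fR section that the helper must have permission to switch users. Please state the failure behaviour (is the find/create step treated as failed, or is the client still accepted?) and qualify "as the logged-in user" with that permission requirement. For the \fB-unixpw_nis\fR change, "only if x11vnc is running as root" is clear, but the non-root case should say explicitly which user the cmd= command then runs as.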
@ -5827,7 +5891,7 @@ max time in ms to wait for RFB client
|
|
|
|
\fB-rfbauth\fR \fIpasswd-file\fR
|
|
|
|
\fB-rfbauth\fR \fIpasswd-file\fR
|
|
|
|
.IP
|
|
|
|
.IP
|
|
|
|
use authentication on RFB protocol
|
|
|
|
use authentication on RFB protocol
|
|
|
|
(use 'storepasswd' to create a password file)
|
|
|
|
(use 'x11vnc \fB-storepasswd\fR pass file' to create a password file)
|
|
|
|
.PP
|
|
|
|
.PP
|
|
|
|
\fB-rfbversion\fR \fI3.x\fR
|
|
|
|
\fB-rfbversion\fR \fI3.x\fR
|
|
|
|
.IP
|
|
|
|
.IP
|
|
|
|
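Review bot: The replacement text "use 'x11vnc \fB-storepasswd\fR pass file' to create a password file" documents only the form that puts the password on the command line, where it can end up in shell history and be visible in process listings while the command runs. If a form that prompts for the password exists, document that one here instead or alongside, and note that the resulting file should be readable only by the user running x11vnc.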