author | runge <runge> | 2006-03-28 05:43:04 +0000 |
committer | runge <runge> | 2006-03-28 05:43:04 +0000 |
commit | 5920dc18d75a53690ed8690867f501c51595daf1 (patch) | |
tree | 4f2eb03ac80b27ba03dedaa1a4b32640703b3d02 /x11vnc/help.c | |
parent | 10c61b53c275f125432fa20d8348aafcfed2bf93 (diff) | |
download | libtdevnc-5920dc18d75a53690ed8690867f501c51595daf1.tar.gz libtdevnc-5920dc18d75a53690ed8690867f501c51595daf1.zip |
SSL patch for Java viewer. https support for x11vnc.
Diffstat (limited to 'x11vnc/help.c')
-rw-r--r-- | x11vnc/help.c | 260 |
1 files changed, 156 insertions, 104 deletions
diff --git a/x11vnc/help.c b/x11vnc/help.c
index 81e5f46..544d26b 100644
--- a/x11vnc/help.c
+++ b/x11vnc/help.c
@@ -19,6 +19,8 @@ void print_help(int mode) {
 "\n"
 "x11vnc: allow VNC connections to real X11 displays. %s\n"
 "\n"
+"(type \"x11vnc -opts\" to just list the options.)\n"
+"\n"
 "Typical usage is:\n"
 "\n"
 " Run this command in a shell on the remote machine \"far-host\"\n"
@@ -423,20 +425,22 @@ void print_help(int mode) {
 " send one before a 25 second timeout. Existing clients\n"
 " are view-only during this period.\n"
 "\n"
-" Since the detailed behavior of su(1) can vary from OS\n"
-" to OS and for local configurations, please test the mode\n"
+" Since the detailed behavior of su(1) can vary from\n"
+" OS to OS and for local configurations, test the mode\n"
 " carefully on your systems before using it in production.\n"
-" E.g. try different combinations of valid/invalid\n"
-" usernames and valid/invalid passwords to see if it\n"
-" behaves correctly. x11vnc will be conservative and\n"
-" reject a user if anything abnormal occurs.\n"
-" \n"
-" For example, on FreeBSD and the other BSD's by default\n"
-" it is impossible for the user running x11vnc to validate\n"
-" his *own* password via su(1) (evidently commenting\n"
-" out the pam_self.so entry in /etc/pam.d/su eliminates\n"
-" the problem). So the x11vnc login will always fail for\n"
-" this case. A possible workaround would be to start\n"
+" Test different combinations of valid/invalid usernames\n"
+" and valid/invalid passwords to see if it behaves as\n"
+" expected. x11vnc will attempt to be conservative and\n"
+" reject a login if anything abnormal occurs.\n"
+"\n"
+" On FreeBSD and the other BSD's by default it is\n"
+" impossible for the user running x11vnc to validate\n"
+" his *own* password via su(1) (evidently commenting out\n"
+" the pam_self.so entry in /etc/pam.d/su eliminates this\n"
+" problem). So the x11vnc login will always *fail* for\n"
+" this case (even when the correct password is supplied).\n"
+"\n"
+" A possible workaround for this would be to start\n"
 " x11vnc as root with the \"-users +nobody\" option to\n"
 " immediately switch to user nobody. Another source of\n"
 " problems are PAM modules that prompt for extra info,\n"
@@ -459,48 +463,50 @@ void print_help(int mode) {
 " -stunnel SSL mode be used for encryption over the\n"
 " network.(see the description of -stunnel below).\n"
 "\n"
-" As a convenience, if you ssh(1) in and start x11vnc it\n"
-" will check if the environment variable SSH_CONNECTION\n"
-" is set and appears reasonable. If it does, then the\n"
-" -ssl or -stunnel requirement will be dropped since it is\n"
-" assumed you are using ssh for the encrypted tunnelling.\n"
-" -localhost is still enforced. Use -ssl or -stunnel to\n"
-" force SSL usage for this case.\n"
+" Note: as a convenience, if you ssh(1) in and start\n"
+" x11vnc it will check if the environment variable\n"
+" SSH_CONNECTION is set and appears reasonable. If it\n"
+" does, then the -ssl or -stunnel requirement will be\n"
+" dropped since it is assumed you are using ssh for the\n"
+" encrypted tunnelling. -localhost is still enforced.\n"
+" Use -ssl or -stunnel to force SSL usage even if\n"
+" SSH_CONNECTION is set.\n"
 "\n"
-" To override these restrictions you can set environment\n"
-" variables before starting x11vnc:\n"
+" To override the above restrictions you can set\n"
+" environment variables before starting x11vnc:\n"
 "\n"
 " Set UNIXPW_DISABLE_SSL=1 to disable requiring either\n"
 " -ssl or -stunnel. Evidently you will be using a\n"
 " different method to encrypt the data between the\n"
-" vncviewer and x11vnc: e.g. ssh(1) or a VPN. Note that\n"
-" use of -localhost with ssh(1) is roughly the same as\n"
-" requiring a Unix user login (since a Unix password or\n"
-" the user's public key authentication is used by sshd on\n"
-" the machine where x11vnc runs and only local connections\n"
-" are accepted)\n"
+" vncviewer and x11vnc: perhaps ssh(1) or an IPSEC VPN.\n"
+"\n"
+" Note that use of -localhost with ssh(1) is roughly\n"
+" the same as requiring a Unix user login (since a Unix\n"
+" password or the user's public key authentication is\n"
+" used by sshd on the machine where x11vnc runs and only\n"
+" local connections from that machine are accepted)\n"
 "\n"
 " Set UNIXPW_DISABLE_LOCALHOST=1 to disable the -localhost\n"
 " requirement in Method 2). One should never do this\n"
 " (i.e. allow the Unix passwords to be sniffed on the\n"
 " network).\n"
 "\n"
-" Regarding reverse connections (e.g. -R connect:host),\n"
-" if the -localhost constraint is in effect then reverse\n"
-" connections can only be used to connect to the same\n"
-" machine x11vnc is running on (default port 5500).\n"
-" Please use a ssh or stunnel port redirection to the\n"
-" viewer machine to tunnel the reverse connection over\n"
-" an encrypted channel. Note that in -ssl mode reverse\n"
-" connection are disabled.\n"
-"\n"
-" XXX -inetd + -ssl\n"
-" In -inetd mode the two settings are attempted to be\n"
-" enforced for reverse connections. Be sure to also\n"
-" use encryption from the viewer to inetd since x11vnc\n"
-" cannot guess easily if it is encrpyted. Tip: you can\n"
-" also have your own stunnel spawn x11vnc in -inetd mode\n"
-" (i.e. bypassing inetd). See the FAQ for details.\n"
+" Regarding reverse connections (e.g. -R connect:host\n"
+" and -connect host), when the -localhost constraint is\n"
+" in effect then reverse connections can only be used\n"
+" to connect to the same machine x11vnc is running on\n"
+" (default port 5500). Please use a ssh or stunnel port\n"
+" redirection to the viewer machine to tunnel the reverse\n"
+" connection over an encrypted channel. Note that in -ssl\n"
+" mode reverse connection are disabled (see below).\n"
+"\n"
+" In -inetd mode the Method 1) will be enforced (not\n"
+" Method 2). With -ssl in effect reverse connections\n"
+" are disabled. If you override this via env. var, be\n"
+" sure to also use encryption from the viewer to inetd.\n"
+" Tip: you can also have your own stunnel spawn x11vnc\n"
+" in -inetd mode (thereby bypassing inetd). See the FAQ\n"
+" for details.\n"
 "\n"
 " The user names in the comma separated [list] can have\n"
 " per-user options after a \":\", e.g. \"fred:opts\"\n"
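Review bot: The new -inetd paragraph says `" are disabled. If you override this via env. var, be\n"` without naming the variable, so a reader of this section cannot tell which override is meant; the -ssl text elsewhere in this commit names it as X11VNC_SSL_ALLOW_REVERSE=1. Suggest `" are disabled. If you override this via the env. var\n"`, `" X11VNC_SSL_ALLOW_REVERSE=1 (see -ssl below), be\n"`, `" sure to also use encryption from the viewer to inetd.\n"`. The print_help() string this hunk edits begins and ends outside the hunk.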
@@ -515,22 +521,24 @@ void print_help(int mode) {
 " Use \"deny\" to explicitly deny some users if you use\n"
 " \"*\" to set a global option.\n"
 "\n"
-" There are also some tools for testing password if [list]\n"
-" starts with the \"%\" character. See the quick_pw()\n"
-" function for details.\n"
+" There are also some utilities for testing password\n"
+" if [list] starts with the \"%\" character. See the\n"
+" quick_pw() function in the source for details.\n"
 "\n"
 "-unixpw_nis [list] As -unixpw above, however do not use su(1) but rather\n"
-" use the traditional getpwnam(3) + crypt(3) method\n"
-" instead. This requires that the encrpyted passwords\n"
-" be readable. Passwords stored in /etc/shadow will\n"
-" be inaccessible unless run as root. This is called\n"
-" \"NIS\" mode simply because in most NIS setups the\n"
-" user encrypted passwords are accessible (e.g. \"ypcat\n"
-" passwd\"). NIS is not required for this mode to work\n"
-" (only that getpwnam(3) return the encrpyted password\n"
-" is required), but it is unlikely it will work for any\n"
-" other environment. All of the -unixpw options and\n"
-" contraints apply.\n"
+" use the traditional getpwnam(3) + crypt(3) method to\n"
+" verify passwords instead. This requires that the\n"
+" encrpyted passwords be readable. Passwords stored\n"
+" in /etc/shadow will be inaccessible unless x11vnc\n"
+" is run as root.\n"
+"\n"
+" This is called \"NIS\" mode simply because in most\n"
+" NIS setups the user encrypted passwords are accessible\n"
+" (e.g. \"ypcat passwd\"). NIS is not required for this\n"
+" mode to work (only that getpwnam(3) return the encrpyted\n"
+" password is required), but it is unlikely it will work\n"
+" for any other modern environment. All of the -unixpw\n"
+" options and contraints apply.\n"
 "\n"
 "-ssl [pem] Use the openssl library (www.openssl.org) to provide a\n"
 " built-in encrypted SSL tunnel between VNC viewers and\n"
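Review bot: The rewritten -unixpw_nis text keeps two spellings of `encrpyted` (`" encrpyted passwords be readable. Passwords stored\n"` and `" mode to work (only that getpwnam(3) return the encrpyted\n"`) and `contraints` in `" options and contraints apply.\n"`; these are user-facing help strings, so they should read `encrypted` and `constraints` while the lines are being touched. The same misspelling of `encrypted` appears once more in this commit, as `encrpytion` on the new -stunnel line in the -595 hunk. print_help()'s string begins and ends outside the hunk.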
@@ -539,30 +547,33 @@ void print_help(int mode) {
 " with libssl support it will exit immediately when -ssl\n"
 " is prescribed.\n"
 "\n"
-" [pem] is optional, use \"-ssl /path/to/mycert.pem\" to\n"
-" specify a PEM certificate file to use to identify and\n"
-" provide a key for this server.\n"
-"\n"
-" Connecting VNC viewer SSL tunnels can authenticate\n"
-" this server if they have the public key part of the\n"
-" certificate (or a common certificate authority, CA,\n"
-" verifies this server's cert). This is used to prevent\n"
-" man-in-the-middle attacks. Otherwise, if the VNC viewer\n"
-" accepts this server's key without verification, at\n"
-" least the traffic is protected from passive sniffing\n"
-" on the network.\n"
+" [pem] is optional, use \"-ssl /path/to/mycert.pem\"\n"
+" to specify a PEM certificate file to use to identify\n"
+" and provide a key for this server. See openssl(1)\n"
+" for what a PEM can be.\n"
+"\n"
+" Connecting VNC viewer SSL tunnels can optionally\n"
+" authenticate this server if they have the public\n"
+" key part of the certificate (or a common certificate\n"
+" authority, CA, is a more sophisicated way to verify\n"
+" this server's cert). This is used to prevent\n"
+" man-in-the-middle attacks. Otherwise, if the VNC\n"
+" viewer accepts this server's key without verification,\n"
+" at least the traffic is protected from passive sniffing\n"
+" on the network (but NOT from man-in-the-middle attacks).\n"
 "\n"
 " If [pem] is not supplied and the openssl(1) utility\n"
 " command exists in PATH, then a temporary, self-signed\n"
 " certificate will be generated for this session (this\n"
-" may take 5-20 seconds on slow machines). If openssl(1)\n"
+" may take 5-30 seconds on slow machines). If openssl(1)\n"
 " cannot be used to generate a temporary certificate\n"
 " x11vnc exits immediately.\n"
 "\n"
 " If successful in using openssl(1) to generate a\n"
-" certificate, the public part of it will be displayed\n"
-" to stdout (e.g. one could copy it to the client-side\n"
-" to provide authentication of the server to VNC viewers.)\n"
+" temporary certificate, the public part of it will be\n"
+" displayed to stderr (e.g. one could copy it to the\n"
+" client-side to provide authentication of the server to\n"
+" VNC viewers.)\n"
 "\n"
 " Set the env. var. X11VNC_SHOW_TMP_PEM=1 to have x11vnc\n"
 " print out the entire certificate, including the PRIVATE\n"
@@ -572,20 +583,23 @@ void print_help(int mode) {
 " will be printed to stderr (so one could move it to a\n"
 " safe place for reuse).\n"
 "\n"
-" Reverse connections are disabled in -ssl\n"
-" mode because the data cannot be encrypted.\n"
-" Set X11VNC_SSL_ALLOW_REVERSE=1 to override this.\n"
+" Reverse connections are disabled in -ssl mode because\n"
+" there is no way to ensure that data channel will\n"
+" be encrypted. Set X11VNC_SSL_ALLOW_REVERSE=1 to\n"
+" override this.\n"
 "\n"
 " Your VNC viewer will also need to be able to connect\n"
-" via SSL. See the discussion below under -stunnel and\n"
-" the FAQ for how this might be achieved. E.g. on Unix it\n"
-" is easy to write a shell script that starts up stunnel\n"
-" and then vncviewer.\n"
+" via SSL. See the discussion below under -stunnel\n"
+" and the FAQ for how this might be achieved. E.g. on\n"
+" Unix it is easy to write a shell script that starts up\n"
+" stunnel and then vncviewer. Also in the x11vnc source\n"
+" a SSL enabled Java VNC Viewer applet is provided in\n"
+" the classes/ssl directory.\n"
 "\n"
 "-sslverify [path] For either of the -ssl or -stunnel modes, use [path]\n"
 " to provide certificates to authenticate incoming VNC\n"
 " client connections. This can be used as a method to\n"
-" replace standard password authentication.\n"
+" replace standard password authentication of clients.\n"
 "\n"
 " If [path] is a directory it contains the client (or CA)\n"
 " certificates in separate files. If [path] is a file, it\n"
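Review bot: `sophisicated` in `" authority, CA, is a more sophisicated way to verify\n"` is a typo for `sophisticated`, and the rewritten parenthetical no longer reads as a sentence ("if they have the public key part of the certificate (or a common certificate authority, CA, is a more ... way to verify this server's cert)"). Suggest `" key part of the certificate (or, more robustly, if a\n"`, `" common certificate authority, CA, vouches for this\n"`, `" server's cert). This is used to prevent\n"`. The added "(but NOT from man-in-the-middle attacks)" qualifier is a useful clarification of the unverified-key case and should stay. print_help()'s string begins and ends outside the hunk.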
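Review bot: `" there is no way to ensure that data channel will\n"` in the reverse-connection paragraph is missing an article and should read `that the data channel`. In the same hunk, `" a SSL enabled Java VNC Viewer applet is provided in\n"` reads better as `an SSL-enabled`. Both are user-visible help strings; print_help()'s string begins and ends outside the hunk.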
@@ -595,37 +609,44 @@ void print_help(int mode) {
 "\n"
 " To create certificates for all sorts of authentications\n"
 " (clients, servers, via CA, etc) see the openssl(1)\n"
-" command. Of particular usefulness is the x509\n"
+" command. Of particular usefulness is the \"x509\"\n"
 " subcommand of openssl(1).\n"
 "\n"
-"-stunnel [pem] Use the stunnel(8) (www.stunnel.org) to provide\n"
-" an encrypted SSL tunnel between viewers and x11vnc.\n"
-" This requires stunnel to be installed on the system and\n"
-" available via PATH (n.b. stunnel is often installed in\n"
-" sbin directories). Version 4.x of stunnel is assumed\n"
-" (but see -stunnel3 below.)\n"
+"-stunnel [pem] Use the stunnel(8) (www.stunnel.org) to provide an\n"
+" encrypted SSL tunnel between viewers and x11vnc. This\n"
+" was implemented prior to the integrated -ssl encrpytion.\n"
+" It works well. This requires stunnel to be installed\n"
+" on the system and available via PATH (n.b. stunnel is\n"
+" often installed in sbin directories). Version 4.x of\n"
+" stunnel is assumed (but see -stunnel3 below.)\n"
 "\n"
 " [pem] is optional, use \"-stunnel /path/to/stunnel.pem\"\n"
 " to specify a PEM certificate file to pass to stunnel.\n"
 " Whether one is needed or not depends on your stunnel\n"
 " configuration. stunnel often generates one at install\n"
-" time.\n"
+" time. See the stunnel documentation for details.\n"
 "\n"
 " stunnel is started up as a child process of x11vnc and\n"
 " any SSL connections stunnel receives are decrypted and\n"
 " sent to x11vnc over a local socket. The strings\n"
 " \"The SSL VNC desktop is ...\" and \"SSLPORT=...\"\n"
-" are printed out at startup.\n"
+" are printed out at startup to indicate this.\n"
 "\n"
-" The -localhost option is enforced by default to\n"
-" avoid people routing around the SSL channel. Set\n"
-" STUNNEL_DISABLE_LOCALHOST=1 to disable the requirement.\n"
+" The -localhost option is enforced by default\n"
+" to avoid people routing around the SSL channel.\n"
+" Set STUNNEL_DISABLE_LOCALHOST=1 before starting x11vnc\n"
+" to disable the requirement.\n"
 "\n"
-" Your VNC viewer will also need to be able to connect\n"
-" via SSL. Unfortunately not too many do this. UltraVNC\n"
-" seems to have an encryption plugin. It is not too\n"
-" difficult to set up an stunnel or other SSL tunnel on\n"
-" the viewer side.\n"
+" Your VNC viewer will also need to be able to connect via\n"
+" SSL. Unfortunately not too many do this. UltraVNC has\n"
+" an encryption plugin but it does not seem to be SSL.\n"
+"\n"
+" In the x11vnc distribution, a patched TightVNC Java\n"
+" applet is provided in classes/ssl that does SSL\n"
+" connections (only).\n"
+"\n"
+" It is also not too difficult to set up an stunnel or\n"
+" other SSL tunnel on the viewer side.\n"
 "\n"
 " A simple example on Unix using stunnel 3.x is:\n"
 "\n"
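Review bot: `an stunnel` in `" It is also not too difficult to set up an stunnel or\n"` should read `a stunnel` ("stunnel" starts with a consonant sound). It is user-visible help text that this hunk rewrites anyway, so it is worth fixing on the same line. print_help()'s string begins and ends outside the hunk.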
@@ -639,6 +660,35 @@ void print_help(int mode) {
 "-stunnel3 [pem] Use version 3.x stunnel command line syntax instead of\n"
 " version 4.x\n"
 "\n"
+"-https [port] Choose a separate HTTPS port (-ssl mode only).\n"
+"\n"
+" In -ssl mode, it turns out you can use the\n"
+" single VNC port (e.g. 5900) for both VNC and HTTPS\n"
+" connections. (HTTPS is used to retrieve a SSL-aware\n"
+" VncViewer.jar applet that is provided with x11vnc).\n"
+" Since both use SSL the implementation was extended to\n"
+" detect if HTTP traffic (i.e. GET) is taking place and\n"
+" handle it accordingly. The URL would be, e.g.:\n"
+"\n"
+" https://mymachine.org:5900/\n"
+"\n"
+" This is convenient for firewalls, etc, because only one\n"
+" port needs to be allowed in. However, this heuristic\n"
+" adds a few seconds delay to each connection and can be\n"
+" unreliable (especially if the user takes much time to\n"
+" ponder the Certificate dialogs in his browser, Java VM,\n"
+" or VNC Viewer applet. That's right 3 separate \"Are\n"
+" you sure you want to connect\" dialogs!)\n"
+"\n"
+" So use the -https option to provide a separate, more\n"
+" reliable HTTPS port that x11vnc will listen on. If\n"
+" [port] is not provided (or is 0), one is autoselected.\n"
+" The URL to use is printed out at startup.\n"
+"\n"
+" The SSL Java applet directory is specified via the\n"
+" -httpdir option. If not supplied it will try to guess\n"
+" the directory as though the -http option was supplied.\n"
+"\n"
 "-usepw If no other password method was supplied on the command\n"
 " line, first look for ~/.vnc/passwd and if found use it\n"
 " with -rfbauth; next, look for ~/.vnc/passwdfile and\n"
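Review bot: `a SSL-aware` in `" connections. (HTTPS is used to retrieve a SSL-aware\n"` should read `an SSL-aware`. Beyond that, the new -https text explains the shared-port heuristic and the autoselected port well, but leaves open whether the -localhost requirement and the X11VNC_SSL_* overrides described under -ssl also govern the separate HTTPS listener; if they do, a one-line sentence saying so would belong after `" The URL to use is printed out at startup.\n"`, since an operator choosing -https for a firewall rule will want to know what that second port accepts. print_help()'s string begins and ends outside the hunk.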
@@ -844,9 +894,10 @@ void print_help(int mode) {
 " string \"noptr\" the mouse pointer will not be allowed\n"
 " to go into a blacked out region.\n"
 "-xinerama If your screen is composed of multiple monitors\n"
-" glued together via XINERAMA, and that screen is\n"
+"-noxinerama glued together via XINERAMA, and that screen is\n"
 " not a rectangle this option will try to guess the\n"
 " areas to black out (if your system has libXinerama).\n"
+" default: %s\n"
 "\n"
 " In general, we have noticed on XINERAMA displays you\n"
 " may need to use the \"-xwarppointer\" option if the mouse\n"
@@ -2261,9 +2312,9 @@ void print_help(int mode) {
 " http_url auth xauth users rootshift clipshift\n"
 " scale_str scaled_x scaled_y scale_numer scale_denom\n"
 " scale_fac scaling_blend scaling_nomult4 scaling_pad\n"
-" scaling_interpolate inetd privremote unsafe safer\n"
-" nocmds passwdfile unixpw unixpw_nis unixpw_list ssl\n"
-" ssl_pem sslverify stunnel stunnel_pem usepw using_shm\n"
+" scaling_interpolate inetd privremote unsafe safer nocmds\n"
+" passwdfile unixpw unixpw_nis unixpw_list ssl ssl_pem\n"
+" sslverify stunnel stunnel_pem https usepw using_shm\n"
 " logfile o flag rc norc h help V version lastmod bg\n"
 " sigpipe threads readrate netrate netlatency pipeinput\n"
 " clients client_count pid ext_xtest ext_xtrap ext_xrecord\n"
@@ -2364,7 +2415,7 @@ void print_help(int mode) {
 strncpy(tmp, p, w);
 fprintf(stderr, " %s", tmp);
 l++;
-if (l % 2 == 0) {
+if (l % 3 == 0) {
 fprintf(stderr, "\n");
 }
 }
@@ -2381,6 +2432,7 @@ void print_help(int mode) {
 view_only ? "on":"off",
 shared ? "on":"off",
 vnc_connect ? "-vncconnect":"-novncconnect",
+xinerama ? "-xinerama":"-noxinerama",
 use_modifier_tweak ? "-modtweak":"-nomodtweak",
 skip_duplicate_key_events ? "-skip_dups":"-noskip_dups",
 add_keysyms ? "-add_keysyms":"-noadd_keysyms",
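Review bot: The new `" default: %s\n"` line in the -xinerama help adds a conversion to the print_help() format string whose value is meant to come from the `xinerama ? "-xinerama":"-noxinerama",` argument added in the -2381 hunk, and the pair is only correct if that argument sits at the same position among the arguments as the new `%s` does among the conversions; neither the neighbouring `%s` conversions nor the fprintf call that consumes them are visible in this diff, so the ordering should be confirmed against the full function, since a mismatch here is a format-string/argument mismatch rather than a cosmetic error. A short comment on the added argument line, such as `/* keep in the same order as the %s conversions in the help text above */`, would make the coupling visible to the next editor. The -2364 hunk's change to `if (l % 3 == 0)` alters how often a newline is emitted in the option-name listing; whether a trailing newline is still printed when the count is not a multiple of 3 depends on code after the loop, outside the hunk. print_help() begins and ends outside all of these hunks.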