author | runge <runge> | 2008-12-10 17:12:27 +0000 |
committer | runge <runge> | 2008-12-10 17:12:27 +0000 |
commit | 8bef644d17f62ea6daf7459b863f05de187966fe (patch) | |
tree | 5137fbbab354ccfe29622a99c3d913c558d1c87a /x11vnc/help.c | |
parent | e68192915936e173b887856a019d4a54ba96069c (diff) | |
x11vnc: 0.9.6 release. Some strtok bugfixes. rename -tlsvnc
to -anontls. Disable ssl caching. No cert creation prompting
in inetd or bg modes. waitpid a bit more carefully on ssl
helpers. Tune ssl initial timeouts. Let -create user specify
starting X display. fix -rfbport prompt gui for older tk.
-sslonly option. Error if no -ssl with related options. -rand
option. -ssl implies -ssl SAVE
Diffstat (limited to 'x11vnc/help.c')
-rw-r--r-- | x11vnc/help.c | 264 |
1 files changed, 152 insertions, 112 deletions
diff --git a/x11vnc/help.c b/x11vnc/help.c
index cd78723..fbedbff 100644
--- a/x11vnc/help.c
+++ b/x11vnc/help.c
@@ -82,10 +82,12 @@ void print_help(int mode) {
 " before startup. Same as -xauth file. See Xsecurity(7),\n"
 " xauth(1) man pages for more info.\n"
 "\n"
-"-N If the X display is :N, try to set the VNC display\n"
-" to also be :N This just sets the -rfbport option\n"
-" to 5900+N. The program will exit immediately if that\n"
-" port is not available.\n"
+"-N If the X display is :N, try to set the VNC display to\n"
+" also be :N This just sets the -rfbport option to 5900+N\n"
+" The program will exit immediately if that port is not\n"
+" available. The -N option only works with normal -display\n"
+" usage, e.g. :0 or :8, -N is ignored in the -display\n"
+" WAIT:..., -create, -find, -svc, -redirect, etc modes.\n"
 "\n"
 "-autoport n Automatically probe for a free VNC port starting at n.\n"
 " The default is to start probing at 5900. Use this to\n"
@@ -979,13 +981,13 @@ void print_help(int mode) {
 " added to get the actual port), if port < 0 then -port\n"
 " is used.\n"
 "\n"
-" Probably the only reason to use the -redirect option is\n"
-" in conjunction with SSL support, e.g. -ssl, -ssl SAVE.\n"
+" Probably the only reason to use the -redirect option\n"
+" is in conjunction with SSL support, e.g. -ssl SAVE.\n"
 " This provides an easy way to add SSL encryption to a VNC\n"
 " server that does not support SSL (e.g. Xvnc or vnc.so)\n"
 " In fact, the protocol does not even need to be VNC,\n"
-" and so \"-ssl SAVE -redirect host:port\" can act as a\n"
-" replacement for stunnel(1).\n"
+" and so \"-rfbport port1 -ssl SAVE -redirect host:port2\"\n"
+" can act as a replacement for stunnel(1).\n"
 "\n"
 " This mode only allows one redirected connection.\n"
 " The -forever option does not apply. Use -inetd or\n"
@@ -1119,6 +1121,9 @@ void print_help(int mode) {
 " for the user. This is the only time x11vnc tries to\n"
 " actually start up an X server.\n"
 "\n"
+" It will start looking for an open display number at :20\n"
+" Override via X11VNC_CREATE_STARTING_DISPLAY_NUMBER=n\n"
+"\n"
 " By default FINDCREATEDISPLAY will try Xdummy and then\n"
 " Xvfb:\n"
 "\n"
@@ -1233,14 +1238,14 @@ void print_help(int mode) {
 "-vencrypt mode The VeNCrypt extension to the VNC protocol allows\n"
 " encrypted SSL/TLS connections. If the -ssl mode is\n"
 " enabled, then VeNCrypt is enabled as well BY DEFAULT\n"
-" (they both use the SSL/TLS tunnel, only the protocol\n"
+" (they both use a SSL/TLS tunnel, only the protocol\n"
 " handshake is a little different.)\n"
 "\n"
 " To control when and how VeNCrypt is used, specify the\n"
 " mode string. If mode is \"never\", then VeNCrypt is\n"
 " not used. If mode is \"support\" (the default) then\n"
 " VeNCrypt is supported. If mode is \"only\", then the\n"
-" similar and older TLSVNC protocol is not simultaneously\n"
+" similar and older ANONTLS protocol is not simultaneously\n"
 " supported. x11vnc's normal SSL mode (vncs://) will be\n"
 " supported under -ssl unless you set mode to \"force\".\n"
 "\n"
@@ -1250,14 +1255,16 @@ void print_help(int mode) {
 "\n"
 " To disable all Anonymous Diffie-Hellman access\n"
 " (susceptible to Man-In-The-Middle attack) you will need\n"
-" to supply \"-vencrypt nodh:support -tlsvnc never\"\n"
+" to supply \"-vencrypt nodh:support -anontls never\"\n"
+" or \"-vencrypt nodh:only\"\n"
 "\n"
 " If mode is prefixed with \"newdh:\", then new Diffie\n"
 " Hellman parameters are generated for each connection\n"
-" (this can be time consuming: 1-60 secs) rather than\n"
-" using the fixed values in the program. Using fixed,\n"
-" publicly known values is not known to be a security\n"
-" problem. This setting applies to TLSVNC as well.\n"
+" (this can be time consuming: 1-60 secs; see -dhparams\n"
+" below for a faster way) rather than using the\n"
+" fixed values in the program. Using fixed, publicly\n"
+" known values is not known to be a security problem.\n"
+" This setting applies to ANONTLS as well.\n"
 "\n"
 " Long example: -vencrypt newdh:nox509:support\n"
 "\n"
@@ -1270,15 +1277,23 @@ void print_help(int mode) {
 " You *MUST* supply the -ssl option for VeNCrypt to be\n"
 " active. This option only fine-tunes its operation.\n"
 "\n"
-"-tlsvnc mode The TLSVNC extension to the VNC protocol allows\n"
+"-anontls mode The ANONTLS extension to the VNC protocol allows\n"
 " encrypted SSL/TLS connections. If the -ssl mode is\n"
-" enabled, then TLSVNC is enabled as well BY DEFAULT\n"
-" (they both use the SSL/TLS tunnel, only the protocol\n"
+" enabled, then ANONTLS is enabled as well BY DEFAULT\n"
+" (they both use a SSL/TLS tunnel, only the protocol\n"
 " handshake is a little different.)\n"
 "\n"
-" To control when and how TLSVNC is used, specify the\n"
-" mode string. If mode is \"never\", then TLSVNC is not\n"
-" used. If mode is \"support\" (the default) then TLSVNC\n"
+" ANONTLS is an older SSL/TLS mode introduced by vino.\n"
+"\n"
+" It is referred to as 'TLS' for its registered VNC\n"
+" security-type name, but we use the more descriptive\n"
+" 'ANONTLS' here because it provides only Anonymous\n"
+" Diffie-Hellman encrypted connections, and hence no\n"
+" possibility for certificate authentication.\n"
+"\n"
+" To control when and how ANONTLS is used, specify the\n"
+" mode string. If mode is \"never\", then ANONTLS is not\n"
+" used. If mode is \"support\" (the default) then ANONTLS\n"
 " is supported. If mode is \"only\", then the similar\n"
 " VeNCrypt protocol is not simultaneously supported.\n"
 " x11vnc's normal SSL mode (vncs://) will be supported\n"
@@ -1286,24 +1301,30 @@ void print_help(int mode) {
 "\n"
 " If mode is prefixed with \"newdh:\", then new Diffie\n"
 " Hellman parameters are generated for each connection\n"
-" (this can be time consuming: 1-60 secs) rather than\n"
-" using the fixed values in the program. Using fixed,\n"
-" publicly known values is not known to be a security\n"
-" problem. This setting applies to VeNCrypt as well.\n"
-" See the description of \"plain:\" under -vencrypt.\n"
+" (this can be time consuming: 1-60 secs; see -dhparams\n"
+" below for a faster way) rather than using the\n"
+" fixed values in the program. Using fixed, publicly\n"
+" known values is not known to be a security problem.\n"
+" This setting applies to VeNCrypt as well. See the\n"
+" description of \"plain:\" under -vencrypt.\n"
 "\n"
-" Long example: -tlsvnc newdh:plain:support\n"
+" Long example: -anontls newdh:plain:support\n"
 "\n"
-" You *MUST* supply the -ssl option for TLSVNC to be\n"
+" You *MUST* supply the -ssl option for ANONTLS to be\n"
 " active. This option only fine-tunes its operation.\n"
 "\n"
+"-sslonly Same as: \"-vencrypt never -anontls never\" i.e. it\n"
+" disables the VeNCrypt and ANONTLS encryption methods\n"
+" and only allows standard SSL tunneling. You must also\n"
+" supply the -ssl ... option (see below.)\n"
+"\n"
 "\n"
 "-dhparams file For some operations a set of Diffie Hellman parameters\n"
 " (prime and generator) is needed. If so, use the\n"
 " parameters in \"file\". In particular, the VeNCrypt and\n"
-" TLSVNC anonymous DH mode need them. By default a\n"
+" ANONTLS anonymous DH mode need them. By default a\n"
 " fixed set is used. If you do not want to do that you\n"
-" can specify \"newdh:\" to the -vencrypt and -tlsvnc\n"
+" can specify \"newdh:\" to the -vencrypt and -anontls\n"
 " options to generate a new set each session. If that\n"
 " is too slow for you, use -dhparams file to a set you\n"
 " created manually via \"openssl dhparam -out file 1024\"\n"
@@ -1325,47 +1346,80 @@ void print_help(int mode) {
 " http://www.karlrunge.com/x11vnc/#faq-ssl-tunnel-viewers\n"
 " x11vnc provides an SSL enabled Java viewer applet in\n"
 " the classes/ssl directory (-http or -httpdir options.)\n"
-" The SSVNC viewer package supports SSL too.\n"
+" The SSVNC viewer package supports SSL tunnels too.\n"
+"\n"
+" If the VNC Viewer supports VeNCrypt or ANONTLS (vino's\n"
+" encryption mode) they are also supported by the -ssl\n"
+" mode (see the -vencrypt and -anontls options for more\n"
+" info; use -sslonly to disable both of them.)\n"
 "\n"
-" [pem] is optional, use \"-ssl /path/to/mycert.pem\" to\n"
-" specify a PEM certificate file to use to identify and\n"
+" Use \"-ssl /path/to/mycert.pem\" to specify an SSL\n"
+" certificate file in PEM format to use to identify and\n"
 " provide a key for this server. See openssl(1) for more\n"
 " info about PEMs and the -sslGenCert and \"-ssl SAVE\"\n"
 " options below for how to create them.\n"
 "\n"
-" The connecting VNC viewer SSL tunnel can (optionally)\n"
-" authenticate this server if they have the public key\n"
-" part of the certificate (or a common certificate\n"
-" authority, CA, is a more sophisticated way to\n"
-" verify this server's cert, see -sslGenCA below).\n"
-" This is used to prevent Man-In-The-Middle attacks.\n"
-" Otherwise, if the VNC viewer accepts this server's\n"
-" key WITHOUT verification, the traffic is protected\n"
-" from passive sniffing on the network, but *NOT* from\n"
+" The connecting VNC viewer SSL tunnel can (at its option)\n"
+" authenticate this server if it has the public key part\n"
+" of the certificate (or a common certificate authority,\n"
+" CA, is a more sophisticated way to verify this server's\n"
+" cert, see -sslGenCA below). This authentication is\n"
+" done to prevent Man-In-The-Middle attacks. Otherwise,\n"
+" if the VNC viewer simply accepts this server's key\n"
+" WITHOUT verification, the traffic is protected from\n"
+" passive sniffing on the network, but *NOT* from\n"
+" Man-In-The-Middle attacks. There are hacker tools\n"
+" like dsniff/webmitm and cain that implement SSL\n"
 " Man-In-The-Middle attacks.\n"
 "\n"
-" If [pem] is not supplied and the openssl(1) utility\n"
+" If [pem] is empty or the string \"SAVE\" then the\n"
+" openssl(1) command must be available to generate the\n"
+" certificate the first time. A self-signed certificate\n"
+" is generated (see -sslGenCA and -sslGenCert for use\n"
+" of a Certificate Authority.) It will be saved to the\n"
+" file ~/.vnc/certs/server.pem. On subsequent calls if\n"
+" that file already exists it will be used directly.\n"
+"\n"
+" Use \"SAVE_NOPROMPT\" to avoid being prompted to\n"
+" protect the generated key with a passphrase. However in\n"
+" -inetd and -bg modes there will be no prompting for a\n"
+" passphrase in either case.\n"
+"\n"
+" If [pem] is \"SAVE_PROMPT\" the server.pem certificate\n"
+" will be created based on your answers to its prompts for\n"
+" all info such as OrganizationalName, CommonName, etc.\n"
+"\n"
+" Use \"SAVE-<string>\" and \"SAVE_PROMPT-<string>\"\n"
+" to refer to the file ~/.vnc/certs/server-<string>.pem\n"
+" instead (it will be generated if it does not already\n"
+" exist). E.g. \"SAVE-charlie\" will store to the file\n"
+" ~/.vnc/certs/server-charlie.pem\n"
+"\n"
+" Examples: x11vnc -ssl SAVE -display :0 ...\n"
+" x11vnc -ssl SAVE-someother -display :0 ...\n"
+"\n"
+" If [pem] is \"TMP\" and the openssl(1) utility\n"
 " command exists in PATH, then a temporary, self-signed\n"
-" certificate will be generated for this session\n"
-" (this may take 5-30 seconds on very slow machines).\n"
-" If openssl(1) cannot be used to generate a temporary\n"
-" certificate x11vnc exits immediately.\n"
+" certificate will be generated for this session. If\n"
+" openssl(1) cannot be used to generate a temporary\n"
+" certificate x11vnc exits immediately. The temporary\n"
+" cert will be discarded when x11vnc exits.\n"
 "\n"
 " If successful in using openssl(1) to generate a\n"
-" temporary certificate, the public part of it will be\n"
-" displayed to stderr (e.g. one could copy it to the\n"
-" client-side to provide authentication of the server to\n"
-" VNC viewers.)\n"
-"\n"
-" NOTE: Unless you safely copy the public part of the\n"
-" temporary Cert to the viewer for authenticate *every\n"
-" time* (unlikely...), then only passive sniffing\n"
-" attacks are prevented and you are still open to\n"
-" Man-In-The-Middle attacks. See the following\n"
-" paragraphs for how to save keys to reuse them when\n"
-" x11vnc is restarted. With saved keys AND the VNC viewer\n"
-" authenticating them by using the public certificate,\n"
-" then Man-In-The-Middle attacks are prevented.\n"
+" temporary certificate in \"SAVE\" or \"TMP\" creation\n"
+" modes, the public part of it will be displayed to stderr\n"
+" (e.g. one could copy it to the client-side to provide\n"
+" authentication of the server to VNC viewers.)\n"
+"\n"
+" NOTE: In \"TMP\" mode, unless you safely copy the\n"
+" public part of the temporary Cert to the viewer for\n"
+" authenticate *every time* (unlikely...), then only\n"
+" passive sniffing attacks are prevented and you are\n"
+" still open to Man-In-The-Middle attacks. This is\n"
+" why the default \"SAVE\" mode is preferred (and more\n"
+" sophisticated CA mode too). Only with saved keys AND\n"
+" the VNC viewer authenticating them (via the public\n"
+" certificate), are Man-In-The-Middle attacks prevented.\n"
 "\n"
 " If [pem] is \"ANON\" then the Diffie-Hellman anonymous\n"
 " key exchange method is used. In this mode there\n"
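Review bot: The new SAVE_NOPROMPT paragraph in hunk @@ -1325 (`Use "SAVE_NOPROMPT" to avoid being prompted` through `passphrase in either case.`) tells the user that -inetd and -bg modes never prompt, but not the consequence they need to weigh: the private key written to ~/.vnc/certs/server.pem is then presumably stored without passphrase protection, so the file's permissions are its only safeguard (the hunk does not state this explicitly; confirm against the certificate-generation code). I would close the paragraph with `" passphrase in either case, so in those modes the saved\n" " private key is stored without passphrase protection.\n"`. print_help() begins and ends outside this hunk.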
@@ -1374,34 +1428,16 @@ void print_help(int mode) {
 " Thus only passive network sniffing attacks are avoided:\n"
 " the \"ANON\" method is susceptible to Man-In-The-Middle\n"
 " attacks. \"ANON\" is not recommended; instead use\n"
-" a SSL PEM you created or the \"SAVE\" method in the\n"
-" next paragraph.\n"
-"\n"
-" If [pem] is \"SAVE\" then the certificate will be saved\n"
-" to the file ~/.vnc/certs/server.pem, or if that file\n"
-" exists it will be used directly. Similarly, if [pem]\n"
-" is \"SAVE_PROMPT\" the server.pem certificate will be\n"
-" made based on your answers to its prompts for info such\n"
-" as OrganizationalName, CommonName, etc.\n"
-"\n"
-" We expect most users to use \"-ssl SAVE\".\n"
-"\n"
-" Use \"SAVE-<string>\" and \"SAVE_PROMPT-<string>\"\n"
-" to refer to the file ~/.vnc/certs/server-<string>.pem\n"
-" instead. E.g. \"SAVE-charlie\" will store to the file\n"
-" ~/.vnc/certs/server-charlie.pem\n"
-"\n"
-" Examples: x11vnc -ssl SAVE -display :0 ...\n"
-" x11vnc -ssl SAVE-other -display :0 ...\n"
+" a SSL PEM you created or the defaut \"SAVE\" method.\n"
 "\n"
 " See -ssldir below to use a directory besides the\n"
 " default ~/.vnc/certs\n"
 "\n"
-" Misc Info: In temporary cert creation mode, set the\n"
-" env. var. X11VNC_SHOW_TMP_PEM=1 to have x11vnc print out\n"
-" the entire certificate, including the PRIVATE KEY part,\n"
-" to stderr. There are better ways to get/save this info.\n"
-" See \"SAVE\" above and \"-sslGenCert\" below.\n"
+" Misc Info: In temporary cert creation mode \"TMP\", set\n"
+" the env. var. X11VNC_SHOW_TMP_PEM=1 to have x11vnc print\n"
+" out the entire certificate, including the PRIVATE KEY\n"
+" part, to stderr. There are better ways to get/save this\n"
+" info. See \"SAVE\" above and \"-sslGenCert\" below.\n"
 "\n"
 "-ssltimeout n Set SSL read timeout to n seconds. In some situations\n"
 " (i.e. an iconified viewer in Windows) the viewer stops\n"
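Review bot: The added line `a SSL PEM you created or the defaut \"SAVE\" method.` misspells "default" in user-visible help output; it should read `" a SSL PEM you created or the default \"SAVE\" method.\n"`. While touching it, `an SSL PEM` is the conventional article before the initialism, though that is purely a style point. print_help() begins and ends outside this hunk.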
@@ -1446,7 +1482,7 @@ void print_help(int mode) {
 "\n"
 " If [path] is a directory it contains the client (or CA)\n"
 " certificates in separate files. If [path] is a file,\n"
-" it contains multiple certificates. See special tokens\n"
+" it contains one or more certificates. See special tokens\n"
 " below. These correspond to the \"CApath = dir\" and\n"
 " \"CAfile = file\" stunnel options. See the stunnel(8)\n"
 " manpage for details.\n"
@@ -1508,19 +1544,19 @@ void print_help(int mode) {
 " VNC-ing with x11vnc. (note that they require openssl(1)\n"
 " be installed on the system)\n"
 "\n"
-" However, the simplest usage mode (where x11vnc\n"
-" automatically generates its own, self-signed, temporary\n"
-" key and the VNC viewers always accept it, e.g. accepting\n"
-" via a dialog box) is probably safe enough for most\n"
-" scenarios. CA management is not needed.\n"
+" However, the simplest usage mode, \"-ssl TMP\" (where\n"
+" x11vnc automatically generates its own, self-signed,\n"
+" temporary key and the VNC viewers always accept it,\n"
+" e.g. accepting via a dialog box) is probably safe enough\n"
+" for most scenarios. CA management is not needed.\n"
 "\n"
-" To protect against Man-In-The-Middle attacks the\n"
-" simplest mode can be improved by using \"-ssl SAVE\"\n"
-" to have x11vnc create a longer term self-signed\n"
-" certificate, and then (safely) copy the corresponding\n"
-" public key cert to the desired client machines (care\n"
-" must be taken the private key part is not stolen;\n"
-" you will be prompted for a passphrase).\n"
+" To protect against Man-In-The-Middle attacks the \"TMP\"\n"
+" mode can be improved by using \"-ssl SAVE\" (same as\n"
+" \"-ssl\", i.e. the default) to have x11vnc create a\n"
+" longer term self-signed certificate, and then (safely)\n"
+" copy the corresponding public key cert to the desired\n"
+" client machines (care must be taken the private key part\n"
+" is not stolen; you will be prompted for a passphrase).\n"
 "\n"
 " So keep in mind no CA key creation or management\n"
 " (-sslGenCA and -sslGenCert) is needed for either of\n"
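Review bot: The rewritten paragraph still tells the reader that `"-ssl TMP" ... is probably safe enough for most scenarios`, while the -ssl text this same commit adds (hunk @@ -1325) says TMP mode leaves the session open to Man-In-The-Middle attacks and names SAVE as the preferred default; a reader who lands here first gets the opposite impression. I would scope the claim to the threat it actually covers, e.g. `" e.g. accepting via a dialog box) is probably safe enough\n" " against passive sniffing (see the TMP NOTE under -ssl\n" " above). CA management is not needed.\n"`. print_help() begins and ends outside this hunk.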
@@ -1547,7 +1583,7 @@ void print_help(int mode) {
 " be \"imported\" somehow. Web browsers have \"Manage\n"
 " Certificates\" actions as does the Java applet plugin\n"
 " Control Panel. stunnel can also use these files (see\n"
-" the ss_vncviewer example script in the FAQ.)\n"
+" the ss_vncviewer example script in the FAQ and SSVNC.)\n"
 "\n"
 "-sslCRL path Set the Certificate Revocation Lists (CRL) to \"path\".\n"
 "\n"
@@ -3359,6 +3395,8 @@ void print_help(int mode) {
 "-setdefer n When the -wait_ui mechanism cuts down the wait time ms,\n"
 " set the defer time to the same ms value. n=1 to enable,\n"
 " 0 to disable, and -1 to set defer to 0 (no delay).\n"
+" Similarly, 2 and -2 indicate 'urgent_update' mode should\n"
+" be used to push the updates even sooner. Default: 1\n"
 "-nowait_bog Do not detect if the screen polling is \"bogging down\"\n"
 " and sleep more. Some activities with no user input can\n"
 " slow things down a lot: consider a large terminal window\n"
@@ -3367,10 +3405,11 @@ void print_help(int mode) {
 " (3 screen polls in a row each longer than 0.25 sec with\n"
 " no user input), and sleep up to 1.5 secs to let things\n"
 " \"catch up\". Use this option to disable that detection.\n"
-"-slow_fb time Floating point time in seconds delay all screen polling.\n"
-" For special purpose usage where a low frame rate is\n"
-" acceptable and desirable, but you want the user input\n"
-" processed at the normal rate so you cannot use -wait.\n"
+"-slow_fb time Floating point time in seconds to delay all screen\n"
+" polling. For special purpose usage where a low frame\n"
+" rate is acceptable and desirable, but you want the\n"
+" user input processed at the normal rate so you cannot\n"
+" use -wait.\n"
 "-xrefresh time Floating point time in seconds to indicate how often to\n"
 " do the equivalent of xrefresh(1) to force all windows\n"
 " (in the viewable area if -id, -sid, or -clip is used)\n"
@@ -4356,6 +4395,7 @@ void print_help(int mode) {
 " defer:n set -defer to n ms,same as deferupdate:n\n"
 " wait:n set -wait to n ms.\n"
 " wait_ui:f set -wait_ui factor to f.\n"
+" setdefer:n set -setdefer to -2,-1,0,1, or 2.\n"
 " wait_bog disable -nowait_bog mode.\n"
 " nowait_bog enable -nowait_bog mode.\n"
 " slow_fb:f set -slow_fb to f seconds.\n"
@@ -4515,15 +4555,15 @@ void print_help(int mode) {
 " nowfl wirecopyrect wcr nowirecopyrect nowcr scr_area\n"
 " scr_skip scr_inc scr_keys scr_term scr_keyrepeat\n"
 " scr_parms scrollcopyrect scr noscrollcopyrect noscr\n"
-" fixscreen noxrecord xrecord reset_record pointer_mode\n"
-" pm input_skip allinput noallinput input grabkbd\n"
-" nograbkbd grabptr nograbptr grabalways nograbalways\n"
-" grablocal client_input ssltimeout speeds wmdt\n"
-" debug_pointer dp nodebug_pointer nodp debug_keyboard\n"
-" dk nodebug_keyboard nodk keycode deferupdate defer\n"
-" wait_ui wait_bog nowait_bog slow_fb xrefresh wait\n"
-" readtimeout nap nonap sb screen_blank fbpm nofbpm dpms\n"
-" nodpms clientdpms noclientdpms forcedpms noforcedpms\n"
+" fixscreen noxrecord xrecord reset_record pointer_mode pm\n"
+" input_skip allinput noallinput input grabkbd nograbkbd\n"
+" grabptr nograbptr grabalways nograbalways grablocal\n"
+" client_input ssltimeout speeds wmdt debug_pointer dp\n"
+" nodebug_pointer nodp debug_keyboard dk nodebug_keyboard\n"
+" nodk keycode deferupdate defer setdefer wait_ui\n"
+" wait_bog nowait_bog slow_fb xrefresh wait readtimeout\n"
+" nap nonap sb screen_blank fbpm nofbpm dpms nodpms\n"
+" clientdpms noclientdpms forcedpms noforcedpms\n"
 " noserverdpms serverdpms noultraext ultraext chatwindow\n"
 " nochatwindow chaton chatoff fs gaps grow fuzz snapfb\n"
 " nosnapfb rawfb uinput_accel uinput_thresh uinput_reset\n" |