summaryrefslogtreecommitdiffstats
path: root/x11vnc/help.c
diff options
context:
space:
mode:
authorrunge <runge>2008-12-10 17:12:27 +0000
committerrunge <runge>2008-12-10 17:12:27 +0000
commit8bef644d17f62ea6daf7459b863f05de187966fe (patch)
tree5137fbbab354ccfe29622a99c3d913c558d1c87a /x11vnc/help.c
parente68192915936e173b887856a019d4a54ba96069c (diff)
downloadlibtdevnc-8bef644d17f62ea6daf7459b863f05de187966fe.tar.gz
libtdevnc-8bef644d17f62ea6daf7459b863f05de187966fe.zip
x11vnc: 0.9.6 release. Some strtok bugfixes. rename -tlsvnc
to -anontls. Disable ssl caching. No cert creation prompting in inetd or bg modes. waitpid a bit more carefully on ssl helpers. Tune ssl initial timeouts. Let -create user specify starting X display. fix -rfbport prompt gui for older tk. -sslonly option. Error if no -ssl with related options. -rand option. -ssl implies -ssl SAVE
Diffstat (limited to 'x11vnc/help.c')
-rw-r--r--x11vnc/help.c264
1 files changed, 152 insertions, 112 deletions
diff --git a/x11vnc/help.c b/x11vnc/help.c
index cd78723..fbedbff 100644
--- a/x11vnc/help.c
+++ b/x11vnc/help.c
@@ -82,10 +82,12 @@ void print_help(int mode) {
" before startup. Same as -xauth file. See Xsecurity(7),\n"
" xauth(1) man pages for more info.\n"
"\n"
-"-N If the X display is :N, try to set the VNC display\n"
-" to also be :N This just sets the -rfbport option\n"
-" to 5900+N. The program will exit immediately if that\n"
-" port is not available.\n"
+"-N If the X display is :N, try to set the VNC display to\n"
+" also be :N This just sets the -rfbport option to 5900+N\n"
+" The program will exit immediately if that port is not\n"
+" available. The -N option only works with normal -display\n"
+" usage, e.g. :0 or :8, -N is ignored in the -display\n"
+" WAIT:..., -create, -find, -svc, -redirect, etc modes.\n"
"\n"
"-autoport n Automatically probe for a free VNC port starting at n.\n"
" The default is to start probing at 5900. Use this to\n"
@@ -979,13 +981,13 @@ void print_help(int mode) {
" added to get the actual port), if port < 0 then -port\n"
" is used.\n"
"\n"
-" Probably the only reason to use the -redirect option is\n"
-" in conjunction with SSL support, e.g. -ssl, -ssl SAVE.\n"
+" Probably the only reason to use the -redirect option\n"
+" is in conjunction with SSL support, e.g. -ssl SAVE.\n"
" This provides an easy way to add SSL encryption to a VNC\n"
" server that does not support SSL (e.g. Xvnc or vnc.so)\n"
" In fact, the protocol does not even need to be VNC,\n"
-" and so \"-ssl SAVE -redirect host:port\" can act as a\n"
-" replacement for stunnel(1).\n"
+" and so \"-rfbport port1 -ssl SAVE -redirect host:port2\"\n"
+" can act as a replacement for stunnel(1).\n"
"\n"
" This mode only allows one redirected connection.\n"
" The -forever option does not apply. Use -inetd or\n"
@@ -1119,6 +1121,9 @@ void print_help(int mode) {
" for the user. This is the only time x11vnc tries to\n"
" actually start up an X server.\n"
"\n"
+" It will start looking for an open display number at :20\n"
+" Override via X11VNC_CREATE_STARTING_DISPLAY_NUMBER=n\n"
+"\n"
" By default FINDCREATEDISPLAY will try Xdummy and then\n"
" Xvfb:\n"
"\n"
@@ -1233,14 +1238,14 @@ void print_help(int mode) {
"-vencrypt mode The VeNCrypt extension to the VNC protocol allows\n"
" encrypted SSL/TLS connections. If the -ssl mode is\n"
" enabled, then VeNCrypt is enabled as well BY DEFAULT\n"
-" (they both use the SSL/TLS tunnel, only the protocol\n"
+" (they both use a SSL/TLS tunnel, only the protocol\n"
" handshake is a little different.)\n"
"\n"
" To control when and how VeNCrypt is used, specify the\n"
" mode string. If mode is \"never\", then VeNCrypt is\n"
" not used. If mode is \"support\" (the default) then\n"
" VeNCrypt is supported. If mode is \"only\", then the\n"
-" similar and older TLSVNC protocol is not simultaneously\n"
+" similar and older ANONTLS protocol is not simultaneously\n"
" supported. x11vnc's normal SSL mode (vncs://) will be\n"
" supported under -ssl unless you set mode to \"force\".\n"
"\n"
@@ -1250,14 +1255,16 @@ void print_help(int mode) {
"\n"
" To disable all Anonymous Diffie-Hellman access\n"
" (susceptible to Man-In-The-Middle attack) you will need\n"
-" to supply \"-vencrypt nodh:support -tlsvnc never\"\n"
+" to supply \"-vencrypt nodh:support -anontls never\"\n"
+" or \"-vencrypt nodh:only\"\n"
"\n"
" If mode is prefixed with \"newdh:\", then new Diffie\n"
" Hellman parameters are generated for each connection\n"
-" (this can be time consuming: 1-60 secs) rather than\n"
-" using the fixed values in the program. Using fixed,\n"
-" publicly known values is not known to be a security\n"
-" problem. This setting applies to TLSVNC as well.\n"
+" (this can be time consuming: 1-60 secs; see -dhparams\n"
+" below for a faster way) rather than using the\n"
+" fixed values in the program. Using fixed, publicly\n"
+" known values is not known to be a security problem.\n"
+" This setting applies to ANONTLS as well.\n"
"\n"
" Long example: -vencrypt newdh:nox509:support\n"
"\n"
@@ -1270,15 +1277,23 @@ void print_help(int mode) {
" You *MUST* supply the -ssl option for VeNCrypt to be\n"
" active. This option only fine-tunes its operation.\n"
"\n"
-"-tlsvnc mode The TLSVNC extension to the VNC protocol allows\n"
+"-anontls mode The ANONTLS extension to the VNC protocol allows\n"
" encrypted SSL/TLS connections. If the -ssl mode is\n"
-" enabled, then TLSVNC is enabled as well BY DEFAULT\n"
-" (they both use the SSL/TLS tunnel, only the protocol\n"
+" enabled, then ANONTLS is enabled as well BY DEFAULT\n"
+" (they both use a SSL/TLS tunnel, only the protocol\n"
" handshake is a little different.)\n"
"\n"
-" To control when and how TLSVNC is used, specify the\n"
-" mode string. If mode is \"never\", then TLSVNC is not\n"
-" used. If mode is \"support\" (the default) then TLSVNC\n"
+" ANONTLS is an older SSL/TLS mode introduced by vino.\n"
+"\n"
+" It is referred to as 'TLS' for its registered VNC\n"
+" security-type name, but we use the more descriptive\n"
+" 'ANONTLS' here because it provides only Anonymous\n"
+" Diffie-Hellman encrypted connections, and hence no\n"
+" possibility for certificate authentication.\n"
+"\n"
+" To control when and how ANONTLS is used, specify the\n"
+" mode string. If mode is \"never\", then ANONTLS is not\n"
+" used. If mode is \"support\" (the default) then ANONTLS\n"
" is supported. If mode is \"only\", then the similar\n"
" VeNCrypt protocol is not simultaneously supported.\n"
" x11vnc's normal SSL mode (vncs://) will be supported\n"
@@ -1286,24 +1301,30 @@ void print_help(int mode) {
"\n"
" If mode is prefixed with \"newdh:\", then new Diffie\n"
" Hellman parameters are generated for each connection\n"
-" (this can be time consuming: 1-60 secs) rather than\n"
-" using the fixed values in the program. Using fixed,\n"
-" publicly known values is not known to be a security\n"
-" problem. This setting applies to VeNCrypt as well.\n"
-" See the description of \"plain:\" under -vencrypt.\n"
+" (this can be time consuming: 1-60 secs; see -dhparams\n"
+" below for a faster way) rather than using the\n"
+" fixed values in the program. Using fixed, publicly\n"
+" known values is not known to be a security problem.\n"
+" This setting applies to VeNCrypt as well. See the\n"
+" description of \"plain:\" under -vencrypt.\n"
"\n"
-" Long example: -tlsvnc newdh:plain:support\n"
+" Long example: -anontls newdh:plain:support\n"
"\n"
-" You *MUST* supply the -ssl option for TLSVNC to be\n"
+" You *MUST* supply the -ssl option for ANONTLS to be\n"
" active. This option only fine-tunes its operation.\n"
"\n"
+"-sslonly Same as: \"-vencrypt never -anontls never\" i.e. it\n"
+" disables the VeNCrypt and ANONTLS encryption methods\n"
+" and only allows standard SSL tunneling. You must also\n"
+" supply the -ssl ... option (see below.)\n"
+"\n"
"\n"
"-dhparams file For some operations a set of Diffie Hellman parameters\n"
" (prime and generator) is needed. If so, use the\n"
" parameters in \"file\". In particular, the VeNCrypt and\n"
-" TLSVNC anonymous DH mode need them. By default a\n"
+" ANONTLS anonymous DH mode need them. By default a\n"
" fixed set is used. If you do not want to do that you\n"
-" can specify \"newdh:\" to the -vencrypt and -tlsvnc\n"
+" can specify \"newdh:\" to the -vencrypt and -anontls\n"
" options to generate a new set each session. If that\n"
" is too slow for you, use -dhparams file to a set you\n"
" created manually via \"openssl dhparam -out file 1024\"\n"
@@ -1325,47 +1346,80 @@ void print_help(int mode) {
" http://www.karlrunge.com/x11vnc/#faq-ssl-tunnel-viewers\n"
" x11vnc provides an SSL enabled Java viewer applet in\n"
" the classes/ssl directory (-http or -httpdir options.)\n"
-" The SSVNC viewer package supports SSL too.\n"
+" The SSVNC viewer package supports SSL tunnels too.\n"
+"\n"
+" If the VNC Viewer supports VeNCrypt or ANONTLS (vino's\n"
+" encryption mode) they are also supported by the -ssl\n"
+" mode (see the -vencrypt and -anontls options for more\n"
+" info; use -sslonly to disable both of them.)\n"
"\n"
-" [pem] is optional, use \"-ssl /path/to/mycert.pem\" to\n"
-" specify a PEM certificate file to use to identify and\n"
+" Use \"-ssl /path/to/mycert.pem\" to specify an SSL\n"
+" certificate file in PEM format to use to identify and\n"
" provide a key for this server. See openssl(1) for more\n"
" info about PEMs and the -sslGenCert and \"-ssl SAVE\"\n"
" options below for how to create them.\n"
"\n"
-" The connecting VNC viewer SSL tunnel can (optionally)\n"
-" authenticate this server if they have the public key\n"
-" part of the certificate (or a common certificate\n"
-" authority, CA, is a more sophisticated way to\n"
-" verify this server's cert, see -sslGenCA below).\n"
-" This is used to prevent Man-In-The-Middle attacks.\n"
-" Otherwise, if the VNC viewer accepts this server's\n"
-" key WITHOUT verification, the traffic is protected\n"
-" from passive sniffing on the network, but *NOT* from\n"
+" The connecting VNC viewer SSL tunnel can (at its option)\n"
+" authenticate this server if it has the public key part\n"
+" of the certificate (or a common certificate authority,\n"
+" CA, is a more sophisticated way to verify this server's\n"
+" cert, see -sslGenCA below). This authentication is\n"
+" done to prevent Man-In-The-Middle attacks. Otherwise,\n"
+" if the VNC viewer simply accepts this server's key\n"
+" WITHOUT verification, the traffic is protected from\n"
+" passive sniffing on the network, but *NOT* from\n"
+" Man-In-The-Middle attacks. There are hacker tools\n"
+" like dsniff/webmitm and cain that implement SSL\n"
" Man-In-The-Middle attacks.\n"
"\n"
-" If [pem] is not supplied and the openssl(1) utility\n"
+" If [pem] is empty or the string \"SAVE\" then the\n"
+" openssl(1) command must be available to generate the\n"
+" certificate the first time. A self-signed certificate\n"
+" is generated (see -sslGenCA and -sslGenCert for use\n"
+" of a Certificate Authority.) It will be saved to the\n"
+" file ~/.vnc/certs/server.pem. On subsequent calls if\n"
+" that file already exists it will be used directly.\n"
+"\n"
+" Use \"SAVE_NOPROMPT\" to avoid being prompted to\n"
+" protect the generated key with a passphrase. However in\n"
+" -inetd and -bg modes there will be no prompting for a\n"
+" passphrase in either case.\n"
+"\n"
+" If [pem] is \"SAVE_PROMPT\" the server.pem certificate\n"
+" will be created based on your answers to its prompts for\n"
+" all info such as OrganizationalName, CommonName, etc.\n"
+"\n"
+" Use \"SAVE-<string>\" and \"SAVE_PROMPT-<string>\"\n"
+" to refer to the file ~/.vnc/certs/server-<string>.pem\n"
+" instead (it will be generated if it does not already\n"
+" exist). E.g. \"SAVE-charlie\" will store to the file\n"
+" ~/.vnc/certs/server-charlie.pem\n"
+"\n"
+" Examples: x11vnc -ssl SAVE -display :0 ...\n"
+" x11vnc -ssl SAVE-someother -display :0 ...\n"
+"\n"
+" If [pem] is \"TMP\" and the openssl(1) utility\n"
" command exists in PATH, then a temporary, self-signed\n"
-" certificate will be generated for this session\n"
-" (this may take 5-30 seconds on very slow machines).\n"
-" If openssl(1) cannot be used to generate a temporary\n"
-" certificate x11vnc exits immediately.\n"
+" certificate will be generated for this session. If\n"
+" openssl(1) cannot be used to generate a temporary\n"
+" certificate x11vnc exits immediately. The temporary\n"
+" cert will be discarded when x11vnc exits.\n"
"\n"
" If successful in using openssl(1) to generate a\n"
-" temporary certificate, the public part of it will be\n"
-" displayed to stderr (e.g. one could copy it to the\n"
-" client-side to provide authentication of the server to\n"
-" VNC viewers.)\n"
-"\n"
-" NOTE: Unless you safely copy the public part of the\n"
-" temporary Cert to the viewer for authenticate *every\n"
-" time* (unlikely...), then only passive sniffing\n"
-" attacks are prevented and you are still open to\n"
-" Man-In-The-Middle attacks. See the following\n"
-" paragraphs for how to save keys to reuse them when\n"
-" x11vnc is restarted. With saved keys AND the VNC viewer\n"
-" authenticating them by using the public certificate,\n"
-" then Man-In-The-Middle attacks are prevented.\n"
+" temporary certificate in \"SAVE\" or \"TMP\" creation\n"
+" modes, the public part of it will be displayed to stderr\n"
+" (e.g. one could copy it to the client-side to provide\n"
+" authentication of the server to VNC viewers.)\n"
+"\n"
+" NOTE: In \"TMP\" mode, unless you safely copy the\n"
+" public part of the temporary Cert to the viewer for\n"
+" authenticate *every time* (unlikely...), then only\n"
+" passive sniffing attacks are prevented and you are\n"
+" still open to Man-In-The-Middle attacks. This is\n"
+" why the default \"SAVE\" mode is preferred (and more\n"
+" sophisticated CA mode too). Only with saved keys AND\n"
+" the VNC viewer authenticating them (via the public\n"
+" certificate), are Man-In-The-Middle attacks prevented.\n"
"\n"
" If [pem] is \"ANON\" then the Diffie-Hellman anonymous\n"
" key exchange method is used. In this mode there\n"
@@ -1374,34 +1428,16 @@ void print_help(int mode) {
" Thus only passive network sniffing attacks are avoided:\n"
" the \"ANON\" method is susceptible to Man-In-The-Middle\n"
" attacks. \"ANON\" is not recommended; instead use\n"
-" a SSL PEM you created or the \"SAVE\" method in the\n"
-" next paragraph.\n"
-"\n"
-" If [pem] is \"SAVE\" then the certificate will be saved\n"
-" to the file ~/.vnc/certs/server.pem, or if that file\n"
-" exists it will be used directly. Similarly, if [pem]\n"
-" is \"SAVE_PROMPT\" the server.pem certificate will be\n"
-" made based on your answers to its prompts for info such\n"
-" as OrganizationalName, CommonName, etc.\n"
-"\n"
-" We expect most users to use \"-ssl SAVE\".\n"
-"\n"
-" Use \"SAVE-<string>\" and \"SAVE_PROMPT-<string>\"\n"
-" to refer to the file ~/.vnc/certs/server-<string>.pem\n"
-" instead. E.g. \"SAVE-charlie\" will store to the file\n"
-" ~/.vnc/certs/server-charlie.pem\n"
-"\n"
-" Examples: x11vnc -ssl SAVE -display :0 ...\n"
-" x11vnc -ssl SAVE-other -display :0 ...\n"
+" a SSL PEM you created or the defaut \"SAVE\" method.\n"
"\n"
" See -ssldir below to use a directory besides the\n"
" default ~/.vnc/certs\n"
"\n"
-" Misc Info: In temporary cert creation mode, set the\n"
-" env. var. X11VNC_SHOW_TMP_PEM=1 to have x11vnc print out\n"
-" the entire certificate, including the PRIVATE KEY part,\n"
-" to stderr. There are better ways to get/save this info.\n"
-" See \"SAVE\" above and \"-sslGenCert\" below.\n"
+" Misc Info: In temporary cert creation mode \"TMP\", set\n"
+" the env. var. X11VNC_SHOW_TMP_PEM=1 to have x11vnc print\n"
+" out the entire certificate, including the PRIVATE KEY\n"
+" part, to stderr. There are better ways to get/save this\n"
+" info. See \"SAVE\" above and \"-sslGenCert\" below.\n"
"\n"
"-ssltimeout n Set SSL read timeout to n seconds. In some situations\n"
" (i.e. an iconified viewer in Windows) the viewer stops\n"
@@ -1446,7 +1482,7 @@ void print_help(int mode) {
"\n"
" If [path] is a directory it contains the client (or CA)\n"
" certificates in separate files. If [path] is a file,\n"
-" it contains multiple certificates. See special tokens\n"
+" it contains one or more certificates. See special tokens\n"
" below. These correspond to the \"CApath = dir\" and\n"
" \"CAfile = file\" stunnel options. See the stunnel(8)\n"
" manpage for details.\n"
@@ -1508,19 +1544,19 @@ void print_help(int mode) {
" VNC-ing with x11vnc. (note that they require openssl(1)\n"
" be installed on the system)\n"
"\n"
-" However, the simplest usage mode (where x11vnc\n"
-" automatically generates its own, self-signed, temporary\n"
-" key and the VNC viewers always accept it, e.g. accepting\n"
-" via a dialog box) is probably safe enough for most\n"
-" scenarios. CA management is not needed.\n"
+" However, the simplest usage mode, \"-ssl TMP\" (where\n"
+" x11vnc automatically generates its own, self-signed,\n"
+" temporary key and the VNC viewers always accept it,\n"
+" e.g. accepting via a dialog box) is probably safe enough\n"
+" for most scenarios. CA management is not needed.\n"
"\n"
-" To protect against Man-In-The-Middle attacks the\n"
-" simplest mode can be improved by using \"-ssl SAVE\"\n"
-" to have x11vnc create a longer term self-signed\n"
-" certificate, and then (safely) copy the corresponding\n"
-" public key cert to the desired client machines (care\n"
-" must be taken the private key part is not stolen;\n"
-" you will be prompted for a passphrase).\n"
+" To protect against Man-In-The-Middle attacks the \"TMP\"\n"
+" mode can be improved by using \"-ssl SAVE\" (same as\n"
+" \"-ssl\", i.e. the default) to have x11vnc create a\n"
+" longer term self-signed certificate, and then (safely)\n"
+" copy the corresponding public key cert to the desired\n"
+" client machines (care must be taken the private key part\n"
+" is not stolen; you will be prompted for a passphrase).\n"
"\n"
" So keep in mind no CA key creation or management\n"
" (-sslGenCA and -sslGenCert) is needed for either of\n"
@@ -1547,7 +1583,7 @@ void print_help(int mode) {
" be \"imported\" somehow. Web browsers have \"Manage\n"
" Certificates\" actions as does the Java applet plugin\n"
" Control Panel. stunnel can also use these files (see\n"
-" the ss_vncviewer example script in the FAQ.)\n"
+" the ss_vncviewer example script in the FAQ and SSVNC.)\n"
"\n"
"-sslCRL path Set the Certificate Revocation Lists (CRL) to \"path\".\n"
"\n"
@@ -3359,6 +3395,8 @@ void print_help(int mode) {
"-setdefer n When the -wait_ui mechanism cuts down the wait time ms,\n"
" set the defer time to the same ms value. n=1 to enable,\n"
" 0 to disable, and -1 to set defer to 0 (no delay).\n"
+" Similarly, 2 and -2 indicate 'urgent_update' mode should\n"
+" be used to push the updates even sooner. Default: 1\n"
"-nowait_bog Do not detect if the screen polling is \"bogging down\"\n"
" and sleep more. Some activities with no user input can\n"
" slow things down a lot: consider a large terminal window\n"
@@ -3367,10 +3405,11 @@ void print_help(int mode) {
" (3 screen polls in a row each longer than 0.25 sec with\n"
" no user input), and sleep up to 1.5 secs to let things\n"
" \"catch up\". Use this option to disable that detection.\n"
-"-slow_fb time Floating point time in seconds delay all screen polling.\n"
-" For special purpose usage where a low frame rate is\n"
-" acceptable and desirable, but you want the user input\n"
-" processed at the normal rate so you cannot use -wait.\n"
+"-slow_fb time Floating point time in seconds to delay all screen\n"
+" polling. For special purpose usage where a low frame\n"
+" rate is acceptable and desirable, but you want the\n"
+" user input processed at the normal rate so you cannot\n"
+" use -wait.\n"
"-xrefresh time Floating point time in seconds to indicate how often to\n"
" do the equivalent of xrefresh(1) to force all windows\n"
" (in the viewable area if -id, -sid, or -clip is used)\n"
@@ -4356,6 +4395,7 @@ void print_help(int mode) {
" defer:n set -defer to n ms,same as deferupdate:n\n"
" wait:n set -wait to n ms.\n"
" wait_ui:f set -wait_ui factor to f.\n"
+" setdefer:n set -setdefer to -2,-1,0,1, or 2.\n"
" wait_bog disable -nowait_bog mode.\n"
" nowait_bog enable -nowait_bog mode.\n"
" slow_fb:f set -slow_fb to f seconds.\n"
@@ -4515,15 +4555,15 @@ void print_help(int mode) {
" nowfl wirecopyrect wcr nowirecopyrect nowcr scr_area\n"
" scr_skip scr_inc scr_keys scr_term scr_keyrepeat\n"
" scr_parms scrollcopyrect scr noscrollcopyrect noscr\n"
-" fixscreen noxrecord xrecord reset_record pointer_mode\n"
-" pm input_skip allinput noallinput input grabkbd\n"
-" nograbkbd grabptr nograbptr grabalways nograbalways\n"
-" grablocal client_input ssltimeout speeds wmdt\n"
-" debug_pointer dp nodebug_pointer nodp debug_keyboard\n"
-" dk nodebug_keyboard nodk keycode deferupdate defer\n"
-" wait_ui wait_bog nowait_bog slow_fb xrefresh wait\n"
-" readtimeout nap nonap sb screen_blank fbpm nofbpm dpms\n"
-" nodpms clientdpms noclientdpms forcedpms noforcedpms\n"
+" fixscreen noxrecord xrecord reset_record pointer_mode pm\n"
+" input_skip allinput noallinput input grabkbd nograbkbd\n"
+" grabptr nograbptr grabalways nograbalways grablocal\n"
+" client_input ssltimeout speeds wmdt debug_pointer dp\n"
+" nodebug_pointer nodp debug_keyboard dk nodebug_keyboard\n"
+" nodk keycode deferupdate defer setdefer wait_ui\n"
+" wait_bog nowait_bog slow_fb xrefresh wait readtimeout\n"
+" nap nonap sb screen_blank fbpm nofbpm dpms nodpms\n"
+" clientdpms noclientdpms forcedpms noforcedpms\n"
" noserverdpms serverdpms noultraext ultraext chatwindow\n"
" nochatwindow chaton chatoff fs gaps grow fuzz snapfb\n"
" nosnapfb rawfb uinput_accel uinput_thresh uinput_reset\n"