summaryrefslogtreecommitdiffstats
path: root/x11vnc/misc/enhanced_tightvnc_viewer/README
diff options
context:
space:
mode:
authorChristian Beier <dontmind@freeshell.org>2014-09-03 20:54:39 +0200
committerChristian Beier <dontmind@freeshell.org>2014-09-03 20:54:39 +0200
commit498d222976975f53dea885cfe43ef0f805abd412 (patch)
treebac684fbde46fdc3e4cc3817616816b71bb67f9f /x11vnc/misc/enhanced_tightvnc_viewer/README
parent8d2db0486dcc167f1b02d4454ebf4624ce03e1de (diff)
downloadlibtdevnc-498d222976975f53dea885cfe43ef0f805abd412.tar.gz
libtdevnc-498d222976975f53dea885cfe43ef0f805abd412.zip
Remove x11vnc subdir.
The new x11vnc repo is at https://github.com/LibVNC/x11vnc.
Diffstat (limited to 'x11vnc/misc/enhanced_tightvnc_viewer/README')
-rw-r--r--x11vnc/misc/enhanced_tightvnc_viewer/README756
1 files changed, 0 insertions, 756 deletions
diff --git a/x11vnc/misc/enhanced_tightvnc_viewer/README b/x11vnc/misc/enhanced_tightvnc_viewer/README
deleted file mode 100644
index 52eb93a..0000000
--- a/x11vnc/misc/enhanced_tightvnc_viewer/README
+++ /dev/null
@@ -1,756 +0,0 @@
- Enhanced TightVNC Viewer (SSVNC: SSL/SSH VNC viewer)
-
-Copyright (c) 2006-2009 Karl J. Runge <runge@karlrunge.com>
-All rights reserved.
-
-These bundles provide 1) An enhanced TightVNC Viewer on Unix, 2) Binaries
-for many Operating Systems (including Windows and Mac OS X) for your
-convenience, 3) Wrapper scripts and a GUI for gluing them all together.
-
-One can straight-forwardly download all of the components and get them
-to work together by oneself: this bundle is mostly for your convenience
-to combine and wrap together the freely available software.
-
-Bundled software co-shipped is copyright and licensed by others.
-See these sites and related ones for more information:
-
- http://www.tightvnc.com
- http://www.realvnc.com
- http://stunnel.mirt.net
- http://www.stunnel.org
- http://www.openssl.org
- http://www.chiark.greenend.org.uk/~sgtatham/putty/
- http://sourceforge.net/projects/cotvnc/
-
-Note: Some of the binaries included contain cryptographic software that
-you may not be allowed to download, use, or redistribute. Please check
-your situation first before downloading any of these bundles. See the
-survey http://rechten.uvt.nl/koops/cryptolaw/index.htm for useful
-information.
-
-All work done by Karl J. Runge in this project is
-Copyright (c) 2006-2008 Karl J. Runge and is licensed under the GPL as
-described in the file COPYING in this directory.
-
-All the files and information in this project are provided "AS IS"
-without any warranty of any kind. Use them at your own risk.
-
-
-=============================================================================
-
-This bundle contains a convenient collection of enhanced TightVNC
-viewers and stunnel binaries for different flavors of Unix and wrapper
-scripts and a GUI front-end to glue them together. Automatic SSL and
-SSH encryption tunnelling is provided.
-
-A Windows SSL wrapper for the bundled TightVNC binary and other utilities
-are provided. (Launch ssvnc.exe in the Windows subdirectory).
-
-The short name of the project is "ssvnc" for SSL/SSH VNC Viewer.
-
-It is a self-contained bundle, you could carry it around on, say,
-a USB memory stick for secure VNC viewing from almost any machine,
-Unix, Mac, or Windows.
-
-Features:
---------
-
-The enhanced TightVNC viewer features are:
-
- - SSL support for connections using the bundled stunnel program.
-
- - Automatic SSH connections from the GUI (ssh must already be
- installed on Unix; bundled plink is used on Windows)
-
- - Ability to Save and Load VNC profiles for different hosts.
-
- - You can also use your own VNC Viewer, e.g. UltraVNC or RealVNC,
- with the front-end GUI or scripts if you like.
-
- - Create or Import SSL Certificates and Private Keys.
-
- - Reverse (viewer listening) VNC connections via SSL and SSH.
-
- - VeNCrypt SSL/TLS VNC encryption support (used by VeNCrypt,
- QEMU, ggi, libvirt/virt-manager/xen, vinagre/gvncviewer/gtk-vnc)
-
- - ANONTLS SSL/TLS VNC encryption support (used by Vino)
-
- - VeNCrypt and ANONTLS are also enabled for any 3rd party VNC
- Viewer (e.g. RealVNC, TightVNC, UltraVNC ...) on Unix, MacOSX,
- and Windows via the provided SSVNC VeNCrypt Viewer Bridge tool
- (use 'Change VNC Viewer' to select the one you want.)
-
- - Support for Web Proxies, SOCKS Proxies, and the UltraVNC
- repeater proxy (e.g. repeater://host:port+ID:1234). Multiple
- proxies may be chained together (3 max).
-
- - Support for SSH Gateway connections and non-standard SSH ports.
-
- - Automatic Service tunnelling via SSH for CUPS and SMB Printing,
- ESD/ARTSD Audio, and SMB (Windows/Samba) filesystem mounting.
-
- - Sets up any additional SSH port redirections that you want.
-
- - Zeroconf (aka Bonjour) is used on Unix and Mac OS X to find
- VNC servers on your local network if the avahi-browse or dns-sd
- program is available and in your PATH.
-
- - Port Knocking for "closed port" SSH/SSL connections. In addition
- to a simple fixed port sequence and one-time-pad implementation,
- a hook is also provided to run any port knocking client before a
- connecting.
-
- - Support for native MacOS X usage with bundled Chicken of the
- VNC viewer (the Unix X11 viewer is also provided for MacOS X,
- and is better IMHO).
-
- - Dynamic VNC Server Port determination and redirection (using
- ssh's builtin SOCKS proxy, -D) for servers like x11vnc that
- print out PORT= at startup.
-
- - Unix Username and Password entry for use with "x11vnc -unixpw"
- type login dialogs.
-
- - Simplified mode launched by command "sshvnc" that is SSH Only.
-
- - Simplified mode launched by command "tsvnc" that provides a VNC
- "Terminal Services" mode (uses x11vnc on the remote side).
-
-
- (the following features only apply to the bundled Unix tightvnc viewer
- including MacOS X)
-
- - rfbNewFBSize VNC support (screen resizing)
-
- - Client-side Scaling of the Viewer.
-
- - ZRLE VNC encoding support (RealVNC's encoding)
-
- - Support for the ZYWRLE encoding, a wavelet based extension to
- ZRLE to improve compression of motion video and photo regions.
-
- - TurboVNC support (VirtualGL's modified TightVNC encoding;
- requires TurboJPEG library)
-
- - Pipelined Updates of the framebuffer as in TurboVNC (asks for
- the next update before the current one has finished downloading;
- this gives some speedup on high latency connections.)
-
- - Cursor alphablending with x11vnc at 32bpp (-alpha option)
-
- - Option "-unixpw ..." for use with "x11vnc -unixpw" login dialogs.
-
- - Support for UltraVNC extensions: Single Window, Disable
- Server-side Input, 1/n Server side scaling, Text Chat (shell
- terminal UI). Both UltraVNC and x11vnc servers support these
- extensions
-
- - UltraVNC File Transfer via an auxiliary Java helper program
- (java must be in $PATH). Note that the x11vnc server supports
- UltraVNC file transfer.
-
- - Connection support for the UltraVNC repeater proxy (-repeater
- option).
-
- - Support for UltraVNC Single Click operation. (both unencrypted:
- SC I, and SSL encrypted: SC III)
-
- - Support for UltraVNC DSM Encryption Plugin mode. (ARC4 and
- AESV2, MSRC4, and SecureVNC)
-
- - Support for UltraVNC MS-Logon authentication (NOTE: the
- UltraVNC MS-Logon key exchange implementation is very weak; an
- eavesdropper on the network can recover your Windows password
- easily in a few seconds; you need to use an additional encrypted
- tunnel with MS-Logon.)
-
- - Support for symmetric encryption (including blowfish and 3des
- ciphers) to Non-UltraVNC Servers. Any server using the same
- encryption method will work, e.g.: x11vnc -enc blowfish:./my.key
-
- - Instead of hostname:display one can also supply "exec=command
- args..." to connect the viewer to the stdio of an external command
- (e.g. stunnel or socat) rather than using a TCP/IP socket. Unix
- domain sockets, e.g. /path/to/unix/socket, and a previously
- opened file descriptor fd=0, work too.
-
- - Local Port Protections for STUNNEL and SSH: avoid having for
- long periods of time a listening port on the the local (VNC
- viewer) side that redirects to the remote side.
-
- - Reverse (viewer listening) VNC connections can show a
- Popup dialog asking whether to accept the connection or not
- (-acceptpopup.) The extra info provided by UltraVNC Single Click
- reverse connections is also supported (-acceptpopupsc)
-
- - Extremely low color modes: 64 and 8 colors in 8bpp
- (-use64/-bgr222, -use8/-bgr111)
-
- - Medium color mode: 16bpp mode even for 32bpp Viewer display
- (-16bpp/-bgr565)
-
- - x11vnc's client-side caching -ncache method cropping option
- (-ycrop n). This will "hide" the large pixel buffer cache
- below the actual display. Set to actual height or use -1 for
- autodetection (tall screens are autodetected by default).
-
- - Escape Keys: enable a set of modifier keys so when they
- are all pressed down you can invoke Popup menu actions via
- keystrokes. I.e., a set of 'Hot Keys'. One can also pan (move)
- the desktop inside the viewport via Arrow keys or a mouse drag.
-
- - Scrollbar width setting: -sbwidth n, the default is very thin,
- 2 pixels, for less distracting -ycrop usage.
-
- - Selection text sending and receiving can be fine-tuned with the
- -sendclipboard, -sendalways, and -recvtext options.
-
- - TightVNC compression and quality levels are automatically set
- based on observed network latency (n.b. not bandwidth.)
-
- - Improvements to the Popup menu, all of these can now be changed
- dynamically via the menu: ViewOnly, Toggle Bell, CursorShape
- updates, X11 Cursor, Cursor Alphablending, Toggle Tight/ZRLE,
- Toggle JPEG, FullColor/16bpp/8bpp (256/64/8 colors), Greyscale
- for low color modes, Scaling the Viewer resolution, Escape Keys,
- Pipeline Updates, and others, including UltraVNC extensions.
-
- - Maintains its own BackingStore if the X server does not
-
- - The default for localhost:0 connections is not raw encoding
- (local machine). Default assumes you are using SSH tunnel. Use
- -rawlocal to revert.
-
- - XGrabServer support for fullscreen mode, for old window managers
- (-grab/-graball option).
-
- - Fix for Popup menu positioning for old window managers
- (-popupfix option).
-
- - Run vncviewer -help for all options.
-
-
-
-The list of software bundled in the archive files:
-
- TightVNC Viewer (windows, unix, macosx)
- Chicken of the VNC Viewer (macosx)
- Stunnel (windows, unix, macosx)
- Putty/Plink/Pageant (windows)
- OpenSSL (windows)
- esound (windows)
-
-These are all self-contained in the bundle directory: they will not be
-installed on your system. Just un-zip or un-tar the file you downloaded
-and run it straight from its directory.
-
-
-Quick Start:
------------
-
-Unix and Mac OS X:
-
- Inside a Terminal do something like the following.
-
- Unpack the archive:
-
- % gzip -dc ssvnc-1.0.28.tar.gz | tar xvf -
-
- Run the GUI:
-
- % ./ssvnc/Unix/ssvnc (for Unix)
-
- % ./ssvnc/MacOSX/ssvnc (for Mac OS X)
-
- The smaller file "ssvnc_no_windows-1.0.28.tar.gz"
- could have been used as well.
-
- On MacOSX you could also click on the SSVNC app icon in the Finder.
-
- On MacOSX if you don't like the Chicken of the VNC (e.g. no local
- cursors, no screen size rescaling, and no password prompting), and you
- have the XDarwin X server installed, you can set DISPLAY before starting
- ssvnc (or type DISPLAY=... in Host:Disp and hit Return). Then our
- enhanced TightVNC viewer will be used instead of COTVNC.
- Update: there is now a 'Use X11 vncviewer on MacOSX' under Options ...
-
-
- If you want a SSH-only tool (without the distractions of SSL) run
- the command:
-
- sshvnc
-
- instead of "ssvnc". Or click "SSH-Only Mode" under Options.
- Control-h will toggle between the two modes.
-
-
- If you want a simple VNC Terminal Services only mode (requires x11vnc
- on the remote server) run the command:
-
- tsvnc
-
- instead of "ssvnc". Or click "Terminal Services" under Options.
- Control-t will toggle between the two modes.
-
- "tsvnc profile-name" and "tsvnc user@hostname" work too.
-
-
-Unix/MacOSX Install:
-
- There is no standard install for the bundles, but you can make
- symlinks like so:
-
- cd /a/directory/in/PATH
- ln -s /path/to/ssvnc/bin/{s,t}* .
-
- Or put /path/to/ssvnc/bin, /path/to/ssvnc/Unix, or /path/to/ssvnc/MacOSX
- in your PATH.
-
- For the conventional source tarball it will compile and install, e.g.:
-
- gzip -dc ssvnc-1.0.28.src.tar.gz | tar xvf -
- cd ssvnc-1.0.28
- make config
- make all
- make PREFIX=/my/install/dir install
-
- then have /my/install/dir/bin in your PATH.
-
-
-Windows:
-
- Unzip, using WinZip or a similar utility, the zip file:
-
- ssvnc-1.0.28.zip
-
- Run the GUI, e.g.:
-
- Start -> Run -> Browse
-
- and then navigate to
-
- .../ssvnc/Windows/ssvnc.exe
-
- select Open, and then OK to launch it.
-
- The smaller file "ssvnc_windows_only-1.0.28.zip"
- could have been used as well.
-
- You can make a Windows shortcut to this program if you want to.
-
- See the Windows/README.txt for more info.
-
-
- If you want a SSH-only tool (without the distractions of SSL) run
- the command:
-
- sshvnc.bat
-
- Or click "SSH-Only Mode" under Options.
-
-
- If you want a simple VNC Terminal Services only mode (requires x11vnc
- on the remote server) run the command:
-
- tsvnc.bat
-
- Or click "Terminal Services" under Options. Control-t will toggle
- between the two modes. "tsvnc profile-name" and "tsvnc user@hostname"
- work too.
-
-
-
-Important Note for Windows Vista: One user reports that on Windows Vista
-if you move or extract the "ssvnc" folder down to the "Program Files"
-folder you will be prompted to do this as the Administrator. But then
-when you start up ssvnc, as a regular user, it cannot create files in
-that folder and so it fails to run properly. We recommend to not copy
-or extract the "ssvnc" folder into "Program Files". Rather, extract
-it to somewhere you have write permission (e.g. C:\ or your User dir)
-and create a Shortcut to ssvnc.exe on the desktop.
-
-If you must put a launcher file down in "Program Files", perhaps an
-"ssvnc.bat" that looks like this:
-
-C:
-cd \ssvnc\Windows
-ssvnc.exe
-
-
-SSH-ONLY Mode:
---------------
-
-If you don't care for SSL and the distractions it provides in the GUI,
-run "sshvnc" (unix/macosx) or "sshvnc.bat" (windows) to run an SSH only
-version of the GUI.
-
-Terminal Services Mode
-----------------------
-
-There is an even simpler mode that uses x11vnc on the remote side for the
-session finding and management. Run "tsvnc" (unix/macosx) or "tsvnc.bat"
-(windows) to run the Terminal Services version of the GUI.
-
-
-Bundle Info:
-------------
-
-The bundle files unpack a directory/folder named: ssvnc
-
-It contains these programs to launch the GUI:
-
- Windows/ssvnc.exe for Windows
- MacOSX/ssvnc for Mac OS X
- Unix/ssvnc for Unix
-
-(the Mac OS X and Unix launchers are simply links to the bin directory).
-
-
-Your bundle file should have included binaries for many OS's: Linux,
-Solaris, FreeBSD, etc. Unpack your archive and see the subdirectories of
-
- ./bin
-
-for the ones that were shipped in this project, e.g. ./bin/Linux.i686
-Run "uname -sm" to see your OS+arch combination (n.b. all Linux x86 are
-mapped to Linux.i686). (See the ./bin/ssvnc_cmd -h output for how to
-override platform autodection via the UNAME env. var).
-
-
-Memory Stick Usage:
--------------------
-
-If you create a directory named "Home" in that toplevel ssvnc directory
-then that will be used as the base for storing VNC profiles and
-certificates. Also, for convenience, if you first run the command with
-"." as an argument (e.g. "ssvnc .") it will automatically create that
-"Home" directory for you. This is handy if you want to place SSVNC
-on a USB flash drive that you carry around for mobile use and you want
-the profiles you create to stay with the drive (otherwise you'd have to
-browse to the drive directory each time you load or save).
-
-One user on Windows created a BAT file to launch SSVNC and needed to
-do this to get the Home directory correct:
-
-cd \ssvnc\Windows
-start \ssvnc\Windows\ssvnc.exe
-
-(an optional profile name can be supplied to the ssvnc.exe line)
-
-WARNING: if you use ssvnc from an "Internet Cafe", i.e. an untrusted
-computer, an intruder may be capturing keystrokes etc.
-
-
-External Dependencies:
-----------------------
-
-On Windows everything is included. Let us know if you find otherwise.
-
-On Unix depending on what you do you need these programs installed:
-
- - basic unix utilities (sh, ls, cat, awk, sed, etc..)
- - tcl/tk (wish interpreter)
- - xterm
- - perl
- - ssh
- - openssl
-
- Lesser used ones: netcat, esd/artsd, smbclient, smbmount, cups
-
-On Mac OS X depending on what you do you need these programs installed:
-
- - basic unix utilities (sh, ls, cat, awk, sed, etc..)
- - tcl/tk (wish interpreter)
- - Terminal
- - perl
- - ssh
- - openssl
-
- Lesser used ones: netcat, smbclient, cups
-
-Most Mac OS X and Unix OS come with the main components installed.
-
-See the README.src for a more detailed description of dependencies.
-
-
-TurboVNC Support:
-----------------
-
-TurboVNC is supported in an experimental way. To it build via the
-build.unix script described in the next section, do something like:
-
- env TURBOVNC='-L/DIR -Xlinker --rpath=/DIR -lturbojpeg' ./build.unix
-
-where you replace /DIR with the directory where the libturbojpeg.so
-(http://sourceforge.net/project/showfiles.php?group_id=117509&package_id=166100)
-is installed.
-
-You may not need to set rpath if libturbojpeg.so is installed in a
-standard location or you use LD_LIBRARY_PATH to point to it.
-
-See the turbovnc/README in the vnc_unixsrc/vncviewer directory for
-more info. You can find it in the ssvnc source tarball and also
-in:
-
- src/zips/vnc_unixsrc_vncviewer.patched.tar
-
-More TurboVNC features will be enabled in the future.
-
-
-If you need to Build:
---------------------
-
-If your OS/arch is not included or the provided binary has the wrong
-library dependencies, etc. the script "build.unix" may be able to
-successfully build on for you and deposit the binaries down in ./bin/...
-using the included source code. It is a hack but usually works.
-
-You MUST run the build.unix script from this directory (that this toplevel
-README is in, i.e "ssvnc") and like this:
-
- ./build.unix
-
-To use custom locations for libraries see the LDFLAGS_OS and CPPFLAGS_OS
-description at the top of the build.unix script.
-
-You can set these env. vars to customize the build:
-
- SSVNC_BUILD_NO_STATIC=1 do not try to statically link libs
- SSVNC_BUILD_FORCE_OVERWRITE=1 do not prompt about existing binaries
- SSVNC_BUILD_SKIP_VIEWER=1 do not build vncviewer
- SSVNC_BUILD_SKIP_STUNNEL=1 do not build stunnel
- SSVNC_BUILD_ULTRAFTP=1 only build the file xfer helper jar
-
-here is an example to build only the vncviewer and with normal library
-linking (and in a more or less automated way):
-
- env SSVNC_BUILD_NO_STATIC=1 SSVNC_BUILD_FORCE_OVERWRITE=1 SSVNC_BUILD_SKIP_STUNNEL=1 ./build.unix
-
-Feel free to ask us if you need help running ./build.unix
-
-
-Convential Build:
-
-A more conventional source tarball is provided in ssvnc-x.y.z.src.tar.gz.
-It uses a more or less familiar 'make config; make all; make PREFIX=path install'
-method. It does not include stunnel, so that must be installed on the
-system separately.
-
-
-The programs:
-------------
-
-Unpack your archive, and you will see "bin", "Windows", "src" directories
-and other files. The command line wrapper scripts:
-
- ./bin/ssvnc_cmd
- ./bin/tightvncviewer
-
-are the main programs that are run and will try to autodetect your OS+arch
-combination and if binaries are present for it automatically use them.
-(if not found try the running the build.unix script).
-
-If you prefer a GUI to prompt for parameters and then start ssvnc_cmd
-you can run this instead:
-
- ./bin/ssvnc
-
-this is the same GUI that is run on Windows (the ssvnc.exe).
-There are also:
-
- ./bin/sshvnc (SSH-Only)
- ./bin/tsvnc (Terminal Services Mode)
-
-For convenience, you can make symlinks from a directory in your PATH to
-any of the 3 programs above you wish to run. That is all you usually
-need to do for it to pick up all of the binaries, utils, etc. E.g.
-assuming $HOME/bin is in your $PATH:
-
- cd $HOME/bin
- ln -s /path/to/ssvnc/bin/{s,t}* .
-
-(note the "." at the end). The above commands is basically the way to
-"install" this on Unix or MacOS X.
-
-Also links to the GUI launcher script are provided in:
-
- MacOSX/ssvnc
- Unix/ssvnc
-
-and sshvnc and tsvnc. You could also put the Unix or MacOSX directory
-in your PATH.
-
-
-On Windows unpack your archive and run:
-
- Windows/ssvnc.exe
-
-
-Examples:
---------
-
-The following assume you are in the toplevel directory of the
-archive you unpacked.
-
-Use enhanced TightVNC unix viewer to connect to x11vnc via SSL:
-
- ./bin/ssvnc_cmd far-away.east:0
-
- ./bin/tightvncviewer -ssl far-away.east:0 (same)
-
- ./bin/ssvnc (start GUI launcher)
-
-Use enhanced TightVNC unix viewer without SSL:
-
- ./bin/tightvncviewer far-away.east:0
-
-Use SSL to connect to a x11vnc server, and also verify the server's
-identity using the SSL Certificate in the file ./x11vnc.pem:
-
- ./bin/ssvnc_cmd -alpha -verify ./x11vnc.pem far-away.east:0
-
-(also turns on the viewer-side cursor alphablending hack).
-
-
-Brief description of the subdirectories:
----------------------------------------
-
- ./bin/util some utility scripts, e.g. ss_vncviewer
- and ssvnc.tcl
-
- ./src source code and patches.
- ./src/zips zip files of source code and binaries.
-
- ./src/vnc_unixsrc unpacked tightvnc source code tree.
- ./src/stunnel-4.14 unpacked stunnel source code tree.
- ./src/patches patches to TightVNC viewer for the new
- features on Unix (used by build.unix).
- ./src/tmp temporary build dir for build.unix
- (the last four are used by build.unix)
-
-
- ./man man pages for TightVNC viewer and stunnel.
-
- ./Windows Stock TightVNC viewer and Stunnel, Openssl
- etc Windows binaries. ssvnc.exe is the
- program to run.
-
- ./MacOSX contains an unpacked Chicken of the VNC
- viewer and a symlink to ssvnc.
-
- ./Unix contains a symlink to ssvnc.
-
-Depending on which bundle you use not all of the above may be present.
-The smallest bundles with binaries are:
-
- ssvnc_windows_only-1.x.y.zip Windows
- ssvnc_no_windows-1.x.y.tar.gz Unix and MacOSX
-
-however, the tiny scripts only one (only 60KB) will run properly on Unix
-as long as you install external vncviewer and stunnel packages:
-
- ssvnc_unix_minimal-1.x.y.tar.gz
-
-
-Untrusted Local Users:
----------------------
-
- *IMPORTANT WARNING*: If you run SSVNC on a workstation or computer
- that other users can log into and you DO NOT TRUST these users
- (it is a shame but sometimes one has to work in an environment like
- this), then please note the following warning.
-
- By 'do not trust' we mean they might try to gain access to remote
- machines you connect to via SSVNC. Note that an untrusted local
- user can often obtain root access in a short amount of time; if a
- user has achieved that, then all bets are off for ANYTHING that you
- do on the workstation. It is best to get rid of Untrusted Local
- Users as soon as possible.
-
- Both the SSL and SSH tunnels set up by SSVNC listen on certain ports
- on the 'localhost' address and redirect TCP connections to the remote
- machine; usually the VNC server running there (but it could also be
- another service, e.g. CUPS printing). These are the stunnel(8) SSL
- redirection and the ssh(1) '-L' port redirection. Because 'localhost'
- is used only users or programs on the same workstation that is
- running SSVNC can connect to these ports, however this includes any
- local users (not just the user running SSVNC.)
-
- If the untrusted local user tries to connect to these ports, he may
- succeed in varying degrees to gain access to the remote machine.
- We now list some safeguards one can put in place to try to make this
- more difficult to achieve.
-
- It probably pays to have the VNC server require a password, even
- though there has already been SSL or SSH authentication (via
- certificates or passwords). In general if the VNC Server requires
- SSL authentication of the viewer that helps, unless the untrusted
- local user has gained access to your SSVNC certificate keys.
-
- If the VNC server is configured to only allow one viewer connection
- at a time, then the window of opportunity that the untrusted local
- user can use is greatly reduced: he might only have a second or two
- between the tunnel being set up and the SSVNC vncviewer connecting
- to it (i.e. if the VNC server only allows a single connection, the
- untrusted local user cannot connect once your session is established).
- Similarly, when you disconnect the tunnel is torn down quickly and
- there is little or no window of opportunity to connect (e.g. x11vnc
- in its default mode exits after the first client disconnects).
-
- Also for SSL tunnelling with stunnel(8) on Unix using one of the SSVNC
- prebuilt 'bundles', a patched stunnel is provided that denies all
- connections after the first one, and exits when the first one closes.
- This is not true if the system installed stunnel(8) is used and is
- not true when using SSVNC on Windows.
-
- The following are two experimental features that are added to SSVNC
- to improve the situation for the SSL/stunnel case. Set them via
- Options -> Advanced -> "STUNNEL Local Port Protections".
-
- 1) For SSL tunnelling with stunnel(8) on Unix there is a setting
- 'Use stunnel EXEC mode' (experimental) that will try to exec(2)
- stunnel instead of using a listening socket. This will require
- using the specially modified vncviewer unix viewer provided
- by SSVNC. If this mode proves stable it will become the default.
-
- 2) For SSL tunnelling with stunnel(8) on Unix there is a setting
- 'Use stunnel IDENT check' (experimental) to limit socket
- connections to be from you (this assumes the untrusted local
- user has not become root on your workstation and has modified
- your local IDENT check service; if he has you have much bigger
- problems to worry about...)
-
- There is also one simple LD_PRELOAD trick for SSH to limit the number
- of accepted port redirection connections. This makes the window of
- time the untrusted local user can connect to the tunnel much smaller.
- Enable it via Options -> Advanced -> "SSH Local Port Protections".
- You will need to have the lim_accept.so file in your SSVNC package.
-
- The main message is to 'Watch your Back' when you connect via the
- SSVNC tunnels and there are users you don't trust on your workstation.
- The same applies to ANY use of SSH '-L' port redirections or outgoing
- stunnel SSL redirection services.
-
-
-Help and Info:
--------------
-
-For more help on other options and usage patterns run these:
-
- ./bin/ssvnc_cmd -h
- ./bin/util/ss_vncviewer -h
-
-See also:
-
- http://www.karlrunge.com/x11vnc
- http://www.karlrunge.com/x11vnc/faq.html
- x11vnc -h | more
-
- http://stunnel.mirt.net
- http://www.stunnel.org
- http://www.openssl.org
- http://www.tightvnc.com
- http://www.realvnc.com
- http://www.chiark.greenend.org.uk/~sgtatham/putty/
- http://sourceforge.net/projects/cotvnc/