diff options
author | runge <runge> | 2006-10-07 14:54:56 +0000 |
---|---|---|
committer | runge <runge> | 2006-10-07 14:54:56 +0000 |
commit | 4af738e0c8b561b6f15c614037cc0ea5d1ccfd80 (patch) | |
tree | 3c996ef3a2a2957934feae7822aeba6b71698ece /x11vnc/misc | |
parent | 6f47809af2e44e28d9f97c11b26726e62ee2654f (diff) | |
download | libtdevnc-4af738e0c8b561b6f15c614037cc0ea5d1ccfd80.tar.gz libtdevnc-4af738e0c8b561b6f15c614037cc0ea5d1ccfd80.zip |
Changes for ETV, double SSL/SSH.
Diffstat (limited to 'x11vnc/misc')
7 files changed, 612 insertions, 66 deletions
diff --git a/x11vnc/misc/enhanced_tightvnc_viewer/README b/x11vnc/misc/enhanced_tightvnc_viewer/README index 0946d89..6811b9d 100644 --- a/x11vnc/misc/enhanced_tightvnc_viewer/README +++ b/x11vnc/misc/enhanced_tightvnc_viewer/README @@ -17,6 +17,7 @@ by others. See these sites and related ones for more information: http://www.tightvnc.com http://www.realvnc.com http://www.stunnel.org + http://stunnel.mirt.net http://www.openssl.org http://www.chiark.greenend.org.uk/~sgtatham/putty/ @@ -46,6 +47,9 @@ Also, a Windows SSL wrapper for the co-bundled TightVNC binary and other utilities are provided. (Launch ssl_tightvncviewer.exe in the Windows subdirectory). +It is a self-contained package, you could carry it around on, say, +a USB memory stick for secure VNC viewing from almost any machine, +Unix or Windows. Features: -------- @@ -215,6 +219,7 @@ See also: x11vnc -h | more http://www.stunnel.org + http://stunnel.mirt.net http://www.openssl.org http://www.tightvnc.com http://www.realvnc.com diff --git a/x11vnc/misc/enhanced_tightvnc_viewer/Windows/util/connect_br.tcl b/x11vnc/misc/enhanced_tightvnc_viewer/Windows/util/connect_br.tcl new file mode 100755 index 0000000..e8654a3 --- /dev/null +++ b/x11vnc/misc/enhanced_tightvnc_viewer/Windows/util/connect_br.tcl @@ -0,0 +1,239 @@ +#!/usr/bin/wish + +global env + +set proxy1 "" +set proxy2 "" +set client_fh "" +set server_fh "" + +set debug 0 +if {$debug} { + if {! [info exists env(SSL_VNC_DEST)]} { + set env(SSL_VNC_DEST) "haystack:2037" + } + if {! [info exists env(SSL_VNC_PROXY)]} { + set env(SSL_VNC_PROXY) "haystack:2037" + } + if {! [info exists env(SSL_VNC_LISTEN)]} { + set env(SSL_VNC_LISTEN) "6789" + } +} + +set dest $env(SSL_VNC_DEST) + +if [regexp {,} $env(SSL_VNC_PROXY)] { + set s [split $env(SSL_VNC_PROXY) ","] + set proxy1 [lindex $s 0] + set proxy2 [lindex $s 1] +} else { + set proxy1 $env(SSL_VNC_PROXY) +} + +set s [split $proxy1 ":"] +set proxy1_host [lindex $s 0] +set proxy1_port [lindex $s 1] + +if {$proxy2 != ""} { + set s [split $proxy2 ":"] + set proxy2_host [lindex $s 0] + set proxy2_port [lindex $s 1] +} + +set lport $env(SSL_VNC_LISTEN) + +set got_connection 0 +set lsock [socket -myaddr 127.0.0.1 -server handle_connection $lport] + +if {1} { + wm withdraw . +} +button .b -text "CONNECT_BR" -command {destroy .} +pack .b +after 1000 check_callback + +proc check_callback {} { + global debug + if {$debug} { + puts stderr "." + } + check_closed + after 1000 check_callback +} + +proc check_closed {} { + global client_fh server_fh debug + global got_connection + + if {! $got_connection} { + return + } + set delay 100 + if {$client_fh != "" && [eof $client_fh]} { + if {$debug} { + puts stderr "client_fh EOF" + } + catch {flush $client_fh} + after $delay + catch {close $client_fh} + after $delay + catch {flush $server_fh} + after $delay + catch {close $server_fh} + destroy . + exit + } + if {$server_fh != "" && [eof $server_fh]} { + if {$debug} { + puts stderr "server_fh EOF" + } + catch {flush $server_fh} + after $delay + catch {close $server_fh} + after $delay + catch {flush $client_fh} + after $delay + catch {close $client_fh} + destroy . + exit + } +} + +proc xfer_in_to_out {} { + global client_fh server_fh debug + if {$client_fh != "" && ![eof $client_fh]} { + set str [read $client_fh 4096] + if {$debug} { + puts stderr "xfer_in_to_out: $str" + } + if {$server_fh != ""} { + puts -nonewline $server_fh $str + flush $server_fh + } + } + check_closed +} + +proc xfer_out_to_in {} { + global client_fh server_fh debug + if {$server_fh != "" && ![eof $server_fh]} { + set str [read $server_fh 4096] + if {$debug} { + puts stderr "xfer_out_to_in: $str" + } + if {$client_fh != ""} { + puts -nonewline $client_fh $str + flush $client_fh + } + } + check_closed +} + +proc handle_connection {fh host port} { + global proxy1_host proxy1_port + global proxy2_host proxy2_port + global proxy1 proxy2 + global dest + global debug + global got_connection + + if {$got_connection} { + catch {close $fh} + return + } + set got_connection 1 + + if {$debug} { + puts stderr "connection from: $host $port" + puts stderr "socket $proxy1_host $proxy1_port" + } + + set sock [socket $proxy1_host $proxy1_port] + + global client_fh server_fh + set client_fh $fh + set server_fh $sock + + fconfigure $fh -translation binary -blocking 0 + fconfigure $sock -translation binary -blocking 0 + + set con "" + if {$proxy2 != ""} { + append con "CONNECT $proxy2 HTTP/1.1\r\n" + append con "Host: $proxy2\r\n\r\n" + } else { + append con "CONNECT $dest HTTP/1.1\r\n" + append con "Host: $dest\r\n\r\n" + } + + puts -nonewline $sock $con + flush $sock + + set r "" + set cnt 0 + while {1} { + set c [read $sock 1] + if {$c == ""} { + check_closed + after 20 + } + incr cnt + if {$debug} { + .b configure -text "A $cnt -- $c" + update + } + append r $c + if {[regexp "\r\n\r\n" $r] || [regexp "a--no--\n\n" $r]} { + break + } + if {$cnt > 3000} { + break + } + } + if {! [regexp {HTTP/.* 200} $r]} { + puts stderr "did not find HTTP 200 #1" + if {1} { + destroy . + exit 1 + } + } + + if {$proxy2 != ""} { + set con "" + append con "CONNECT $dest HTTP/1.1\r\n" + append con "Host: $dest\r\n\r\n" + + puts -nonewline $sock $con + flush $sock + + set r "" + set cnt 0 + while {1} { + set c [read $sock 1] + if {$c == ""} { + check_closed + after 20 + } + incr cnt + if {$debug} { + .b configure -text "B $cnt -- $c" + update + } + append r $c + if {[regexp "\r\n\r\n" $r] || [regexp "a--no--\n\n" $r]} { + break + } + if {$cnt > 3000} { + break + } + } + if {! [regexp {HTTP/.* 200} $r]} { + puts stderr "did not find HTTP 200 #2" + destroy . + exit 1 + } + } + + fileevent $fh readable xfer_in_to_out + fileevent $sock readable xfer_out_to_in +} diff --git a/x11vnc/misc/enhanced_tightvnc_viewer/Windows/util/info/stunnel/location.url b/x11vnc/misc/enhanced_tightvnc_viewer/Windows/util/info/stunnel/location.url index c700866..4f87491 100644 --- a/x11vnc/misc/enhanced_tightvnc_viewer/Windows/util/info/stunnel/location.url +++ b/x11vnc/misc/enhanced_tightvnc_viewer/Windows/util/info/stunnel/location.url @@ -1 +1,2 @@ http://www.stunnel.org/download/binaries.html +http://stunnel.mirt.net/ diff --git a/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssl_tightvncviewer.tcl b/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssl_tightvncviewer.tcl index c055e0a..986edd0 100755 --- a/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssl_tightvncviewer.tcl +++ b/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssl_tightvncviewer.tcl @@ -108,11 +108,16 @@ proc help {} { Proxies: If an intermediate proxy is needed to make the SSL connection (e.g. web gateway out of a firewall), supply both hosts separated - by spaces (with the proxy 2nd): + by spaces (with the proxy second): host:number gwhost:port - E.g.: far-way.east:0 mygateway.com:8080 + E.g.: far-away.east:0 mygateway.com:8080 + + If the "double proxy" case is required (e.g. coming out of a web + proxied firewall environment), separate them via a comma, e.g.: + + far-away:0 local-proxy:8080,mygateway.com:443 See the ssl_vncviewer description and x11vnc FAQ for info on proxies: @@ -164,8 +169,15 @@ proc help {} { 2) If you use "user@hostname cmd=SHELL" then you get an SSH shell only: no VNC viewer will be launched. On Windows "user@hostname cmd=PUTTY" - will try to use putty.exe (better terminal emulation than plink.exe) - A shortcut for this is Ctrl-S as long as user@hostname is present. + will try to use putty.exe (better terminal emulation than + plink.exe). A shortcut for this is Ctrl-S as long as user@hostname + is present in the entry box. + + 3) If you use "user@hostname cmd=KNOCK" then only the port-knocking + is performed. A shortcut for this is Ctrl-P as long as hostname + is present in the entry box. If it matches cmd=KNOCKF, i.e. an + extra "F", then the port-knocking "FINISH" sequence is sent, if any. + A shortcut for this Shift-Ctrl-P as long as hostname is present. } .h.f.t insert end $msg @@ -265,18 +277,18 @@ set msg { tunnel. You must be able to log in via ssh to the remote host. On Unix the cmdline ssh(1) program will be run in an xterm - for authentication, etc. On Windows the cmdline plink.exe - program will be launched in a Windows Console window. + for passphrase authentication, etc. On Windows the cmdline + plink.exe program will be launched in a Windows Console window. - You can set the "VNC Server" to "user@host:disp" to indicate - ssh should log in as "user" on "host". On Windows you must + You can set the "VNC Server" to "user@host:disp" to indicate ssh + should log in as "user" on "host". NOTE: On Windows you MUST always supply the "user@" part (due to a plink deficiency). E.g.: fred@far-away.east:0 - If a gateway machine must be used (e.g. to enter a firewall; - the VNC Server is not running on it), put something like this - in the "VNC Server" entry box: + If an intermediate gateway machine must be used (e.g. to enter + a firewall; the VNC Server is not running on it), put something + like this in the "VNC Server" entry box: workstation:0 user@gateway-host:port @@ -285,6 +297,16 @@ set msg { ":port" is optional, use it if the gateway-host SSH port is not the default value 22. + One can also do a "double ssh", i.e. a first SSH to the + gateway login machine then a 2nd ssh to the destination machine + (presumably it is running the vnc server). Unlike the above + example, the "last leg" (gateway-host -> workstation) is also + encrypted by SSH this way. Do this by splitting the gateway + in two with a comma, the part before it is the first SSH: + + :0 user@gateway-host:port,user@workstation:port + + At the very end of the entry box, you can also append a cmd=... string to indicate that command should be run via ssh on the remote machine instead of the default "sleep 15". E.g.: @@ -293,6 +315,7 @@ set msg { (if a gateway is also needed, put it just before the cmd=...) + Trick: If you use "cmd=SHELL" then you get an SSH shell only: no VNC viewer will be launched. On Windows "cmd=PUTTY" will try to use putty.exe (better terminal emulation than plink.exe) @@ -345,18 +368,14 @@ set msg { with Load Profile. Use the Browse... button to select the filename via the GUI. - Include: Profile template(s) to load before loading a profile - (see Load Profile above). For example if you Save - a profile called "globals" that has some settings - you use often, then just supply "Include: globals" - to have them applied. - - You may supply a comma or space separated list of - templates to include. They can be full path names or - basenames relative to the profiles directory. You do - not need to supply the .vnc suffix. The non-default - settings in them will be applied first, and then any - values then in the loaded Profile will override them. + Note: On Windows since the TightVNC Viewer will save + its own settings in the registry, some unexpected + behavior is possible because the viewer is nearly + always directed to the VNC host "localhost:30". E.g. if + you specify "View Only" in this gui once but not next + time the Windows VNC Viewer may remember the setting. + Unfortunately there is not a /noreg option for the Viewer. + Clear Options: Set all options to their defaults (i.e. unset). @@ -880,6 +899,24 @@ proc make_plink {} { update } +proc ssh_split {str} { + if {! [regexp {:} $str]} { + append str ":22" + } + regsub {:.*$} $str "" ssh_host + regsub {^.*:} $str "" ssh_port + if {$ssh_port == ""} { + set ssh_port 22 + } + if [regexp {@} $ssh_host] { + regsub {@.*$} $ssh_host "" ssh_user + regsub {^.*@} $ssh_host "" ssh_host + } else { + set ssh_user "" + } + return [list $ssh_user $ssh_host $ssh_port] +} + proc launch_windows_ssh {hp file n} { global is_win9x env global use_sshssl use_ssh putty_pw @@ -918,16 +955,65 @@ proc launch_windows_ssh {hp file n} { set ssh_host $hpnew regsub {:.*$} $ssh_host "" ssh_host + set double_ssh "" + set p_port "" if {$proxy != ""} { - set ssh_host $proxy + if [regexp {,} $proxy] { + if {$is_win9x} { + mesg "Double proxy does not work on Win9x" + bell + return 0 + } + # user1@gateway:port1,user2@workstation:port2 + set proxy1 "" + set proxy2 "" + set s [split $proxy ","] + set proxy1 [lindex $s 0] + set proxy2 [lindex $s 1] + + set p_port [expr 3000 + 1000 * rand()] + set p_port [expr round($p_port)] + + set s [ssh_split $proxy1] + set ssh_user1 [lindex $s 0] + set ssh_host1 [lindex $s 1] + set ssh_port1 [lindex $s 2] + + set s [ssh_split $proxy2] + set ssh_user2 [lindex $s 0] + set ssh_host2 [lindex $s 1] + set ssh_port2 [lindex $s 2] + + set u1 "" + if {$ssh_user1 != ""} { + set u1 "${ssh_user1}@" + } + set u2 "" + if {$ssh_user2 != ""} { + set u2 "${ssh_user2}@" + } + + set double_ssh "-L $p_port:$ssh_host2:$ssh_port2 -P $ssh_port1 $u1$ssh_host1" + set proxy_use "${u2}localhost:$p_port" + + } else { + # user1@gateway:port1 + set proxy_use $proxy + } + + set ssh_host $proxy_use regsub {:.*$} $ssh_host "" ssh_host - set ssh_port $proxy + set ssh_port $proxy_use regsub {^.*:} $ssh_port "" ssh_port if {$ssh_port == ""} { set ssh_port 22 } + set vnc_host $hpnew regsub {:.*$} $vnc_host "" vnc_host + if {$vnc_host == ""} { + set vnc_host "localhost" + } } if {![regexp {^[^ ][^ ]*@} $ssh_host]} { @@ -974,6 +1060,8 @@ proc launch_windows_ssh {hp file n} { set tag [contag] + set file_double "" + set file_pre "" set file_pre_cmd "" if {$do_pre} { @@ -1077,6 +1165,10 @@ proc launch_windows_ssh {hp file n} { append extra_redirs [get_additional_redir] } + if {$vnc_host == ""} { + set vnc_host "localhost" + } + set plink_str "plink.exe -ssh -P $ssh_port $verb -L $use:$vnc_host:$vnc_port $extra_redirs -t" if {$extra_redirs != ""} { regsub {exe} $plink_str "exe -C" plink_str @@ -1125,6 +1217,41 @@ proc launch_windows_ssh {hp file n} { return 0 } + if {$double_ssh != ""} { + set plink_str_double_ssh "plink.exe -ssh -t $pw $double_ssh \"echo sleep 60 ...; sleep 60; echo done.\"" + + regsub {\.bat} $file "dob.bat" file_double + set fhdouble [open $file_double "w"] + puts $fhdouble $plink_str_double_ssh + puts $fhdouble "del $file_double" + close $fhdouble + + set com "cmd.exe" + if [info exists env(COMSPEC)] { + set com $env(COMSPEC) + } + + exec $com /c $file_double & + + set waited 0 + set gotit 0 + while {$waited < 30000} { + after 500 + update + set ns [get_netstat] + set re ":$p_port" + append re {[ ][ ]*[0:.][0:.]*[ ][ ]*LISTEN} + if [regexp $re $ns] { + set gotit 1 + break + } + set waited [expr "$waited + 500"] + } + if {! $gotit} { + after 5000 + } + } + if {$is_win9x} { wm withdraw . update @@ -1282,6 +1409,9 @@ proc launch_windows_ssh {hp file n} { if {$file_pre_cmd != ""} { catch {file delete $file_pre_cmd} } + if {$file_double != ""} { + catch {file delete $file_double} + } global sound_daemon_local_kill if {! $is_win9x && $use_sound && $sound_daemon_local_kill && $sound_daemon_local_cmd != ""} { @@ -1453,6 +1583,35 @@ proc do_unix_pre {tag proxy hp pk_hp} { } } +proc port_knock_only {hp {mode KNOCK}} { + if {$hp == ""} { + global vncdisplay + set hp $vncdisplay + if {$hp == ""} { + mesg "No host port found" + bell + return + } + } + set hpnew [get_ssh_hp $hp] + set proxy [get_ssh_proxy $hp] + set sshcmd [get_ssh_cmd $hp] + set hp $hpnew + + set pk_hp "" + if {$proxy != ""} { + set pk_hp $proxy + } + if {$pk_hp == ""} { + set pk_hp $hp + } + if {$mode == "KNOCK"} { + do_port_knock $pk_hp start + } elseif {$mode == "FINISH"} { + do_port_knock $pk_hp finish + } +} + proc launch_unix {hp} { global smb_redir_0 smb_mounts env @@ -1823,6 +1982,7 @@ proc launch {{hp ""}} { global vncdisplay tcl_platform is_windows global mycert svcert crtdir global pids_before pids_after pids_new + global env global use_ssh use_sshssl set debug 0 @@ -1844,6 +2004,16 @@ proc launch {{hp ""}} { mesg "Using: $hp" after 600 + set sc [get_ssh_cmd $hp] + if {[regexp {^KNOCK} $sc]} { + if [regexp {^KNOCKF} $sc] { + port_knock_only $hp "FINISH" + } else { + port_knock_only $hp "KNOCK" + } + return + } + if {$debug} { mesg "\"$tcl_platform(os)\" | \"$tcl_platform(osVersion)\"" after 1000 @@ -1896,6 +2066,11 @@ proc launch {{hp ""}} { set n2 "" set now [clock seconds] + set proxy [get_ssh_proxy $hp] + if {$use_sshssl} { + set proxy "" + } + for {set i 30} {$i < 90} {incr i} { set try "$prefix-$i.$suffix" if {[file exists $try]} { @@ -1907,7 +2082,7 @@ proc launch {{hp ""}} { } } if {! [file exists $try]} { - if {$use_sshssl} { + if {$use_sshssl || $proxy != ""} { if {$file != ""} { set file2 $try set n2 $i @@ -1916,7 +2091,7 @@ proc launch {{hp ""}} { } set file $try set n $i - if {! $use_sshssl} { + if {! $use_sshssl && $proxy == ""} { break } } @@ -1947,23 +2122,13 @@ proc launch {{hp ""}} { return } - if [regexp {[ ]} $hp] { - # proxy or cmd case (should not happen? yet?) - regsub {[ ].*$} $hp "" hp2 - } else { - set list [split $hp ":"] - set host [lindex $list 0] - set disp [lindex $list 1] - set disp [string trim $disp] - regsub { .*$} $disp "" disp - if {$disp == ""} { - set disp 0 - } - set port [expr "$disp + 5900"] - } - set list [split $hp ":"] + set host [lindex $list 0] + if {$host == ""} { + set host "localhost" + } + set disp [lindex $list 1] set disp [string trim $disp] regsub { .*$} $disp "" disp @@ -1972,6 +2137,12 @@ proc launch {{hp ""}} { } set port [expr "$disp + 5900"] + if {$proxy != ""} { + set env(SSL_VNC_PROXY) $proxy + set env(SSL_VNC_LISTEN) [expr "$n2 + 5900"] + set env(SSL_VNC_DEST) "$host:$port" + } + if {$debug} { mesg "file: $file" after 1000 @@ -2024,7 +2195,7 @@ proc launch {{hp ""}} { set port2 [expr "$n + 5900"] puts $fh "accept = localhost:$port2" - if {$use_sshssl} { + if {$use_sshssl || $proxy != ""} { set port [expr "$n2 + 5900"] puts $fh "connect = localhost:$port" } else { @@ -2047,6 +2218,16 @@ proc launch {{hp ""}} { return } + set proxy_pid "" + if {$proxy != ""} { + mesg "Starting TCP helper on port $port ..." + after 600 + set proxy_pid [exec "connect_br.exe" &] + unset -nocomplain env(SSL_VNC_PROXY) + unset -nocomplain env(SSL_VNC_LISTEN) + unset -nocomplain env(SSL_VNC_DEST) + } + mesg "Starting STUNNEL on port $port2 ..." after 600 @@ -2158,6 +2339,7 @@ proc set_mycert {} { set mycert $t } catch {wm deiconify .c} + v_mycert update } @@ -2192,6 +2374,26 @@ proc show_cert {crt} { catch {raise $w} } +proc v_svcert {} { + global svcert + if {$svcert == "" || ! [file exists $svcert]} { + catch {.c.svcert.i configure -state disabled} + } else { + catch {.c.svcert.i configure -state normal} + } + return 1 +} + +proc v_mycert {} { + global mycert + if {$mycert == "" || ! [file exists $mycert]} { + catch {.c.mycert.i configure -state disabled} + } else { + catch {.c.mycert.i configure -state normal} + } + return 1 +} + proc show_mycert {} { global mycert show_cert $mycert @@ -2216,6 +2418,7 @@ proc set_svcert {} { set svcert $t } catch {wm deiconify .c} + v_svcert update } @@ -2452,6 +2655,8 @@ emailAddress_max = 64 set geometry [xterm_center_geometry] update eval exec xterm -geometry $geometry -title Running_OpenSSL -e $cmd + catch {file attributes $pem -permissions go-rw} + catch {file attributes $crt -permissions go-w} } catch {file delete $tmp} @@ -2851,6 +3056,13 @@ proc do_save {} { -message $emess -title "Save File: $import_save_file" return } + global is_windows + if {! $is_windows} { + catch {file attributes $import_save_file -permissions go-w} + if {[regexp {PRIVATE} $str] || [regexp {\.pem$} $import_save_file]} { + catch {file attributes $import_save_file -permissions go-rw} + } + } puts -nonewline $fh $str close $fh catch {destroy .icrt} @@ -2988,12 +3200,22 @@ proc getcerts {} { label .c.svcert.l -anchor w -width 12 -text "ServerCert:" label .c.crtdir.l -anchor w -width 12 -text "CertsDir:" - entry .c.mycert.e -width 32 -textvariable mycert - entry .c.svcert.e -width 32 -textvariable svcert + entry .c.mycert.e -width 32 -textvariable mycert -vcmd v_mycert + entry .c.svcert.e -width 32 -textvariable svcert -vcmd v_svcert + bind .c.mycert.e <Enter> {.c.mycert.e validate} + bind .c.mycert.e <Leave> {.c.mycert.e validate} + bind .c.svcert.e <Enter> {.c.svcert.e validate} + bind .c.svcert.e <Leave> {.c.svcert.e validate} entry .c.crtdir.e -width 32 -textvariable crtdir button .c.mycert.b -text "Browse..." -command {set_mycert; catch {raise .c}} button .c.svcert.b -text "Browse..." -command {set_svcert; catch {raise .c}} button .c.crtdir.b -text "Browse..." -command {set_crtdir; catch {raise .c}} + button .c.mycert.i -text "Info" -command {show_mycert} + button .c.svcert.i -text "Info" -command {show_svcert} + button .c.crtdir.i -text "Info" -command {} + .c.mycert.i configure -state disabled + .c.svcert.i configure -state disabled + .c.crtdir.i configure -state disabled bind .c.mycert.b <B3-ButtonRelease> "show_mycert" bind .c.svcert.b <B3-ButtonRelease> "show_svcert" @@ -3010,6 +3232,7 @@ proc getcerts {} { pack .c.$w.l -side left pack .c.$w.e -side left -expand 1 -fill x pack .c.$w.b -side left + pack .c.$w.i -side left bind .c.$w.e <Return> ".c.$w.b invoke" if {$use_ssh} { .c.$w.l configure -state disabled @@ -3722,19 +3945,21 @@ set cmd(5) { if [ "$rc" = 0 ]; then if [ "X$have_perl_done" = "X1" -o 1 = 1 ] ; then echo - echo "Your SMB shares will be be unmounted when the VNC connection" - echo "closes. If that fails follow these instructions:" + echo "Your SMB shares will be unmounted when the VNC connection closes," + echo "*As Long As* No Applications have any of the share files opened or are" + echo "cd-ed into any of the share directories." + echo + echo "Try to make sure nothing is accessing the SMB shares before disconnecting" + echo "the VNC session. If you fail to do that follow these instructions:" fi echo - echo "To unmount your SMB shares make sure no applications are still using" - echo "any of the files and no shells are still cd-ed into the share area," - echo "then type:" + echo "To unmount your SMB shares make sure no applications are still using any of" + echo "the files and no shells are still cd-ed into the share area, then type:" echo echo " rm -f $smb_script" echo - echo "(to avoid a 2nd ssh, try to do this before terminating the VNC Viewer)" - echo - echo "In the worst case run: smbumount /path/to/mount/point for each mount." + echo "In the worst case run: smbumount /path/to/mount/point for each mount as root" + echo "Even with the remote redirection gone the kernel should umount after a timeout." else echo if [ "$DO_SMB_SU" = "1" ]; then @@ -3819,7 +4044,6 @@ set cmd(6) { fi - echo #FINMSG echo echo "--vnc-helper-exiting--" @@ -4927,7 +5151,7 @@ proc smb_dialog {} { VERY IMPORTANT: Before terminating the VNC Connection, make sure no applications are using any of the SMB shares (or shells are cd-ed - into the share). This way the shares will be automatically umounted. + into the share). This way the shares will be automatically unmounted. Otherwise you will need to log in again, stop processes from using the share, become root and umount the shares manually ("smbumount /path/to/share", etc.) @@ -5022,7 +5246,18 @@ proc help_advanced_opts {} { firewall ports in a certain way to open the door for SSH or SSL. The port can also be closed when the encrypted VNC connection finishes. - + + Include: Profile template(s) to load before loading a profile + (see Load Profile under "Options"). For example if you Save a + profile called "globals" that has some settings you use often, + then just supply "Include: globals" to have them applied. + You may supply a comma or space separated list of templates + to include. They can be full path names or basenames relative + to the profiles directory. You do not need to supply the .vnc + suffix. The non-default settings in them will be applied first, + and then any values in the loaded Profile will override them. + + About the CheckButtons: Ahem, Well...., yes quite a klunky UI: you have to toggle the @@ -5268,6 +5503,7 @@ proc do_port_knock {hp mode} { if {$mode == "finish"} { if {! [regexp {FINISH} $list]} { + mesg "PortKnock(finish): done" return 1 } else { regsub {^.*FINISH} $list "" list @@ -5407,6 +5643,7 @@ proc do_port_knock {hp mode} { mesg $m return 0 } + regsub {,.*$} $host "" host if {[regexp {[ \t]} $host]} { bell set m "PortKnock: Invalid host: \"$host\"" @@ -5520,7 +5757,11 @@ proc do_port_knock {hp mode} { if {$m != ""} { set m "$m," } - mesg "PortKnock: done" + if {$mode == "finish"} { + mesg "PortKnock(finish): done" + } else { + mesg "PortKnock: done" + } return 1 } @@ -5699,6 +5940,16 @@ proc port_knocking_dialog {} { delay 1000 PAD=C:\My Pads\work-pad1.txt sleep 4000 + + + Port knock only: + + If, in the 'VNC Server' entry box, you use "user@hostname cmd=KNOCK" + then only the port-knocking is performed. A shortcut for this is + Ctrl-P as long as hostname is present in the entry box. If it + matches cmd=KNOCKF, i.e. an extra "F", then the port-knocking + "FINISH" sequence is sent, if any. A shortcut for this Shift-Ctrl-P + as long as hostname is present. } .pk.f.t insert end $msg @@ -5761,6 +6012,15 @@ proc set_advanced_options {} { -command {if {$use_port_knocking} {port_knocking_dialog}} incr i + global include_list + frame .oa.b$i + label .oa.b$i.l -text "Include:" + entry .oa.b$i.e -width 10 -textvariable include_list + pack .oa.b$i.l -side left + pack .oa.b$i.e -side right -expand 1 -fill x + + incr i + for {set j 1} {$j < $i} {incr j} { pack .oa.b$j -side top -fill x } @@ -5995,20 +6255,13 @@ proc set_options {} { pack .o.sa -side top -fill x } - global include_list - frame .o.inc - label .o.inc.l -text "Include:" - entry .o.inc.e -width 10 -textvariable include_list - pack .o.inc.l -side left - pack .o.inc.e -side right -expand 1 -fill x - button .o.s_prof -text "Save Profile ..." -command {save_profile; raise .o} button .o.l_prof -text " Load Profile ..." -command {load_profile; raise .o} button .o.advanced -text "Advanced ..." -command set_advanced_options button .o.clear -text "Clear Options" -command set_defaults pack .o.s_prof -side top -fill x pack .o.l_prof -side top -fill x - pack .o.inc -side top -fill x + #pack .o.inc -side top -fill x pack .o.clear -side top -fill x pack .o.advanced -side top -fill x @@ -6091,6 +6344,8 @@ if {[info exists env(SSL_VNC_GUI_CMD)]} { bind . <Control-q> "destroy .; exit" bind . <Shift-Escape> "destroy .; exit" bind . <Control-s> "launch_shell_only" +bind . <Control-p> {port_knock_only "" "KNOCK"} +bind . <Control-P> {port_knock_only "" "FINISH"} global entered_gui_top button_gui_top set entered_gui_top 0 diff --git a/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssl_vncviewer b/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssl_vncviewer index 5827601..85d5920 100755 --- a/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssl_vncviewer +++ b/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssl_vncviewer @@ -33,7 +33,10 @@ # # -proxy try host:port as a Web proxy to use the CONNECT method # to reach the VNC server (e.g. your firewall requires a proxy). +# # For the "double proxy" case use -proxy host1:port1,host2:port2 +# (the first CONNECT is done through host1:port1 to host2:port2 +# and then a 2nd CONNECT to the destination VNC server.) # # See http://www.karlrunge.com/x11vnc/#faq-ssl-ca for details on SSL # certificates with VNC. @@ -56,6 +59,14 @@ # other than the default (22). (even for the non-gateway case, # -proxy must be used to specify a non-standard ssh port) # +# A "double ssh" can be specified via a -proxy string with the two +# hosts separated by a comma: +# +# [user1@]host1[:port1],[user2@]host2[:port2] +# +# in which case a ssh to host1 and thru it via a -L redir a 2nd +# ssh is established to host2. +# # Examples: # # ssl_vncviewer -ssh bob@bobs-home.net:0 @@ -64,6 +75,8 @@ # ssl_vncviewer -ssh -proxy fred@mygate.com:2022 mymachine:0 # ssl_vncviewer -ssh -proxy bob@bobs-home.net:2222 localhost:0 # +# ssl_vncviewer -ssh -proxy fred@gw-host,fred@peecee localhost:0 +# # -sshcmd cmd Run "cmd" via ssh instead of the default "sleep 15" # e.g. -sshcmd 'x11vnc -display :0 -localhost -rfbport 5900' # @@ -239,6 +252,38 @@ if [ "X$use_ssh" = "X1" ]; then ssh_host="$host" vnc_host="localhost" ssh=${SSH:-"ssh -x"} + if echo "$proxy" | grep "," > /dev/null; then + proxy1=`echo "$proxy" | awk -F, '{print $1}'` + proxy2=`echo "$proxy" | awk -F, '{print $2}'` + # user1@gw1.com:port1,user2@ws2:port2 + ssh_host1=`echo "$proxy1" | awk -F: '{print $1}'` + ssh_port1=`echo "$proxy1" | awk -F: '{print $2}'` + if [ "X$ssh_port1" = "X" ]; then + ssh_port1="22" + fi + ssh_host2=`echo "$proxy2" | awk -F: '{print $1}'` + ssh_user2=`echo "$ssh_host2" | awk -F@ '{print $1}'` + ssh_host2=`echo "$ssh_host2" | awk -F@ '{print $2}'` + if [ "X$ssh_host2" = "X" ]; then + ssh_host2=$ssh_user2 + ssh_user2="" + else + ssh_user2="${ssh_user2}@" + fi + ssh_port2=`echo "$proxy2" | awk -F: '{print $2}'` + if [ "X$ssh_port2" = "X" ]; then + ssh_port2="22" + fi + proxport=`findfree 3500` + echo + echo "Running 1st ssh proxy:" + echo "$ssh -f -p $ssh_port1 -t -e none -L $proxport:$ssh_host2:$ssh_port2 $ssh_host1 \"sleep 30\"" + $ssh -f -p $ssh_port1 -t -e none -L $proxport:$ssh_host2:$ssh_port2 $ssh_host1 "sleep 30" + ssh_args="$ssh_args -o NoHostAuthenticationForLocalhost=yes" + sleep 1 + stty sane + proxy="${ssh_user2}localhost:$proxport" + fi if [ "X$proxy" != "X" ]; then ssh_port=`echo "$proxy" | awk -F: '{print $2}'` if [ "X$ssh_port" = "X" ]; then diff --git a/x11vnc/misc/enhanced_tightvnc_viewer/src/patches/_bundle b/x11vnc/misc/enhanced_tightvnc_viewer/src/patches/_bundle index 379e229..f31e673 100755 --- a/x11vnc/misc/enhanced_tightvnc_viewer/src/patches/_bundle +++ b/x11vnc/misc/enhanced_tightvnc_viewer/src/patches/_bundle @@ -1,7 +1,7 @@ #!/bin/sh rm -rf ./src/tmp/* || exit 1 -vers=1.0.4 +vers=1.0.5 cd .. || exit 1 diff --git a/x11vnc/misc/enhanced_tightvnc_viewer/src/zips/README b/x11vnc/misc/enhanced_tightvnc_viewer/src/zips/README index 776d4bf..e2405b2 100644 --- a/x11vnc/misc/enhanced_tightvnc_viewer/src/zips/README +++ b/x11vnc/misc/enhanced_tightvnc_viewer/src/zips/README @@ -2,6 +2,7 @@ This is where we keep the 3rd party source zip and tar.gz files used to build this package. www.stunnel.org source 488512 Jul 25 15:09 stunnel-4.14.tar.gz +http://stunnel.mirt.net www.tightvnc.com source 2182134 Jul 25 15:11 tightvnc-1.3dev7_unixsrc.tar.gz www.tightvnc.com windows standalone viewer binary: 209149 Jul 25 15:10 tightvnc-1.3dev7_x86_viewer.zip |