Diffstat (limited to 'x11vnc/help.c')
-rw-r--r-- | x11vnc/help.c | 75 |
1 files changed, 46 insertions, 29 deletions
diff --git a/x11vnc/help.c b/x11vnc/help.c index a0c1bc3..293104b 100644 --- a/x11vnc/help.c +++ b/x11vnc/help.c @@ -315,8 +315,9 @@ void print_help(int mode) { "-novncconnect VNC program vncconnect(1). When the property is\n" " set to \"host\" or \"host:port\" establish a reverse\n" " connection. Using xprop(1) instead of vncconnect may\n" -" work (see the FAQ). The -remote control mechanism also\n" -" uses this VNC_CONNECT channel. Default: %s\n" +" work (see the FAQ). The -remote control mechanism uses\n" +" X11VNC_REMOTE channel, and this option disables/enables\n" +" it as well. Default: %s\n" "\n" "-allow host1[,host2..] Only allow client connections from hosts matching\n" " the comma separated list of hostnames or IP addresses.\n" @@ -431,8 +432,8 @@ void print_help(int mode) { " x11vnc as root with the \"-users +nobody\" option to\n" " immediately switch to user nobody. Another source of\n" " problems are PAM modules that prompt for extra info,\n" -" e.g. password aging modules. These logins will always\n" -" fail as well.\n" +" e.g. password aging modules. These logins will fail\n" +" as well even when the correct password is supplied.\n" "\n" " *IMPORTANT*: to prevent the Unix password being sent in\n" " *clear text* over the network, two x11vnc options are\n" 
@@ -459,17 +460,28 @@ void print_help(int mode) { " is set and appears reasonable. If it does, then the\n" " stunnel requirement is dropped since it is assumed\n" " you are using ssh for the encrypted tunnelling.\n" -" Use -stunnel to force stunnel usage.\n" +" Use -stunnel to force stunnel usage for this case.\n" "\n" " Set UNIXPW_DISABLE_LOCALHOST=1 to disable the -localhost\n" " requirement. One should never do this (i.e. allow the\n" " Unix passwords to be sniffed on the network).\n" "\n" -" NOTE: in -inetd mode the two settings are not enforced\n" -" since x11vnc does not make network connections in\n" -" that case. Be sure to use encryption from the viewer\n" -" to inetd. One can also have your own stunnel spawn\n" -" x11vnc in -inetd mode. See the FAQ.\n" +" Regarding reverse connections (e.g. -R connect:host),\n" +" the -localhost constraint is in effect and the reverse\n" +" connections can only be used to connect to the same\n" +" machine x11vnc is running on (default port 5500).\n" +" Please use a ssh or stunnel port redirection to the\n" +" viewer machine to tunnel the reverse connection over\n" +" an encrypted channel. Note that Unix username and\n" +" password *will* be prompted for (unlike VNC passwords\n" +" that are skipped for reverse connections).\n" +"\n" +" NOTE: in -inetd mode the two settings are attempted\n" +" to be enforced for reverse connections. Be sure to\n" +" use encryption from the viewer to inetd since x11vnc\n" +" cannot guess easily if it is encrpyted. Note: you can\n" +" also have your own stunnel spawn x11vnc in -inetd mode\n" +" (i.e. bypassing inetd). See the FAQ.\n" "\n" " The user names in the comma separated [list] can have\n" " per-user options after a \":\", e.g. \"fred:opts\"\n" 
@@ -484,16 +496,21 @@ void print_help(int mode) { " Use \"deny\" to explicitly deny some users if you use\n" " \"*\" to set a global option.\n" "\n" -"-unixpw_nis [list] As -unixpw above, however do not run su(1) but rather\n" -" use the traditional getpwnam() + crypt() method instead.\n" -" This requires that the encrpyted passwords be readable.\n" -" Passwords stored in /etc/shadow will be inaccessible\n" -" unless run as root. This is called \"NIS\" mode\n" -" simply because in most NIS setups the user encrypted\n" -" passwords are accessible (e.g. \"ypcat passwd\").\n" -" NIS is not required for this mode to work, but it\n" -" is unlikely it will work for any other environment.\n" -" All of the -unixpw options and contraints apply.\n" +" There are also some tools for testing password if [list]\n" +" starts with the \"%\" character. See the quick_pw()\n" +" function for details.\n" +"\n" +"-unixpw_nis [list] As -unixpw above, however do not use su(1) but rather\n" +" use the traditional getpwnam(3) + crypt(3) method\n" +" instead. This requires that the encrpyted passwords\n" +" be readable. Passwords stored in /etc/shadow will\n" +" be inaccessible unless run as root. This is called\n" +" \"NIS\" mode simply because in most NIS setups the\n" +" user encrypted passwords are accessible (e.g. \"ypcat\n" +" passwd\"). NIS is not required for this mode to\n" +" work, but it is unlikely it will work for any other\n" +" environment. All of the -unixpw options and contraints\n" +" apply.\n" "\n" "-stunnel [pem] Use the stunnel(1) (www.stunnel.org) to provide\n" " an encrypted SSL tunnel between viewers and x11vnc.\n" 
@@ -1767,7 +1784,7 @@ void print_help(int mode) { " -remote command.\n" "\n" " The default communication channel is that of X\n" -" properties (specifically VNC_CONNECT), and so this\n" +" properties (specifically X11VNC_REMOTE), and so this\n" " command must be run with correct settings for DISPLAY\n" " and possibly XAUTHORITY to connect to the X server\n" " and set the property. Alternatively, use the -display\n" @@ -2056,9 +2073,9 @@ void print_help(int mode) { " it comes back with prefix \"aro=\" instead of \"ans=\".\n" "\n" " Some -remote commands are pure actions that do not make\n" -" sense as variables, e.g. \"stop\" or \"disconnect\",\n" -" in these cases the value returned is \"N/A\". To direct\n" -" a query straight to the VNC_CONNECT property or connect\n" +" sense as variables, e.g. \"stop\" or \"disconnect\", in\n" +" these cases the value returned is \"N/A\". To direct a\n" +" query straight to the X11VNC_REMOTE property or connect\n" " file use \"qry=...\" instead of \"cmd=...\"\n" "\n" " Here is the current list of \"variables\" that can\n" @@ -2157,9 +2174,9 @@ void print_help(int mode) { "\n" " A note about security wrt remote control commands.\n" " If someone can connect to the X display and change\n" -" the property VNC_CONNECT, then they can remotely\n" +" the property X11VNC_REMOTE, then they can remotely\n" " control x11vnc. Normally access to the X display is\n" -" protected. Note that if they can modify VNC_CONNECT\n" +" protected. Note that if they can modify X11VNC_REMOTE\n" " on the X server, they have enough permissions to also\n" " run their own x11vnc and thus have complete control\n" " of the desktop. If the \"-connect /path/to/file\"\n" 
@@ -2169,9 +2186,9 @@ void print_help(int mode) { " permissions. See -privremote below.\n" "\n" " If you are paranoid and do not think -noremote is\n" -" enough, to disable the VNC_CONNECT property channel\n" -" completely use -novncconnect, or use the -safer\n" -" option that shuts many things off.\n" +" enough, to disable the X11VNC_REMOTE property channel\n" +" completely use -novncconnect, or use the -safer option\n" +" that shuts many things off.\n" "\n" "-unsafe A few remote commands are disabled by default\n" " (currently: id:pick, accept:<cmd>, gone:<cmd>, and\n" |
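Review bot: In the -novncconnect hunk (@@ -315), "this option disables/enables it as well" does not say which form of the option does which, and "uses X11VNC_REMOTE channel" is missing an article. If the intent is that -novncconnect now switches off both the VNC_CONNECT reverse-connection property and the X11VNC_REMOTE control property, say so in those words, e.g. "The -remote control mechanism uses the X11VNC_REMOTE channel, and -novncconnect disables it as well." Someone locking down a server needs to know that one switch covers both X property channels.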
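Review bot: In the -unixpw hunk (@@ -459), the rewritten inetd NOTE is ambiguous about what is enforced: "the two settings are attempted to be enforced for reverse connections" replaces text that said they were not enforced in -inetd mode at all, and it no longer says what happens for ordinary (forward) inetd connections. Please state both cases plainly, since this paragraph is what tells the user whether a Unix password can cross the network unencrypted. Smaller points in the added lines: "encrpyted" should be "encrypted", and "Please use a ssh" should be "an ssh".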
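Review bot: In the -unixpw/-unixpw_nis hunk (@@ -484), the added line with \"%\" puts a bare percent sign into the help text; the first hunk shows this text carrying a "Default: %s" conversion, so if these lines are part of the same printf-style format string the sequence needs to be written as "%%" or it will be parsed as a conversion specifier. Separately, pointing the reader at the quick_pw() function is not documentation: a "%" prefix that changes how an authentication option behaves should have its effect described in the help text itself, including whether it is safe to leave enabled on a listening server. The reflowed -unixpw_nis paragraph also carries over the typos "encrpyted" and "contraints", and "testing password" should be "testing passwords".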
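Review bot: In the security-note hunks (@@ -2157 and @@ -2169), replacing VNC_CONNECT with X11VNC_REMOTE everywhere drops VNC_CONNECT from the security discussion even though the -novncconnect text in the first hunk says that property still triggers reverse connections when set to "host" or "host:port". Suggest keeping one sentence that names both properties, so the note still tells the reader that anyone able to write either property on the X display can influence x11vnc, and that -novncconnect (or -safer) is the way to close both.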