Diffstat (limited to 'x11vnc/help.c')
-rw-r--r-- x11vnc/help.c 75
1 files changed, 46 insertions, 29 deletions
diff --git a/x11vnc/help.c b/x11vnc/help.c
index a0c1bc3..293104b 100644
--- a/x11vnc/help.c
+++ b/x11vnc/help.c
@@ -315,8 +315,9 @@ void print_help(int mode) {
"-novncconnect VNC program vncconnect(1). When the property is\n"
" set to \"host\" or \"host:port\" establish a reverse\n"
" connection. Using xprop(1) instead of vncconnect may\n"
-" work (see the FAQ). The -remote control mechanism also\n"
-" uses this VNC_CONNECT channel. Default: %s\n"
+" work (see the FAQ). The -remote control mechanism uses\n"
+" X11VNC_REMOTE channel, and this option disables/enables\n"
+" it as well. Default: %s\n"
"\n"
"-allow host1[,host2..] Only allow client connections from hosts matching\n"
" the comma separated list of hostnames or IP addresses.\n"
@@ -431,8 +432,8 @@ void print_help(int mode) {
" x11vnc as root with the \"-users +nobody\" option to\n"
" immediately switch to user nobody. Another source of\n"
" problems are PAM modules that prompt for extra info,\n"
-" e.g. password aging modules. These logins will always\n"
-" fail as well.\n"
+" e.g. password aging modules. These logins will fail\n"
+" as well even when the correct password is supplied.\n"
"\n"
" *IMPORTANT*: to prevent the Unix password being sent in\n"
" *clear text* over the network, two x11vnc options are\n"
@@ -459,17 +460,28 @@ void print_help(int mode) {
" is set and appears reasonable. If it does, then the\n"
" stunnel requirement is dropped since it is assumed\n"
" you are using ssh for the encrypted tunnelling.\n"
-" Use -stunnel to force stunnel usage.\n"
+" Use -stunnel to force stunnel usage for this case.\n"
"\n"
" Set UNIXPW_DISABLE_LOCALHOST=1 to disable the -localhost\n"
" requirement. One should never do this (i.e. allow the\n"
" Unix passwords to be sniffed on the network).\n"
"\n"
-" NOTE: in -inetd mode the two settings are not enforced\n"
-" since x11vnc does not make network connections in\n"
-" that case. Be sure to use encryption from the viewer\n"
-" to inetd. One can also have your own stunnel spawn\n"
-" x11vnc in -inetd mode. See the FAQ.\n"
+" Regarding reverse connections (e.g. -R connect:host),\n"
+" the -localhost constraint is in effect and the reverse\n"
+" connections can only be used to connect to the same\n"
+" machine x11vnc is running on (default port 5500).\n"
+" Please use a ssh or stunnel port redirection to the\n"
+" viewer machine to tunnel the reverse connection over\n"
+" an encrypted channel. Note that Unix username and\n"
+" password *will* be prompted for (unlike VNC passwords\n"
+" that are skipped for reverse connections).\n"
+"\n"
+" NOTE: in -inetd mode the two settings are attempted\n"
+" to be enforced for reverse connections. Be sure to\n"
+" use encryption from the viewer to inetd since x11vnc\n"
+" cannot guess easily if it is encrpyted. Note: you can\n"
+" also have your own stunnel spawn x11vnc in -inetd mode\n"
+" (i.e. bypassing inetd). See the FAQ.\n"
"\n"
" The user names in the comma separated [list] can have\n"
" per-user options after a \":\", e.g. \"fred:opts\"\n"
@@ -484,16 +496,21 @@ void print_help(int mode) {
" Use \"deny\" to explicitly deny some users if you use\n"
" \"*\" to set a global option.\n"
"\n"
-"-unixpw_nis [list] As -unixpw above, however do not run su(1) but rather\n"
-" use the traditional getpwnam() + crypt() method instead.\n"
-" This requires that the encrpyted passwords be readable.\n"
-" Passwords stored in /etc/shadow will be inaccessible\n"
-" unless run as root. This is called \"NIS\" mode\n"
-" simply because in most NIS setups the user encrypted\n"
-" passwords are accessible (e.g. \"ypcat passwd\").\n"
-" NIS is not required for this mode to work, but it\n"
-" is unlikely it will work for any other environment.\n"
-" All of the -unixpw options and contraints apply.\n"
+" There are also some tools for testing password if [list]\n"
+" starts with the \"%\" character. See the quick_pw()\n"
+" function for details.\n"
+"\n"
+"-unixpw_nis [list] As -unixpw above, however do not use su(1) but rather\n"
+" use the traditional getpwnam(3) + crypt(3) method\n"
+" instead. This requires that the encrpyted passwords\n"
+" be readable. Passwords stored in /etc/shadow will\n"
+" be inaccessible unless run as root. This is called\n"
+" \"NIS\" mode simply because in most NIS setups the\n"
+" user encrypted passwords are accessible (e.g. \"ypcat\n"
+" passwd\"). NIS is not required for this mode to\n"
+" work, but it is unlikely it will work for any other\n"
+" environment. All of the -unixpw options and contraints\n"
+" apply.\n"
"\n"
"-stunnel [pem] Use the stunnel(1) (www.stunnel.org) to provide\n"
" an encrypted SSL tunnel between viewers and x11vnc.\n"
@@ -1767,7 +1784,7 @@ void print_help(int mode) {
" -remote command.\n"
"\n"
" The default communication channel is that of X\n"
-" properties (specifically VNC_CONNECT), and so this\n"
+" properties (specifically X11VNC_REMOTE), and so this\n"
" command must be run with correct settings for DISPLAY\n"
" and possibly XAUTHORITY to connect to the X server\n"
" and set the property. Alternatively, use the -display\n"
@@ -2056,9 +2073,9 @@ void print_help(int mode) {
" it comes back with prefix \"aro=\" instead of \"ans=\".\n"
"\n"
" Some -remote commands are pure actions that do not make\n"
-" sense as variables, e.g. \"stop\" or \"disconnect\",\n"
-" in these cases the value returned is \"N/A\". To direct\n"
-" a query straight to the VNC_CONNECT property or connect\n"
+" sense as variables, e.g. \"stop\" or \"disconnect\", in\n"
+" these cases the value returned is \"N/A\". To direct a\n"
+" query straight to the X11VNC_REMOTE property or connect\n"
" file use \"qry=...\" instead of \"cmd=...\"\n"
"\n"
" Here is the current list of \"variables\" that can\n"
@@ -2157,9 +2174,9 @@ void print_help(int mode) {
"\n"
" A note about security wrt remote control commands.\n"
" If someone can connect to the X display and change\n"
-" the property VNC_CONNECT, then they can remotely\n"
+" the property X11VNC_REMOTE, then they can remotely\n"
" control x11vnc. Normally access to the X display is\n"
-" protected. Note that if they can modify VNC_CONNECT\n"
+" protected. Note that if they can modify X11VNC_REMOTE\n"
" on the X server, they have enough permissions to also\n"
" run their own x11vnc and thus have complete control\n"
" of the desktop. If the \"-connect /path/to/file\"\n"
@@ -2169,9 +2186,9 @@ void print_help(int mode) {
" permissions. See -privremote below.\n"
"\n"
" If you are paranoid and do not think -noremote is\n"
-" enough, to disable the VNC_CONNECT property channel\n"
-" completely use -novncconnect, or use the -safer\n"
-" option that shuts many things off.\n"
+" enough, to disable the X11VNC_REMOTE property channel\n"
+" completely use -novncconnect, or use the -safer option\n"
+" that shuts many things off.\n"
"\n"
"-unsafe A few remote commands are disabled by default\n"
" (currently: id:pick, accept:<cmd>, gone:<cmd>, and\n"