diff options
Diffstat (limited to 'x11vnc/help.c')
-rw-r--r-- | x11vnc/help.c | 187 |
1 files changed, 134 insertions, 53 deletions
diff --git a/x11vnc/help.c b/x11vnc/help.c index 65edf94..81e5f46 100644 --- a/x11vnc/help.c +++ b/x11vnc/help.c @@ -14,7 +14,7 @@ void nopassword_warning_msg(int gotloc); void print_help(int mode) { -#if !SMALL_FOOTPRINT +#if !SKIP_HELP char help[] = "\n" "x11vnc: allow VNC connections to real X11 displays. %s\n" @@ -423,9 +423,9 @@ void print_help(int mode) { " send one before a 25 second timeout. Existing clients\n" " are view-only during this period.\n" "\n" -" Since the detailed behavior of su(1) can vary from\n" -" OS to OS and for local configurations, please test\n" -" the mode carefully on your systems before using it.\n" +" Since the detailed behavior of su(1) can vary from OS\n" +" to OS and for local configurations, please test the mode\n" +" carefully on your systems before using it in production.\n" " E.g. try different combinations of valid/invalid\n" " usernames and valid/invalid passwords to see if it\n" " behaves correctly. x11vnc will be conservative and\n" @@ -443,53 +443,64 @@ void print_help(int mode) { " e.g. password aging modules. These logins will fail\n" " as well even when the correct password is supplied.\n" "\n" -" *IMPORTANT*: to prevent the Unix password being sent in\n" -" *clear text* over the network, two x11vnc options are\n" -" enforced: 1) -localhost and 2) -stunnel. The former\n" -" requires the viewer connection to appear to come from\n" -" the same machine x11vnc is running on (e.g. from a ssh\n" -" -L port redirection). The latter requires the -stunnel\n" -" SSL mode be used (see the description below).\n" +" **IMPORTANT**: to prevent the Unix password being sent\n" +" in *clear text* over the network, one of two schemes\n" +" will be enforced: 1) the -ssl builtin SSL mode, or 2)\n" +" require both -localhost and -stunnel be enabled.\n" "\n" -" To override these restrictions you can set environment\n" -" variables before starting x11vnc:\n" +" Method 1) ensures the traffic is encrypted between\n" +" viewer and server. A PEM file will be required, see the\n" +" discussion under -ssl below (under some circumstances\n" +" a temporary one can be automatically generated).\n" "\n" -" Set UNIXPW_DISABLE_STUNNEL=1 to disable using -stunnel.\n" -" Evidently you will be using a different method to\n" -" encrypt the data between the vncviewer and x11vnc:\n" -" e.g. ssh(1) or a VPN. Note that use of -localhost\n" -" with ssh(1) is roughly the same as requiring a Unix\n" -" user login (since a Unix password or the user's public\n" -" key authentication is used by ssh on the machine where\n" -" x11vnc runs and only local connections are accepted)\n" +" Method 2) requires the viewer connection to appear\n" +" to come from the same machine x11vnc is running on\n" +" (e.g. from a ssh -L port redirection). And that the\n" +" -stunnel SSL mode be used for encryption over the\n" +" network.(see the description of -stunnel below).\n" "\n" " As a convenience, if you ssh(1) in and start x11vnc it\n" " will check if the environment variable SSH_CONNECTION\n" " is set and appears reasonable. If it does, then the\n" -" stunnel requirement is dropped since it is assumed\n" -" you are using ssh for the encrypted tunnelling.\n" -" Use -stunnel to force stunnel usage for this case.\n" +" -ssl or -stunnel requirement will be dropped since it is\n" +" assumed you are using ssh for the encrypted tunnelling.\n" +" -localhost is still enforced. Use -ssl or -stunnel to\n" +" force SSL usage for this case.\n" +"\n" +" To override these restrictions you can set environment\n" +" variables before starting x11vnc:\n" +"\n" +" Set UNIXPW_DISABLE_SSL=1 to disable requiring either\n" +" -ssl or -stunnel. Evidently you will be using a\n" +" different method to encrypt the data between the\n" +" vncviewer and x11vnc: e.g. ssh(1) or a VPN. Note that\n" +" use of -localhost with ssh(1) is roughly the same as\n" +" requiring a Unix user login (since a Unix password or\n" +" the user's public key authentication is used by sshd on\n" +" the machine where x11vnc runs and only local connections\n" +" are accepted)\n" "\n" " Set UNIXPW_DISABLE_LOCALHOST=1 to disable the -localhost\n" -" requirement. One should never do this (i.e. allow the\n" -" Unix passwords to be sniffed on the network).\n" +" requirement in Method 2). One should never do this\n" +" (i.e. allow the Unix passwords to be sniffed on the\n" +" network).\n" "\n" " Regarding reverse connections (e.g. -R connect:host),\n" -" the -localhost constraint is in effect and the reverse\n" +" if the -localhost constraint is in effect then reverse\n" " connections can only be used to connect to the same\n" " machine x11vnc is running on (default port 5500).\n" " Please use a ssh or stunnel port redirection to the\n" " viewer machine to tunnel the reverse connection over\n" -" an encrypted channel. Note that Unix username and\n" -" password *will* be prompted for (unlike VNC passwords\n" -" that are skipped for reverse connections).\n" +" an encrypted channel. Note that in -ssl mode reverse\n" +" connection are disabled.\n" "\n" -" NOTE: in -inetd mode the two settings are attempted\n" -" to be enforced for reverse connections. Be sure to\n" +" XXX -inetd + -ssl\n" +" In -inetd mode the two settings are attempted to be\n" +" enforced for reverse connections. Be sure to also\n" " use encryption from the viewer to inetd since x11vnc\n" -" cannot guess easily if it is encrpyted. Note: you can\n" +" cannot guess easily if it is encrpyted. Tip: you can\n" " also have your own stunnel spawn x11vnc in -inetd mode\n" -" (i.e. bypassing inetd). See the FAQ.\n" +" (i.e. bypassing inetd). See the FAQ for details.\n" "\n" " The user names in the comma separated [list] can have\n" " per-user options after a \":\", e.g. \"fred:opts\"\n" @@ -521,17 +532,84 @@ void print_help(int mode) { " other environment. All of the -unixpw options and\n" " contraints apply.\n" "\n" -"-stunnel [pem] Use the stunnel(1) (www.stunnel.org) to provide\n" +"-ssl [pem] Use the openssl library (www.openssl.org) to provide a\n" +" built-in encrypted SSL tunnel between VNC viewers and\n" +" x11vnc. This requires libssl support to be compiled\n" +" into x11vnc at build time. If x11vnc is not built\n" +" with libssl support it will exit immediately when -ssl\n" +" is prescribed.\n" +"\n" +" [pem] is optional, use \"-ssl /path/to/mycert.pem\" to\n" +" specify a PEM certificate file to use to identify and\n" +" provide a key for this server.\n" +"\n" +" Connecting VNC viewer SSL tunnels can authenticate\n" +" this server if they have the public key part of the\n" +" certificate (or a common certificate authority, CA,\n" +" verifies this server's cert). This is used to prevent\n" +" man-in-the-middle attacks. Otherwise, if the VNC viewer\n" +" accepts this server's key without verification, at\n" +" least the traffic is protected from passive sniffing\n" +" on the network.\n" +"\n" +" If [pem] is not supplied and the openssl(1) utility\n" +" command exists in PATH, then a temporary, self-signed\n" +" certificate will be generated for this session (this\n" +" may take 5-20 seconds on slow machines). If openssl(1)\n" +" cannot be used to generate a temporary certificate\n" +" x11vnc exits immediately.\n" +"\n" +" If successful in using openssl(1) to generate a\n" +" certificate, the public part of it will be displayed\n" +" to stdout (e.g. one could copy it to the client-side\n" +" to provide authentication of the server to VNC viewers.)\n" +"\n" +" Set the env. var. X11VNC_SHOW_TMP_PEM=1 to have x11vnc\n" +" print out the entire certificate, including the PRIVATE\n" +" KEY part, to stderr. One could reuse this cert if saved\n" +" in a [pem] file. Similarly, set X11VNC_KEEP_TMP_PEM=1\n" +" to not delete the temporary PEM file: the file name\n" +" will be printed to stderr (so one could move it to a\n" +" safe place for reuse).\n" +"\n" +" Reverse connections are disabled in -ssl\n" +" mode because the data cannot be encrypted.\n" +" Set X11VNC_SSL_ALLOW_REVERSE=1 to override this.\n" +"\n" +" Your VNC viewer will also need to be able to connect\n" +" via SSL. See the discussion below under -stunnel and\n" +" the FAQ for how this might be achieved. E.g. on Unix it\n" +" is easy to write a shell script that starts up stunnel\n" +" and then vncviewer.\n" +"\n" +"-sslverify [path] For either of the -ssl or -stunnel modes, use [path]\n" +" to provide certificates to authenticate incoming VNC\n" +" client connections. This can be used as a method to\n" +" replace standard password authentication.\n" +"\n" +" If [path] is a directory it contains the client (or CA)\n" +" certificates in separate files. If [path] is a file, it\n" +" contains multiple certificates. These correspond to the\n" +" \"CApath = dir\" and \"CAfile = file\" stunnel options.\n" +" See the stunnel(8) manpage for details.\n" +"\n" +" To create certificates for all sorts of authentications\n" +" (clients, servers, via CA, etc) see the openssl(1)\n" +" command. Of particular usefulness is the x509\n" +" subcommand of openssl(1).\n" +"\n" +"-stunnel [pem] Use the stunnel(8) (www.stunnel.org) to provide\n" " an encrypted SSL tunnel between viewers and x11vnc.\n" " This requires stunnel to be installed on the system and\n" " available via PATH (n.b. stunnel is often installed in\n" -" sbin directories). Version 4.x of stunnel is assumed;\n" -" see -stunnel3 below.\n" +" sbin directories). Version 4.x of stunnel is assumed\n" +" (but see -stunnel3 below.)\n" "\n" " [pem] is optional, use \"-stunnel /path/to/stunnel.pem\"\n" " to specify a PEM certificate file to pass to stunnel.\n" " Whether one is needed or not depends on your stunnel\n" -" configuration.\n" +" configuration. stunnel often generates one at install\n" +" time.\n" "\n" " stunnel is started up as a child process of x11vnc and\n" " any SSL connections stunnel receives are decrypted and\n" @@ -543,14 +621,15 @@ void print_help(int mode) { " avoid people routing around the SSL channel. Set\n" " STUNNEL_DISABLE_LOCALHOST=1 to disable the requirement.\n" "\n" -" Your VNC viewer will need to be able to connect via SSL.\n" -" Unfortunately not too many do this. UltraVNC seems to\n" -" have a SSL plugin. It is not too difficult to set up\n" -" an stunnel or other SSL tunnel on the viewer side.\n" +" Your VNC viewer will also need to be able to connect\n" +" via SSL. Unfortunately not too many do this. UltraVNC\n" +" seems to have an encryption plugin. It is not too\n" +" difficult to set up an stunnel or other SSL tunnel on\n" +" the viewer side.\n" "\n" " A simple example on Unix using stunnel 3.x is:\n" "\n" -" %% stunnel -c -d localhost:5901 -r remote:5900\n" +" %% stunnel -c -d localhost:5901 -r remotehost:5900\n" " %% vncviewer localhost:1\n" "\n" " For Windows, stunnel has been ported to it and there\n" @@ -2175,22 +2254,24 @@ void print_help(int mode) { " debug_xdamage debug_wireframe nodebug_wireframe\n" " debug_wireframe debug_scroll nodebug_scroll debug_scroll\n" " debug_tiles dbt nodebug_tiles nodbt debug_tiles\n" -" debug_grabs nodebug_grabs dbg nodbg noremote\n" +" debug_grabs nodebug_grabs debug_sel nodebug_sel dbg\n" +" nodbg noremote\n" "\n" " aro= noop display vncdisplay desktopname guess_desktop\n" " http_url auth xauth users rootshift clipshift\n" " scale_str scaled_x scaled_y scale_numer scale_denom\n" " scale_fac scaling_blend scaling_nomult4 scaling_pad\n" " scaling_interpolate inetd privremote unsafe safer\n" -" nocmds passwdfile unixpw unixpw_nis unixpw_list stunnel\n" -" stunnel_pem using_shm logfile o flag rc norc h help\n" -" V version lastmod bg sigpipe threads readrate netrate\n" -" netlatency pipeinput clients client_count pid ext_xtest\n" -" ext_xtrap ext_xrecord ext_xkb ext_xshm ext_xinerama\n" -" ext_overlay ext_xfixes ext_xdamage ext_xrandr rootwin\n" -" num_buttons button_mask mouse_x mouse_y bpp depth\n" -" indexed_color dpy_x dpy_y wdpy_x wdpy_y off_x off_y\n" -" cdpy_x cdpy_y coff_x coff_y rfbauth passwd viewpasswd\n" +" nocmds passwdfile unixpw unixpw_nis unixpw_list ssl\n" +" ssl_pem sslverify stunnel stunnel_pem usepw using_shm\n" +" logfile o flag rc norc h help V version lastmod bg\n" +" sigpipe threads readrate netrate netlatency pipeinput\n" +" clients client_count pid ext_xtest ext_xtrap ext_xrecord\n" +" ext_xkb ext_xshm ext_xinerama ext_overlay ext_xfixes\n" +" ext_xdamage ext_xrandr rootwin num_buttons button_mask\n" +" mouse_x mouse_y bpp depth indexed_color dpy_x dpy_y\n" +" wdpy_x wdpy_y off_x off_y cdpy_x cdpy_y coff_x coff_y\n" +" rfbauth passwd viewpasswd\n" "\n" "-QD variable Just like -query variable, but returns the default\n" " value for that parameter (no running x11vnc server\n" |