summaryrefslogtreecommitdiffstats
path: root/x11vnc/help.c
diff options
context:
space:
mode:
Diffstat (limited to 'x11vnc/help.c')
-rw-r--r--x11vnc/help.c187
1 files changed, 134 insertions, 53 deletions
diff --git a/x11vnc/help.c b/x11vnc/help.c
index 65edf94..81e5f46 100644
--- a/x11vnc/help.c
+++ b/x11vnc/help.c
@@ -14,7 +14,7 @@ void nopassword_warning_msg(int gotloc);
void print_help(int mode) {
-#if !SMALL_FOOTPRINT
+#if !SKIP_HELP
char help[] =
"\n"
"x11vnc: allow VNC connections to real X11 displays. %s\n"
@@ -423,9 +423,9 @@ void print_help(int mode) {
" send one before a 25 second timeout. Existing clients\n"
" are view-only during this period.\n"
"\n"
-" Since the detailed behavior of su(1) can vary from\n"
-" OS to OS and for local configurations, please test\n"
-" the mode carefully on your systems before using it.\n"
+" Since the detailed behavior of su(1) can vary from OS\n"
+" to OS and for local configurations, please test the mode\n"
+" carefully on your systems before using it in production.\n"
" E.g. try different combinations of valid/invalid\n"
" usernames and valid/invalid passwords to see if it\n"
" behaves correctly. x11vnc will be conservative and\n"
@@ -443,53 +443,64 @@ void print_help(int mode) {
" e.g. password aging modules. These logins will fail\n"
" as well even when the correct password is supplied.\n"
"\n"
-" *IMPORTANT*: to prevent the Unix password being sent in\n"
-" *clear text* over the network, two x11vnc options are\n"
-" enforced: 1) -localhost and 2) -stunnel. The former\n"
-" requires the viewer connection to appear to come from\n"
-" the same machine x11vnc is running on (e.g. from a ssh\n"
-" -L port redirection). The latter requires the -stunnel\n"
-" SSL mode be used (see the description below).\n"
+" **IMPORTANT**: to prevent the Unix password being sent\n"
+" in *clear text* over the network, one of two schemes\n"
+" will be enforced: 1) the -ssl builtin SSL mode, or 2)\n"
+" require both -localhost and -stunnel be enabled.\n"
"\n"
-" To override these restrictions you can set environment\n"
-" variables before starting x11vnc:\n"
+" Method 1) ensures the traffic is encrypted between\n"
+" viewer and server. A PEM file will be required, see the\n"
+" discussion under -ssl below (under some circumstances\n"
+" a temporary one can be automatically generated).\n"
"\n"
-" Set UNIXPW_DISABLE_STUNNEL=1 to disable using -stunnel.\n"
-" Evidently you will be using a different method to\n"
-" encrypt the data between the vncviewer and x11vnc:\n"
-" e.g. ssh(1) or a VPN. Note that use of -localhost\n"
-" with ssh(1) is roughly the same as requiring a Unix\n"
-" user login (since a Unix password or the user's public\n"
-" key authentication is used by ssh on the machine where\n"
-" x11vnc runs and only local connections are accepted)\n"
+" Method 2) requires the viewer connection to appear\n"
+" to come from the same machine x11vnc is running on\n"
+" (e.g. from a ssh -L port redirection). And that the\n"
+" -stunnel SSL mode be used for encryption over the\n"
+" network.(see the description of -stunnel below).\n"
"\n"
" As a convenience, if you ssh(1) in and start x11vnc it\n"
" will check if the environment variable SSH_CONNECTION\n"
" is set and appears reasonable. If it does, then the\n"
-" stunnel requirement is dropped since it is assumed\n"
-" you are using ssh for the encrypted tunnelling.\n"
-" Use -stunnel to force stunnel usage for this case.\n"
+" -ssl or -stunnel requirement will be dropped since it is\n"
+" assumed you are using ssh for the encrypted tunnelling.\n"
+" -localhost is still enforced. Use -ssl or -stunnel to\n"
+" force SSL usage for this case.\n"
+"\n"
+" To override these restrictions you can set environment\n"
+" variables before starting x11vnc:\n"
+"\n"
+" Set UNIXPW_DISABLE_SSL=1 to disable requiring either\n"
+" -ssl or -stunnel. Evidently you will be using a\n"
+" different method to encrypt the data between the\n"
+" vncviewer and x11vnc: e.g. ssh(1) or a VPN. Note that\n"
+" use of -localhost with ssh(1) is roughly the same as\n"
+" requiring a Unix user login (since a Unix password or\n"
+" the user's public key authentication is used by sshd on\n"
+" the machine where x11vnc runs and only local connections\n"
+" are accepted)\n"
"\n"
" Set UNIXPW_DISABLE_LOCALHOST=1 to disable the -localhost\n"
-" requirement. One should never do this (i.e. allow the\n"
-" Unix passwords to be sniffed on the network).\n"
+" requirement in Method 2). One should never do this\n"
+" (i.e. allow the Unix passwords to be sniffed on the\n"
+" network).\n"
"\n"
" Regarding reverse connections (e.g. -R connect:host),\n"
-" the -localhost constraint is in effect and the reverse\n"
+" if the -localhost constraint is in effect then reverse\n"
" connections can only be used to connect to the same\n"
" machine x11vnc is running on (default port 5500).\n"
" Please use a ssh or stunnel port redirection to the\n"
" viewer machine to tunnel the reverse connection over\n"
-" an encrypted channel. Note that Unix username and\n"
-" password *will* be prompted for (unlike VNC passwords\n"
-" that are skipped for reverse connections).\n"
+" an encrypted channel. Note that in -ssl mode reverse\n"
+" connection are disabled.\n"
"\n"
-" NOTE: in -inetd mode the two settings are attempted\n"
-" to be enforced for reverse connections. Be sure to\n"
+" XXX -inetd + -ssl\n"
+" In -inetd mode the two settings are attempted to be\n"
+" enforced for reverse connections. Be sure to also\n"
" use encryption from the viewer to inetd since x11vnc\n"
-" cannot guess easily if it is encrpyted. Note: you can\n"
+" cannot guess easily if it is encrpyted. Tip: you can\n"
" also have your own stunnel spawn x11vnc in -inetd mode\n"
-" (i.e. bypassing inetd). See the FAQ.\n"
+" (i.e. bypassing inetd). See the FAQ for details.\n"
"\n"
" The user names in the comma separated [list] can have\n"
" per-user options after a \":\", e.g. \"fred:opts\"\n"
@@ -521,17 +532,84 @@ void print_help(int mode) {
" other environment. All of the -unixpw options and\n"
" contraints apply.\n"
"\n"
-"-stunnel [pem] Use the stunnel(1) (www.stunnel.org) to provide\n"
+"-ssl [pem] Use the openssl library (www.openssl.org) to provide a\n"
+" built-in encrypted SSL tunnel between VNC viewers and\n"
+" x11vnc. This requires libssl support to be compiled\n"
+" into x11vnc at build time. If x11vnc is not built\n"
+" with libssl support it will exit immediately when -ssl\n"
+" is prescribed.\n"
+"\n"
+" [pem] is optional, use \"-ssl /path/to/mycert.pem\" to\n"
+" specify a PEM certificate file to use to identify and\n"
+" provide a key for this server.\n"
+"\n"
+" Connecting VNC viewer SSL tunnels can authenticate\n"
+" this server if they have the public key part of the\n"
+" certificate (or a common certificate authority, CA,\n"
+" verifies this server's cert). This is used to prevent\n"
+" man-in-the-middle attacks. Otherwise, if the VNC viewer\n"
+" accepts this server's key without verification, at\n"
+" least the traffic is protected from passive sniffing\n"
+" on the network.\n"
+"\n"
+" If [pem] is not supplied and the openssl(1) utility\n"
+" command exists in PATH, then a temporary, self-signed\n"
+" certificate will be generated for this session (this\n"
+" may take 5-20 seconds on slow machines). If openssl(1)\n"
+" cannot be used to generate a temporary certificate\n"
+" x11vnc exits immediately.\n"
+"\n"
+" If successful in using openssl(1) to generate a\n"
+" certificate, the public part of it will be displayed\n"
+" to stdout (e.g. one could copy it to the client-side\n"
+" to provide authentication of the server to VNC viewers.)\n"
+"\n"
+" Set the env. var. X11VNC_SHOW_TMP_PEM=1 to have x11vnc\n"
+" print out the entire certificate, including the PRIVATE\n"
+" KEY part, to stderr. One could reuse this cert if saved\n"
+" in a [pem] file. Similarly, set X11VNC_KEEP_TMP_PEM=1\n"
+" to not delete the temporary PEM file: the file name\n"
+" will be printed to stderr (so one could move it to a\n"
+" safe place for reuse).\n"
+"\n"
+" Reverse connections are disabled in -ssl\n"
+" mode because the data cannot be encrypted.\n"
+" Set X11VNC_SSL_ALLOW_REVERSE=1 to override this.\n"
+"\n"
+" Your VNC viewer will also need to be able to connect\n"
+" via SSL. See the discussion below under -stunnel and\n"
+" the FAQ for how this might be achieved. E.g. on Unix it\n"
+" is easy to write a shell script that starts up stunnel\n"
+" and then vncviewer.\n"
+"\n"
+"-sslverify [path] For either of the -ssl or -stunnel modes, use [path]\n"
+" to provide certificates to authenticate incoming VNC\n"
+" client connections. This can be used as a method to\n"
+" replace standard password authentication.\n"
+"\n"
+" If [path] is a directory it contains the client (or CA)\n"
+" certificates in separate files. If [path] is a file, it\n"
+" contains multiple certificates. These correspond to the\n"
+" \"CApath = dir\" and \"CAfile = file\" stunnel options.\n"
+" See the stunnel(8) manpage for details.\n"
+"\n"
+" To create certificates for all sorts of authentications\n"
+" (clients, servers, via CA, etc) see the openssl(1)\n"
+" command. Of particular usefulness is the x509\n"
+" subcommand of openssl(1).\n"
+"\n"
+"-stunnel [pem] Use the stunnel(8) (www.stunnel.org) to provide\n"
" an encrypted SSL tunnel between viewers and x11vnc.\n"
" This requires stunnel to be installed on the system and\n"
" available via PATH (n.b. stunnel is often installed in\n"
-" sbin directories). Version 4.x of stunnel is assumed;\n"
-" see -stunnel3 below.\n"
+" sbin directories). Version 4.x of stunnel is assumed\n"
+" (but see -stunnel3 below.)\n"
"\n"
" [pem] is optional, use \"-stunnel /path/to/stunnel.pem\"\n"
" to specify a PEM certificate file to pass to stunnel.\n"
" Whether one is needed or not depends on your stunnel\n"
-" configuration.\n"
+" configuration. stunnel often generates one at install\n"
+" time.\n"
"\n"
" stunnel is started up as a child process of x11vnc and\n"
" any SSL connections stunnel receives are decrypted and\n"
@@ -543,14 +621,15 @@ void print_help(int mode) {
" avoid people routing around the SSL channel. Set\n"
" STUNNEL_DISABLE_LOCALHOST=1 to disable the requirement.\n"
"\n"
-" Your VNC viewer will need to be able to connect via SSL.\n"
-" Unfortunately not too many do this. UltraVNC seems to\n"
-" have a SSL plugin. It is not too difficult to set up\n"
-" an stunnel or other SSL tunnel on the viewer side.\n"
+" Your VNC viewer will also need to be able to connect\n"
+" via SSL. Unfortunately not too many do this. UltraVNC\n"
+" seems to have an encryption plugin. It is not too\n"
+" difficult to set up an stunnel or other SSL tunnel on\n"
+" the viewer side.\n"
"\n"
" A simple example on Unix using stunnel 3.x is:\n"
"\n"
-" %% stunnel -c -d localhost:5901 -r remote:5900\n"
+" %% stunnel -c -d localhost:5901 -r remotehost:5900\n"
" %% vncviewer localhost:1\n"
"\n"
" For Windows, stunnel has been ported to it and there\n"
@@ -2175,22 +2254,24 @@ void print_help(int mode) {
" debug_xdamage debug_wireframe nodebug_wireframe\n"
" debug_wireframe debug_scroll nodebug_scroll debug_scroll\n"
" debug_tiles dbt nodebug_tiles nodbt debug_tiles\n"
-" debug_grabs nodebug_grabs dbg nodbg noremote\n"
+" debug_grabs nodebug_grabs debug_sel nodebug_sel dbg\n"
+" nodbg noremote\n"
"\n"
" aro= noop display vncdisplay desktopname guess_desktop\n"
" http_url auth xauth users rootshift clipshift\n"
" scale_str scaled_x scaled_y scale_numer scale_denom\n"
" scale_fac scaling_blend scaling_nomult4 scaling_pad\n"
" scaling_interpolate inetd privremote unsafe safer\n"
-" nocmds passwdfile unixpw unixpw_nis unixpw_list stunnel\n"
-" stunnel_pem using_shm logfile o flag rc norc h help\n"
-" V version lastmod bg sigpipe threads readrate netrate\n"
-" netlatency pipeinput clients client_count pid ext_xtest\n"
-" ext_xtrap ext_xrecord ext_xkb ext_xshm ext_xinerama\n"
-" ext_overlay ext_xfixes ext_xdamage ext_xrandr rootwin\n"
-" num_buttons button_mask mouse_x mouse_y bpp depth\n"
-" indexed_color dpy_x dpy_y wdpy_x wdpy_y off_x off_y\n"
-" cdpy_x cdpy_y coff_x coff_y rfbauth passwd viewpasswd\n"
+" nocmds passwdfile unixpw unixpw_nis unixpw_list ssl\n"
+" ssl_pem sslverify stunnel stunnel_pem usepw using_shm\n"
+" logfile o flag rc norc h help V version lastmod bg\n"
+" sigpipe threads readrate netrate netlatency pipeinput\n"
+" clients client_count pid ext_xtest ext_xtrap ext_xrecord\n"
+" ext_xkb ext_xshm ext_xinerama ext_overlay ext_xfixes\n"
+" ext_xdamage ext_xrandr rootwin num_buttons button_mask\n"
+" mouse_x mouse_y bpp depth indexed_color dpy_x dpy_y\n"
+" wdpy_x wdpy_y off_x off_y cdpy_x cdpy_y coff_x coff_y\n"
+" rfbauth passwd viewpasswd\n"
"\n"
"-QD variable Just like -query variable, but returns the default\n"
" value for that parameter (no running x11vnc server\n"