author: runge <runge> 2006-03-05 00:35:33 +0000
committer: runge <runge> 2006-03-05 00:35:33 +0000
commit: a9a9c812f7feb5bfb1d017575762c6a6390227b9
tree: 1f1e013d1c905b0e705ec245aa9fec1df6cb1c30 /x11vnc/help.c
parent: b03a920cb996bf61af2d9351d2fe497ea3c0c99e
x11vnc: -unixpw on *bsd, hpux and tru64. -unixpw_nis mode. stunnel and gui tweaks.
Diffstat (limited to 'x11vnc/help.c')
-rw-r--r-- x11vnc/help.c 122
1 files changed, 70 insertions, 52 deletions
diff --git a/x11vnc/help.c b/x11vnc/help.c
index d31a038..a0c1bc3 100644
--- a/x11vnc/help.c
+++ b/x11vnc/help.c
@@ -401,34 +401,38 @@ void print_help(int mode) {
" and last line be \"__BEGIN_VIEWONLY__\" to have 2\n"
" full-access passwords)\n"
"\n"
-"-unixpw [list] Experimental option: use Unix username and password\n"
-" authentication. x11vnc uses the su(1) program to verify\n"
-" the user's password. [list] is an optional comma\n"
-" separated list of allowed Unix usernames. See below\n"
-" for per-user options that can be applied.\n"
+"-unixpw [list] Use Unix username and password authentication. x11vnc\n"
+" uses the su(1) program to verify the user's password.\n"
+" [list] is an optional comma separated list of allowed\n"
+" Unix usernames. See below for per-user options that\n"
+" can be applied.\n"
"\n"
" A familiar \"login:\" and \"Password:\" dialog is\n"
" presented to the user on a black screen inside the\n"
" vncviewer. The connection is dropped if the user fails\n"
" to supply the correct password in 3 tries or does not\n"
-" send one before a 20 second timeout. Existing clients\n"
+" send one before a 25 second timeout. Existing clients\n"
" are view-only during this period.\n"
"\n"
" Since the detailed behavior of su(1) can vary from\n"
" OS to OS and for local configurations, please test\n"
" the mode carefully on your systems before using it.\n"
-" Try different combinations of valid/invalid usernames\n"
-" and passwords.\n"
+" E.g. try different combinations of valid/invalid\n"
+" usernames and valid/invalid passwords to see if it\n"
+" behaves correctly. x11vnc will be conservative and\n"
+" reject a user if anything abnormal occurs.\n"
" \n"
-" For example, on FreeBSD and the other BSD's and Tru64\n"
-" it does not appear to be possible for the user running\n"
-" x11vnc to validate his *own* password via su(1).\n"
-" The x11vnc login will always fail in this case.\n"
-" A possible workaround would be to start x11vnc as\n"
-" root with the \"-users +nobody\" option to immediately\n"
-" switch to user nobody. Another source of problems are\n"
-" PAM modules that prompt for extra info, e.g. password\n"
-" aging modules. These logins will always fail as well.\n"
+" For example, on FreeBSD and the other BSD's by default\n"
+" it is impossible for the user running x11vnc to validate\n"
+" his *own* password via su(1) (evidently commenting\n"
+" out the pam_self.so entry in /etc/pam.d/su eliminates\n"
+" the problem). So the x11vnc login will always fail for\n"
+" this case. A possible workaround would be to start\n"
+" x11vnc as root with the \"-users +nobody\" option to\n"
+" immediately switch to user nobody. Another source of\n"
+" problems are PAM modules that prompt for extra info,\n"
+" e.g. password aging modules. These logins will always\n"
+" fail as well.\n"
"\n"
" *IMPORTANT*: to prevent the Unix password being sent in\n"
" *clear text* over the network, two x11vnc options are\n"
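Review bot: The parenthetical in the FreeBSD paragraph ("evidently commenting out the pam_self.so entry in /etc/pam.d/su eliminates the problem") offers a system PAM change in passing and hedges it with "evidently". That file governs su(1) for every caller on the host, not only x11vnc, so the help should either say so and name the release it was checked on, or drop the aside and keep "-users +nobody" as the one documented workaround. Two smaller points in the same hunk: the timeout in the text moves from 20 to 25 seconds, and nothing in this file shows the matching code change, so confirm the two agree; and the new sentence "x11vnc will be conservative and reject a user if anything abnormal occurs" is a fail-closed promise that the surrounding "please test the mode carefully" advice should tell users how to confirm (for example, that a su(1) prompt x11vnc does not recognise results in a rejected login).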
@@ -444,17 +448,18 @@ void print_help(int mode) {
" Set UNIXPW_DISABLE_STUNNEL=1 to disable using -stunnel.\n"
" Evidently you will be using a different method to\n"
" encrypt the data between the vncviewer and x11vnc:\n"
-" e.g. ssh(1) or a VPN. Note that use of ssh(1) with\n"
-" -localhost is roughly the same as requiring a Unix\n"
-" user login (since Unix password or the user's public\n"
-" key authentication is used by ssh)\n"
-"\n"
-" As a convenience, if you ssh(1) in and start x11vnc\n"
-" it will look to see if the environment variable\n"
-" SSH_CONNECTION is set and appears reasonable. If it\n"
-" does, then the stunnel requirement is dropped since\n"
-" it is assumed you are using ssh for the encrypted\n"
-" tunnelling. Use -stunnel to force stunnel usage.\n"
+" e.g. ssh(1) or a VPN. Note that use of -localhost\n"
+" with ssh(1) is roughly the same as requiring a Unix\n"
+" user login (since a Unix password or the user's public\n"
+" key authentication is used by ssh on the machine where\n"
+" x11vnc runs and only local connections are accepted)\n"
+"\n"
+" As a convenience, if you ssh(1) in and start x11vnc it\n"
+" will check if the environment variable SSH_CONNECTION\n"
+" is set and appears reasonable. If it does, then the\n"
+" stunnel requirement is dropped since it is assumed\n"
+" you are using ssh for the encrypted tunnelling.\n"
+" Use -stunnel to force stunnel usage.\n"
"\n"
" Set UNIXPW_DISABLE_LOCALHOST=1 to disable the -localhost\n"
" requirement. One should never do this (i.e. allow the\n"
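Review bot: The SSH_CONNECTION paragraph drops the stunnel requirement on the strength of an environment variable that "appears reasonable", but it does not say what is checked or that the -localhost requirement stays in force when stunnel is dropped. SSH_CONNECTION only shows that x11vnc was started from an ssh session; it says nothing about how viewers will connect, so the Unix password is protected only if connections are still restricted to localhost. Add a sentence stating that -localhost continues to be enforced in this case (unless UNIXPW_DISABLE_LOCALHOST=1 is set, per the next paragraph), and briefly describe the "reasonable" test. The reworded sentence ending "only local connections are accepted)" is also missing its final period.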
@@ -471,16 +476,28 @@ void print_help(int mode) {
" where \"opts\" is a \"+\" separated list of\n"
" \"viewonly\", \"fullaccess\", \"input=XXXX\", or\n"
" \"deny\", e.g. \"karl,fred:viewonly,boss:input=M\".\n"
-" For \"input=\" it is the K,M,B,C describe under -input.\n"
-"\n"
-" If a user in the list is \"*\" that means those options\n"
-" apply to all users. It also means all users are allowed\n"
-" to log in. Use \"deny\" to explicitly deny some users\n"
-" if you use \"*\" to set a global option.\n"
-"\n"
-"-stunnel [pem] Use the stunnel(1) (www.stunnel.org) to provide an\n"
-" encrypted SSL tunnel between viewers and x11vnc.\n"
-" This requires stunnel be installed on the system and\n"
+" For \"input=\" it is the K,M,B,C described under -input.\n"
+"\n"
+" If a user in the list is \"*\" that means those\n"
+" options apply to all users. It also means all users\n"
+" are allowed to log in after supplying a valid password.\n"
+" Use \"deny\" to explicitly deny some users if you use\n"
+" \"*\" to set a global option.\n"
+"\n"
+"-unixpw_nis [list] As -unixpw above, however do not run su(1) but rather\n"
+" use the traditional getpwnam() + crypt() method instead.\n"
+" This requires that the encrpyted passwords be readable.\n"
+" Passwords stored in /etc/shadow will be inaccessible\n"
+" unless run as root. This is called \"NIS\" mode\n"
+" simply because in most NIS setups the user encrypted\n"
+" passwords are accessible (e.g. \"ypcat passwd\").\n"
+" NIS is not required for this mode to work, but it\n"
+" is unlikely it will work for any other environment.\n"
+" All of the -unixpw options and contraints apply.\n"
+"\n"
+"-stunnel [pem] Use the stunnel(1) (www.stunnel.org) to provide\n"
+" an encrypted SSL tunnel between viewers and x11vnc.\n"
+" This requires stunnel to be installed on the system and\n"
" available via PATH (n.b. stunnel is often installed in\n"
" sbin directories). Version 4.x of stunnel is assumed;\n"
" see -stunnel3 below.\n"
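Review bot: The new -unixpw_nis text has two typos in added lines: "encrpyted" should be "encrypted" and "contraints" should be "constraints". Beyond spelling, the description says Passwords stored in /etc/shadow "will be inaccessible unless run as root" without pointing back to the "-users +nobody" style of privilege drop mentioned under -unixpw, so a reader may conclude the mode is meant to be run as root throughout; say what is recommended there. It would also help to state plainly that this mode compares crypt() output against the stored hash and therefore bypasses whatever su(1) and its PAM stack would otherwise enforce, since the -unixpw text above leans on su(1) behaviour. The added "after supplying a valid password" clarification for the "*" entry is a good change.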
@@ -492,9 +509,9 @@ void print_help(int mode) {
"\n"
" stunnel is started up as a child process of x11vnc and\n"
" any SSL connections stunnel receives are decrypted and\n"
-" sent to x11vnc over a local socket. The strings \"The\n"
-" SSL VNC desktop is ...\" and SSLPORT=... are printed\n"
-" out at startup.\n"
+" sent to x11vnc over a local socket. The strings\n"
+" \"The SSL VNC desktop is ...\" and \"SSLPORT=...\"\n"
+" are printed out at startup.\n"
"\n"
" The -localhost option is enforced by default to\n"
" avoid people routing around the SSL channel. Set\n"
@@ -502,7 +519,7 @@ void print_help(int mode) {
"\n"
" Your VNC viewer will need to be able to connect via SSL.\n"
" Unfortunately not too many do this. UltraVNC seems to\n"
-" have a SSL plugin. It is not too difficult to set up\n"
+" have a SSL plugin. It is not too difficult to set up\n"
" an stunnel or other SSL tunnel on the viewer side.\n"
"\n"
" A simple example on Unix using stunnel 3.x is:\n"
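Review bot: This hunk only changes whitespace on the "have a SSL plugin" line; since the line is being touched anyway, change "a SSL plugin" to "an SSL plugin" to match "an stunnel or other SSL tunnel" on the following line.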
@@ -2100,16 +2117,17 @@ void print_help(int mode) {
" http_url auth xauth users rootshift clipshift\n"
" scale_str scaled_x scaled_y scale_numer scale_denom\n"
" scale_fac scaling_blend scaling_nomult4 scaling_pad\n"
-" scaling_interpolate inetd privremote unsafe safer nocmds\n"
-" passwdfile unixpw unixpw_list stunnel stunnel_pem\n"
-" using_shm logfile o flag rc norc h help V version\n"
-" lastmod bg sigpipe threads readrate netrate netlatency\n"
-" pipeinput clients client_count pid ext_xtest ext_xtrap\n"
-" ext_xrecord ext_xkb ext_xshm ext_xinerama ext_overlay\n"
-" ext_xfixes ext_xdamage ext_xrandr rootwin num_buttons\n"
-" button_mask mouse_x mouse_y bpp depth indexed_color\n"
-" dpy_x dpy_y wdpy_x wdpy_y off_x off_y cdpy_x cdpy_y\n"
-" coff_x coff_y rfbauth passwd viewpasswd\n"
+" scaling_interpolate inetd privremote unsafe safer\n"
+" nocmds passwdfile unixpw unixpw_nis unixpw_list stunnel\n"
+" stunnel_pem using_shm logfile o flag rc norc h help\n"
+" V version lastmod bg sigpipe threads readrate netrate\n"
+" netlatency pipeinput clients client_count pid ext_xtest\n"
+" ext_xtrap ext_xrecord ext_xkb ext_xshm ext_xinerama\n"
+" ext_overlay ext_xfixes ext_xdamage ext_xrandr rootwin\n"
+" num_buttons button_mask mouse_x mouse_y bpp depth\n"
+" indexed_color dpy_x dpy_y wdpy_x wdpy_y off_x off_y\n"
+" cdpy_x cdpy_y coff_x coff_y rfbauth passwd viewpasswd\n"
+"\n"
"-QD variable Just like -query variable, but returns the default\n"
" value for that parameter (no running x11vnc server\n"
" is consulted)\n"
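Review bot: The query-variable list gains "unixpw_nis", but this file only documents the name; the query handler is not part of this diff, so confirm it actually answers for unixpw_nis, otherwise the help advertises a variable that returns nothing. Because the list is hand-wrapped, adding one word rewrote ten lines and makes the real change hard to spot in review; consider one addition per commit for this block, or keeping the wrap stable and letting a line run slightly long. The added blank "\n" line before -QD is fine.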