authorrunge <runge>2006-04-05 21:26:45 +0000
committerrunge <runge>2006-04-05 21:26:45 +0000
commitd14cf0a84c88a02222caad1692228584b610aacc (patch)
tree3482ef126e8b2bf3b9741f779539cfd74c77c698 /x11vnc/help.c
parent1602b345f3e7e508b043133d5c289d9984e39f18 (diff)
SSL Java viewer work thru proxy. -sslGenCA, etc key/cert management utils for x11vnc. FBPM "support".
Diffstat (limited to 'x11vnc/help.c')
-rw-r--r--x11vnc/help.c468
1 files changed, 427 insertions, 41 deletions
diff --git a/x11vnc/help.c b/x11vnc/help.c
index 544d26b..409ecd9 100644
--- a/x11vnc/help.c
+++ b/x11vnc/help.c
@@ -528,14 +528,14 @@ void print_help(int mode) {
"-unixpw_nis [list] As -unixpw above, however do not use su(1) but rather\n"
" use the traditional getpwnam(3) + crypt(3) method to\n"
" verify passwords instead. This requires that the\n"
-" encrpyted passwords be readable. Passwords stored\n"
+" encrypted passwords be readable. Passwords stored\n"
" in /etc/shadow will be inaccessible unless x11vnc\n"
" is run as root.\n"
"\n"
" This is called \"NIS\" mode simply because in most\n"
" NIS setups the user encrypted passwords are accessible\n"
" (e.g. \"ypcat passwd\"). NIS is not required for this\n"
-" mode to work (only that getpwnam(3) return the encrpyted\n"
+" mode to work (only that getpwnam(3) return the encrypted\n"
" password is required), but it is unlikely it will work\n"
" for any other modern environment. All of the -unixpw\n"
" options and contraints apply.\n"
@@ -549,18 +549,19 @@ void print_help(int mode) {
"\n"
" [pem] is optional, use \"-ssl /path/to/mycert.pem\"\n"
" to specify a PEM certificate file to use to identify\n"
-" and provide a key for this server. See openssl(1)\n"
-" for what a PEM can be.\n"
+" and provide a key for this server. See openssl(1) for\n"
+" more info about PEMs and the -sslGenCert option below.\n"
"\n"
-" Connecting VNC viewer SSL tunnels can optionally\n"
+" The connecting VNC viewer SSL tunnel can optionally\n"
" authenticate this server if they have the public\n"
" key part of the certificate (or a common certificate\n"
" authority, CA, is a more sophisicated way to verify\n"
-" this server's cert). This is used to prevent\n"
-" man-in-the-middle attacks. Otherwise, if the VNC\n"
-" viewer accepts this server's key without verification,\n"
-" at least the traffic is protected from passive sniffing\n"
-" on the network (but NOT from man-in-the-middle attacks).\n"
+" this server's cert, see -sslGenCA below). This is\n"
+" used to prevent man-in-the-middle attacks. Otherwise,\n"
+" if the VNC viewer accepts this server's key without\n"
+" verification, at least the traffic is protected\n"
+" from passive sniffing on the network (but NOT from\n"
+" man-in-the-middle attacks).\n"
"\n"
" If [pem] is not supplied and the openssl(1) utility\n"
" command exists in PATH, then a temporary, self-signed\n"
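Review bot: The rewritten sentence "The connecting VNC viewer SSL tunnel can optionally authenticate this server if they have the public key part" now pairs a singular subject with the plural pronoun left over from the old wording. Change "if they have" to "if it has", or keep the plural "tunnels". print_help's body starts and ends outside the hunk.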
@@ -573,15 +574,34 @@ void print_help(int mode) {
" temporary certificate, the public part of it will be\n"
" displayed to stderr (e.g. one could copy it to the\n"
" client-side to provide authentication of the server to\n"
-" VNC viewers.)\n"
+" VNC viewers.) See following paragraphs for how to save\n"
+" keys to reuse when x11vnc is restarted.\n"
"\n"
" Set the env. var. X11VNC_SHOW_TMP_PEM=1 to have x11vnc\n"
" print out the entire certificate, including the PRIVATE\n"
" KEY part, to stderr. One could reuse this cert if saved\n"
" in a [pem] file. Similarly, set X11VNC_KEEP_TMP_PEM=1\n"
" to not delete the temporary PEM file: the file name\n"
-" will be printed to stderr (so one could move it to a\n"
-" safe place for reuse).\n"
+" will be printed to stderr (so one could move it to\n"
+" a safe place for reuse). You will be prompted for a\n"
+" passphrase for the private key.\n"
+"\n"
+" If [pem] is \"SAVE\" then the certificate will be saved\n"
+" to the file ~/.vnc/certs/server.pem, or if that file\n"
+" exists it will be used directly. Similarly, if [pem]\n"
+" is \"SAVE_PROMPT\" the server.pem certificate will be\n"
+" made based on your answers to its prompts for info such\n"
+" as OrganizationalName, CommonName, etc.\n"
+"\n"
+" Use \"SAVE-<string>\" and \"SAVE_PROMPT-<string>\"\n"
+" to refer to the file ~/.vnc/certs/server-<string>.pem\n"
+" instead. E.g. \"SAVE-charlie\" will store to the file\n"
+" ~/.vnc/certs/server-charlie.pem\n"
+"\n"
+" See -ssldir below to use a directory besides the\n"
+" default ~/.vnc/certs\n"
+"\n"
+" Example: x11vnc -ssl SAVE -display :0 ...\n"
"\n"
" Reverse connections are disabled in -ssl mode because\n"
" there is no way to ensure that data channel will\n"
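Review bot: The added sentence "You will be prompted for a passphrase for the private key." closes the paragraph about X11VNC_SHOW_TMP_PEM and X11VNC_KEEP_TMP_PEM, so it reads as applying to the temporary certificate. If it actually describes the SAVE mode introduced in the next paragraph, which seems likely, it should move there. The SAVE paragraph also never says that ~/.vnc/certs/server.pem holds the private key as well as the certificate; the help only states this much later, under -sslGenCert. I would add a sentence to the SAVE paragraph such as `The saved file contains the private key; make sure it cannot be read by untrusted users.` print_help's body continues outside the hunk.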
@@ -589,33 +609,369 @@ void print_help(int mode) {
" override this.\n"
"\n"
" Your VNC viewer will also need to be able to connect\n"
-" via SSL. See the discussion below under -stunnel\n"
-" and the FAQ for how this might be achieved. E.g. on\n"
-" Unix it is easy to write a shell script that starts up\n"
-" stunnel and then vncviewer. Also in the x11vnc source\n"
-" a SSL enabled Java VNC Viewer applet is provided in\n"
-" the classes/ssl directory.\n"
+" via SSL. See the discussion below under -stunnel and\n"
+" the FAQ (ssl_vncviewer script) for how this might be\n"
+" achieved. E.g. on Unix it is easy to write a shell\n"
+" script that starts up stunnel and then vncviewer.\n"
+" Also in the x11vnc source a SSL enabled Java VNC Viewer\n"
+" applet is provided in the classes/ssl directory.\n"
+"\n"
+"-ssldir [dir] Use [dir] as an alternate ssl certificate and key\n"
+" management toplevel directory. The default is\n"
+" ~/.vnc/certs\n"
+"\n"
+" This directory is used to store server and other\n"
+" certificates and keys and also other materials. E.g. in\n"
+" the simplest case, \"-ssl SAVE\" will store the x11vnc\n"
+" server cert in [dir]/server.pem\n"
+"\n"
+" Use of alternate directories via -ssldir allows you to\n"
+" manage multiple VNC Certificate Authority (CA) keys.\n"
+" Another use is if ~/.vnc/cert is on an NFS share you\n"
+" might want your certificates and keys to be on a local\n"
+" filesystem to prevent network snooping (for example\n"
+" -ssldir /var/lib/x11vnc-certs).\n"
+"\n"
+" -ssldir effects the other -ssl* options. In the case\n"
+" of maintenance commands where the VNC server is not run\n"
+" (e.g. -sslGenCA), the -ssldir option must precede the\n"
+" command. E.g. x11vnc -ssldir ~/mydir -sslCertInfo LIST\n"
"\n"
"-sslverify [path] For either of the -ssl or -stunnel modes, use [path]\n"
" to provide certificates to authenticate incoming VNC\n"
-" client connections. This can be used as a method to\n"
-" replace standard password authentication of clients.\n"
+" *Client* connections (normally only the server is\n"
+" authenticated in SSL.) This can be used as a method\n"
+" to replace standard password authentication of clients.\n"
"\n"
" If [path] is a directory it contains the client (or CA)\n"
-" certificates in separate files. If [path] is a file, it\n"
-" contains multiple certificates. These correspond to the\n"
-" \"CApath = dir\" and \"CAfile = file\" stunnel options.\n"
-" See the stunnel(8) manpage for details.\n"
+" certificates in separate files. If [path] is a file,\n"
+" it contains multiple certificates. See special tokens\n"
+" below. These correspond to the \"CApath = dir\" and\n"
+" \"CAfile = file\" stunnel options. See the stunnel(8)\n"
+" manpage for details.\n"
+"\n"
+" Examples:\n"
+" x11vnc -ssl -sslverify ~/my.pem\n"
+" x11vnc -ssl -sslverify ~/my_pem_dir/\n"
+"\n"
+" Note that if [path] is a directory, it must contain\n"
+" the certs in separate files named like <HASH>.0, where\n"
+" the value of <HASH> is found by running the command\n"
+" \"openssl x509 -hash -noout -in file.crt\". Evidently\n"
+" one uses <HASH>.1 if there is a collision...\n"
+"\n"
+" The the key-management utility \"-sslCertInfo HASHON\"\n"
+" and \"-sslCertInfo HASHOFF\" will create/delete these\n"
+" hashes for you automatically (via symlink) in the HASH\n"
+" subdirs it manages. Then you can point -sslverify to\n"
+" the HASH subdir.\n"
+"\n"
+" Special tokens: in -ssl mode, if [path] is not a file or\n"
+" a directory, it is taken as a comma separated list of\n"
+" tokens that are interpreted as follows:\n"
+"\n"
+" If a token is \"CA\" that means load the CA/cacert.pem\n"
+" file from the ssl directory. If a token is \"clients\"\n"
+" then all the files clients/*.crt in the ssl directory\n"
+" are loaded. Otherwise the file clients/token.crt\n"
+" is attempted to be loaded. As a kludge, use a token\n"
+" like ../server-foo to load a server cert if you find\n"
+" that necessary.\n"
+" \n"
+" Use -ssldir to use a directory different from the\n"
+" ~/.vnc/certs default.\n"
+" \n"
+" Note that if the \"CA\" cert is loaded you do not need\n"
+" to load any of the certs that have been signed by it.\n"
+" You will need to load any additional self-signed certs\n"
+" however.\n"
+" \n"
+" Examples:\n"
+" x11vnc -ssl -sslverify CA\n"
+" x11vnc -ssl -sslverify self:fred,self:jim\n"
+" x11vnc -ssl -sslverify CA,clients\n"
+" \n"
+" Usually \"-sslverify CA\" is the most effective.\n"
+" See the -sslGenCA and -sslGenCert options below for\n"
+" how to set up and manage the CA framework.\n"
+" \n"
+"\n"
+"\n"
+" NOTE: the following utilities, -sslGenCA, -sslGenCert,\n"
+" -sslEncKey, and -sslCertInfo are provided for\n"
+" completeness, but for casual usage they are overkill.\n"
+"\n"
+" They provide VNC Certificate Authority (CA) key creation\n"
+" and server / client key generation and signing. So they\n"
+" provide a basic Public Key management framework for\n"
+" VNC-ing with x11vnc. (note that they require openssl(1)\n"
+" be installed on the system)\n"
+"\n"
+" However, the simplest usage mode (where x11vnc\n"
+" automatically generates its own, self-signed, temporary\n"
+" key and the VNC viewers always accept it, e.g. accepting\n"
+" via a dialog box) is probably safe enough for most\n"
+" scenarios. CA management is not needed.\n"
+"\n"
+" To protect against Man-In-The-Middle attacks the\n"
+" simplest mode can be improved by using \"-ssl SAVE\"\n"
+" to have x11vnc create a longer term self-signed\n"
+" certificate, and then (safely) copy the corresponding\n"
+" public key cert to the desired client machines (care\n"
+" must be taken the private key part is not stolen;\n"
+" you will be prompted for a passphrase).\n"
+"\n"
+" So keep in mind no CA key creation or management\n"
+" (-sslGenCA and -sslGenCert) is needed for either of\n"
+" the above two common usage modes.\n"
+"\n"
+" One might want to use -sslGenCA and -sslGenCert\n"
+" if you had a large number of VNC client and server\n"
+" workstations. That way the administrator could generate\n"
+" a single CA key with -sslGenCA and distribute its\n"
+" certificate part to all of the workstations.\n"
+"\n"
+" Next, he could create signed VNC server keys\n"
+" (-sslGenCert server ...) for each workstation or user\n"
+" that then x11vnc would use to authenticate itself to\n"
+" any VNC client that has the CA cert.\n"
+"\n"
+" Optionally, the admin could also make it so the\n"
+" VNC clients themselves are authenticated to x11vnc\n"
+" (-sslGenCert client ...) For this -sslverify would be\n"
+" pointed to the CA cert (and/or self-signed certs).\n"
+"\n"
+" x11vnc will be able to use all of these cert and\n"
+" key files. On the VNC client side, they will need to\n"
+" be \"imported\" somehow. Web browsers have \"Manage\n"
+" Certificates\" actions as does the Java applet plugin\n"
+" Control Panel. stunnel can also use these files (see\n"
+" the ssl_vncviewer example script in the FAQ.)\n"
+"\n"
+"-sslGenCA [dir] Generate your own Certificate Authority private key,\n"
+" certificate, and other files in directory [dir].\n"
+"\n"
+" If [dir] is not supplied, a -ssldir setting is used,\n"
+" or otherwise ~/.vnc/certs is used.\n"
+"\n"
+" This command also creates directories where server and\n"
+" client certs and keys will be stored. The openssl(1)\n"
+" program must be installed on the system and available\n"
+" in PATH.\n"
+"\n"
+" After the CA files and directories are created the\n"
+" command exits; the VNC server is not run.\n"
+"\n"
+" You will be prompted for information to put into the CA\n"
+" certificate. The info does not have to be accurate just\n"
+" as long as clients accept the cert for VNC connections.\n"
+" You will also need to supply a passphrase of at least\n"
+" 4 characters for the CA private key.\n"
+"\n"
+" Once you have generated the CA you can distribute\n"
+" its certificate part, [dir]/CA/cacert.pem, to other\n"
+" workstations where VNC viewers will be run. One will\n"
+" need to \"import\" this certicate in the applications,\n"
+" e.g. Web browser, Java applet plugin, stunnel, etc.\n"
+" Next, you can create and sign keys using the CA with\n"
+" the -sslGenCert option below.\n"
+"\n"
+" Examples:\n"
+" x11vnc -sslGenCA\n"
+" x11vnc -sslGenCA ~/myCAdir\n"
+" x11vnc -ssldir ~/myCAdir -sslGenCA\n"
+"\n"
+" (the last two lines are equivalent)\n"
+"\n"
+"-sslGenCert type name Generate a VNC server or client certificate and private\n"
+" key pair signed by the CA created previously with\n"
+" -sslGenCA. The openssl(1) program must be installed\n"
+" on the system and available in PATH.\n"
+"\n"
+" After the Certificate is generated the command exits;\n"
+" the VNC server is not run.\n"
+"\n"
+" The type of key to be generated is the string \"type\".\n"
+" It is either \"server\" (i.e. for use by x11vnc) or\n"
+" \"client\" (for a VNC viewer). Note that typically\n"
+" only \"server\" is used: the VNC clients authenticate\n"
+" themselves by a non-public-key method (e.g. VNC or\n"
+" unix password). \"type\" is required.\n"
+"\n"
+" An arbitrary default name you want to associate with\n"
+" the key is supplied by the \"name\" string. You can\n"
+" change it at the various prompts when creating the key.\n"
+" \"name\" is optional.\n"
+"\n"
+" If name is left blank for clients keys then \"nobody\"\n"
+" is used. If left blank for server keys, then the\n"
+" primary server key: \"server.pem\" is created (this\n"
+" is the saved one referenced by \"-ssl SAVE\" when the\n"
+" server is started)\n"
+"\n"
+" If \"name\" begins with the string \"self:\" then\n"
+" a self-signed certificate is created instead of one\n"
+" signed by your CA key.\n"
+"\n"
+" If \"name\" begins with the string \"req:\" then only a\n"
+" key (.key) and a certificate signing *request* (.req)\n"
+" are generated. You can then send the .req file to\n"
+" an external CA (even a professional one, e.g. Thawte)\n"
+" and then combine the .key and the received cert into\n"
+" the .pem file with the same basename.\n"
+"\n"
+" The distinction between \"server\" and \"client\" is\n"
+" simply the choice of output filenames and sub-directory.\n"
+" This makes it so the -ssl SAVE-name option can easily\n"
+" pick up the x11vnc PEM file this option generates.\n"
+" And similarly makes it easy for the -sslverify option\n"
+" to pick up your client certs.\n"
+"\n"
+" There is nothing special about the filename or directory\n"
+" location of either the \"server\" and \"client\" certs.\n"
+" You can rename the files or move them to wherever\n"
+" you like.\n"
+"\n"
+" Precede this option with -ssldir [dir] to use a\n"
+" directory other than the default ~/.vnc/certs You will\n"
+" need to run -sslGenCA on that directory first before\n"
+" doing any -sslGenCert key creation.\n"
+"\n"
+" Note you cannot recreate a cert with exactly the same\n"
+" distiguished name (DN) as an existing one. To do so,\n"
+" you will need to edit the [dir]/CA/index.txt file to\n"
+" delete the line.\n"
+"\n"
+" Similar to -sslGenCA, you will be prompted to fill\n"
+" in some information that will be recorded in the\n"
+" certificate when it is created. Tip: if you know\n"
+" the fully-quailified hostname other people will be\n"
+" connecting to you can use that as the CommonName \"CN\"\n"
+" to avoid some applications (e.g. web browsers and java\n"
+" plugin) complaining it does not match the hostname.\n"
+"\n"
+" You will also need to supply the CA private key\n"
+" passphrase to unlock the private key created from\n"
+" -sslGenCA. This private key is used to sign the server\n"
+" or client certicate.\n"
+"\n"
+" The \"server\" certs can be used by x11vnc directly by\n"
+" pointing to them via the -ssl [pem] option. The default\n"
+" file will be ~/.vnc/certs/server.pem. This one would\n"
+" be used by simply typing -ssl SAVE. The pem file\n"
+" contains both the certificate and the private key.\n"
+" server.crt file contains the cert only.\n"
+"\n"
+" The \"client\" cert + private key file will need\n"
+" to be copied and imported into the VNC viewer\n"
+" side applications (Web browser, Java plugin,\n"
+" stunnel, etc.) Once that is done you can delete the\n"
+" \"client\" private key file on this machine since\n"
+" it is only needed on the VNC viewer side. The,\n"
+" e.g. ~/.vnc/certs/clients/<name>.pem contains both\n"
+" the cert and private key. The <name>.crt contains the\n"
+" certificate only.\n"
+"\n"
+" NOTE: It is very important to know one should always\n"
+" generate new keys with a passphrase. Otherwise if an\n"
+" untrusted user steals the key file he could use it to\n"
+" masquerade as the x11vnc server (or VNC viewer client).\n"
+" You will be prompted whether to encrypt the key with\n"
+" a passphrase or not. It is recommended that you do.\n"
+" One inconvenience to a passphrase is that it must\n"
+" be suppled every time x11vnc or the client app is\n"
+" started up.\n"
+"\n"
+" Examples:\n"
+"\n"
+" x11vnc -sslGenCert server\n"
+" x11vnc -ssl SAVE -display :0 ...\n"
+"\n"
+" and then on viewer using ssl_vncviewer stunnel wrapper\n"
+" (see the FAQ):\n"
+
+" ssl_vncviewer -verify ./cacert.crt hostname:0\n"
+"\n"
+" (this assumes the cacert.crt cert from -sslGenCA\n"
+" was safely copied to the VNC viewer machine where\n"
+" ssl_vncviewer is run)\n"
+"\n"
+" Example using a name:\n"
+"\n"
+" x11vnc -sslGenCert server charlie\n"
+" x11vnc -ssl SAVE-charlie -display :0 ...\n"
+"\n"
+" Example for a client certificate (rarely used):\n"
+"\n"
+" x11vnc -sslGenCert client roger\n"
+" scp ~/.vnc/certs/clients/roger.pem somehost:.\n"
+" rm ~/.vnc/certs/clients/roger.pem\n"
+"\n"
+" x11vnc is then started with the the option -sslverify\n"
+" ~/.vnc/certs/clients/roger.crt (or simply -sslverify\n"
+" roger), and on the viewer user on somehost could do\n"
+" for example:\n"
+"\n"
+" ssl_vncviewer -mycert ./roger.pem hostname:0\n"
+"\n"
+"-sslEncKey [pem] Utility to encrypt an existing PEM file with a\n"
+" passphrase you supply when prompted. For that key to be\n"
+" used (e.g. by x11vnc) the passphrase must be supplied\n"
+" each time.\n"
+"\n"
+" The \"SAVE\" notation described under -ssl applies as\n"
+" well. (precede this option with -ssldir [dir] to refer\n"
+" a directory besides the default ~/.vnc/certs)\n"
+"\n"
+" The openssl(1) program must be installed on the system\n"
+" and available in PATH. After the Key file is encrypted\n"
+" the command exits; the VNC server is not run.\n"
+"\n"
+" Examples:\n"
+" x11vnc -sslEncKey /path/to/foo.pem\n"
+" x11vnc -sslEncKey SAVE\n"
+" x11vnc -sslEncKey SAVE-charlie\n"
+"\n"
+"-sslCertInfo [pem] Prints out information about an existing PEM file.\n"
+" In addition the public certificate is also printed.\n"
+" The openssl(1) program must be in PATH. Basically the\n"
+" command \"openssl x509 -text\" is run on the pem.\n"
+"\n"
+" The \"SAVE\" notation described under -ssl applies\n"
+" as well.\n"
+"\n"
+" Using \"LIST\" will give a list of all certs being\n"
+" managed (in the ~/.vnc/certs dir, use -ssldir to refer\n"
+" to another dir). \"ALL\" will print out the info for\n"
+" every managed key (this can be very long). Giving a\n"
+" client or server cert shortname will also try a lookup\n"
+" (e.g. -sslCertInfo charlie). Use \"LISTL\" or \"LL\"\n"
+" for a long (ls -l style) listing.\n"
+"\n"
+" Using \"HASHON\" will create subdirs [dir]/HASH and\n"
+" [dir]/HASH with OpenSSL hash filenames (e.g. 0d5fbbf1.0)\n"
+" symlinks pointing up to the corresponding *.crt file.\n"
+" ([dir] is ~/.vnc/certs or one given by -ssldir.)\n"
+" This is a useful way for other OpenSSL applications\n"
+" (e.g. stunnel) to access all of the certs without\n"
+" having to concatenate them. x11vnc will not use them\n"
+" unless you specifically reference them. \"HASHOFF\"\n"
+" removes these HASH subdirs.\n"
+"\n"
+" The LIST, LISTL, LL, ALL, HASHON, HASHOFF words can\n"
+" also be lowercase, e.g. \"list\".\n"
+"\n"
+"-sslDelCert [pem] Prompts you to delete all .crt .pem .key .req files\n"
+" associated with [pem]. \"SAVE\" and lookups as in\n"
+" -sslCertInfo apply as well.\n"
"\n"
-" To create certificates for all sorts of authentications\n"
-" (clients, servers, via CA, etc) see the openssl(1)\n"
-" command. Of particular usefulness is the \"x509\"\n"
-" subcommand of openssl(1).\n"
"\n"
"-stunnel [pem] Use the stunnel(8) (www.stunnel.org) to provide an\n"
-" encrypted SSL tunnel between viewers and x11vnc. This\n"
-" was implemented prior to the integrated -ssl encrpytion.\n"
-" It works well. This requires stunnel to be installed\n"
+" encrypted SSL tunnel between viewers and x11vnc.\n"
+"\n"
+" This external tunnel method was implemented prior to the\n"
+" integrated -ssl encryption described above. It still\n"
+" works well. This requires stunnel to be installed\n"
" on the system and available via PATH (n.b. stunnel is\n"
" often installed in sbin directories). Version 4.x of\n"
" stunnel is assumed (but see -stunnel3 below.)\n"
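Review bot: The NOTE paragraph before -sslGenCA calls the mode where viewers accept the temporary self-signed key via a dialog box "probably safe enough for most scenarios", but the -ssl text earlier in this help says that mode protects only against passive sniffing and NOT against man-in-the-middle attacks. State the limit in that same sentence, for example by appending `(this protects against passive sniffing only, not man-in-the-middle attacks)`. The -sslverify examples use `self:fred,self:jim`, yet the special-token description covers only "CA", "clients" and a bare token, so the `self:` form is left unexplained here. Smaller slips in the added text: `~/.vnc/cert` under -ssldir should be `~/.vnc/certs`, "The the key-management utility" repeats a word, and HASHON is said to create "[dir]/HASH and [dir]/HASH", which names the same directory twice. A bare `+` line also interrupts the string literals just before the `ssl_vncviewer -verify` example; print_help's body starts and ends outside the hunk.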
@@ -641,14 +997,13 @@ void print_help(int mode) {
" SSL. Unfortunately not too many do this. UltraVNC has\n"
" an encryption plugin but it does not seem to be SSL.\n"
"\n"
-" In the x11vnc distribution, a patched TightVNC Java\n"
-" applet is provided in classes/ssl that does SSL\n"
+" Also, in the x11vnc distribution, a patched TightVNC\n"
+" Java applet is provided in classes/ssl that does SSL\n"
" connections (only).\n"
"\n"
" It is also not too difficult to set up an stunnel or\n"
-" other SSL tunnel on the viewer side.\n"
-"\n"
-" A simple example on Unix using stunnel 3.x is:\n"
+" other SSL tunnel on the viewer side. A simple example\n"
+" on Unix using stunnel 3.x is:\n"
"\n"
" %% stunnel -c -d localhost:5901 -r remotehost:5900\n"
" %% vncviewer localhost:1\n"
@@ -704,9 +1059,10 @@ void print_help(int mode) {
" file \"file\". Once the password is stored the\n"
" program exits. Use the password via \"-rfbauth file\"\n"
"\n"
-" If called with no arguments, i.e., \"-storepasswd\",\n"
+" If called with no arguments, \"x11vnc -storepasswd\",\n"
" the user is prompted for a password and it is stored\n"
-" in the file ~/.vnc/passwd\n"
+" in the file ~/.vnc/passwd. Called with one argument,\n"
+" that will be the file to store the prompted password in.\n"
"\n"
"-nopw Disable the big warning message when you use x11vnc\n"
" without some sort of password.\n"
@@ -1718,6 +2074,22 @@ void print_help(int mode) {
" to really throttle down the screen polls (i.e. sleep\n"
" for about 1.5 secs). Use 0 to disable. Default: %d\n"
"\n"
+"-nofbpm If the system supports the FBPM (Frame Buffer Power\n"
+"-fbpm Management) extension (i.e. some Sun systems), then\n"
+" prevent the video h/w from going into a reduced power\n"
+" state when VNC clients are connected.\n"
+"\n"
+" FBPM capable video h/w save energy when the workstation\n"
+" is idle by going into low power states (similar to DPMS\n"
+" for monitors). This interferes with x11vnc's polling\n"
+" of the framebuffer data.\n"
+"\n"
+" \"-nofbpm\" means prevent FBPM low power states whenever\n"
+" VNC clients are connected, while \"-fbpm\" means to not\n"
+" monitor the FBPM state at all. See the xset(1) manpage\n"
+" for details. -nofbpm is basically the same as running\n"
+" \"xset fbpm force on\" periodically. Default: %s\n"
+"\n"
"-noxdamage Do not use the X DAMAGE extension to detect framebuffer\n"
" changes even if it is available. Use -xdamage if your\n"
" default is to have it off.\n"
@@ -2176,6 +2548,8 @@ void print_help(int mode) {
" nap enable -nap mode.\n"
" nonap disable -nap mode.\n"
" sb:n set -sb to n s, same as screen_blank:n\n"
+" fbpm disable -nofbpm mode.\n"
+" nofbpm enable -nofbpm mode.\n"
" xdamage enable xdamage polling hints.\n"
" noxdamage disable xdamage polling hints.\n"
" xd_area:A set -xd_area max pixel area to \"A\"\n"
@@ -2296,8 +2670,8 @@ void print_help(int mode) {
" debug_pointer dp nodebug_pointer nodp debug_keyboard\n"
" dk nodebug_keyboard nodk deferupdate defer wait_ui\n"
" wait_bog nowait_bog slow_fb wait readtimeout nap nonap\n"
-" sb screen_blank fs gaps grow fuzz snapfb nosnapfb\n"
-" rawfb progressive rfbport http nohttp httpport\n"
+" sb screen_blank fbpm nofbpm fs gaps grow fuzz snapfb\n"
+" nosnapfb rawfb progressive rfbport http nohttp httpport\n"
" httpdir enablehttpproxy noenablehttpproxy alwaysshared\n"
" noalwaysshared nevershared noalwaysshared dontdisconnect\n"
" nodontdisconnect desktop debug_xevents nodebug_xevents\n"
@@ -2458,6 +2832,7 @@ void print_help(int mode) {
rfbMaxClientWait/1000,
take_naps ? "take naps":"no naps",
screen_blank,
+ watch_fbpm ? "-nofbpm":"-fbpm",
xdamage_max_area, NSCAN, xdamage_memory,
use_threads ? "-threads":"-nothreads",
fs_frac,
@@ -2574,17 +2949,28 @@ void nopassword_warning_msg(int gotloc) {
"#@ @#\n"
"#@ an existing ~/.vnc/passwd file will work too. @#\n"
"#@ @#\n"
+"#@ Running \"x11vnc -storepasswd\" with no arguments @#\n"
+"#@ will prompt for a passwd to store in ~/.vnc/passwd. @#\n"
+"#@ @#\n"
"#@ You can also use the -passwdfile or -passwd options. @#\n"
"#@ (note -passwd is unsafe if local users are not trusted) @#\n"
"#@ @#\n"
"#@ Make sure any -rfbauth and -passwdfile password files @#\n"
"#@ cannot be read by untrusted users. @#\n"
"#@ @#\n"
+"#@ Use x11vnc -usepw to automatically use your @#\n"
+"#@ ~/.vnc/passwd or ~/.vnc/passwdfile password files. @#\n"
+"#@ (and prompt you to create ~/.vnc/passwd if neither @#\n"
+"#@ file exists.) @#\n"
+"#@ @#\n"
+"#@ @#\n"
"#@ Even with a password, the subsequent VNC traffic is @#\n"
"#@ sent in the clear. Consider tunnelling via ssh(1): @#\n"
"#@ @#\n"
"#@ http://www.karlrunge.com/x11vnc/#tunnelling @#\n"
"#@ @#\n"
+"#@ Or using the x11vnc SSL options: -ssl and -stunnel @#\n"
+"#@ @#\n"
"#@ Please Read the documention for more info about @#\n"
"#@ passwords, security, and encryption. @#\n"
"#@ @#\n"
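Review bot: Two consecutive empty banner rows are added after the "file exists.)" line, whereas every other paragraph visible in this box is separated by a single empty `#@ ... @#` row; drop one so the box stays uniform. The new "Or using the x11vnc SSL options: -ssl and -stunnel" line could also carry the caveat documented under -ssl, that a viewer accepting the server key without verification is protected only against passive sniffing. This banner is where a user running without a password first reads about encryption. nopassword_warning_msg starts and ends outside the hunk.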