summaryrefslogtreecommitdiffstats
path: root/x11vnc/misc/enhanced_tightvnc_viewer/bin
diff options
context:
space:
mode:
authorChristian Beier <dontmind@freeshell.org>2014-09-03 20:54:39 +0200
committerChristian Beier <dontmind@freeshell.org>2014-09-03 20:54:39 +0200
commit498d222976975f53dea885cfe43ef0f805abd412 (patch)
treebac684fbde46fdc3e4cc3817616816b71bb67f9f /x11vnc/misc/enhanced_tightvnc_viewer/bin
parent8d2db0486dcc167f1b02d4454ebf4624ce03e1de (diff)
downloadlibtdevnc-498d222976975f53dea885cfe43ef0f805abd412.tar.gz
libtdevnc-498d222976975f53dea885cfe43ef0f805abd412.zip
Remove x11vnc subdir.
The new x11vnc repo is at https://github.com/LibVNC/x11vnc.
Diffstat (limited to 'x11vnc/misc/enhanced_tightvnc_viewer/bin')
-rwxr-xr-xx11vnc/misc/enhanced_tightvnc_viewer/bin/Darwin.Power.Macintosh/.cpover7
-rwxr-xr-xx11vnc/misc/enhanced_tightvnc_viewer/bin/Darwin.Power.Macintosh/vncviewer.sh39
-rwxr-xr-xx11vnc/misc/enhanced_tightvnc_viewer/bin/Darwin.i386/.cpover6
-rwxr-xr-xx11vnc/misc/enhanced_tightvnc_viewer/bin/sshvnc7
-rwxr-xr-xx11vnc/misc/enhanced_tightvnc_viewer/bin/ssvnc289
-rwxr-xr-xx11vnc/misc/enhanced_tightvnc_viewer/bin/ssvnc_cmd286
-rwxr-xr-xx11vnc/misc/enhanced_tightvnc_viewer/bin/tsvnc7
-rwxr-xr-xx11vnc/misc/enhanced_tightvnc_viewer/bin/util/ss_vncviewer3635
-rwxr-xr-xx11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssvnc.tcl19041
-rw-r--r--x11vnc/misc/enhanced_tightvnc_viewer/bin/util/stunnel-server.conf38
10 files changed, 0 insertions, 23355 deletions
diff --git a/x11vnc/misc/enhanced_tightvnc_viewer/bin/Darwin.Power.Macintosh/.cpover b/x11vnc/misc/enhanced_tightvnc_viewer/bin/Darwin.Power.Macintosh/.cpover
deleted file mode 100755
index 45ec5ae..0000000
--- a/x11vnc/misc/enhanced_tightvnc_viewer/bin/Darwin.Power.Macintosh/.cpover
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-
-cp -p vncviewer.sh vncviewer
-pwd
-ls -l vncviewer.sh vncviewer
-
-(cd ../Darwin.i386; .cpover)
diff --git a/x11vnc/misc/enhanced_tightvnc_viewer/bin/Darwin.Power.Macintosh/vncviewer.sh b/x11vnc/misc/enhanced_tightvnc_viewer/bin/Darwin.Power.Macintosh/vncviewer.sh
deleted file mode 100755
index 92dcefb..0000000
--- a/x11vnc/misc/enhanced_tightvnc_viewer/bin/Darwin.Power.Macintosh/vncviewer.sh
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/bin/sh
-
-# copy "vncviewer.sh" back over to "vncviewer" in case you delete or overwrite it
-# via build.unix. etc
-
-dir=`dirname "$0"`
-
-if [ "X$SSVNC_DYLD_LIBRARY_PATH" != "X" ]; then
- if [ "X$DYLD_LIBRARY_PATH" = "X" ] ; then
- DYLD_LIBRARY_PATH=$SSVNC_DYLD_LIBRARY_PATH
- else
- DYLD_LIBRARY_PATH=$DYLD_LIBRARY_PATH:$SSVNC_DYLD_LIBRARY_PATH
- fi
- export DYLD_LIBRARY_PATH
-fi
-
-if [ "X$DISPLAY" != "X" -a "X$DARWIN_COTVNC" != "X1" ]; then
- "$dir/vncviewer.x11" "$@"
-else
- args=""
- for a in "$@"
- do
- if echo "$a" | grep '^-' > /dev/null; then
- args="$args $a"
- elif echo "$a" | grep ':' > /dev/null; then
- h=`echo "$a" | awk -F: '{print $1}'`
- p=`echo "$a" | awk -F: '{print $2}'`
- if [ "X$p" != "X" ]; then
- if [ $p -lt 5900 ]; then
- p=`expr $p + 5900`
- fi
- fi
- args="$args $h:$p"
- else
- args="$args $a"
- fi
- done
- "$dir/../../MacOSX/Chicken of the VNC.app/Contents/MacOS/Chicken of the VNC" $args
-fi
diff --git a/x11vnc/misc/enhanced_tightvnc_viewer/bin/Darwin.i386/.cpover b/x11vnc/misc/enhanced_tightvnc_viewer/bin/Darwin.i386/.cpover
deleted file mode 100755
index c0080b1..0000000
--- a/x11vnc/misc/enhanced_tightvnc_viewer/bin/Darwin.i386/.cpover
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-
-cp -p ../Darwin.Power.Macintosh/vncviewer.sh .
-cp -p vncviewer.sh vncviewer
-pwd
-ls -l vncviewer.sh vncviewer
diff --git a/x11vnc/misc/enhanced_tightvnc_viewer/bin/sshvnc b/x11vnc/misc/enhanced_tightvnc_viewer/bin/sshvnc
deleted file mode 100755
index a427b42..0000000
--- a/x11vnc/misc/enhanced_tightvnc_viewer/bin/sshvnc
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-#
-# wrapper for SSH_ONLY mode
-#
-PATH=`dirname "$0"`:$PATH; export PATH
-SSVNC_SSH_ONLY=1; export SSVNC_SSH_ONLY
-exec ssvnc -ssh "$@"
diff --git a/x11vnc/misc/enhanced_tightvnc_viewer/bin/ssvnc b/x11vnc/misc/enhanced_tightvnc_viewer/bin/ssvnc
deleted file mode 100755
index 9cd636b..0000000
--- a/x11vnc/misc/enhanced_tightvnc_viewer/bin/ssvnc
+++ /dev/null
@@ -1,289 +0,0 @@
-#!/bin/sh
-#
-# Copyright (c) 2006-2009 by Karl J. Runge <runge@karlrunge.com>
-#
-# ssvnc:
-#
-# A wrapper for ssvnc_cmd using a tcl/tk gui.
-#
-# See ssvnc_cmd for details.
-#
-if [ "X$1" = "X-help" -o "X$1" = "X-h" ]; then
- cat << END
-ssvnc - a GUI wrapper for SSL and SSH VNC connections.
-
-SYNOPSIS
- ssvnc
- ssvnc [host][:display]
- ssvnc [saved-profile-name]
- ssvnc [options] [host-or-profile]
- ssvnc -cmd [ssvnc_cmd-args]
- ssvnc --help
-
-DESCRIPTION
- ssvnc is a tcl/tk gui wrapper that runs on Unix, MacOSX, and Windows.
- It sets up an SSL or SSH tunnel to the remote VNC Server and then
- launches the VNC viewer (either the one provided or another one that
- you have specified) to use that encrypted tunnel to connect to the VNC
- Server. The use of Proxies and Gateways to make the connections is
- implemented.
-
-OPTIONS
- -help, -h Print this help.
-
- --help Starts up the GUI as though the 'Help' button was pressed to
- show the main Help panel.
-
- -cmd [ssvnc_cmd-args]
- Launch the ssvnc_cmd utility command directly (no GUI) with the
- given arguments (for use when ssvnc_cmd is not in one's PATH.)
- If neither ssvnc_cmd nor ssvncviewer is in PATH, one can launch
- the viewer directly via: ssvnc -cmd -viewer [viewer-args]
-
- -profiles
- List the saved SSVNC profiles you have created. A profile is a
- destination host with specific parameter settings.
-
- -list Same as -profiles
-
- -ssh Start in "SSH Only Mode". No SSL aspects are shown. Same as
- running the command sshvnc
-
- -ts Start in "Terminal Services Mode". This is like "SSH Only
- Mode", but simpler and assumes x11vnc is available on the remote
- side to start and manage X and VNC sessions. Same as running
- the command tsvnc
-
- -tso Same as -ts "Terminal Services Mode", however never let the user
- leave this mode (no button to switch modes is provided.) Same
- as SSVNC_TS_ALWAYS=1.
-
- -ssl Force the full GUI Mode: both SSL and SSH. This is the default.
- Same as -ss.
-
- -nv Toggle the "Verify All Certs" button to be off at startup.
-
- -nvb Never show the "Verify All Certs" button. Same as SSVNC_NO_VER-
- IFY_ALL_BUTTON=1.
-
- -bigger
- Make the Profile Selection Dialog window bigger. Same as
- SSVNC_BIGGER_DIALOG=1.
-
- -noenc Start off in a mode where a 'No Encryption' check button is
- present. You can toggle the mode with Ctrl-E. Same as
- SSVNC_DISABLE_ENCRYPTION_BUTTON=1. Or noenc=1 in ~/.ssvncrc.
- Selecting no encryption is the same as the vnc:// and Vnc://
- prefixes described below. The -noenc mode is now the default,
- use -enc or noenc=0 for the opposite behavior.
-
- -killstunnel
- On Windows, automatically terminate the STUNNEL process when the
- viewer exits instead of prompting you (same as killstunnel=1 in
- ssvnc_rc or toggle in Options menu)
-
- -nokillstunnel
- On Windows, disable -killstunnel mode. Same as killstunnel=0 in
- ssvnc_rc or toggle in Options menu. Note that -killstunnel mode
- is now the default.
-
- -mycert /path/to/mycert.pem
- Set the default "MyCert" to be /path/to/mycert.pem. Same as
- -cert. If the file does not exist, ~/.vnc/certs is prefixed and
- tried. You can also set mycert=/path/to/mycert.pem in ~/.ssvncrc
-
- -cacert /path/to/cacert.crt
- Set the default "ServerCert" to be /path/to/cacert.crt. Same as
- -ca. If the file does not exist, ~/.vnc/certs is prefixed and
- tried. You can also set cacert=/path/to/cacert.crt in ~/.ssvncrc
-
- -crl /path/to/mycrl.pem
- Set the default Certificate Revocation List to be
- /path/to/mycrl.pem. If the file does not exist, ~/.vnc/certs is
- prefixed and tried. You can also set crl=/path/to/mycrl.pem in
- ~/.ssvncrc.
-END
- exit 0
-fi
-if [ "X$1" = "X-ssh" ]; then
- if [ "X$2" = "X-help" -o "X$2" = "X-h" ]; then
- cat << END
-sshvnc - a GUI wrapper for SSH VNC connections.
-
-SYNOPSIS
- sshvnc
- sshvnc [host][:display]
- sshvnc [saved-profile-name]
- sshvnc [options] [host-or-profile]
- sshvnc --help
-
-See 'ssvnc $2' and 'ssvnc --help' for more information.
-END
- exit 0
- fi
-fi
-
-if [ "X$1" = "X-ts" -o "X$1" = "X-tso" ]; then
- if [ "X$2" = "X-help" -o "X$2" = "X-h" ]; then
- cat << END
-tsvnc - a GUI wrapper for SSH VNC connections using x11vnc Terminal Services.
-
-SYNOPSIS
- tsvnc
- tsvnc [host][:display]
- tsvnc [saved-profile-name]
- tsvnc [options] [host-or-profile]
- tsvnc --help
-
-See 'ssvnc $2' and 'tsvnc --help' for more information.
-END
- exit 0
- fi
-fi
-
-
-if [ "X$XTERM_PRINT" != "X" ]; then
- XTERM_PRINT=""
- cat > /dev/null
-fi
-if [ "X$1" = "X-bg" ]; then
- shift
- $0 "$@" &
- exit 0
-fi
-
-
-PATH=$PATH:/usr/bin:/bin:/usr/bin/X11:/usr/X11R6/bin:/usr/openwin/bin:/usr/sfw/bin:/usr/local/bin
-export PATH
-
-if [ "X$FULLNAME" = "XKarl J. Runge" ]; then
- if [ "X$NOPOPUFIX" = "X" ]; then
- VNCVIEWER_POPUP_FIX=1
- export VNCVIEWER_POPUP_FIX
- fi
- PATH=`echo "$PATH" | sed -e 's,runge/bin/override,-------------,'`
-fi
-
-if [ "X$WISH" = "X" ]; then
- WISH=wish
- for try in wish8.4 wish wish8.3 wish8.5 wish8.6
- do
- if type $try > /dev/null 2>&1; then
- WISH=$try
- break
- fi
- done
- export WISH
-fi
-
-
-SSVNC_GUI_CMD="$0 $*"
-export SSVNC_GUI_CMD
-SSVNC_LAUNCH=$SSVNC_GUI_CMD
-export SSVNC_LAUNCH
-
-# work out os.arch platform string and check for binaries:
-#
-name=$UNAME
-if [ "X$name" = "X" ]; then
- name=`uname -sm | sed -e 's/ /./g' -e 's,/.*,,' -e 's/Linux\.i.86/Linux.i686/'`
-fi
-
-dL="-L"
-if uname -sr | egrep 'SunOS 5\.[5-8]' > /dev/null; then
- dL="-h"
-fi
-
-f="$0"
-for t in 1 2 3 4 5
-do
- if [ $dL "$f" ]; then
- f0="$f"
- f=`ls -l "$f" | sed -e 's/^.* -> //'`
- if echo "$f" | grep '^/' > /dev/null; then
- :
- else
- f="`dirname "$f0"`/$f"
- fi
- else
- break
- fi
-done
-dir=`dirname "$f"`
-PATH="$dir:$PATH"
-
-nearby=0
-if [ -x "$dir/vncviewer" -a -x "$dir/stunnel" ]; then
- nearby=1
-fi
-if [ "X$name" = "X." ]; then
- :
- #type vncviewer
- #type stunnel
-elif [ ! -d "$dir/$name" -a $nearby = 0 ]; then
- echo
- echo "Cannot find platform dir for your OS `uname -sm`:"
- echo
- echo " $dir/$name"
- echo
- PATH=$PATH:/usr/sbin:/usr/local/sbin:/dist/sbin
-
- quit=0
- if type vncviewer >/dev/null 2>/dev/null; then
- :
- else
- echo "vncviewer not found in PATH."
- quit=1
- fi
- if type stunnel >/dev/null 2>/dev/null; then
- :
- else
- echo "stunnel not found in PATH."
- quit=1
- fi
- echo
- if [ "X$quit" = "X1" ]; then
- echo "You can set the \$UNAME env. var. to override the OS setting."
- echo "Or, if available, run the ./build.unix script to build it."
- echo "Or install external \"vncviewer\" and \"stunnel\" packages."
- exit 1
- fi
- echo "Using externel \"vncviewer\" and \"stunnel\" found in PATH."
-else
- STUNNEL=stunnel
- #STUNNEL_EXTRA_OPTS=${STUNNEL_EXTRA_OPTS:-"maxconn = 1"}
- #export STUNNEL STUNNEL_EXTRA_OPTS
- SSVNC_VIEWER_INTERNAL=1
- export SSVNC_VIEWER_INTERNAL
-fi
-
-
-# Put our os.arch and other utils dirs at head of PATH to be sure to
-# pick them up:
-#
-PATH="$dir:$dir/$name:$dir/util:$PATH"
-if echo "$dir" | grep '^/' > /dev/null; then
- :
-else
- dir=`pwd`/$dir
- PATH="$dir:$dir/$name:$dir/util:$PATH"
-fi
-
-SSVNC_BASEDIR="$dir"
-export SSVNC_BASEDIR
-SSVNC_BASEDIRNAME="$dir/$name"
-export SSVNC_BASEDIRNAME
-
-if [ -f "$dir/util/ultraftp.jar" ]; then
- SSVNC_ULTRA_FTP_JAR="$dir/util/ultraftp.jar"
- export SSVNC_ULTRA_FTP_JAR
-fi
-
-if [ "X$1" = "X-cmd" -o "X$1" = "X--cmd" ]; then
- shift
- exec ssvnc_cmd "$@"
-elif [ "X$WISH" = "Xwish" ]; then
- exec ssvnc.tcl "$@"
-else
- exec $WISH $dir/util/ssvnc.tcl "$@"
-fi
diff --git a/x11vnc/misc/enhanced_tightvnc_viewer/bin/ssvnc_cmd b/x11vnc/misc/enhanced_tightvnc_viewer/bin/ssvnc_cmd
deleted file mode 100755
index f84eb58..0000000
--- a/x11vnc/misc/enhanced_tightvnc_viewer/bin/ssvnc_cmd
+++ /dev/null
@@ -1,286 +0,0 @@
-#!/bin/sh
-#
-# Copyright (c) 2006-2009 by Karl J. Runge <runge@karlrunge.com>
-#
-# ssvnc_cmd:
-#
-# A wrapper that calls ss_vncviewer to use the enhanced TightVNC viewer.
-#
-# The enhanced TightVNC viewer features are:
-#
-# - SSL support for connections using the co-bundled stunnel program.
-# - rfbNewFBSize VNC support (screen resizing)
-# - cursor alphablending with x11vnc at 32bpp
-# - xgrabserver support for fullscreen mode (for old window mgrs)
-#
-#
-# Your platform (e.g. Linux.i686) is autodetected and enhanced
-# vncviewer and stunnel binaries for it are used (see the ./bin directory).
-#
-# See the build.unix script if your platform is not in this package.
-# You can also set the env. var. UNAME=os.arch to any "os.arch" you want
-# to override the autodetetion.
-#
-# Usage:
-#
-# ssvnc_cmd [ss_vncviewer-args] hostname:N [vncviewer-args]
-#
-# if, instead, this script is named "tightvncviewer" or "-viewer" is the
-# first argument it calls the vncviewer directly (there is no encryption)
-# and must be invoked as:
-#
-# tightvncviewer [vncviewer-args] hostname:N
-# or
-# ssvnc_cmd -viewer [vncviewer-args] hostname:N
-#
-# In both cases, "hostname:N" is the host and VNC display to connect to,
-# e.g. snoopy:0. (-listen N and -appshare N modes works too.)
-#
-# See the script util/ss_vncviewer for details about its arguments:
-#
-# -verify pemfile
-# -mycert pemfile
-# -proxy phost:pport
-# -alpha
-# -grab
-#
-# N.B. if this script is named "tightvncviewer" the vncviewer is called
-# directly, and there won't be any SSL or SSH encryption tunnels.
-#
-# If the *very first* argument is "-cotvnc" then it is assumed you are on
-# Darwin and want to run the Chicken of the VNC viewer via our wrapper.
-#
-#
-# See the TightVNC viewer documentation for on its cmdline arguments.
-#
-# For convenience, here is the TightVNC 1.3dev5 viewer -help output:
-#
-# TightVNC viewer version 1.3dev5
-#
-# Usage: vncviewer [<OPTIONS>] [<HOST>][:<DISPLAY#>]
-# vncviewer [<OPTIONS>] [<HOST>][::<PORT#>]
-# vncviewer [<OPTIONS>] -listen [<DISPLAY#>]
-# vncviewer -help
-#
-# <OPTIONS> are standard Xt options, or:
-# -via <GATEWAY>
-# -shared (set by default)
-# -noshared
-# -viewonly
-# -fullscreen
-# -noraiseonbeep
-# -passwd <PASSWD-FILENAME> (standard VNC authentication)
-# -user <USERNAME> (Unix login authentication)
-# -encodings <ENCODING-LIST> (e.g. "tight copyrect")
-# -bgr233
-# -owncmap
-# -truecolour
-# -depth <DEPTH>
-# -compresslevel <COMPRESS-VALUE> (0..9: 0-fast, 9-best)
-# -quality <JPEG-QUALITY-VALUE> (0..9: 0-low, 9-high)
-# -nojpeg
-# -nocursorshape
-# -x11cursor
-# -autopass
-#
-# Option names may be abbreviated, e.g. -bgr instead of -bgr233.
-# See the manual page for more information.
-#
-# Note: the enhanced tightvnc viewer (SSVNC) has many more options, run
-# this script as "ssvnc_cmd Vnc://a:0 -help" or "tightvncviewer -help"
-# to seem them.
-
-if [ "X$1" = "X-h" -o "X$1" = "X-helpxxx" -o "X$1" = "X--help" ]; then
- tail -n +2 "$0" | sed -e '/^$/ q' -e 's/^#//'
- exit
-fi
-
-# Include /usr/bin... to be sure to get regular utilities:
-#
-PATH=$PATH:/usr/bin:/bin
-export PATH
-
-if [ "X$FULLNAME" = "XKarl J. Runge" ]; then
- if [ "X$NOPOPUFIX" = "X" ]; then
- VNCVIEWER_POPUP_FIX=1
- export VNCVIEWER_POPUP_FIX
- fi
- PATH=`echo "$PATH" | sed -e 's,runge/bin/override,-------------,'`
-fi
-
-# Set this for ss_vncviewer to pick up:
-#
-if [ "X$1" = "X-cotvnc" ]; then
- shift
- DARWIN_COTVNC=1
- export DARWIN_COTVNC
-elif [ "X$DARWIN_COTVNC" = "X" -a "X$DISPLAY" = "X" ]; then
- uname=`uname`
- if [ "X$uname" = "XDarwin" ]; then
- DARWIN_COTVNC=1
- export DARWIN_COTVNC
- fi
-fi
-
-use_ours=0
-if [ "X$VNCVIEWERCMD" = "X" ]; then
- VNCVIEWERCMD="vncviewer"
- export VNCVIEWERCMD
- if [ "X$DARWIN_COTVNC" != "X1" ]; then
- use_ours=1
- fi
-fi
-
-# work out os.arch platform string and check for binaries:
-#
-name=$UNAME
-if [ "X$name" = "X" ]; then
- name=`uname -sm | sed -e 's/ /./g' -e 's,/.*,,' -e 's/Linux\.i.86/Linux.i686/'`
-fi
-
-dL="-L"
-if uname -sr | egrep 'SunOS 5\.[5-8]' > /dev/null; then
- dL="-h"
-fi
-
-f="$0"
-for t in 1 2 3 4 5 6
-do
- if [ $dL "$f" ]; then
- f0="$f"
- f=`ls -l "$f" | sed -e 's/^.* -> //'`
- if echo "$f" | grep '^/' > /dev/null; then
- :
- else
- f="`dirname "$f0"`/$f"
- fi
- else
- break
- fi
-done
-dir=`dirname "$f"`
-PATH="$dir:$PATH"
-SSVNC_BASEDIR="$dir"
-export SSVNC_BASEDIR
-SSVNC_BASEDIRNAME="$dir/$name"
-export SSVNC_BASEDIRNAME
-SSVNC_UNAME="$name"
-export SSVNC_UNAME
-
-nearby=0
-if [ -x "$dir/vncviewer" -a -x "$dir/stunnel" ]; then
- nearby=1
-fi
-if [ "X$name" = "X." ]; then
- :
- #type vncviewer
- #type stunnel
-elif [ ! -d "$dir/$name" -a $nearby = 0 ]; then
- echo
- echo "Cannot find platform dir for your OS `uname -sm`:"
- echo
- echo " $dir/$name"
- echo
- PATH=$PATH:/usr/sbin:/usr/local/sbin:/dist/sbin
-
- quit=0
- if type vncviewer >/dev/null 2>/dev/null; then
- :
- else
- echo "vncviewer not found in PATH."
- quit=1
- fi
- if type stunnel >/dev/null 2>/dev/null; then
- :
- else
- echo "stunnel not found in PATH."
- quit=1
- fi
- echo
- if [ "X$quit" = "X1" ]; then
- echo "You can set the \$UNAME env. var. to override the OS setting."
- echo "Or, if available, run the ./build.unix script to build it."
- echo "Or install external \"vncviewer\" and \"stunnel\" packages."
- exit 1
- fi
- echo "Using externel \"vncviewer\" and \"stunnel\" found in PATH."
-
-else
- STUNNEL=stunnel
- #STUNNEL_EXTRA_OPTS=${STUNNEL_EXTRA_OPTS:-"maxconn = 1"}
- #export STUNNEL STUNNEL_EXTRA_OPTS
- SSVNC_VIEWER_INTERNAL=1
- export SSVNC_VIEWER_INTERNAL
-fi
-
-if [ "X$DARWIN_COTVNC" != "X1" -a "X$VNCVIEWERCMD" = "Xvncviewer" ]; then
- hstr=`$VNCVIEWERCMD -h 2>&1 | head -5`
- if echo "$hstr" | grep 'SSVNC.*TightVNC.*version 1\.3' > /dev/null; then
- # we need to avoid raw encoding
- use_ours=1
- fi
-fi
-
-# Put our os.arch and other utils dirs at head of PATH to be sure to
-# pick them up:
-#
-PATH="$dir:$dir/$name:$dir/util:$PATH"
-if echo "$dir" | grep '^/' > /dev/null; then
- :
-else
- dir=`pwd`/$dir
- PATH="$dir:$dir/$name:$dir/util:$PATH"
-fi
-
-if [ -f "$dir/util/ultraftp.jar" ]; then
- SSVNC_ULTRA_FTP_JAR="$dir/util/ultraftp.jar"
- export SSVNC_ULTRA_FTP_JAR
-fi
-
-base=`basename "$0"`
-if [ "X$1" = "X-ssl" ]; then
- shift
- base="ssvnc_cmd"
-fi
-
-do_viewer_directly=""
-if [ "X$1" = "X-viewer" ]; then
- do_viewer_directly=1
- shift
-fi
-if [ "X$base" = "Xtightvncviewer" ]; then
- do_viewer_directly=1
-fi
-
-# If ours (and not cotvnc), force the use of tight encoding for localhost
-# redir connection:
-#
-#
-if [ $use_ours = 1 ]; then
- # avoid system vncviewer app-defaults
- #XFILESEARCHPATH="/tmp/path/nowhere"; export XFILESEARCHPATH
-
- SSVNC_USE_OURS=1; export SSVNC_USE_OURS
-
- if [ "X$SSVNC_TURBOVNC" != "X" ]; then
- if echo "$VNCVIEWERCMD" | grep '\.turbovnc' > /dev/null; then
- :
- else
- if type "$VNCVIEWERCMD.turbovnc" > /dev/null 2>/dev/null; then
- VNCVIEWERCMD="$VNCVIEWERCMD.turbovnc"
- fi
- fi
- fi
-
- if [ "X$do_viewer_directly" = "X1" ]; then
- $VNCVIEWERCMD -encodings 'copyrect tight zrle zlib hextile' "$@"
- else
- ss_vncviewer "$@" -encodings 'copyrect tight zrle zlib hextile'
- fi
-else
- if [ "X$do_viewer_directly" = "X1" ]; then
- $VNCVIEWERCMD "$@"
- else
- ss_vncviewer "$@"
- fi
-fi
diff --git a/x11vnc/misc/enhanced_tightvnc_viewer/bin/tsvnc b/x11vnc/misc/enhanced_tightvnc_viewer/bin/tsvnc
deleted file mode 100755
index acf55c6..0000000
--- a/x11vnc/misc/enhanced_tightvnc_viewer/bin/tsvnc
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-#
-# wrapper for TS_ONLY mode
-#
-PATH=`dirname "$0"`:$PATH; export PATH
-SSVNC_TS_ONLY=1; export SSVNC_TS_ONLY
-exec ssvnc -ts "$@"
diff --git a/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ss_vncviewer b/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ss_vncviewer
deleted file mode 100755
index b0245af..0000000
--- a/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ss_vncviewer
+++ /dev/null
@@ -1,3635 +0,0 @@
-#!/bin/sh
-#
-# ss_vncviewer: wrapper for vncviewer to use an stunnel SSL tunnel
-# or an SSH tunnel.
-#
-# Copyright (c) 2006-2009 by Karl J. Runge <runge@karlrunge.com>
-#
-# ss_vncviewer is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or (at
-# your option) any later version.
-#
-# ss_vncviewer is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with ss_vncviewer; if not, write to the Free Software
-# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
-# or see <http://www.gnu.org/licenses/>.
-#
-#
-# You must have stunnel(8) installed on the system and in your PATH
-# (however, see the -ssh option below, in which case you will need ssh(1)
-# installed) Note: stunnel is usually installed in an "sbin" subdirectory.
-#
-# You should have "x11vnc -ssl ..." or "x11vnc -stunnel ..."
-# already running as the VNC server on the remote machine.
-# (or use stunnel on the server side for any other VNC server)
-#
-#
-# Usage: ss_vncviewer [cert-args] host:display <vncviewer-args>
-#
-# e.g.: ss_vncviewer snoopy:0
-# ss_vncviewer snoopy:0 -encodings "copyrect tight zrle hextile"
-#
-# [cert-args] can be:
-#
-# -verify /path/to/cacert.pem
-# -mycert /path/to/mycert.pem
-# -crl /path/to/my_crl.pem (or directory)
-# -proxy host:port
-#
-# -verify specifies a CA cert PEM file (or a self-signed one) for
-# authenticating the VNC server.
-#
-# -mycert specifies this client's cert+key PEM file for the VNC server to
-# authenticate this client.
-#
-# -proxy try host:port as a Web proxy to use the CONNECT method
-# to reach the VNC server (e.g. your firewall requires a proxy).
-#
-# For the "double proxy" case use -proxy host1:port1,host2:port2
-# (the first CONNECT is done through host1:port1 to host2:port2
-# and then a 2nd CONNECT to the destination VNC server.)
-#
-# Use socks://host:port, socks4://host:port, or socks5://host,port
-# to force usage of a SOCKS proxy. Also repeater://host:port and
-# sslrepeater://host:port.
-#
-# -showcert Only fetch the certificate using the 'openssl s_client'
-# command (openssl(1) must in installed). On ssvnc 1.0.27 and
-# later the bundled command 'ultravnc_dsm_helper' is used.
-#
-# See http://www.karlrunge.com/x11vnc/faq.html#faq-ssl-ca for details on
-# SSL certificates with VNC.
-#
-# A few other args (not related to SSL and certs):
-#
-# -2nd Run the vncviewer a 2nd time if the first connections fails.
-#
-# -ssh Use ssh instead of stunnel SSL. ssh(1) must be installed and you
-# must be able to log into the remote machine via ssh.
-#
-# In this case "host:display" may be of the form "user@host:display"
-# where "user@host" is used for the ssh login (see ssh(1) manpage).
-#
-# If -proxy is supplied it can be of the forms: "gwhost" "gwhost:port"
-# "user@gwhost" or "user@gwhost:port". "gwhost" is an incoming ssh
-# gateway machine (the VNC server is not running there), an ssh -L
-# redir is used to "host" in "host:display" from "gwhost". Any "user@"
-# part must be in the -proxy string (not in "host:display").
-#
-# Under -proxy use "gwhost:port" if connecting to any ssh port
-# other than the default (22). (even for the non-gateway case,
-# -proxy must be used to specify a non-standard ssh port)
-#
-# A "double ssh" can be specified via a -proxy string with the two
-# hosts separated by a comma:
-#
-# [user1@]host1[:port1],[user2@]host2[:port2]
-#
-# in which case a ssh to host1 and thru it via a -L redir a 2nd
-# ssh is established to host2.
-#
-# Examples:
-#
-# ss_vncviewer -ssh bob@bobs-home.net:0
-# ss_vncviewer -ssh -sshcmd 'x11vnc -localhost' bob@bobs-home.net:0
-#
-# ss_vncviewer -ssh -proxy fred@mygate.com:2022 mymachine:0
-# ss_vncviewer -ssh -proxy bob@bobs-home.net:2222 localhost:0
-#
-# ss_vncviewer -ssh -proxy fred@gw-host,fred@peecee localhost:0
-#
-# -sshcmd cmd Run "cmd" via ssh instead of the default "sleep 15"
-# e.g. -sshcmd 'x11vnc -display :0 -localhost -rfbport 5900'
-#
-# -sshargs "args" pass "args" to the ssh process, e.g. -L/-R port redirs.
-#
-# -sshssl Tunnel the SSL connection thru a SSH connection. The tunnel as
-# under -ssh is set up and the SSL connection goes thru it. Use
-# this if you want to have and end-to-end SSL connection but must
-# go thru a SSH gateway host (e.g. not the vnc server). Or use
-# this if you need to tunnel additional services via -R and -L
-# (see -sshargs above).
-#
-# ss_vncviewer -sshssl -proxy fred@mygate.com mymachine:0
-#
-# -listen (or -reverse) set up a reverse connection.
-#
-# -alpha turn on cursor alphablending hack if you are using the
-# enhanced tightvnc vncviewer.
-#
-# -grab turn on XGrabServer hack if you are using the enhanced tightvnc
-# vncviewer (e.g. for fullscreen mode in some windowmanagers like
-# fvwm that do not otherwise work in fullscreen mode)
-#
-#
-# set VNCVIEWERCMD to whatever vncviewer command you want to use.
-#
-VNCIPCMD=${VNCVIEWERCMD:-vncip}
-VNCVIEWERCMD=${VNCVIEWERCMD:-vncviewer}
-if [ "X$SSVNC_TURBOVNC" != "X" ]; then
- if echo "$VNCVIEWERCMD" | grep '\.turbovnc' > /dev/null; then
- :
- else
- if type "$VNCVIEWERCMD.turbovnc" > /dev/null 2>/dev/null; then
- VNCVIEWERCMD="$VNCVIEWERCMD.turbovnc"
- fi
- fi
-fi
-#
-# Same for STUNNEL, e.g. set it to /path/to/stunnel or stunnel4, etc.
-#
-
-# turn on verbose debugging output
-if [ "X$SS_DEBUG" != "X" -a "X$SS_DEBUG" != "X0" ]; then
- set -xv
-fi
-
-PATH=$PATH:/usr/sbin:/usr/local/sbin:/dist/sbin; export PATH
-
-localhost="localhost"
-if uname | grep Darwin >/dev/null; then
- localhost="127.0.0.1"
-fi
-
-# work out which stunnel to use (debian installs as stunnel4)
-stunnel_set_here=""
-if [ "X$STUNNEL" = "X" ]; then
- check_stunnel=1
- if [ "X$SSVNC_BASEDIRNAME" != "X" ]; then
- if [ -x "$SSVNC_BASEDIRNAME/stunnel" ]; then
- type stunnel > /dev/null 2>&1
- if [ $? = 0 ]; then
- # found ours
- STUNNEL=stunnel
- check_stunnel=0
- fi
- fi
- fi
- if [ "X$check_stunnel" = "X1" ]; then
- type stunnel4 > /dev/null 2>&1
- if [ $? = 0 ]; then
- STUNNEL=stunnel4
- else
- STUNNEL=stunnel
- fi
- fi
- stunnel_set_here=1
-fi
-
-help() {
- tail -n +2 "$0" | sed -e '/^$/ q'
-}
-
-secondtry=""
-gotalpha=""
-use_ssh=""
-use_sshssl=""
-direct_connect=""
-ssh_sleep=15
-
-# sleep longer in -listen mode:
-if echo "$*" | grep '.*-listen' > /dev/null; then
- ssh_sleep=1800
-fi
-
-
-ssh_cmd=""
-# env override of ssh_cmd:
-if [ "X$SS_VNCVIEWER_SSH_CMD" != "X" ]; then
- ssh_cmd="$SS_VNCVIEWER_SSH_CMD"
-fi
-
-ssh_args=""
-showcert=""
-reverse=""
-
-ciphers=""
-anondh="ALL:RC4+RSA:+SSLv2:@STRENGTH"
-anondh_set=""
-stunnel_debug="6"
-if [ "X$SS_DEBUG" != "X" -o "X$SSVNC_VENCRYPT_DEBUG" != "X" -o "X$SSVNC_STUNNEL_DEBUG" != "X" ]; then
- stunnel_debug="7"
-fi
-
-if [ "X$1" = "X-viewerflavor" ]; then
- # special case, try to guess which viewer:
- #
- if echo "$VNCVIEWERCMD" | egrep -i '^(xmessage|sleep )' > /dev/null; then
- echo "unknown"
- exit 0
- fi
- if echo "$VNCVIEWERCMD" | grep -i chicken.of > /dev/null; then
- echo "cotvnc"
- exit 0
- fi
- if echo "$VNCVIEWERCMD" | grep -i ultra > /dev/null; then
- echo "ultravnc"
- exit 0
- fi
- # OK, run it for help output...
- str=`$VNCVIEWERCMD -h 2>&1 | head -n 5`
- if echo "$str" | grep -i 'TightVNC.viewer' > /dev/null; then
- echo "tightvnc"
- elif echo "$str" | grep -i 'VNC viewer version 3' > /dev/null; then
- echo "realvnc3"
- elif echo "$str" | grep -i 'VNC viewer .*Edition 4' > /dev/null; then
- echo "realvnc4"
- elif echo "$str" | grep -i 'RealVNC.Ltd' > /dev/null; then
- echo "realvnc4"
- else
- echo "unknown"
- fi
- exit 0
-fi
-if [ "X$1" = "X-viewerhelp" ]; then
- $VNCVIEWERCMD -h 2>&1
- exit 0
-fi
-
-# grab our cmdline options:
-while [ "X$1" != "X" ]
-do
- case $1 in
- "-verify") shift; verify="$1"
- ;;
- "-mycert") shift; mycert="$1"
- ;;
- "-crl") shift; crl="$1"
- ;;
- "-proxy") shift; proxy="$1"
- ;;
- "-ssh") use_ssh=1
- ;;
- "-sshssl") use_ssh=1
- use_sshssl=1
- ;;
- "-sshcmd") shift; ssh_cmd="$1"
- ;;
- "-sshargs") shift; ssh_args="$1"
- ;;
- "-anondh") ciphers="ciphers=$anondh"
- ULTRAVNC_DSM_HELPER_SHOWCERT_ADH=1
- export ULTRAVNC_DSM_HELPER_SHOWCERT_ADH
- anondh_set=1
- ;;
- "-ciphers") shift; ciphers="ciphers=$1"
- ;;
- "-alpha") gotalpha=1
- ;;
- "-showcert") showcert=1
- ;;
- "-listen") reverse=1
- ;;
- "-reverse") reverse=1
- ;;
- "-2nd") secondtry=1
- ;;
- "-grab") VNCVIEWER_GRAB_SERVER=1; export VNCVIEWER_GRAB_SERVER
- ;;
- "-x11cursor") VNCVIEWER_X11CURSOR=1; export VNCVIEWER_X11CURSOR
- ;;
- "-rawlocal") VNCVIEWER_RAWLOCAL=1; export VNCVIEWER_RAWLOCAL
- ;;
- "-scale") shift; SSVNC_SCALE="$1"; export SSVNC_SCALE
- ;;
- "-onelisten") SSVNC_LISTEN_ONCE=1; export SSVNC_LISTEN_ONCE
- ;;
- "-sendclipboard") VNCVIEWER_SEND_CLIPBOARD=1; export VNCVIEWER_SEND_CLIPBOARD
- ;;
- "-sendalways") VNCVIEWER_SEND_ALWAYS=1; export VNCVIEWER_SEND_ALWAYS
- ;;
- "-recvtext") shift; VNCVIEWER_RECV_TEXT="$1"; export VNCVIEWER_RECV_TEXT
- ;;
- "-escape") shift; VNCVIEWER_ESCAPE="$1"; export VNCVIEWER_ESCAPE
- ;;
- "-ssvnc_encodings") shift; VNCVIEWER_ENCODINGS="$1"; export VNCVIEWER_ENCODINGS
- ;;
- "-ssvnc_extra_opts") shift; VNCVIEWERCMD_EXTRA_OPTS="$1"; export VNCVIEWERCMD_EXTRA_OPTS
- ;;
- "-rfbversion") shift; VNCVIEWER_RFBVERSION="$1"; export VNCVIEWER_RFBVERSION
- ;;
- "-nobell") VNCVIEWER_NOBELL=1; export VNCVIEWER_NOBELL
- ;;
- "-popupfix") VNCVIEWER_POPUP_FIX=1; export VNCVIEWER_POPUP_FIX
- ;;
- "-realvnc4") VNCVIEWER_IS_REALVNC4=1; export VNCVIEWER_IS_REALVNC4
- ;;
- "-h"*) help; exit 0
- ;;
- "--h"*) help; exit 0
- ;;
- *) break
- ;;
- esac
- shift
-done
-
-# maxconn is something we added to stunnel, this disables it:
-if [ "X$SS_VNCVIEWER_NO_MAXCONN" != "X" ]; then
- STUNNEL_EXTRA_OPTS=`echo "$STUNNEL_EXTRA_OPTS" | sed -e 's/maxconn/#maxconn/'`
-elif echo "$VNCVIEWERCMD" | egrep -i '^(xmessage|sleep )' > /dev/null; then
- STUNNEL_EXTRA_OPTS=`echo "$STUNNEL_EXTRA_OPTS" | sed -e 's/maxconn/#maxconn/'`
-elif [ "X$reverse" != "X" ]; then
- STUNNEL_EXTRA_OPTS=`echo "$STUNNEL_EXTRA_OPTS" | sed -e 's/maxconn/#maxconn/'`
-else
- # new way (our patches). other than the above, we set these:
- if [ "X$SKIP_STUNNEL_ONCE" = "X" ]; then
- STUNNEL_ONCE=1; export STUNNEL_ONCE
- fi
- if [ "X$SKIP_STUNNEL_MAX_CLIENTS" = "X" ]; then
- STUNNEL_MAX_CLIENTS=1; export STUNNEL_MAX_CLIENTS
- fi
-fi
-# always set this one:
-if [ "X$SKIP_STUNNEL_NO_SYSLOG" = "X" ]; then
- STUNNEL_NO_SYSLOG=1; export STUNNEL_NO_SYSLOG
-fi
-
-# this is the -t ssh option (gives better keyboard response thru SSH tunnel)
-targ="-t"
-if [ "X$SS_VNCVIEWER_NO_T" != "X" ]; then
- targ=""
-fi
-
-# set the alpha blending env. hack:
-if [ "X$gotalpha" = "X1" ]; then
- VNCVIEWER_ALPHABLEND=1
- export VNCVIEWER_ALPHABLEND
-else
- NO_ALPHABLEND=1
- export NO_ALPHABLEND
-fi
-
-if [ "X$reverse" != "X" ]; then
- ssh_sleep=1800
- if [ "X$proxy" != "X" ]; then
- # check proxy usage under reverse connection:
- if [ "X$use_ssh" = "X" -a "X$use_sshssl" = "X" ]; then
- echo ""
- if echo "$proxy" | egrep -i "(repeater|vencrypt)://" > /dev/null; then
- :
- else
- echo "*Warning*: SSL -listen and a Web proxy does not make sense."
- sleep 2
- fi
- elif echo "$proxy" | grep "," > /dev/null; then
- :
- else
- echo ""
- echo "*Warning*: -listen and a single proxy/gateway does not make sense."
- sleep 2
- fi
-
- # we now try to PPROXY_LOOP_THYSELF, set this var to disable that.
- #SSVNC_LISTEN_ONCE=1; export SSVNC_LISTEN_ONCE
- fi
-fi
-if [ "X$ssh_cmd" = "X" ]; then
- # if no remote ssh cmd, sleep a bit:
- ssh_cmd="sleep $ssh_sleep"
-fi
-
-# this should be a host:display:
-#
-orig="$1"
-shift
-
-dL="-L"
-if uname -sr | egrep 'SunOS 5\.[5-8]' > /dev/null; then
- dL="-h"
-fi
-
-have_uvnc_dsm_helper_showcert=""
-if [ "X$showcert" = "X1" -a "X$SSVNC_USE_S_CLIENT" = "X" -a "X$reverse" = "X" ]; then
- if type ultravnc_dsm_helper >/dev/null 2>&1; then
- if ultravnc_dsm_helper -help 2>&1 | grep -w showcert >/dev/null; then
- have_uvnc_dsm_helper_showcert=1
- fi
- fi
-fi
-have_uvnc_dsm_helper_ipv6=""
-if [ "X$SSVNC_ULTRA_DSM" != "X" ]; then
- if type ultravnc_dsm_helper >/dev/null 2>&1; then
- if ultravnc_dsm_helper -help 2>&1 | grep -iw ipv6 >/dev/null; then
- have_uvnc_dsm_helper_ipv6=1
- fi
- fi
-fi
-
-rchk() {
- # a kludge to set $RANDOM if we are not bash:
- if [ "X$BASH_VERSION" = "X" ]; then
- RANDOM=`date +%S``sh -c 'echo $$'``ps -elf 2>&1 | sum 2>&1 | awk '{print $1}'`
- fi
-}
-rchk
-
-# a portable, but not absolutely safe, tmp file creator
-mytmp() {
- tf=$1
- if type mktemp > /dev/null 2>&1; then
- # if we have mktemp(1), use it:
- tf2="$tf.XXXXXX"
- tf2=`mktemp "$tf2"`
- if [ "X$tf2" != "X" -a -f "$tf2" ]; then
- if [ "X$DEBUG_MKTEMP" != "X" ]; then
- echo "mytmp-mktemp: $tf2" 1>&2
- fi
- echo "$tf2"
- return
- fi
- fi
- # fallback to multiple cmds:
- rm -rf "$tf" || exit 1
- if [ -d "$tf" ]; then
- echo "tmp file $tf still exists as a directory."
- exit 1
- elif [ $dL "$tf" ]; then
- echo "tmp file $tf still exists as a symlink."
- exit 1
- elif [ -f "$tf" ]; then
- echo "tmp file $tf still exists."
- exit 1
- fi
- touch "$tf" || exit 1
- chmod 600 "$tf" || exit 1
- rchk
- if [ "X$DEBUG_MKTEMP" != "X" ]; then
- echo "mytmp-touch: $tf" 1>&2
- fi
- echo "$tf"
-}
-
-# set up special case of ultravnc single click III mode:
-if echo "$proxy" | egrep "^sslrepeater://" > /dev/null; then
- pstr=`echo "$proxy" | sed -e 's,sslrepeater://,,'`
- pstr1=`echo "$pstr" | sed -e 's/+.*$//'`
- pstr2=`echo "$pstr" | sed -e 's/^[^+]*+//'`
- SSVNC_REPEATER="SCIII=$pstr2"; export SSVNC_REPEATER
- orig=$pstr1
- echo
- echo "reset: SSVNC_REPEATER=$SSVNC_REPEATER orig=$orig proxy=''"
- proxy=""
-fi
-if echo "$proxy" | egrep "vencrypt://" > /dev/null; then
- vtmp="/tmp/ss_handshake${RANDOM}.$$.txt"
- vtmp=`mytmp "$vtmp"`
- SSVNC_PREDIGESTED_HANDSHAKE="$vtmp"
- export SSVNC_PREDIGESTED_HANDSHAKE
- if [ "X$SSVNC_USE_OURS" = "X" ]; then
- NEED_VENCRYPT_VIEWER_BRIDGE=1
- fi
-fi
-if [ "X$SSVNC_USE_OURS" = "X" ]; then
- VNCVIEWERCMD_EXTRA_OPTS=""
-fi
-
-
-# check -ssh and -mycert/-verify conflict:
-if [ "X$use_ssh" = "X1" -a "X$use_sshssl" = "X" ]; then
- if [ "X$mycert" != "X" -o "X$verify" != "X" ]; then
- echo "-mycert and -verify cannot be used in -ssh mode"
- exit 1
- fi
-fi
-
-# direct mode Vnc:// means show no warnings.
-# direct mode vnc:// will show warnings.
-if echo "$orig" | grep '^V[Nn][Cc]://' > /dev/null; then
- SSVNC_NO_ENC_WARN=1
- export SSVNC_NO_ENC_WARN
- orig=`echo "$orig" | sed -e 's/^...:/vnc:/'`
-fi
-
-# interprest the pseudo URL proto:// strings:
-if echo "$orig" | grep '^vnc://' > /dev/null; then
- orig=`echo "$orig" | sed -e 's,vnc://,,'`
- verify=""
- mycert=""
- crl=""
- use_ssh=""
- use_sshssl=""
- direct_connect=1
-elif echo "$orig" | grep '^vncs://' > /dev/null; then
- orig=`echo "$orig" | sed -e 's,vncs://,,'`
-elif echo "$orig" | grep '^vncssl://' > /dev/null; then
- orig=`echo "$orig" | sed -e 's,vncssl://,,'`
-elif echo "$orig" | grep '^vnc+ssl://' > /dev/null; then
- orig=`echo "$orig" | sed -e 's,vnc.ssl://,,'`
-elif echo "$orig" | grep '^vncssh://' > /dev/null; then
- orig=`echo "$orig" | sed -e 's,vncssh://,,'`
- use_ssh=1
-elif echo "$orig" | grep '^vnc+ssh://' > /dev/null; then
- orig=`echo "$orig" | sed -e 's,vnc.ssh://,,'`
- use_ssh=1
-fi
-
-if [ "X$SSVNC_ULTRA_DSM" != "X" ]; then
- verify=""
- mycert=""
- crl=""
- use_ssh=""
- use_sshssl=""
- direct_connect=1
- if echo "$SSVNC_ULTRA_DSM" | grep 'noultra:' > /dev/null; then
- SSVNC_NO_ULTRA_DSM=1; export SSVNC_NO_ULTRA_DSM
- fi
-fi
-
-# rsh mode is an internal/secret thing only I use.
-rsh=""
-if echo "$orig" | grep '^rsh://' > /dev/null; then
- use_ssh=1
- rsh=1
- orig=`echo "$orig" | sed -e 's,rsh://,,'`
-elif echo "$orig" | grep '^rsh:' > /dev/null; then
- use_ssh=1
- rsh=1
- orig=`echo "$orig" | sed -e 's,rsh:,,'`
-fi
-
-# play around with host:display port:
-if echo "$orig" | grep ':' > /dev/null; then
- :
-else
- # add or assume :0 if no ':'
- if [ "X$reverse" = "X" ]; then
- orig="$orig:0"
- elif [ "X$orig" = "X" ]; then
- orig=":0"
- fi
-fi
-
-# extract host and disp number:
-
-# try to see if it is ipv6 address:
-ipv6=0
-if echo "$orig" | grep '\[' > /dev/null; then
- # ipv6 [fe80::219:dbff:fee5:3f92%eth1]:5900
- host=`echo "$orig" | sed -e 's/\].*$//' -e 's/\[//'`
- disp=`echo "$orig" | sed -e 's/^.*\]://'`
- ipv6=1
-elif echo "$orig" | grep ':..*:' > /dev/null; then
- # ipv6 fe80::219:dbff:fee5:3f92%eth1:5900
- host=`echo "$orig" | sed -e 's/:[^:]*$//'`
- disp=`echo "$orig" | sed -e 's/^.*://'`
- ipv6=1
-else
- # regular host:port
- host=`echo "$orig" | awk -F: '{print $1}'`
- disp=`echo "$orig" | awk -F: '{print $2}'`
-fi
-
-if [ "X$reverse" != "X" -a "X$STUNNEL_LISTEN" = "X" -a "X$host" != "X" ]; then
- STUNNEL_LISTEN=$host
- echo "set STUNNEL_LISTEN=$STUNNEL_LISTEN"
-fi
-
-if [ "X$host" = "X" ]; then
- host=$localhost
-fi
-
-if [ "X$SSVNC_IPV6" = "X0" ]; then
- # disable checking for it.
- ipv6=0
-#elif [ "X$reverse" != "X" -a "X$ipv6" = "X1" ]; then
-# ipv6=0
-elif [ "X$ipv6" = "X1" ]; then
- :
-elif echo "$host" | grep '^[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$' > /dev/null; then
- :
-else
- # regular hostname, can't be sure...
- gout=""
- if type getent > /dev/null 2>/dev/null; then
- gout=`getent hosts "$host" 2>/dev/null`
- fi
- if echo "$gout" | grep ':.*:' > /dev/null; then
- if echo "$gout" | grep '^[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$' > /dev/null; then
- :
- else
- echo "ipv6: "`echo "$gout" | grep ':.*:' | head -n 1`
- ipv6=1
- fi
- fi
- if [ "X$ipv6" = "X0" ]; then
- hout=""
- if type host > /dev/null 2>/dev/null; then
- host "$host" >/dev/null 2>&1
- host "$host" >/dev/null 2>&1
- hout=`host "$host" 2>/dev/null`
- fi
- if echo "$hout" | grep -i 'has ipv6 address' > /dev/null; then
- if echo "$hout" | grep -i 'has address' > /dev/null; then
- :
- else
- echo "ipv6: "`echo "$hout" | grep -i 'has ipv6 address' | head -n 1`
- ipv6=1
- fi
- fi
- fi
- if [ "X$ipv6" = "X0" ]; then
- dout=""
- if type dig > /dev/null 2>/dev/null; then
- dout=`dig -t any "$host" 2>/dev/null`
- fi
- if echo "$dout" | grep -i "^$host" | grep '[ ]AAAA[ ]' > /dev/null; then
- if echo "$dout" | grep -i "^$host" | grep '[ ]A[ ]' > /dev/null; then
- :
- else
- echo "ipv6: "`echo "$dout" | grep -i '[ ]AAAA[ ]' | head -n 1`
- ipv6=1
- fi
- fi
- fi
- if [ "X$ipv6" = "X0" ]; then
- sout=`env LOOKUP="$host" \
- perl -e ' eval {use Socket}; exit 0 if $@;
- eval {use Socket6}; exit 0 if $@;
- @res = getaddrinfo($ENV{LOOKUP}, "daytime", AF_UNSPEC, SOCK_STREAM);
- $ipv4 = 0;
- $ipv6 = 0;
- $ip6 = "";
- while (scalar(@res) >= 5) {
- ($family, $socktype, $proto, $saddr, $canon, @res) = @res;
- $ipv4 = 1 if $family == AF_INET;
- $ipv6 = 1 if $family == AF_INET6;
- if ($family == AF_INET6 && $ip6 eq "") {
- my ($host, $port) = getnameinfo($saddr, NI_NUMERICHOST | NI_NUMERICSERV);
- $ip6 = $host;
- }
- }
- if (! $ipv4 && $ipv6) {
- print "AF_INET6_ONLY: $ENV{LOOKUP}: $ip6\n";
- }
- exit 0;
- ' 2>/dev/null`
- if echo "$sout" | grep AF_INET6_ONLY > /dev/null; then
- echo "$sout"
- ipv6=1
- fi
- fi
-fi
-if [ "X$ipv6" = "X1" ]; then
- echo "ipv6: addr=$host disp=$disp"
-fi
-if [ "X$disp" = "X" ]; then
- port="" # probably -listen mode.
-elif [ $disp -lt 0 ]; then
- # negative means use |n| without question:
- port=`expr 0 - $disp`
-elif [ $disp -lt 200 ]; then
- # less than 200 means 5900+n
- if [ "X$reverse" = "X" ]; then
- port=`expr $disp + 5900`
- else
- port=`expr $disp + 5500`
- fi
-else
- # otherwise use the number directly, e.g. 443, 2345
- port=$disp
-fi
-
-if [ "X$ipv6" = "X1" -a "X$direct_connect" = "X1" ]; then
- if [ "X$proxy" = "X" -a "X$reverse" = "X" ]; then
- if [ "X$SSVNC_ULTRA_DSM" != "X" -a "X$have_uvnc_dsm_helper_ipv6" = "X1" ]; then
- :
- elif [ "X$SSVNC_NO_IPV6_PROXY" != "X" ]; then
- :
- elif [ "X$SSVNC_NO_IPV6_PROXY_DIRECT" != "X" ]; then
- :
- else
- proxy="ipv6://$host:$port"
- echo "direct connect: set proxy=$proxy"
- fi
- fi
-fi
-
-# (possibly) tell the vncviewer to only listen on lo:
-if [ "X$reverse" != "X" ]; then
- if [ "X$direct_connect" = "X" -o "X$proxy" != "X" -o "X$STUNNEL_LISTEN" != "X" ]; then
- VNCVIEWER_LISTEN_LOCALHOST=1
- export VNCVIEWER_LISTEN_LOCALHOST
- fi
-fi
-
-# try to find an open listening port via netstat(1):
-inuse=""
-if uname | grep Linux > /dev/null; then
- inuse=`netstat -ant | egrep 'LISTEN|WAIT|ESTABLISH|CLOSE' | awk '{print $4}' | sed 's/^.*://'`
-elif uname | grep SunOS > /dev/null; then
- inuse=`netstat -an -f inet -P tcp | egrep 'LISTEN|WAIT|ESTABLISH|CLOSE' | awk '{print $1}' | sed 's/^.*\.//'`
-elif uname | egrep -i 'bsd|darwin' > /dev/null; then
- inuse=`netstat -ant -f inet | egrep 'LISTEN|WAIT|ESTABLISH|CLOSE' | awk '{print $4}' | sed 's/^.*\.//'`
-# add others...
-fi
-
-# this is a crude attempt for unique ports tags, etc.
-date_sec=`date +%S`
-
-# these are special cases of no vnc, e.g. sleep or xmessage.
-# these are for using ssvnc as a general port redirector.
-if echo "$VNCVIEWERCMD" | grep '^sleep[ ][ ]*[0-9][0-9]*' > /dev/null; then
- if [ "X$SS_VNCVIEWER_LISTEN_PORT" = "X" ]; then
- p=`echo "$VNCVIEWERCMD" | awk '{print $3}'`
- if [ "X$p" != "X" ]; then
- SS_VNCVIEWER_LISTEN_PORT=$p
- fi
- fi
- p2=`echo "$VNCVIEWERCMD" | awk '{print $2}'`
- VNCVIEWERCMD="eval sleep $p2; echo Local "
-elif echo "$VNCVIEWERCMD" | grep '^xmessage[ ][ ]*[0-9][0-9]*' > /dev/null; then
- if [ "X$SS_VNCVIEWER_LISTEN_PORT" = "X" ]; then
- p=`echo "$VNCVIEWERCMD" | awk '{print $2}'`
- SS_VNCVIEWER_LISTEN_PORT=$p
- fi
-fi
-
-# utility to find a free port to listen on.
-findfree() {
- try0=$1
- try=$try0
- use0=""
-
- if [ "X$SS_VNCVIEWER_LISTEN_PORT" != "X" ]; then
- echo "$SS_VNCVIEWER_LISTEN_PORT"
- return
- fi
- if [ $try -ge 6000 ]; then
- fmax=`expr $try + 1000`
- else
- fmax=6000
- fi
-
- while [ $try -lt $fmax ]
- do
- if [ "X$inuse" = "X" ]; then
- break
- fi
- if echo "$inuse" | grep -w $try > /dev/null; then
- :
- else
- use0=$try
- break
- fi
- try=`expr $try + 1`
- done
- if [ "X$use0" = "X" ]; then
- use0=`expr $date_sec + $try0`
- fi
-
- echo $use0
-}
-
-# utility for exiting; kills some helper processes,
-# removes files, etc.
-final() {
- echo ""
- if [ "X$tmp_cfg" != "X" ]; then
- rm -f $tmp_cfg
- fi
- if [ "X$SS_VNCVIEWER_RM" != "X" ]; then
- rm -f $SS_VNCVIEWER_RM 2>/dev/null
- fi
- if [ "X$tcert" != "X" ]; then
- rm -f $tcert
- fi
- if [ "X$pssh" != "X" ]; then
- echo "Terminating background ssh process"
- echo kill -TERM "$pssh"
- kill -TERM "$pssh" 2>/dev/null
- sleep 1
- kill -KILL "$pssh" 2>/dev/null
- pssh=""
- fi
- if [ "X$stunnel_pid" != "X" ]; then
- echo "Terminating background stunnel process"
- echo kill -TERM "$stunnel_pid"
- kill -TERM "$stunnel_pid" 2>/dev/null
- sleep 1
- kill -KILL "$stunnel_pid" 2>/dev/null
- stunnel_pid=""
- fi
- if [ "X$dsm_pid" != "X" ]; then
- echo "Terminating background ultravnc_dsm_helper process"
- echo kill -TERM "$dsm_pid"
- kill -TERM "$dsm_pid" 2>/dev/null
- sleep 1
- kill -KILL "$dsm_pid" 2>/dev/null
- stunnel_pid=""
- fi
- if [ "X$tail_pid" != "X" ]; then
- kill -TERM $tail_pid
- fi
- if [ "X$tail_pid2" != "X" ]; then
- kill -TERM $tail_pid2
- fi
-}
-
-if [ "X$reverse" = "X" ]; then
- # normal connections try 5930-5999:
- if [ "X$showcert" = "X" ]; then
- use=`findfree 5930`
- else
- # move away from normal place for (possibly many) -showcert
- pstart=`date +%S`
- pstart=`expr 6130 + $pstart + $pstart`
- use=`findfree $pstart`
- fi
- if [ $use -ge 5900 ]; then
- N=`expr $use - 5900`
- else
- N=$use
- fi
-else
- # reverse connections:
- p2=`expr $port + 30`
- use=`findfree $p2`
- if [ $use -ge 5500 ]; then
- N=`expr $use - 5500`
- else
- N=$use
- fi
-fi
-
-# this is for my special use of ss_vncip -> vncip viewer.
-if echo "$0" | grep vncip > /dev/null; then
- VNCVIEWERCMD="$VNCIPCMD"
-fi
-
-if echo "$VNCVIEWERCMD" | egrep -i '^(xmessage|sleep )' > /dev/null; then
- :
-elif [ "X$VNCVIEWERCMD_EXTRA_OPTS" != "X" ]; then
- VNCVIEWERCMD="$VNCVIEWERCMD $VNCVIEWERCMD_EXTRA_OPTS"
-fi
-
-# trick for the undocumented rsh://host:port method.
-rsh_setup() {
- if echo "$ssh_host" | grep '@' > /dev/null; then
- ul=`echo "$ssh_host" | awk -F@ '{print $1}'`
- ul="-l $ul"
- ssh_host=`echo "$ssh_host" | awk -F@ '{print $2}'`
- else
- ul=""
- fi
- ssh_cmd=`echo "$ssh_cmd" | sed -e 's/ -localhost/ /g'`
-}
-
-# trick for the undocumented rsh://host:port method.
-rsh_viewer() {
- trap "final" 0 2 15
- if [ "X$PORT" = "X" ]; then
- exit 1
- elif [ $PORT -ge 5900 ]; then
- vdpy=`expr $PORT - 5900`
- else
- vdpy=":$PORT"
- fi
- stty sane
- echo "$VNCVIEWERCMD" "$@" $ssh_host:$vdpy
- echo ""
- $VNCVIEWERCMD "$@" $ssh_host:$vdpy
- if [ $? != 0 ]; then
- sleep 2
- $VNCVIEWERCMD "$@" $ssh_host:$vdpy
- fi
-}
-
-check_perl() {
- if type "$1" > /dev/null 2>&1; then
- :
- elif [ ! -x "$1" ]; then
- echo ""
- echo "*******************************************************"
- echo "** Problem finding the Perl command '$1': **"
- echo ""
- type "perl"
- echo ""
- echo "** Perhaps you need to install the Perl package. **"
- echo "*******************************************************"
- echo ""
- sleep 5
- fi
-}
-
-# this is the PPROXY tool. used only here for now...
-pcode() {
- tf=$1
- PPROXY_PROXY=$proxy; export PPROXY_PROXY
- PPROXY_DEST="$host:$port"; export PPROXY_DEST
- check_perl /usr/bin/perl
-
- cod='#!/usr/bin/perl
-
-# A hack to glue stunnel to a Web or SOCKS proxy, UltraVNC repeater for
-# client connections.
-# Also acts as a VeNCrypt bridge (by redirecting to stunnel.)
-
-use IO::Socket::INET;
-
-my $have_inet6 = "";
-eval "use IO::Socket::INET6;";
-$have_inet6 = 1 if $@ eq "";
-
-#my $have_sock6 = "";
-#eval "use Socket; use Socket6;";
-#$have_sock6 = 1 if $@ eq "";
-
-if (exists $ENV{PPROXY_LOOP_THYSELF}) {
- # used for reverse vnc, run a repeating outer loop.
- print STDERR "PPROXY_LOOP: $ENV{PPROXY_LOOP_THYSELF}\n";
- my $rm = $ENV{PPROXY_REMOVE};
- my $lp = $ENV{PPROXY_LOOP_THYSELF};
- delete $ENV{PPROXY_REMOVE};
- delete $ENV{PPROXY_LOOP_THYSELF};
- $ENV{PPROXY_LOOP_THYSELF_MASTER} = $$;
- my $pid = $$;
- my $dbg = 0;
- my $c = 0;
- use POSIX ":sys_wait_h";
- while (1) {
- $pid = fork();
- last if ! defined $pid;
- if ($pid eq "0") {
- last;
- }
- $c++;
- print STDERR "\nPPROXY_LOOP: pid=$$ child=$pid count=$c\n";
- while (1) {
- waitpid(-1, WNOHANG);
- fsleep(0.25);
- if (! kill 0, $pid) {
- print STDERR "PPROXY_LOOP: child=$pid gone.\n";
- last;
- }
- print STDERR "PPROXY_LOOP: child=$pid alive.\n" if $dbg;
- if (! -f $lp) {
- print STDERR "PPROXY_LOOP: flag file $lp gone, killing $pid\n";
- kill TERM, $pid;
- fsleep(0.1);
- wait;
- last;
- }
- print STDERR "PPROXY_LOOP: file exists $lp\n" if $dbg;
- }
- last if ! -f $lp;
- fsleep(0.25);
- }
- if ($pid ne "0") {
- unlink($0) if $rm;
- exit 0;
- }
-}
-
-if (exists $ENV{PPROXY_SLEEP} && $ENV{PPROXY_SLEEP} > 0) {
- print STDERR "PPROXY_PID: $$\n";
- sleep $ENV{PPROXY_SLEEP};
-}
-
-foreach my $var (qw(
- PPROXY_DEST
- PPROXY_KILLPID
- PPROXY_LISTEN
- PPROXY_PROXY
- PPROXY_REMOVE
- PPROXY_REPEATER
- PPROXY_REVERSE
- PPROXY_SLEEP
- PPROXY_SOCKS
- PPROXY_VENCRYPT
- PPROXY_VENCRYPT_VIEWER_BRIDGE
- )) {
- if (0 || $ENV{SS_DEBUG} || $ENV{SSVNC_VENCRYPT_DEBUG}) {
- print STDERR "$var: $ENV{$var}\n";
- }
-}
-
-if ($ENV{PPROXY_SOCKS} ne "" && $ENV{PPROXY_PROXY} !~ m,^socks5?://,i) {
- if ($ENV{PPROXY_SOCKS} eq "5") {
- $ENV{PPROXY_PROXY} = "socks5://$ENV{PPROXY_PROXY}";
- } else {
- $ENV{PPROXY_PROXY} = "socks://$ENV{PPROXY_PROXY}";
- }
-}
-
-my $rfbSecTypeAnonTls = 18;
-my $rfbSecTypeVencrypt = 19;
-
-my $rfbVencryptPlain = 256;
-my $rfbVencryptTlsNone = 257;
-my $rfbVencryptTlsVnc = 258;
-my $rfbVencryptTlsPlain = 259;
-my $rfbVencryptX509None = 260;
-my $rfbVencryptX509Vnc = 261;
-my $rfbVencryptX509Plain = 262;
-
-my $handshake_file = "";
-if (exists $ENV{SSVNC_PREDIGESTED_HANDSHAKE}) {
- $handshake_file = $ENV{SSVNC_PREDIGESTED_HANDSHAKE};
-}
-
-my $have_gettimeofday = 0;
-eval "use Time::HiRes;";
-if ($@ eq "") {
- $have_gettimeofday = 1;
-}
-sub gettime {
- my $t = "0.0";
- if ($have_gettimeofday) {
- $t = Time::HiRes::gettimeofday();
- }
- return $t;
-}
-
-my $listen_handle = "";
-my $sock = "";
-my $parent = $$;
-
-my $initial_data = "";
-
-if ($ENV{PPROXY_VENCRYPT_VIEWER_BRIDGE}) {
- my ($from, $to) = split(/,/, $ENV{PPROXY_VENCRYPT_VIEWER_BRIDGE});
- do_vencrypt_viewer_bridge($from, $to);
- exit 0;
-}
-
-my ($first, $second, $third) = split(/,/, $ENV{PPROXY_PROXY}, 3);
-my ($mode_1st, $mode_2nd, $mode_3rd) = ("", "", "");
-
-($first, $mode_1st) = url_parse($first);
-
-my ($proxy_host, $proxy_port) = ($first, "");
-if ($proxy_host =~ /^(.*):(\d+)$/) {
- $proxy_host = $1;
- $proxy_port = $2;
-}
-my $connect = $ENV{PPROXY_DEST};
-
-if ($second ne "") {
- ($second, $mode_2nd) = url_parse($second);
-}
-
-if ($third ne "") {
- ($third, $mode_3rd) = url_parse($third);
-}
-
-
-print STDERR "\n";
-print STDERR "PPROXY v0.4: a tool for Web, SOCKS, and UltraVNC proxies and for\n";
-print STDERR "PPROXY v0.4: IPv6 and VNC VeNCrypt bridging.\n";
-print STDERR "proxy_host: $proxy_host\n";
-print STDERR "proxy_port: $proxy_port\n";
-print STDERR "proxy_connect: $connect\n";
-print STDERR "pproxy_params: $ENV{PPROXY_PROXY}\n";
-print STDERR "pproxy_listen: $ENV{PPROXY_LISTEN}\n";
-print STDERR "pproxy_reverse: $ENV{PPROXY_REVERSE}\n";
-print STDERR "io_socket_inet6: $have_inet6\n";
-print STDERR "\n";
-if (! $have_inet6) {
- print STDERR "PPROXY: To enable IPv6 connections, install the IO::Socket::INET6 perl module.\n\n";
-}
-
-if (1) {
- print STDERR "pproxy 1st: $first\t- $mode_1st\n";
- print STDERR "pproxy 2nd: $second\t- $mode_2nd\n";
- print STDERR "pproxy 3rd: $third\t- $mode_3rd\n";
- print STDERR "\n";
-}
-
-sub pdie {
- my $msg = shift;
- kill_proxy_pids();
- die "$msg";
-}
-
-if ($ENV{PPROXY_REVERSE} ne "") {
- my ($rhost, $rport) = ($ENV{PPROXY_REVERSE}, "");
- if ($rhost =~ /^(.*):(\d+)$/) {
- $rhost = $1;
- $rport = $2;
- }
- $rport = 5900 unless $rport;
- my $emsg = "";
- $listen_handle = IO::Socket::INET->new(
- PeerAddr => $rhost,
- PeerPort => $rport,
- Proto => "tcp"
- );
- $emsg = $!;
- if (! $listen_handle && $have_inet6) {
- eval {$listen_handle = IO::Socket::INET6->new(
- PeerAddr => $rhost,
- PeerPort => $rport,
- Proto => "tcp"
- );};
- $emsg .= " / $!";
- }
- if (! $listen_handle) {
- pdie "pproxy: $emsg -- PPROXY_REVERSE\n";
- }
- print STDERR "PPROXY_REVERSE: connected to $rhost $rport\n";
-
-} elsif ($ENV{PPROXY_LISTEN} ne "") {
- my $listen_sock = "";
- my $maxtry = 12;
- my $sleep = 5;
- my $p2 = "";
- my $emsg = "";
- for (my $i=0; $i < $maxtry; $i++) {
- my ($if, $p) = ("", $ENV{PPROXY_LISTEN});
- if ($p =~ /^(.*):(\d+)$/) {
- $if = $1;
- $p = $2;
- }
- $p2 = "*:$p";
- if ($if eq "") {
- $if = "localhost";
- }
- print STDERR "pproxy interface: $if\n";
-
- $emsg = "";
- if (($if eq "INADDR_ANY6" || $if eq "::") && $have_inet6) {
- eval {$listen_sock = IO::Socket::INET6->new(
- Listen => 2,
- ReuseAddr => 1,
- Domain => AF_INET6,
- LocalAddr => "::",
- LocalPort => $p,
- Proto => "tcp"
- );};
- $p2 = ":::$p";
- } elsif ($if =~ /^INADDR_ANY/) {
- $listen_sock = IO::Socket::INET->new(
- Listen => 2,
- ReuseAddr => 1,
- LocalPort => $p,
- Proto => "tcp"
- );
- } elsif (($if eq "INADDR_LOOPBACK6" || $if eq "::1") && $have_inet6) {
- $p2 = "::1:$p";
- eval {$listen_sock = IO::Socket::INET6->new(
- Listen => 2,
- ReuseAddr => 1,
- Domain => AF_INET6,
- LocalAddr => "::1",
- LocalPort => $p,
- Proto => "tcp"
- );};
- $p2 = "::1:$p";
- } else {
- $p2 = "$if:$p";
- $listen_sock = IO::Socket::INET->new(
- Listen => 2,
- ReuseAddr => 1,
- LocalAddr => $if,
- LocalPort => $p,
- Proto => "tcp"
- );
- $emsg = $!;
-
- if (! $listen_sock && $have_inet6) {
- print STDERR "PPROXY_LISTEN: retry with INET6\n";
- eval {$listen_sock = IO::Socket::INET6->new(
- Listen => 2,
- ReuseAddr => 1,
- Domain => AF_INET6,
- LocalAddr => $if,
- LocalPort => $p,
- Proto => "tcp"
- );};
- $emsg .= " / $!";
- }
- }
- if (! $listen_sock) {
- if ($i < $maxtry - 1) {
- warn "pproxy: $emsg $!\n";
- warn "Could not listen on port $p2, retrying in $sleep seconds... (Ctrl-C to quit)\n";
- sleep $sleep;
- }
- } else {
- last;
- }
- }
- if (! $listen_sock) {
- pdie "pproxy: $emsg -- PPROXY_LISTEN\n";
- }
- print STDERR "pproxy: listening on $p2\n";
- my $ip;
- ($listen_handle, $ip) = $listen_sock->accept();
- my $err = $!;
- close $listen_sock;
- if (! $listen_handle) {
- pdie "pproxy: $err\n";
- }
-
- if ($ENV{PPROXY_LOOP_THYSELF_MASTER}) {
- my $sml = $ENV{SSVNC_MULTIPLE_LISTEN};
- if ($sml ne "" && $sml ne "0") {
- setpgrp(0, 0);
- if (fork()) {
- close $viewer_sock;
- wait;
- exit 0;
- }
- if (fork()) {
- close $viewer_sock;
- exit 0;
- }
- setpgrp(0, 0);
- $parent = $$;
- }
- }
-}
-
-$sock = IO::Socket::INET->new(
- PeerAddr => $proxy_host,
- PeerPort => $proxy_port,
- Proto => "tcp"
-);
-
-my $err = "";
-
-if (! $sock && $have_inet6) {
- $err = $!;
-
- eval {$sock = IO::Socket::INET6->new(
- PeerAddr => $proxy_host,
- PeerPort => $proxy_port,
- Proto => "tcp"
- );};
- $err .= " / $!";
-}
-
-if (! $sock) {
- unlink($0) if $ENV{PPROXY_REMOVE};
- pdie "pproxy: $err\n";
-}
-
-unlink($0) if $ENV{PPROXY_REMOVE};
-
-if ($ENV{PPROXY_PROXY} =~ /^vencrypt:/ && $ENV{PPROXY_VENCRYPT_REVERSE}) {
- print STDERR "\nPPROXY: vencrypt+reverse: swapping listen socket with connect socket.\n";
- my $tmp_swap = $sock;
- $sock = $listen_handle;
- $listen_handle = $tmp_swap;
-}
-
-$cur_proxy = $first;
-setmode($mode_1st);
-
-if ($second ne "") {
- connection($second, 1);
-
- setmode($mode_2nd);
- $cur_proxy = $second;
-
- if ($third ne "") {
- connection($third, 2);
- setmode($mode_3rd);
- $cur_proxy = $third;
- connection($connect, 3);
- } else {
- connection($connect, 2);
- }
-} else {
- connection($connect, 1);
-}
-
-sub kill_proxy_pids() {
- if ($ENV{PPROXY_VENCRYPT_VIEWER_BRIDGE}) {
- return;
- }
- if ($ENV{PPROXY_KILLPID}) {
- foreach my $p (split(/,/, $ENV{PPROXY_KILLPID})) {
- if ($p =~ /^(\+|-)/) {
- $p = $parent + $p;
- }
- print STDERR "kill TERM, $p (PPROXY_KILLPID)\n";
- kill "TERM", $p;
- }
- }
-}
-
-sub xfer {
- my($in, $out) = @_;
- $RIN = $WIN = $EIN = "";
- $ROUT = "";
- vec($RIN, fileno($in), 1) = 1;
- vec($WIN, fileno($in), 1) = 1;
- $EIN = $RIN | $WIN;
-
- while (1) {
- my $nf = 0;
- while (! $nf) {
- $nf = select($ROUT=$RIN, undef, undef, undef);
- }
- my $len = sysread($in, $buf, 8192);
- if (! defined($len)) {
- next if $! =~ /^Interrupted/;
- print STDERR "pproxy[$$]: $!\n";
- last;
- } elsif ($len == 0) {
- print STDERR "pproxy[$$]: Input is EOF.\n";
- last;
- }
- my $offset = 0;
- my $quit = 0;
- while ($len) {
- my $written = syswrite($out, $buf, $len, $offset);
- if (! defined $written) {
- print STDERR "pproxy[$$]: Output is EOF. $!\n";
- $quit = 1;
- last;
- }
- $len -= $written;
- $offset += $written;
- }
- last if $quit;
- }
- close($out);
- close($in);
- print STDERR "pproxy[$$]: finished xfer.\n";
-}
-
-sub handler {
- print STDERR "pproxy[$$]: got SIGTERM.\n";
- close $listen_handle if $listen_handle;
- close $sock if $sock;
- exit;
-}
-
-sub xfer_both {
- $child = fork;
-
- if (! defined $child) {
- kill_proxy_pids();
- exit 1;
- }
-
- $SIG{TERM} = "handler";
-
- if ($child) {
- if ($listen_handle) {
- print STDERR "pproxy parent[$$] listen_handle -> socket\n";
- xfer($listen_handle, $sock);
- } else {
- print STDERR "pproxy parent[$$] STDIN -> socket\n";
- xfer(STDIN, $sock);
- }
- select(undef, undef, undef, 0.25);
- if (kill 0, $child) {
- select(undef, undef, undef, 0.9);
- if (kill 0, $child) {
- print STDERR "pproxy[$$]: kill TERM child $child\n";
- kill "TERM", $child;
- } else {
- print STDERR "pproxy[$$]: child $child gone.\n";
- }
- }
- } else {
- select(undef, undef, undef, 0.05);
- if ($listen_handle) {
- print STDERR "pproxy child [$$] socket -> listen_handle\n";
- if ($initial_data ne "") {
- my $len = length $initial_data;
- print STDERR "pproxy child [$$] sending initial_data, length $len\n\n";
- syswrite($listen_handle, $initial_data, $len);
- } else {
- print STDERR "\n";
- }
- xfer($sock, $listen_handle);
- } else {
- print STDERR "pproxy child [$$] socket -> STDOUT\n";
- if ($initial_data ne "") {
- my $len = length $initial_data;
- print STDERR "pproxy child [$$] sending initial_data, length $len\n\n";
- syswrite(STDOUT, $initial_data, $len);
- } else {
- print STDERR "\n";
- }
- xfer($sock, STDOUT);
- }
- select(undef, undef, undef, 0.25);
- if (kill 0, $parent) {
- select(undef, undef, undef, 0.8);
- if (kill 0, $parent) {
- print STDERR "pproxy[$$]: kill TERM parent $parent\n";
- kill "TERM", $parent;
- } else {
- print STDERR "pproxy[$$]: parent $parent gone.\n";
- }
- }
- }
-
- kill_proxy_pids();
-}
-
-xfer_both();
-
-exit;
-
-sub fsleep {
- select(undef, undef, undef, shift);
-}
-
-sub url_parse {
- my $hostport = shift;
- my $mode = "http";
- if ($hostport =~ m,^socks4?://(\S*)$,i) {
- $mode = "socks4";
- $hostport = $1;
- } elsif ($hostport =~ m,^socks5://(\S*)$,i) {
- $mode = "socks5";
- $hostport = $1;
- } elsif ($hostport =~ m,^https?://(\S*)$,i) {
- $mode = "http";
- $hostport = $1;
- } elsif ($hostport =~ m,^ipv6://(\S*)$,i) {
- $mode = "ipv6";
- $hostport = $1;
- } elsif ($hostport =~ m,^repeater://(\S*)\+(\S*)$,i) {
- # ultravnc repeater proxy.
- $hostport = $1;
- $mode = "repeater:$2";
- if ($hostport !~ /:\d+$/) {
- $hostport .= ":5900";
- }
- } elsif ($hostport =~ m,^vencrypt://(\S*)$,i) {
- # vencrypt handshake.
- $hostport = $1;
- my $m = "connect";
- if ($hostpost =~ /^(\S+)\+(\S+)$/) {
- $hostport = $1;
- $mode = $2;
- }
- $mode = "vencrypt:$m";
- if ($hostport !~ /:\d+$/) {
- $hostport .= ":5900";
- }
- }
- return ($hostport, $mode);
-}
-
-sub setmode {
- my $mode = shift;
- $ENV{PPROXY_REPEATER} = "";
- $ENV{PPROXY_VENCRYPT} = "";
- if ($mode =~ /^socks/) {
- if ($mode =~ /^socks5/) {
- $ENV{PPROXY_SOCKS} = 5;
- } else {
- $ENV{PPROXY_SOCKS} = 1;
- }
- } elsif ($mode =~ /^ipv6/i) {
- $ENV{PPROXY_SOCKS} = 0;
- } elsif ($mode =~ /^repeater:(.*)/) {
- $ENV{PPROXY_REPEATER} = $1;
- $ENV{PPROXY_SOCKS} = "";
- } elsif ($mode =~ /^vencrypt:(.*)/) {
- $ENV{PPROXY_VENCRYPT} = $1;
- $ENV{PPROXY_SOCKS} = "";
- } else {
- $ENV{PPROXY_SOCKS} = "";
- }
-}
-
-sub connection {
- my ($CONNECT, $w) = @_;
-
- my $con = "";
- my $msg = "";
-
- if ($ENV{PPROXY_SOCKS} eq "5") {
- # SOCKS5
- my ($h, $p) = ($CONNECT, "");
- if ($h =~ /^(.*):(\d+)$/) {
- $h = $1;
- $p = $2;
- }
- $con .= pack("C", 0x05);
- $con .= pack("C", 0x01);
- $con .= pack("C", 0x00);
-
- $msg = "SOCKS5 via $cur_proxy to $h:$p\n\n";
- print STDERR "proxy_request$w: $msg";
-
- syswrite($sock, $con, length($con));
-
- my ($n1, $n2, $n3, $n4, $n5, $n6);
- my ($r1, $r2, $r3, $r4, $r5, $r6);
- my ($s1, $s2, $s3, $s4, $s5, $s6);
-
- $n1 = sysread($sock, $r1, 1);
- $n2 = sysread($sock, $r2, 1);
-
- $s1 = unpack("C", $r1);
- $s2 = unpack("C", $r2);
- if ($s1 != 0x05 || $s2 != 0x00) {
- print STDERR "SOCKS5 fail s1=$s1 s2=$s2 n1=$n1 n2=$n2\n";
- close $sock;
- exit(1);
- }
-
- $con = "";
- $con .= pack("C", 0x05);
- $con .= pack("C", 0x01);
- $con .= pack("C", 0x00);
- $con .= pack("C", 0x03);
- $con .= pack("C", length($h));
- $con .= $h;
- $con .= pack("C", $p >> 8);
- $con .= pack("C", $p & 0xff);
-
- syswrite($sock, $con, length($con));
-
- $n1 = sysread($sock, $r1, 1);
- $n2 = sysread($sock, $r2, 1);
- $n3 = sysread($sock, $r3, 1);
- $n4 = sysread($sock, $r4, 1);
- $s1 = unpack("C", $r1);
- $s2 = unpack("C", $r2);
- $s3 = unpack("C", $r3);
- $s4 = unpack("C", $r4);
-
- if ($s4 == 0x1) {
- sysread($sock, $r5, 4 + 2);
- } elsif ($s4 == 0x3) {
- sysread($sock, $r5, 1);
- $s5 = unpack("C", $r5);
- sysread($sock, $r6, $s5 + 2);
- } elsif ($s4 == 0x4) {
- sysread($sock, $r5, 16 + 2);
- }
-
- if ($s1 != 0x5 || $s2 != 0x0 || $s3 != 0x0) {
- print STDERR "SOCKS5 failed: s1=$s1 s2=$s2 s3=$s3 s4=$s4 n1=$n1 n2=$n2 n3=$n3 n4=$n4\n";
- close $sock;
- exit(1);
- }
-
- } elsif ($ENV{PPROXY_SOCKS} eq "1") {
- # SOCKS4 SOCKS4a
- my ($h, $p) = ($CONNECT, "");
- if ($h =~ /^(.*):(\d+)$/) {
- $h = $1;
- $p = $2;
- }
- $con .= pack("C", 0x04);
- $con .= pack("C", 0x01);
- $con .= pack("n", $p);
-
- my $SOCKS_4a = 0;
- if ($h eq "localhost" || $h eq "127.0.0.1") {
- $con .= pack("C", 127);
- $con .= pack("C", 0);
- $con .= pack("C", 0);
- $con .= pack("C", 1);
- } elsif ($h =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/) {
- $con .= pack("C", $1);
- $con .= pack("C", $2);
- $con .= pack("C", $3);
- $con .= pack("C", $4);
- } else {
- $con .= pack("C", 0);
- $con .= pack("C", 0);
- $con .= pack("C", 0);
- $con .= pack("C", 3);
- $SOCKS_4a = 1;
- }
-
- $con .= "nobody";
- $con .= pack("C", 0);
-
- $msg = "SOCKS4 via $cur_proxy to $h:$p\n\n";
- if ($SOCKS_4a) {
- $con .= $h;
- $con .= pack("C", 0);
- $msg =~ s/SOCKS4/SOCKS4a/;
- }
- print STDERR "proxy_request$w: $msg";
- syswrite($sock, $con, length($con));
-
- my $ok = 1;
- for (my $i = 0; $i < 8; $i++) {
- my $c;
- sysread($sock, $c, 1);
- my $s = unpack("C", $c);
- if ($i == 0) {
- $ok = 0 if $s != 0x0;
- } elsif ($i == 1) {
- $ok = 0 if $s != 0x5a;
- }
- }
- if (! $ok) {
- print STDERR "SOCKS4 failed.\n";
- close $sock;
- exit(1);
- }
- } elsif ($ENV{PPROXY_SOCKS} eq "0") {
- # hack for ipv6 "proxy", nothing to do, assume INET6 call worked.
- ;
- } elsif ($ENV{PPROXY_REPEATER} ne "") {
- my $rep = $ENV{PPROXY_REPEATER};
- print STDERR "repeater: $rep\n";
- $rep .= pack("x") x 250;
- syswrite($sock, $rep, 250);
-
- my $rfb = "";
-
- my $ok = 1;
- for (my $i = 0; $i < 12; $i++) {
- my $c;
- last if $ENV{PPROXY_GENERIC_REPEATER};
- sysread($sock, $c, 1);
- print STDERR $c;
- $rfb .= $c;
- }
- if ($rfb ne "" && $rfb !~ /^RFB 000\.000/) {
- $initial_data = $rfb;
- $rfb =~ s/\n//g;
- print STDERR "detected non-UltraVNC repeater; forwarding \"$rfb\"\nlength: ", length($initial_data), "\n";
- }
- } elsif ($ENV{PPROXY_VENCRYPT} ne "") {
- my $vencrypt = $ENV{PPROXY_VENCRYPT};
- vencrypt_dialog($vencrypt);
-
- } else {
- # Web Proxy:
- $con = "CONNECT $CONNECT HTTP/1.1\r\n";
- $con .= "Host: $CONNECT\r\n";
- $con .= "Connection: close\r\n\r\n";
- $msg = $con;
-
- print STDERR "proxy_request$w: via $cur_proxy:\n$msg";
- syswrite($sock, $con, length($con));
-
- my $rep = "";
- my $n = 0;
- while ($rep !~ /\r\n\r\n/ && $n < 30000) {
- my $c;
- sysread($sock, $c, 1);
- print STDERR $c;
- $rep .= $c;
- $n++;
- }
- if ($rep !~ m,HTTP/.* 200,) {
- print STDERR "HTTP CONNECT failed.\n";
- close $sock;
- exit(1);
- }
- }
-}
-
-sub vdie {
- append_handshake("done\n");
- close $sock;
- kill_proxy_pids();
- exit(1);
-}
-
-sub anontls_handshake {
- my ($vmode, $db) = @_;
-
- print STDERR "\nPPROXY: Doing ANONTLS Handshake\n";
-
- my $psec = pack("C", $rfbSecTypeAnonTls);
- syswrite($sock, $psec, 1);
-
- append_handshake("done\n");
-}
-
-sub vencrypt_handshake {
-
- my ($vmode, $db) = @_;
-
- print STDERR "\nPPROXY: Doing VeNCrypt Handshake\n";
-
- my $psec = pack("C", $rfbSecTypeVencrypt);
-
- if (exists $ENV{SSVNC_TEST_SEC_TYPE}) {
- my $fake = $ENV{SSVNC_TEST_SEC_TYPE};
- print STDERR "PPROXY: sending sec-type: $fake\n";
- $psec = pack("C", $fake);
- }
-
- syswrite($sock, $psec, 1);
-
- my $vmajor;
- my $vminor;
- sysread($sock, $vmajor, 1);
- sysread($sock, $vminor, 1);
-
- vdie if $vmajor eq "" || $vminor eq "";
-
- $vmajor = unpack("C", $vmajor);
- $vminor = unpack("C", $vminor);
- print STDERR "server vencrypt version $vmajor.$vminor\n" if $db;
-
- if (exists $ENV{SSVNC_TEST_SEC_TYPE}) {
- print STDERR "PPROXY: continuing on in test mode.\n";
- } else {
- vdie if $vmajor ne 0;
- vdie if $vminor < 2;
- }
-
- $vmajor = pack("C", 0);
- $vminor = pack("C", 2);
- append_handshake("subversion=0.2\n");
-
- syswrite($sock, $vmajor, 1);
- syswrite($sock, $vminor, 1);
-
- my $result;
- sysread($sock, $result, 1);
- print STDERR "result empty\n" if $db && $result eq "";
-
- vdie if $result eq "";
- $result = unpack("C", $result);
- print STDERR "result=$result\n" if $db;
-
- vdie if $result ne 0;
-
- my $nsubtypes;
- sysread($sock, $nsubtypes, 1);
-
- vdie if $nsubtypes eq "";
- $nsubtypes = unpack("C", $nsubtypes);
- print STDERR "nsubtypes=$nsubtypes\n" if $db;
-
- my %subtypes;
-
- for (my $i = 0; $i < $nsubtypes; $i++) {
- my $subtype = "";
- sysread($sock, $subtype, 4);
- vdie if length($subtype) != 4;
-
- # XXX fix 64bit.
- $subtype = unpack("N", $subtype);
- print STDERR "subtype: $subtype\n" if $db;
- $subtypes{$subtype} = 1;
- append_handshake("sst$i=$subtype\n");
- }
-
- my $subtype = 0;
- if (exists $subtypes{$rfbVencryptX509None}) {
- $subtype = $rfbVencryptX509None;
- print STDERR "selected rfbVencryptX509None\n" if $db;
- } elsif (exists $subtypes{$rfbVencryptX509Vnc}) {
- $subtype = $rfbVencryptX509Vnc;
- print STDERR "selected rfbVencryptX509Vnc\n" if $db;
- } elsif (exists $subtypes{$rfbVencryptX509Plain}) {
- $subtype = $rfbVencryptX509Plain;
- print STDERR "selected rfbVencryptX509Plain\n" if $db;
- } elsif (exists $subtypes{$rfbVencryptTlsNone}) {
- $subtype = $rfbVencryptTlsNone;
- print STDERR "selected rfbVencryptTlsNone\n" if $db;
- } elsif (exists $subtypes{$rfbVencryptTlsVnc}) {
- $subtype = $rfbVencryptTlsVnc;
- print STDERR "selected rfbVencryptTlsVnc\n" if $db;
- } elsif (exists $subtypes{$rfbVencryptTlsPlain}) {
- $subtype = $rfbVencryptTlsPlain;
- print STDERR "selected rfbVencryptTlsPlain\n" if $db;
- }
-
- if (exists $ENV{SSVNC_TEST_SEC_SUBTYPE}) {
- my $fake = $ENV{SSVNC_TEST_SEC_SUBTYPE};
- print STDERR "PPROXY: sending sec-subtype: $fake\n";
- $subtype = $fake;
- }
-
- append_handshake("subtype=$subtype\n");
-
- my $pst = pack("N", $subtype);
- syswrite($sock, $pst, 4);
-
- if (exists $ENV{SSVNC_TEST_SEC_SUBTYPE}) {
- print STDERR "PPROXY: continuing on in test mode.\n";
- } else {
- vdie if $subtype == 0;
- }
-
- my $ok;
- sysread($sock, $ok, 1);
- $ok = unpack("C", $ok);
- print STDERR "ok=$ok\n" if $db;
-
- append_handshake("done\n");
-
- vdie if $ok == 0;
-}
-
-sub vencrypt_dialog {
- my $vmode = shift;
- my $db = 0;
-
- $db = 1 if exists $ENV{SS_DEBUG};
- $db = 1 if exists $ENV{SSVNC_VENCRYPT_DEBUG};
-
- append_handshake("mode=$vmode\n");
-
- my $server_rfb = "";
- #syswrite($sock, $rep, 250);
- for (my $i = 0; $i < 12; $i++) {
- my $c;
- sysread($sock, $c, 1);
- $server_rfb .= $c;
- print STDERR $c;
- }
- print STDERR "server_rfb: $server_rfb\n" if $db;
- append_handshake("server=$server_rfb");
-
- my $minor = "";
- if ($server_rfb =~ /^RFB 003\.(\d+)/) {
- $minor = $1;
- } else {
- vdie;
- }
- my $viewer_rfb = "RFB 003.008\n";
- if ($minor < 7) {
- vdie;
- } elsif ($minor == 7) {
- $viewer_rfb = "RFB 003.007\n";
- }
- my $nsec;
- my $t1 = gettime();
- my $t0 = gettime();
-
- syswrite($sock, $viewer_rfb, 12);
- sysread($sock, $nsec, 1);
-
- $t1 = gettime();
- $t1 = sprintf("%.6f", $t1 - $t0);
-
- append_handshake("viewer=$viewer_rfb");
- append_handshake("latency=$t1\n");
-
- vdie if $nsec eq "";
-
- $nsec = unpack("C", $nsec);
-
- print STDERR "nsec: $nsec\n" if $db;
- vdie if $nsec eq 0 || $nsec > 100;
-
- my %sectypes = ();
-
- for (my $i = 0; $i < $nsec; $i++) {
- my $sec;
- sysread($sock, $sec, 1);
- vdie if $sec eq "";
- $sec = unpack("C", $sec);
- print STDERR "sec: $sec\n" if $db;
- $sectypes{$sec} = 1;
- }
-
- if (exists $sectypes{$rfbSecTypeVencrypt}) {
- print STDERR "found rfbSecTypeVencrypt\n" if $db;
- append_handshake("sectype=$rfbSecTypeVencrypt\n");
- vencrypt_handshake($vmode, $db);
- } elsif (exists $sectypes{$rfbSecTypeAnonTls}) {
- print STDERR "found rfbSecTypeAnonTls\n" if $db;
- append_handshake("sectype=$rfbSecTypeAnonTls\n");
- anontls_handshake($vmode, $db);
- } else {
- print STDERR "No supported sec-type found\n" if $db;
- vdie;
- }
-}
-
-sub append_handshake {
- my $str = shift;
- if ($handshake_file) {
- if (open(HSF, ">>$handshake_file")) {
- print HSF $str;
- close HSF;
- }
- }
-}
-
-sub do_vencrypt_viewer_bridge {
- my ($listen, $connect) = @_;
- print STDERR "\npproxy: starting vencrypt_viewer_bridge[$$]: $listen \-> $connect\n";
- my $db = 0;
- my $backwards = 0;
- if ($listen < 0) {
- $backwards = 1;
- $listen = -$listen;
- }
- if ($handshake_file eq "") {
- die "pproxy: vencrypt_viewer_bridge[$$]: no SSVNC_PREDIGESTED_HANDSHAKE\n";
- }
- my $listen_sock;
- my $maxtry = 12;
- my $sleep = 5;
- for (my $i=0; $i < $maxtry; $i++) {
- $listen_sock = IO::Socket::INET->new(
- Listen => 2,
- ReuseAddr => 1,
- LocalAddr => "127.0.0.1",
- LocalPort => $listen,
- Proto => "tcp"
- );
- if (! $listen_sock) {
- if ($i < $maxtry - 1) {
- warn "pproxy: vencrypt_viewer_bridge[$$]: $!\n";
- warn "Could not listen on port $listen, retrying in $sleep seconds... (Ctrl-C to quit)\n";
- sleep $sleep;
- }
- } else {
- last;
- }
- }
- if (! $listen_sock) {
- die "pproxy: vencrypt_viewer_bridge[$$]: $!\n";
- }
- print STDERR "pproxy: vencrypt_viewer_bridge[$$]: listening on port $listen\n\n";
- my ($viewer_sock, $ip) = $listen_sock->accept();
- my $err = $!;
- close $listen_sock;
- if (! $viewer_sock) {
- die "pproxy: vencrypt_viewer_bridge[$$]: $err\n";
- }
- if ($ENV{PPROXY_LOOP_THYSELF_MASTER}) {
- my $sml = $ENV{SSVNC_MULTIPLE_LISTEN};
- if ($sml ne "" && $sml ne "0") {
- setpgrp(0, 0);
- if (fork()) {
- close $viewer_sock;
- wait;
- exit 0;
- }
- if (fork()) {
- close $viewer_sock;
- exit 0;
- }
- setpgrp(0, 0);
- $parent = $$;
- }
- }
- print STDERR "vencrypt_viewer_bridge[$$]: viewer_sock $viewer_sock\n" if $db;
-
- print STDERR "pproxy: vencrypt_viewer_bridge[$$]: connecting to 127.0.0.1:$connect\n";
- my $server_sock = IO::Socket::INET->new(
- PeerAddr => "127.0.0.1",
- PeerPort => $connect,
- Proto => "tcp"
- );
- print STDERR "vencrypt_viewer_bridge[$$]: server_sock $server_sock\n" if $db;
- if (! $server_sock) {
- my $err = $!;
- die "pproxy: vencrypt_viewer_bridge[$$]: $err\n";
- }
-
- if ($backwards) {
- print STDERR "vencrypt_viewer_bridge[$$]: reversing roles of viewer and server.\n";
- my $t = $viewer_sock;
- $viewer_sock = $server_sock;
- $server_sock = $t;
- }
-
- my %hs = ();
- my $dt = 0.2;
- my $slept = 0.0;
- while ($slept < 20.0) {
- select(undef, undef, undef, $dt);
- $slept += $dt;
- if (-f $handshake_file && open(HSF, "<$handshake_file")) {
- my $done = 0;
- %hs = ();
- my $str = "";
- while (<HSF>) {
- print STDERR "vencrypt_viewer_bridge[$$]: $_" if $ENV{VENCRYPT_VIEWER_BRIDGE_DEBUG};
- $str .= "vencrypt_viewer_bridge[$$]: $_";
- chomp;
- if ($_ eq "done") {
- $done = 1;
- } else {
- my ($k, $v) = split(/=/, $_, 2);
- if ($k ne "" && $v ne "") {
- $hs{$k} = $v;
- }
- }
- }
- close HSF;
- if ($done) {
- print STDERR "\n" . $str;
- last;
- }
- }
- }
- if (! exists $hs{server}) {
- $hs{server} = "RFB 003.008";
- }
- if (! exists $hs{sectype}) {
- unlink($handshake_file);
- die "pproxy: vencrypt_viewer_bridge[$$]: no sectype.\n";
- }
- syswrite($viewer_sock, "$hs{server}\n", length($hs{server}) + 1);
- my $viewer_rfb = "";
- for (my $i = 0; $i < 12; $i++) {
- my $c;
- sysread($viewer_sock, $c, 1);
- $viewer_rfb .= $c;
- print STDERR $c;
- }
- my $viewer_major = 3;
- my $viewer_minor = 8;
- if ($viewer_rfb =~ /RFB (\d+)\.(\d+)/) {
- $viewer_major = $1;
- $viewer_minor = $2;
- }
- my $u0 = pack("C", 0);
- my $u1 = pack("C", 1);
- my $u2 = pack("C", 2);
- if ($hs{sectype} == $rfbSecTypeAnonTls) {
- unlink($handshake_file);
- print STDERR "\npproxy: vencrypt_viewer_bridge[$$]: rfbSecTypeAnonTls\n";
- if ($viewer_major > 3 || $viewer_minor >= 7) {
- ; # setup ok, proceed to xfer.
- } else {
- print STDERR "pproxy: vencrypt_viewer_bridge[$$]: faking RFB version 3.3 to viewer.\n";
- my $n;
- sysread($server_sock, $n, 1);
- $n = unpack("C", $n);
- if ($n == 0) {
- die "pproxy: vencrypt_viewer_bridge[$$]: nsectypes == $n.\n";
- }
- my %types;
- for (my $i = 0; $i < $n; $i++) {
- my $t;
- sysread($server_sock, $t, 1);
- $t = unpack("C", $t);
- $types{$t} = 1;
- }
- my $use = 1; # None
- if (exists $types{1}) {
- $use = 1; # None
- } elsif (exists $types{2}) {
- $use = 2; # VncAuth
- } else {
- die "pproxy: vencrypt_viewer_bridge[$$]: no valid sectypes" . join(",", keys %types) . "\n";
- }
-
- # send 4 bytes sectype to viewer:
- # (note this should be MSB, network byte order...)
- my $up = pack("C", $use);
- syswrite($viewer_sock, $u0, 1);
- syswrite($viewer_sock, $u0, 1);
- syswrite($viewer_sock, $u0, 1);
- syswrite($viewer_sock, $up, 1);
- # and tell server the one we selected:
- syswrite($server_sock, $up, 1);
- if ($use == 1) {
- # even None has security result, so read it here and discard it.
- my $sr = "";
- sysread($server_sock, $sr, 4);
- }
- }
- } elsif ($hs{sectype} == $rfbSecTypeVencrypt) {
- print STDERR "\npproxy: vencrypt_viewer_bridge[$$]: rfbSecTypeVencrypt\n";
- if (! exists $hs{subtype}) {
- unlink($handshake_file);
- die "pproxy: vencrypt_viewer_bridge[$$]: no subtype.\n";
- }
- my $fake_type = "None";
- my $plain = 0;
- my $sub_type = $hs{subtype};
- if ($sub_type == $rfbVencryptTlsNone) {
- $fake_type = "None";
- } elsif ($sub_type == $rfbVencryptTlsVnc) {
- $fake_type = "VncAuth";
- } elsif ($sub_type == $rfbVencryptTlsPlain) {
- $fake_type = "None";
- $plain = 1;
- } elsif ($sub_type == $rfbVencryptX509None) {
- $fake_type = "None";
- } elsif ($sub_type == $rfbVencryptX509Vnc) {
- $fake_type = "VncAuth";
- } elsif ($sub_type == $rfbVencryptX509Plain) {
- $fake_type = "None";
- $plain = 1;
- }
- if ($plain) {
- if (!open(W, ">$handshake_file")) {
- unlink($handshake_file);
- die "pproxy: vencrypt_viewer_bridge[$$]: $handshake_file $!\n";
- }
- print W <<"END";
-
- proc print_out {} {
- global user pass env
-
- if [info exists env(SSVNC_UP_DEBUG)] {
- toplevel .b
- button .b.b -text "user=\$user pass=\$pass" -command {destroy .b}
- pack .b.b
- update
- tkwait window .b
- }
-
- if [info exists env(SSVNC_UP_FILE)] {
- set fh ""
- catch {set fh [open \$env(SSVNC_UP_FILE) w]}
- if {\$fh != ""} {
- puts \$fh user=\$user\\npass=\$pass
- flush \$fh
- close \$fh
- return
- }
- }
- puts stdout user=\$user\\npass=\$pass
- flush stdout
- }
-
- proc center_win {w} {
- update
- set W [winfo screenwidth \$w]
- set W [expr \$W + 1]
- wm geometry \$w +\$W+0
- update
- set x [expr [winfo screenwidth \$w]/2 - [winfo width \$w]/2]
- set y [expr [winfo screenheight \$w]/2 - [winfo height \$w]/2]
-
- wm geometry \$w +\$x+\$y
- wm deiconify \$w
- update
- }
-
- wm withdraw .
-
- global env
- set up {}
- if [info exists env(SSVNC_UNIXPW)] {
- set rm 0
- set up \$env(SSVNC_UNIXPW)
- if [regexp {^rm:} \$up] {
- set rm 1
- regsub {^rm:} \$up {} up
- }
- if [file exists \$up] {
- set fh ""
- set f \$up
- catch {set fh [open \$up r]}
- if {\$fh != ""} {
- gets \$fh u
- gets \$fh p
- close \$fh
- set up "\$u@\$p"
- }
- if {\$rm} {
- catch {file delete \$f}
- }
- }
- } elseif [info exists env(SSVNC_VENCRYPT_USERPASS)] {
- set up \$env(SSVNC_VENCRYPT_USERPASS)
- }
- #puts stderr up=\$up
- if {\$up != ""} {
- if [regexp {@} \$up] {
- global user pass
- set user \$up
- set pass \$up
- regsub {@.*\$} \$user "" user
- regsub {^[^@]*@} \$pass "" pass
- print_out
- exit
- }
- }
-
- wm title . {VeNCrypt Viewer Bridge User/Pass}
-
- set user {}
- set pass {}
-
- label .l -text {SSVNC VeNCrypt Viewer Bridge}
-
- frame .f0
- frame .f0.fL
- label .f0.fL.la -text {Username: }
- label .f0.fL.lb -text {Password: }
-
- pack .f0.fL.la .f0.fL.lb -side top
-
- frame .f0.fR
- entry .f0.fR.ea -width 24 -textvariable user
- entry .f0.fR.eb -width 24 -textvariable pass -show *
-
- pack .f0.fR.ea .f0.fR.eb -side top -fill x
-
- pack .f0.fL -side left
- pack .f0.fR -side right -expand 1 -fill x
-
- button .no -text Cancel -command {destroy .}
- button .ok -text Done -command {print_out; destroy .}
-
- center_win .
- pack .l .f0 .no .ok -side top -fill x
- update
- wm deiconify .
-
- bind .f0.fR.ea <Return> {focus .f0.fR.eb}
- bind .f0.fR.eb <Return> {print_out; destroy .}
- focus .f0.fR.ea
-
- wm resizable . 1 0
- wm minsize . [winfo reqwidth .] [winfo reqheight .]
-END
- close W;
-
- #system("cat $handshake_file");
- my $w = "wish";
- if ($ENV{WISH}) {
- $w = $ENV{WISH};
- }
- print STDERR "pproxy: vencrypt_viewer_bridge[$$]: prompt VencryptPlain user and passwd.\n";
- my $res = "";
- if (`uname` =~ /Darwin/) {
- my $mtmp = `mktemp /tmp/hsup.XXXXXX`;
- chomp $mtmp;
- system("env SSVNC_UP_FILE=$mtmp $w $handshake_file");
- $res = `cat $mtmp`;
- unlink $mtmp;
- } else {
- $res = `$w $handshake_file`;
- }
- my $user = "";
- my $pass = "";
- if ($res =~ /user=(\S*)/) {
- $user = $1;
- }
- if ($res =~ /pass=(\S*)/) {
- $pass = $1;
- }
- print STDERR "pproxy: vencrypt_viewer_bridge[$$]: sending VencryptPlain user and passwd.\n";
- my $ulen = pack("C", length($user));
- my $plen = pack("C", length($pass));
- # (note this should be MSB, network byte order...)
- syswrite($server_sock, $u0, 1);
- syswrite($server_sock, $u0, 1);
- syswrite($server_sock, $u0, 1);
- syswrite($server_sock, $ulen, 1);
- syswrite($server_sock, $u0, 1);
- syswrite($server_sock, $u0, 1);
- syswrite($server_sock, $u0, 1);
- syswrite($server_sock, $plen, 1);
- syswrite($server_sock, $user, length($user));
- syswrite($server_sock, $pass, length($pass));
- }
- unlink($handshake_file);
-
- my $ft = 0;
- if ($fake_type eq "None") {
- $ft = 1;
- } elsif ($fake_type eq "VncAuth") {
- $ft = 2;
- } else {
- die "pproxy: vencrypt_viewer_bridge[$$]: unknown fake type: $fake_type\n";
- }
- my $fp = pack("C", $ft);
- if ($viewer_major > 3 || $viewer_minor >= 7) {
- syswrite($viewer_sock, $u1, 1);
- syswrite($viewer_sock, $fp, 1);
- my $cr;
- sysread($viewer_sock, $cr, 1);
- $cr = unpack("C", $cr);
- if ($cr != $ft) {
- die "pproxy: vencrypt_viewer_bridge[$$]: client selected wrong type: $cr / $ft\n";
- }
- } else {
- print STDERR "pproxy: vencrypt_viewer_bridge[$$]: faking RFB version 3.3 to viewer.\n";
- # send 4 bytes sect type to viewer:
- # (note this should be MSB, network byte order...)
- syswrite($viewer_sock, $u0, 1);
- syswrite($viewer_sock, $u0, 1);
- syswrite($viewer_sock, $u0, 1);
- syswrite($viewer_sock, $fp, 1);
- if ($ft == 1) {
- # even None has security result, so read it here and discard it.
- my $sr = "";
- sysread($server_sock, $sr, 4);
- }
- }
- }
-
- $listen_handle = $viewer_sock;
- $sock = $server_sock;
-
- xfer_both();
-}
-'
- # '
- # xpg_echo will expand \n \r, etc.
- # try to unset and then test for it.
- if type shopt > /dev/null 2>&1; then
- shopt -u xpg_echo >/dev/null 2>&1
- fi
- v='print STDOUT "abc\n";'
- echo "$v" > $tf
- chmod 700 $tf
-
- lc=`wc -l $tf | awk '{print $1}'`
- if [ "X$lc" = "X1" ]; then
- echo "$cod" > $tf
- else
- printf "%s" "$cod" > $tf
- echo "" >> $tf
- fi
- # prime perl
- perl -e 'use IO::Socket::INET; select(undef, undef, undef, 0.01)' >/dev/null 2>&1
-}
-
-# make_tcert is no longer invoked via the ssvnc gui (Listen mode).
-# make_tcert is for testing only now via -mycert BUILTIN
-make_tcert() {
- tcert="/tmp/ss_vnc_viewer_tcert${RANDOM}.$$"
- tcert=`mytmp "$tcert"`
- cat > $tcert <<END
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAvkfXxb0wcxgrjV2ziFikjII+ze8iKcTBt47L0GM/c21efelN
-+zZpJUUXLu4zz8Ryq8Q+sQgfNy7uTOpN9bUUaOk1TnD7gaDQnQWiNHmqbW2kL+DS
-OKngJVPo9dETAS8hf7+D1e1DBZxjTc1a4RQqWJixwpYj99ixWzu8VC2m/xXsjvOs
-jp4+DLBB490nbkwvstmhmiWm1CmI5O5xOkgioVNQqHvQMdVKOSz9PpbjvZiRX1Uo
-qoMrk+2NOqwP90TB35yPASXb9zXKpO7DLhkube+yYGf+yk46aD707L07Eb7cosFP
-S84vNZ9gX7rQ0UOwm5rYA/oZTBskgaqhtIzkLwIDAQABAoIBAD4ot/sXt5kRn0Ca
-CIkU9AQWlC+v28grR2EQW9JiaZrqcoDNUzUqbCTJsi4ZkIFh2lf0TsqELbZYNW6Y
-6AjJM7al4E0UqYSKJTv2WCuuRxdiRs2BMwthqyBmjeanev7bB6V0ybt7u3Y8xU/o
-MrTuYnr4vrEjXPKdLirwk7AoDbKsRXHSIiHEIBOq1+dUQ32t36ukdnnza4wKDLZc
-PKHiCdCk/wOGhuDlxD6RspqUAlRnJ8/aEhrgWxadFXw1hRhRsf/v1shtB0T3DmTe
-Jchjwyiw9mryb9JZAcKxW+fUc4EVvj6VdQGqYInQJY5Yxm5JAlVQUJicuuJEvn6A
-rj5osQECgYEA552CaHpUiFlB4HGkjaH00kL+f0+gRF4PANCPk6X3UPDVYzKnzmuu
-yDvIdEETGFWBwoztUrOOKqVvPEQ+kBa2+DWWYaERZLtg2cI5byfDJxQ3ldzilS3J
-1S3WgCojqcsG/hlxoQJ1dZFanUy/QhUZ0B+wlC+Zp1Q8AyuGQvhHp68CgYEA0lBI
-eqq2GGCdJuNHMPFbi8Q0BnX55LW5C1hWjhuYiEkb3hOaIJuJrqvayBlhcQa2cGqp
-uP34e9UCfoeLgmoCQ0b4KpL2NGov/mL4i8bMgog4hcoYuIi3qxN18vVR14VKEh4U
-RLk0igAYPU+IK2QByaQlBo9OSaKkcfm7U1/pK4ECgYAxr6VpGk0GDvfF2Tsusv6d
-GIgV8ZP09qSLTTJvvxvF/lQYeqZq7sjI5aJD5i3de4JhpO/IXQJzfZfWOuGc8XKA
-3qYK/Y2IqXXGYRcHFGWV/Y1LFd55mCADHlk0l1WdOBOg8P5iRu/Br9PbiLpCx9oI
-vrOXpnp03eod1/luZmqguwKBgQCWFRSj9Q7ddpSvG6HCG3ro0qsNsUMTI1tZ7UBX
-SPogx4tLf1GN03D9ZUZLZVFUByZKMtPLX/Hi7K9K/A9ikaPrvsl6GEX6QYzeTGJx
-3Pw0amFrmDzr8ySewNR6/PXahxPEuhJcuI31rPufRRI3ZLah3rFNbRbBFX+klkJH
-zTnoAQKBgDbUK/aQFGduSy7WUT7LlM3UlGxJ2sA90TQh4JRQwzur0ACN5GdYZkqM
-YBts4sBJVwwJoxD9OpbvKu3uKCt41BSj0/KyoBzjT44S2io2tj1syujtlVUsyyBy
-/ca0A7WBB8lD1D7QMIhYUm2O9kYtSCLlUTHt5leqGaRG38DqlX36
------END RSA PRIVATE KEY-----
------BEGIN CERTIFICATE-----
-MIIDzDCCArQCCQDSzxzxqhyqLzANBgkqhkiG9w0BAQQFADCBpzELMAkGA1UEBhMC
-VVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxDzANBgNVBAcTBkJvc3RvbjETMBEG
-A1UEChMKTXkgQ29tcGFueTEcMBoGA1UECxMTUHJvZHVjdCBEZXZlbG9wbWVudDEZ
-MBcGA1UEAxMQd3d3Lm5vd2hlcmUubm9uZTEhMB8GCSqGSIb3DQEJARYSYWRtaW5A
-bm93aGVyZS5ub25lMB4XDTA3MDMyMzE4MDc0NVoXDTI2MDUyMjE4MDc0NVowgacx
-CzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMQ8wDQYDVQQHEwZC
-b3N0b24xEzARBgNVBAoTCk15IENvbXBhbnkxHDAaBgNVBAsTE1Byb2R1Y3QgRGV2
-ZWxvcG1lbnQxGTAXBgNVBAMTEHd3dy5ub3doZXJlLm5vbmUxITAfBgkqhkiG9w0B
-CQEWEmFkbWluQG5vd2hlcmUubm9uZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
-AQoCggEBAL5H18W9MHMYK41ds4hYpIyCPs3vIinEwbeOy9BjP3NtXn3pTfs2aSVF
-Fy7uM8/EcqvEPrEIHzcu7kzqTfW1FGjpNU5w+4Gg0J0FojR5qm1tpC/g0jip4CVT
-6PXREwEvIX+/g9XtQwWcY03NWuEUKliYscKWI/fYsVs7vFQtpv8V7I7zrI6ePgyw
-QePdJ25ML7LZoZolptQpiOTucTpIIqFTUKh70DHVSjks/T6W472YkV9VKKqDK5Pt
-jTqsD/dEwd+cjwEl2/c1yqTuwy4ZLm3vsmBn/spOOmg+9Oy9OxG+3KLBT0vOLzWf
-YF+60NFDsJua2AP6GUwbJIGqobSM5C8CAwEAATANBgkqhkiG9w0BAQQFAAOCAQEA
-vGomHEp6TVU83X2EBUgnbOhzKJ9u3fOI/Uf5L7p//Vxqow7OR1cguzh/YEzmXOIL
-ilMVnzX9nj/bvcLAuqEP7MR1A8f4+E807p/L/Sf49BiCcwQq5I966sGKYXjkve+T
-2GTBNwMSq+5kLSf6QY8VZI+qnrAudEQMeJByQhTZZ0dH8Njeq8EGl9KUio+VWaiW
-CQK6xJuAvAHqa06OjLmwu1fYD4GLGSrOIiRVkSXV8qLIUmzxdJaIRznkFWsrCEKR
-wAH966SAOvd2s6yOHMvyDRIL7WHxfESB6rDHsdIW/yny1fBePjv473KrxyXtbz7I
-dMw1yW09l+eEo4A7GzwOdw==
------END CERTIFICATE-----
-END
- chmod 600 $tcert
- echo "$tcert"
-}
-
-Kecho() {
- NO_KECHO=1
- if [ "X$USER" = "Xrunge" -a "X$NO_KECHO" = "X" ]; then
- echo "dbg: $*"
- fi
-}
-
-NHAFL_warning() {
- echo ""
- echo "** Warning: For the proxy: $proxy"
- echo "** Warning: the ssh(1) option: $ssh_NHAFL"
- echo "** Warning: will be used to avoid frequent 'ssh key has changed for localhost'"
- echo "** Warning: dialogs and connection failures (for example, ssh will exit asking"
- echo "** Warning: you to manually remove a key from ~/.ssh/known_hosts.)"
- echo "** Warning: "
- echo "** Warning: This decreases security: a Man-In-The-Middle attack is possible."
- echo "** Warning: For chained ssh connections the first ssh leg is secure but the"
- echo "** Warning: 2nd ssh leg is vulnerable. For an ssh connection going through"
- echo "** Warning: a HTTP or SOCKS proxy the ssh connection is vulnerable."
- echo "** Warning: "
- echo "** Warning: You can set the SSVNC_SSH_LOCALHOST_AUTH=1 env. var. to disable"
- echo "** Warning: using the NoHostAuthenticationForLocalhost=yes ssh option."
- echo "** Warning: "
- echo "** Warning: A better solution is to configure (in the SSVNC GUI) the setting:"
- echo "** Warning: 'Options -> Advanced -> Private SSH KnownHosts file' (or set"
- echo "** Warning: SSVNC_KNOWN_HOSTS_FILE directly) to a per-connection known hosts"
- echo "** Warning: file. That file holds the 'localhost' cert for this specific"
- echo "** Warning: connection. This yields a both secure and convenient solution."
- echo ""
-}
-
-space_expand() {
- str=`echo "$1" | sed -e 's/%SPACE/ /g' -e 's/%TAB/\t/g'`
- echo "$str"
-}
-
-# handle ssh case:
-#
-if [ "X$use_ssh" = "X1" ]; then
- #
- # USING SSH
- #
- ssh_port="22"
- ssh_host="$host"
- vnc_host="$localhost"
- ssh_UKHF=""
- localhost_extra=""
- # let user override ssh via $SSH
- ssh=${SSH:-"ssh -x"}
-
- sshword=`echo "$ssh" | awk '{print $1}'`
- if [ "X$sshword" != "X" ]; then
- if [ -x "$sshword" ]; then
- :
- elif type "$sshword" > /dev/null 2>&1; then
- :
- else
- echo ""
- echo "*********************************************************"
- echo "** Problem finding the SSH command '$sshword': **"
- echo ""
- type "$sshword"
- echo ""
- echo "** Perhaps you need to install the SSH client package. **"
- echo "*********************************************************"
- echo ""
- sleep 5
- fi
- fi
-
- ssh_NHAFL="-o NoHostAuthenticationForLocalhost=yes"
- if [ "X$SSVNC_SSH_LOCALHOST_AUTH" = "X1" ]; then
- ssh_NHAFL=""
- fi
- if [ "X$SSVNC_KNOWN_HOSTS_FILE" != "X" ]; then
- ssh_NHAFL=""
-
- ssh_UKHF="-o UserKnownHostsFile=$SSVNC_KNOWN_HOSTS_FILE"
- ssh_args="$ssh_args $ssh_UKHF"
- if [ ! -f "$SSVNC_KNOWN_HOSTS_FILE" ]; then
- touch "$SSVNC_KNOWN_HOSTS_FILE" >/dev/null 2>&1
- fi
- chmod 600 "$SSVNC_KNOWN_HOSTS_FILE" >/dev/null 2>&1
- fi
- did_ssh_NHAFL=""
-
- if [ "X$SSVNC_LIM_ACCEPT_PRELOAD" != "X" ]; then
- SSVNC_LIM_ACCEPT_PRELOAD="$SSVNC_BASEDIR/$SSVNC_UNAME/$SSVNC_LIM_ACCEPT_PRELOAD"
- fi
- if [ "X$SSVNC_LIM_ACCEPT_PRELOAD" != "X" ]; then
- echo ""
- echo "SSVNC_LIM_ACCEPT_PRELOAD=$SSVNC_LIM_ACCEPT_PRELOAD"
- fi
-
- if [ "X$SSVNC_LIM_ACCEPT_PRELOAD" != "X" -a -f "$SSVNC_LIM_ACCEPT_PRELOAD" ]; then
- plvar=LD_PRELOAD
- if uname | grep Darwin >/dev/null; then
- plvar="DYLD_FORCE_FLAT_NAMESPACE=1 DYLD_INSERT_LIBRARIES"
- fi
- ssh="env $plvar=$SSVNC_LIM_ACCEPT_PRELOAD $ssh"
- else
- SSVNC_LIM_ACCEPT_PRELOAD=""
- fi
-
- ssh_vencrypt_proxy=""
- # We handle vencrypt for SSH+SSL mode.
- if echo "$proxy" | grep 'vencrypt://' > /dev/null; then
- proxynew=""
- for part in `echo "$proxy" | tr ',' ' '`
- do
- if echo "$part" | egrep -i '^vencrypt://' > /dev/null; then
- ssh_vencrypt_proxy=$part
- else
- if [ "X$proxynew" = "X" ]; then
- proxynew="$part"
- else
- proxynew="$proxynew,$part"
- fi
- fi
- done
- proxy=$proxynew
- fi
- Kecho ssh_vencrypt_proxy=$ssh_vencrypt_proxy
-
- # note that user must supply http:// for web proxy in SSH and SSH+SSL.
- # No xxxx:// implies ssh server+port.
- #
- if echo "$proxy" | egrep '(http|https|socks|socks4|socks5)://' > /dev/null; then
- # Handle Web or SOCKS proxy(ies) for the initial connect.
- Kecho host=$host
- Kecho port=$port
- pproxy=""
- sproxy1=""
- sproxy_rest=""
- for part in `echo "$proxy" | tr ',' ' '`
- do
- Kecho proxy_part=$part
- if [ "X$part" = "X" ]; then
- continue
- elif echo "$part" | egrep -i '^(http|https|socks|socks4|socks5)://' > /dev/null; then
- pproxy="$pproxy,$part"
- else
- if [ "X$sproxy1" = "X" ]; then
- sproxy1="$part"
- else
- sproxy_rest="$sproxy_rest,$part"
- fi
- fi
- done
- pproxy=`echo "$pproxy" | sed -e 's/^,,*//' -e 's/,,*/,/g'`
- sproxy_rest=`echo "$sproxy_rest" | sed -e 's/^,,*//' -e 's/,,*/,/g'`
-
- Kecho pproxy=$pproxy
- Kecho sproxy1=$sproxy1
- Kecho sproxy_rest=$sproxy_rest
-
- sproxy1_host=""
- sproxy1_port=""
- sproxy1_user=""
-
- if [ "X$sproxy1" != "X" ]; then
- sproxy1_host=`echo "$sproxy1" | awk -F: '{print $1}'`
- sproxy1_user=`echo "$sproxy1_host" | awk -F@ '{print $1}'`
- sproxy1_host=`echo "$sproxy1_host" | awk -F@ '{print $2}'`
- if [ "X$sproxy1_host" = "X" ]; then
- sproxy1_host=$sproxy1_user
- sproxy1_user=""
- else
- sproxy1_user="${sproxy1_user}@"
- fi
- sproxy1_port=`echo "$sproxy1" | awk -F: '{print $2}'`
- if [ "X$sproxy1_port" = "X" ]; then
- sproxy1_port="22"
- fi
- else
- sproxy1_host=`echo "$host" | awk -F: '{print $1}'`
- sproxy1_user=`echo "$sproxy1_host" | awk -F@ '{print $1}'`
- sproxy1_host=`echo "$sproxy1_host" | awk -F@ '{print $2}'`
- if [ "X$sproxy1_host" = "X" ]; then
- sproxy1_host=$sproxy1_user
- sproxy1_user=""
- else
- sproxy1_user="${sproxy1_user}@"
- fi
- sproxy1_port=`echo "$host" | awk -F: '{print $2}'`
- if [ "X$sproxy1_port" = "X" ]; then
- sproxy1_port="22"
- fi
- fi
-
- Kecho sproxy1_host=$sproxy1_host
- Kecho sproxy1_port=$sproxy1_port
- Kecho sproxy1_user=$sproxy1_user
-
- ptmp="/tmp/ss_vncviewer_ssh${RANDOM}.$$.pl"
- ptmp=`mytmp "$ptmp"`
- PPROXY_REMOVE=1; export PPROXY_REMOVE
- proxy=$pproxy
- port_save=$port
- host_save=$host
- if [ "X$sproxy1_host" != "X" ]; then
- host=$sproxy1_host
- fi
- if [ "X$sproxy1_port" != "X" ]; then
- port=$sproxy1_port
- fi
- host=`echo "$host" | sed -e 's/^.*@//'`
- port=`echo "$port" | sed -e 's/^.*://'`
- pcode "$ptmp"
- port=$port_save
- host=$host_save
-
- nd=`findfree 6600`
- PPROXY_LISTEN=$nd; export PPROXY_LISTEN
- # XXX no reverse forever PPROXY_LOOP_THYSELF ...
- $ptmp &
- sleep 1
- if [ "X$ssh_NHAFL" != "X" -a "X$did_ssh_NHAFL" != "X1" ]; then
- NHAFL_warning
- ssh_args="$ssh_args $ssh_NHAFL"
- did_ssh_NHAFL=1
- fi
- sleep 1
- if [ "X$sproxy1" = "X" ]; then
- u=""
- if echo "$host" | grep '@' > /dev/null; then
- u=`echo "$host" | sed -e 's/@.*$/@/'`
- fi
-
- proxy="${u}$localhost:$nd"
- else
- proxy="${sproxy1_user}$localhost:$nd"
- fi
- localhost_extra=".2"
- if [ "X$sproxy_rest" != "X" ]; then
- proxy="$proxy,$sproxy_rest"
- fi
- Kecho proxy=$proxy
- fi
-
- if echo "$proxy" | grep "," > /dev/null; then
-
- proxy1=`echo "$proxy" | awk -F, '{print $1}'`
- proxy2=`echo "$proxy" | awk -F, '{print $2}'`
-
- # user1@gw1.com:port1,user2@ws2:port2
- ssh_host1=`echo "$proxy1" | awk -F: '{print $1}'`
- ssh_port1=`echo "$proxy1" | awk -F: '{print $2}'`
- if [ "X$ssh_port1" != "X" ]; then
- ssh_port1="-p $ssh_port1"
- fi
- ssh_host2=`echo "$proxy2" | awk -F: '{print $1}'`
- ssh_user2=`echo "$ssh_host2" | awk -F@ '{print $1}'`
- ssh_host2=`echo "$ssh_host2" | awk -F@ '{print $2}'`
- if [ "X$ssh_host2" = "X" ]; then
- ssh_host2=$ssh_user2
- ssh_user2=""
- else
- ssh_user2="${ssh_user2}@"
- fi
- ssh_port2=`echo "$proxy2" | awk -F: '{print $2}'`
- if [ "X$ssh_port2" = "X" ]; then
- ssh_port2="22"
- fi
- proxport=`findfree 3500`
- if [ "X$ssh_NHAFL" != "X" -a "X$did_ssh_NHAFL" != "X1" ]; then
- NHAFL_warning
- did_ssh_NHAFL=1
- sleep 1
- fi
- echo
- echo "Running 1st ssh proxy:"
- ukhf=""
- if [ "X$ssh_UKHF" != "X" ]; then
- ukhf="$ssh_UKHF$localhost_extra"
- fi
- if echo "$ssh_host1" | grep '%' > /dev/null; then
- uath=`space_expand "$ssh_host1"`
- else
- uath="$ssh_host1"
- fi
- echo "$ssh -f -x $ssh_port1 $targ -e none $ssh_NHAFL $ukhf -L $proxport:$ssh_host2:$ssh_port2 \"$uath\" \"sleep 30\""
- echo ""
- $ssh -f -x $ssh_port1 $targ -e none $ssh_NHAFL $ukhf -L $proxport:$ssh_host2:$ssh_port2 "$uath" "sleep 30"
- ssh_args="$ssh_args $ssh_NHAFL"
- sleep 1
- stty sane
- proxy="${ssh_user2}$localhost:$proxport"
- fi
-
- if [ "X$proxy" != "X" ]; then
- ssh_port=`echo "$proxy" | awk -F: '{print $2}'`
- if [ "X$ssh_port" = "X" ]; then
- ssh_port="22"
- fi
- ssh_host=`echo "$proxy" | awk -F: '{print $1}'`
- vnc_host="$host"
- fi
-
- echo ""
- echo "Running ssh:"
- sz=`echo "$ssh_cmd" | wc -c`
- if [ "$sz" -gt 300 ]; then
- info="..."
- else
- info="$ssh_cmd"
- fi
-
- C=""
- if [ "X$SS_VNCVIEWER_USE_C" != "X" ]; then
- C="-C"
- fi
-
- getport=""
- teeport=""
- if echo "$ssh_cmd" | egrep "(PORT=|P=) " > /dev/null; then
- getport=1
- if echo "$ssh_cmd" | egrep "P= " > /dev/null; then
- teeport=1
- fi
-
- PORT=""
- ssh_cmd=`echo "$ssh_cmd" | sed -e 's/PORT=[ ]*//' -e 's/P=//'`
- SSVNC_NO_ENC_WARN=1
- if [ "X$use_sshssl" = "X" ]; then
- direct_connect=1
- fi
- fi
- if [ "X$getport" != "X" ]; then
- ssh_redir="-D ${use}"
- elif [ "X$reverse" = "X" ]; then
- ssh_redir="-L ${use}:${vnc_host}:${port}"
- else
- ssh_redir="-R ${port}:${vnc_host}:${use}"
- fi
- pmark=`sh -c 'echo $$'`
-
- # the -t option actually speeds up typing response via VNC!!
- if [ "X$ssh_port" = "X22" ]; then
- ssh_port=""
- else
- ssh_port="-p $ssh_port"
- fi
-
- if echo "$ssh_host" | grep '%' > /dev/null; then
- uath=`space_expand "$ssh_host"`
- else
- uath="$ssh_host"
- fi
- if [ "X$SS_VNCVIEWER_SSH_ONLY" != "X" ]; then
- echo "$ssh -x $ssh_port $targ $C $ssh_args \"$uath\" \"$info\""
- echo ""
- $ssh -x $ssh_port $targ $C $ssh_args "$uath" "$ssh_cmd"
- exit $?
-
- elif [ "X$SS_VNCVIEWER_NO_F" != "X" ]; then
- echo "$ssh -x $ssh_port $targ $C $ssh_redir $ssh_args \"$uath\" \"$info\""
- echo ""
- $ssh -x $ssh_port $targ $C $ssh_redir $ssh_args "$uath" "$ssh_cmd"
- rc=$?
-
- elif [ "X$getport" != "X" ]; then
- tport=/tmp/ss_vncviewer_tport${RANDOM}.$$
- tport=`mytmp "$tport"`
- tport2=/tmp/ss_vncviewer_tport2${RANDOM}.$$
- tport2=`mytmp "$tport2"`
-
- if [ "X$rsh" != "X1" ]; then
- if echo "$ssh_cmd" | grep "sudo " > /dev/null; then
- echo ""
- echo "Initial ssh with 'sudo id' to prime sudo so hopefully the next one"
- echo "will require no password..."
- echo ""
- targ="-t"
- $ssh -x $ssh_port $targ $ssh_args "$uath" "sudo id; tty"
- echo ""
- fi
- echo "$ssh -x -f $ssh_port $targ $C $ssh_redir $ssh_args \"$uath\" \"$info\""
- echo ""
- $ssh -x -f $ssh_port $targ $C $ssh_redir $ssh_args "$uath" "$ssh_cmd" > $tport 2> $tport2
- if [ "X$teeport" = "X1" ]; then
- tail -f $tport 1>&2 &
- tail_pid=$!
- tail -f $tport2 1>&2 &
- tail_pid2=$!
- fi
- rc=$?
- else
- rsh_setup
- echo "rsh $ul \"$ssh_host\" \"$ssh_cmd\""
- echo ""
- rsh $ul "$ssh_host" "$ssh_cmd" > $tport &
- sleep 1
- rc=0
- fi
-
- if [ "X$SSVNC_EXTRA_SLEEP" != "X" ]; then
- echo "sleep $SSVNC_EXTRA_SLEEP"
- sleep $SSVNC_EXTRA_SLEEP
- fi
-
- stty sane
- i=0
- if type perl > /dev/null 2>&1; then
- imax=50
- sleepit="perl -e 'select(undef, undef, undef, 0.20)'"
- else
- imax=10
- sleepit="sleep 1"
- fi
- while [ $i -lt $imax ]; do
- #echo $sleepit
- eval $sleepit
- PORT=`grep "^PORT=" $tport | tr '\r' ' ' | head -n 1 | sed -e 's/PORT=//' -e 's/\r//g' -e 's/ *$//'`
- if echo "$PORT" | grep '^[0-9][0-9]*$' > /dev/null; then
- break
- fi
- vnss=`sed -e 's/\r//g' $tport $tport2 | egrep -i '^(New.* desktop is|A VNC server is already running).*:[0-9[0-9]*$' | head -n 1 | awk '{print $NF}'`
- if [ "X$vnss" != "X" ]; then
- PORT=`echo "$vnss" | awk -F: '{print $2}'`
- if echo "$PORT" | grep '^[0-9][0-9]*$' > /dev/null; then
- if [ $PORT -lt 100 ]; then
- PORT=`expr $PORT + 5900`
- fi
- fi
- if echo "$PORT" | grep '^[0-9][0-9]*$' > /dev/null; then
- vnss=`sed -e 's/\r//g' $tport | egrep -i '^(New.* desktop is|A VNC server is already running).*:[0-9[0-9]*$' | head -n 1`
- echo "vncserver string: $vnss" 1>&2
- break
- fi
- fi
- i=`expr $i + 1`
- done
-
- echo "found: PORT='$PORT'" 1>&2
- lh6=""
- if [ "X$SSVNC_PORT_IPV6" != "X" ]; then
- lh6=1
- elif egrep 'Info: listening on IPv6 only|Info: listening only on IPv6' $tport > /dev/null; then
- lh6=1
- fi
- if [ "X$lh6" = "X1" ]; then
- echo "set SOCKS5 localhost to ::1" 1>&2
- fi
- rm -f $tport $tport2
- if [ "X$rsh" = "X1" ]; then
- rsh_viewer "$@"
- exit $?
- fi
- PPROXY_SOCKS=5
- if [ "X$SSVNC_SOCKS5" != "X" ]; then
- PPROXY_SOCKS=5
- elif [ "X$SSVNC_SOCKS4" != "X" ]; then
- PPROXY_SOCKS=1
- fi
- export PPROXY_SOCKS
- if [ "X$lh6" = "X" ]; then
- host="$localhost"
- else
- host="::1"
- fi
- port="$PORT"
- proxy="$localhost:$use"
-
- else
- if [ "X$rsh" != "X1" ]; then
- echo "$ssh -x -f $ssh_port $targ $C $ssh_redir $ssh_args \"$uath\" \"$info\""
- echo ""
- $ssh -x -f $ssh_port $targ $C $ssh_redir $ssh_args "$uath" "$ssh_cmd"
- rc=$?
- else
- rsh_setup
- echo "rsh $ul \"$ssh_host\" \"$ssh_cmd\""
- echo ""
- rsh $ul "$ssh_host" "$ssh_cmd" &
- sleep 1
- PORT=$port
- rsh_viewer "$@"
- exit $?
- fi
- fi
-
- if [ "$rc" != "0" ]; then
- echo ""
- echo "ssh to \"$uath\" failed."
- exit 1
- fi
- stty sane
-
- c=0
- pssh=""
- while [ $c -lt 40 ]
- do
- p=`expr $pmark + $c`
- pout=`ps -p "$p" 2>/dev/null | grep -v '^[ ]*PID' | sed -e 's/-L.*$//' -e 's/-x .*$//'`
- if echo "$pout" | grep "ssh" > /dev/null; then
- if echo "$pout" | egrep -i 'ssh.*(-add|-agent|-ask|-keygen|-argv0|vnc)' >/dev/null; then
- :
- elif echo "$pout" | egrep -i 'scp|sshd' >/dev/null; then
- :
- else
- pssh=$p
- break
- fi
- fi
- c=`expr $c + 1`
- done
- if [ "X$getport" != "X" ]; then
- :
- elif [ "X$SSVNC_LIM_ACCEPT_PRELOAD" != "X" ] ; then
- sleep 2
- elif [ "X$ssh_cmd" = "Xsleep $ssh_sleep" ] ; then
- #echo T sleep 1
- sleep 1
- elif echo "$ssh_cmd" | grep '^sleep ' >/dev/null; then
- #echo T sleep 2
- sleep 2
- else
- # let any command get started a bit.
- #echo T sleep 5
- sleep 5
- fi
- echo ""
- #reset
- stty sane
- if [ "X$SSVNC_EXTRA_SLEEP" != "X" ]; then
- echo "sleep $SSVNC_EXTRA_SLEEP"
- sleep $SSVNC_EXTRA_SLEEP
- fi
- echo "ssh_pid='$pssh'"; echo
- if [ "X$use_sshssl" = "X" -a "X$getport" = "X" ]; then
- echo "Running viewer:"
-
- trap "final" 0 2 15
- if [ "X$reverse" = "X" ]; then
- echo "$VNCVIEWERCMD" "$@" $localhost:$N
- echo ""
- $VNCVIEWERCMD "$@" $localhost:$N
- if [ $? != 0 ]; then
- echo "vncviewer command failed: $?"
- if [ "X$secondtry" = "X1" ]; then
- sleep 2
- $VNCVIEWERCMD "$@" $localhost:$N
- fi
- fi
- else
- echo ""
- echo "NOTE: Press Ctrl-C to terminate viewer LISTEN mode."
- echo ""
- N2=$N
- if [ "X$VNCVIEWER_IS_REALVNC4" = "X1" ]; then
- N2=`echo "$N2" | sed -e 's/://g'`
- if [ $N2 -le 200 ]; then
- N2=`expr $N2 + 5500`
- fi
- fi
- echo "$VNCVIEWERCMD" "$@" -listen $N2
- echo ""
- $VNCVIEWERCMD "$@" -listen $N2
- fi
-
- exit $?
- else
- use2=`findfree 5960`
- host0=$host
- port0=$port
- host=$localhost
- port=$use
- use=$use2
- N=`expr $use - 5900`
- if [ "X$getport" != "X" ]; then
- host="$host0"
- port="$port0"
- else
- proxy=""
- fi
- if [ "X$ssh_vencrypt_proxy" != "X" ]; then
- ssh_vencrypt_proxy="vencrypt://$host:$port"
- if [ "X$proxy" = "X" ]; then
- proxy=$ssh_vencrypt_proxy
- else
- proxy="$proxy,$ssh_vencrypt_proxy"
- fi
- Kecho "proxy_now=$proxy"
- unset PPROXY_LISTEN
- fi
- fi
-fi
-
-if [ "X$stunnel_set_here" = "X1" -a "X$showcert" = "X" ]; then
- if type $STUNNEL > /dev/null 2>&1; then
- :
- else
- echo ""
- echo "***************************************************************"
- echo "** Problem finding the Stunnel command '$STUNNEL': **"
- echo ""
- type $STUNNEL
- echo ""
- echo "** Perhaps you need to install the stunnel/stunnel4 package. **"
- echo "***************************************************************"
- echo ""
- sleep 5
- fi
-fi
-
-# create the stunnel config file:
-if [ "X$verify" != "X" ]; then
- if [ -d $verify ]; then
- verify="CApath = $verify"
- else
- verify="CAfile = $verify"
- fi
- verify="$verify
-verify = 2"
-fi
-if [ "X$SSVNC_STUNNEL_VERIFY3" != "X" ]; then
- verify=`echo "$verify" | sed -e 's/verify = 2/verify = 3/'`
-fi
-if [ "X$mycert" != "X" ]; then
- cert="cert = $mycert"
-fi
-if [ "X$crl" != "X" ]; then
- if [ -d $crl ]; then
- crl="CRLpath = $crl"
- else
- crl="CRLfile = $crl"
- fi
-fi
-
-if [ "X$showcert" = "X1" ]; then
- if [ "X$have_uvnc_dsm_helper_showcert" = "X1" ]; then
- :
- elif [ "X$SSVNC_NO_IPV6_PROXY" != "X" ]; then
- :
- elif [ "X$ipv6" = "X1" -a "X$proxy" = "X" ]; then
- proxy="ipv6://$host:$port"
- fi
-fi
-
-if [ "X$direct_connect" != "X" -a "X$STUNNEL_LISTEN" != "X" ]; then
- proxy=reverse_direct
-fi
-
-ptmp=""
-if [ "X$proxy" != "X" ]; then
- ptmp="/tmp/ss_vncviewer${RANDOM}.$$.pl"
- ptmp=`mytmp "$ptmp"`
- PPROXY_REMOVE=1; export PPROXY_REMOVE
- pcode "$ptmp"
- if [ "X$showcert" != "X1" -a "X$direct_connect" = "X" ]; then
- if uname | egrep 'Darwin|SunOS' >/dev/null; then
- vout=`echo "$proxy" | grep -i vencrypt`
- if [ "X$vout" != "X" -a "X$reverse" = "X1" ]; then
- # need to exec for reverse vencrypt
- connect="exec = $ptmp"
- else
- # on mac and solaris we need to listen on socket instead of stdio:
- nd=`findfree 6700`
- PPROXY_LISTEN=$nd
- export PPROXY_LISTEN
- if [ "X$reverse" = "X" ]; then
- $ptmp &
- fi
- sleep 2
- host="$localhost"
- port="$nd"
- connect="connect = $localhost:$nd"
- fi
- else
- # otherwise on unix we can exec it:
- connect="exec = $ptmp"
- fi
- else
- connect="exec = $ptmp"
- fi
-else
- connect="connect = $host:$port"
-fi
-
-# handle showcert case:
-#
-if [ "X$showcert" = "X1" ]; then
- if [ "X$proxy" != "X" ]; then
- PPROXY_LISTEN=$use
- export PPROXY_LISTEN
- if [ "X$SS_DEBUG" != "X" ]; then
- $ptmp &
- else
- $ptmp 2>/dev/null &
- fi
- sleep 1
- more_sleep=1
- if uname | grep Linux > /dev/null; then
- if netstat -ant | grep LISTEN | grep "127.0.0.1:$use" > /dev/null; then
- more_sleep=""
- fi
- elif uname | grep SunOS > /dev/null; then
- if netstat -an -f inet -P tcp | grep LISTEN | grep "127.0.0.1.$use" > /dev/null; then
- more_sleep=""
- fi
- elif uname | egrep -i 'bsd|darwin' > /dev/null; then
- if netstat -ant -f inet | grep LISTEN | grep "127.0.0.1.$use" > /dev/null; then
- more_sleep=""
- fi
- fi
- if [ "X$more_sleep" = "X1" ]; then
- sleep 1
- fi
- host="$localhost"
- port="$use"
- fi
- cipher_args=""
- if [ "X$ciphers" != "X" ]; then
- cipher_args=`echo "$ciphers" | sed -e 's/ciphers=/-cipher /'`
- fi
- if [ "X$have_uvnc_dsm_helper_showcert" = "X1" ]; then
- :
- elif type openssl > /dev/null 2>&1; then
- :
- else
- echo ""
- echo "********************************************************"
- echo "** Problem finding the OpenSSL command 'openssl': **"
- echo ""
- type openssl 2>&1
- echo ""
- echo "** Perhaps you need to install the 'openssl' package. **"
- echo "********************************************************"
- echo ""
- fi
- #echo "openssl s_client $cipher_args -connect $host:$port"
- if [ "X$reverse" = "X" ]; then
- if type host > /dev/null 2>/dev/null; then
- host $host >/dev/null 2>&1
- host $host >/dev/null 2>&1
- fi
- timeout=15
- if [ "X$SSVNC_FETCH_TIMEOUT" != "X" ]; then
- timeout=$SSVNC_FETCH_TIMEOUT
- fi
- if [ "X$have_uvnc_dsm_helper_showcert" = "X1" ]; then
- if type pkill >/dev/null 2>&1; then
- (sleep $timeout; if kill -0 $$; then pkill -TERM -f "ultravnc_dsm_helper.*$host.*$port"; fi) >/dev/null 2>&1 &
- fi
- ultravnc_dsm_helper showcert $host:$port 2>&1
- else
- if type pkill >/dev/null 2>&1; then
- (sleep $timeout; if kill -0 $$; then pkill -TERM -f "openssl.*s_client.*$host.*$port"; fi) >/dev/null 2>&1 &
- fi
- openssl s_client $cipher_args -prexit -connect $host:$port 2>&1 < /dev/null
- fi
- rc=$?
- else
- tcert=""
- if [ "X$mycert" = "X" ]; then
- tcert=`make_tcert`
- cert_args="-cert $tcert -CAfile $tcert"
- else
- cert_args="-cert $mycert -CAfile $mycert"
- fi
- tmp_out=/tmp/showcert_out${RANDOM}.$$
- tmp_out=`mytmp "$tmp_out"`
- tmp_err=/tmp/showcert_err${RANDOM}.$$
- tmp_err=`mytmp "$tmp_err"`
-
- #echo "openssl s_server $cipher_args $cert_args -accept $port -verify 2 > $tmp_out 2> $tmp_err" 1>&2
-
- # assume we have perl:
- check_perl perl
-
- perl -e "
- \$p = open(O, \"|openssl s_server $cipher_args $cert_args -accept $port -verify 2 1>$tmp_out 2> $tmp_err\");
- exit 1 unless \$p;
- while (1) {
- sleep 1;
- if (!open(F, \"<$tmp_out\")) {
- kill \$p;
- exit 1;
- }
- while (<F>) {
- if (/RFB 00/) {
- fsleep(0.25);
- print O \"RFB 000.000\\n\";
- fsleep(1.00);
- kill \$p;
- fsleep(0.25);
- exit 0;
- }
- }
- close F;
- }
- sub fsleep {
- select(undef, undef, undef, shift);
- }
- ";
-
- echo ""
- cat $tmp_out
- echo ""
- echo "----2----"
- cat $tmp_err
- if grep BEGIN.CERTIFICATE $tmp_out >/dev/null; then
- rc=0
- else
- rc=1
- fi
-
- rm -f $tmp_out $tmp_err
- fi
- if [ "X$SSVNC_PREDIGESTED_HANDSHAKE" != "X" ]; then
- rm -f $SSVNC_PREDIGESTED_HANDSHAKE
- fi
- if [ "X$SSVNC_SHOWCERT_EXIT_0" = "X1" ]; then
- exit 0
- else
- exit $rc
- fi
-fi
-
-# handle direct connect case:
-#
-if [ "X$direct_connect" != "X" ]; then
- if [ "X$SSVNC_ULTRA_DSM" != "X" ]; then
- SSVNC_NO_ENC_WARN=1
- echo ""
- echo "Using UltraVNC DSM Plugin key for encryption:"
- echo ""
- ustr=`echo "$SSVNC_ULTRA_DSM" | sed -e 's/pw=[^ ]*/pw=******/g'`
- echo " $ustr PORT HOST:PORT"
- echo ""
- elif [ "X$getport" = "X" ]; then
- echo ""
- echo "Running viewer for direct connection:"
- if echo X"$@" | grep chatonly > /dev/null; then
- :
- else
- echo ""
- echo "** WARNING: THERE WILL BE NO SSL OR SSH ENCRYPTION **"
- echo ""
- fi
- fi
- x=""
- if [ "X$SSVNC_NO_ENC_WARN" != "X" ]; then
- if [ "X$getport" = "X" ]; then
- sleep 1
- fi
- elif type printf > /dev/null 2>&1; then
- printf "Are you sure you want to continue? [y]/n "
- read x
- else
- echo -n "Are you sure you want to continue? [y]/n "
- read x
- fi
- if [ "X$x" = "Xn" ]; then
- exit 1
- fi
- echo ""
- if [ "X$ptmp" != "X" ]; then
- if [ "X$reverse" = "X" ]; then
- PPROXY_LISTEN=$use
- export PPROXY_LISTEN
- else
- if [ "X$proxy" = "Xreverse_direct" ]; then
- PPROXY_LISTEN="$STUNNEL_LISTEN:`expr 5500 + $disp`"
- PPROXY_DEST="$localhost:$use"
- PPROXY_PROXY="ipv6://$localhost:$use" # not always ipv6..
- export PPROXY_LISTEN PPROXY_DEST PPROXY_PROXY
- pps=1
- else
- PPROXY_REVERSE="$localhost:$use"
- export PPROXY_LISTEN
- pps=3
- fi
- if [ "X$SSVNC_LISTEN_ONCE" != "X1" ]; then
- PPROXY_LOOP_THYSELF=`mytmp "/tmp/pproxy_loop_thyself.${RANDOM}.$$"`
- export PPROXY_LOOP_THYSELF
- pps=2
- fi
- if [ "X$SSVNC_EXTRA_SLEEP" != "X" ]; then
- pps=`expr $pps + $SSVNC_EXTRA_SLEEP`
- fi
- PPROXY_SLEEP=$pps; export PPROXY_SLEEP;
- PPROXY_KILLPID=+1; export PPROXY_KILLPID;
- fi
-
- $ptmp &
-
- if [ "X$reverse" = "X" ]; then
- #sleep 2
- #echo T sleep 1
- sleep 1
- fi
- host="$localhost"
- disp="$N"
- port=`expr $disp + 5900`
- fi
- if [ "X$SSVNC_EXTRA_SLEEP" != "X" ]; then
- echo "T sleep $SSVNC_EXTRA_SLEEP"
- sleep $SSVNC_EXTRA_SLEEP
- fi
- if [ "X$reverse" = "X" ]; then
- hostdisp="$host:$disp"
- if [ "X$SSVNC_ULTRA_DSM" != "X" ]; then
- if [ "X$SSVNC_USE_OURS" = "X1" ]; then
- hostdisp="exec=$SSVNC_ULTRA_DSM 0 $host:$port"
- else
- pf=`findfree 5970`
- cmd="$SSVNC_ULTRA_DSM -$pf $host:$port"
- pf=`expr $pf - 5900`
- hostdisp="$localhost:$pf"
- ustr=`echo "$cmd" | sed -e 's/pw=[^ ]*/pw=******/g'`
- echo "Running:"
- echo
- echo "$ustr &"
- echo
- $cmd &
- dsm_pid=$!
- sleep 2
- fi
- fi
- hostdisp2=`echo "$hostdisp" | sed -e 's/pw=[^ ]*/pw=******/g'`
- echo "$VNCVIEWERCMD" "$@" "$hostdisp2"
- trap "final" 0 2 15
- echo ""
- $VNCVIEWERCMD "$@" "$hostdisp"
- if [ $? != 0 ]; then
- echo "vncviewer command failed: $?"
- if [ "X$secondtry" = "X1" ]; then
- sleep 2
- $VNCVIEWERCMD "$@" "$hostdisp"
- fi
- fi
- else
- echo ""
- echo "NOTE: Press Ctrl-C to terminate viewer LISTEN mode."
- echo ""
- trap "final" 0 2 15
- if [ "X$SSVNC_ULTRA_DSM" != "X" ]; then
- if [ "X$SSVNC_LISTEN_ONCE" = "X1" ]; then
- echo "NOTE: The ultravnc_dsm_helper only runs once. So after the first LISTEN"
- echo " ends you must restart the Listening mode. You may also need to"
- echo " Press Ctrl-C to stop the viewer and restart for another connection."
- echo ""
- fi
- #SSVNC_LISTEN_ONCE=1; export SSVNC_LISTEN_ONCE
- VNCVIEWER_LISTEN_LOCALHOST=1
- export VNCVIEWER_LISTEN_LOCALHOST
- dport=`expr 5500 + $disp`
- cmd="$SSVNC_ULTRA_DSM $dport $localhost:$use"
- ustr=`echo "$cmd" | sed -e 's/pw=[^ ]*/pw=******/g'`
- echo "Running:"
- echo
- echo "$ustr &"
- echo
- if [ "X$SSVNC_LISTEN_ONCE" = "X1" ]; then
- $cmd &
- dsm_pid=$!
- else
- while [ 1 ]; do $cmd; sleep 1; done &
- dsm_pid=$!
- fi
- sleep 2
- disp=$use
- if [ $disp -ge 5500 ]; then
- disp=`expr $disp - 5500`
- fi
- fi
- disp2=$disp
- if [ "X$VNCVIEWER_IS_REALVNC4" = "X1" ]; then
- disp2=`echo "$disp2" | sed -e 's/://g'`
- if [ $disp2 -le 200 ]; then
- disp2=`expr $disp2 + 5500`
- fi
- fi
- echo "$VNCVIEWERCMD" "$@" -listen $disp2
- echo ""
- $VNCVIEWERCMD "$@" -listen $disp2
- if [ "X$PPROXY_LOOP_THYSELF" != "X" ]; then
- rm -f $PPROXY_LOOP_THYSELF
- fi
- fi
- exit $?
-fi
-
-tmp_cfg=/tmp/ss_vncviewer${RANDOM}.$$
-tmp_cfg=`mytmp "$tmp_cfg"`
-
-stunnel_exec=""
-if [ "X$SSVNC_USE_OURS" != "X1" ]; then
- :
-elif echo $STUNNEL_EXTRA_SVC_OPTS | grep '#stunnel-exec' > /dev/null; then
- stunnel_exec="#"
-fi
-
-if [ "X$reverse" = "X" ]; then
-
- if echo "$proxy" | grep "^repeater://" > /dev/null; then
- if [ "X$cert" = "XBUILTIN" ]; then
- ttcert=`make_tcert`
- cert="cert = $ttcert"
- fi
- # Note for listen mode, an empty cert will cause stunnel to fail.
- # The ssvnc gui will have already taken care of this.
- fi
-
- cat > "$tmp_cfg" <<END
-foreground = yes
-pid =
-client = yes
-debug = $stunnel_debug
-$ciphers
-$STUNNEL_EXTRA_OPTS
-$STUNNEL_EXTRA_OPTS_USER
-$cert
-$crl
-$verify
-
-${stunnel_exec}[vnc_stunnel]
-${stunnel_exec}accept = $localhost:$use
-$connect
-$STUNNEL_EXTRA_SVC_OPTS
-$STUNNEL_EXTRA_SVC_OPTS_USER
-
-END
-
-else
- # REVERSE case:
-
- stunnel_exec="" # doesn't work for listening.
-
- p2=`expr 5500 + $N`
- connect="connect = $localhost:$p2"
- if [ "X$cert" = "XBUILTIN" ]; then
- ttcert=`make_tcert`
- cert="cert = $ttcert"
- fi
- # Note for listen mode, an empty cert will cause stunnel to fail.
- # The ssvnc gui will have already taken care of this.
-
-
- hloc=""
- if [ "X$use_ssh" = "X1" ]; then
- hloc="$localhost:"
- elif [ "X$STUNNEL_LISTEN" != "X" ]; then
- hloc="$STUNNEL_LISTEN:"
- fi
- if echo "$proxy" | grep -i '^vencrypt:' > /dev/null; then
- hloc="$localhost:"
- pv=`findfree 5570`
- proxy="vencrypt:$pv:$port"
- port=$pv
- if [ "X$anondh_set" = "X1" ]; then
- # not needed for ANONDH in this mode
- #ciphers="ciphers = ADH:@STRENGTH"
- :
- fi
- fi
- cat > "$tmp_cfg" <<END
-foreground = yes
-pid =
-client = no
-debug = $stunnel_debug
-$ciphers
-$STUNNEL_EXTRA_OPTS
-$STUNNEL_EXTRA_OPTS_USER
-$cert
-$crl
-$verify
-
-[vnc_stunnel]
-accept = $hloc$port
-$connect
-$STUNNEL_EXTRA_SVC_OPTS
-$STUNNEL_EXTRA_SVC_OPTS_USER
-
-END
-
-fi
-
-echo ""
-echo "Using this stunnel configuration:"
-echo ""
-cat "$tmp_cfg" | uniq
-echo ""
-if egrep -i '^[ ]*(CApath|CAfile) =' "$tmp_cfg" > /dev/null ; then
- :
-else
- echo "** WARNING: THE STUNNEL CONFIG HAS NO SERVER CERTIFICATE SPECIFIED **"
- echo "** WARNING: (the CApath or CAfile stunnel option) THE VNC SERVER WILL **"
- echo "** WARNING: NOT BE AUTHENTICATED. A MAN-IN-THE-MIDDLE ATTACK IS POSSIBLE **"
- echo ""
-fi
-sleep 1
-
-if [ "X$stunnel_exec" = "X" ]; then
- echo ""
- echo "Running stunnel:"
- echo "$STUNNEL $tmp_cfg"
- st=`echo "$STUNNEL" | awk '{print $1}'`
- $st -help > /dev/null 2>&1
- $STUNNEL "$tmp_cfg" < /dev/tty > /dev/tty &
- stunnel_pid=$!
- echo ""
-
- # pause here to let the user supply a possible passphrase for the
- # mycert key:
- if [ "X$mycert" != "X" ]; then
- nsl=10
- dsl=0
- if [ ! -f $mycert ]; then
- dsl=0
- elif grep -i 'Proc-Type.*ENCRYPTED' "$mycert" > /dev/null 2>/dev/null; then
- dsl=1
- fi
- if [ "X$dsl" = "X1" ]; then
- echo ""
- echo "(** pausing $nsl secs for possible certificate passphrase dialog **)"
- echo ""
- sleep $nsl
- echo "(** done pausing for passphrase **)"
- echo ""
- fi
- fi
- #echo T sleep 1
- sleep 1
- rm -f "$tmp_cfg"
-fi
-
-
-echo ""
-if [ "X$SSVNC_EXTRA_SLEEP" != "X" ]; then
- echo "sleep $SSVNC_EXTRA_SLEEP"
- sleep $SSVNC_EXTRA_SLEEP
-fi
-
-if [ "X$reverse" = "X" ]; then
- if [ "X$NEED_VENCRYPT_VIEWER_BRIDGE" = "X1" -a "X$ptmp" != "X" ] ; then
- port1=`expr 5900 + $N` # stunnel port
- port2=`findfree 5970` # bridge port (viewer connects to it.)
- N=`expr $port2 - 5900`
- env PPROXY_REMOVE=0 PPROXY_SLEEP=0 PPROXY_VENCRYPT_VIEWER_BRIDGE="$port2,$port1" $ptmp &
- sleep 1
- fi
- echo "Running viewer:"
- vnc_hp=$localhost:$N
- if [ "X$stunnel_exec" != "X" ]; then
- vnc_hp="exec=$STUNNEL $tmp_cfg"
- fi
- echo "$VNCVIEWERCMD" "$@" "$vnc_hp"
- trap "final" 0 2 15
- echo ""
- $VNCVIEWERCMD "$@" "$vnc_hp"
- if [ $? != 0 ]; then
- echo "vncviewer command failed: $?"
- if [ "X$secondtry" = "X1" ]; then
- sleep 2
- $VNCVIEWERCMD "$@" "$vnc_hp"
- fi
- fi
-else
- echo "Running viewer:"
- echo ""
- echo "NOTE: Press Ctrl-C to terminate viewer LISTEN mode."
- echo ""
- trap "final" 0 2 15
- N2=$N
- N2_trim=`echo "$N2" | sed -e 's/://g'`
- if [ $N2_trim -le 200 ]; then
- N2_trim=`expr $N2_trim + 5500`
- fi
- if [ "X$proxy" != "X" ]; then
- if echo "$proxy" | grep -i '^vencrypt:' > /dev/null; then
- pstunnel=`echo "$proxy" | awk -F: '{print $2}'`
- plisten=`echo "$proxy" | awk -F: '{print $3}'`
- IF=INADDR_ANY
- if [ "X$STUNNEL_LISTEN" != "X" ]; then
- IF=$STUNNEL_LISTEN
- fi
- PPROXY_VENCRYPT_REVERSE=1; export PPROXY_VENCRYPT_REVERSE
- PPROXY_LISTEN="$IF:$plisten"; export PPROXY_LISTEN
- PPROXY_PROXY="vencrypt://$localhost:$pstunnel"; export PPROXY_PROXY
- PPROXY_DEST="$localhost:$pstunnel"; export PPROXY_DEST
- STUNNEL_ONCE=1; export STUNNEL_ONCE
- STUNNEL_MAX_CLIENTS=1; export STUNNEL_MAX_CLIENTS
- if [ "X$NEED_VENCRYPT_VIEWER_BRIDGE" = "X1" -a "X$ptmp" != "X" ] ; then
- port1=`expr 5500 + $N2`
- port2=`findfree 5580`
- N2=`expr $port2 - 5500`
- N2_trim=`echo "$N2" | sed -e 's/://g'`
- if [ $N2_trim -le 200 ]; then
- N2_trim=`expr $N2_trim + 5500`
- fi
- if [ "X$SSVNC_LISTEN_ONCE" != "X1" ]; then
- PPROXY_LOOP_THYSELF=`mytmp "/tmp/pproxy_loop_thyself1.${RANDOM}.$$"`
- export PPROXY_LOOP_THYSELF
- PPROXY_LOOP_THYSELF0=$PPROXY_LOOP_THYSELF
- fi
- env PPROXY_REMOVE=0 PPROXY_SLEEP=0 PPROXY_VENCRYPT_VIEWER_BRIDGE="-$port1,$port2" $ptmp &
- sleep 1
- fi
- else
- PPROXY_REVERSE="$localhost:$port"; export PPROXY_REVERSE
- PPROXY_SLEEP=1; export PPROXY_SLEEP;
- fi
- PPROXY_KILLPID=+1; export PPROXY_KILLPID;
- if [ "X$SSVNC_LISTEN_ONCE" != "X1" ]; then
- PPROXY_LOOP_THYSELF=`mytmp "/tmp/pproxy_loop_thyself2.${RANDOM}.$$"`
- export PPROXY_LOOP_THYSELF
- fi
- $ptmp &
- # Important to have no extra pids generated between here and VNCVIEWERCMD
- fi
- if [ "X$VNCVIEWER_IS_REALVNC4" = "X1" ]; then
- N2=$N2_trim
- fi
- echo "$VNCVIEWERCMD" "$@" -listen $N2
- echo ""
- $VNCVIEWERCMD "$@" -listen $N2
-
- if [ "X$PPROXY_LOOP_THYSELF" != "X" ]; then
- rm -f $PPROXY_LOOP_THYSELF
- fi
- if [ "X$PPROXY_LOOP_THYSELF0" != "X" ]; then
- rm -f $PPROXY_LOOP_THYSELF0
- fi
-fi
-
-sleep 1
diff --git a/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssvnc.tcl b/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssvnc.tcl
deleted file mode 100755
index fefb143..0000000
--- a/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssvnc.tcl
+++ /dev/null
@@ -1,19041 +0,0 @@
-#!/bin/sh
-# the next line restarts using wish \
-exec wish "$0" "$@"
-
-#
-# Copyright (c) 2006-2010 by Karl J. Runge <runge@karlrunge.com>
-#
-# ssvnc.tcl: gui wrapper to the programs in this
-# package. Also sets up service port forwarding.
-#
-set version 1.0.28
-
-set buck_zero $argv0
-
-proc center_win {w} {
- global is_windows
- update
- set W [winfo screenwidth $w]
- set W [expr $W + 1]
- wm geometry $w +$W+0
- update
- set x [expr [winfo screenwidth $w]/2 - [winfo width $w]/2]
- set y [expr [winfo screenheight $w]/2 - [winfo height $w]/2]
-
- if {$is_windows} {
- set y [expr "$y - 30"]
- if {$y <= 0} {
- set y 1
- }
- }
- wm geometry $w +$x+$y
- wm deiconify $w
- update
-}
-
-proc small_height {} {
- set H [winfo screenheight .]
- if {$H < 700} {
- return 1
- } else {
- return 0
- }
-}
-
-proc mac_raise {} {
- global uname
- if {$uname == "Darwin"} {
- catch {exec /bin/sh -c {osascript -e 'tell application "Wish Shell" to activate' >/dev/null 2>&1 &}}
- after 150
- update
- update idletasks
- }
-}
-
-proc toplev {w} {
- catch {destroy $w}
- toplevel $w
- catch {wm withdraw $w}
-}
-
-proc apply_bg {w} {
- global is_windows system_button_face
- if {$is_windows && $system_button_face != ""} {
- catch {$w configure -bg "$system_button_face"}
- }
-}
-
-proc line_count {{str ""} {pad 0}} {
- set n $pad
- foreach l [split $str "\n"] {
- incr n
- }
- return $n
-}
-
-proc scroll_text {fr {w 80} {h 35}} {
- global help_font is_windows scroll_text_focus
-
- if {$h == 35 && [small_height]} {
- set h 28
- }
- catch {destroy $fr}
-
- frame $fr -bd 0
-
- eval text $fr.t -width $w -height $h $help_font \
- -setgrid 1 -bd 2 -yscrollcommand {"$fr.y set"} -relief ridge
-
- apply_bg $fr.t
-
- scrollbar $fr.y -orient v -relief sunken -command "$fr.t yview"
- pack $fr.y -side right -fill y
- pack $fr.t -side top -fill both -expand 1
-
- if {$scroll_text_focus} {
- focus $fr.t
- }
-}
-
-proc scroll_text_dismiss {fr {w 80} {h 35}} {
- global help_font
-
- if {$h == 35 && [small_height]} {
- set h 28
- }
- scroll_text $fr $w $h
-
- set up $fr
- regsub {\.[^.]*$} $up "" up
-
- button $up.d -text "Dismiss" -command "destroy $up"
- bind $up <Escape> "destroy $up"
- pack $up.d -side bottom -fill x
- pack $fr -side top -fill both -expand 1
-}
-
-proc jiggle_text {w} {
- global uname
- if {$uname == "Darwin"} {
- $w yview scroll 1 pages
- update idletasks
- $w yview scroll -1 pages
- update idletasks
- }
-}
-
-proc ts_help {} {
- toplev .h
-
- scroll_text_dismiss .h.f
-
- center_win .h
- wm title .h "Terminal Services VNC Viewer Help"
-
- set msg {
- Terminal Services:
-
- The Terminal Services VNC Viewer uses SSH to establish an encrypted
- and authenticated connection to the remote server.
-
- Through the SSH channel, it automatically starts x11vnc in terminal
- services mode on the remote server to find or create your desktop
- session. x11vnc is used for both the session management and the
- VNC transport.
-
- You MUST be able to log in via SSH to the remote terminal server.
- Ask your administrator to set this up for you if it isn't already.
- x11vnc must also be installed on the remote server machine.
- See "Requirements" below.
-
- This mode is started by the commands 'tsvnc' or 'ssvnc -ts' or
- toggled by pressing Ctrl-t. "SSVNC Mode" under Options -> Advanced
- will also return to the full SSVNC.
-
- Or in your ~/.ssvncrc (or ~/ssvnc_rc on Windows) put "mode=tsvnc"
- to have the tool always start up in that mode. To constrain the UI,
- run with -tso or SSVNC_TS_ALWAYS set to prevent leaving the Terminal
- Services mode.
-
-
- Hosts and Displays:
-
- Enter the remote VNC Terminal Services hostname in the
- 'VNC Terminal Server' entry.
-
- Examples:
-
- 24.67.132.27
- far-away.east
- fred@someplace.no
-
- Then click on "Connect".
-
- Once the SSH is running (you may need to type a password or accept
- a new ssh key in the terminal window that pops up), the VNC Viewer
- will be automatically started directed to the local port of the SSH
- tunnel which, in turn, encrypts and redirects the connection to the
- remote VNC server.
-
- x11vnc is run remotely to find or create your terminal services desktop
- session. It must be installed and accessible on the remote system.
-
- Enter "user@hostname.com" in 'VNC Terminal Server' if the remote
- username is different from the yours on this machine. On Windows
- you *MUST* supply the remote username due to a deficiency in Plink.
- This entry is passed to SSH; it could also be an SSH alias you have
- created (in ~/.ssh/config).
-
- If the remote SSH server is run on a non-standard port, e.g. 2222, use
- something like one of these:
-
- far-away.east:2222
- fred@someplace.no:2222
-
- (unlike SSVNC mode, the number is the SSH port, not the VNC display)
-
- If you find yourself in the unfortunate circumstance that your ssh
- username has a space in it, use %SPACE (or %TAB) like this:
-
- fred%SPACEflintstone@xyzzy.net
-
-
- Zeroconf/Bonjour:
-
- On Unix or Mac OS X, if the 'avahi-browse' or 'dns-sd' command is
- available on the system and in your PATH, a 'Find' button is placed by
- 'VNC Host:Display'. Clicking on Find will try to find VNC Servers
- on your Local Network that advertize via the Zeroconf protocol.
- A menu of found hosts is presented for you to select from.
-
-
- Profiles:
-
- Use "Save" to save a profile (i.e. a host:display and its specific
- settings) with a name. The "TS-" prefix will be suggested to help
- you distinguish between Terminal Services and regular profiles.
-
- To load in a saved Options profile, click on the "Load" button,
- and choose which one you want.
-
- To list your profiles from the command line use:
-
- tsvnc -profiles (or -list)
-
- To launch profile1 directly from the command-line, or to a server
- use things like:
-
- tsvnc profile1
- tsvnc /path/to/profile1.vnc
- tsvnc hostname
- tsvnc user@hostname
-
- Note that the 'Verify All Certs' setting is NOT saved in profiles.
-
-
- Proxies/Gateways:
-
- Proxy/Gateway is usually a gateway machine to log into via SSH that is
- not the machine running the VNC terminal services. However, Web and
- SOCKS proxies can also be used (see below).
-
- For example if a company had a central login server: "ssh.company.com"
- (accessible from the internet) and the internal server name was
- "ts-server", one could put in
-
- VNC Terminal Server: ts-server
- Proxy/Gateway: ssh.company.com
-
- It is OK if the hostname "ts-server" only resolves inside the firewall.
-
- The 2nd host, ts-server in this example, MUST also be running an SSH
- server and you must be able to log into it. You may need to supply
- a 2nd password to it to login.
-
- Use username@host (e.g. joe@ts-server or jsmith@ssh.company.com)
- if the user name differs between machines.
-
- NOTE: On Windows you MUST always supply the username@ because putty's
- plink requires it.
-
-
- NON-STANDARD SSH PORT: To use a non-standard ssh port (i.e. a port other
- than 22) you need to use the Proxy/Gateways as well. E.g. something
- like this for port 2222:
-
- VNC Terminal Server: ts-server
- Proxy/Gateway: jsmith@ssh.company.com:2222
-
- On Unix/MacOSX the username@ is not needed if it is the same as on this
- machine.
-
-
- A Web or SOCKS proxy can also be used. Use this if you are inside a
- firewall that prohibits direct connections to remote SSH servers.
- In Terminal Services SSH mode, the "http://" prefix is required for
- web proxies.
-
- VNC Terminal Server: fred@someplace.no
- Proxy/Gateway: http://myproxy.west:8080
-
- or for SOCKS:
-
- VNC Terminal Server: fred@someplace.no
- Proxy/Gateway: socks://mysocks.west:1080
-
- use socks5://... to force the SOCKS5 version. For a non-standard
- port the above would be, e.g., fred@someplace.no:2222
-
- As with a username that contains a space, use %SPACE (or %TAB) to
- indicate it in the SSH proxies, e.g. john%SPACEsmith@ssh.company.com
-
- One can also chain proxies and other things. See the section
- "SSH Proxies/Gateways" in the Main SSVNC Help for full details.
-
-
- Options:
-
- Click on Options to get to dialog boxes to:
-
- - Desktop Type (kde, gnome, failsafe, twm...)
- - Desktop Size (Geometry WxH and pixel depth)
- - X Server Type (Xvfb, Xdummy, Xvnc)
- - Enable Printing (CUPS and/or SMB/Windows)
- - Enable Sound (TBD, ESD partially working)
- - File Transfer (Ultra or TightVNC filexfer)
- - View Only (View only client)
- - Change VNC Viewer (Realvnc, ultra, etc...)
- - X11 viewer MacOSX (use bundled X11 vncviewer)
- - Delete Profile... (Delete a saved profile)
-
- - Advanced Options:
-
- - VNC Shared (optional traditional VNC sharing)
- - Multiple Sessions (more than 1 session per server)
- - X Login Greeter (Connect to Login/Greeter Display)
- - Other VNC Server (redirect to 3rd party VNC Server)
- - Use unixpw (optional x11vnc login mode)
- - Client 8bit Color (VNC Viewer requests low color mode)
- - Client-Side Caching (experimental x11vnc speedup)
- - X11VNC Options (set any extra x11vnc options)
- - Extra Sleep (delay a bit before starting viewer)
- - Putty Args (Windows: string for plink/putty cmd)
- - Putty Agent (Windows: launch pageant)
- - Putty Key-Gen (Windows: launch puttygen)
- - SSH Local Protections (a bit of safety on local side)
- - SSH KnownHosts file (to avoid SSH 'localhost' collisions)
- - SSVNC Mode (Return to full SSVNC mode)
-
- - Unix ssvncviewer (set options for supplied Unix viewer)
-
-
- Requirements:
-
- When running this application on Unix/MacOSX the ssh(1) program must
- be installed locally. On Windows a plink/putty binary is included.
-
- On the remote VNC Terminal Services host, x11vnc must be installed
- (0.9.3 or higher), and at least one virtual X server: Xvfb, Xdummy,
- or Xvnc must be available. Xvfb is the most often used one. All of
- these programs must be available in $PATH on the remote server when
- logged in via SSH.
-
- The VNC terminal services administrator can make "x11vnc" be a wrapper
- script that sets everything up correctly and then runs the real x11vnc.
-
-
- Real X servers:
-
- As a *BONUS*, if on the remote host, say a workstation, you have a
- regular X session running on the physical hardware that you are
- ALREADY logged into you can access to that display as well (x11vnc
- will find it).
-
- So this tool can be used as a simple way to launch x11vnc to find
- your real X display on your workstation and connect to it.
-
- The Printing and Sound redirection won't work for this mode however.
- You will need to use the full SSVNC application to attempt that.
-
- If you (mistakenly) have not logged into an X session on the real
- X server on the workstation, a VIRTUAL (Xvfb, etc.) server will be
- created for you (that may or may not be what you want).
-
- The X Login Advanced setting can be used to connect to a X Display
- Manger Greeter login panel (no one is logged in yet). This requires
- sudo(1) privileges on the remote machine.
-
- More Info:
-
- See these links for more information:
-
- http://www.karlrunge.com/x11vnc/#tunnelling
-}
-
- global version
- set msg " SSVNC version: $version\n$msg"
-
- .h.f.t insert end $msg
- jiggle_text .h.f.t
-}
-
-proc help {} {
- global ts_only
- if {$ts_only} {
- ts_help
- return
- }
- toplev .h
-
- set h 37
- if [small_height] {
- set h 26
- }
- scroll_text_dismiss .h.f 82 $h
-
- center_win .h
- wm title .h "SSL/SSH VNC Viewer Help"
-
- global help_main help_prox help_misc help_tips
-
- set help_main {
- Hosts and Displays:
-
- Enter the VNC host and display in the 'VNC Host:Display' entry box.
-
- It is of the form "host:number", where "host" is the hostname of the
- machine running the VNC Server and "number" is the VNC display number;
- it is often "0". Some Examples:
-
- snoopy:0
-
- far-away.east:0
-
- sunray-srv1.west:17
-
- 24.67.132.27:0
-
- Then click on "Connect". When you do the STUNNEL program will be started
- locally to provide you with an outgoing SSL tunnel.
-
- Once the STUNNEL is running, the TightVNC Viewer (Or perhaps Chicken of
- the VNC on Mac OS X, or one you set under Options) will be automatically
- started and directed to the local port of the SSL tunnel which, in turn,
- encrypts and redirects the connection to the remote VNC server.
-
- The remote VNC server **MUST** support an initial SSL/TLS handshake before
- using the VNC protocol (i.e. VNC is tunnelled through the SSL channel
- after it is established). "x11vnc -ssl ..." does this, and any VNC server
- can be made to do this by using, e.g., STUNNEL or socat on the remote side.
- SSVNC also supports VeNCrypt and ANONTLS SSL/TLS VNC servers (see below.)
-
- * Automatic SSH Tunnels are described below.
-
- * The 'No Encryption' / 'None' option provides a direct connection without
- encryption (disable the button with the -enc option, or Options menu.)
- More info in Tip 5.
-
- Port numbers:
-
- If you are using a port less than the default VNC port 5900 (usually
- the VNC display = port - 5900), use the full port number itself, e.g.:
-
- 24.67.132.27:443
-
- Note, however, if the number n after the colon is < 200, then a
- port number 5900 + n is assumed; i.e. n is the VNC display number.
- If you must use a TCP port less than 200, specify a negative value,
- e.g.: 24.67.132.27:-80
-
- For Reverse VNC connections (listening viewer, See Tip 2 and
- Options -> Help), the port mapping is similar, except "listening
- display :0" corresponds to port 5500, :1 to 5501, etc.
- Specify a specific interface, e.g. 192.168.1.1:0 to have stunnel
- listen on that interface only. Listening on IPv6 can also be done, use
- e.g. :::0 or ::1:0 This listening on IPv6 (:::0) works for UN-encrypted
- reverse connections as well (mode 'None').
-
-
- Zeroconf/Bonjour:
-
- On Unix or Mac OS X, if the 'avahi-browse' or 'dns-sd' command is
- available on the system and in your PATH, a 'Find' button is placed by
- 'VNC Host:Display'. Clicking on Find will try to find VNC Servers on
- your Local Network that advertize via the Zeroconf protocol. A menu of
- found hosts is presented for you to select from.
-
-
- VNC Password:
-
- On Unix or MacOSX IF there is a VNC password for the server you can
- enter it in the "VNC Password:" entry box.
-
- This is *REQUIRED* on MacOSX when Chicken of the VNC is used, because
- that viewer does not put up a user password prompt when it learns
- that a password is needed.
-
- On Unix (including MacOSX using the X11 viewer) if you choose not to
- enter the password you will simply be prompted for it in the terminal
- window running TightVNC viewer if one is required.
-
- On Windows TightVNC viewer will prompt you if a password is required.
-
- NOTE: when you Save a VNC profile, the password is NOT saved (you need
- to enter it each time). Nor is the 'Verify All Certs' setting.
-
-
- Profiles:
-
- Use "Save" to save a profile (i.e. a host:display and its specific
- settings) with a name.
-
- To load in a saved Options profile, click on the "Load" button.
-
- To list your profiles from the command line use:
-
- ssvnc -profiles (or -list)
-
- You can launch ssvnc and have it immediately connect to the server
- by invoking it something like this:
-
- ssvnc profile1 (launches profile named "profile1")
- ssvnc /path/to/profile.vnc (loads the profile file, no launching)
- ssvnc hostname:0 (connect to hostname VNC disp 0 via SSL)
- ssvnc vnc+ssl://hostname:0 (same)
- ssvnc vnc+ssh://hostname:0 (connect to hostname VNC disp 0 via SSH)
-
- see the Tips 5 and 7 for more about the URL-like syntax.
-
- If you don't want "ssvnc profile1" to immediately launch the connection
- to the VNC server set the SSVNC_PROFILE_LOADONLY env. var. to 1.
- (or specify the full path to the profile.vnc as shown above.)
-
-
- SSL Certificate Verification:
-
- *** IMPORTANT ***: If you do not take the steps to VERIFY the VNC Server's
- SSL Certificate, you are in principle vulnerable to a Man-In-The-Middle
- attack. Without SSL Certificate verification, only passive network
- sniffing attacks will be guaranteed to be prevented. There are hacker
- tools like dsniff/webmitm and cain that implement SSL Man-In-The-Middle
- attacks. They rely on the client user not bothering to check the cert.
-
- Some people may be confused by the above because they are familiar with
- their Web Browser using SSL (i.e. https://... websites) and those sites
- are authenticated securely without the user's need to verify anything
- manually. The reason why this happens automatically is because 1) their
- web browser comes with a bundle of Certificate Authority certificates
- and 2) the https sites have paid money to the Certificate Authorities to
- have their website certificate signed by them. When using SSL in VNC we
- normally do not do something this sophisticated, and so we have to verify
- the certificates manually. However, it is possible to use Certificate
- Authorities with SSVNC; that method is described below.
-
- You can use the "Fetch Cert" button to retrieve the Cert and then
- after you check it is OK (say, via comparing the MD5 or other info)
- you can "Save" it and use it to verify future connections to servers.
- (However, see the note at the end of this section about CA certificates.)
-
- When "Verify All Certs" is checked, this check is always enforced,
- and so the first time you connect to a new server you may need to
- follow a few dialogs to inspect and save the server certificate.
- See the "Certs... -> Help" for information on how to manage certificates.
-
- "Verify All Certs" is on by default.
-
- Note, however, "Fetch Cert" and "Verify All Certs" are currently disabled
- in the very rare "SSH + SSL" usage mode to avoid SSHing in twice.
- You can manually set a ServerCert or CertsDir in this case if you like.
-
-
- Advanced Method: Certificate Authority (CA):
-
- If you, or your site administrator, goes though the steps of setting up
- a Certificate Authority (CA) to sign the VNC server and/or VNC client
- Certs, that can be used instead and avoids the need to manually verify
- every cert while still authenticating every connection. More info:
- http://www.karlrunge.com/x11vnc/faq.html#faq-ssl-ca
-
- See the cmdline option -cacert file below in 'SSL Certificates'
- for setting a default ServerCert/CA Cert.
-
- You may also Import the CA Cert and save it to the 'Accepted Certs'
- directory so the "Verify All Certs" automatic checking will find it.
-
- Note that if a Server is using a CA signed certificate instead of
- its own Self-Signed one, then the default "Verify All Certs/Fetch Cert"
- saving mechanism will NOT succeed. You must obtain the CA certificate
- and explicitly set it as the ServerCert or Import it to Accepted Certs.
-
-
- SSL/TLS Variants; VeNCrypt and ANONTLS:
-
- SSVNC can also connect to VNC SSL/TLS variants; namely the VeNCrypt and
- "TLS" VNC Security types. Vino uses the latter (we call it "ANONTLS");
- and a growing number use VeNCrypt (QEMU, ggi, virt-manager, VeNCrypt, Xen.)
-
- Via the VeNCrypt bridge that SSVNC provides, the VeNCrypt/ANONTLS
- support ALSO works with ANY 3rd party VNC Viewers you specify via
- 'Change VNC Viewer' (e.g. RealVNC, TightVNC, UltraVNC, etc.) that do
- not directly support VeNCrypt or ANONTLS. This works on all platforms:
- Unix, MacOSX, and Windows.
-
-
- Notes on VeNCrypt/ANONTLS Auto-detection:
-
- IMPORTANT: VeNCrypt Server Auto-detection *ONLY* occurs in SSL mode
- and when an initial fetch-cert action takes place.
-
- While the initial certificate fetch is taking place SSVNC applies
- heuristics to try to automatically detect the VeNCrypt or ANONTLS
- protocol use by the VNC server. This way it learns that the server
- is using it and then knows to switch to VeNCrypt encrypted SSL/TLS at
- the right point. Then SSVNC makes a second (the real) connection to
- VNC server and connects the VNC viewer to it.
-
- In the default "Verify All Certs" mode, a fetch cert action always
- takes place, and so VeNCrypt/ANONTLS will be autodected.
-
- However, if you have specified an explicit ServerCert or disabled
- "Verify All Certs" then even though the initial fetch cert action is no
- longer needed, it is performed anyway because it allows VeNCrypt/ANONTLS
- auto-detection.
-
- To disabled this initial fetch (e.g. you know the VNC server is normal
- SSL and not VeNCrypt/ANONTLS and want to connect more quickly) then
- select "Do not Probe for VeNCrypt" in the Advanced Options menu.
-
- On the other hand, if you know the VNC server ONLY supports VeNCrypt or
- ANONTLS, to improve the accuracy and speed with which the connection
- takes place, you can specify the one or both of the 'Server uses
- VeNCrypt SSL encryption' and 'Server uses Anonymous Diffie-Hellman'
- in the 'Advanced' options panel. That way guessing via an initial
- probe is not needed or performed. See each options's Advanced Options
- Help for more info.
-
- Note that if you are using VeNCrypt or ANONTLS for REVERSE connections
- (Listen) then you *MUST* set the 'Server uses VeNCrypt SSL encryption'
- (and the ANON-DH if it applies) option in Advanced. Note also that
- REVERSE VeNCrypt and ANONTLS connections currently do not work on
- Windows.
-
- Also, if you are using the "Use SSH+SSL" double tunnel, you MUST set
- 'Server uses VeNCrypt SSL encryption' (and the ANON-DH if it applies)
- because the initial fetch cert is disabled in SSH+SSL mode.
-
-
- Deciphering SSL Negotiation Success or Failure:
-
- Since SSVNC is a "glue program", in this case gluing VNCViewer and stunnel
- together (with possibly a proxy helper) reporting is clumsy at best.
- (In SSH encryption mode, it glues to ssh instead of stunnel.) In most
- cases the programs being "glued" are run in a terminal window where you
- can see the program's output. On Windows you will need to double click
- on the stunnel tray icon to view its log.
-
- Although the output is quite cryptic, you are encouraged to learn to
- recognize some of the errors reported in it.
-
- Here is stunnel output for a case of successfully verifying the VNC
- Server's Certificate:
-
- 2008.11.20 08:09:39 LOG5[1472]: VERIFY OK: depth=0, /C=AU/L=...
- 2008.11.20 08:09:39 LOG6[1472]: SSL connected: new session negotiated
- 2008.11.20 08:09:39 LOG6[1472]: Negotiated ciphers: AES256-SHA SSLv3 ...
-
- Here is a case where the Server's Cert did not match the ServerCert
- we set:
-
- 2008.11.20 08:12:31 LOG4[1662]: VERIFY ERROR: depth=0, error=self ...
- 2008.11.20 08:12:31 LOG3[1662]: SSL_connect: 14090086: error:14090086:SSL
- routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
-
- Here is a case where the Server's Cert has expired:
-
- 2009.12.27 12:20:25 LOG4[25500]: VERIFY ERROR: depth=0, error=certificate
- has expired: /C=AU/L=...
- 2009.12.27 12:20:25 LOG3[25500]: SSL_connect: 14090086: error:14090086:SSL
- routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
-
-
- If you disable "Verify All Certs" and do not supply a ServerCert,
- then there will be no 'VERIFY ...' in the output because the SSVNC
- stunnel accepts the server's cert without question (this is insecure.)
-
- Also in the output will be messages about whether the SSL VNC server
- rejected your connection because it requires you to authenticate
- yourself with a certificate (MyCert). Here is the case when you
- supplied no MyCert:
-
- 2008.11.20 08:16:29 LOG3[1746]: SSL_connect: 14094410: error:14094410:
- SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
-
- or you used a certificate the server did not recognize:
-
- 2008.11.20 08:18:46 LOG3[1782]: SSL_connect: 14094412: error:14094412:
- SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
-
- or your certificate has been revoked:
-
- 2008.11.20 08:20:08 LOG3[1913]: SSL_connect: 14094414: error:14094414:
- SSL routines:SSL3_READ_BYTES:sslv3 alert certificate revoked
-
-
- SSH:
-
- Click on "Use SSH" if you want to use an *SSH* tunnel instead of SSL
- (then the VNC Server does not need to speak SSL or use STUNNEL or socat).
-
- You will need to be able to login to your account on the remote host
- via SSH (e.g. via password, ssh keys, or ssh-agent).
-
- Specify the SSH hostname and VNC display in the VNC Host:Display entry.
- Use something like:
-
- username@far-away.east:0
-
- if your remote username is different from the one on the local viewer
- machine.
-
- On Windows you *MUST* supply the "username@" part because Putty/Plink
- needs it to work correctly.
-
- "SSH + SSL" is similar but its use is more rare because it requires 2
- encrypted tunnels to reach the VNC server. See the Help under Options
- for more info.
-
- To connect to a non-standard SSH port, see SSH Proxies/Gateways section.
-
- See Tip 8) for how to make this application be SSH-only with the -ssh
- command line option or "sshvnc".
-
- If you find yourself in the unfortunate circumstance that your ssh
- username has a space in it, use %SPACE (or %TAB) like this:
-
- fred%SPACEflintstone@xyzzy.net:0
-
- Remote SSH Command:
-
- In SSH or SSH + SSL mode you can also specify a remote command to run
- on the remote ssh host in the "Remote SSH Command" entry. The default
- is just to sleep a bit (e.g. sleep 15) to make sure the tunnel ports
- are established. Alternatively you could have the remote command start
- the VNC server, e.g.
-
- x11vnc -display :0 -rfbport 5900 -localhost -nopw
-
- When starting the VNC server this way, note that sometimes you will need
- to correlate the VNC Display number with the "-rfbport" (or similar)
- option of the server. E.g. for VNC display :2
-
- VNC Host:Display username@somehost.com:2
- Remote SSH Command: x11vnc -find -rfbport 5902 -nopw
-
- See the Tip 18) for using x11vnc PORT=NNNN feature (or vncserver(1)
- output) to not need to specify the VNC display number or the x11vnc
- -rfbport option.
-
- Windows SSH SERVER: if you are ssh'ing INTO Windows (e.g. CYGWIN SSHD
- server) there may be no "sleep" command so put in something like
- "ping localhost" or "ping -n 10 -w 1000 localhost" to set a short
- delay to let the tunnel ports get established.
-
-
- SSL Certificates:
-
- If you want to use a SSL Certificate (PEM) file to authenticate YOURSELF to
- the VNC server ("MyCert") and/or to verify the identity of the VNC Server
- ("ServerCert" or "CertsDir") select the certificate file by clicking the
- "Certs ..." button before connecting.
-
- Certificate verification is needed to prevent Man-In-The-Middle attacks;
- if it is not done then only passive network sniffing attacks are prevented.
- There are hacker tools like dsniff/webmitm and cain that implement SSL
- Man-In-The-Middle attacks. They rely on the client user not bothering to
- check the cert.
-
-
- See the x11vnc documentation:
-
- http://www.karlrunge.com/x11vnc/ssl.html
-
- for how to create and use PEM SSL certificate files. An easy way is:
-
- x11vnc -ssl SAVE ...
-
- where it will print out its automatically generated certificate to the
- screen and that can be copied safely to the viewer side.
-
- You can also use the "Create Certificate" feature of this program under
- "Certs ...". Just click on it and follow the instructions in the dialog.
- Then copy the cert file to the VNC Server and specify the other one in
- the "Certs ..." dialog.
-
- Alternatively you can use the "Import Certificate" action to paste in a
- certificate or read one in from a file. Or you can use the "Fetch Cert"
- button on the main panel. If "Verify All Certs" is checked, you will
- be forced to check Certs of any new servers the first time you connect.
-
- Note that "Verify All Certs" is on by default so that users who do not
- understand the SSL Man-In-The-Middle problem will not be left completely
- vulnerable to it (everyone still must make the effort to verify new
- certificates by an external method to be completely safe).
-
- To have "Verify All Certs" toggled off at startup, use "ssvnc -nv" or
- set SSVNC_NO_VERIFY_ALL=1 before starting. If you do not even want to
- see the button, use "ssvnc -nvb" or SSVNC_NO_VERIFY_ALL_BUTTON=1.
-
- Use the "-mycert file" option (same as "-cert file") to set a default
- MyCert. This is the same as "mycert=file" (also "cert=file") in the
- ~/.ssvncrc file. See Certs -> Help for more info.
-
- Use the "-cacert file" option (same as "-ca file") to set a default
- ServerCert (or CA). This is the same as "cacert=file" (also "ca=file")
- in the ~/.ssvncrc file. See Certs -> Help for more info.
-
- Use the "-crl file" option to set a default CRL File. This is the same
- as "crl=file" in the ~/.ssvncrc file. See Certs -> Help for more info.
-
- Prefix any of these files with "FORCE:" to make them immutable.
-
-
-
- More Options:
-
- To set other Options, e.g. for View-Only usage or to limit the number
- of colors used, click on the "Options ..." button and read the Help there.
-
- More Info:
-
- Press the 'Proxies', 'Misc', and 'Tips' buttons below.
-
- See also these links for more information:
-
- http://www.karlrunge.com/x11vnc/faq.html#faq-ssl-tunnel-ext
- http://stunnel.mirt.net
- http://www.tightvnc.com
-}
-
- set help_misc {
- Windows STUNNEL problems:
-
- Note that on Windows when the Viewer connection is finished by default
- SSVNC will try to kill the STUNNEL process for you.
-
- If Options -> Kill Stunnel Automatically is not set you will be
- prompted if you want SSVNC to try to kill the STUNNEL process for you.
- Usually you will say Yes, however if there are problems connecting
- you may want to look at the STUNNEL Log first.
-
- Before it is killed, double clicking the STUNNEL tray icon (dark green)
- will show you its Log file (useful for debugging connection problems).
-
- Even though SSVNC will kill the STUNNEL process for you, you will
- still need to move the mouse over the icon to make the little picture
- go away!!! This is unfortunate but there does not seem to be a way
- to avoid it.
-
- In some cases you may need to terminate STUNNEL manually from the System
- Tray (right click on dark green icon) and selecting "Exit".
-
- Use -nokillstunnel or killstunnel=0 in ~/.ssvncrc to have SSVNC
- start up with stunnel killing disabled.
-
- Untrusted Local Users:
-
- *IMPORTANT WARNING*: If you run SSVNC on a workstation or computer
- that other users can log into and you DO NOT TRUST these users
- (it is a shame but sometimes one has to work in an environment like
- this), then please note the following warning.
-
- By 'do not trust' we mean they might try to gain access to remote
- machines you connect to via SSVNC. Note that an untrusted local
- user can often obtain root access in a short amount of time; if a
- user has achieved that, then all bets are off for ANYTHING that you
- do on the workstation. It is best to get rid of Untrusted Local
- Users as soon as possible.
-
- Both the SSL and SSH tunnels set up by SSVNC listen on certain ports
- on the 'localhost' address and redirect TCP connections to the remote
- machine; usually the VNC server running there (but it could also be
- another service, e.g. CUPS printing). These are the stunnel(8) SSL
- redirection and the ssh(1) '-L' port redirection. Because 'localhost'
- is used only users or programs on the same workstation that is
- running SSVNC can connect to these ports, however this includes any
- local users (not just the user running SSVNC.)
-
- If the untrusted local user tries to connect to these ports, he may
- succeed by varying degrees to gain access to the remote machine.
- We now list some safeguards one can put in place to try to make this
- more difficult to achieve.
-
- It probably pays to have the VNC server require a password, even
- though there has already been SSL or SSH authentication (via
- certificates or passwords). In general if the VNC Server requires
- SSL authentication of the viewer that helps, unless the untrusted
- local user has gained access to your SSVNC certificate keys.
-
- If the VNC server is configured to only allow one viewer connection
- at a time, then the window of opportunity that the untrusted local
- user can use is greatly reduced: he might only have a second or two
- between the tunnel being set up and the SSVNC vncviewer connecting
- to it (i.e. if the VNC server only allows a single connection, the
- untrusted local user cannot connect once your session is established).
- Similarly, when you disconnect the tunnel is torn down quickly and
- there is little or no window of opportunity to connect (e.g. x11vnc
- in its default mode exits after the first client disconnects).
-
- Also for SSL tunnelling with stunnel(8) on Unix using one of the SSVNC
- prebuilt 'bundles', a patched stunnel is provided that denies all
- connections after the first one, and exits when the first one closes.
- This is not true if the system installed stunnel(8) is used and is
- not true when using SSVNC on Windows.
-
- The following are experimental features that are added to SSVNC to
- improve the situation for the SSL/stunnel and SSH cases. Set them
- via Options -> Advanced -> "STUNNEL Local Port Protections" or
- "SSH Local Port Protections".
-
- STUNNEL:
-
- 1) For SSL tunnelling with stunnel(8) on Unix there is a setting
- 'Use stunnel EXEC mode' that will try to exec(2) stunnel
- instead of using a listening socket. This will require using
- the specially modified vncviewer unix viewer provided by SSVNC.
- The mode works well and is currently set as the default.
- Disable it if it causes problems or conflicts.
-
- 2) For SSL tunnelling with stunnel(8) on Unix there is a setting
- 'Use stunnel IDENT check' (experimental) to limit socket
- connections to be from you (this assumes the untrusted local
- user has not become root on your workstation and has modified
- your local IDENT check service; if he has you have much bigger
- problems to worry about...)
-
- Neither of the above methods are available on Windows.
-
- SSH:
-
- 1) There is also a simple LD_PRELOAD trick for SSH to limit the
- number of accepted port redirection connections. This makes the
- window of time the untrusted local user can connect to the tunnel
- much smaller. Enable it via Options -> Advanced -> "SSH Local
- Port Protections". You will need to have the lim_accept.so file
- in your SSVNC package. The mode works well and is currently set
- as the default. Disable it if it causes problems or conflicts.
-
- The above method is not available on Windows.
-
- The main message is to 'Watch your Back' when you connect via the
- SSVNC tunnels and there are users you don't trust on your workstation.
- The same applies to ANY use of SSH '-L' port redirections or outgoing
- stunnel SSL redirection services.
-}
-
- set help_prox {
- Here are a number of long sections on all sorts of proxies, Web, SOCKS,
- SSH tunnels/gateways, UltraVNC, Single Click, etc., etc.
-
-
- Proxies/Gateways:
-
- If an intermediate proxy is needed to make the SSL connection
- (e.g. a web gateway out of a firewall) enter it in the "Proxy/Gateway"
- entry box:
-
- VNC Host-Display: host:number
- Proxy/Gateway: proxy-host:port
- e.g.:
- VNC Host-Display: far-away.east:0
- Proxy/Gateway: myproxy.west:8080
-
-
- If the "double proxy" case is required (e.g. coming out of a web
- proxied firewall environment and then INTO a 2nd proxy to ultimately
- reach the VNC server), separate them via a comma, e.g.:
-
- VNC Host-Display: far-away:0
- Proxy/Gateway: myproxy.west:8080,myhome.net:443
-
- So it goes: viewer -> myproxy.west -> myhome.net -> far-away (VNC)
-
- The proxies are assumed to be Web proxies. To use SOCKS proxies:
-
- VNC Host-Display: far-away.east:0
- Proxy/Gateway: socks://mysocks.west:1080
-
- Use socks5:// to force the SOCKS5 proxy protocol (e.g. for ssh -D).
-
- You can prefix web proxies with http:// in SSL mode but it doesn't matter
- since that is the default for a proxy. (NOTE that in SSH or SSH+SSL
- mode you MUST supply the http:// prefix for web proxies because in those
- modes an SSH tunnel is the default proxy type: see the next section.)
-
- Note that Web proxies are often configured to ONLY allow outgoing
- connections to ports 443 (HTTPS) and 563 (SNEWS), so you might
- have run the VNC server (or router port redirector) on those ports.
- SOCKS proxies usually have no restrictions on port number.
-
- You can chain up to 3 proxies (any combination of web (http://) and
- socks://) by separating them with commas (i.e. first,second,third).
-
- Proxies also work for un-encrypted connections ("None" or vnc://, Tip 5)
-
- See the ss_vncviewer description and x11vnc FAQ for info on proxies:
-
- http://www.karlrunge.com/x11vnc/faq.html#ss_vncviewer
- http://www.karlrunge.com/x11vnc/faq.html#faq-ssl-java-viewer-proxy
-
-
- SSH Proxies/Gateways:
-
- Proxy/Gateway also applies to SSH mode, it is a usually a gateway SSH
- machine to log into via ssh that is not the workstation running the
- VNC server. However, Web and SOCKS proxies can also be used (see below).
-
- For example if a company had a central login server: "ssh.company.com"
- (accessible from the internet) and the internal workstation with VNC was
- named "joes-pc", then to create an SSH tunnel one could put this in:
-
- VNC Host:Display: joes-pc:0
- Proxy/Gateway: ssh.company.com
-
- It is OK if the hostname "joes-pc" only resolves inside the firewall.
-
- The 2nd leg, from ssh.company.com -> joes-pc is done by a ssh -L
- redir and is not encrypted (but the viewer -> ssh.company.com 1st leg is
- an encrypted tunnel).
-
- To SSH encrypt BOTH legs, try the "double SSH gateway" method using
- the "comma" notation:
-
- VNC Host:Display: localhost:0
- Proxy/Gateway: ssh.company.com,joes-pc
-
- this requires an SSH server also running on joes-pc. So an initial SSH
- login is done to ssh.company.com, then a 2nd SSH is performed (through
- port a redirection of the first) to login straight to joes-pc where
- the VNC server is running.
-
- Use username@host (e.g. joe@joes-pc jsmith@ssh.company.com) if the
- user names differ between the various machines.
-
- NOTE: On Windows you MUST always supply the username@ because putty's
- plink requires it.
-
-
- NON-STANDARD SSH PORT: To use a non-standard ssh port (i.e. a port other
- than 22) you need to use the Proxy/Gateways as well. E.g. something
- like this for port 2222:
-
- VNC Host:Display: localhost:0
- Proxy/Gateway: joe@far-away.east:2222
-
- On Unix/MacOSX the username@ is not needed if it is the same as on
- the client. This will also work going to a different internal machine,
- e.g. "joes-pc:0" instead of "localhost:0", as in the first example.
-
-
- A Web or SOCKS proxy can also be used with SSH. Use this if you are
- inside a firewall that prohibits direct connections to remote SSH servers.
-
- VNC Host:Display: joe@far-away.east:0
- Proxy/Gateway: http://myproxy.west:8080
-
- or for SOCKS:
-
- VNC Host:Display: joe@far-away.east:0
- Proxy/Gateway: socks://mysocks.west:1080
-
- Use socks5://... to force the SOCKS5 version. Note that the http://
- prefix is REQUIRED for web proxies in SSH or SSH+SSL modes (but it is
- the default proxy type in SSL mode.)
-
- You can chain up to 3 proxies (any combination of http://, socks://
- and ssh) by separating them with commas (i.e. first,second,third).
-
- Note: the Web and/or SOCKS proxies must come before any SSH gateways.
-
- For a non-standard SSH port and a Web or SOCKS proxy try:
-
- VNC Host:Display: localhost:0
- Proxy/Gateway: http://myproxy.west:8080,joe@far-away.east:2222
-
- Even the "double SSH gateway" method (2 SSH encrypted legs) described
- above works with an initial Web or SOCKS proxy, e.g.:
-
- VNC Host:Display: localhost:0
- Proxy/Gateway: socks://mysocks.west:1080,ssh.company.com,joes-pc
-
-
-
- Some Notes on SSH localhost tunnelling with SSH options
- NoHostAuthenticationForLocalhost=yes and UserKnownHostsFile=file:
-
- Warning: Note that for proxy use with ssh(1), tunnels going through
- 'localhost' are used. This means ssh(1) thinks the remote hostname is
- 'localhost', which may cause collisions and confusion when storing
- and checking SSH keys.
-
- By default on Unix when a 'localhost' ssh host is involved the
- ssh option -o NoHostAuthenticationForLocalhost=yes is applied (see
- ssh_config(1) for details.) This avoids the warnings and ssh refusing
- to connect, but it reduces security. A man in the middle attack may
- be possible. SSVNC prints out a warning in the terminal every time
- the NoHostAuthenticationForLocalhost option is used.
-
- On Unix to disable the use of NoHostAuthenticationForLocalhost set the env.
- variable SSVNC_SSH_LOCALHOST_AUTH=1. This may induce extra ssh(1) dialogs.
-
- On Unix a MUCH SAFER and more convenient way to proceed is to set the
- known hosts option in Options -> Advanced -> 'Private SSH KnownHosts file'
- Then, only for the host in the current profile, a private known_hosts
- file will be used and so there will be no 'localhost' collisions.
- This method is secure (assuming you verify the SSH key fingerprint)
- and avoids the man in the middle attack.
-
- On Windows, Putty/Plink is used and does not have the UserKnownHosts
- or NoHostAuthenticationForLocalhost features. Keys are stored in
- the registry as localhost:port pairs and so it is possible to use the
- 'Port Slot' option to keep the keys separate to avoid the dialogs and
- also maintain good security.
-
- Note that for the "double SSH gateway" method the risk from using
- NoHostAuthenticationForLocalhost is significantly less because the first
- ssh connection does not use the option (it connects directly to the remote
- host) and the second one is only exposed for the leg inside the first
- gateway (but is still vulnerable there when NoHostAuthenticationForLocalhost
- is used.)
-
- As with a username that contains a space, use %SPACE (or %TAB) to
- indicate it in the SSH proxies, e.g. john%SPACEsmith@ssh.company.com
-
- UltraVNC Proxies/Gateways:
-
- UltraVNC has a "repeater" tool (http://www.uvnc.com/addons/repeater.html
- and http://koti.mbnet.fi/jtko/) that acts as a VNC proxy. SSVNC can
- work with both mode I and mode II schemes of this repeater.
-
- For Unix and MacOS X there is another re-implementation of the
- UltraVNC repeater:
-
- http://www.karlrunge.com/x11vnc/ultravnc_repeater.pl
-
- So one does not need to run the repeater on a Windows machine.
-
- Note that even though the UltraVNC repeater tool is NOT SSL enabled,
- it can nevertheless act as a proxy for SSVNC SSL connections.
- This is because, just as with a Web proxy, the proxy negotiations
- occur before the SSL traffic starts. (There is a separate UltraVNC
- tool, repeater_SSL.exe, that is SSL enabled and is discussed below.)
-
- Note: it seems only SSL SSVNC connections make sense with the
- UltraVNC repeater. SSH connections (previous section) do not seem to
- and so are not enabled to (let us know if you find a way to use it.)
-
- Unencrypted (aka Direct) SSVNC VNC connections (Vnc:// prefix in
- 'VNC Host:Display'; see Tip 5) also work with the UltraVNC repeater.
-
- MODE I REPEATER:
-
- For the mode I UltraVNC repeater the Viewer initiates the connection
- and passes a string that is the VNC server's IP address (or hostname)
- and port or display to the repeater (the repeater then makes the
- connection to the server host and then exchanges data back and forth.)
- To do this in SSVNC:
-
- VNC Host:Display: :0
- Proxy/Gateway: repeater://myuvncrep.west:5900+joes-pc:1
-
- Where "myuvncrep.west" is running the UltraVNC repeater and
- "joes-pc:1" is the VNC server the repeater will connect us to.
-
- Note here that the VNC Host:Display can be anything because it is
- not used; we choose :0. You cannot leave VNC Host:Display empty.
-
- The Proxy/Gateway format is repeater://proxy:port+vncserver:display.
- The string after the "+" sign is passed to the repeater server for
- it to interpret (and so does not have to be the UltraVNC repeater;
- you could create your own if you wanted to.) For this example,
- instead of joes-pc:1 it could be joes-pc:5901 or 192.168.1.4:1,
- 192.168.1.4:5901, etc.
-
- If you do not supply a proxy port, then the default 5900 is assumed,
- e.g. use repeater://myuvncrep.west+joes-pc:1 for port 5900 on
- myuvncrep.west then connecting to port 5901 on joes-pc.
-
- X11VNC: For mode I operation the VNC server x11vnc simply runs as
- a normal SSL/VNC server:
-
- x11vnc -ssl SAVE
-
- because the repeater will connect to it as a VNC client would.
- For mode II operation additional options are needed (see below.)
-
-
- MODE II REPEATER:
-
- For the mode II repeater both the VNC viewer and VNC server initiate
- TCP connections to the repeater proxy. In this case they pass a string
- that identifies their mutual connection via "ID:NNNN", for example:
-
- VNC Host:Display: :0
- Proxy/Gateway: repeater://myuvncrep.west:5900+ID:2345
-
- again, the default proxy port is 5900 if not supplied. And we need
- to supply a placeholder display ":0".
-
- The fact that BOTH the VNC viewer and VNC server initiate outgoing
- TCP connections to the repeater makes some things tricky, especially
- for the SSL aspect. In SSL one side takes the 'client' role and
- the other side must take the 'server' role. These roles must be
- coordinated correctly or otherwise the SSL handshake will fail.
-
- We now describe two scenarios: 1) SSVNC in Listening mode with STUNNEL
- in 'SSL server' role; and 2) SSVNC in Forward mode with STUNNEL in
- 'SSL client' role. For both cases we show how the corresponding
- VNC server x11vnc would be run.
-
- SSVNC Listening mode / STUNNEL 'SSL server' role:
-
- By default, when using SSL over a reverse connection the x11vnc VNC
- server will take the 'SSL client' role. This way it can connect to a
- standard STUNNEL (SSL server) redirecting connections to a VNC viewer
- in Listen mode. This is how SSVNC with SSL is normally intended to
- be used for reverse connections (i.e. without the UltraVNC Repeater.)
-
- To do it this way with the mode II UltraVNC Repeater; you set
- Options -> Reverse VNC Connection, i.e. a "Listening Connection".
- You should disable 'Verify All Certs' unless you have already
- saved the VNC Server's certificate to Accepted Certs. Or you can
- set ServerCert to the saved certificate. Then click 'Listen'.
- In this case an outgoing connection is made to the UltraVNC
- repeater, but everything else is as for a Reverse connection.
-
- Note that in Listening SSL mode you must supply a MyCert or use the
- "listen.pem" one you are prompted by SSVNC to create.
-
- X11VNC command:
-
- x11vnc -ssl -connect_or_exit repeater://myuvncrep.west+ID:2345
-
-
- SSVNC Forward mode / STUNNEL 'SSL client' role:
-
- x11vnc 0.9.10 and later can act in the 'SSL server' role for Reverse
- connections (i.e. as it does for forward connections.) Set these
- x11vnc options: '-env X11VNC_DISABLE_SSL_CLIENT_MODE=1 -sslonly'
-
- The -sslonly option is to prevent x11vnc from thinking the delay in
- connection implies VeNCrypt instead of VNC over SSL. With x11vnc
- in X11VNC_DISABLE_SSL_CLIENT_MODE mode, you can then have SSVNC make
- a regular forward connection to the UltraVNC repeater.
-
- Note that SSVNC may attempt to do a 'Fetch Cert' action in forward
- connection mode to either retrieve the certificate or probe for
- VeNCrypt and/or ANONDH. After that 'Fetch Cert' is done the
- connection to the UltraVNC repeater will be dropped. This is a
- problem for the subsequent real VNC connection. You can disable
- 'Verify All Certs' AND also set 'Do not Probe for VeNCrypt'
- to avoid the 'Fetch Cert' action. Or, perhaps better, add to
- x11vnc command line '-connect_or_exit repeater://... -loop300,2'
- (in addition to the options in the previous paragraphs.) That way
- x11vnc will reconnect once to the Repeater after the 'Fetch Cert'
- action. Then things should act pretty much as a normal forward
- SSL connection.
-
- X11VNC 0.9.10 command (split into two lines):
-
- x11vnc -ssl -connect_or_exit repeater://myuvncrep.west+ID:2345 \
- -env X11VNC_DISABLE_SSL_CLIENT_MODE=1 -loop300,2 -sslonly
-
- We recommend using "SSVNC Forward mode / STUNNEL 'SSL client' role"
- if you are connecting to x11vnc 0.9.10 or later. Since this does
- not use Listen mode it should be less error prone and less confusing
- and more compatible with other features. Be sure to use all of
- the x11vnc options in the above command line. To enable VeNCrypt,
- replace '-sslonly' with '-vencrypt force'. If you do not indicate
- them explicitly to SSVNC, SSVNC may have to probe multiple times for
- VeNCrypt and/or ANONDH. So you may need '-loop300,4' on the x11vnc
- cmdline so it will reconnect to the UltraVNC repeater 3 times.
-
-
- Note that for UNENCRYPTED (i.e. direct) SSVNC connections (see vnc://
- in Tip 5) using the UltraVNC Repeater mode II there is no need to
- use a reverse "Listening connection" and so you might as well use
- a forward connection.
-
- For Listening connections, on Windows after the VNC connection you
- MUST manually terminate the listening VNC Viewer (and connect again
- if desired.) Do this by going to the System Tray and terminating
- the Listening VNC Viewer. Subsequent connection attempts using the
- repeater will fail unless you do this and restart the Listen.
-
- On Unix and MacOS X after the VNC connection the UltraVNC repeater
- proxy script will automatically restart and reconnect to the repeater
- for another connection. So you do not need to manually restart it.
- To stop the listening, kill the listening VNC Viewer with Ctrl-C.
-
- In the previous sections it was mentioned one can chain up to 3
- proxies together by separating them with commas: proxy1,proxy2,proxy3.
- Except where explicitly noted below this should work for "repeater://..."
- as the final proxy. E.g. you could use a web proxy to get out of a
- firewall, and then connect to a remote repeater.
-
- The UltraVNC SSL enabled repeater_SSL.exe is discussed below.
-
-
- UltraVNC Single Click:
-
- UltraVNC has Single Click (SC) Windows VNC servers that allow naive
- users to get them running very easily (a EXE download and a few
- mouse clicks). See http://sc.uvnc.com/ for details on how to create
- these binaries. Also there is a how-to here:
- http://www.simply-postcode-lookup.com/SingleClickUltraVNC/SingleClickVNC.htm
-
- The SC EXE is a VNC *server* that starts up a Reverse VNC connection
- to a Listening Viewer (e.g. the viewer address/port/ID is hardwired
- into the SC EXE). So SC is not really a proxy, but it can be used
- with UltraVNC repeater proxies and so we describe it here.
-
- One important point for SC III binary creation: do NOT include
- "-id N" in the helpdesk.txt config file. This is because the with
- SSVNC the Ultra VNC repeater IS NOT USED (see below for how to
- use it). Use something like for helpdesk.txt:
-
- [TITLE]
- My UltraVNC SC III
-
- [HOST]
- Internet Support XYZ
- -sslproxy -connect xx.xx.xx.xx:5500 -noregistry
-
- (replace xx.xx.xx.xx with IP address or hostname of the SSVNC machine.)
-
- The Unix SSVNC vncviewer supports the both the unencrypted "SC I"
- mode and the SSL encrypted "SC III" mode. For both cases SSVNC
- must be run in Listening mode (Options -> Reverse VNC Connection)
-
- For SC I, enable Reverse VNC Connection and put Vnc://0 (see Tip 5
- below) in the VNC Host:Display to disable encryption (use a different
- number if you are not using the default listening port 5500).
- Then click on the "Listen" button and finally have the user run your
- Single Click I EXE.
-
- BTW, we used this for a SC I helpdesk.txt:
-
- [TITLE]
- My UltraVNC SC I
-
- [HOST]
- Internet Support XYZ
- -connect xx.xx.xx.xx:5500 -noregistry
-
- For SC III (SSL), enable Reverse VNC Connection and then UNSET "Verify
- All Certs" (this is required). Let the VNC Host:Display be ":0"
- (use a different number if you are not using the default listening
- port 5500). Then click on the "Listen" button and finally have the
- user run your Single Click III EXE.
-
- Note that in Listening SSL mode you MUST supply a MyCert or use the
- "listen.pem" one you are prompted by SSVNC to create.
-
-
- UltraVNC repeater_SSL.exe proxy:
-
- For repeater_SSL.exe SSL usage, with Single Click III or otherwise
- (available at http://www.uvnc.com/pchelpware/SCIII/index.html)
- it helps to realize that the ENTIRE connection is SSL encrypted,
- even the proxy host:port/ID:NNNN negotiation, and so a different
- approach needs to be taken from that described above in 'UltraVNC
- Proxies/Gateways'. In this case do something like this:
-
- VNC Host:Display: :0
- Proxy/Gateway: sslrepeater://myuvncrep.west:443+ID:2345
-
- The sslrepeater:// part indicates the entire ID:XYZ negotiation must
- occur inside the SSL tunnel. Listening mode is not required in this
- case: a forward VNC connection works fine (and is recommended).
- As before, the ":0" is simply a placeholder and is not used.
- Note that the UltraVNC repeater_SSL.exe listens on port 443 (HTTPS),
- (it is not clear that it can be modified to use another port.)
-
- Non-ID connections sslrepeater://myuvncrep.west:443+host:disp also
- work, but the 2nd leg repeater <-> host:disp must be unencrypted.
- The first leg SSVNC <-> repeater is, however, SSL encrypted.
-
- sslrepeater:// only works on Unix or MacOSX using the provided
- SSVNC vncviewer. The modified viewer is needed; stock VNC viewers
- will not work. Also, proxy chaining (bouncing off of more than one
- proxy) currently does not work for repeater_SSL.exe.
-
-
- VeNCrypt is treated as a proxy:
-
- SSVNC supports the VeNCrypt VNC security type. You will find out more
- about this security type in the other parts of the Help documentation.
- In short, it does a bit of plain-text VNC protocol negotiation before
- switching to SSL/TLS encryption and authentication.
-
- SSVNC implements its VeNCrypt support as final proxy in a chain
- of proxies. You don't need to know this or specify anything, but
- it is good to know since it uses up one of the 3 proxies you are
- allowed to chain together. If you watch the command output you will
- see the vencrypt:// proxy item.
-
- You can specify that a VNC server uses VeNCrypt (Options -> Advanced)
- or you can let SSVNC try to autodetect VeNCrypt.
-
-
- IPv6 can be treated as a proxy for UN-ENCRYPTED connections:
-
- Read Tip 20 about SSVNC's IPv6 (128 bit IP addresses) support.
- In short, because stunnel and ssh support IPv6 hostnames and
- addresses, SSVNC does too without you needing to do anything.
-
- However, in some rare usage modes you will need to specify the IPv6
- server destination in the Proxy/Gateway entry box. The only case
- this appears to be needed is when making an un-encrypted connection
- to an IPv6 VNC server. In this case neither stunnel nor ssh are
- used and you need to specify something like this:
-
- VNC Host:Display: localhost:0
- Proxy/Gateway: ipv6://2001:4860:b009::68:5900
-
- and then select 'None' as the encryption type. Note that the above
- 'localhost:0' setting can be anything; it is basically ignored.
-
- Note that on Unix, MacOSX, and Windows un-encrypted ipv6 connections
- are AUTODETECTED and so you likely NEVER need to supply ipv6://
- Only try it if you encounter problems. Also note that the ipv6://
- proxy type does not work on Windows, so only the autodetection is
- available there.
-
- Note that if there is some other proxy, e.g. SOCKS or HTTP and that
- proxy server is an IPv6 host (or will connect you to one) then any
- sort of connection through that proxy will work OK: un-encrypted as
- well as SSL or SSH connections, etc.
-
- Unencrypted connection is the only special case where you may need
- to specify an ipv6:// proxy. If you find another use let us know.
-
- See Tip 20 for more info.
-}
-
- set help_tips {
- Tips and Tricks:
-
- Table of Contents:
-
- 1) Connect to Non-Standard SSH port.
- 2) Reverse VNC connections (Listening)
- 3) Global options in ~/.ssvncrc
- 4) Fonts
- 5) vnc://host for un-encrypted connection
- 6) Home directory for memory stick usage, etc.
- 7) vncs:// vncssl:// vnc+ssl:// vnc+ssh:// URL-like prefixes
- 8) sshvnc / -ssh SSH only GUI
- 9) tsvnc / -ts Terminal services only GUI (SSH+x11vnc)
- 10) 2nd GUI window on Unix/MacOSX
- 11) Ctrl-L or Button3 to Load profile
- 12) SHELL command or Ctrl-S for SSH terminal w/o VNC
- 13) KNOCK command for port-knock sequence
- 14) Unix/MacOSX general SSL redirector (not just VNC)
- 15) Environment variables
- 16) Bigger "Open File" dialog window
- 17) Unix/MacOSX extra debugging output
- 18) Dynamic VNC Server Port determination with SSH
- 19) No -t ssh cmdline option for older sshd
- 20) IPv6 support.
-
- 1) To connect in SSH-Mode to a server running SSH on a non-standard
- port (22 is the standard port) you need to use the Proxy/Gateway
- setting. The following is from the Proxies Help panel:
-
- NON-STANDARD SSH PORT: To use a non-standard ssh port (i.e. a port other
- than 22) you need to use the Proxy/Gateways as well. E.g. something
- like this for port 2222:
-
- VNC Host:Display: localhost:0
- Proxy/Gateway: joe@far-away.east:2222
-
- The username@ is not needed if it is the same as on the client. This
- will also work going to a different internal machine, e.g. "joes-pc:0"
- instead of "localhost:0", as in the first example.
-
- 2) Reverse VNC connections (Listening) are possible as well.
- In this case the VNC Server initiates the connection to your
- waiting (i.e. listening) SSVNC viewer.
-
- Go to Options and select "Reverse VNC connection". In the 'VNC
- Host:Display' entry box put in the number (e.g. "0" or ":0", or
- ":1", etc) that corresponds to the Listening display (0 -> port
- 5500, 1 -> port 5501, etc.) you want to use. Then clicking on
- 'Listen' puts your SSVNC viewer in a "listening" state on that
- port number, waiting for a connection from the VNC Server.
-
- On Windows or using a 3rd party VNC Viewer multiple, simultaneous
- reverse connections are always enabled. On Unix/MacOSX with the
- provided ssvncviewer they are disabled by default. To enable them:
- Options -> Advanced -> Unix ssvncviewer -> Multiple LISTEN Connections
-
- Specify a specific interface, e.g. 192.168.1.1:0 to have stunnel
- only listen on that interface. IPv6 works too, e.g. :::0 or ::1:0
- This also works for UN-encrypted reverse connections as well ('None').
-
- See the Options Help for more info.
-
- 3) You can put global options in your ~/.ssvncrc file (ssvnc_rc on
- Windows). Currently they are:
-
- Put "mode=tsvnc" or "mode=sshvnc" in the ~/.ssvncrc file to have
- the application start up in the given mode.
-
- desktop_type=wmaker (e.g.) to switch the default Desktop Type.
-
- desktop_size=1280x1024 (e.g.) to switch the default Desktop Size.
-
- desktop_depth=24 (e.g.) to switch the default Desktop Color Depth
-
- xserver_type=Xdummy (e.g.) to switch the default X Server Type.
-
- (The above 4 settings apply only to the Terminal Services Mode.)
-
- noenc=1 (same as the -noenc option for a 'No Encryption' option)
- noenc=0 (do not show the 'No Encryption' option)
-
- killstunnel=1 (same as -killstunnel), on Windows automatically kills
- the STUNNEL process when the viewer exits. Disable via killstunnel=0
- and -nokillstunnel.
-
- ipv6=0 act as though IPv6 was not detected.
- ipv6=1 act as though IPv6 was detected.
-
- cotvnc=1 have the default vncviewer on Mac OS X be the Chicken of
- the VNC. By default the included ssvnc X11 vncviewer is used
- (requires Mac OS X X11 server to be running.)
-
- mycert=file (same as -mycert file option). Set your default MyCert
- to "file". If file does not exist ~/.vnc/certs/file is used.
-
- cacert=file (same as -cacert file option). Set your default ServerCert
- to "file". If file does not exist ~/.vnc/certs/file is used. If
- file is "CA" then ~/.vnc/certs/CA/cacert.pem is used.
-
- crl=file (same as -crl file option). Set your default CRL File
- to "file". If file does not exist ~/.vnc/certs/file is used.
-
- Prefix any of these cert/key files with "FORCE:" to make them
- immutable, e.g. "cacert=FORCE:CA".
-
- You can set any environment variable in ~/.ssvncrc by using a line
- like env=VAR=value, for example: env=SSVNC_FINISH_SLEEP=2
-
- To change the fonts (see Tip 4 below for examples):
-
- font_default=tk-font-name (sets the font for menus and buttons)
- font_fixed=tk-font-name (sets the font for help text)
-
- 4) Fonts: To change the tk fonts, set these environment variables
- before starting up ssvnc: SSVNC_FONT_DEFAULT and SSVNC_FONT_FIXED.
- For example:
-
- % env SSVNC_FONT_DEFAULT='helvetica -20 bold' ssvnc
- % env SSVNC_FONT_FIXED='courier -14' ssvnc
-
- or set both of them at once. You can also set 'font_default' and
- 'font_fixed' in your ~/.ssvncrc. E.g.:
-
- font_default=helvetica -16 bold
- font_fixed=courier -12
-
- 5) If you want to make a Direct VNC connection, WITH *NO* SSL OR
- SSH ENCRYPTION or authentication, use the "vnc://" prefix in the
- VNC Host:Display entry box, e.g. "vnc://far-away.east:0" This
- also works for reverse connections, e.g. vnc://0
-
- Use Vnc:// (i.e. capital 'V') to avoid being prompted if you are
- sure you want no encryption. For example, "Vnc://far-away.east:0"
- Shift+Ctrl-E in the entry box is a short-cut to add or remove
- the prefix "Vnc://" from the host:disp string.
-
- You can also run ssvnc with the '-noenc' cmdline option (now
- the default) to have a check option 'None' that lets you turn off
- Encryption (and profiles will store this setting). Pressing Ctrl-E
- on the main panel is a short-cut to toggle between the -noenc 'No
- Encryption' mode and normal mode. The option "Show 'No Encryption'
- Option" under Options also toggles it.
-
- The '-enc' option disables the button (and so makes it less obvious
- to naive users how to disable encryption.)
-
- Note as of SSVNC 1.0.25 the '-noenc' mode is now the default. I.e.
- the 'No Encryption' option ('None') is shown by default. When
- you select 'None' you do not need to supply the "vnc://" prefix.
- To disable the button supply the '-enc' cmdline option.
-
- Setting SSVNC_DISABLE_ENCRYPTION_BUTTON=1 in your environment is
- the same as -noenc. You can also put noenc=1 in your ~/.ssvncrc file.
-
- Setting SSVNC_DISABLE_ENCRYPTION_BUTTON=0 in your environment is
- the same as -enc. You can also put noenc=0 in your ~/.ssvncrc file.
-
- Please be cautious/thoughtful when you make a VNC connection with
- encryption disabled. You may send sensitive information (e.g. a
- password) over the network that can be sniffed.
-
- It is also possible (although difficult) for someone to hijack an
- existing unencrypted VNC session.
-
- Often SSVNC is used to connect to x11vnc where the Unix username and
- password is sent over the channel. It would be a very bad idea to
- let that data be sent over an unencrypted connection! In general,
- it is not wise to have a plaintext VNC connection.
-
- Note that even the VNC Password challenge-response method (the password
- is not sent in plaintext) leaves your VNC password susceptible to a
- dictionary attack unless encryption is used to hide it.
-
- So (well, before we made the button visible by default!) we forced
- you to learn about and supply the "vnc://" or "Vnc://" prefix to
- the host:port or use -noenc or the "Show 'No Encryption' Option"
- to disable encryption. This is a small hurdle, but maybe someone
- will think twice. It is a shame that VNC has been around for
- over 10 years and still does not have built-in strong encryption.
-
- Note the Vnc:// or vnc:// prefix will be stored in any profile that
- you save so you do not have to enter it every time.
-
- Set the env var SSVNC_NO_ENC_WARN=1 to skip the warning prompts the
- same as the capitalized Vnc:// does.
-
- 6) Mobile USB memory stick / flash drive usage: You can unpack
- ssvnc to a flash drive for impromptu usage (e.g. from a friends
- computer).
-
- If you create a directory "Home" in the toplevel ssvnc directory,
- then that will be the default location for your VNC profiles
- and certs. So they follow the drive this way. If you run like
- this: "ssvnc ." or "ssvnc.exe ." the "Home" directory will be
- created for you.
-
- WARNING: if you use ssvnc from an "Internet Cafe", i.e. an
- untrusted computer, an unscrupulous person may be capturing
- keystrokes, etc.!
-
- You can also set the SSVNC_HOME env. var. to point to any
- directory you want. It can be set after starting ssvnc by putting
- HOME=/path/to/dir in the Host:Display box and clicking "Connect".
-
- For a Windows BAT file to get the "Home" directory correct
- something like this might be needed:
-
- cd \ssvnc\Windows
- start \ssvnc\Windows\ssvnc.exe
-
- 7) In the VNC Host:Display entry you can also use these "URL-like"
- prefixes:
-
- vncs://host:0, vncssl://host:0, vnc+ssl://host:0 for SSL
-
- and
-
- vncssh://host:0, vnc+ssh://host:0 for SSH
-
- There is no need to toggle the SSL/SSH setting. These also work
- from the command line, e.g.: ssvnc vnc+ssh://mymachine:10
-
- 8) If you want this application to be SSH only, then supply the
- command line option "-ssh" or set the env. var SSVNC_SSH_ONLY=1.
-
- Then no GUI elements specific to SSL will appear (the
- documentation wills still refer to the SSL mode, however).
- To convert a running app to ssh-only select "Mode: SSH-Only"
- in Options.
-
- The wrapper scripts "sshvnc" and "sshvnc.bat" will start it up
- automatically this way.
-
- Or in your ~/.ssvncrc (or ~/ssvnc_rc on Windows) put "mode=sshvnc"
- to have the tool always start up in that mode.
-
- 9) For an even simpler "Terminal Services" mode use "tsvnc" or
- "tsvnc.bat" (or "-ts" option). This mode automatically launches
- x11vnc on the remote side to find or create your Desktop session
- (usually the Xvfb X server). So x11vnc must be available on the
- remote server machines under "Terminal Services" mode.
-
- From a full ssvnc you can press Ctrl-h to go into ssh-only mode
- and Ctrl-t to toggle between "tsvnc" and "ssvnc" modes. The
- Options Mode menu also let you switch.
-
- Or in your ~/.ssvncrc (or ~/ssvnc_rc on Windows) put "mode=tsvnc"
- to have the tool always start up in that mode.
-
- 10) On Unix to get a 2nd GUI (e.g. for a 2nd connection) press Ctrl-N
- on the GUI. If only the xterm window is visible you can press
- Ctrl-N or try Ctrl-LeftButton -> New SSVNC_GUI. On Windows you
- will have to manually Start a new one: Start -> Run ..., etc.
-
- 11) Pressing the "Load" button or pressing Ctrl-L or Clicking the Right
- mouse button on the main GUI will invoke the Load dialog.
-
- Pressing Ctrl-O on the main GUI will bring up the Options Panel.
- Pressing Ctrl-A on the main GUI will bring up the Advanced Options.
-
- 12) If you use "SHELL" for the "Remote SSH Command" (or in the display
- line: "user@hostname cmd=SHELL") then you get an SSH shell only:
- no VNC viewer will be launched. On Windows "PUTTY" will try
- to use putty.exe (better terminal emulation than plink.exe).
-
- A ShortCut for this is Ctrl-S with user@hostname in the entry box.
-
- 13) If you use "KNOCK" for the "Remote SSH Command" (or in the display
- line "user@hostname cmd=KNOCK") then only the port-knocking is done.
-
- A ShortCut for this is Ctrl-P with hostname the entry box.
-
- If it is KNOCKF, i.e. an extra "F", then the port-knocking
- "FINISH" sequence is sent, if any. A ShortCut for this
- Shift-Ctrl-P as long as hostname is present.
-
- 14) On Unix to have SSVNC act as a general STUNNEL redirector (i.e. no
- VNC), put the desired host:port in VNC Host:Display (use a
- negative port value if it is to be less than 200), then go to
- Options -> Advanced -> Change VNC Viewer. Change the "viewer"
- command to be "xmessage OK" or "xmessage <port>" (or sleep) where
- port is the desired local listening port. Then click Connect.
- If you didn't set the local port look for it in the terminal output.
-
- On Windows set 'viewer' to "NOTEPAD" or similar; you can't
- control the port though. It is usually 5930, 5931, ... Watch
- the messages or look at the stunnel log.
-
- 15) Tricks with environment variables:
-
- You can change the X DISPLAY variable by typing DISPLAY=... into
- VNC Host:Display and hitting Return or clicking Connect. Same
- for HOME=. On Mac, you can set DYLD_LIBRARY_PATH=... too.
- It should propagate down the viewer.
-
- Setting SLEEP=n increases the amount of time waited before
- starting the viewer. The env. var. SSVNC_EXTRA_SLEEP also does
- this (and also Sleep: Option setting) Setting FINISH=n sets the
- amount of time slept before the Terminal window exits on Unix
- and MacOS X. (same as SSVNC_FINISH_SLEEP env. var.)
-
- Full list of parameters HOME/SSVNC_HOME, DISPLAY/SSVNC_DISPLAY
- DYLD_LIBRARY_PATH/SSVNC_DYLD_LIBRARY_PATH, SLEEP/SSVNC_EXTRA_SLEEP
- FINISH/SSVNC_FINISH_SLEEP, DEBUG_NETSTAT, REPEATER_FORCE,
- SSH_ONLY, TS_ONLY, NO_DELETE, BAT_SLEEP, IPV6/SSVNC_IPV6=0 or 1.
- See below for more info. (the ones joined by "/" are equivalent
- names, and the latter can be set as an env. var. as well.)
-
- After you set the parameter, clear out the 'VNC Host:Display'
- entry and replace it with the actual host and display number.
-
- To replace the xterm terminal where most of the external commands
- are run set SSVNC_XTERM_REPLACEMENT to a command that will run
- a command in a terminal. I.e.: "$SSVNC_XTERM_REPLACEMENT cmd"
- will run cmd. If present, %GEOMETRY is expanded to a desired
- +X+Y geometry. If present, %TITLE is expanded to a desired title.
- Examples: SSVNC_XTERM_REPLACEMENT='gnome-terminal -e'
- SSVNC_XTERM_REPLACEMENT='gnome-terminal -t "%TITLE" -e'
- SSVNC_XTERM_REPLACEMENT='konsole -e'
-
- More info: EXTRA_SLEEP: seconds of extra sleep in scripts;
- FINISH_SLEEP: final extra sleep at end; DEBUG_NETSTAT put up a
- window showing what netstat reports; NO_DELETE: do not delete tmp
- bat files on Windows (for debugging); BAT_SLEEP: sleep this many
- seconds at the end of each Windows bat file (for debugging.)
-
- You can also set any environment variable by entering in something
- like ENV=VAR=VAL e.g. ENV=SSH_AUTH_SOCK=/tmp/ssh-BF2297/agent.2297
- Use an empty VAL to unset the variable.
-
- There are also a HUGE number of env. vars. that apply to the Unix
- and MacOS X wrapper script 'ss_vncviewer' and/or the ssvncviewer
- binary. See Options -> Advanced -> Unix ssvncviewer -> Help for
- all of them.
-
- 16) On Unix you can make the "Open File" and "Save File" dialogs
- bigger by setting the env. var. SSVNC_BIGGER_DIALOG=1 or
- supplying the -bigger option. If you set it to a Width x Height,
- e.g. SSVNC_BIGGER_DIALOG=500x200, that size will be used.
-
- 17) On Unix / MacOSX to enable debug output you can set these env.
- vars to 1: SSVNC_STUNNEL_DEBUG, SSVNC_VENCRYPT_DEBUG, and
- SS_DEBUG (very verbose)
-
- 18) Dynamic VNC Server Port determination and redirection: If you
- are running SSVNC on Unix and are using SSH to start the remote
- VNC server and the VNC server prints out the line "PORT=NNNN"
- to indicate which dynamic port it is using (x11vnc does this),
- then if you prefix the SSH command with "PORT=" SSVNC will watch
- for the PORT=NNNN line and uses ssh's built in SOCKS proxy
- (ssh -D ...) to connect to the dynamic VNC server port through
- the SSH tunnel. For example:
-
- VNC Host:Display user@somehost.com
- Remote SSH Command: PORT= x11vnc -find -nopw
-
- or "PORT= x11vnc -display :0 -localhost", etc. Or use "P= ..."
-
- There is also code to detect the display of the regular Unix
- vncserver(1). It extracts the display (and hence port) from
- the lines "New 'X' desktop is hostname:4" and also
- "VNC server is already running as :4". So you can use
- something like:
-
- PORT= vncserver; sleep 15
- or: PORT= vncserver :4; sleep 15
-
- the latter is preferred because when you reconnect with it will
- find the already running one. The former one will keep creating
- new X sessions if called repeatedly.
-
- On Windows if PORT= is supplied SOCKS proxying is not used, but
- rather a high, random value of the VNC port is chosen (e.g. 8453)
- and assumed to be free, and is passed to x11vnc's -rfbport option.
- This only works with x11vnc (not vncserver).
-
- 19) On Unix if you are going to an older SSH server (e.g. Solaris 10),
- you will probably need to set the env. var. SS_VNCVIEWER_NO_T=1
- to disable the ssh "-t" option being used (that can prevent the
- command from being run).
-
- 20) SSVNC is basically a wrapper for the stunnel and ssh programs,
- and because those two programs have good IPv6 support SSVNC will
- for most usage modes support it as well. IPv6 is 128 bit internet
- addresses (as opposed to IPv4 with its 32 bit xxx.yyy.zzz.nnn IPs.
-
- So for basic SSL and SSH connections if you type in an IPv6 IP
- address, e.g. '2001:4860:b009::68', or a hostname with only an
- IPv6 lookup, e.g. ipv6.l.google.com, the connection will work
- because stunnel and ssh handle these properly.
-
- Note that you often need to supply a display number or port after
- the address so put it, e.g. ':0' at the end: 2001:4860:b009::68:0
- You can also use the standard notation [2001:4860:b009::68]:0
- that is more clear. You MUST specify the display if you use
- the IPv6 address notation (but :0 is still the default for a
- non-numeric hostname string.)
-
- IPv4 addresses encoded in IPv6 notation also work, e.g.
- ::ffff:192.168.1.100 should work for the most part.
-
- SSVNC on Unix and MacOSX also has its own Proxy helper tool
- (pproxy) This script has been modified to handle IPv6 hostnames
- and addresses as long as the IO::Socket::INET6 Perl module
- is available. On Windows the relay6.exe tool is used.
-
- So for the most part IPv6 should work without you having to do
- anything special. However, for rare usage, the proxy helper tool
- can also treat and IPv6 address as a special sort of 'proxy'.
- So in the entry Proxy/Gateway you can include ipv6://host:port
- and the IPv6 host will simply be connected to and the data
- transferred. In this usage mode, set the VNC Host:Display
- to anything, e.g. 'localhost:0'; it is ignored if the ipv6://
- endpoint is specified as a proxy. Need for ipv6:// usage proxy
- should be rare.
-
- Note that for link local (not global) IPv6 addresses you may
- need to include the network interface at the end of the address,
- e.g. fe80::a00:20ff:fefd:53d4%eth0
-
- Note that one can use a 3rd party VNC Viewer with SSVNC (see
- Options -> Advanced -> Change VNC Viewer.) IPv6 will work for
- them as well even if they do not support IPv6.
-
- IPv6 support on Unix, MacOSX, and Windows is essentially complete
- for all types of connections (including proxied, unencrypted and
- reverse connections.) Let us know if you find a scenario that
- does not work (see the known exception for putty/plink below.)
-
- You can set ipv6=0 in your ssvncrc, then no special relaying for
- IPv6 will be done (do this if there are problems or slowness in
- trying to relay ipv6 and you know you will not connect to any
- such hosts.) Set ipv6=1 to force the special processing even if
- IPv6 was not autodetected. To change this dynamically, you also
- enter IPV6=... in the VNC Host:Display entry box and press Enter.
- Also on Unix or MacOSX you can set the env. var. SSVNC_IPV6=0
- to disable the wrapper script from checking if hosts have ipv6
- addresses (this is the same as setting ipv6=0 in ssvncrc or by
- the setting ipv6 in the Entry box.)
-
- On Windows plink.exe (SSH client) currently doesn't work for
- IPv6 address strings (e.g. 2001:4860:b009::68) but it does work
- for hostname strings that resolve to IPv6 addresses.
-
- Note that one can make a home-brew SOCKS5 ipv4-to-ipv6 gateway
- proxy using ssh like this:
-
- ssh -D '*:1080' localhost "printf 'Press Enter to Exit: '; read x"
-
- then specify a proxy like socks5://hostname:1080 where hostname
- is the machine running the above ssh command. Add '-v' to the
- ssh cmdline for verbose output. See also the x11vnc inet6to4 tool
- (a direct ipv4/6 relay, not socks.)
-}
-
- global version
- set help_main " SSVNC version: $version\n$help_main"
- set help_misc " SSVNC version: $version\n$help_misc"
- set help_prox " SSVNC version: $version\n$help_prox"
- set help_tips " SSVNC version: $version\n$help_tips"
-
- frame .h.w
- button .h.w.b1 -text "Main" -command {help_text main}
- button .h.w.b2 -text "Proxies" -command {help_text prox}
- button .h.w.b3 -text "Misc" -command {help_text misc}
- button .h.w.b4 -text "Tips" -command {help_text tips}
-
- pack .h.w.b1 .h.w.b2 .h.w.b3 .h.w.b4 -side left -fill x -expand 1
-
- pack .h.w -side bottom -after .h.d -fill x
-
- .h.f.t insert end $help_main
- jiggle_text .h.f.t
-}
-
-proc help_text {which} {
- global help_main help_misc help_prox help_tips
- set txt ""
- if {$which == "main"} {
- set txt $help_main
- }
- if {$which == "misc"} {
- set txt $help_misc
- }
- if {$which == "prox"} {
- set txt $help_prox
- }
- if {$which == "tips"} {
- set txt $help_tips
- }
- catch {.h.f.t delete 0.0 end; .h.f.t insert end $txt; jiggle_text .h.f.t}
-}
-
-proc ssvnc_escape_help {} {
- toplev .ekh
-
- scroll_text_dismiss .ekh.f
-
- center_win .ekh
- wm title .ekh "SSVNC Escape Keys Help"
-
- set msg {
- SSVNC Escape Keys:
-
- The Unix SSVNC VNC Viewer, ssvncviewer(1), has an 'Escape Keys'
- mechanism that enables using keystrokes that are bound as 'Hot Keys'
- to specific actions.
-
- So, when you have all of the modifier keys ('escape keys') pressed down,
- then subsequent keystrokes are interpreted as local special actions
- instead of being sent to the remote VNC server.
-
- This enables quick parameter changing and also panning of the viewport.
- E.g. the keystroke 'r' is mapped to refresh the screen.
-
- Enter 'default' in the entry box to enable this feature and to use the
- default modifier list (Alt_L,Super_L on unix and Control_L,Meta_L on
- macosx) or set it to a list of modifier keys, e.g. Alt_L,Control_L.
- Note that _L means left side of keyboard and _R means right side.
-
- Alt_L is the 'Alt' key on the left side of the keyboard, and Super_L
- is usually the 'WindowsFlaggie(TM)' on the left side of the keyboard,
- so when both of those are pressed, the escape keys mapping take effect.
-
-
- Here is info from the ssvncviewer(1) manual page:
-
- -escape str This sets the 'Escape Keys' modifier sequence and enables
- escape keys mode. When the modifier keys escape sequence
- is held down, the next keystroke is interpreted locally
- to perform a special action instead of being sent to the
- remote VNC server.
-
- Use '-escape default' for the default modifier sequence.
- (Unix: Alt_L,Super_L and MacOSX: Control_L,Meta_L)
-
- Here are the 'Escape Keys: Help+Set' instructions from the Popup Menu:
-
- Escape Keys: Enter a comma separated list of modifier keys to be the
- 'escape sequence'. When these keys are held down, the next keystroke is
- interpreted locally to invoke a special action instead of being sent to
- the remote VNC server. In other words, a set of 'Hot Keys'.
-
- To enable or disable this, click on 'Escape Keys: Toggle' in the Popup.
-
- Here is the list of hot-key mappings to special actions:
-
- r: refresh desktop b: toggle bell c: toggle full-color
- f: file transfer x: x11cursor z: toggle Tight/ZRLE
- l: full screen g: graball e: escape keys dialog
- s: scale dialog +: scale up (=) -: scale down (_)
- t: text chat a: alphablend cursor
- V: toggle viewonly Q: quit viewer 1 2 3 4 5 6: UltraVNC scale 1/n
-
- Arrow keys: pan the viewport about 10% for each keypress.
- PageUp / PageDown: pan the viewport by a screenful vertically.
- Home / End: pan the viewport by a screenful horizontally.
- KeyPad Arrow keys: pan the viewport by 1 pixel for each keypress.
- Dragging the Mouse with Button1 pressed also pans the viewport.
- Clicking Mouse Button3 brings up the Popup Menu.
-
- The above mappings are *always* active in ViewOnly mode, unless you set the
- Escape Keys value to 'never'.
-
- If the Escape Keys value below is set to 'default' then a default list of
- of modifier keys is used. For Unix it is: Alt_L,Super_L and for MacOSX it
- is Control_L,Meta_L. Note: the Super_L key usually has a Windows(TM) Flag
- on it. Also note the _L and _R mean the key is on the LEFT or RIGHT side
- of the keyboard.
-
- On Unix the default is Alt and Windows keys on Left side of keyboard.
- On MacOSX the default is Control and Command keys on Left side of keyboard.
-
- Example: Press and hold the Alt and Windows keys on the LEFT side of the
- keyboard and then press 'c' to toggle the full-color state. Or press 't'
- to toggle the ultravnc Text Chat window, etc.
-
- To use something besides the default, supply a comma separated list (or a
- single one) from: Shift_L Shift_R Control_L Control_R Alt_L Alt_R Meta_L
- Meta_R Super_L Super_R Hyper_L Hyper_R or Mode_switch.
-}
-
- .ekh.f.t insert end $msg
- jiggle_text .ekh.f.t
-}
-
-# Or Alternatively one can supply both hosts separated by
-# spaces (with the proxy second) in the VNC Host:Display box:
-#
-# VNC Host-Display: far-away.east:0 theproxy.net:8080
-#
-# This looks a little strange, but it actually how SSVNC stores the
-# host info internally.
-
-# You can also specify the remote SSH command by putting a string like
-#
-# cmd=x11vnc -nopw -display :0 -rfbport 5900 -localhost
-#
-# (use any command you wish to run) at the END of the VNC Host:Display
-# entry. In general, you can cram it all in the VNC Host:Display if
-# you like: host:disp proxy:port cmd=... (this is the way it is
-# stored internally).
-
-proc help_certs {} {
- toplev .ch
-
- set h 33
- if [small_height] {
- set h 28
- }
- scroll_text_dismiss .ch.f 87 $h
-
- center_win .ch
- wm resizable .ch 1 0
-
- wm title .ch "SSL Certificates Help"
-
- set msg {
- Description:
-
- *** IMPORTANT ***: Only with SSL Certificate verification (either manually
- or via a Certificate Authority certificate) can Man-In-The-Middle attacks be
- prevented. Otherwise, only passive network sniffing attacks are prevented.
- There are hacker tools like dsniff/webmitm and cain that implement SSL
- Man-In-The-Middle attacks. They rely on the client user not bothering to
- check the cert.
-
- Some people may be confused by the above because they are familiar with
- their Web Browser using SSL (i.e. https://... websites) and those sites
- are authenticated securely without the user's need to verify anything
- manually. The reason why this happens automatically is because 1) their
- web browser comes with a bundle of Certificate Authority certificates
- and 2) the https sites have paid money to the Certificate Authorities to
- have their website certificate signed by them. When using SSL in VNC we
- normally do not do something this sophisticated, and so we have to verify
- the certificates manually. However, it is possible to use Certificate
- Authorities with SSVNC; that method is described below.
-
- The SSL Certificate files described below may have been created externally
- (e.g. by x11vnc or openssl): you can import them via "Import Certificate".
- OR you can click on "Create Certificate ..." to use THIS program to generate
- a Certificate + Private Key pair for you (in this case you will need to
- distribute one of the generated files to the VNC Server).
-
- Then you associate the Saved cert with the VNC server, see the panel entry
- box description below. Then click Connect. You will usually want to Save
- this association in a VNC Server profile for the next time you connect.
-
- Expiration:
-
- SSL Certificates will Expire after a certain period (usually 1-2 years;
- if you create a cert with this tool you can set it to any length you want).
- So if for a particular Cert you find you can no longer connect, check the
- STUNNEL log output to see if the cert has expired. Then create and distribute
- a new one.
-
- Fetch Cert:
-
- You can also retrieve and view the VNC Server's Cert via the "Fetch Cert"
- button on the main panel. After you check that it is the correct Cert (e.g. by
- comparing MD5 hash or other info), you can save it. The file it was saved
- as will be set as the "ServerCert" to verify against for the next connection.
- To make this verification check permanent, you will need to save the profile
- via 'Save'.
-
- NOTE: See the CA section below for how "Fetch Cert/Verify All Certs" WILL NOT
- WORK when a Certificate Authority (CA) is used (i.e. you need to save the CA's
- cert instead.) It will work if the certificate is Self-Signed.
-
- Verify All Certs:
-
- If "Verify All Certs" is checked on the main panel, you are always forced
- to check unrecognized server certs, and so the first time you connect to
- a new server you may need to follow a few dialogs to inspect and save the
- server certificate.
-
- Under "Verify All Certs", new certificates are saved in the 'Accepted Certs'
- directory. When the checkbox is set all host profiles with "CertsDir" set to
- "ACCEPTED_CERTS" (and an empty "ServerCert" setting) will be checked against
- the pool of accepted certificates in the 'Accepted Certs' directory.
-
- Note that we have "Verify All Certs" on by default so that users who do not
- understand the SSL Man-In-The-Middle problem will not be left completely
- vulnerable to it. Everyone still must make the effort to verify new
- certificates by an external method to be completely safe.
-
- To have "Verify All Certs" toggled off at startup, use "ssvnc -nv" or set
- SSVNC_NO_VERIFY_ALL=1 before starting. If you do not even want to see the
- button, use "ssvnc -nvb" or SSVNC_NO_VERIFY_ALL_BUTTON=1.
-
- Note: "Fetch Cert" and "Verify All Certs" are currently not implemented in
- "SSH + SSL" mode. In this case to have server authentication "ServerCert"
- must be set explicitly to a file (or "CertsDir" to a directory).
-
- Also note that "Fetch Cert" only works in a limited fashion in "Listen"
- mode (it is the VNC Server that initiates the connection), and so you
- may need to be set via "ServerCert" as well.
-
- NOTE: See the CA section below for how "Fetch Cert/Verify All Certs"
- WILL NOT WORK when a Certificate Authority (CA) is used (i.e. you need
- to save the CA's cert instead.) The "Fetch Cert" saving method will
- work if the certificate is Self-Signed.
-
- CA:
-
- One can make SSL VNC server authentication more "automatic" as it is in
- Web Browsers going to HTTPS sites, by using a Certificate Authority (CA)
- cert (e.g. a professional one like Verisign or Thawte, or one your company
- or organization creates) for the "ServerCert". This is described in detail
- here: http://www.karlrunge.com/x11vnc/ssl.html
-
- CA's are not often used, but if the number of VNC Servers scales up it can
- be very convenient because the viewers (i.e. SSVNC) only need the CA cert,
- not all of the Server certs.
-
- IMPORTANT NOTE: if a VNC Server is using a CA signed certificate instead
- of its own Self-Signed one, then "Fetch Cert", etc. saving mechanism
- WILL NOT WORK. You must obtain the CA certificate and explicitly set
- it as the ServerCert or import it to 'Accepted Certs'.
-
-
- Now what goes into the panel's entry boxes is described.
-
-
- Your Certificate + Key (MyCert):
-
- You can specify YOUR own SSL certificate (PEM) file in "MyCert" in which
- case it is used to authenticate YOU (the viewer) to the remote VNC Server.
- If this fails the remote VNC Server will drop the connection.
-
- So the Server could use this method to authenticate Viewers instead of the
- more common practice of using a VNC password or x11vnc's -unixpw mode.
-
-
- Server Certificates (ServerCert/CertsDir):
-
- Server certs can be specified in one of two ways:
-
- - A single certificate (PEM) file for a single server
- or a single Certificate Authority (CA)
-
- - A directory of certificate (PEM) files stored in
- the special OpenSSL hash fashion.
-
- The former is set via "ServerCert" in this gui.
- The latter is set via "CertsDir" in this gui.
-
- The former corresponds to the "CAfile" STUNNEL parameter.
- The latter corresponds to the "CApath" STUNNEL parameter.
-
- See stunnel(8) or stunnel.mirt.net for more information.
-
- If the remote VNC Server fails to authenticate itself with respect to the
- specified certificate(s), then the VNC Viewer (your side) will drop the
- connection.
-
- Select which file or directory by clicking on the appropriate "Browse..."
- button. Once selected, if you click Info or the Right Mouse button on
- "Browse..." then information about the certificate will be displayed.
-
- If, as is the default, "CertsDir" is set to the token "ACCEPTED_CERTS"
- (and "ServerCert" is unset) then the certificates accumulated in the special
- 'Accepted Certs' directory will be used. "ACCEPTED_CERTS" is the default for
- every server ("Verify All Certs"). Note that if you ever need to clean this
- directory, each cert is saved in two files, for example:
-
- hostname-0=bf-d0-d6-9c-68-5a-fe-24-c6-60-ba-b4-14-e6-66-14.crt
- and
- 9eb7c8be.0
-
- This is because of the way OpenSSL must use hash-based filenames in Cert dirs.
- The file will have a "full filename:" line indicating the fingerprint and
- hostname associated with it. Be sure to remove both files. The Delete Certs
- dialog should automatically find the matching one for you and prompt you to
- remove it as well.
-
- Certificate Revocation List (CRL File):
-
- For large scale deployments, usually involving a CA Cert, it is worthwhile
- to be able to revoke individual certs (so that a new CA cert does not need to
- be created and new keys distributed). Set CRL File to the path to the
- file containing the revoked certificates (or a directory containing
- OpenSSL style hash-based filenames.) See the x11vnc -sslCRL documentation
- for how to create CRL's. In short, the commands 'openssl ca -revoke ...'
- and 'openssl ca -gencrl ...' are the ones to look for; See the ca(1) manpage.
-
- Create Certificate:
-
- A simple dialog to create a Self-Signed Certificate. See the x11vnc
- -sslGenCA, -sslGenCert options for creating a CA Cert and signing with it.
-
- Import Certificate:
-
- You can paste in a Certificate or read one in from a file to add to your
- list of Server Certificates. If (also) saved in the 'Accepted Certs'
- directory, it will be automatically used to verify any Server when in
- 'Verify All Certs' Mode.
-
- Deleting Certificates:
-
- To delete a Certificate+private_key pair click on "Delete Certificate"
- and select one in the menu. You will be prompted to remove it,
- and also any corresponding .pem or .crt file. For "ACCEPTED_CERTS"
- it will find the matching "HASH" file and prompt you to remove that too.
-
-
- Default Certs and Keys:
-
- Use the "-mycert file" option (same as "-cert file") to set a default
- MyCert. The user will then have to manually clear the field to not
- use a certificate. This is the same as "mycert=file" (also "cert=file")
- in the ~/.ssvncrc file. If "file" does not exist, then ~/.vnc/certs is
- prepended to it.
-
- Use the "-cacert file" option (same as "-ca file") to set a default
- ServerCert. The user will then have to manually clear the field to not
- set a server cert. This is the same as "cacert=file" (also "ca=file")
- in the ~/.ssvncrc file. If "file" does not exist, then ~/.vnc/certs is
- prepended to it. Use "-cacert CA" to set it to ~/.vnc/certs/CA/cacert.pem
-
- Use the "-crl file" option to set a default CRL File. The user will
- then have to manually clear the field to not use a CRL. This is the
- same as "crl=file" in the ~/.ssvncrc file. If "file" does not exist,
- then ~/.vnc/certs is prepended to it.
-
- A sys-admin might set up an SSVNC deployment for user's workstations or
- laptops using one or more of -cacert (authenticate VNC server to the
- user) or -mycert (authenticate user to VNC server) or -crl (supply a
- list of revoked certificates). Prefix either one with "FORCE:" to make
- the setting unchangable.
-
-
- Notes:
-
- If "Use SSH" has been selected then SSL certs are disabled.
-
- See the x11vnc and STUNNEL documentation for how to create and use PEM
- certificate files:
-
- http://www.karlrunge.com/x11vnc/faq.html#faq-ssl-tunnel-ext
- http://www.karlrunge.com/x11vnc/ssl.html
- http://stunnel.mirt.net
-
- A common way to create and use a VNC Server certificate is:
-
- x11vnc -ssl SAVE ...
-
- and then copy the Server certificate to the local (viewer-side) machine.
- x11vnc prints out to the screen the Server certificate it generates
- (stored in ~/.vnc/certs/server.crt). You can set "ServerCert" to it
- directly or use the "Import Certificate" action to save it to a file.
- Or use the "Fetch Cert" method to retrieve it (be sure to verify the
- MD5 fingerprint, etc).
-
- x11vnc also has command line utilities to create server, client, and CA
- (Certificate Authority) certificates and sign with it. See the above URLs.
-}
-
- .ch.f.t insert end $msg
- jiggle_text .ch.f.t
-}
-
-proc help_ts_opts {} {
- toplev .oh
-
- scroll_text_dismiss .oh.f
-
- center_win .oh
-
- wm title .oh "Terminal Services VNC Options Help"
-
-set msg {
- Options: Click on a checkbox to enable a feature and bring up its Dialog.
- Deselecting a checkbox will disable the feature (but settings from the
- Dialog are remembered). Click on it again to re-enable.
-
-
- Desktop Type:
-
- The default type of remote Desktop type is the "kde" (The K Desktop
- Environment) You can choose a different type: gnome, failsafe,
- twm, etc.
-
- This setting will ONLY be used if the desktop needs to be created.
- If an existing session of yours is found it will be used instead
- (log out of that session if you want to create a new Desktop type
- or see the Multiple Sessions option under Advanced).
-
- Desktop Size:
-
- The default size of remote Desktop type is the "1280x1024" with a
- Color depth of 16 bits per pixel (BPP). Choose one of the standard
- WxH values or enter a custom one (TBD).
-
- This setting will ONLY be used if the desktop needs to be created.
- If an existing session of yours is found it will be used instead
- (log out of that session if you want to create a new Desktop size
- or see the Multiple Sessions option under Advanced).
-
- Some X servers, Xdummy or a real X server, will allow dynamic screen
- size changing after the session has started via a GUI configuration
- tool (or xrandr(1) from the command line).
-
- X Server Type:
-
- The default type of remote X session is the "Xvfb" (X virtual frame
- buffer) X server. It is available on most systems. To choose a
- different type, select "Xdummy", "Xvnc", "Xvnc.redirect".
-
- Xdummy is part of the x11vnc project and is a virtual X server with
- some nice features, but it Linux only and requires root permission
- to run. One user put 'ALL ALL = NOPASSWD: /usr/local/bin/Xdummy*'
- in his sudo(1) configuration (via visudo).
-
- For Xvnc that server is started up, and x11vnc polls it in its
- normal way. Use Xvnc.redirect if you want x11vnc to find and/or
- create the Xvnc session, but after that merely transfer packets back
- and forth between VNC viewer and Xvnc (I.e. x11vnc does no polling
- or VNC protocol).
-
-
- Enable Printing:
-
- This sets up a SSH port redirection for you from your remote session
- to your local print server. The CUPS mechanism is used. The local
- print server can also be SMB/Windows.
-
- Enable Sound:
-
- Not completely implemented yet. A partially working ESD method
- is provided. It may change over to http://nas.sourceforge.net in
- the future. As with printing, it uses a SSH port redirection to a
- server running locally.
-
- File Transfer:
-
- x11vnc supports both the UltraVNC and TightVNC file transfer
- extensions. On Windows both viewers support their file transfer
- protocol. On Unix only the SSVNC VNC Viewer has filexfer support;
- it supports the UltraVNC flavor via a Java helper program.
-
- Choose the one you want based on VNC viewer you will use.
- The defaults for the SSVNC viewer package are TightVNC on Windows
- and UltraVNC on Unix.
-
- View Only:
-
- Start the VNC Viewer in View-Only mode (it may be switched to full
- access later in the session).
-
- Change VNC Viewer:
-
- If you do not like the VNC Viewer bundled in the package, you can
- indicate another one here.
-
- X11 viewer MacOSX:
-
- On MacOSX try to use the bundled X11 vncviewer instead of the
- Chicken of the VNC viewer; the Xquartz X server must be installed
- (it is by default on 10.5.x) and the DISPLAY variable must be set
- (see Tip 15 of SSVNC Help to do this manually.)
-
-
- Advanced Options:
-
- VNC Shared:
-
- Normal use of this program, 'tsvnc', *ALREADY* allows simultaneous
- shared access of the remote desktop: You simply log in as many
- times from as many different locations with 'tsvnc' as you like.
-
- Select this option for the traditional VNC server shared mode of
- operation using a single x11vnc server. SSH access is still required.
-
- Multiple Sessions:
-
- To enable one user to have more than one Terminal Services Desktop
- X session on a single machine, this option lets you create Tags for
- multiple ones (e.g. KDE_BIG, TWM_800x600)
-
- X Login Greeter:
-
- If you have root (sudo(1)) permission on the remote machine,
- you can have x11vnc try to connect to X displays that have nobody
- logged in yet. This is most likely the login greeter running on
- the Physical console. sudo(1) is used to run x11vnc with FD_XDM=1.
-
- An initial ssh running 'sudo id' is performed to try to 'prime'
- sudo so the 2nd one that starts x11vnc does not need a password.
-
- Note that if someone is already logged into the console of the XDM
- display you will see their X session.
-
- Other VNC Server:
-
- The x11vnc program running on the remote machine can be instructed to
- immediately redirect to some other (3rd party, e.g. Xvnc or vnc.so)
- VNC server.
-
- Use unixpw:
-
- This enables the x11vnc unixpw mode. A Login: and Password: dialog
- will be presented in the VNC Viewer for the user to provide any Unix
- username and password whose session he wants to connect to.
-
- This mode is useful if a shared terminal services user (e.g. 'tsuser')
- is used for the SSH login part (say via the SSH authorized_keys
- mechanism and all users share the same private SSH key for 'tsuser').
-
- In normal usage the per-user SSH login should be the simplest and
- sufficient, in which case the unixpw option should NOT be selected.
-
- Client 8bit Color:
-
- Have the VNC Viewer request low color mode (8 bits per pixel) for
- slow links. This may be disabled or further tuned (e.g. 64 color
- mode) in the viewer during the session.
-
- Client-Side Caching:
-
- x11vnc has an experiment Client-Side caching scheme "-ncache n"
- that can give nice speedups. But there are some drawbacks
- because the cache-region is visible and uses much RAM.
- http://www.karlrunge.com/x11vnc/faq.html#faq-client-caching
-
- X11VNC Options:
-
- If you are familiar with x11vnc, you can specify any of its features
- that you would like enabled.
-
- SSVNC Mode:
-
- Clicking on this button will return you to the full SSVNC Mode.
-
- Unix ssvncviewer:
-
- Clicking on this button will popup a menu for setting options
- of the Unix (and Mac OS X) provided SSVNC vncviewer.
-
-
- ~/.ssvncrc file:
-
- You can put global options in your ~/.ssvncrc file (ssvnc_rc on
- Windows). Currently they are:
-
- Put "mode=tsvnc" or "mode=sshvnc" in the ~/.ssvncrc file to have
- the application start up in the given mode.
-
- desktop_type=wmaker (e.g.) to switch the default Desktop Type.
-
- desktop_size=1280x1024 (e.g.) to switch the default Desktop Size.
-
- desktop_depth=24 (e.g.) to switch the default Desktop Color Depth.
-
- xserver_type=Xdummy (e.g.) to switch the default X Server Type.
-
- (The above 4 settings apply only to the Terminal Services Mode.)
-
- noenc=1 (same as the -noenc option for a 'No Encryption' option)
- noenc=0 (do not show the 'No Encryption' option)
-
- font_default=tk-font-name (sets the font for menus and buttons)
- font_fixed=tk-font-name (sets the font for help text)
-}
- .oh.f.t insert end $msg
- jiggle_text .oh.f.t
-}
-
-proc help_opts {} {
- toplev .oh
-
- scroll_text_dismiss .oh.f
-
- center_win .oh
-
- wm title .oh "SSL/SSH Viewer Options Help"
-
-set msg {
- Use SSL: The default, use SSL via STUNNEL (this requires SSL aware VNC
- server, e.g. x11vnc -ssl SAVE ...) See the description in the
- main Help panel.
-
- Use SSH: Instead of using STUNNEL SSL, use ssh(1) for the encrypted
- tunnel. You must be able to log in via ssh to the remote host.
-
- On Unix the cmdline ssh(1) program (it must already be installed)
- will be run in an xterm for passphrase authentication, prompts
- about RSA keys, etc. On Windows the cmdline plink.exe program
- will be launched in a Windows Console window. (Apologies for
- the klunkiness..)
-
- You can set the "VNC Host:Display" to "user@host:disp" to
- indicate ssh should log in as "user" on "host". NOTE: On
- Windows you *MUST* always supply the "user@" part (due to a
- plink deficiency). E.g.:
-
- VNC Host:Display: fred@far-away.east:0
-
-
- Gateway: If an intermediate gateway machine must be used
- (e.g. to enter a firewall; the VNC Server is not running on it),
- put it in the Proxy/Gateway entry, e.g.:
-
- VNC Host:Display: workstation:0
- Proxy/Gateway: user@gateway-host:port
-
- ssh is used to login to user@gateway-host and then a -L port
- redirection is set up to go to workstation:0 from gateway-host.
- ":port" is optional, use it if the gateway-host SSH port is
- not the default value 22.
-
- Chaining 2 ssh's: One can also do a "double ssh", i.e. a
- first SSH to the gateway login machine then a 2nd ssh to the
- destination machine (presumably it is running the vnc server).
-
- Unlike the above example, the "last leg" (gateway-host ->
- workstation) is also encrypted by SSH this way. Do this by
- splitting the gateway in two with a comma, the part before it
- is the first SSH:
-
- VNC Host:Display: localhost:0
- Proxy/Gateway: user@gateway-host:port,user@workstation:port
-
- Web and SOCKS proxies can also be used with SSH:
-
- VNC Host:Display: user@workstation:0
- Proxy/Gateway: socks://socks.server:1080
-
- See the "SSH Proxies/Gateways" in the Main Help document for full
- details.
-
-
- Remote Command: In the "Remote SSH Command" entry you can to
- indicate that a remote command to be run. The default is
- "sleep 15" to make sure port redirections get established. But you
- can run anything else, for example, to run x11vnc on your X :0
- workstation display:
-
- x11vnc -display :0 -nopw
-
-
- Windows SSH SERVER: if you are ssh'ing INTO Windows (e.g. CYGWIN
- SSHD server) there may be no "sleep" command so put in something
- like "ping localhost" or "ping -n 10 -w 1000 localhost" to
- set a short delay to let the port redir get established.
-
-
- Trick: If you use "SHELL" asl the "Remote SSH Command" then
- you get an SSH shell only: no VNC viewer will be launched.
- On Windows "PUTTY" will try to use putty.exe (better terminal
- emulation than plink.exe) A shortcut for this is Ctrl-S as
- long as user@hostname is present in the "VNC Host:Display" box.
-
-
- Use SSH + SSL:
-
- Tunnel the SSL connection through a SSH tunnel. Use this
- if you want end-to-end SSL and must use a SSH gateway (e.g. to
- enter a firewall) or if additional SSH port redirs are required
- (CUPS, Sound, SMB tunnelling: See Advanced Options).
-
- This is a RARELY used mode, but included in case the need arises.
-
-
- No Encryption:
-
- In '-noenc' mode, which is now the default, (Ctrl-E also toggles
- this mode), use this to make a Direct connection to the VNC Server
- with no encryption whatsoever. (Be careful about passwords, etc.)
-
- The -noenc mode is now the default since SSVNC 1.0.25, use
- the '-enc' cmdline option to disable the button.
-
-
- Automatically Find X Session:
-
- When using SSH mode to connect, you can select this option. It
- simply sets the Remote SSH Command to:
-
- PORT= x11vnc -find -localhost
-
- This requires that x11vnc is installed on the remote computer
- and is available in $PATH for the ssh login. The command
- "x11vnc -find -localhost" command is run on the remote
- machine.
-
- The -find option causes x11vnc to try to find an existing X
- session owned by the user (i.e. who you ssh in as). If it
- does it attaches to it; otherwise the x11vnc VNC server exits
- immediately followed by your VNC Viewer.
-
- The PORT= option just means to let x11vnc pick its own
- VNC port and then connect to whatever it picked. Use P=
- for more debugging output.
-
- The idea for this mode is you simply type 'username@workstation'
- in the VNC Host:Display box, Select 'Options -> Automatically
- Find X Session', and then click Connect. The tsvnc mode is
- similar (it runs x11vnc on the remote side with the intent
- of automatically finding, or creating, your desktop).
-
-
- Unix Username & Password:
-
- This is only available on Unix and MacOSX and when using
- the SSVNC enhanced TightVNC viewer (it has been modified to
- do Unix logins). It supports a login dialog with servers
- doing something like x11vnc's "-unixpw" mode. After any
- regular VNC authentication takes place (VNC Password), then
- it sends the Unix Username, a Return, the Unix Password and
- a final Return. This saves you from typing them into the
- "login:" and "Password:" prompts in the viewer window.
-
- Note that the x11vnc -unixpw login mode is external to the
- VNC protocol, so you need to be sure the VNC server is in
- this mode and will be waiting for the dialog. Otherwise the
- username and password will be typed directly into the desktop
- application that happens to have the focus!
-
- When you select this option "Unix Username:" and "Unix
- Password:" entry boxes appear on the main panel where you can
- type them in. x11vnc has settings that can be specified after
- a ":" in the Unix username; they may be used here as well.
- (For example: username:3/4,nc for a smaller screen and -nocache)
-
- If the Unix Username is not set when you click Connect, then
- any SSH username@host is used. Otherwise the environment
- variable $USER or $LOGNAME and finally whoami(1) is used.
-
- Also Note that the Unix Password is never saved in a VNC
- profile (so you have to type it each time). Also, the remote
- x11vnc server is instructed to not echo the Username string
- by sending an initial Escape. Set the SSVNC_UNIXPW_NOESC=1
- environment variable to override this.
-
- Reverse VNC Connection:
-
- Reverse (listening) VNC connections are possible as well.
- Enable with this button "Reverse VNC Connection (-LISTEN)"
-
- In this case the VNC Server initiates the connection to your
- waiting (i.e. listening) SSVNC viewer.
-
- For SSL connections in the 'VNC Host:Display' entry box put in
- the number (e.g. "0" or ":0" or ":1", etc.) that corresponds to
- the Listening display (0 -> port 5500, 1 -> port 5501, etc.) you
- want to use. For example x11vnc can then be used via:
- "x11vnc ... -ssl SAVE -connect hostname:port" using the "port"
- with the one you chose.
-
- Clicking on the 'Listen' button puts your SSVNC viewer
- in a "listening" state on that port number, waiting for a
- connection from the VNC Server.
-
- Then a VNC server should establish a reverse connection to
- that port on this machine (e.g. -connect this-machine:5500
- or -connect this-machine:5503, etc.)
-
- Server SSL certificates will be verified, however you WILL
- NOT be prompted about unrecognized ones; rather, you MUST
- set up the correct Server certificate (e.g. by importing).
- prior to any connections.
-
- If the connection is failing in Reverse VNC (listening) mode,
- check the STUNNEL log output to see if STUNNEL is unable to
- authenticate the VNC Server. If you want to allow in a
- reverse connection with NO Server authentication, unset the
- 'Verify All Certs' option.
-
- When listening in SSL, you will ALSO need to specify YOUR
- OWN SSL cert, "MyCert", or otherwise let the GUI prompt you
- to create a "listen.pem" and use that.
-
- The "listen.pem" will be reused in later SSL Listening
- connections unless you specify a different one with MyCert.
-
- On Windows or using a 3rd party VNC Viewer multiple,
- simultaneous reverse connections are always enabled.
- On Unix/MacOSX with the provided ssvncviewer they are disabled
- by default. To enable them:
- Options -> Advanced -> Unix ssvncviewer -> Multiple LISTEN Conns.
-
- For reverse connections in SSH or SSH + SSL modes it is a
- little trickier. The SSH tunnel (with -R tunnel) must be
- established and remain up waiting for reverse connections.
- The default time is "sleep 1800", i.e. 30 mins. You can put
- a longer or shorter sleep in "Remote SSH Command" (perhaps
- after your command runs: cmd; sleep 3600).
-
- For SSH reverse connections put "hostname:n" in
- 'VNC Host:Display' or "user@hostname:n". The "n" will be the
- listening display on the *REMOTE* side. So to have the remote
- x11vnc connect use: "x11vnc ... -connect localhost:n" or
- "x11vnc -R connect:localhost:n" (-ssl will be needed for SSH+SSL
- mode). If the -R port cannot be opened because it is in use
- by another program you will have to kill everything and start
- over using a different port.
-
- In reverse connections mode be careful to protect the listening
- VNC Viewer from direct connections (neither SSL nor SSH)
- connecting directly to its listening port thereby bypassing
- the tunnel. This can be done by a host-level firewall that
- only lets in, say, port 5500 (the default one ":0" for stunnel
- to listen on). Or for SSH reverse connections allow NO 5500+n
- ports in. For reverse connections, the Unix enhanced tightvnc
- viewers supplied in the SSVNC package will only listen on
- localhost so these precautions are not needed.
-
- Specify a specific interface, e.g. 192.168.1.1:0 to have stunnel
- only listen on that interface. IPv6 works too, e.g. :::0 or ::1:0
- Also works for UN-encrypted reverse connections as well ('None').
-
- Note that for SSL connections use of "Proxy/Gateway" does not
- make sense: the remote side cannot initiate its reverse connection
- via the Proxy.
-
- Note that for SSH or SSH+SSL connections use of "Proxy/Gateway"
- does not make sense (the ssh cannot do a -R on a remote host:port),
- unless it is a double proxy where the 2nd host is the machine with
- the VNC server.
-
-
- View Only: Have VNC Viewer ignore mouse and keyboard input.
-
- Fullscreen: Start the VNC Viewer in fullscreen mode.
-
- Raise On Beep: Deiconify viewer when bell rings.
-
- Use 8bit color: Request a very low-color pixel format.
-
- Do not use JPEG: Do not use the jpeg aspect of the tight encoding.
-
- Use X11 vncviewer on MacOSX:
- On MacOSX try to use the bundled X11 vncviewer
- instead of the Chicken of the VNC viewer;
- The Xquartz X server must be installed (it is by
- default on 10.5.x) and the DISPLAY variable must
- be set (see Tip 15 of Help to do this manually.)
- Put cotvnc=1 in ~/.ssvncrc to switch the default.
-
- Kill Stunnel Automatically:
- On Windows, automatically try to kill the STUNNEL
- process when the VNC Viewer exits. This is a
- global setting (not per-profile); it can be also
- set via either the -killstunnel cmdline option,
- or killstunnel=1 in ssvnc_rc. To disable it supply
- -nokillstunnel or put killstunnel=0 in ssvnc_rc.
- As of 1/2009 this option is on by default.
-
- The main drawback to having STUNNEL automatically
- killed is that you will not be able to view its
- logfile. If you are having trouble connecting via
- SSL, disable this option and double click on the
- dark green STUNNEL icon in the tray to view the log.
-
-
- Compress Level/Quality: Set TightVNC encoding parameters.
-
-
- Putty PW: On Windows only: use the supplied password for plink SSH
- logins. Unlike the other options the value is not saved
- when 'Save' is performed. This feature is useful when
- options under "Advanced" are set that require TWO SSH's:
- you just have to type the password once in this entry box.
- The bundled pageant.exe and puttygen.exe programs can also
- be used to avoid repeatedly entering passwords (note this
- requires setting up and distributing SSH keys). Start up
- pageant.exe or puttygen.exe and read the instructions there.
-
- Note, that there is a small exposure to someone seeing the
- putty password on the plink command line.
-
- Note that the Putty PW is not cleared if you load in a
- new VNC profile.
-
-
- Port Slot: On Windows ports cannot be selected or checked as easily as
- on Unix. So listening ports for ssh redirs, proxy tunnelling,
- and etc. things are picked via finding a free "slot".
- The slots run from 30 to 99 and are locked based on the
- existence of a file with the slot number in it. When the
- connection is about to be made, a free slot is found and used
- to work out some ports (e.g. 5930 for the local VNC port,
- etc.) This way simultaneous SSVNC connections can take place.
-
- One drawback of this is that Putty/Plink stores SSH keys based
- on hostname:port, and with a proxy tunnel the hostname is
- "localhost". So the Putty key store may have key collisions
- for the localhost tunnels, and plink will prompt you to
- resolve the conflict WRT a different SSH key being discovered.
-
- To work around this to some degree you can select a unique
- Port Slot (in the range 50-99) for a specific host. Then the
- ssh redir port to this host will never change and so the
- Putty localhost:fixed-port key should remain valid.
-
-
- Mode: To change the GUI Mode, select between the full SSVNC
- (i.e. SSL and SSH), SSHVNC (i.e. SSH-Only), and Terminal
- Services mode (TSVNC; uses x11vnc)
-
- Note: You can put "mode=tsvnc" or "mode=sshvnc" in your
- ~/.ssvncrc file (ssvnc_rc on Windows) to have the application
- start up in the given mode.
-
-
- Show 'No Encryption' Option:
-
- Note: since SSVNC 1.0.25 the 'No Encryption' Option is
- enabled by default.
-
- Select this to display a button that disables both SSL and
- SSH encryption. This is the same as Ctrl+E. This puts
- a check item "None" on the main panel and also a "No
- Encryption" check item in the "Options" panel. If you
- select this item, there will be NO encryption for the VNC
- connection (use cautiously) See Tip 5) under Help for more
- information about disabling encryption.
-
-
- Buttons:
-
- Use Defaults: Set all options to their defaults (i.e. unset).
-
- Delete Profile: Delete a saved profile.
-
- Advanced: Bring up the Advanced Options dialog.
-
- Save and Load:
-
- You can Save the current settings by clicking on Save
- (.vnc file) and you can also read in a saved one with Load
- Profile. Use the Browse... button to select the filename
- via the GUI.
-
- Pressing Ctrl-L or Clicking the Right mouse button on the
- main GUI will invoke the Load dialog.
-
- Note: On Windows since the TightVNC Viewer will save its own
- settings in the Registry, some unexpected behavior is possible
- because the viewer is nearly always directed to the VNC host
- "localhost:30". E.g. if you specify "View Only" in this gui
- once but not next time the Windows VNC Viewer may remember
- the setting. Unfortunately there is not a /noreg option for
- the Viewer.
-}
- .oh.f.t insert end $msg
- jiggle_text .oh.f.t
-}
-
-proc help_fetch_cert {{selfsigned 1}} {
- toplev .fh
-
- set h 35
- if [small_height] {
- set h 28
- }
- scroll_text_dismiss .fh.f 85 $h
-
- center_win .fh
- wm resizable .fh 1 0
-
- wm title .fh "Fetch Certificates Help"
-
- set msg {
- The displayed SSL Certificate has been retrieved from the VNC Server via the
- "Fetch Cert" action.
-
- It has merely been downloaded via the SSL Protocol:
-
- *** IT HAS NOT BEEN VERIFIED OR AUTHENTICATED IN ANY WAY ***
-
- So, in principle, it could be a fake certificate being inserted by a bad
- person attempting to perform a Man-In-The-Middle attack on your SSL connection.
-
- If, however, by some external means you can verify the authenticity of this SSL
- Certificate you can use it for your VNC SSL connection to the VNC server you
- wish to connect to. It will provide an authenticated and encrypted connection.
-
- You can verify the SSL Certificate by comparing the MD5 or SHA1 hash value
- via a method/channel you know is safe (i.e. not also under control of a
- Man-In-The-Middle attacker). You could also check the text between the
- -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags, etc.
-
- Once you are sure it is correct, you can press the Save button to save the
- certificate to a file on the local machine for use when you connect via VNC
- tunneled through SSL. If you save it, then that file will be set as the
- Certificate to verify the VNC server against. You can see this in the dialog
- started via the "Certs..." button on the main panel.
-
- NOTE: If you want to make Permanent the association of the saved SSL certificate
- file with the VNC server host, you MUST save the setting as a profile for
- loading later. To Save a Profile, click on Options -> Save Profile ...,
- and choose a name for the profile and then click on Save.
-
- If "Verify All Certs" is checked, then you are forced to check all new certs.
- In this case the certs are saved in the 'Accepted Certs' directory against
- which all servers will be checked unless "ServerCert" or "CertsDir" has been
- set to something else.
-
- To reload the profile at a later time, click on the "Load" button on the
- main panel and then select the name and click "Open". If you want to be
- sure the certificate is still associated with the loaded in host, click on
- "Certs..." button and make sure the "ServerCert" points to the desired SSL
- filename.
-
- See the Certs... Help for more information. A sophisticated method can be set
- up using a Certificate Authority key to verify never before seen certificates
- (i.e. like your web browser does).
-}
-
- set msg2 {
- --------------------------------------------------------------------------
- NOTE: The certificate that was just downloaded IS NOT a Self-Signed
- certificate. It was signed by a Certificate Authority (CA) instead.
- So saving it does not make sense because it cannot be used to authenticate
- anything.
-
- You need to Obtain and Save the CA's certificate instead.
-
- The remainder of this Help description applies ONLY to Self-Signed
- certificates (i.e. NOT the most recently downloaded one.)
- --------------------------------------------------------------------------
-
-
-}
-
- if {!$selfsigned} {
- regsub { If, however,} $msg "$msg2 If, however," msg
- }
-
- .fh.f.t insert end $msg
- jiggle_text .fh.f.t
-}
-
-proc win_nokill_msg {} {
- global help_font is_windows system_button_face
- toplev .w
-
- eval text .w.t -width 60 -height 11 $help_font
- button .w.d -text "Dismiss" -command {destroy .w}
- pack .w.t .w.d -side top -fill x
-
- apply_bg .w.t
-
- center_win .w
- wm resizable .w 1 0
-
- wm title .w "SSL/SSH Viewer: Warning"
-
- set msg {
- The VNC Viewer has exited.
-
- You will need to terminate STUNNEL manually.
-
- To do this go to the System Tray and right-click on the STUNNEL
- icon (dark green). Then click "Exit".
-
- You can also double click on the STUNNEL icon to view the log
- for error messages and other information.
-}
- .w.t insert end $msg
-}
-
-proc win_kill_msg {pids} {
- global terminate_pids
- global help_font
-
- toplev .w
-
- eval text .w.t -width 72 -height 21 $help_font
- button .w.d -text "Dismiss" -command {destroy .w; set terminate_pids no}
- button .w.k -text "Terminate STUNNEL" -command {destroy .w; set terminate_pids yes}
- pack .w.t .w.k .w.d -side top -fill x
-
- apply_bg .w.t
-
- center_win .w
- wm resizable .w 1 0
-
- wm title .w "SSL/SSH Viewer: Warning"
-
- set msg {
- The VNC Viewer has exited.
-
- We can terminate the following still running STUNNEL process(es):
-
-}
- append msg " $pids\n"
-
- append msg {
- Click on the "Terminate STUNNEL" button below to do so.
-
- Before terminating STUNNEL you can double click on the STUNNEL
- Tray icon to view its log for error messages and other information.
-
- Note: You may STILL need to terminate STUNNEL manually if we are
- unable to kill it. To do this go to the System Tray and right-click
- on the STUNNEL icon (dark green). Then click "Exit". You will
- probably also need to hover the mouse over the STUNNEL Tray Icon to
- make the Tray notice STUNNEL is gone...
-
- To have STUNNEL automatically killed when the Viewer exits use the
- -killstunnel cmdline option, or set it under Options or in ssvnc_rc.
-}
- .w.t insert end $msg
-}
-
-proc win9x_plink_msg {file} {
- global help_font win9x_plink_msg_done
- toplev .pl
-
- eval text .pl.t -width 90 -height 26 $help_font
- button .pl.d -text "OK" -command {destroy .pl; set win9x_plink_msg_done 1}
- wm protocol .pl WM_DELETE_WINDOW {catch {destroy .pl}; set win9x_plink_msg_done 1}
- pack .pl.t .pl.d -side top -fill x
-
- apply_bg .pl.t
-
- center_win .pl
- wm resizable .pl 1 0
-
- wm title .pl "SSL/SSH Viewer: Win9x Warning"
-
- set msg {
- Due to limitations on Window 9x you will have to manually start up
- a COMMAND.COM terminal and paste in the following command:
-
-}
- set pwd [pwd]
- regsub -all {/} $pwd "\\" pwd
- append msg " $pwd\\$file\n"
-
- append msg {
- The reason for this is a poor Console application implementation that
- affects many text based applications.
-
- To start up a COMMAND.COM terminal, click on the Start -> Run, and then
- type COMMAND in the entry box and hit Return or click OK.
-
- To select the above command, highlight it with the mouse and then press
- Ctrl-C. Then go over to the COMMAND.COM window and click on the
- Clipboard paste button. Once pasted in, press Return to run the script.
-
- This will start up a PLINK.EXE ssh login to the remote computer,
- and after you log in successfully and indicate (QUICKLY!!) that the
- connection is OK by clicking OK in this dialog. If the SSH connection
- cannot be autodetected you will ALSO need to click "Success" in the
- "plink ssh status?" dialog, the VNC Viewer will be started going
- through the SSH tunnel.
-}
- .pl.t insert end $msg
- wm deiconify .pl
-}
-
-proc mesg {str} {
- set maxx 60
- if [regexp {^INFO: without Certificate} $str] {
- set maxx 72
- }
- if {[string length $str] > $maxx} {
- set lend [expr $maxx - 1]
- set str [string range $str 0 $lend]
- append str " ..."
- }
- .l configure -text $str
- update
- global env
- if [info exists env(SSVNC_MESG_DELAY)] {
- after $env(SSVNC_MESG_DELAY)
- }
-}
-
-proc get_ssh_hp {str} {
- regsub {cmd=.*$} $str "" str
- set str [string trim $str]
- regsub {[ ].*$} $str "" str
- return $str
-}
-
-proc get_ssh_cmd {str} {
- set str [string trim $str]
- global ts_only
- if {$ts_only} {
- return [ts_x11vnc_cmd]
- }
- if [regexp {cmd=(.*$)} $str m cmd] {
- set cmd [string trim $cmd]
- regsub -nocase {^%x11vncr$} $cmd "x11vnc -nopw -display none -rawfb rand" cmd
- regsub -nocase {^%x11vnc$} $cmd "x11vnc -nopw -display none -rawfb null" cmd
- return $cmd
- } else {
- return ""
- }
-}
-
-proc get_ssh_proxy {str} {
- set str [string trim $str]
- regsub {cmd=.*$} $str "" str
- set str [string trim $str]
- if { ![regexp {[ ]} $str]} {
- return ""
- }
- regsub {^.*[ ][ ]*} $str "" str
- return $str
-}
-
-proc ts_x11vnc_cmd {} {
- global is_windows
- global ts_xserver_type choose_xserver ts_desktop_type choose_desktop ts_unixpw ts_vncshared
- global ts_desktop_size ts_desktop_depth choose_desktop_geom
- global choose_filexfer ts_filexfer
- global ts_x11vnc_opts ts_x11vnc_path ts_x11vnc_autoport choose_x11vnc_opts
- global ts_othervnc choose_othervnc ts_xlogin
- global choose_sleep extra_sleep
-
- set cmd ""
- if {$choose_x11vnc_opts && $ts_x11vnc_path != ""} {
- set cmd $ts_x11vnc_path
- } else {
- set cmd "x11vnc"
- }
- if {! $is_windows} {
- set cmd "PORT= $cmd"
- } else {
- set cmd "PORT= $cmd"
- }
-
- set type $ts_xserver_type;
- if {! $choose_xserver} {
- set type ""
- }
- if {$choose_othervnc && $ts_othervnc == "find"} {
- set type "Xvnc.redirect"
- }
-
- if [info exists choose_sleep] {
- if {! $choose_sleep} {
- set extra_sleep ""
- }
- }
-
- if {$choose_othervnc && $ts_othervnc != "find"} {
- set cmd "$cmd -redirect $ts_othervnc"
- } elseif {$type == ""} {
- global ts_xserver_type_def
- if {$ts_xserver_type_def != ""} {
- set cmd "$cmd -display WAIT:cmd=FINDCREATEDISPLAY-$ts_xserver_type_def";
- } else {
- set cmd "$cmd -display WAIT:cmd=FINDCREATEDISPLAY-Xvfb";
- }
- } elseif {$type == "Xvfb"} {
- set cmd "$cmd -display WAIT:cmd=FINDCREATEDISPLAY-Xvfb";
- } elseif {$type == "Xdummy"} {
- set cmd "$cmd -display WAIT:cmd=FINDCREATEDISPLAY-Xdummy";
- } elseif {$type == "Xvnc"} {
- set cmd "$cmd -display WAIT:cmd=FINDCREATEDISPLAY-Xvnc";
- } elseif {$type == "Xvnc.redirect"} {
- set cmd "$cmd -display WAIT:cmd=FINDCREATEDISPLAY-Xvnc.redirect";
- }
-
- # TBD: Cups + sound
-
- set cmd "$cmd -localhost";
- set cmd "$cmd -nopw";
- global ts_ncache choose_ncache
- if {$choose_ncache && [regexp {^[0-9][0-9]*$} $ts_ncache]} {
- set cmd "$cmd -ncache $ts_ncache";
- } else {
- #set cmd "$cmd -nonc";
- }
- set cmd "$cmd -timeout 120";
- global ts_multisession choose_multisession
- regsub -all {[^A-z0-9_-]} $ts_multisession "" ts_multisession
- if {$choose_multisession && $ts_multisession != ""} {
- set cmd "$cmd -env FD_TAG='$ts_multisession'";
- }
- if {$choose_filexfer && $ts_filexfer != ""} {
- if {$ts_filexfer == "tight"} {
- set cmd "$cmd -tightfilexfer";
- } else {
- set cmd "$cmd -ultrafilexfer";
- }
- }
- if {$ts_unixpw} {
- set cmd "$cmd -unixpw";
- }
- if {$ts_vncshared} {
- set cmd "$cmd -shared";
- }
- set u "unknown"
- global env
- if {[info exists env(USER)]} {
- regsub -all {[^A-z]} $env(USER) "_" u
- }
- set cmd "$cmd -o \$HOME/.tsvnc.log.$u"; # XXX perms
-
- set sess "kde"
- global ts_desktop_type_def
- if {$ts_desktop_type_def != ""} {
- set sess $ts_desktop_type_def
- }
- if {$choose_desktop && $ts_desktop_type != ""} {
- set sess $ts_desktop_type
- }
- set cmd "$cmd -env FD_SESS=$sess";
-
- if {$choose_desktop_geom} {
- set geom "1280x1024"
- set dep 16
- global ts_desktop_size_def ts_desktop_depth_def
- if {$ts_desktop_size_def != ""} {
- set geom $ts_desktop_size_def
- }
- if {$ts_desktop_depth_def != ""} {
- set dep $ts_desktop_depth_def
- }
- if {$ts_desktop_size != ""} {
- if [regexp {^[0-9][0-9]*x[0-9][0-9]*$} $ts_desktop_size] {
- set geom $ts_desktop_size
- }
- if {$ts_desktop_depth != ""} {
- set geom "${geom}x$ts_desktop_depth"
- } else {
- set geom "${geom}x$dep"
- }
- } else {
- set geom "${geom}x$dep"
- }
- set cmd "$cmd -env FD_GEOM=$geom";
- }
- if {$is_windows} {
- ;
- } elseif {$choose_x11vnc_opts && $ts_x11vnc_autoport != "" && [regexp {^[0-9][0-9]*$} $ts_x11vnc_autoport]} {
- set cmd "$cmd -autoport $ts_x11vnc_autoport";
- } else {
- set cmd "$cmd -env AUTO_PORT=5950";
- }
- if {$choose_x11vnc_opts && $ts_x11vnc_opts != ""} {
- set cmd "$cmd $ts_x11vnc_opts";
- }
- if {$ts_xlogin} {
- regsub {PORT= } $cmd "PORT= sudo " cmd
- regsub {P= } $cmd "P= sudo " cmd
- regsub { -o [^ ][^ ]*} $cmd "" cmd
-
- set cmd "$cmd -env FD_XDM=1";
- }
-
- return $cmd
-}
-
-proc set_defaults {} {
- global defs env
-
- global mycert svcert crtdir crlfil
- global use_alpha use_turbovnc disable_pipeline use_grab use_ssl use_ssh use_sshssl use_viewonly use_fullscreen use_bgr233
- global use_send_clipboard use_send_always
- global disable_all_encryption
- global use_nojpeg use_raise_on_beep use_compresslevel use_quality use_x11_macosx
- global compresslevel_text quality_text
- global use_cups use_sound use_smbmnt
- global cups_local_server cups_remote_port cups_manage_rcfile ts_cups_manage_rcfile cups_x11vnc
- global cups_local_smb_server cups_remote_smb_port
- global change_vncviewer change_vncviewer_path vncviewer_realvnc4
- global choose_xserver ts_xserver_type choose_desktop ts_desktop_type ts_unixpw ts_vncshared
- global choose_filexfer ts_filexfer
- global ts_x11vnc_opts choose_x11vnc_opts ts_x11vnc_path ts_x11vnc_autoport ts_xlogin
- global ts_othervnc choose_othervnc choose_sleep
- global choose_ncache ts_ncache choose_multisession ts_multisession
- global ts_mode ts_desktop_size ts_desktop_depth choose_desktop_geom
- global additional_port_redirs additional_port_redirs_list
- global stunnel_local_protection stunnel_local_protection_type ssh_local_protection multiple_listen listen_once listen_accept_popup listen_accept_popup_sc
- global ssh_known_hosts ssh_known_hosts_filename
- global ultra_dsm ultra_dsm_type ultra_dsm_file ultra_dsm_noultra ultra_dsm_salt
- global sound_daemon_remote_cmd sound_daemon_remote_port sound_daemon_kill sound_daemon_restart
- global sound_daemon_local_cmd sound_daemon_local_port sound_daemon_local_kill sound_daemon_x11vnc sound_daemon_local_start
- global smb_su_mode smb_mount_list
- global use_port_knocking port_knocking_list port_slot putty_args
- global ycrop_string ssvnc_scale ssvnc_escape sbwid_string rfbversion ssvnc_encodings ssvnc_extra_opts use_x11cursor use_nobell use_rawlocal use_notty use_popupfix extra_sleep use_listen use_unixpw use_x11vnc_find unixpw_username
- global disable_ssl_workarounds disable_ssl_workarounds_type
- global no_probe_vencrypt server_vencrypt server_anondh
- global include_list
- global svcert_default mycert_default crlfil_default
-
-
- set defs(use_viewonly) 0
- set defs(use_listen) 0
- set defs(disable_ssl_workarounds) 0
- set defs(disable_ssl_workarounds_type) "none"
- set defs(use_unixpw) 0
- set defs(unixpw_username) ""
- set defs(use_x11vnc_find) 0
- set defs(use_fullscreen) 0
- set defs(use_raise_on_beep) 0
- set defs(use_bgr233) 0
- set defs(use_alpha) 0
- set defs(use_send_clipboard) 0
- set defs(use_send_always) 0
- set defs(use_turbovnc) 0
- set defs(disable_pipeline) 0
- set defs(no_probe_vencrypt) 0
- set defs(server_vencrypt) 0
- set defs(server_anondh) 0
- set defs(use_grab) 0
- set defs(use_nojpeg) 0
- set defs(use_x11_macosx) 1
- if [info exists env(SSVNC_COTVNC)] {
- if {$env(SSVNC_COTVNC) != 0} {
- set defs(use_x11_macosx) 0
- }
- } elseif {![info exists env(DISPLAY)]} {
- set defs(use_x11_macosx) 0
- }
- set defs(use_compresslevel) "default"
- set defs(use_quality) "default"
- set defs(compresslevel_text) "Compress Level: default"
- set defs(quality_text) "Quality: default"
-
- set defs(mycert) $mycert_default
- set defs(svcert) $svcert_default
- set defs(crtdir) "ACCEPTED_CERTS"
- set defs(crlfil) $crlfil_default
-
- set defs(use_cups) 0
- set defs(use_sound) 0
- set defs(use_smbmnt) 0
-
- set defs(choose_xserver) 0
- set defs(ts_xserver_type) ""
- set defs(choose_desktop) 0
- set defs(ts_desktop_type) ""
- set defs(ts_desktop_size) ""
- set defs(ts_desktop_depth) ""
- set defs(choose_desktop_geom) 0
- set defs(ts_unixpw) 0
- set defs(ts_vncshared) 0
- set defs(ts_ncache) 8
- set defs(choose_ncache) 0
- set defs(ts_multisession) ""
- set defs(choose_multisession) 0
- set defs(ts_filexfer) ""
- set defs(choose_filexfer) 0
- set defs(choose_x11vnc_opts) 0
- set defs(ts_x11vnc_opts) ""
- set defs(ts_x11vnc_path) ""
- set defs(ts_x11vnc_autoport) ""
- set defs(ts_othervnc) ""
- set defs(choose_othervnc) 0
- set defs(ts_xlogin) 0
- set defs(ts_mode) 0
-
- set defs(change_vncviewer) 0
- set defs(change_vncviewer_path) ""
- set defs(cups_manage_rcfile) 1
- set defs(ts_cups_manage_rcfile) 0
- set defs(cups_x11vnc) 0
- set defs(vncviewer_realvnc4) 0
-
- set defs(additional_port_redirs) 0
- set defs(additional_port_redirs_list) ""
-
- set defs(stunnel_local_protection) 1
- set defs(stunnel_local_protection_type) "exec"
- set defs(ssh_local_protection) 1
- set defs(ssh_known_hosts) 0
- set defs(ssh_known_hosts_filename) ""
- set defs(multiple_listen) 0
- set defs(listen_once) 0
- set defs(listen_accept_popup) 0
- set defs(listen_accept_popup_sc) 0
-
- set defs(ultra_dsm) 0
- set defs(ultra_dsm_file) ""
- set defs(ultra_dsm_type) "guess"
- set defs(ultra_dsm_noultra) 0
- set defs(ultra_dsm_salt) ""
-
- set defs(port_slot) ""
- set defs(putty_args) ""
-
- set defs(cups_local_server) ""
- set defs(cups_remote_port) ""
- set defs(cups_local_smb_server) ""
- set defs(cups_remote_smb_port) ""
-
- set defs(smb_su_mode) "sudo"
- set defs(smb_mount_list) ""
-
- set defs(sound_daemon_remote_cmd) ""
- set defs(sound_daemon_remote_port) ""
- set defs(sound_daemon_kill) 0
- set defs(sound_daemon_restart) 0
-
- set defs(sound_daemon_local_cmd) ""
- set defs(sound_daemon_local_port) ""
- set defs(sound_daemon_local_start) 0
- set defs(sound_daemon_local_kill) 0
- set defs(sound_daemon_x11vnc) 0
-
- set defs(ycrop_string) ""
- set defs(ssvnc_scale) ""
- set defs(ssvnc_escape) ""
- set defs(sbwid_string) ""
- set defs(rfbversion) ""
- set defs(ssvnc_encodings) ""
- set defs(ssvnc_extra_opts) ""
- set defs(use_x11cursor) 0
- set defs(use_nobell) 0
- set defs(use_rawlocal) 0
- set defs(use_notty) 0
- set defs(use_popupfix) 0
- set defs(extra_sleep) ""
- set defs(use_port_knocking) 0
- set defs(port_knocking_list) ""
-
- set defs(include_list) ""
-
- set dir [get_profiles_dir]
- set deffile ""
- if [file exists "$dir/defaults"] {
- set deffile "$dir/defaults"
- } elseif [file exists "$dir/defaults.vnc"] {
- set deffile "$dir/defaults.vnc"
- }
- if {$deffile != ""} {
- set fh ""
- catch {set fh [open $deffile "r"]}
- if {$fh != ""} {
- while {[gets $fh line] > -1} {
- set line [string trim $line]
- if [regexp {^#} $line] {
- continue
- }
- if [regexp {^([^=]*)=(.*)$} $line m var val] {
- if {$var == "disp"} {
- continue
- }
- if [info exists defs($var)] {
- set pct 0
- if {$var == "smb_mount_list"} {
- set pct 1
- }
- if {$var == "port_knocking_list"} {
- set pct 1
- }
- if {$pct} {
- regsub -all {%%%} $val "\n" val
- }
- set defs($var) $val
- }
- }
- }
- close $fh
- }
- }
-
- global ssh_only ts_only
- if {$ssh_only || $ts_only} {
- set defs(use_ssl) 0
- set defs(use_ssh) 1
- set defs(use_sshssl) 0
- } else {
- set defs(use_ssl) 1
- set defs(use_ssh) 0
- set defs(use_sshssl) 0
- }
- set defs(disable_all_encryption) 0
-
- foreach var [array names defs] {
- set $var $defs($var)
- }
-
- global vncauth_passwd unixpw_passwd
- set vncauth_passwd ""
- set unixpw_passwd ""
-
- if {$ssh_only || $ts_only} {
- ssl_ssh_adjust ssh
- } else {
- ssl_ssh_adjust ssl
- }
- listen_adjust
- unixpw_adjust
-
- global last_load
- set last_load ""
-}
-
-proc windows_listening_message {n} {
- global did_listening_message
-
- global extra_cmd
- set extra_cmd ""
- set cmd [get_cmd $n]
-
- if {$did_listening_message < 2} {
- incr did_listening_message
- global listening_name
-
- set ln $listening_name
- if {$ln == ""} {
- set ln "this-computer:$n"
- }
-
- set msg "
- About to start the Listening VNC Viewer (Reverse Connection).
-
- The VNC Viewer command to be run is:
-
- $cmd
-
- After the Viewer starts listening, the VNC server should
- then Reverse connect to:
-
- $ln
-
- When the VNC Connection has ended **YOU MUST MANUALLY STOP**
- the Listening VNC Viewer.
-
- To stop the Listening Viewer: right click on the VNC Icon in
- the tray and select 'Close listening daemon' (or similar).
-
- ONLY AFTER THAT will you return to the SSVNC GUI.
-
- Click OK now to start the Listening VNC Viewer.$extra_cmd
-"
- global use_ssh use_sshssl
- if {$use_ssh || $use_sshssl} {
- set msg "${msg} NOTE: You will probably also need to kill the SSH in the\n terminal via Ctrl-C"
- }
-
- global help_font is_windows system_button_face
- toplev .wll
- global wll_done
-
- set wll_done 0
-
- eval text .wll.t -width 64 -height 22 $help_font
- button .wll.d -text "OK" -command {destroy .wll; set wll_done 1}
- pack .wll.t .wll.d -side top -fill x
-
- apply_bg .wll.t
-
- center_win .wll
- wm resizable .wll 1 0
-
- wm title .wll "SSL/SSH Viewer: Listening VNC Info"
-
- .wll.t insert end $msg
-
- vwait wll_done
- }
-}
-
-proc get_cmd {n} {
- global use_alpha use_grab use_x11cursor use_nobell use_ssh
- global use_sshssl use_viewonly use_fullscreen use_bgr233
- global use_nojpeg use_raise_on_beep use_compresslevel use_quality
- global use_send_clipboard use_send_always change_vncviewer
- global change_vncviewer_path vncviewer_realvnc4 use_listen
- global disable_ssl_workarounds disable_ssl_workarounds_type env
-
- set cmd "vncviewer"
- if {$change_vncviewer && $change_vncviewer_path != ""} {
- set cmd [string trim $change_vncviewer_path]
- regsub -all {\\} $cmd {/} cmd
- if {[regexp {[ \t]} $cmd]} {
- if {[regexp -nocase {\.exe$} $cmd]} {
- if {! [regexp {["']} $cmd]} { #"
- # hmmm, not following instructions, are they?
- set cmd "\"$cmd\""
- }
- }
- }
- }
- if {$use_viewonly} {
- if {$vncviewer_realvnc4} {
- append cmd " viewonly=1"
- } else {
- append cmd " /viewonly"
- }
- }
- if {$use_fullscreen} {
- if {$vncviewer_realvnc4} {
- append cmd " fullscreen=1"
- } else {
- append cmd " /fullscreen"
- }
- }
- if {$use_bgr233} {
- if {$vncviewer_realvnc4} {
- append cmd " lowcolourlevel=1"
- } else {
- append cmd " /8bit"
- }
- }
- if {$use_nojpeg} {
- if {! $vncviewer_realvnc4} {
- append cmd " /nojpeg"
- }
- }
- if {$use_raise_on_beep} {
- if {! $vncviewer_realvnc4} {
- append cmd " /belldeiconify"
- }
- }
- if {$use_compresslevel != "" && $use_compresslevel != "default"} {
- if {$vncviewer_realvnc4} {
- append cmd " zliblevel=$use_compresslevel"
- } else {
- append cmd " /compresslevel $use_compresslevel"
- }
- }
- if {$use_quality != "" && $use_quality != "default"} {
- if {! $vncviewer_realvnc4} {
- append cmd " /quality $use_quality"
- }
- }
-
- global extra_cmd
- set extra_cmd ""
- if {$use_listen} {
- if {$vncviewer_realvnc4} {
- append cmd " listen=1"
- } else {
- append cmd " /listen"
- }
- set nn $n
- if {$nn < 100} {
- set nn [expr "$nn + 5500"]
- }
- global direct_connect_reverse_host_orig is_win9x
- if {![info exists direct_connect_reverse_host_orig]} {
- set direct_connect_reverse_host_orig ""
- }
- if {$direct_connect_reverse_host_orig != "" && !$is_win9x} {
- set nn2 [expr $nn + 15]
- set h0 $direct_connect_reverse_host_orig
- global win_localhost
- set extra_cmd "\n\nrelay6.exe $nn $win_localhost $nn2 /b:$h0"
- set nn $nn2
- }
-
- append cmd " $nn"
-
- } else {
- if [regexp {^[0-9][0-9]*$} $n] {
- global win_localhost
- append cmd " $win_localhost:$n"
- } else {
- append cmd " $n"
- }
- }
- return $cmd
-}
-
-proc do_viewer_windows {n} {
- global use_listen env
-
- set cmd [get_cmd $n]
-
- set ipv6_pid2 ""
- if {$use_listen} {
- set nn $n
- if {$nn < 100} {
- set nn [expr "$nn + 5500"]
- }
- global direct_connect_reverse_host_orig is_win9x
- if {![info exists direct_connect_reverse_host_orig]} {
- set direct_connect_reverse_host_orig ""
- }
- if {$direct_connect_reverse_host_orig != "" && !$is_win9x} {
- set nn2 [expr $nn + 15]
- set h0 $direct_connect_reverse_host_orig
- global win_localhost
- set ipv6_pid2 [exec relay6.exe $nn $win_localhost $nn2 /b:$h0 &]
- set nn $nn2
- }
- }
-
- if [info exists env(SSVNC_EXTRA_SLEEP)] {
- set t $env(SSVNC_EXTRA_SLEEP)
- mesg "sleeping an extra $t seconds..."
- set t [expr "$t * 1000"]
- after $t
- }
- global extra_sleep
- if {$extra_sleep != ""} {
- set t $extra_sleep
- mesg "sleeping an extra $t seconds..."
- set t [expr "$t * 1000"]
- after $t
- }
-
- mesg $cmd
- set emess ""
- set rc [catch {eval exec $cmd} emess]
-
- if {$ipv6_pid2 != ""} {
- winkill $ipv6_pid2
- }
-
- if {$rc != 0} {
- raise .
- tk_messageBox -type ok -icon error -message $emess -title "Error: $cmd"
- }
-}
-
-proc get_netstat {} {
- set ns ""
- catch {set ns [exec netstat -an]}
- return $ns
-}
-
-proc get_ipconfig {} {
- global is_win9x
- set ip ""
- if {! $is_win9x} {
- catch {set ip [exec ipconfig]}
- return $ip
- }
-
- set file "ip"
- append file [pid]
- append file ".txt"
-
- # VF
- catch {[exec winipcfg /Batch $file]}
-
- if [file exists $file] {
- set fh [open $file "r"]
- while {[gets $fh line] > -1} {
- append ip "$line\n"
- }
- close $fh
- catch {file delete $file}
- }
- return $ip
-}
-
-proc read_file {file} {
- set str ""
- if [file exists $file] {
- set fh ""
- catch {set fh [open $file "r"]}
- if {$fh != ""} {
- while {[gets $fh line] > -1} {
- append str "$line\n"
- }
- close $fh
- }
- }
- return $str
-}
-
-proc guess_nat_ip {} {
- global save_nat last_save_nat
- set s ""
-
- if {! [info exists save_nat]} {
- set save_nat ""
- set last_save_nat 0
- }
- if {$save_nat != ""} {
- set now [clock seconds]
- if {$now < $last_save_nat + 45} {
- return $save_nat
- }
- }
- set s ""
- catch {set s [socket "www.whatismyip.com" 80]}
- set ip "unknown"
- if {$s != ""} {
- fconfigure $s -buffering none
- #puts $s "GET / HTTP/1.1"
- puts $s "GET /automation/n09230945.asp HTTP/1.1"
- puts $s "Host: www.whatismyip.com"
- puts $s "Connection: close"
- puts $s ""
- flush $s
- set on 0
- while { [gets $s line] > -1 } {
- if {! $on && [regexp {<HEAD>} $line]} {set on 1}
- if {! $on && [regexp {<HTML>} $line]} {set on 1}
- if {! $on && [regexp {<TITLE>} $line]} {set on 1}
- if {! $on && [regexp {^[0-9][0-9]*\.[0-9]} $line]} {set on 1}
- if {! $on} {
- continue;
- }
- if [regexp {([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*)} $line ip] {
- break
- }
- }
- close $s
- }
- if {$ip != "unknown"} {
- set save_nat $ip
- set last_save_nat [clock seconds]
- }
- return $ip
-}
-
-proc check_for_ipv6 {} {
- global is_windows have_ipv6
- if {$have_ipv6 != ""} {
- return
- }
- if {! $is_windows} {
- set out ""
- catch {set out [exec netstat -an]}
- if [regexp {tcp6} $out] {
- set have_ipv6 1
- } elseif [regexp {udp6} $out] {
- set have_ipv6 1
- } elseif [regexp {:::} $out] {
- set have_ipv6 1
- } elseif [regexp {::1} $out] {
- set have_ipv6 1
- } elseif [regexp {TCP: IPv6.*LISTEN} $out] {
- set have_ipv6 1
- } else {
- set have_ipv6 0
- }
- } else {
- set out [get_ipconfig]
- set out [string trim $out]
- if {$out == ""} {
- catch {set out [exec ping6 -n 1 -w 2000 ::1]}
- if [regexp {Reply from.*bytes} $out] {
- if [regexp {Received = 1} $out] {
- set have_ipv6 1
- return
- }
- }
- set have_ipv6 0
- return
- }
- foreach line [split $out "\n\r"] {
- if {[regexp -nocase {IP Address.*:[ \t]*[a-f0-9]*:[a-f0-9]*:} $line]} {
- set have_ipv6 1
- return
- }
- }
- set have_ipv6 0
- }
-}
-proc guess_ip {} {
- global is_windows
- if {! $is_windows} {
- set out ""
- set out [get_hostname]
- if {$out != ""} {
- set hout ""
- catch {set hout [exec host $out]}
- if {$hout != ""} {
- if [regexp {has address ([.0-9][.0-9]*)} $hout mvar ip] {
- set ip [string trim $ip]
- return $ip
- }
- }
- }
- return ""
- } else {
- set out [get_ipconfig]
- set out [string trim $out]
- if {$out == ""} {
- return ""
- }
- foreach line [split $out "\n\r"] {
- if {[regexp -nocase {IP Address.*:[ \t]*([.0-9][.0-9]*)} $line mvar ip]} {
- set ip [string trim $ip]
- if [regexp {^[.0]*$} $ip] {
- continue
- }
- if [regexp {127\.0\.0\.1} $ip] {
- continue
- }
- if {$ip != ""} {
- return $ip
- }
- }
- }
- foreach line [split $out "\n\r"] {
- if {[regexp -nocase {IP Address.*:[ \t]*([:a-f0-9][%:a-f0-9]*)} $line mvar ip]} {
- set ip [string trim $ip]
- if [regexp {^[.0]*$} $ip] {
- continue
- }
- if [regexp {127\.0\.0\.1} $ip] {
- continue
- }
- if {$ip != ""} {
- return $ip
- }
- }
- }
- }
-}
-
-proc bat_sleep {fh} {
- global env
- if [info exists env(SSVNC_BAT_SLEEP)] {
- puts $fh "@echo ."
- puts $fh "@echo -----"
- puts $fh "@echo Debug: BAT SLEEP for $env(SSVNC_BAT_SLEEP) seconds ..."
- puts $fh "@ping -n $env(SSVNC_BAT_SLEEP) -w 1000 0.0.0.1 > NUL"
- puts $fh "@echo BAT SLEEP done."
- }
-}
-
-proc windows_start_sound_daemon {file} {
- global env
- global use_sound sound_daemon_local_cmd sound_daemon_local_start
-
- # VF
- regsub {\.bat} $file "snd.bat" file2
- set fh2 [open $file2 "w"]
-
- puts $fh2 $sound_daemon_local_cmd
- bat_sleep $fh2
- puts $fh2 "del $file2"
- close $fh2
-
- mesg "Starting SOUND daemon..."
- if [info exists env(COMSPEC)] {
- if [info exists env(SSVNC_BAT_SLEEP)] {
- exec $env(COMSPEC) /c start $env(COMSPEC) /c $file2 &
- } else {
- exec $env(COMSPEC) /c $file2 &
- }
- } else {
- if [info exists env(SSVNC_BAT_SLEEP)] {
- exec cmd.exe /c start cmd.exe /c $file2 &
- } else {
- exec cmd.exe /c $file2 &
- }
- }
- after 1500
-}
-
-proc winkill {pid} {
- global is_win9x
-
- if {$pid == ""} {
- return
- }
- if {! $is_win9x} {
- catch {exec tskill.exe $pid}
- after 100
- catch {exec taskkill.exe /PID $pid}
- after 100
- }
- catch {exec w98/kill.exe /f $pid}
-}
-
-proc windows_stop_sound_daemon {} {
- global use_sound sound_daemon_local_cmd sound_daemon_local_start
-
- set cmd [string trim $sound_daemon_local_cmd]
-
- regsub {[ \t].*$} $cmd "" cmd
- regsub {^.*\\} $cmd "" cmd
- regsub {^.*/} $cmd "" cmd
-
- if {$cmd == ""} {
- return
- }
-
- set output [get_task_list]
-
- foreach line [split $output "\n\r"] {
- if [regexp "$cmd" $line] {
- if [regexp {(-?[0-9][0-9]*)} $line m p] {
- set pids($p) $line
- }
- }
- }
-
- set count 0
- foreach pid [array names pids] {
- mesg "Stopping SOUND pid: $pid"
- winkill $pid
- if {$count == 0} {
- after 1200
- } else {
- after 500
- }
- incr count
- }
-}
-
-proc contag {} {
- global concount
- if {! [info exists concount]} {
- set concount 0
- }
- incr concount
- set str [pid]
- set str "-$str-$concount"
-}
-
-proc make_plink {} {
- toplev .plink
- #wm geometry .plink +700+500
- wm geometry .plink -40-40
- wm title .plink "plink SSH status?"
- set wd 37
- label .plink.l1 -anchor w -text "Login via plink/ssh to the remote server" -width $wd
- label .plink.l2 -anchor w -text "(supply username and password as needed)." -width $wd
- label .plink.l3 -anchor w -text "" -width $wd
- label .plink.l4 -anchor w -text "After ssh is set up, AND if the connection" -width $wd
- label .plink.l5 -anchor w -text "success is not autodetected, please click" -width $wd
- label .plink.l6 -anchor w -text "one of these buttons:" -width $wd
- global plink_status
- button .plink.fail -text "Failed" -command {destroy .plink; set plink_status no}
- button .plink.ok -text "Success" -command {destroy .plink; set plink_status yes}
- pack .plink.l1 .plink.l2 .plink.l3 .plink.l4 .plink.l5 .plink.l6 .plink.fail .plink.ok -side top -fill x
-
- update
-}
-
-proc ssh_split {str} {
- regsub { .*$} $str "" str
- if {! [regexp {:[0-9][0-9]*$} $str]} {
- append str ":22"
- }
- regsub {:[0-9][0-9]*$} $str "" ssh_host
- regsub {^.*:} $str "" ssh_port
- if {$ssh_port == ""} {
- set ssh_port 22
- }
- if [regexp {@} $ssh_host] {
- regsub {@.*$} $ssh_host "" ssh_user
- regsub {^.*@} $ssh_host "" ssh_host
- } else {
- set ssh_user ""
- }
- return [list $ssh_user $ssh_host $ssh_port]
-}
-
-proc check_debug_netstat {port str wn} {
- global debug_netstat
- if {! [info exists debug_netstat]} {
- return
- }
- if {$debug_netstat == "0" || $debug_netstat == ""} {
- return
- }
- mesg "DBG: $wn"
-
- toplev .dbns
-
- set h 35
- if [small_height] {
- set h 28
- }
- scroll_text_dismiss .dbns.f 82 $h
- center_win .dbns
- .dbns.f.t insert end "LOOKING FOR PORT: $port\n\n$str"
- jiggle_text .dbns.f.t
- update
- after 1000
-}
-
-proc launch_windows_ssh {hp file n} {
- global is_win9x env
- global use_sshssl use_ssh putty_pw putty_args
- global port_knocking_list
- global use_listen listening_name
- global disable_ssl_workarounds disable_ssl_workarounds_type
- global ts_only
- global debug_netstat
-
- set hpnew [get_ssh_hp $hp]
- set proxy [get_ssh_proxy $hp]
- set sshcmd [get_ssh_cmd $hp]
-
- global win_localhost
-
- set vnc_host $win_localhost
- set vnc_disp $hpnew
- regsub {^.*:} $vnc_disp "" vnc_disp
-
- regsub {\.bat} $file ".flg" flag
-
- if {$ts_only} {
- regsub {:0$} $hpnew "" hpnew
- if {$proxy == ""} {
- if {[regexp {^(.*):([0-9][0-9]*)$} $hpnew mv sshhst sshpt]} {
- set proxy "$sshhst:$sshpt"
- set hpnew $win_localhost
- }
- } else {
- if {![regexp {,} $proxy]} {
- if {$hpnew != $win_localhost} {
- set proxy "$proxy,$hpnew"
- set hpnew $win_localhost
- }
- }
- }
- } elseif {![regexp {^-?[0-9][0-9]*$} $vnc_disp]} {
- if {[regexp {cmd=SHELL} $hp]} {
- ;
- } elseif {[regexp {cmd=PUTTY} $hp]} {
- ;
- } else {
- # XXX add :0 instead?
- if {1} {
- set vnc_disp "vnc_disp:0"
- mesg "Added :0 to $vnc_disp"
- } else {
- mesg "Bad vncdisp, missing :0 ?, $vnc_disp"
- bell
- return 0
- }
- }
- }
-
- if {$use_listen} {
- set vnc_port 5500
- } else {
- set vnc_port 5900
- }
-
- if {$ts_only || [regexp {PORT= .*x11vnc} $sshcmd] || [regexp {P= .*x11vnc} $sshcmd]} {
- regsub {PORT= [ ]*} $sshcmd "" sshcmd
- regsub {P= [ ]*} $sshcmd "" sshcmd
- set vnc_port [expr "8100 + int(4000 * rand())"]
- set sshcmd "$sshcmd -rfbport $vnc_port"
- } elseif {[regexp {^-[0-9][0-9]*$} $vnc_disp]} {
- set vnc_port [expr "- $vnc_disp"]
- } elseif {![regexp {^[0-9][0-9]*$} $vnc_disp]} {
- ;
- } elseif {$vnc_disp < 200} {
- if {$use_listen} {
- set vnc_port [expr $vnc_disp + 5500]
- } else {
- set vnc_port [expr $vnc_disp + 5900]
- }
- } else {
- set vnc_port $vnc_disp
- }
-
- global ssh_ipv6_pid
- set ssh_ipv6_pid ""
-
- set ssh_port 22
- set ssh_host [host_part $hpnew]
-
- set double_ssh ""
- set p_port ""
- if {$proxy != ""} {
- if [regexp -nocase {(http|https|socks|socks4|socks5|repeater)://} $proxy] {
- set pproxy ""
- set sproxy1 ""
- set sproxy_rest ""
- set sproxy1_host ""
- set sproxy1_user ""
- set sproxy1_port ""
- foreach part [split $proxy ","] {
- if {[regexp {^[ ]*$} $part]} {
- continue
- }
- if [regexp -nocase {^(http|https|socks|socks4|socks5|repeater)://} $part] {
- if {$pproxy == ""} {
- set pproxy $part
- } else {
- set pproxy "$pproxy,$part"
- }
- } else {
- if {$sproxy1 == ""} {
- set sproxy1 $part
- } else {
- if {$sproxy_rest == ""} {
- set sproxy_rest $part
- } else {
- set sproxy_rest "$sproxy_rest,$part"
- }
- }
- }
- }
-
-#mesg "pproxy: $pproxy"; after 2000
-#mesg "sproxy1: $sproxy1"; after 2000
-#mesg "sproxy_rest: $sproxy_rest"; after 2000
-#mesg "ssh_host: $ssh_host"; after 2000
-#mesg "ssh_port: $ssh_port"; after 2000
-
- if {$sproxy1 != ""} {
- regsub {:[0-9][0-9]*$} $sproxy1 "" sproxy1_host
- regsub {^.*@} $sproxy1_host "" sproxy1_host
- regsub {@.*$} $sproxy1 "" sproxy1_user
- regsub {^.*:} $sproxy1 "" sproxy1_port
- } else {
- regsub {:[0-9][0-9]*$} $ssh_host "" sproxy1_host
- regsub {^.*@} $sproxy1_host "" sproxy1_host
- regsub {@.*$} $ssh_host "" sproxy1_user
- regsub {^.*:} $ssh_host "" sproxy1_port
- }
- if {![regexp {^[0-9][0-9]*$} $sproxy1_port]} {
- set sproxy1_port 22
- }
- if {$sproxy1_user != ""} {
- set sproxy1_user "$sproxy1_user@"
- }
-
-#mesg "sproxy1_host: $sproxy1_host"; after 2000
-#mesg "sproxy1_user: $sproxy1_user"; after 2000
-#mesg "sproxy1_port: $sproxy1_port"; after 2000
-
- set port2 ""
- if [regexp -- {-([0-9][0-9]*)} [file tail $file] mv dport] {
- set port2 [expr 21000 + $dport]
- } else {
- set port2 [rand_port]
- }
-
- global have_ipv6
- if {$have_ipv6} {
- set res [ipv6_proxy $pproxy "" ""]
- set pproxy [lindex $res 0]
- set ssh_ipv6_pid [lindex $res 3]
- }
-
- set env(SSVNC_PROXY) $pproxy
- set env(SSVNC_LISTEN) $port2
- set env(SSVNC_DEST) "$sproxy1_host:$sproxy1_port"
-
- mesg "Starting Proxy TCP helper on port $port2 ..."
- after 300
- # ssh br case:
- set proxy_pid [exec "connect_br.exe" &]
-
- catch { unset env(SSVNC_PROXY) }
- catch { unset env(SSVNC_LISTEN) }
- catch { unset env(SSVNC_DEST) }
-
- if {$sproxy1 == ""} {
- set proxy "$win_localhost:$port2"
- if [regexp {^(.*)@} $ssh_host mv u] {
- set proxy "$u@$proxy"
- }
- } else {
- set proxy "${sproxy1_user}$win_localhost:$port2"
- }
- if {$sproxy_rest != ""} {
- set proxy "$proxy,$sproxy_rest"
- }
- mesg "Set proxy to: $proxy"
- after 300
- }
- if [regexp {,} $proxy] {
- if {$is_win9x} {
- mesg "Double proxy does not work on Win9x"
- bell
- winkill $ssh_ipv6_pid
- set ssh_ipv6_pid ""
- return 0
- }
- # user1@gateway:port1,user2@workstation:port2
- set proxy1 ""
- set proxy2 ""
- set s [split $proxy ","]
- set proxy1 [lindex $s 0]
- set proxy2 [lindex $s 1]
-
- set p_port ""
- if [regexp -- {-([0-9][0-9]*)} [file tail $file] mv dport] {
- set p_port [expr 4000 + $dport]
- } else {
- set p_port [expr 3000 + 1000 * rand()]
- set p_port [expr round($p_port)]
- }
-
- set s [ssh_split $proxy1]
- set ssh_user1 [lindex $s 0]
- set ssh_host1 [lindex $s 1]
- set ssh_port1 [lindex $s 2]
-
- set s [ssh_split $proxy2]
- set ssh_user2 [lindex $s 0]
- set ssh_host2 [lindex $s 1]
- set ssh_port2 [lindex $s 2]
-
- if {! [regexp {^[0-9][0-9]*$} $ssh_port1]} {
- set ssh_port1 22
- }
- if {! [regexp {^[0-9][0-9]*$} $ssh_port2]} {
- set ssh_port2 22
- }
-
- set u1 ""
- if {$ssh_user1 != ""} {
- set u1 "${ssh_user1}@"
- }
- set u2 ""
- if {$ssh_user2 != ""} {
- set u2 "${ssh_user2}@"
- }
-
- set double_ssh "-L $p_port:$ssh_host2:$ssh_port2 -P $ssh_port1 $u1$ssh_host1"
- set proxy_use "${u2}$win_localhost:$p_port"
-
- } else {
- # user1@gateway:port1
- set proxy_use $proxy
- }
-
- set ssh_host [host_part $proxy_use]
-
- set ssh_port [port_part $proxy_use]
- if {! [regexp {^[0-9][0-9]*$} $ssh_port]} {
- set ssh_port 22
- }
-
- set vnc_host [host_part $hpnew]
- if {$vnc_host == ""} {
- set vnc_host $win_localhost
- }
- }
-
- if {![regexp {^[^ ][^ ]*@} $ssh_host]} {
- mesg "You must supply a username: user@host..."
- bell
- winkill $ssh_ipv6_pid
- set ssh_ipv6_pid ""
- return 0
- }
-
- set verb "-v"
-
- set pwd ""
- if {$is_win9x} {
- set pwd [pwd]
- regsub -all {/} $pwd "\\" pwd
- }
- if {! [regexp {^[0-9][0-9]*$} $n]} {
- set n 0
- }
-
- if {$use_listen} {
- set use [expr $n + 5500]
- } else {
- set use [expr $n + 5900]
- }
-
- set_smb_mounts
-
- global use_smbmnt use_sound sound_daemon_kill
- set do_pre 0
- if {$use_smbmnt} {
- set do_pre 1
- } elseif {$use_sound && $sound_daemon_kill} {
- set do_pre 1
- }
-
- global skip_pre
- if {$skip_pre} {
- set do_pre 0
- set skip_pre 0
- }
-
- set pw ""
- if {$putty_pw != ""} {
- if {! [regexp {"} $putty_pw]} { #"
- set pw " -pw \"$putty_pw\""
- }
- }
-
- set tag [contag]
-
- set file_double ""
-
- set file_pre ""
- set file_pre_cmd ""
- if {$do_pre} {
- set setup_cmds [ugly_setup_scripts pre $tag]
-
- if {$setup_cmds != ""} {
- # VF
- regsub {\.bat} $file "pre.cmd" file_pre_cmd
- set fh [open $file_pre_cmd "w"]
- puts $fh "$setup_cmds sleep 10; "
- bat_sleep $fh
- close $fh
-
- # VF
- regsub {\.bat} $file "pre.bat" file_pre
- set fh [open $file_pre "w"]
- set plink_str "plink.exe -ssh -C -P $ssh_port -m $file_pre_cmd $verb -t"
- if {$putty_args != ""} {
- append plink_str " $putty_args"
- }
-
- global smb_redir_0
- if {$smb_redir_0 != ""} {
- append plink_str " $smb_redir_0"
- }
-
- if [regexp {%} $ssh_host] {
- set uath ""
- regsub -all {%SPACE} $ssh_host " " uath
- regsub -all {%TAB} $uath " " uath
- append plink_str "$pw \"$uath\""
- } else {
- append plink_str "$pw $ssh_host"
- }
-
- if {$pw != ""} {
- puts $fh "echo off"
- }
- puts $fh $plink_str
-
- bat_sleep $fh
- if {![info exists env(SSVNC_NO_DELETE)]} {
- if {$file_pre_cmd != ""} {
- puts $fh "del $file_pre_cmd"
- }
- puts $fh "del $file_pre"
- }
- close $fh
- }
- }
-
- if {$is_win9x} {
- set sleep 35
- } else {
- set sleep 20
- }
- if {$use_listen} {
- set sleep 1800
- }
-
- set setup_cmds [ugly_setup_scripts post $tag]
-
- set do_shell 0
- if {$sshcmd == "SHELL"} {
- set setup_cmds ""
- set sshcmd {$SHELL}
- set do_shell 1
- } elseif {$sshcmd == "PUTTY"} {
- set setup_cmds ""
- set do_shell 1
- }
-
- if {$sshcmd != "SHELL" && [regexp -nocase {x11vnc} $sshcmd]} {
- global use_cups cups_x11vnc cups_remote_port
- global cups_remote_smb_port
- global use_sound sound_daemon_x11vnc sound_daemon_remote_port
- global ts_only
- if {$ts_only} {
- set cups_x11vnc 1
- set sound_daemon_x11vnc 1
- }
- if {$use_cups && $cups_x11vnc && $cups_remote_port != ""} {
- set crp $cups_remote_port
- if {$ts_only} {
- set cups_remote_port [rand_port]
- set crp "DAEMON-$cups_remote_port"
- }
- set sshcmd "$sshcmd -env FD_CUPS=$crp"
- }
- if {$use_cups && $cups_x11vnc && $cups_remote_smb_port != ""} {
- set csp $cups_remote_smb_port
- if {$ts_only} {
- set cups_remote_smb_port [rand_port]
- set csp "DAEMON-$cups_remote_smb_port"
- }
- set sshcmd "$sshcmd -env FD_SMB=$csp"
- }
- if {$use_sound && $sound_daemon_x11vnc && $sound_daemon_remote_port != ""} {
- set srp $sound_daemon_remote_port
- if {$ts_only} {
- set sound_daemon_remote_port [rand_port]
- set srp "DAEMON-$sound_daemon_remote_port"
- }
- set sshcmd "$sshcmd -env FD_ESD=$srp"
- }
- }
-
- set file_cmd ""
- if {$setup_cmds != ""} {
- # VF
- regsub {\.bat} $file ".cmd" file_cmd
- set fh_cmd [open $file_cmd "w"]
-
- set str $setup_cmds
- if {$sshcmd != ""} {
- append str " $sshcmd; "
- } else {
- append str " sleep $sleep; "
- }
- puts $fh_cmd $str
- bat_sleep $fh_cmd
- close $fh_cmd
-
- set sshcmd $setup_cmds
- }
-
- if {$sshcmd == ""} {
- set pcmd "echo; echo SSH connected OK.; echo If this state is not autodetected,; echo Go Click the Success button."
- set sshcmd "$pcmd; sleep $sleep"
- }
-
- global use_sound sound_daemon_local_cmd sound_daemon_local_start
- if {! $do_shell && ! $is_win9x && $use_sound && $sound_daemon_local_start && $sound_daemon_local_cmd != ""} {
- windows_start_sound_daemon $file
- }
-
- # VF
- set fh [open $file "w"]
- if {$is_win9x} {
- puts $fh "cd $pwd"
- if {$file_pre != ""} {
- puts $fh "echo Press Ctrl-C --HERE-- when done with the Pre-Command shell work."
- puts $fh "start /w command.com /c $file_pre"
- }
- }
-
- global use_cups use_smbmnt
- set extra_redirs ""
- if {$use_cups} {
- append extra_redirs [get_cups_redir]
- }
- if {$use_sound} {
- append extra_redirs [get_sound_redir]
- }
- global additional_port_redirs
- if {$additional_port_redirs} {
- append extra_redirs [get_additional_redir]
- }
-
- if {$vnc_host == ""} {
- set vnc_host $win_localhost
- }
- regsub {^.*@} $vnc_host "" vnc_host
-
- set redir "-L $use:$vnc_host:$vnc_port"
- if {$use_listen} {
- set redir "-R $vnc_port:$vnc_host:$use"
- set listening_name "localhost:$vnc_port (on remote SSH side)"
- }
-
- set plink_str "plink.exe -ssh -P $ssh_port $verb $redir $extra_redirs -t"
- if {$putty_args != ""} {
- append plink_str " $putty_args"
- }
- if {$extra_redirs != ""} {
- regsub {exe} $plink_str "exe -C" plink_str
- } else {
- # hmm we used to have it off... why?
- # ssh typing response?
- regsub {exe} $plink_str "exe -C" plink_str
- }
- set uath $ssh_host
- if [regexp {%} $uath] {
- regsub -all {%SPACE} $uath " " uath
- regsub -all {%TAB} $uath " " uath
- set uath "\"$uath\""
- }
- if {$do_shell} {
- if {$sshcmd == "PUTTY"} {
- if [regexp {^".*@} $uath] { #"
- regsub {@} $uath {" "} uath
- set uath "-l $uath"
- }
- if {$is_win9x} {
- set plink_str "putty.exe -ssh -C -P $ssh_port $extra_redirs $putty_args -t $pw $uath"
- } else {
- set plink_str "start \"putty $ssh_host\" putty.exe -ssh -C -P $ssh_port $extra_redirs $putty_args -t $pw $uath"
- if [regexp {FINISH} $port_knocking_list] {
- regsub {start} $plink_str "start /wait" plink_str
- }
- }
- } else {
- set plink_str "plink.exe -ssh -C -P $ssh_port $extra_redirs $putty_args -t $pw $uath"
- append plink_str { "$SHELL"}
- }
- } elseif {$file_cmd != ""} {
- append plink_str " -m $file_cmd$pw $uath"
- } else {
- append plink_str "$pw $uath \"$sshcmd\""
- }
-
- if {$pw != ""} {
- puts $fh "echo off"
- }
- if {$ts_only && [regexp {sudo } $sshcmd]} {
- puts $fh "echo \" \""
- puts $fh "echo \"Doing Initial SSH with sudo id to prime sudo...\""
- puts $fh "echo \" \""
- puts $fh "plink.exe -ssh $putty_args -t $uath \"sudo id; tty\""
- puts $fh "echo \" \""
- }
- puts $fh $plink_str
- bat_sleep $fh
- puts $fh "del $flag"
- if {![info exists env(SSVNC_NO_DELETE)]} {
- if {$file_cmd != ""} {
- puts $fh "del $file_cmd"
- }
- puts $fh "del $file"
- }
- close $fh
-
- catch {destroy .o}
- catch {destroy .oa}
- catch {destroy .os}
-
- if { ![do_port_knock $ssh_host start]} {
- if {![info exists env(SSVNC_NO_DELETE)]} {
- catch {file delete $file}
- if {$file_cmd != ""} {
- catch {file delete $file_cmd}
- }
- if {$file_pre != ""} {
- catch {file delete $file_pre}
- }
- }
- winkill $ssh_ipv6_pid
- set ssh_ipv6_pid ""
- return 0
- }
-
- if {$double_ssh != ""} {
- set plink_str_double_ssh "plink.exe -ssh $putty_args -t $pw $double_ssh \"echo sleep 60 ...; sleep 60; echo done.\""
-
- # VF
- regsub {\.bat} $file "dob.bat" file_double
- set fhdouble [open $file_double "w"]
- puts $fhdouble $plink_str_double_ssh
- bat_sleep $fhdouble
- puts $fhdouble "del $flag"
- if {![info exists env(SSVNC_NO_DELETE)]} {
- puts $fhdouble "del $file_double"
- }
- close $fhdouble
-
- set com "cmd.exe"
- if [info exists env(COMSPEC)] {
- set com $env(COMSPEC)
- }
-
- set ff [open $flag "w"]
- puts $ff "flag"
- close $ff
-
- global env
- if [info exists env(SSVNC_BAT_SLEEP)] {
- exec $com /c start $com /c $file_double &
- } else {
- exec $com /c $file_double &
- }
-
- set waited 0
- set gotit 0
- while {$waited < 30000} {
- after 500
- update
- if {$use_listen} {
- set gotit 1
- break;
- }
- set ns [get_netstat]
- set re ":$p_port"
- check_debug_netstat $p_port $ns $waited
- append re {[ ][ ]*[0:.][0:.]*[ ][ ]*LISTEN}
- if [regexp $re $ns] {
- set gotit 1
- break
- }
- set waited [expr "$waited + 500"]
- if {![file exists $flag]} {
- break
- }
- }
- catch {file delete $flag}
- if {! $gotit} {
- after 5000
- }
- }
-
- vencrypt_tutorial_mesg
-
- set wdraw 1
- #set wdraw 0
- if [info exists debug_netstat] {
- if {$debug_netstat != "" && $debug_netstat != "0"} {
- set wdraw 0
- }
- }
-
- set ff [open $flag "w"]
- puts $ff "flag"
- close $ff
-
- if {$is_win9x} {
- if {$wdraw} {
- wm withdraw .
- }
- update
- win9x_plink_msg $file
- global win9x_plink_msg_done
- set win9x_plink_msg_done 0
- vwait win9x_plink_msg_done
- } else {
- set com "cmd.exe"
- if [info exists env(COMSPEC)] {
- set com $env(COMSPEC)
- }
-
- if {$file_pre != ""} {
- set sl 0
- if {$use_smbmnt} {
- global smb_su_mode
- if {$smb_su_mode == "su"} {
- set sl [expr $sl + 15]
- } elseif {$smb_su_mode == "sudo"} {
- set sl [expr $sl + 15]
- } else {
- set sl [expr $sl + 3]
- }
- }
- if {$pw == ""} {
- set sl [expr $sl + 5]
- }
-
- set sl [expr $sl + 5]
- set st [clock seconds]
- set dt 0
- global entered_gui_top button_gui_top
- set entered_gui_top 0
- set button_gui_top 0
-
- catch {wm geometry . "-40-40"}
- catch {wm withdraw .; update; wm deiconify .; raise .; update}
- mesg "Click on *This* Label when done with 1st SSH 0/$sl"
- after 600
-
- global env
- if [info exists env(SSVNC_BAT_SLEEP)] {
- exec $com /c start $com /c $file_pre &
- } else {
- exec $com /c $file_pre &
- }
-
- catch {lower .; update; raise .; update}
-
- while {$dt < $sl} {
- after 100
- set dt [clock seconds]
- set dt [expr $dt - $st]
- mesg "Click on *This* Label when done with 1st SSH $dt/$sl"
- update
- update idletasks
- if {$dt <= 1} {
- set button_gui_top 0
- }
- if {$button_gui_top != 0 && $dt >= 3} {
- mesg "Running 2nd SSH now ..."
- after 1000
- break
- }
- }
- mesg "Running 2nd SSH ..."
- }
-
- if {! $do_shell} {
- make_plink
- }
- if {$wdraw} {
- wm withdraw .
- }
-
- update
- if {$do_shell && [regexp {FINISH} $port_knocking_list]} {
- catch {exec $com /c $file}
- } else {
- global env
- if [info exists env(SSVNC_BAT_SLEEP)] {
- exec $com /c start $com /c $file &
- } else {
- exec $com /c $file &
- }
- }
- after 1000
- }
-
- if {$do_shell} {
- wm deiconify .
- update
- if {[regexp {FINISH} $port_knocking_list]} {
- do_port_knock $ssh_host finish
- }
- return 1
- }
- set made_plink 0
- if {$is_win9x} {
- make_plink
- set made_plink 1
- }
- global plink_status
- set plink_status ""
- set waited 0
- set cnt 0
- while {$waited < 30000} {
- after 500
- update
- if {$use_listen} {
- set plink_status yes
- break;
- }
- set ns [get_netstat]
- set re ":$use"
- check_debug_netstat $use $ns $waited
- append re {[ ][ ]*[0:.][0:.]*[ ][ ]*LISTEN}
- if [regexp $re $ns] {
- set plink_status yes
- }
- if {$plink_status != ""} {
- catch {destroy .plink}
- break
- }
-
- if {$waited == 0} {
- #wm deiconify .plink
- }
- set waited [expr "$waited + 500"]
-
- incr cnt
- if {$cnt >= 12} {
- set cnt 0
- }
- if {![file exists $flag]} {
- set plink_status flag_gone
- break
- }
- }
- catch {file delete $flag}
- if {$plink_status == ""} {
- if {! $made_plink} {
- make_plink
- set made_plink 1
- }
- vwait plink_status
- }
-
- if {$use_sshssl} {
- global launch_windows_ssh_files
- if {$file != ""} {
- append launch_windows_ssh_files "$file "
- }
- if {$file_pre != ""} {
- append launch_windows_ssh_files "$file_pre "
- }
- if {$file_pre_cmd != ""} {
- append launch_windows_ssh_files "$file_pre_cmd "
- }
- regsub { *$} $launch_windows_ssh_files "" launch_windows_ssh_files
- return 1
- }
-
- if {$plink_status != "yes"} {
- set m "unknown"
- if {$plink_status == "flag_gone"} {
- set m "plink script failed"
- } elseif {$plink_status == ""} {
- set m "timeout"
- }
- mesg "Error ($m) to $hp"
- wm deiconify .
- } else {
- after 1000
- do_viewer_windows $n
- wm deiconify .
- mesg "Disconnected from $hp"
- }
- update
- if [regexp {FINISH} $port_knocking_list] {
- do_port_knock $ssh_host finish
- }
-
- if {![info exists env(SSVNC_NO_DELETE)]} {
- if {$file != ""} {
- catch {file delete $file}
- }
- if {$file_pre != ""} {
- catch {file delete $file_pre}
- }
- if {$file_pre_cmd != ""} {
- catch {file delete $file_pre_cmd}
- }
- if {$file_double != ""} {
- catch {file delete $file_double}
- }
- }
-
- winkill $ssh_ipv6_pid
- set ssh_ipv6_pid ""
-
- global sound_daemon_local_kill
- if {! $is_win9x && $use_sound && $sound_daemon_local_kill && $sound_daemon_local_cmd != ""} {
- windows_stop_sound_daemon
- }
- return 1
-}
-
-proc check_ssh_needed {} {
- globalize
-
- if {$use_ssh || $use_sshssl} {
- return
- }
- set must_cups 0
- set must_snd 0
- set must_smb 0
- set must_addl 0
- if {$use_cups} {
- if {$cups_local_server != ""} {set must_cups 1}
- if {$cups_remote_port != ""} {set must_cups 1}
- if {$cups_local_smb_server != ""} {set must_cups 1}
- if {$cups_remote_smb_port != ""} {set must_cups 1}
- if {$cups_manage_rcfile != ""} {set must_cups 1}
- }
- if {$use_sound} {
- if {$sound_daemon_remote_cmd != ""} {set must_snd 1}
- if {$sound_daemon_remote_port != ""} {set must_snd 1}
- if {$sound_daemon_kill} {set must_snd 1}
- if {$sound_daemon_restart} {set must_snd 1}
- if {$sound_daemon_local_cmd != ""} {set must_snd 1}
- if {$sound_daemon_local_port != ""} {set must_snd 1}
- if {$sound_daemon_local_kill} {set must_snd 1}
- if {$sound_daemon_local_start} {set must_snd 1}
- }
- if {$use_smbmnt} {
- if {[regexp {//} $smb_mount_list]} {set must_smb 1}
- }
- if {$additional_port_redirs} {
- set must_addl 1
- }
- if {$must_cups || $must_snd || $must_smb || $must_addl} {
- mesg "Cannot do Port redirs in non-SSH mode (SSL)"
- set msg ""
- if {$must_smb} {
- append msg " - SMB Mount Port Redirection\n"
- }
- if {$must_snd} {
- append msg " - ESD Sound Port Redirection\n"
- }
- if {$must_cups} {
- append msg " - CUPS Port Redirection\n"
- }
- if {$must_addl} {
- append msg " - Additional Port Redirections\n"
- }
- set msg "\"Use SSL\" mode selected (no SSH)\nThe following options will be disabled:\n\n$msg"
- bell
- update
- raise .
- tk_messageBox -type ok -icon info -message $msg
- }
-}
-
-proc set_smb_mounts {} {
- global smb_redir_0 smb_mounts use_smbmnt
-
- set smb_redir_0 ""
- set smb_mounts ""
- if {$use_smbmnt} {
- set l2 [get_smb_redir]
- set smb_redir_0 [lindex $l2 0]
- set smb_redir_0 [string trim $smb_redir_0]
- set smb_mounts [lindex $l2 1]
- }
-}
-
-proc mytmp {tmp} {
- global is_windows mktemp env
-
- if {$is_windows} {
- return $tmp
- }
-
- if {! [info exists mktemp]} {
- set mktemp ""
- foreach dir {/bin /usr/bin /usr/local/bin} {
- if [file exists "$dir/mktemp"] {
- set mktemp "$dir/mktemp"
- break
- }
- }
- }
- if {$mktemp != ""} {
- set tmp2 ""
- catch {set tmp2 [exec $mktemp "$tmp.XXXXXX"]}
- if [file exists $tmp2] {
- if [info exists env(DEBUG_MKTEMP)] {
- puts stderr "mytmp: $tmp2"
- }
- return $tmp2
- }
- }
- catch {exec rm -f $tmp}
- catch {file delete $tmp}
- if [file exists $tmp] {
- puts stderr "tmp file still exists: $tmp"
- exit 1
- }
- catch {exec touch $tmp}
- catch {exec chmod 600 $tmp}
- if [info exists env(DEBUG_MKTEMP)] {
- puts stderr "mytmp: $tmp"
- }
- return $tmp
-}
-
-proc darwin_terminal_cmd {{title ""} {cmd ""} {bg 0}} {
- global darwin_terminal
-
- set tries ""
- lappend tries "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"
-
- if {! [info exists darwin_terminal]} {
- foreach try $tries {
- if [file exists $try] {
- if [file executable $try] {
- set darwin_terminal $try
- break
- }
- }
- }
- if {! [info exists darwin_terminal]} {
- set fh ""
- catch {set fh [open "| find /Applications -type f -name Terminal" "r"]}
- if {$fh != ""} {
- while {[gets $fh line] > -1} {
- if {! [file exists $line]} {
- continue
- }
- if {[file isdirectory $line]} {
- continue
- }
- if {! [regexp {/Terminal$} $line]} {
- continue
- }
- if {! [file executable $line]} {
- continue
- }
- set darwin_terminal $line
- break
- }
- close $fh
- }
- }
- }
- if {! [info exists darwin_terminal]} {
- raise .
- tk_messageBox -type ok -icon error -message "Cannot find Darwin Terminal program." -title "Cannot find Terminal program"
- mac_raise
- return
- }
-
- global darwin_terminal_cnt
- set tmp /tmp/darwin_terminal_cmd.[tpid]
- if {! [info exists darwin_terminal_cnt]} {
- set darwin_terminal_cnt 0
- }
- incr darwin_terminal_cnt
- append tmp ".$darwin_terminal_cnt"
- set tmp [mytmp $tmp]
-
- set fh ""
- catch {set fh [open $tmp w 0755]}
- catch {[exec chmod 755 $tmp]}
- if {$fh == ""} {
- raise .
- tk_messageBox -type ok -icon error -message "Cannot open temporary file: $tmp" -title "Cannot open file"
- mac_raise
- return
- }
- global env
- puts $fh "#!/bin/sh"
- puts $fh "PATH=$env(PATH)"
- puts $fh "export PATH"
- puts $fh "tmp=$tmp"
- puts $fh "sleep 1"
- puts $fh {if [ "X$DDDBG" != "X" ]; then ps www; fi}
- puts $fh {termpid=`ps www | grep -w Terminal | grep $tmp | grep -v grep | awk '{print $1}' | sort -n | tail -1`}
- puts $fh {echo try-1: termpid=$termpid mypid=$$}
- puts $fh {if [ "X$termpid" = "X" ]; then}
- puts $fh { termpid=`ps www | grep -w Terminal | grep -v grep | awk '{print $1}' | sort -n | tail -1`}
- puts $fh { echo try-2: termpid=$termpid mypid=$$}
- puts $fh {fi}
- puts $fh {if [ "X$termpid" = "X" ]; then}
- puts $fh { termpid=`ps wwwwaux | grep -w Terminal | grep $tmp | grep -v grep | awk '{print $2}' | sort -n | tail -1`}
- puts $fh { echo try-3: termpid=$termpid mypid=$$}
- puts $fh {fi}
- puts $fh {if [ "X$termpid" = "X" ]; then}
- puts $fh { termpid=$$}
- puts $fh { echo termpid-find-fail: termpid=$termpid mypid=$$}
- puts $fh {fi}
- puts $fh {trap "rm -f $tmp; kill -TERM $termpid; kill -TERM $mypid; kill -KILL $mypid; exit 0" 0 2 15}
- puts $fh {osascript -e 'tell application "Terminal" to activate' >/dev/null 2>&1 &}
- puts $fh "$cmd"
- puts $fh "sleep 1"
- puts $fh {rm -f $tmp}
- puts $fh {kill -TERM $termpid}
- puts $fh {kill -TERM $mypid}
- puts $fh {kill -KILL $mypid}
- puts $fh "exit 0"
- close $fh
- if {$bg} {
- catch {exec $darwin_terminal $tmp &}
- } else {
- catch {exec $darwin_terminal $tmp}
- }
-}
-
-proc unix_terminal_cmd {{geometry "+100+100"} {title "xterm-command"} {cmd "echo test"} {bg 0} {xrm1 ""} {xrm2 ""} {xrm3 ""}} {
- global uname env
- if {$uname == "Darwin"} {
- global env
- set doX 0;
- if {! $doX} {
- darwin_terminal_cmd $title $cmd $bg
- return
- }
- }
-
- global checked_for_xterm
- if {![info exists checked_for_xterm]} {
- set p ""
- set r [catch {set p [exec /bin/sh -c {type xterm}]}]
- set checked_for_xterm 1
- if {$r != 0} {
- set p [exec /bin/sh -c {type xterm 2>&1; exit 0}]
- set txt "Problem finding the 'xterm' command:\n\n$p\n\n"
- append txt "Perhaps you need to install a package containing 'xterm' (Sigh...)\n\n"
- fetch_dialog $txt "xterm" "xterm" 0 [line_count $txt]
- update
- after 1000
- catch {tkwait window .fetch}
- update
- }
- }
-
- if [info exists env(SSVNC_XTERM_REPLACEMENT)] {
- set tcmd $env(SSVNC_XTERM_REPLACEMENT)
- if {$tcmd != ""} {
- regsub -all {%GEOMETRY} $tcmd $geometry tcmd
- regsub -all {%TITLE} $tcmd $title tcmd
-
- set tmp1 /tmp/xterm_replacement1.[tpid]
- set tmp1 [mytmp $tmp1]
- set fh1 ""
- catch {set fh1 [open $tmp1 "w"]}
-
- set tmp2 /tmp/xterm_replacement2.[tpid]
- set tmp2 [mytmp $tmp2]
- set fh2 ""
- catch {set fh2 [open $tmp2 "w"]}
- if {$fh1 != "" && $fh2 != ""} {
- puts $fh1 "#!/bin/sh";
- puts $fh1 "$cmd"
- puts $fh1 "rm -f $tmp1"
- close $fh1
- catch {exec chmod 755 $tmp1}
- puts $fh2 "#!/bin/sh"
- puts $fh2 "$tcmd $tmp1"
- puts $fh2 "rm -f $tmp2"
- close $fh2
- catch {exec chmod 755 $tmp2}
- if {$bg} {
- exec $tmp2 2>@stdout &
- } else {
- exec $tmp2 2>@stdout
- }
- return
- }
- catch {close $fh1}
- catch {close $fh2}
- }
- }
-
- if {$bg} {
- if {$xrm1 == ""} {
- exec xterm -sb -sl 2000 -geometry "$geometry" -title "$title" -e sh -c "$cmd" 2>@stdout &
- } else {
- exec xterm -sb -sl 2000 -geometry "$geometry" -title "$title" -xrm "$xrm1" -xrm "$xrm2" -xrm "$xrm3" -e sh -c "$cmd" 2>@stdout &
- }
- } else {
- if {$xrm1 == ""} {
- exec xterm -sb -sl 2000 -geometry "$geometry" -title "$title" -e sh -c "$cmd" 2>@stdout
- } else {
- exec xterm -sb -sl 2000 -geometry "$geometry" -title "$title" -xrm "$xrm1" -xrm "$xrm2" -xrm "$xrm3" -e sh -c "$cmd" 2>@stdout
- }
- }
-}
-
-proc xterm_center_geometry {} {
- set sh [winfo screenheight .]
- set sw [winfo screenwidth .]
- set gw 500
- set gh 300
- set x [expr $sw/2 - $gw/2]
- set y [expr $sh/2 - $gh/2]
- if {$x < 0} {
- set x 10
- }
- if {$y < 0} {
- set y 10
- }
-
- return "+$x+$y"
-}
-
-proc smbmnt_wait {tee} {
- if {$tee != ""} {
- set start [clock seconds]
- set cut 30
- while {1} {
- set now [clock seconds]
- if {$now > $start + $cut} {
- break;
- }
- if [file exists $tee] {
- set sz 0
- catch {set sz [file size $tee]}
- if {$sz > 50} {
- set cut 50
- }
- }
- set g ""
- catch {set g [exec grep main-vnc-helper-finished $tee]}
- if [regexp {main-vnc-helper-finished} $g] {
- break
- }
- after 1000
- }
- catch {file delete $tee}
- } else {
- global smb_su_mode
- if {$smb_su_mode == "su"} {
- after 15000
- } elseif {$smb_su_mode == "sudo"} {
- after 10000
- }
- }
-}
-
-proc do_unix_pre {tag proxy hp pk_hp} {
- global env smb_redir_0 use_smbmnt
- global did_port_knock
-
- set setup_cmds [ugly_setup_scripts pre $tag]
- set c "ss_vncviewer -ssh"
-
- if {$proxy == ""} {
- set pxy $hp
- regsub {:[0-9][0-9]*$} $pxy "" pxy
- set c "$c -proxy '$pxy'"
- } else {
- set c "$c -proxy '$proxy'"
- }
-
- if {$setup_cmds != ""} {
- set env(SS_VNCVIEWER_SSH_CMD) "$setup_cmds sleep 10"
- set env(SS_VNCVIEWER_SSH_ONLY) 1
- if {$smb_redir_0 != ""} {
- set c "$c -sshargs '$smb_redir_0'"
- }
-
- if {! [do_port_knock $pk_hp start]} {
- return
- }
- set did_port_knock 1
-
- if {$use_smbmnt} {
- set title "SSL/SSH VNC Viewer $hp -- SMB MOUNTS"
- } else {
- set title "SSL/SSH VNC Viewer $hp -- Pre Commands"
- }
-
- set tee ""
- if {$use_smbmnt} {
- set tee $env(SSVNC_HOME)
- append tee "/.tee-etv$tag"
- set fh ""
- catch {set fh [open $tee "w"]}
- if {$fh == ""} {
- set tee ""
- } else {
- close $fh
- set c "$c | tee $tee"
- }
- }
-
- unix_terminal_cmd "80x25+100+100" "$title" "set -xv; $c" 1
-
- set env(SS_VNCVIEWER_SSH_CMD) ""
- set env(SS_VNCVIEWER_SSH_ONLY) ""
-
- if {$use_smbmnt} {
- smbmnt_wait $tee
- } else {
- after 2000
- }
- }
-}
-proc init_vncdisplay {} {
- global vncdisplay vncproxy remote_ssh_cmd
- set vncdisplay [string trim $vncdisplay]
-
- if {$vncdisplay == ""} {
- set vncproxy ""
- set remote_ssh_cmd ""
- return
- }
-
- set hpnew [get_ssh_hp $vncdisplay]
- set proxy [get_ssh_proxy $vncdisplay]
- set sshcmd [get_ssh_cmd $vncdisplay]
-
- set vncdisplay $hpnew
- set vncproxy $proxy
- set remote_ssh_cmd $sshcmd
-
- global ssh_only ts_only
- if {$sshcmd != "" || $ssh_only || $ts_only} {
- global use_ssl use_ssh use_sshssl
- set use_ssl 0
- if {! $use_ssh && ! $use_sshssl} {
- set use_ssh 1
- }
- }
- # ssl_ssh_adjust will be called.
-}
-
-proc get_vncdisplay {} {
- global vncdisplay vncproxy remote_ssh_cmd
- set vncdisplay [string trim $vncdisplay]
-
- set t $vncdisplay
- regsub {[ \t]*cmd=.*$} $t "" t
- set t [string trim $t]
-
- set str ""
- if [regexp {[ \t]} $t] {
- set str $t
- } else {
- if {$vncproxy != "" && $t == ""} {
- set str "--nohost-- $vncproxy"
- } else {
- set str "$t $vncproxy"
- }
- }
- if [regexp {cmd=.*$} $vncdisplay match] {
- if {$str == ""} {
- set str "--nohost--"
- }
- set str "$str $match"
- } else {
- if {$remote_ssh_cmd != ""} {
- if {$str == ""} {
- set str "--nohost--"
- }
- set str "$str cmd=$remote_ssh_cmd"
- }
- }
- set str [string trim $str]
- return $str
-}
-
-proc port_knock_only {hp {mode KNOCK}} {
- if {$hp == ""} {
- set hp [get_vncdisplay]
- if {$hp == ""} {
- mesg "No host port found"
- bell
- return
- }
- }
- set hpnew [get_ssh_hp $hp]
- set proxy [get_ssh_proxy $hp]
- set sshcmd [get_ssh_cmd $hp]
- set hp $hpnew
-
- set pk_hp ""
- if {$proxy != ""} {
- set pk_hp $proxy
- }
- if {$pk_hp == ""} {
- set pk_hp $hp
- }
- if {$mode == "KNOCK"} {
- do_port_knock $pk_hp start
- } elseif {$mode == "FINISH"} {
- do_port_knock $pk_hp finish
- }
-}
-
-proc direct_connect_msg {} {
- set msg ""
- global env
- globalize
- if {$use_sshssl} {
- append msg " - SSH + SSL tunnelling\n"
- } elseif {$use_ssh} {
- append msg " - SSH tunnelling\n"
- } else {
- append msg " - SSL tunnelling\n"
- }
- if [info exists env(SSVNC_NO_ENC_WARN)] {
- set msg ""
- }
- if {$use_smbmnt} {
- append msg " - SMB Mount Port Redirection\n"
- }
- if {$use_sound} {
- append msg " - ESD Sound Port Redirection\n"
- }
- if {$use_cups} {
- append msg " - CUPS Port Redirection\n"
- }
- if {$additional_port_redirs} {
- append msg " - Additional Port Redirections\n"
- }
- if {$mycert != "" || $svcert != "" || $crtdir != ""} {
- append msg " - SSL certificate authentication\n"
- }
- if {$msg != ""} {
- set msg "Direct connect via vnc://hostname\nThe following options will be disabled:\n\n$msg"
- raise .
- tk_messageBox -type ok -icon info -message $msg
- }
-}
-
-proc fetch_cert {save} {
- global env vncdisplay is_windows
- set hp [get_vncdisplay]
-
- global vencrypt_detected
- set vencrypt_detected ""
-
- global use_listen
- if {$use_listen} {
- if {$is_windows} {
- mesg "Fetch Cert not enabled for Reverse Connections"
- bell
- catch {raise .}
- mac_raise
- return
- }
- toplev .fcr
- global help_font
- wm title .fcr "Fetch Cert for Reverse Connections"
- global fcr_result
- set fcr_result 0
- eval text .fcr.t -width 55 -height 17 $help_font
- .fcr.t insert end {
- In Reverse VNC Connections (-LISTEN) mode, the
- Fetch Cert operation requires that the Remote
- VNC Server makes an initial connection NOW so
- we can collect its SSL Certificate. Note that
- this method does not work for VeNCrypt servers.
- (If there are problems Fetching, one can always
- copy and import the Cert file manually.)
-
- Do you want to Continue with this operation?
- If so, press "Continue" and Then instruct the
- remote VNC Server to make a Reverse Connection
- to us.
-
- Otherwise, press "Cancel" to cancel the Fetch
- Cert operation.
-}
-
- button .fcr.cancel -text Cancel -command {set fcr_result 0; destroy .fcr}
- button .fcr.continue -text Continue -command {set fcr_result 1; destroy .fcr}
- button .fcr.continu2 -text Continue -command {set fcr_result 1; destroy .fcr}
- global uname
- if {$uname == "Darwin"} {
- pack .fcr.t .fcr.continu2 .fcr.continue .fcr.cancel -side top -fill x
-
- } else {
- pack .fcr.t .fcr.continue .fcr.cancel -side top -fill x
- }
- center_win .fcr
-
- tkwait window .fcr
- update
- after 50
-
- if {$fcr_result != 1} {
- return
- }
- update idletasks
- after 50
- }
-
- regsub {[ ]*cmd=.*$} $hp "" tt
- if {[regexp {^[ ]*$} $tt]} {
- mesg "No host:disp supplied."
- bell
- catch {raise .}
- mac_raise
- return
- }
- if {[regexp -- {--nohost--} $tt]} {
- mesg "No host:disp supplied."
- bell
- catch {raise .}
- mac_raise
- return
- }
- if {! [regexp ":" $hp]} {
- if {! [regexp {cmd=} $hp]} {
- append hp ":0"
- }
- }
- set hpnew [get_ssh_hp $hp]
- set proxy [get_ssh_proxy $hp]
-
-
- set pstr 1
- mesg "Fetching $hpnew Cert..."
- global cert_text
- set cert_text ""
- .f4.getcert configure -state disabled
- update
- if {! $is_windows} {
- catch {set cert_text [fetch_cert_unix $hp]}
- } else {
- set cert_text [fetch_cert_windows $hp]
- }
-
- if [info exists env(CERTDBG)] {puts "\nFetch-0-\n$cert_text"}
-
- set vencrypt 0
- set anondh 0
- if {![regexp {BEGIN CERTIFICATE} $cert_text]} {
- if [regexp {CONNECTED} $cert_text] {
- set m 0
- if {![regexp -nocase {GET_SERVER_HELLO} $cert_text]} {
- set m 1
- }
- if [regexp -nocase -line {GET_SERVER_HELLO.*unknown protocol} $cert_text] {
- set m 1
- }
- if {![regexp -nocase {show_cert: SSL_connect failed} $cert_text]} {
- set m 1
- }
- if {!$m && $is_windows} {
- if [regexp -nocase {write:errno} $cert_text] {
- if [regexp -nocase {no peer certificate} $cert_text] {
- set m 1
- }
- }
- }
- if {$m} {
- # suspect VeNCrypt or ANONTLS plaintext RFB
- set cert_text ""
- set vencrypt 1
- incr pstr
- mesg "#${pstr} Fetching $hpnew Cert... $vencrypt/$anondh"
- if {! $is_windows} {
- catch {set cert_text [fetch_cert_unix $hp $vencrypt $anondh]}
- } else {
- after 600
- catch {set cert_text [fetch_cert_windows $hp $vencrypt $anondh]}
- }
- if [info exists env(CERTDBG)] {puts "\nFetch-1-\n$cert_text"}
- }
- }
- }
- if {![regexp {BEGIN CERTIFICATE} $cert_text]} {
- if [regexp {CONNECTED} $cert_text] {
- set m 0
- if [regexp -nocase -line {error.*handshake failure} $cert_text] {
- set m 1
- }
- if [regexp -nocase -line {error.*unknown protocol} $cert_text] {
- set m 1
- }
- if {![regexp -nocase {show_cert: SSL_connect failed} $cert_text]} {
- set m 1
- }
- if {!$m && $is_windows} {
- if [regexp -nocase {no peer certificate} $cert_text] {
- set m 1
- }
- }
- if {$m} {
- # suspect Anonymous Diffie Hellman
- set cert_text ""
- set anondh 1
- incr pstr
- mesg "#${pstr} Fetching $hpnew Cert... $vencrypt/$anondh"
- if {! $is_windows} {
- catch {set cert_text [fetch_cert_unix $hp $vencrypt $anondh]}
- } else {
- after 600
- catch {set cert_text [fetch_cert_windows $hp $vencrypt $anondh]}
- }
- if [info exists env(CERTDBG)] {puts "\nFetch-2-\n$cert_text"}
- }
- }
- }
- if {![regexp {BEGIN CERTIFICATE} $cert_text]} {
- if [regexp {CONNECTED} $cert_text] {
- if {[regexp -nocase -line {cipher.*ADH} $cert_text]} {
- # it is Anonymous Diffie Hellman
- mesg "WARNING: Anonymous Diffie Hellman Server detected (NO CERT)"
- after 300
- .f4.getcert configure -state normal
- return $cert_text
- } else {
- global vencrypt_detected
- set vencrypt_detected ""
- }
- }
- }
-
- global vencrypt_detected server_vencrypt
- if {$vencrypt_detected != "" && !$server_vencrypt} {
- mesg "VeNCrypt or ANONTLS server detected."
- after 600
- }
-
- .f4.getcert configure -state normal
- mesg "Fetched $hpnew Cert"
-
- set n 47
- set ok 1
- if {$cert_text == ""} {
- set cert_text "An Error occurred in fetching SSL Certificate from $hp"
- set ok 0
- set n 4
- } elseif {! [regexp {BEGIN CERTIFICATE} $cert_text]} {
- set cert_text "An Error occurred in fetching $hp\n\n$cert_text"
- set n [line_count $cert_text 1]
- set ok 0
- } else {
- if [regexp -- {-----BEGIN SSL SESSION PARAMETERS-----} $cert_text] {
- set new ""
- set off 0
- foreach line [split $cert_text "\n"] {
- if [regexp -- {RFB 00} $line] {
- continue
- }
- if [regexp -- {Using default temp} $line] {
- continue
- }
- if [regexp -- {-----BEGIN SSL SESSION PARAMETERS-----} $line] {
- set off 1
- }
- if [regexp -- {-----END SSL SESSION PARAMETERS-----} $line] {
- set off 0
- continue
- }
- if {$off} {
- continue;
- }
- append new "$line\n"
- }
- if [regexp -- {-----BEGIN CERTIFICATE-----} $new] {
- set cert_text $new
- }
- }
- set text ""
- set on 0
- set subject ""
- set curr_subject ""
- set chain_n -1
- set chain(__empty__) ""
- foreach line [split $cert_text "\n"] {
- if [regexp -- {-----BEGIN CERTIFICATE-----} $line] {
- incr on
- }
- if {$chain_n < -1} {
- ;
- } elseif [regexp {^ *([0-9]) *s:(.*/[A-Z][A-Z]*=.*$)} $line m cn sb] {
- set cn [string trim $cn]
- set sb [string trim $sb]
- #puts cn=$cn
- #puts sb=$sb
- if {$subject == ""} {
- set subject $sb
- }
- if {$cn > $chain_n} {
- set chain_n $cn
- set curr_subject $sb
- } else {
- set chain_n -2
- }
- } elseif [regexp {^ *i:(.*/[A-Z][A-Z]*=.*$)} $line m is] {
- set is [string trim $is]
- #puts is=$is
- if {$curr_subject != ""} {
- set chain($curr_subject) $is
- }
- }
- if {$on != 1} {
- continue;
- }
- append text "$line\n"
- if [regexp -- {-----END CERTIFICATE-----} $line] {
- set on 2
- }
- }
- set chain_str "subject: not-known\n"
- set curr_subject $subject
- set self_signed 0
- set top_issuer ""
- for {set i 0} {$i < 10} {incr i} {
- if {$curr_subject != ""} {
- if {$i == 0} {
- set chain_str "- subject: $curr_subject\n\n"
- } else {
- set chain_str "${chain_str}- issuer$i: $curr_subject\n\n"
- set top_issuer $curr_subject;
- }
- if {![info exists chain($curr_subject)]} {
- break
- } elseif {$chain($curr_subject) == ""} {
- break
- } elseif {$curr_subject == $chain($curr_subject)} {
- set j [expr $i + 1]
- set chain_str "${chain_str}- issuer$j: $curr_subject\n\n"
- set top_issuer $curr_subject;
- if {$i == 0} {
- set self_signed 1
- }
- break;
- }
- set curr_subject $chain($curr_subject)
- }
- }
- set chain_str "${chain_str}INFO: SELF_SIGNED=$self_signed\n\n"
- if {$self_signed} {
- set chain_str "${chain_str}INFO: Certificate is Self-Signed.\n"
- set chain_str "${chain_str}INFO: It will successfully authenticate when used as a ServerCert or Accepted-Cert.\n"
- set chain_str "${chain_str}INFO: Be sure to check carefully that you trust this certificate before saving it.\n"
- } else {
- set chain_str "${chain_str}INFO: Certificate is signed by a Certificate Authority (CA).\n"
- set chain_str "${chain_str}INFO: It *WILL NOT* successfully authenticate when used as a ServerCert or Accepted-Cert.\n"
- set chain_str "${chain_str}INFO: You need to Obtain and Save the CA's Certificate (issuer) instead"
- if {$top_issuer != ""} {
- set chain_str "${chain_str}:\nINFO: CA: $top_issuer\n"
- } else {
- set chain_str "${chain_str}.\n"
- }
- }
- #puts "\n$chain_str\n"
-
- global is_windows
- set tmp "/tmp/cert.hsh.[tpid]"
- set tmp [mytmp $tmp]
- if {$is_windows} {
- # VF
- set tmp cert.hsh
- }
- set fh ""
- catch {set fh [open $tmp "w"]}
- if {$fh != ""} {
- puts $fh $text
- close $fh
- set info ""
- catch {set info [get_x509_info $tmp]}
- catch {file delete $tmp}
- if [regexp -nocase {MD5 Finger[^\n]*} $info mvar] {
- set cert_text "$mvar\n\n$cert_text"
- }
- if [regexp -nocase {SHA. Finger[^\n]*} $info mvar] {
- set cert_text "$mvar\n\n$cert_text"
- }
- set cert_text "$cert_text\n\n----------------------------------\nOutput of openssl x509 -text -fingerprint:\n\n$info"
- }
- set cert_text "==== SSL Certificate from $hp ====\n\n$chain_str\n$cert_text"
- }
-
- if {! $save} {
- return $cert_text
- }
-
- fetch_dialog $cert_text $hp $hpnew $ok $n
-}
-
-proc skip_non_self_signed {w hp} {
- set msg "Certificate from $hp is not Self-Signed, it was signed by a Certificate Authority (CA). Saving it does not make sense because it cannot be used to authenticate anything. You need to Obtain and Save the CA Certificate instead. Save it anyway?"
- set reply [tk_messageBox -type okcancel -default cancel -parent $w -icon warning -message $msg -title "CA Signed Certificate"]
- if {$reply == "cancel"} {
- return 1
- } else {
- return 0
- }
-}
-
-proc fetch_dialog {cert_text hp hpnew ok n} {
- toplev .fetch
-
- if [small_height] {
- set n 28
- }
-
- scroll_text_dismiss .fetch.f 90 $n
-
- if {$ok} {
- set ss 0
- if [regexp {INFO: SELF_SIGNED=1} $cert_text] {
- button .fetch.save -text Save -command "destroy .fetch; save_cert {$hpnew}"
- set ss 1
- } else {
- button .fetch.save -text Save -command "if \[skip_non_self_signed .fetch {$hpnew}\] {return} else {destroy .fetch; save_cert {$hpnew}}"
- set ss 0
- }
- button .fetch.help -text Help -command "help_fetch_cert $ss"
- pack .fetch.help .fetch.save -side bottom -fill x
- .fetch.d configure -text "Cancel"
- }
-
- center_win .fetch
- wm title .fetch "$hp Certificate"
-
- .fetch.f.t insert end $cert_text
- jiggle_text .fetch.f.t
-}
-
-
-proc host_part {hp} {
- regsub {^ *} $hp "" hp
- regsub { .*$} $hp "" hp
- if [regexp {^[0-9][0-9]*$} $hp] {
- return ""
- }
- set h $hp
- regsub {:[0-9][0-9]*$} $hp "" h
- return $h
-}
-
-proc port_part {hp} {
- regsub { .*$} $hp "" hp
- set p ""
- if [regexp {:([0-9][0-9]*)$} $hp m val] {
- set p $val
- }
- return $p
-}
-
-proc get_vencrypt_proxy {hpnew} {
- if [regexp -nocase {^vnc://} $hpnew] {
- return ""
- }
- set hpnew [get_ssh_hp $hpnew]
- regsub -nocase {^[a-z0-9+]*://} $hpnew "" hpnew
- set h [host_part $hpnew]
- set p [port_part $hpnew]
-
- if {$p == ""} {
- # might not matter, i.e. SSH+SSL only...
- set p 5900
- }
- set hp2 $h
- if {$p < 0} {
- set hp2 "$hp2:[expr - $p]"
- } elseif {$p < 200} {
- set hp2 "$hp2:[expr $p + 5900]"
- } else {
- set hp2 "$hp2:$p"
- }
- return "vencrypt://$hp2"
-}
-
-proc fetch_cert_unix {hp {vencrypt 0} {anondh 0}} {
- global use_listen
-
- set hpnew [get_ssh_hp $hp]
- set proxy [get_ssh_proxy $hp]
-
- if {$vencrypt} {
- global vencrypt_detected
- set vencrypt_detected [get_vencrypt_proxy $hpnew]
- if {$proxy != ""} {
- set proxy "$proxy,$vencrypt_detected"
- } else {
- set proxy $vencrypt_detected
- }
- }
-
- set cmd [list ss_vncviewer]
- if {$anondh} {
- lappend cmd "-anondh"
- }
- if {$proxy != ""} {
- lappend cmd "-proxy"
- lappend cmd $proxy
- }
- if {$use_listen} {
- lappend cmd "-listen"
- }
- lappend cmd "-showcert"
- lappend cmd $hpnew
-
- if {$proxy != ""} {
- lappend cmd "2>/dev/null"
- }
- global env
- if [info exists env(CERTDBG)] {puts "\nFetch-cmd: $cmd"}
- set env(SSVNC_SHOWCERT_EXIT_0) 1
-
- return [eval exec $cmd]
-}
-
-proc win_nslookup {host} {
- global win_nslookup_cache
- if [info exists win_nslookup_cache($host)] {
- return $win_nslookup_cache($host)
- }
- if [regexp -nocase {[^a-z0-9:._-]} $host] {
- set win_nslookup_cache($host) "invalid"
- return $win_nslookup_cache($host)
- }
- if [regexp {^[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$} $host] {
- set win_nslookup_cache($host) $host
- return $win_nslookup_cache($host)
- }
- if [regexp -nocase {^[a-f0-9]*:[a-f0-9:]*:[a-f0-9:]*$} $host] {
- set win_nslookup_cache($host) $host
- return $win_nslookup_cache($host)
- }
- set nsout ""
- catch {set nsout [exec nslookup $host]}
- if {$nsout == "" || [regexp -nocase {server failed} $nsout]} {
- after 250
- set nsout ""
- catch {set nsout [exec nslookup $host]}
- }
- if {$nsout == "" || [regexp -nocase {server failed} $nsout]} {
- set win_nslookup_cache($host) "unknown"
- return $win_nslookup_cache($host)
- }
- regsub -all {Server:[^\n]*\nAddress:[^\n]*} $nsout "" nsout
- regsub {^.*Name:} $nsout "" nsout
- if [regexp {Address:[ \t]*([^\n]+)} $nsout mv addr] {
- set addr [string trim $addr]
- if {$addr != ""} {
- set win_nslookup_cache($host) $addr
- return $win_nslookup_cache($host)
- }
- }
- set win_nslookup_cache($host) "unknown"
- return $win_nslookup_cache($host)
-}
-
-proc win_ipv4 {host} {
- global win_localhost
- set ip [win_nslookup $host];
- if [regexp {^[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$} $ip] {
- return 1
- }
- return 0
-}
-
-proc ipv6_proxy {proxy host port} {
- global is_windows win_localhost have_ipv6
-
- if {!$have_ipv6} {
- return [list $proxy $host $port ""]
- } elseif {!$is_windows} {
- return [list $proxy $host $port ""]
- } else {
- set h0 ""
- set p0 ""
- set port3 ""
- set ipv6_pid ""
- set proxy0 $proxy
- if {$proxy == ""} {
- if [win_ipv4 $host] {
- return [list $proxy $host $port ""]
- }
- set port3 [rand_port]
- set h0 $host
- set p0 $port
- set host $win_localhost
- set port $port3
- } else {
- set parts [split $proxy ","]
- set n [llength $parts]
- for {set i 0} {$i < $n} {incr i} {
- set part [lindex $parts $i]
- set prefix ""
- set repeater 0
- regexp -nocase {^[a-z0-9+]*://} $part prefix
- regsub -nocase {^[a-z0-9+]*://} $part "" part
- if [regexp {^repeater://} $prefix] {
- regsub {\+.*$} $part "" part
- if {![regexp {:([0-9][0-9]*)$} $part]} {
- set part "$part:5900"
- }
- }
- set modit 0
- set h1 ""
- set p1 ""
- if [regexp {^(.*):([0-9][0-9]*)$} $part mvar h1 p1] {
- if {$h1 == "localhost" || $h1 == $win_localhost} {
- continue
- } elseif [win_ipv4 $h1] {
- break
- }
- set modit 1
- } else {
- break
- }
- if {$modit} {
- set port3 [rand_port]
- set h0 $h1
- set p0 $p1
- lset parts $i "$prefix$win_localhost:$port3"
- break
- }
- }
- if {$h0 != "" && $p0 != "" && $port3 != ""} {
- set proxy [join $parts ","]
- #mesg "Reset proxy: $proxy"; after 3000
- }
- }
- if {$h0 != "" && $p0 != "" && $port3 != ""} {
- mesg "Starting IPV6 helper on port $port3 ..."
- set ipv6_pid [exec relay6.exe $port3 "$h0" "$p0" /b:$win_localhost &]
- after 400
- #mesg "r6 $port3 $h0 $p0"; after 3000
- }
- return [list $proxy $host $port $ipv6_pid]
- }
-}
-
-proc fetch_cert_windows {hp {vencrypt 0} {anondh 0}} {
- global have_ipv6
-
- regsub {^vnc.*://} $hp "" hp
-
- set hpnew [get_ssh_hp $hp]
- set proxy [get_ssh_proxy $hp]
-
- if {$vencrypt} {
- global vencrypt_detected
- set vencrypt_detected [get_vencrypt_proxy $hpnew]
- if {$proxy != ""} {
- set proxy "$proxy,$vencrypt_detected"
- } else {
- set proxy $vencrypt_detected
- }
- }
-
- set host [host_part $hpnew]
-
- global win_localhost
-
- if {$host == ""} {
- set host $win_localhost
- }
-
- if [regexp {^.*@} $host match] {
- mesg "Trimming \"$match\" from hostname"
- regsub {^.*@} $host "" host
- }
-
- set disp [port_part $hpnew]
-
- if {[regexp {^-[0-9][0-9]*$} $disp]} {
- ;
- } elseif {$disp == "" || ! [regexp {^[0-9][0-9]*$} $disp]} {
- set disp 0
- }
- if {$disp < 0} {
- set port [expr "- $disp"]
- } elseif {$disp < 200} {
- set port [expr "$disp + 5900"]
- } else {
- set port $disp
- }
-
- set ipv6_pid ""
- if {$have_ipv6} {
- set res [ipv6_proxy $proxy $host $port]
- set proxy [lindex $res 0]
- set host [lindex $res 1]
- set port [lindex $res 2]
- set ipv6_pid [lindex $res 3]
- }
-
- if {$proxy != ""} {
- global env
-
- set port2 [rand_port]
-
- set sp ""
- if [info exists env(SSVNC_PROXY)] {
- set sp $env(SSVNC_PROXY)
- }
- set sl ""
- if [info exists env(SSVNC_LISTEN)] {
- set sl $env(SSVNC_LISTEN)
- }
- set sd ""
- if [info exists env(SSVNC_DEST)] {
- set sd $env(SSVNC_DEST)
- }
-
- set env(SSVNC_PROXY) $proxy
- set env(SSVNC_LISTEN) $port2
- set env(SSVNC_DEST) "$host:$port"
-
- set host $win_localhost
- set port $port2
-
- mesg "Starting Proxy TCP helper on port $port2 ..."
- after 300
- # fetch cert br case:
- set proxy_pid [exec "connect_br.exe" &]
-
- if {$sp == ""} {
- catch { unset env(SSVNC_PROXY) }
- } else {
- set env(SSVNC_PROXY) $sp
- }
- if {$sl == ""} {
- catch { unset env(SSVNC_LISTEN) }
- } else {
- set env(SSVNC_LISTEN) $sl
- }
- if {$sd == ""} {
- catch { unset env(SSVNC_DEST) }
- } else {
- set env(SSVNC_DEST) $sd
- }
- }
-
- set ossl [get_openssl]
- update
- # VF
- set tin tmpin.txt
- set tou tmpout.txt
- set fh ""
- catch {set fh [open $tin "w"]}
- if {$fh != ""} {
- puts $fh "Q"
- puts $fh "GET /WOMBAT HTTP/1.1\r\nHost: wombat.com\r\n\r\n\r\n"
- close $fh
- }
-
- if {1} {
- set ph ""
- if {$anondh} {
- set ph [open "| $ossl s_client -prexit -connect $host:$port -cipher ALL:RC4+RSA:+SSLv2:@STRENGTH < $tin 2>NUL" "r"]
- } else {
- set ph [open "| $ossl s_client -prexit -connect $host:$port < $tin 2>NUL" "r"]
- }
-
- set text ""
- if {$ph != ""} {
- set pids [pid $ph]
- set got 0
- while {[gets $ph line] > -1} {
- append text "$line\n"
- if [regexp {END CERT} $line] {
- set got 1
- }
- if {$anondh && [regexp -nocase {cipher.*ADH} $line]} {
- set got 1
- }
- if {$got && [regexp {^ *Verify return code} $line]} {
- break
- }
- if [regexp {^RFB } $line] {
- break
- }
- if [regexp {^DONE} $line] {
- break
- }
- }
- foreach pid $pids {
- winkill $pid
- }
- if {$ipv6_pid != ""} {
- winkill $ipv6_pid
- }
-
- catch {close $ph}
- catch {file delete $tin $tou}
- return $text
- }
- } else {
- set pids ""
-
- if {1} {
- if {$anondh} {
- set ph2 [open "| $ossl s_client -prexit -connect $host:$port -cipher ALL:RC4+RSA:+SSLv2:@STRENGTH > $tou 2>NUL" "w"]
- } else {
- set ph2 [open "| $ossl s_client -prexit -connect $host:$port > $tou 2>NUL" "w"]
- }
- set pids [pid $ph2]
- after 500
- for {set i 0} {$i < 128} {incr i} {
- puts $ph2 "Q"
- }
- catch {close $ph2}
- } else {
- if {$anondh} {
- set pids [exec $ossl s_client -prexit -connect $host:$port -cipher ALL:RC4+RSA:+SSLv2:@STRENGTH < $tin >& $tou &]
- } else {
- set pids [exec $ossl s_client -prexit -connect $host:$port < $tin >& $tou &]
- }
- }
-
- for {set i 0} {$i < 10} {incr i} {
- after 500
- set got 0
- set ph ""
- catch {set ph [open $tou "r"]}
- if {$ph != ""} {
- while {[gets $ph line] > -1} {
- if [regexp {END CERT} $line] {
- set got 1
- break
- }
- }
- close $ph
- }
- if {$got} {
- break
- }
- }
- foreach pid $pids {
- winkill $pid
- }
- after 500
- set ph ""
- catch {set ph [open $tou "r"]}
- }
- set text ""
- if {$ph != ""} {
- while {[gets $ph line] > -1} {
- append text "$line\n"
- }
- close $ph
- }
- catch {file delete $tin $tou}
- if {$ipv6_pid != ""} {
- winkill $ipv6_pid
- }
- return $text
-}
-
-proc check_accepted_certs {{probe_only 0}} {
- global cert_text always_verify_ssl
- global skip_verify_accepted_certs use_listen
- global ultra_dsm env
- global server_vencrypt server_anondh no_probe_vencrypt
-
- if {! $always_verify_ssl} {
- set skip_verify_accepted_certs 1
- if {$server_vencrypt} {
- return 1
- }
- if {$no_probe_vencrypt} {
- return 1
- }
- }
- if {$server_anondh} {
- mesg "WARNING: Anonymous Diffie Hellman (SKIPPING CERT CHECK)"
- after 1000
- set skip_verify_accepted_certs 1
- return 1
- }
- if {$ultra_dsm} {
- return 1;
- }
- if {$use_listen} {
- return 1;
- }
-
- global anon_dh_detected
- set anon_dh_detected 0
-
- set cert_text [fetch_cert 0]
-
- set mvar ""
- if {[regexp -nocase -line {cipher.*ADH} $cert_text mvar]} {
-
- if [info exists env(CERTDBG)] {puts "\nFetch-MSG-\n$cert_text"}
- if [info exists env(CERTDBG)] {puts "\nBEGIN_MVAR: $mvar\nEND_MVAR\n"}
-
- set msg "Anonymous Diffie-Hellman server detected. There will be encryption, but no SSL/TLS authentication. Continue?"
- set reply [tk_messageBox -type okcancel -default ok -icon warning -message $msg -title "Anonymous Diffie-Hellman Detected"]
- set anon_dh_detected 1
- if {$reply == "cancel"} {
- return 0
- } else {
- global skip_verify_accepted_certs
- set skip_verify_accepted_certs 1
- return 1
- }
- }
-
- if {$probe_only} {
- return 1
- }
- if {! $always_verify_ssl} {
- return 1
- }
-
- set from ""
- set fingerprint ""
- set fingerline ""
- set self_signed 1
- set subject_issuer ""
- set subject ""
- set issuer ""
-
- set i 0
- foreach line [split $cert_text "\n"] {
- incr i
- if {$i > 50} {
- break
- }
- if [regexp {^- subject: *(.*)$} $line m val] {
- set val [string trim $val]
- set subject_issuer "${subject_issuer}subject:$val\n"
- set subject $val
- }
- if [regexp {^- (issuer[0-9][0-9]*): *(.*)$} $line m is val] {
- set val [string trim $val]
- set subject_issuer "${subject_issuer}$is:$val\n"
- set issuer $val
- }
- if [regexp {^INFO: SELF_SIGNED=(.*)$} $line m val] {
- set subject_issuer "${subject_issuer}SELF_SIGNED:$val\n"
- }
- if [regexp {^depth=} $line] {
- break
- }
- if [regexp {^verify } $line] {
- break
- }
- if [regexp {^CONNECTED} $line] {
- break
- }
- if [regexp {^Certificate chain} $line] {
- break
- }
- if [regexp {^==== SSL Certificate from (.*) ====} $line mv str] {
- set from [string trim $str]
- }
- if [regexp -nocase {Fingerprint=(.*)} $line mv str] {
- set fingerline $line
- set fingerprint [string trim $str]
- }
- if [regexp -nocase {^INFO: SELF_SIGNED=([01])} $line mv str] {
- set self_signed $str
- }
- }
-
- set fingerprint [string tolower $fingerprint]
- regsub -all {:} $fingerprint "-" fingerprint
- regsub -all {[\\/=]} $fingerprint "_" fingerprint
-
- set from [string tolower $from]
- regsub -all {[\[\]]} $from "" from
- regsub -all {^[+a-z]*://} $from "" from
- regsub -all {:} $from "-" from
- regsub -all {[\\/=]} $from "_" from
- regsub -all {[ ]} $from "_" from
-
- if {$from == "" || $fingerprint == ""} {
- bell
- catch {raise .; update}
- mesg "WARNING: Error fetching Server Cert"
- after 500
- set hp [get_vncdisplay]
- set n [line_count $cert_text 1]
- fetch_dialog $cert_text $hp $hp 0 $n
- update
- after 2000
- return 0
- }
-
- set hp [get_vncdisplay]
-
- set adir [get_idir_certs ""]
- catch {file mkdir $adir}
- set adir "$adir/accepted"
- catch {file mkdir $adir}
-
- set crt "$adir/$from=$fingerprint.crt"
-
- if [file exists $crt] {
- if {$self_signed} {
- mesg "OK: Certificate found in ACCEPTED_CERTS"
- after 750
- return 1
- }
- }
-
- set cnt 0
- foreach f [glob -nocomplain -directory $adir "*$fingerprint*.crt"] {
- mesg "CERT: $f"
- after 150
- if {$self_signed} {
- incr cnt
- }
- }
-
- set oth 0
- set others [list]
- foreach f [glob -nocomplain -directory $adir "*$from*.crt"] {
- if {$f == $crt} {
- continue
- }
- set fb [file tail $f]
- mesg "OTHER CERT: $fb"
- if {$cnt > 0} {
- after 400
- } else {
- bell
- after 800
- }
- lappend others $f
- incr oth
- }
-
- foreach f [glob -nocomplain -directory $adir "*.crt"] {
- if {$f == $crt} {
- continue
- }
- set saw 0
- foreach o $others {
- if {$f == $o} {
- set saw 1
- break
- }
- }
- if {$saw} {
- continue
- }
- set fh [open $f "r"]
- if {$fh == ""} {
- continue
- }
- set same 0
- set sub ""
- set iss ""
- set isn -1;
- while {[gets $fh line] > -1} {
- if [regexp {^Host-Display: (.*)$} $line mv hd] {
- if {$hd == $hp || $hd == $from} {
- set same 1
- }
- }
- if [regexp {^subject:(.*)$} $line mv val] {
- set sub $val
- }
- if [regexp {^issue([0-9][0-9]*):(.*)$} $line mv in val] {
- if {$in > $isn} {
- set isn $in
- set iss $val
- }
- }
- }
- close $fh;
-
- if {!$self_signed} {
- if {$sub == ""} {
- set ossl [get_openssl]
- set si_txt [exec $ossl x509 -subject -issuer -noout -in $f]
- foreach line [split $si_txt "\n"] {
- if [regexp -nocase {^subject= *(.*)$} $line mv str] {
- set str [string trim $str]
- if {$str != ""} {
- set sub $str
- }
- } elseif [regexp -nocase {^issuer= *(.*)$} $line mv str] {
- set str [string trim $str]
- if {$iss != ""} {
- set iss $str
- }
- }
- }
- }
- if {$issuer != "" && $sub != ""} {
- global env
- if [info exists env(CERTDBG)] {
- puts "f: $f"
- puts "s: $sub"
- puts "i: $issuer"
- puts "==================="
- }
- if {$issuer == $sub} {
- set fb [file tail $f]
- mesg "Certificate Authority (CA) CERT: $fb"
- incr cnt
- after 500
- }
- }
- continue
- }
-
- if {! $same} {
- continue
- }
-
- set fb [file tail $f]
- mesg "OTHER CERT: $fb"
- if {$cnt > 0} {
- after 400
- } else {
- bell
- after 800
- }
- lappend others $f
- incr oth
- }
-
- if {$cnt > 0} {
- if {$self_signed} {
- mesg "OK: Server Certificate found in ACCEPTED_CERTS"
- after 400
- } else {
- mesg "OK: CA Certificate found in ACCEPTED_CERTS"
- after 800
- }
- return 1
- }
-
- set hp2 [get_vncdisplay]
- set msg "
- The Self-Signed SSL Certificate from host:
-
- $hp2
-
- Fingerprint: $fingerprint
-
- Subject: $subject
-
- is not present in the 'Accepted Certs' directory:
-
- $adir
-%WARN
- You will need to verify on your own that this is a certificate from a
- VNC server that you trust (e.g. by checking the fingerprint with that
- sent to you by the server administrator).
-
-
- THE QUESTION: Do you want this certificate to be saved in the Accepted Certs
- directory and then used to SSL authenticate VNC servers?
-
-
- By clicking 'Inspect and maybe Save Cert' you will be given the opportunity
- to inspect the certificate before deciding to save it or not.
-"
-
- set msg_bottom "
- Choose 'Ignore Cert for One Connection' to connect a single time to the
- server with *NO* certificate authentication. You will see this dialog again
- the next time you connect to the same server.
-
- Choose 'Continue as though I saved it' to launch stunnel and the VNC viewer.
- Do this if you know the correct Certificate is in the 'Accepted Certs'
- directory. If it is not, stunnel will fail and report 'VERIFY ERROR:...'
-
- Choose 'Cancel' to not connect to the VNC Server at all.
-"
-
- set msg_ca "
- The CA-signed SSL Certificate from host:
-
- $hp2
-
- Fingerprint: $fingerprint
-
- Subject: $subject
-
- Issuer: $issuer
-
- is signed by a Certificate Authority (CA) (the 'Issuer' above.)
-
- However, the certificate of the CA 'Issuer' is not present in the
- 'Accepted Certs' directory:
-
- $adir
-
- You will need to obtain the certificate of the CA 'Issuer' via some means
- (perhaps ask the VNC server administrator for it.) Then, after you have
- verified that the CA certificate is one that you trust, import the
- certificate via Certs -> Import Certificate. Be sure to select to also
- save it to the Accepted Certs directory so it will automatically be used.
-"
- set msg "$msg$msg_bottom"
- set msg_ca "$msg_ca$msg_bottom"
-
- if {!$self_signed} {
- set msg $msg_ca
- }
-
- if {$oth == 0} {
- regsub {%WARN} $msg "" msg
- } else {
- set warn ""
- set wfp ""
- if {$oth == 1} {
- set warn "
-**WARNING** The Following Cert was previously saved FOR THE SAME HOST-DISPLAY:
-
-"
- set wfp "BUT WITH A DIFFERENT FINGERPRINT."
-
- } else {
- set warn "
-**WARNING** The Following Certs were previously saved FOR THE SAME HOST-DISPLAY:
-
-"
- set wfp "BUT WITH DIFFERENT FINGERPRINTS."
- }
-
- foreach o $others {
- set fb [file tail $o]
- set warn "$warn $fb\n"
- }
- set warn "$warn\n $wfp\n"
- set warn "$warn\n This could be a Man-In-The-Middle attack, or simply that the Server changed"
- set warn "$warn\n its Certificate. *PLEASE CHECK* before proceeding!\n"
- regsub {%WARN} $msg $warn msg
- bell
- }
-
- set n 0
- foreach l [split $msg "\n"] {
- incr n
- }
- if {!$self_signed} {
- set n [expr $n + 2]
- } else {
- set n [expr $n + 1]
- }
- if [small_height] {
- if {$n > 26} {
- set n 26
- }
- }
- toplev .acert
- scroll_text .acert.f 83 $n
-
- button .acert.inspect -text "Inspect and maybe Save Cert ..." -command "destroy .acert; set accept_cert_dialog 1"
- button .acert.accept -text "Ignore Cert for One Connection " -command "destroy .acert; set accept_cert_dialog 2"
- button .acert.continue -text "Continue as though I saved it " -command "destroy .acert; set accept_cert_dialog 3"
- button .acert.cancel -text "Cancel" -command "destroy .acert; set accept_cert_dialog 0"
-
- wm title .acert "Unrecognized SSL Cert!"
-
- .acert.f.t insert end $msg
-
- pack .acert.cancel .acert.continue .acert.accept .acert.inspect -side bottom -fill x
- pack .acert.f -side top -fill both -expand 1
-
- if {! $self_signed} {
- catch {.acert.inspect configure -state disabled}
- }
-
- center_win .acert
-
- global accept_cert_dialog
- set accept_cert_dialog ""
-
- jiggle_text .acert.f.t
-
- tkwait window .acert
-
- if {$accept_cert_dialog == 2} {
- set skip_verify_accepted_certs 1
- return 1
- }
- if {$accept_cert_dialog == 3} {
- return 1
- }
- if {$accept_cert_dialog != 1} {
- return 0
- }
-
- global accepted_cert_dialog_in_progress
- set accepted_cert_dialog_in_progress 1
-
- global fetch_cert_filename
- set fetch_cert_filename $crt
-
- global do_save_saved_it
- set do_save_saved_it 0
- global do_save_saved_hash_it
- set do_save_saved_hash_it 0
-
- fetch_dialog $cert_text $hp $hp 1 47
- update; after 150
-
- catch {tkwait window .fetch}
- update; after 250
- catch {tkwait window .scrt}
- update; after 250
- if [winfo exists .scrt] {
- catch {tkwait window .scrt}
- }
-
- set fetch_cert_filename ""
- set accepted_cert_dialog_in_progress 0
-
- if {!$do_save_saved_hash_it} {
- save_hash $crt $adir $hp $fingerline $from $fingerprint $subject_issuer
- }
-
- if {$do_save_saved_it} {
- return 1
- } else {
- return 0
- }
-}
-
-proc save_hash {crt adir hp fingerline from fingerprint {subject_issuer ""}} {
- if ![file exists $crt] {
- return
- }
- set ossl [get_openssl]
- set hash [exec $ossl x509 -hash -noout -in $crt]
- set hash [string trim $hash]
- if [regexp {^([0-9a-f][0-9a-f]*)} $hash mv h] {
- set hashfile "$adir/$h.0"
- set hn "$h.0"
- if [file exists $hashfile] {
- set hashfile "$adir/$h.1"
- set hn "$h.1"
- if [file exists $hashfile] {
- set hashfile "$adir/$h.2"
- set hn "$h.2"
- }
- }
- set fh [open $crt "a"]
- if {$fh != ""} {
- puts $fh ""
- puts $fh "SSVNC-info:"
- puts $fh "Host-Display: $hp"
- puts $fh "$fingerline"
- puts $fh "hash-filename: $hn"
- puts $fh "full-filename: $from=$fingerprint.crt"
- puts -nonewline $fh $subject_issuer
- close $fh
- }
- catch {file copy -force $crt $hashfile}
- if [file exists $hashfile] {
- return 1
- }
- }
-}
-
-proc tpid {} {
- global is_windows
- set p ""
-
- if {!$is_windows} {
- catch {set p [exec sh -c {echo $$}]}
- }
- if {$p == ""} {
- set p [pid];
- }
- append p [clock clicks]
- return $p
-}
-
-proc repeater_proxy_check {proxy} {
- if [regexp {^repeater://.*\+ID:[0-9]} $proxy] {
- global env rpc_m1 rpc_m2
- if {![info exists rpc_m1]} {
- set rpc_m1 0
- set rpc_m2 0
- }
- set force 0
- if [info exists env(REPEATER_FORCE)] {
- if {$env(REPEATER_FORCE) != "" && $env(REPEATER_FORCE) != "0"} {
- # no longer makes a difference.
- set force 1
- }
- }
- global use_listen ultra_dsm
- if {! $use_listen} {
- if {$ultra_dsm} {
- return 1;
- } else {
- if {0} {
- mesg "WARNING: repeater:// ID:nnn proxy might need Listen Mode"
- incr rpc_m1
- if {$rpc_m1 <= 2} {
- after 1000
- } else {
- after 200
- }
- }
- if {0} {
- # no longer required by x11vnc (X11VNC_DISABLE_SSL_CLIENT_MODE)
- bell
- mesg "ERROR: repeater:// ID:nnn proxy must use Listen Mode"
- after 1000
- return 0
- }
- }
- }
- global always_verify_ssl
- if [info exists always_verify_ssl] {
- if {$always_verify_ssl} {
- mesg "WARNING: repeater:// ID:nnn Verify All Certs may fail"
- incr rpc_m2
- if {$rpc_m2 == 1} {
- after 1500
- } elseif {$rpc_m2 == 2} {
- after 500
- } else {
- after 200
- }
- }
- }
- }
- return 1
-}
-
-proc fini_unixpw {} {
- global named_pipe_fh unixpw_tmp
-
- if {$named_pipe_fh != ""} {
- catch {close $named_pipe_fh}
- }
- if {$unixpw_tmp != ""} {
- catch {file delete $unixpw_tmp}
- }
-}
-
-proc init_unixpw {hp} {
- global use_unixpw unixpw_username unixpw_passwd
- global named_pipe_fh unixpw_tmp env
-
- set named_pipe_fh ""
- set unixpw_tmp ""
-
- if {$use_unixpw} {
- set name $unixpw_username
- set env(SSVNC_UNIXPW) ""
- if {$name == ""} {
- regsub {^.*://} $hp "" hp
- set hptmp [get_ssh_hp $hp]
- if [regexp {^(.*)@} $hptmp mv m1] {
- set name $m1
- }
- }
- if {$name == ""} {
- if [info exists env(USER)] {
- set name $env(USER)
- }
- }
- if {$name == ""} {
- if [info exists env(LOGNAME)] {
- set name $env(LOGNAME)
- }
- }
- if {$name == ""} {
- set name [exec whoami]
- }
- if {$name == ""} {
- set name "unknown"
- }
-
- set tmp "/tmp/unixpipe.[tpid]"
- set tmp [mytmp $tmp]
- # need to make it a pipe
- catch {file delete $tmp}
- if {[file exists $tmp]} {
- mesg "file still exists: $tmp"
- bell
- return
- }
-
- catch {exec mknod $tmp p}
- set fh ""
- if {! [file exists $tmp]} {
- catch {set fh [open $tmp "w"]}
- } else {
- catch {set fh [open $tmp "r+"]}
- set named_pipe_fh $fh
- }
- catch {exec chmod 600 $tmp}
- if {! [file exists $tmp]} {
- mesg "cannot create: $tmp"
- if {$named_pipe_fh != ""} {catch close $named_pipe_fh}
- bell
- return
- }
- #puts [exec ls -l $tmp]
- set unixpw_tmp $tmp
- puts $fh $name
- puts $fh $unixpw_passwd
- if {$named_pipe_fh != ""} {
- flush $fh
- } else {
- close $fh
- }
- exec sh -c "sleep 60; /bin/rm -f $tmp" &
- if {$unixpw_passwd == ""} {
- set env(SSVNC_UNIXPW) "."
- } else {
- set env(SSVNC_UNIXPW) "rm:$tmp"
- }
- } else {
- if [info exists env(SSVNC_UNIXPW)] {
- set env(SSVNC_UNIXPW) ""
- }
- }
-}
-
-proc check_for_listen_ssl_cert {} {
- global mycert use_listen use_ssh ultra_dsm
- if {! $use_listen} {
- return 1
- }
- if {$use_ssh} {
- return 1
- }
- if {$ultra_dsm} {
- return 1
- }
- if {$mycert != ""} {
- return 1
- }
-
- set name [get_idir_certs ""]
- set name "$name/listen.pem"
- if {[file exists $name]} {
- set mycert $name
- mesg "Using Listen Cert: $name"
- after 700
- return 1
- }
-
- set title "SSL Listen requires MyCert";
- set msg "In SSL Listen mode a cert+key is required, but you have not specified 'MyCert'.\n\nCreate a cert+key 'listen' now?"
- set reply [tk_messageBox -type okcancel -default ok -icon warning -message $msg -title $msg]
- if {$reply == "cancel"} {
- return 0
- }
- create_cert $name
- tkwait window .ccrt
- if {[file exists $name]} {
- set mycert $name
- mesg "Using Listen Cert: $name"
- after 700
- return 1
- }
- return 0
-}
-
-proc listen_verify_all_dialog {hp} {
- global use_listen always_verify_ssl
- global did_listen_verify_all_dialog
- global svcert
- global sshssl_sw ultra_dsm
-
- if {!$use_listen} {
- return 1
- }
- if {!$always_verify_ssl} {
- return 1
- }
- if {$svcert != ""} {
- return 1
- }
- if {$ultra_dsm} {
- return 1
- }
- if [regexp -nocase {^vnc://} $hp] {
- return 1
- }
- if [info exists sshssl_sw] {
- if {$sshssl_sw == "none"} {
- return 1
- }
- if {$sshssl_sw == "ssh"} {
- return 1
- }
- }
- if [info exists did_listen_verify_all_dialog] {
- return 1
- }
-
- toplev .lvd
- global help_font
- wm title .lvd "Verify All Certs for Reverse Connections"
- eval text .lvd.t -width 55 -height 22 $help_font
- .lvd.t insert end {
- Information:
-
- You have the 'Verify All Certs' option enabled
- in Reverse VNC Connections (-LISTEN) mode.
-
- For this to work, you must have ALREADY saved
- the remote VNC Server's Certificate to the
- 'Accepted Certs' directory. Otherwise the
- incoming Reverse connection will be rejected.
-
- You can save the Server's Certificate by using
- the 'Import Certificate' dialog or on Unix
- and MacOSX by pressing 'Fetch Cert' and then
- have the Server make an initial connection.
-
- If you do not want to save the certificate of
- the VNC Server making the Reverse connection,
- you must disable 'Verify All Certs' (note that
- this means the server authenticity will not be
- checked.)
-}
-
- button .lvd.ok -text OK -command {destroy .lvd}
- button .lvd.ok2 -text OK -command {destroy .lvd}
- button .lvd.disable -text "Disable 'Verify All Certs'" -command {set always_verify_ssl 0; destroy .lvd}
- global uname
- if {$uname == "Darwin"} {
- pack .lvd.t .lvd.ok2 .lvd.disable .lvd.ok -side top -fill x
- } else {
- pack .lvd.t .lvd.disable .lvd.ok -side top -fill x
- }
- center_win .lvd
- update
-
- tkwait window .lvd
- update
- after 50
- update
-
- set did_listen_verify_all_dialog 1
- return 1
-}
-
-proc reset_stunnel_extra_opts {} {
- global stunnel_extra_opts0 stunnel_extra_svc_opts0 env
- global ssvnc_multiple_listen0
- if {$stunnel_extra_opts0 != "none"} {
- set env(STUNNEL_EXTRA_OPTS) $stunnel_extra_opts0
- }
- if {$stunnel_extra_svc_opts0 != "none"} {
- set env(STUNNEL_EXTRA_SVC_OPTS) $stunnel_extra_svc_opts0
- }
- set env(SSVNC_LIM_ACCEPT_PRELOAD) ""
- if {$ssvnc_multiple_listen0 != "none"} {
- set env(SSVNC_MULTIPLE_LISTEN) $ssvnc_multiple_listen0
- }
- set env(SSVNC_ULTRA_DSM) ""
- set env(SSVNC_TURBOVNC) ""
- catch { unset env(VNCVIEWER_NO_PIPELINE_UPDATES) }
- catch { unset env(VNCVIEWER_NOTTY) }
- catch { unset env(SSVNC_ACCEPT_POPUP) }
- catch { unset env(SSVNC_ACCEPT_POPUP_SC) }
- catch { unset env(SSVNC_KNOWN_HOSTS_FILE) }
-}
-
-proc maybe_add_vencrypt {proxy hp} {
- global vencrypt_detected server_vencrypt
- set vpd ""
- if {$vencrypt_detected != ""} {
- set vpd $vencrypt_detected
- set vencrypt_detected ""
- } elseif {$server_vencrypt} {
- set vpd [get_vencrypt_proxy $hp]
- }
- if {$vpd != ""} {
- mesg "vencrypt proxy: $vpd"
- if {$proxy != ""} {
- set proxy "$proxy,$vpd"
- } else {
- set proxy "$vpd"
- }
- }
- return $proxy
-}
-
-proc no_certs_tutorial_mesg {} {
- global svcert crtdir
- global server_anondh
- global always_verify_ssl
-
- set doit 0
- if {!$always_verify_ssl} {
- if {$svcert == ""} {
- if {$crtdir == "" || $crtdir == "ACCEPTED_CERTS"} {
- set doit 1
- }
- }
- } elseif {$server_anondh} {
- set doit 1
- }
- if {$doit} {
- mesg "INFO: without Certificate checking man-in-the-middle attack is possible."
- } else {
- set str ""
- catch {set str [.l cget -text]}
- if {$str != "" && [regexp {^INFO: without Certificate} $str]} {
- mesg ""
- }
- }
-}
-
-proc vencrypt_tutorial_mesg {} {
- global use_ssh use_sshssl use_listen
- global server_vencrypt no_probe_vencrypt
- global ultra_dsm
-
- set m ""
- if {$use_ssh} {
- ;
- } elseif {$server_vencrypt} {
- ;
- } elseif {$ultra_dsm} {
- ;
- } elseif {$use_listen} {
- set m "No VeNCrypt Auto-Detection: Listen mode."
- } elseif {$use_sshssl} {
- set m "No VeNCrypt Auto-Detection: SSH+SSL mode."
- } elseif {$no_probe_vencrypt} {
- set m "No VeNCrypt Auto-Detection: Disabled."
- }
- if {$m != ""} {
- mesg $m
- after 1000
- }
- return $m
-
- #global svcert always_verify_ssl
- #$svcert != "" || !$always_verify_ssl
- # set m "No VeNCrypt Auto-Detection: 'Verify All Certs' disabled"
-}
-
-proc launch_unix {hp} {
- global smb_redir_0 smb_mounts env
- global vncauth_passwd use_unixpw unixpw_username unixpw_passwd
- global ssh_only ts_only use_x11cursor use_nobell use_rawlocal use_notty use_popupfix ssvnc_scale ssvnc_escape
- global ssvnc_encodings ssvnc_extra_opts
-
- globalize
-
- set cmd ""
-
- if {[regexp {^vncssh://} $hp] || [regexp {^vnc\+ssh://} $hp]} {
- set use_ssl 0
- set use_ssh 1
- sync_use_ssl_ssh
- } elseif {[regexp {^vncs://} $hp] || [regexp {^vncssl://} $hp] || [regexp {^vnc\+ssl://} $hp]} {
- set use_ssl 1
- set use_ssh 0
- sync_use_ssl_ssh
- }
- if {[regexp {^rsh:/?/?} $hp]} {
- set use_ssl 0
- set use_ssh 1
- sync_use_ssl_ssh
- }
-
- check_ssh_needed
-
- set_smb_mounts
-
- global did_port_knock
- set did_port_knock 0
- set pk_hp ""
-
- set skip_ssh 0
- set do_direct 0
-
- if [regexp {vnc://} $hp] {
- set skip_ssh 1
- set do_direct 1
- if {! [info exists env(SSVNC_NO_ENC_WARN)]} {
- direct_connect_msg
- }
- }
-
- listen_verify_all_dialog $hp
-
- if {! $do_direct} {
- if {! [check_for_listen_ssl_cert]} {
- return
- }
- }
-
- global stunnel_extra_opts0 stunnel_extra_svc_opts0
- set stunnel_extra_opts0 ""
- set stunnel_extra_svc_opts0 ""
- global ssvnc_multiple_listen0
- set ssvnc_multiple_listen0 ""
-
- if {[regexp -nocase {sslrepeater://} $hp]} {
- if {$disable_ssl_workarounds} {
- set disable_ssl_workarounds 0
- mesg "Disabling SSL workarounds for 'UVNC Single Click III Bug'"
- after 400
- }
- }
-
- if [info exists env(STUNNEL_EXTRA_OPTS)] {
- set stunnel_extra_opts0 $env(STUNNEL_EXTRA_OPTS)
- if {$disable_ssl_workarounds} {
- if {$disable_ssl_workarounds_type == "none"} {
- ;
- } elseif {$disable_ssl_workarounds_type == "noempty"} {
- set env(STUNNEL_EXTRA_OPTS) "$env(STUNNEL_EXTRA_OPTS)\noptions = DONT_INSERT_EMPTY_FRAGMENTS"
- }
- } else {
- set env(STUNNEL_EXTRA_OPTS) "$env(STUNNEL_EXTRA_OPTS)\noptions = ALL"
- }
- } else {
- if {$disable_ssl_workarounds} {
- if {$disable_ssl_workarounds_type == "none"} {
- ;
- } elseif {$disable_ssl_workarounds_type == "noempty"} {
- set env(STUNNEL_EXTRA_OPTS) "options = DONT_INSERT_EMPTY_FRAGMENTS"
- }
- } else {
- set env(STUNNEL_EXTRA_OPTS) "options = ALL"
- }
- }
- if {$stunnel_local_protection && ! $use_listen} {
- if {$stunnel_local_protection_type == "ident"} {
- set user ""
- if {[info exists env(USER)]} {
- set user $env(USER)
- } elseif {[info exists env(LOGNAME)]} {
- set user $env(USER)
- }
- if {$user != ""} {
- if [info exists env(STUNNEL_EXTRA_SVC_OPTS)] {
- set stunnel_extra_svc_opts0 $env(STUNNEL_EXTRA_SVC_OPTS)
- set env(STUNNEL_EXTRA_SVC_OPTS) "$env(STUNNEL_EXTRA_SVC_OPTS)\nident = $user"
- } else {
- set env(STUNNEL_EXTRA_SVC_OPTS) "ident = $user"
- }
- }
- } elseif {$stunnel_local_protection_type == "exec"} {
- if [info exists env(STUNNEL_EXTRA_SVC_OPTS)] {
- set stunnel_extra_svc_opts0 $env(STUNNEL_EXTRA_SVC_OPTS)
- set env(STUNNEL_EXTRA_SVC_OPTS) "$env(STUNNEL_EXTRA_SVC_OPTS)\n#stunnel-exec"
- } else {
- set env(STUNNEL_EXTRA_SVC_OPTS) "#stunnel-exec"
- }
- }
- }
- if {$ultra_dsm} {
- if {$ultra_dsm_type == "securevnc"} {
- ;
- } elseif {![file exists $ultra_dsm_file] && ![regexp {pw=} $ultra_dsm_file]} {
- mesg "DSM key file does exist: $ultra_dsm_file"
- bell
- after 1000
- return
- }
- global vncauth_passwd
- if {$ultra_dsm_file == "pw=VNCPASSWORD" || $ultra_dsm_file == "pw=VNCPASSWD"} {
- if {![info exists vncauth_passwd] || $vncauth_passwd == ""} {
- mesg "For DSM pw=VNCPASSWD you must supply the VNC Password"
- bell
- after 1000
- return
- }
- if [regexp {'} $vncauth_passwd] {
- mesg "For DSM pw=VNCPASSWD password must not contain single quotes."
- bell
- after 1000
- return
- }
- }
- set dsm "ultravnc_dsm_helper "
- if {$ultra_dsm_noultra} {
- append dsm "noultra:"
- }
- if {$use_listen} {
- append dsm "rev:"
- }
- if {$ultra_dsm_type == "guess"} {
- append dsm "."
- } else {
- append dsm $ultra_dsm_type
- }
- if {$ultra_dsm_noultra} {
- if {$ultra_dsm_salt != ""} {
- append dsm "@$ultra_dsm_salt"
- }
- }
- if {$ultra_dsm_file == "pw=VNCPASSWORD" || $ultra_dsm_file == "pw=VNCPASSWD"} {
- append dsm " pw='$vncauth_passwd'"
- } else {
- if {$ultra_dsm_file == "" && $ultra_dsm_type == "securevnc"} {
- append dsm " none"
- } else {
- append dsm " $ultra_dsm_file"
- }
- }
- set env(SSVNC_ULTRA_DSM) $dsm
- }
- if {$multiple_listen && $use_listen} {
- if [info exists env(SSVNC_MULTIPLE_LISTEN)] {
- set ssvnc_multiple_listen0 $env(SSVNC_MULTIPLE_LISTEN)
- }
- set env(SSVNC_MULTIPLE_LISTEN) "1"
- }
-
- if {$use_ssh} {
- ;
- } elseif {$use_sshssl} {
- ;
- } elseif {$use_ssl} {
- set prox [get_ssh_proxy $hp]
- if {$prox != "" && [regexp {@} $prox]} {
- mesg "Error: proxy contains '@' Did you mean to use SSH mode?"
- bell
- return
- }
- if [regexp {@} $hp] {
- mesg "Error: host contains '@' Did you mean to use SSH mode?"
- bell
- return
- }
- }
-
- if {$use_ssh || $use_sshssl} {
- if {$ssh_local_protection} {
- if {![info exists env(LIM_ACCEPT)]} {
- set env(LIM_ACCEPT) 1
- }
- if {![info exists env(LIM_ACCEPT_TIME)]} {
- set env(LIM_ACCEPT_TIME) 35
- }
- set env(SSVNC_LIM_ACCEPT_PRELOAD) "lim_accept.so"
- mesg "SSH LIM_ACCEPT($env(LIM_ACCEPT),$env(LIM_ACCEPT_TIME)): lim_accept.so"
- after 700
- }
- if {$skip_ssh || $ultra_dsm} {
- set cmd "ss_vncviewer"
- } elseif {$use_ssh} {
- set cmd "ss_vncviewer -ssh"
- } else {
- set cmd "ss_vncviewer -sshssl"
- if {$mycert != ""} {
- set cmd "$cmd -mycert '$mycert'"
- }
- if {$crlfil != ""} {
- set cmd "$cmd -crl '$crlfil'"
- }
- if {$svcert != ""} {
- set cmd "$cmd -verify '$svcert'"
- } elseif {$crtdir != "" && $crtdir != "ACCEPTED_CERTS"} {
- set cmd "$cmd -verify '$crtdir'"
- }
- }
- if {$use_listen} {
- set cmd "$cmd -listen"
- }
- if {$ssh_local_protection} {
- regsub {ss_vncviewer} $cmd "ssvnc_cmd" cmd
- }
- set hpnew [get_ssh_hp $hp]
- set proxy [get_ssh_proxy $hp]
- set sshcmd [get_ssh_cmd $hp]
-
- if {$use_sshssl} {
- if {!$do_direct} {
- set proxy [maybe_add_vencrypt $proxy $hp]
- }
- }
-
- if {$ts_only} {
- regsub {:0$} $hpnew "" hpnew
- if {$proxy == ""} {
- # XXX host_part
- if {[regexp {^([^:]*):([0-9][0-9]*)$} $hpnew mv sshhst sshpt]} {
- set proxy "$sshhst:$sshpt"
- set hpnew "localhost"
- }
- } else {
- if {![regexp {,} $proxy]} {
- if {$hpnew != "localhost"} {
- set proxy "$proxy,$hpnew"
- set hpnew "localhost"
- }
- }
- }
- }
-
-#puts hp=$hp
-#puts hpn=$hpnew
-#puts pxy=$proxy
-#puts cmd=$sshcmd
-
- set hp $hpnew
-
- if {$proxy != ""} {
- set cmd "$cmd -proxy '$proxy'"
- set pk_hp $proxy
- }
- if {$pk_hp == ""} {
- set pk_hp $hp
- }
-
- set do_pre 0
- if {$use_smbmnt} {
- set do_pre 1
- } elseif {$use_sound && $sound_daemon_kill} {
- set do_pre 1
- }
- global skip_pre
- if {$skip_pre || $skip_ssh} {
- set do_pre 0
- set skip_pre 0
- }
-
- set tag [contag]
-
- if {$do_pre} {
- do_unix_pre $tag $proxy $hp $pk_hp
- }
-
-
- set setup_cmds [ugly_setup_scripts post $tag]
-
- if {$skip_ssh} {
- set setup_cmds ""
- }
- if {$sshcmd != "SHELL" && [regexp -nocase {x11vnc} $sshcmd]} {
- global use_cups cups_x11vnc cups_remote_port
- global cups_remote_smb_port
- global use_sound sound_daemon_x11vnc sound_daemon_remote_port
- global ts_only
- if {$ts_only} {
- set cups_x11vnc 1
- set sound_daemon_x11vnc 1
- }
- if {$use_cups && $cups_x11vnc && $cups_remote_port != ""} {
- set crp $cups_remote_port
- if {$ts_only} {
- set cups_remote_port [rand_port]
- set crp "DAEMON-$cups_remote_port"
- }
- set sshcmd "$sshcmd -env FD_CUPS=$crp"
- }
- if {$use_cups && $cups_x11vnc && $cups_remote_smb_port != ""} {
- set csp $cups_remote_smb_port
- if {$ts_only} {
- set cups_remote_smb_port [rand_port]
- set csp "DAEMON-$cups_remote_smb_port"
- }
- set sshcmd "$sshcmd -env FD_SMB=$csp"
- }
- if {$use_sound && $sound_daemon_x11vnc && $sound_daemon_remote_port != ""} {
- set srp $sound_daemon_remote_port
- if {$ts_only} {
- set sound_daemon_remote_port [rand_port]
- set srp "DAEMON-$sound_daemon_remote_port"
- }
- set sshcmd "$sshcmd -env FD_ESD=$srp"
- }
- }
-
- if {$sshcmd == "SHELL"} {
- set env(SS_VNCVIEWER_SSH_CMD) {$SHELL}
- set env(SS_VNCVIEWER_SSH_ONLY) 1
- } elseif {$setup_cmds != ""} {
- if {$sshcmd == ""} {
- set sshcmd "sleep 15"
- }
- set env(SS_VNCVIEWER_SSH_CMD) "$setup_cmds$sshcmd"
- } else {
- if {$sshcmd != ""} {
- set cmd "$cmd -sshcmd '$sshcmd'"
- }
- }
-
- set sshargs ""
- if {$use_cups} {
- append sshargs [get_cups_redir]
- }
- if {$use_sound} {
- append sshargs [get_sound_redir]
- }
- if {$additional_port_redirs} {
- append sshargs [get_additional_redir]
- }
-
- set sshargs [string trim $sshargs]
- if {$skip_ssh} {
- set sshargs ""
- }
- if {$sshargs != ""} {
- set cmd "$cmd -sshargs '$sshargs'"
- set env(SS_VNCVIEWER_USE_C) 1
- } else {
- # hmm we used to have it off... why?
- # ssh typing response?
- set env(SS_VNCVIEWER_USE_C) 1
- }
- if {$sshcmd == "SHELL"} {
- set env(SS_VNCVIEWER_SSH_ONLY) 1
- if {$proxy == ""} {
- set hpt $hpnew
- # XXX host_part
- regsub {:[0-9][0-9]*$} $hpt "" hpt
- set cmd "$cmd -proxy '$hpt'"
- }
- set geometry [xterm_center_geometry]
- if {$pk_hp == ""} {
- set pk_hp $hp
- }
- if {! $did_port_knock} {
- if {! [do_port_knock $pk_hp start]} {
- reset_stunnel_extra_opts
- return
- }
- set did_port_knock 1
- }
-
- if {[regexp {FINISH} $port_knocking_list]} {
- wm withdraw .
- update
- unix_terminal_cmd $geometry "SHELL to $hp" "$cmd"
- wm deiconify .
- update
- do_port_knock $pk_hp finish
- } else {
- unix_terminal_cmd $geometry "SHELL to $hp" "$cmd" 1
- }
- set env(SS_VNCVIEWER_SSH_CMD) ""
- set env(SS_VNCVIEWER_SSH_ONLY) ""
- set env(SS_VNCVIEWER_USE_C) ""
- reset_stunnel_extra_opts
- return
- }
- } else {
- set cmd "ssvnc_cmd"
- set hpnew [get_ssh_hp $hp]
- set proxy [get_ssh_proxy $hp]
-
- if {!$do_direct && ![repeater_proxy_check $proxy]} {
- reset_stunnel_extra_opts
- return
- }
-
- if {! $do_direct && ! $ultra_dsm && ![regexp -nocase {ssh://} $hpnew]} {
- set did_check 0
- if {$mycert != ""} {
- set cmd "$cmd -mycert '$mycert'"
- }
- if {$crlfil != ""} {
- set cmd "$cmd -crl '$crlfil'"
- }
- if {$svcert != ""} {
- set cmd "$cmd -verify '$svcert'"
- } elseif {$crtdir != ""} {
- if {$crtdir == "ACCEPTED_CERTS"} {
- global skip_verify_accepted_certs
- set skip_verify_accepted_certs 0
-
- set did_check 1
- if {! [check_accepted_certs 0]} {
- reset_stunnel_extra_opts
- return
- }
- if {! $skip_verify_accepted_certs} {
- set adir [get_idir_certs ""]
- set adir "$adir/accepted"
- catch {file mkdir $adir}
- set cmd "$cmd -verify '$adir'"
- }
-
- } else {
- set cmd "$cmd -verify '$crtdir'"
- }
- }
- if {! $did_check} {
- check_accepted_certs 1
- }
- }
-
- if {!$do_direct} {
- set proxy [maybe_add_vencrypt $proxy $hp]
- }
-
- if {$proxy != ""} {
- set cmd "$cmd -proxy '$proxy'"
- }
- set hp $hpnew
- if [regexp {^.*@} $hp match] {
- catch {raise .; update}
- mesg "Trimming \"$match\" from hostname"
- after 700
- regsub {^.*@} $hp "" hp
- }
- if [regexp {@} $proxy] {
- bell
- catch {raise .; update}
- mesg "WARNING: SSL proxy contains \"@\" sign"
- after 1500
- }
- }
-
- global anon_dh_detected
- if {$anon_dh_detected || $server_anondh} {
- if {!$do_direct} {
- set cmd "$cmd -anondh"
- }
- set anon_dh_detected 0
- }
- if {$use_alpha} {
- set cmd "$cmd -alpha"
- }
- if {$use_send_clipboard} {
- set cmd "$cmd -sendclipboard"
- }
- if {$use_send_always} {
- set cmd "$cmd -sendalways"
- }
- if {$use_turbovnc} {
- set env(SSVNC_TURBOVNC) 1
- }
- if {$disable_pipeline} {
- set env(VNCVIEWER_NO_PIPELINE_UPDATES) 1
- }
- if {$ssh_known_hosts_filename != ""} {
- set env(SSVNC_KNOWN_HOSTS_FILE) $ssh_known_hosts_filename
- }
- if {$use_grab} {
- set cmd "$cmd -grab"
- }
- if {$use_x11cursor} {
- set cmd "$cmd -x11cursor"
- }
- if {$use_nobell} {
- set cmd "$cmd -nobell"
- }
- if {$use_rawlocal} {
- set cmd "$cmd -rawlocal"
- }
- if {$use_notty} {
- set env(VNCVIEWER_NOTTY) 1
- }
- if {$use_popupfix} {
- set cmd "$cmd -popupfix"
- }
- if {$ssvnc_scale != ""} {
- set cmd "$cmd -scale '$ssvnc_scale'"
- }
- if {$ssvnc_escape != ""} {
- set cmd "$cmd -escape '$ssvnc_escape'"
- }
- if {$ssvnc_encodings != ""} {
- set cmd "$cmd -ssvnc_encodings '$ssvnc_encodings'"
- }
- if {$ssvnc_extra_opts != ""} {
- set cmd "$cmd -ssvnc_extra_opts '$ssvnc_extra_opts'"
- }
- if {$rfbversion != ""} {
- set cmd "$cmd -rfbversion '$rfbversion'"
- }
- if {$vncviewer_realvnc4} {
- set cmd "$cmd -realvnc4"
- }
- if {$use_listen} {
- set cmd "$cmd -listen"
- if {$listen_once} {
- set cmd "$cmd -onelisten"
- }
- if {$listen_accept_popup} {
- if {$listen_accept_popup_sc} {
- set env(SSVNC_ACCEPT_POPUP_SC) 1
- } else {
- set env(SSVNC_ACCEPT_POPUP) 1
- }
- }
- }
-
- global darwin_cotvnc
- if {$darwin_cotvnc} {
- set env(DARWIN_COTVNC) 1
- } else {
- if [info exists env(DISPLAY)] {
- if {$env(DISPLAY) != ""} {
- set env(DARWIN_COTVNC) 0
- } else {
- set env(DARWIN_COTVNC) 1
- }
- } else {
- set env(DARWIN_COTVNC) 1
- }
- }
-
- set do_vncspacewrapper 0
- if {$change_vncviewer && $change_vncviewer_path != ""} {
- set path [string trim $change_vncviewer_path]
- if [regexp {^["'].} $path] { # "
- set tmp "/tmp/vncspacewrapper.[tpid]"
- set tmp [mytmp $tmp]
- set do_vncspacewrapper 1
- if {0} {
- catch {file delete $tmp}
- if {[file exists $tmp]} {
- catch {destroy .c}
- mesg "file still exists: $tmp"
- bell
- reset_stunnel_extra_opts
- return
- }
- }
- catch {set fh [open $tmp "w"]}
- catch {exec chmod 700 $tmp}
- if {! [file exists $tmp]} {
- catch {destroy .c}
- mesg "cannot create: $tmp"
- bell
- reset_stunnel_extra_opts
- return
- }
- puts $fh "#!/bin/sh"
- puts $fh "echo $tmp; set -xv"
- puts $fh "$path \"\$@\""
- puts $fh "sleep 1; rm -f $tmp"
- close $fh
- set path $tmp
- }
- set env(VNCVIEWERCMD) $path
- } else {
- if [info exists env(VNCVIEWERCMD_OVERRIDE)] {
- set env(VNCVIEWERCMD) $env(VNCVIEWERCMD_OVERRIDE)
- } else {
- set env(VNCVIEWERCMD) ""
- }
- }
-
- set realvnc4 $vncviewer_realvnc4
- set realvnc3 0
- set flavor ""
- if {! $darwin_cotvnc} {
- set done 0
- if {$do_vncspacewrapper} {
- if [regexp -nocase {ultra} $change_vncviewer_path] {
- set done 1
- set flavor "ultravnc"
- } elseif [regexp -nocase {chicken.of} $change_vncviewer_path] {
- set done 1
- set flavor "cotvnc"
- }
- }
- if {! $done} {
- catch {set flavor [exec ss_vncviewer -viewerflavor 2>/dev/null]}
- }
- }
- if [regexp {realvnc4} $flavor] {
- set realvnc4 1
- }
- if [regexp {tightvnc} $flavor] {
- set realvnc4 0
- }
- if [regexp {realvnc3} $flavor] {
- set realvnc4 0
- set realvnc3 1
- }
- if {$realvnc4} {
- set cmd "$cmd -realvnc4"
- }
-
- set cmd "$cmd $hp"
-
- set passwdfile ""
- if {$vncauth_passwd != ""} {
- global use_listen
- set footest [mytmp /tmp/.check.[tpid]]
- catch {file delete $footest}
- global mktemp
- set passwdfile "/tmp/.vncauth_tmp.[tpid]"
- if {$mktemp == ""} {
- set passwdfile "$env(SSVNC_HOME)/.vncauth_tmp.[tpid]"
- }
-
- set passwdfile [mytmp $passwdfile]
- catch {exec vncstorepw $vncauth_passwd $passwdfile}
- catch {exec chmod 600 $passwdfile}
- if {$use_listen} {
- global env
- set env(SS_VNCVIEWER_RM) $passwdfile
- } else {
- if {$darwin_cotvnc} {
- catch {exec sh -c "sleep 60; rm $passwdfile 2>/dev/null" &}
- } else {
- catch {exec sh -c "sleep 20; rm $passwdfile 2>/dev/null" &}
- }
- }
- if {$darwin_cotvnc} {
- set cmd "$cmd --PasswordFile $passwdfile"
- } elseif {$flavor == "unknown"} {
- ;
- } else {
- set cmd "$cmd -passwd $passwdfile"
- }
- }
-
- if {$use_viewonly} {
- if {$darwin_cotvnc} {
- set cmd "$cmd --ViewOnly"
- } elseif {$flavor == "unknown"} {
- ;
- } elseif {$flavor == "ultravnc"} {
- set cmd "$cmd /viewonly"
- } else {
- set cmd "$cmd -viewonly"
- }
- }
- if {$use_fullscreen} {
- if {$darwin_cotvnc} {
- set cmd "$cmd --FullScreen"
- } elseif {$flavor == "ultravnc"} {
- set cmd "$cmd /fullscreen"
- } elseif {$flavor == "unknown"} {
- if [regexp {vinagre} $change_vncviewer_path] {
- set cmd "$cmd -f"
- }
- } else {
- set cmd "$cmd -fullscreen"
- }
- }
- if {$use_bgr233} {
- if {$realvnc4} {
- set cmd "$cmd -lowcolourlevel 1"
- } elseif {$flavor == "ultravnc"} {
- set cmd "$cmd /8bit"
- } elseif {$flavor == "ultravnc"} {
- ;
- } elseif {$flavor == "unknown"} {
- ;
- } else {
- set cmd "$cmd -bgr233"
- }
- }
- if {$use_nojpeg} {
- if {$darwin_cotvnc} {
- ;
- } elseif {$flavor == "ultravnc"} {
- ;
- } elseif {$flavor == "unknown"} {
- ;
- } elseif {! $realvnc4 && ! $realvnc3} {
- set cmd "$cmd -nojpeg"
- }
- }
- if {! $use_raise_on_beep} {
- if {$darwin_cotvnc} {
- ;
- } elseif {$flavor == "ultravnc"} {
- ;
- } elseif {$flavor == "unknown"} {
- ;
- } elseif {! $realvnc4 && ! $realvnc3} {
- set cmd "$cmd -noraiseonbeep"
- }
- }
- if {$use_compresslevel != "" && $use_compresslevel != "default"} {
- if {$realvnc3} {
- ;
- } elseif {$flavor == "ultravnc"} {
- ;
- } elseif {$flavor == "unknown"} {
- ;
- } elseif {$realvnc4} {
- set cmd "$cmd -zliblevel '$use_compresslevel'"
- } else {
- set cmd "$cmd -compresslevel '$use_compresslevel'"
- }
- }
- if {$use_quality != "" && $use_quality != "default"} {
- if {$darwin_cotvnc} {
- ;
- } elseif {$flavor == "ultravnc"} {
- ;
- } elseif {$flavor == "unknown"} {
- ;
- } elseif {! $realvnc4 && ! $realvnc3} {
- set cmd "$cmd -quality '$use_quality'"
- }
- }
- if {$use_ssh || $use_sshssl} {
- # realvnc4 -preferredencoding zrle
- if {$darwin_cotvnc} {
- ;
- } elseif {$flavor == "ultravnc"} {
- ;
- } elseif {$flavor == "unknown"} {
- ;
- } elseif {$realvnc4} {
- set cmd "$cmd -preferredencoding zrle"
- } else {
- set cmd "$cmd -encodings 'copyrect tight zrle zlib hextile'"
- }
- }
-
- global ycrop_string
- global sbwid_string
- catch {unset env(VNCVIEWER_SBWIDTH)}
- catch {unset env(VNCVIEWER_YCROP)}
- if {[info exists ycrop_string] && $ycrop_string != ""} {
- set t $ycrop_string
- if [regexp {,sb=([0-9][0-9]*)} $t m mv1] {
- set env(VNCVIEWER_SBWIDTH) $mv1
- }
- regsub {,sb=([0-9][0-9]*)} $t "" t
- if {$t != ""} {
- set env(VNCVIEWER_YCROP) $t
- }
- }
- if {[info exists sbwid_string] && $sbwid_string != ""} {
- set t $sbwid_string
- set env(VNCVIEWER_SBWIDTH) $sbwid_string
- if {$t != ""} {
- set env(VNCVIEWER_SBWIDTH) $t
- }
- }
-
- catch {destroy .o}
- catch {destroy .oa}
- catch {destroy .os}
- update
-
- if {$use_sound && $sound_daemon_local_start && $sound_daemon_local_cmd != ""} {
- mesg "running: $sound_daemon_local_cmd"
- global sound_daemon_local_pid
- set sound_daemon_local_pid ""
- #exec sh -c "$sound_daemon_local_cmd " >& /dev/null </dev/null &
- set sound_daemon_local_pid [exec sh -c "echo \$\$; exec $sound_daemon_local_cmd </dev/null 1>/dev/null 2>/dev/null &"]
- update
- after 500
- }
-
- if {$pk_hp == ""} {
- set pk_hp $hp
- }
- if {! $did_port_knock} {
- if {! [do_port_knock $pk_hp start]} {
- wm deiconify .
- update
- reset_stunnel_extra_opts
- return
- }
- set did_port_knock 1
- }
-
- init_unixpw $hp
-
- if {! $do_direct} {
- vencrypt_tutorial_mesg
- }
-
- wm withdraw .
- update
-
- set geometry [xterm_center_geometry]
- set xrm1 "*.srinterCommand:true"
- set xrm2 $xrm1
- set xrm3 $xrm1
- if {[info exists env(SSVNC_GUI_CMD)]} {
- set xrm1 "*.printerCommand:env XTERM_PRINT=1 $env(SSVNC_GUI_CMD)"
- set xrm2 "XTerm*VT100*translations:#override Shift<Btn3Down>:print()\\nCtrl<Key>N:print()"
- set xrm3 "*mainMenu*print*Label: New SSVNC_GUI"
- }
- set m "Done. You Can X-out or Ctrl-C this Terminal if you like. Use Ctrl-\\\\ to pause."
- global uname
- if {$uname == "Darwin"} {
- regsub {X-out or } $m "" m
- }
- set te "set -xv; "
- if {$ts_only} {
- set te ""
- }
-
- global extra_sleep
- set ssvnc_extra_sleep_save ""
- if {$extra_sleep != ""} {
- if [info exists env(SSVNC_EXTRA_SLEEP)] {
- set ssvnc_extra_sleep_save $env(SSVNC_EXTRA_SLEEP)
- }
- set env(SSVNC_EXTRA_SLEEP) $extra_sleep
- }
-
- set sstx "SSL/SSH VNC Viewer"
- set hptx $hp
- global use_listen
- if {$use_listen} {
- set sstx "SSVNC"
- set hptx "$hp (Press Ctrl-C to Stop Listening)"
- }
-
-
- set s1 5
- set s2 4
- if [info exists env(SSVNC_FINISH_SLEEP)] {
- set s1 $env(SSVNC_FINISH_SLEEP);
- set s2 $s1
- }
-
- unix_terminal_cmd $geometry "$sstx $hptx" \
- "$te$cmd; set +xv; ulimit -c 0; trap 'printf \"Paused. Press Enter to exit:\"; read x' QUIT; echo; echo $m; echo; echo sleep $s1; echo; sleep $s2" 0 $xrm1 $xrm2 $xrm3
-
- set env(SS_VNCVIEWER_SSH_CMD) ""
- set env(SS_VNCVIEWER_USE_C) ""
-
- if {$extra_sleep != ""} {
- if {$ssvnc_extra_sleep_save != ""} {
- set env(SSVNC_EXTRA_SLEEP) $ssvnc_extra_sleep_save
- } else {
- catch {unset env(SSVNC_EXTRA_SLEEP)}
- }
- }
-
- if {$use_sound && $sound_daemon_local_kill && $sound_daemon_local_cmd != ""} {
- # XXX need to kill just one...
- set daemon [string trim $sound_daemon_local_cmd]
- regsub {^gw[ \t]*} $daemon "" daemon
- regsub {[ \t].*$} $daemon "" daemon
- regsub {^.*/} $daemon "" daemon
- mesg "killing sound daemon: $daemon"
- global sound_daemon_local_pid
- if {$sound_daemon_local_pid != ""} {
-#puts pid=$sound_daemon_local_pid
- catch {exec sh -c "kill $sound_daemon_local_pid" >/dev/null 2>/dev/null </dev/null &}
- incr sound_daemon_local_pid
- catch {exec sh -c "kill $sound_daemon_local_pid" >/dev/null 2>/dev/null </dev/null &}
- set sound_daemon_local_pid ""
- } elseif {$daemon != ""} {
- catch {exec sh -c "killall $daemon" >/dev/null 2>/dev/null </dev/null &}
- catch {exec sh -c "pkill -x $daemon" >/dev/null 2>/dev/null </dev/null &}
- }
- }
- if {$passwdfile != ""} {
- catch {file delete $passwdfile}
- }
- wm deiconify .
- mac_raise
- mesg "Disconnected from $hp"
- if {[regexp {FINISH} $port_knocking_list]} {
- do_port_knock $pk_hp finish
- }
-
- reset_stunnel_extra_opts
-
- fini_unixpw
-}
-
-proc kill_stunnel {pids} {
- set count 0
- foreach pid $pids {
- mesg "killing STUNNEL pid: $pid"
- winkill $pid
- if {$count == 0} {
- after 600
- } else {
- after 300
- }
- incr count
- }
-}
-
-proc get_task_list {} {
- global is_win9x
-
- set output1 ""
- set output2 ""
- if {! $is_win9x} {
- # try for tasklist on XP pro
- catch {set output1 [exec tasklist.exe]}
- }
- catch {set output2 [exec w98/tlist.exe]}
-
- set output $output1
- append output "\n"
- append output $output2
-
- return $output
-}
-
-proc note_stunnel_pids {when} {
- global is_win9x pids_before pids_after pids_new
-
- if {$when == "before"} {
- array unset pids_before
- array unset pids_after
- set pids_new {}
- set pids_before(none) "none"
- set pids_after(none) "none"
- }
-
- set output [get_task_list]
-
- foreach line [split $output "\n\r"] {
- set m 0
- if [regexp -nocase {stunnel} $line] {
- set m 1
- } elseif [regexp -nocase {connect_br} $line] {
- set m 1
- }
- if {$m} {
- if [regexp {(-?[0-9][0-9]*)} $line m p] {
- if {$when == "before"} {
- set pids_before($p) $line
- } else {
- set pids_after($p) $line
- }
- }
- }
- }
- if {$when == "after"} {
- foreach new [array names pids_after] {
- if {! [info exists pids_before($new)]} {
- lappend pids_new $new
- }
- }
- }
-}
-
-proc del_launch_windows_ssh_files {} {
- global launch_windows_ssh_files
- global env
-
- if {[info exists env(SSVNC_NO_DELETE)]} {
- return
- }
-
- if {$launch_windows_ssh_files != ""} {
- foreach tf [split $launch_windows_ssh_files] {
- if {$tf == ""} {
- continue
- }
- catch {file delete $tf}
- }
- }
-}
-
-proc launch_shell_only {} {
- global is_windows
- global skip_pre
- global use_ssl use_ssh use_sshssl
-
- set hp [get_vncdisplay]
- regsub {cmd=.*$} $hp "" hp
- set hp [string trim $hp]
- if {$is_windows} {
- append hp " cmd=PUTTY"
- } else {
- append hp " cmd=SHELL"
- }
- set use_ssl_save $use_ssl
- set use_ssh_save $use_ssh
- set use_sshssl_save $use_sshssl
- set skip_pre 1
- if {! $use_ssh && ! $use_sshssl} {
- set use_ssh 1
- set use_ssl 1
- }
- launch $hp
-
- set use_ssl $use_ssl_save
- set use_ssh $use_ssh_save
- set use_sshssl $use_sshssl_save
-}
-
-proc to_sshonly {} {
- global ssh_only ts_only env
- global showing_no_encryption
- #if {$showing_no_encryption} {
- # toggle_no_encryption
- #}
- if {$ssh_only && !$ts_only} {
- return
- }
- if {[info exists env(SSVNC_TS_ALWAYS)]} {
- return
- }
- set ssh_only 1
- set ts_only 0
-
- set t "SSH VNC Viewer"
- wm title . $t
- catch {pack forget .f4}
- catch {pack forget .b.certs}
- catch {.l configure -text $t}
-
- global vncdisplay vncauth_passwd unixpw_username vncproxy remote_ssh_cmd
- set vncdisplay ""
- set vncauth_passwd ""
- set unixpw_username ""
- set vncproxy ""
- set remote_ssh_cmd ""
-
- set_defaults
-}
-
-proc toggle_tsonly {} {
- global ts_only env
- if {$ts_only} {
- if {![info exists env(SSVNC_TS_ALWAYS)]} {
- to_ssvnc
- }
- } else {
- to_tsonly
- }
-}
-
-proc toggle_sshonly {} {
- global ssh_only env
- if {$ssh_only} {
- to_ssvnc
- } else {
- to_sshonly
- }
-}
-
-proc to_tsonly {} {
- global ts_only
- global showing_no_encryption
- #if {$showing_no_encryption} {
- # toggle_no_encryption
- #}
- if {$ts_only} {
- return
- }
- set ts_only 1
- set ssh_only 1
-
- set t "Terminal Services VNC Viewer"
- wm title . $t
- catch {pack forget .f4}
- catch {pack forget .f3}
- catch {pack forget .f1}
- catch {pack forget .b.certs}
- catch {.l configure -text $t}
- catch {.f0.l configure -text "VNC Terminal Server:"}
-
- global vncdisplay vncauth_passwd unixpw_username vncproxy remote_ssh_cmd
- set vncdisplay ""
- set vncauth_passwd ""
- set unixpw_username ""
- set vncproxy ""
- set remote_ssh_cmd ""
-
- set_defaults
-}
-
-proc to_ssvnc {} {
- global ts_only ssh_only env
-
- if {!$ts_only && !$ssh_only} {
- return;
- }
- if {[info exists env(SSVNC_TS_ALWAYS)]} {
- return
- }
- set ts_only 0
- set ssh_only 0
-
- set t "SSL/SSH VNC Viewer"
- wm title . $t
- catch {pack configure .f1 -after .f0 -side top -fill x}
- catch {pack configure .f3 -after .f2 -side top -fill x}
- catch {pack configure .f4 -after .f3 -side top -fill x}
- catch {pack configure .b.certs -before .b.opts -side left -expand 1 -fill x}
- catch {.l configure -text $t}
- catch {.f0.l configure -text "VNC Host:Display"}
-
- #global started_with_noenc
- #if {$started_with_noenc} {
- # toggle_no_encryption
- #}
-
- global vncdisplay vncauth_passwd unixpw_username vncproxy remote_ssh_cmd
- set vncdisplay ""
- set vncauth_passwd ""
- set unixpw_username ""
- set vncproxy ""
- set remote_ssh_cmd ""
-
- set_defaults
-}
-
-proc launch {{hp ""}} {
- global tcl_platform is_windows
- global mycert svcert crtdir crlfil
- global pids_before pids_after pids_new
- global env
- global use_ssl use_ssh use_sshssl sshssl_sw use_listen disable_ssl_workarounds
- global vncdisplay
-
- set debug 0
- if {$hp == ""} {
- set hp [get_vncdisplay]
- }
-
- set hpt [string trim $hp]
- regsub {[ ].*$} $hpt "" hpt
-
-
- if {[regexp {^HOME=} $hpt] || [regexp {^SSVNC_HOME=} $hpt]} {
- set t $hpt
- regsub {^.*HOME=} $t "" t
- set t [string trim $t]
- set env(SSVNC_HOME) $t
- mesg "Set SSVNC_HOME to $t"
- set vncdisplay ""
- return 0
- }
- if {[regexp {^DISPLAY=} $hpt] || [regexp {^SSVNC_DISPLAY=} $hpt]} {
- set t $hpt
- regsub {^.*DISPLAY=} $t "" t
- set t [string trim $t]
- set env(DISPLAY) $t
- mesg "Set DISPLAY to $t"
- set vncdisplay ""
- global uname darwin_cotvnc
- if {$uname == "Darwin"} {
- if {$t != ""} {
- set darwin_cotvnc 0
- } else {
- set darwin_cotvnc 1
- }
- }
- return 0
- }
- if {[regexp {^DYLD_LIBRARY_PATH=} $hpt] || [regexp {^SSVNC_DYLD_LIBRARY_PATH=} $hpt]} {
- set t $hpt
- regsub {^.*DYLD_LIBRARY_PATH=} $t "" t
- set t [string trim $t]
- set env(DYLD_LIBRARY_PATH) $t
- set env(SSVNC_DYLD_LIBRARY_PATH) $t
- mesg "Set DYLD_LIBRARY_PATH to $t"
- set vncdisplay ""
- return 0
- }
- if {[regexp {^SLEEP=} $hpt] || [regexp {^SSVNC_EXTRA_SLEEP=} $hpt]} {
- set t $hpt
- regsub {^.*SLEEP=} $t "" t
- set t [string trim $t]
- set env(SSVNC_EXTRA_SLEEP) $t
- mesg "Set SSVNC_EXTRA_SLEEP to $t"
- set vncdisplay ""
- return 0
- }
- if {[regexp {^SSH=} $hpt]} {
- set t $hpt
- regsub {^.*SSH=} $t "" t
- set t [string trim $t]
- set env(SSH) $t
- mesg "Set SSH to $t"
- set vncdisplay ""
- return 0
- }
- if {[regexp {^FINISH=} $hpt] || [regexp {^SSVNC_FINISH_SLEEP=} $hpt]} {
- set t $hpt
- regsub {^.*=} $t "" t
- set t [string trim $t]
- set env(SSVNC_FINISH_SLEEP) $t
- mesg "Set SSVNC_FINISH_SLEEP to $t"
- set vncdisplay ""
- return 0
- }
- if {[regexp {^NO_DELETE=} $hpt] || [regexp {^SSVNC_NO_DELETE=} $hpt]} {
- set t $hpt
- regsub {^.*=} $t "" t
- set t [string trim $t]
- set env(SSVNC_NO_DELETE) $t
- mesg "Set SSVNC_NO_DELETE to $t"
- set vncdisplay ""
- return 0
- }
- if {[regexp {^BAT_SLEEP=} $hpt] || [regexp {^SSVNC_BAT_SLEEP=} $hpt]} {
- set t $hpt
- regsub {^.*=} $t "" t
- set t [string trim $t]
- set env(SSVNC_BAT_SLEEP) $t
- mesg "Set SSVNC_BAT_SLEEP to $t"
- set vncdisplay ""
- return 0
- }
- if {[regexp {^DEBUG_NETSTAT=} $hpt]} {
- set t $hpt
- regsub {^.*DEBUG_NETSTAT=} $t "" t
- global debug_netstat
- set debug_netstat $t
- mesg "Set DEBUG_NETSTAT to $t"
- set vncdisplay ""
- return 0
- }
- if {[regexp {^REPEATER_FORCE=} $hpt]} {
- set t $hpt
- regsub {^.*REPEATER_FORCE=} $t "" t
- set env(REPEATER_FORCE) $t
- mesg "Set REPEATER_FORCE to $t"
- set vncdisplay ""
- return 0
- }
- if {[regexp -nocase {^SSH.?ONLY} $hpt]} {
- global ssh_only
- if {$ssh_only} {
- return 0;
- }
- to_sshonly
-
- return 0
- }
- if {[regexp -nocase {^TS.?ONLY} $hpt]} {
- global ts_only
- if {$ts_only} {
- return 0;
- }
- to_tsonly
-
- return 0
- }
- if {[regexp -nocase {^IPV6=([01])} $hpt mv val]} {
- global env have_ipv6
- set have_ipv6 $val
- set env(SSVNC_IPV6) $val
- mesg "Set have_ipv6 to $val"
- set vncdisplay ""
- return 0
- }
- if {[regexp {^ENV=([A-z0-9][A-z0-9]*)=(.*)$} $hpt mv var val]} {
- global env
- if {$val == ""} {
- catch {unset env($var)}
- mesg "Unset $var"
- } else {
- set env($var) "$val"
- mesg "Set $var to $val"
- }
- set vncdisplay ""
- return 0
- }
-
- regsub {[ ]*cmd=.*$} $hp "" tt
-
- if {[regexp {^[ ]*$} $tt]} {
- mesg "No host:disp supplied."
- bell
- catch {raise .}
- mac_raise
- return
- }
- if {[regexp -- {--nohost--} $tt]} {
- mesg "No host:disp supplied."
- bell
- catch {raise .}
- mac_raise
- return
- }
- # XXX host_part
- if {! [regexp ":" $hp]} {
- if {! [regexp {cmd=} $hp]} {
- set s [string trim $hp]
- if {! [regexp { } $s]} {
- append hp ":0"
- } else {
- regsub { } $hp ":0 " hp
- }
- }
- }
-
- if {!$use_ssl && !$use_ssh && !$use_sshssl && $sshssl_sw == "none"} {
- regsub -nocase {^[a-z0-9+]*://} $hp "" hp
- set hp "Vnc://$hp"
- }
-
- mesg "Using: $hp"
- after 600
-
- set sc [get_ssh_cmd $hp]
- if {[regexp {^KNOCK} $sc]} {
- if [regexp {^KNOCKF} $sc] {
- port_knock_only $hp "FINISH"
- } else {
- port_knock_only $hp "KNOCK"
- }
- return
- }
-
- if {$debug} {
- mesg "\"$tcl_platform(os)\" | \"$tcl_platform(osVersion)\""
- after 1000
- }
-
- if [regexp {V[Nn][Cc]://} $hp] {
- set env(SSVNC_NO_ENC_WARN) 1
- regsub {V[Nn][Cc]://} $hp "vnc://" hp
- }
- regsub -nocase {^vnc://} $hp "vnc://" hp
- regsub -nocase {^vncs://} $hp "vncs://" hp
- regsub -nocase {^vncssl://} $hp "vncssl://" hp
- regsub -nocase {^vnc\+ssl://} $hp "vnc+ssl://" hp
- regsub -nocase {^vncssh://} $hp "vncssh://" hp
- regsub -nocase {^vnc\+ssh://} $hp "vnc+ssh://" hp
-
- if {! $is_windows} {
- launch_unix $hp
- return
- }
-
- ##############################################################
- # WINDOWS BELOW:
-
- if [regexp {^vnc://} $hp] {
- if {! [info exists env(SSVNC_NO_ENC_WARN)]} {
- direct_connect_msg
- }
- regsub {^vnc://} $hp "" hp
- direct_connect_windows $hp
- return
- } elseif [regexp {^vncs://} $hp] {
- set use_ssl 1
- set use_ssh 0
- regsub {^vncs://} $hp "" hp
- sync_use_ssl_ssh
- } elseif [regexp {^vncssl://} $hp] {
- set use_ssl 1
- set use_ssh 0
- regsub {^vncssl://} $hp "" hp
- sync_use_ssl_ssh
- } elseif [regexp {^vnc\+ssl://} $hp] {
- set use_ssl 1
- set use_ssh 0
- regsub {^vnc\+ssl://} $hp "" hp
- sync_use_ssl_ssh
- } elseif [regexp {^vncssh://} $hp] {
- set use_ssh 1
- set use_ssl 0
- regsub {vncssh://} $hp "" hp
- sync_use_ssl_ssh
- } elseif [regexp {^vnc\+ssh://} $hp] {
- set use_ssh 1
- set use_ssl 0
- regsub {^vnc\+ssh://} $hp "" hp
- sync_use_ssl_ssh
- }
-
- check_ssh_needed
-
- if {! $use_ssh} {
- if {$mycert != ""} {
- if {! [file exists $mycert]} {
- mesg "MyCert does not exist: $mycert"
- bell
- return
- }
- }
- if {$svcert != ""} {
- if {! [file exists $svcert]} {
- mesg "ServerCert does not exist: $svcert"
- bell
- return
- }
- } elseif {$crtdir != ""} {
- if {! [file exists $crtdir] && $crtdir != "ACCEPTED_CERTS"} {
- mesg "CertsDir does not exist: $crtdir"
- bell
- return
- }
- }
- if {$crlfil != ""} {
- if {! [file exists $crlfil]} {
- mesg "CRL File does not exist: $crlfil"
- bell
- return
- }
- }
- }
-
- # VF
- set prefix "stunnel-vnc"
- set suffix "conf"
- if {$use_ssh || $use_sshssl} {
- set prefix "plink_vnc"
- set suffix "bat"
- }
-
- set file1 ""
- set n1 ""
- set file2 ""
- set n2 ""
- set n3 ""
- set n4 ""
- set now [clock seconds]
-
- set proxy [get_ssh_proxy $hp]
- if {$use_sshssl} {
- set proxy ""
- }
- if {! [repeater_proxy_check $proxy]} {
- return
- }
-
- global port_slot
- if {$port_slot != ""} {
- set file1 "$prefix-$port_slot.$suffix"
- set n1 $port_slot
- set ps [expr $port_slot + 200]
- set file2 "$prefix-$ps.$suffix"
- set n2 $ps
- mesg "Using Port Slot: $port_slot"
- after 700
- }
-
- for {set i 30} {$i <= 99} {incr i} {
- set try "$prefix-$i.$suffix"
- if {$i == $port_slot} {
- continue
- }
- if {[file exists $try]} {
- set mt [file mtime $try]
- set age [expr "$now - $mt"]
- set week [expr "7 * 3600 * 24"]
- if {$age > $week} {
- catch {file delete $try}
- }
- }
- if {! [file exists $try]} {
- if {$file1 == ""} {
- set file1 $try
- set n1 $i
- } elseif {$file2 == ""} {
- set file2 $try
- set n2 $i
- } else {
- break
- }
- }
- }
-
- if {$file1 == ""} {
- mesg "could not find free stunnel file"
- bell
- return
- }
-
- if {$n1 == ""} {
- set n1 10
- }
- if {$n2 == ""} {
- set n2 11
- }
- set n3 [expr $n1 + 100]
- set n4 [expr $n2 + 100]
-
- global launch_windows_ssh_files
- set launch_windows_ssh_files ""
-
- set did_port_knock 0
-
- global listening_name
- set listening_name ""
-
- if {$use_ssh} {
- ;
- } elseif {$use_sshssl} {
- ;
- } elseif {$use_ssl} {
- if {$proxy != "" && [regexp {@} $proxy]} {
- mesg "Error: proxy contains '@' Did you mean to use SSH mode?"
- bell
- return
- }
- if [regexp {@} $hp] {
- mesg "Error: host contains '@' Did you mean to use SSH mode?"
- bell
- return
- }
- }
-
- global ssh_ipv6_pid
- set ssh_ipv6_pid ""
-
- if {$use_sshssl} {
- set rc [launch_windows_ssh $hp $file2 $n2]
- if {$rc == 0} {
- if {![info exists env(SSVNC_NO_DELETE)]} {
- catch {file delete $file1}
- catch {file delete $file2}
- }
- del_launch_windows_ssh_files
- return
- }
- set did_port_knock 1
- } elseif {$use_ssh} {
- launch_windows_ssh $hp $file1 $n1
- # WE ARE DONE.
- return
- }
-
- set host [host_part $hp];
- set host_orig $host
-
- global win_localhost
-
- if {$host == ""} {
- set host $win_localhost
- }
-
- if [regexp {^.*@} $host match] {
- catch {raise .; update}
- mesg "Trimming \"$match\" from hostname"
- after 700
- regsub {^.*@} $host "" host
- }
-
- set disp [port_part $hp]
- if {[regexp {^-[0-9][0-9]*$} $disp]} {
- ;
- } elseif {$disp == "" || ! [regexp {^[0-9][0-9]*$} $disp]} {
- set disp 0
- }
-
- if {$disp < 0} {
- set port [expr "- $disp"]
- } elseif {$disp < 200} {
- if {$use_listen} {
- set port [expr "$disp + 5500"]
- } else {
- set port [expr "$disp + 5900"]
- }
- } else {
- set port $disp
- }
-
- if {$debug} {
- mesg "file: $file1"
- after 1000
- }
-
- listen_verify_all_dialog $hp
-
- if {$use_listen && $mycert == ""} {
- if {! [check_for_listen_ssl_cert]} {
- return;
- }
- }
-
- set fail 0
-
- set fh [open $file1 "w"]
-
- if {$use_listen} {
- puts $fh "client = no"
- } else {
- puts $fh "client = yes"
- }
- global disable_ssl_workarounds disable_ssl_workarounds_type
- if {$disable_ssl_workarounds} {
- if {$disable_ssl_workarounds_type == "noempty"} {
- puts $fh "options = DONT_INSERT_EMPTY_FRAGMENTS"
- }
- } else {
- puts $fh "options = ALL"
- }
-
- puts $fh "taskbar = yes"
- puts $fh "RNDbytes = 2048"
- puts $fh "RNDfile = bananarand.bin"
- puts $fh "RNDoverwrite = yes"
- puts $fh "debug = 6"
-
- if {$mycert != ""} {
- if {! [file exists $mycert]} {
- mesg "MyCert does not exist: $mycert"
- bell
- set fail 1
- }
- puts $fh "cert = $mycert"
- } elseif {$use_listen} {
- # see above, this should not happen.
- puts $fh "cert = _nocert_"
- }
- if {$crlfil != ""} {
- if [file isdirectory $crlfil] {
- puts $fh "CRLpath = $crlfil"
- } else {
- puts $fh "CRLfile = $crlfil"
- }
- }
-
- set did_check 0
-
- if {$svcert != ""} {
- if {! [file exists $svcert]} {
- mesg "ServerCert does not exist: $svcert"
- bell
- set fail 1
- }
- puts $fh "CAfile = $svcert"
- puts $fh "verify = 2"
- } elseif {$crtdir != ""} {
- if {$crtdir == "ACCEPTED_CERTS"} {
- global skip_verify_accepted_certs
- set skip_verify_accepted_certs 0
- set did_check 1
- if {$use_sshssl} {
- set skip_verify_accepted_certs 1
- set did_check 0
- } elseif {! [check_accepted_certs 0]} {
- set fail 1
- }
- if {! $skip_verify_accepted_certs} {
- set adir [get_idir_certs ""]
- set adir "$adir/accepted"
- catch {file mkdir $adir}
- puts $fh "CApath = $adir"
- puts $fh "verify = 2"
- }
- } else {
- if {! [file exists $crtdir]} {
- mesg "CertsDir does not exist: $crtdir"
- bell
- set fail 1
- }
- puts $fh "CApath = $crtdir"
- puts $fh "verify = 2"
- }
- }
-
- if {!$did_check} {
- check_accepted_certs 1
- }
-
- if {$use_sshssl} {
- set p [expr "$n2 + 5900"]
- set proxy [maybe_add_vencrypt $proxy "$win_localhost:$p"]
- } else {
- set proxy [maybe_add_vencrypt $proxy $hp]
- }
-
- set ipv6_pid ""
- global have_ipv6
- if {$have_ipv6} {
- if {$proxy == "" && $use_ssl} {
- # stunnel can handle ipv6
- } else {
- set res [ipv6_proxy $proxy $host $port]
- set proxy [lindex $res 0]
- set host [lindex $res 1]
- set port [lindex $res 2]
- set ipv6_pid [lindex $res 3]
- }
- }
-
- set p_reverse 0
-
- if {$proxy != ""} {
- if {$use_sshssl} {
- ;
- } elseif [regexp {@} $proxy] {
- bell
- catch {raise .; update}
- mesg "WARNING: SSL proxy contains \"@\" sign"
- after 1500
- }
- set env(SSVNC_PROXY) $proxy
- set env(SSVNC_DEST) "$host:$port"
- if {$use_listen} {
- set env(SSVNC_REVERSE) "$win_localhost:$port"
- set env(CONNECT_BR_SLEEP) 3
- set p_reverse 1
- } else {
- if {$use_sshssl && [regexp {vencrypt:} $proxy]} {
- set env(SSVNC_LISTEN) [expr "$n4 + 5900"]
- } else {
- set env(SSVNC_LISTEN) [expr "$n2 + 5900"]
- }
- }
- if {[info exists env(PROXY_DEBUG)]} {
- foreach var [list SSVNC_PROXY SSVNC_DEST SSVNC_REVERSE CONNECT_BR_SLEEP SSVNC_LISTEN] {
- if [info exists env($var)] {
- mesg "$var $env($var)"; after 2500;
- }
- }
- }
- }
-
- global anon_dh_detected server_anondh
- if {$anon_dh_detected || $server_anondh} {
- puts $fh "ciphers = ALL:RC4+RSA:+SSLv2:@STRENGTH"
- set anon_dh_detected 0
- }
-
-
- puts $fh "\[vnc$n1\]"
- set port2 ""
- set port3 ""
- if {! $use_listen} {
- set port2 [expr "$n1 + 5900"]
- if [regexp {vencrypt:} $proxy] {
- set port3 [expr "$n3 + 5900"]
- set port2 $port3
- puts $fh "accept = $win_localhost:$port3"
- } else {
- puts $fh "accept = $win_localhost:$port2"
- }
-
- if {$use_sshssl && [regexp {vencrypt:} $proxy]} {
- set port [expr "$n4 + 5900"]
- puts $fh "connect = $win_localhost:$port"
- } elseif {$use_sshssl || $proxy != ""} {
- set port [expr "$n2 + 5900"]
- puts $fh "connect = $win_localhost:$port"
- } else {
- puts $fh "connect = $host:$port"
- }
- } else {
- set port2 [expr "$n1 + 5500"]
- set hloc ""
- if {$use_ssh} {
- # not reached?
- set hloc "$win_localhost:"
- set listening_name "$win_localhost:$port (on remote SSH side)"
- } else {
- set hn [get_hostname]
- if {$hn == ""} {
- set hn "this-computer"
- }
- set listening_name "$hn:$port (or nn.nn.nn.nn:$port, etc.)"
- }
- if {$host_orig != "" && $hloc == ""} {
- set hloc "$host_orig:"
- }
- puts $fh "accept = $hloc$port"
- puts $fh "connect = $win_localhost:$port2"
- }
-
- puts $fh "delay = no"
- puts $fh ""
- close $fh
-
- if {! $did_port_knock} {
- if {! [do_port_knock $host start]} {
- set fail 1
- }
- set did_port_knock 1
- }
-
- if {$fail} {
- if {![info exists env(SSVNC_NO_DELETE)]} {
- catch {file delete $file1}
- }
- catch { unset env(SSVNC_PROXY) }
- catch { unset env(SSVNC_LISTEN) }
- catch { unset env(SSVNC_REVERSE) }
- catch { unset env(SSVNC_DEST) }
- catch { unset env(SSVNC_PREDIGESTED_HANDSHAKE) }
- catch { unset env(CONNECT_BR_SLEEP) }
- winkill $ipv6_pid
- winkill $ssh_ipv6_pid
- set ssh_ipv6_pid ""
- return
- }
-
- note_stunnel_pids "before"
-
- set proxy_pid ""
- set proxy_pid2 ""
-
- if {$use_listen} {
- windows_listening_message $n1
- }
-
- if {$proxy != ""} {
- if [regexp {vencrypt:} $proxy] {
- set vport [expr "$n1 + 5900"]
- mesg "Starting VeNCrypt helper on port $vport,$port3 ..."
- after 500
- if {![info exists env(SSVNC_NO_DELETE)]} {
- catch {file delete "$file1.pre"}
- }
- set env(SSVNC_PREDIGESTED_HANDSHAKE) "$file1.pre"
- set env(SSVNC_VENCRYPT_VIEWER_BRIDGE) "$vport,$port3"
- set proxy_pid2 [exec "connect_br.exe" &]
- catch { unset env(SSVNC_VENCRYPT_VIEWER_BRIDGE) }
- }
- mesg "Starting TCP helper on port $port ..."
- after 400
- # ssl br case:
- set proxy_pid [exec "connect_br.exe" &]
- catch { unset env(SSVNC_PROXY) }
- catch { unset env(SSVNC_LISTEN) }
- catch { unset env(SSVNC_REVERSE) }
- catch { unset env(SSVNC_DEST) }
- catch { unset env(SSVNC_PREDIGESTED_HANDSHAKE) }
- catch { unset env(CONNECT_BR_SLEEP) }
- }
-
- mesg "Starting STUNNEL on port $port2 ..."
- after 500
-
- set pids [exec stunnel $file1 &]
-
- if {! $p_reverse} {
- after 300
- set vtm [vencrypt_tutorial_mesg]
- if {$vtm == ""} {
- after 300
- }
- }
-
- note_stunnel_pids "after"
-
- if {$debug} {
- after 1000
- mesg "pids $pids"
- after 1000
- } else {
- catch {destroy .o}
- catch {destroy .oa}
- catch {destroy .os}
- wm withdraw .
- }
-
- do_viewer_windows $n1
-
- del_launch_windows_ssh_files
-
- if {![info exists env(SSVNC_NO_DELETE)]} {
- catch {file delete $file1}
- }
-
- if {$debug} {
- ;
- } else {
- wm deiconify .
- }
- mesg "Disconnected from $hp."
-
- global port_knocking_list
- if [regexp {FINISH} $port_knocking_list] {
- do_port_knock $host finish
- }
-
- if {[llength $pids_new] > 0} {
- set plist [join $pids_new ", "]
- global terminate_pids
- set terminate_pids ""
- global kill_stunnel
- if {$kill_stunnel} {
- set terminate_pids yes
- } else {
- win_kill_msg $plist
- update
- vwait terminate_pids
- }
- if {$terminate_pids == "yes"} {
- kill_stunnel $pids_new
- }
- } else {
- win_nokill_msg
- }
- mesg "Disconnected from $hp."
- winkill $ipv6_pid
- winkill $ssh_ipv6_pid
- set ssh_ipv6_pid ""
-
- global is_win9x use_sound sound_daemon_local_kill sound_daemon_local_cmd
- if {! $is_win9x && $use_sound && $sound_daemon_local_kill && $sound_daemon_local_cmd != ""} {
- windows_stop_sound_daemon
- }
-}
-
-proc direct_connect_windows {{hp ""}} {
- global tcl_platform is_windows
- global env use_listen
-
- set proxy [get_ssh_proxy $hp]
-
- set did_port_knock 0
-
- global listening_name
- set listening_name ""
-
- set host [host_part $hp]
-
- set host_orig $host
-
- global win_localhost
- if {$host == ""} {
- set host $win_localhost
- }
-
- if [regexp {^.*@} $host match] {
- catch {raise .; update}
- mesg "Trimming \"$match\" from hostname"
- after 700
- regsub {^.*@} $host "" host
- }
-
- set disp [port_part $hp]
- if {[regexp {^-[0-9][0-9]*$} $disp]} {
- ;
- } elseif {$disp == "" || ! [regexp {^[0-9][0-9]*$} $disp]} {
- set disp 0
- }
-
- if {$disp < 0} {
- set port [expr "- $disp"]
- } elseif {$disp < 200} {
- if {$use_listen} {
- set port [expr "$disp + 5500"]
- } else {
- set port [expr "$disp + 5900"]
- }
- } else {
- set port $disp
- }
-
- global have_ipv6
- set ipv6_pid ""
- if {$have_ipv6 && !$use_listen} {
- set res [ipv6_proxy $proxy $host $port]
- set proxy [lindex $res 0]
- set host [lindex $res 1]
- set port [lindex $res 2]
- set ipv6_pid [lindex $res 3]
- }
-
- if {$proxy != ""} {
- if [regexp {@} $proxy] {
- bell
- catch {raise .; update}
- mesg "WARNING: SSL proxy contains \"@\" sign"
- after 1500
- }
- set n2 45
-
- set env(SSVNC_PROXY) $proxy
- set env(SSVNC_LISTEN) [expr "$n2 + 5900"]
- set env(SSVNC_DEST) "$host:$port"
-
- set port [expr $n2 + 5900]
- set host $win_localhost
- }
-
- set fail 0
- if {! $did_port_knock} {
- if {! [do_port_knock $host start]} {
- set fail 1
- }
- set did_port_knock 1
- }
-
- if {$fail} {
- catch { unset env(SSVNC_PROXY) }
- catch { unset env(SSVNC_LISTEN) }
- catch { unset env(SSVNC_DEST) }
- winkill $ipv6_pid
- return
- }
-
- set proxy_pid ""
- if {$proxy != ""} {
- mesg "Starting Proxy TCP helper on port $port ..."
- after 400
- # unencrypted br case:
- set proxy_pid [exec "connect_br.exe" &]
- catch { unset env(SSVNC_PROXY) }
- catch { unset env(SSVNC_LISTEN) }
- catch { unset env(SSVNC_DEST) }
- }
-
- vencrypt_tutorial_mesg
-
- catch {destroy .o}
- catch {destroy .oa}
- catch {destroy .os}
- wm withdraw .
-
- if {$use_listen} {
- set n $port
- if {$n >= 5500} {
- set n [expr $n - 5500]
- }
- global direct_connect_reverse_host_orig
- set direct_connect_reverse_host_orig $host_orig
-
- do_viewer_windows "$n"
-
- set direct_connect_reverse_host_orig ""
- } else {
- if {$port >= 5900 && $port < 6100} {
- set port [expr $port - 5900]
- }
- do_viewer_windows "$host:$port"
- }
-
- wm deiconify .
-
- mesg "Disconnected from $hp."
-
- winkill $ipv6_pid
-
- global port_knocking_list
- if [regexp {FINISH} $port_knocking_list] {
- do_port_knock $host finish
- }
-
- mesg "Disconnected from $hp."
-}
-
-proc get_idir_certs {str} {
- global is_windows env
- set idir ""
- if {$str != ""} {
- if [file isdirectory $str] {
- set idir $str
- } else {
- set idir [file dirname $str]
- }
- if {$is_windows} {
- regsub -all {\\} $idir "/" idir
- regsub -all {//*} $idir "/" idir
- }
- }
- if {$idir == ""} {
- if {$is_windows} {
- if [info exists env(SSVNC_HOME)] {
- set t "$env(SSVNC_HOME)/ss_vnc"
- regsub -all {\\} $t "/" t
- regsub -all {//*} $t "/" t
- if {! [file isdirectory $t]} {
- catch {file mkdir $t}
- }
- set t "$env(SSVNC_HOME)/ss_vnc/certs"
- regsub -all {\\} $t "/" t
- regsub -all {//*} $t "/" t
- if {! [file isdirectory $t]} {
- catch {file mkdir $t}
- }
- if [file isdirectory $t] {
- set idir $t
- }
- }
- if {$idir == ""} {
- set t [file dirname [pwd]]
- set t "$t/certs"
- if [file isdirectory $t] {
- set idir $t
- }
- }
- }
- if {$idir == ""} {
- if [info exists env(SSVNC_HOME)] {
- set t "$env(SSVNC_HOME)/.vnc"
- if {! [file isdirectory $t]} {
- catch {file mkdir $t}
- }
- set t "$env(SSVNC_HOME)/.vnc/certs"
- if {! [file isdirectory $t]} {
- catch {file mkdir $t}
- }
- if [file isdirectory $t] {
- set idir $t
- }
- }
- }
- }
- if {$idir == ""} {
- if {$is_windows} {
- set idir [get_profiles_dir]
- }
- if {$idir == ""} {
- set idir [pwd]
- }
- }
- return $idir
-}
-
-proc delete_cert {{parent "."}} {
- set idir [get_idir_certs ""]
- set f ""
- unix_dialog_resize $parent
- if {$idir != ""} {
- set f [tk_getOpenFile -parent $parent -initialdir $idir]
- } else {
- set f [tk_getOpenFile -parent $parent]
- }
- if {$f != "" && [file exists $f]} {
- set reply [tk_messageBox -parent $parent -type yesno -icon question -title "Delete Cert" -message "Delete $f"]
- if {$reply == "yes"} {
- global mycert svcert crlfil
- set f_text [read_file $f]
- set f2 ""
- catch {file delete $f}
- if {$f == $mycert} { set mycert "" }
- if {$f == $svcert} { set svcert "" }
- if {$f == $crlfil} { set crlfil "" }
- if [regexp {\.crt$} $f] {
- regsub {\.crt$} $f ".pem" f2
- } elseif [regexp {\.pem$} $f] {
- regsub {\.pem$} $f ".crt" f2
- }
- if {$f2 != "" && [file exists $f2]} {
- set reply [tk_messageBox -parent $parent -type yesno -icon question -title "Delete Cert" -message "Delete $f2"]
- if {$reply == "yes"} {
- catch {file delete $f2}
- if {$f2 == $mycert} { set mycert "" }
- if {$f2 == $svcert} { set svcert "" }
- if {$f2 == $crlfil} { set crlfil "" }
- }
- }
- set dir [file dirname $f]
- if {$f_text != "" && [regexp {accepted$} $dir]} {
- foreach crt [glob -nocomplain -directory $dir {*.crt} {*.pem} {*.[0-9]}] {
- #puts "try $crt"
- set c_text [read_file $crt]
- if {$c_text == ""} {
- continue
- }
- if {$c_text != $f_text} {
- continue
- }
- set reply [tk_messageBox -parent $parent -type yesno -icon question -title "Delete Identical Cert" -message "Delete Identical $crt"]
- if {$reply == "yes"} {
- catch {file delete $crt}
- }
- }
- }
- }
- }
- catch {wm deiconify .c}
- update
-}
-
-proc set_mycert {{parent "."}} {
- global mycert
- set idir [get_idir_certs $mycert]
- set t ""
- unix_dialog_resize $parent
- if {$idir != ""} {
- set t [tk_getOpenFile -parent $parent -initialdir $idir]
- } else {
- set t [tk_getOpenFile -parent $parent]
- }
- if {$t != ""} {
- set mycert $t
- }
- catch {wm deiconify .c}
- v_mycert
- update
-}
-
-proc set_crlfil {{parent "."}} {
- global crlfil
- set idir [get_idir_certs $crlfil]
- set t ""
- unix_dialog_resize $parent
- if {$idir != ""} {
- set t [tk_getOpenFile -parent $parent -initialdir $idir]
- } else {
- set t [tk_getOpenFile -parent $parent]
- }
- if {$t != ""} {
- set crlfil $t
- }
- catch {wm deiconify .c}
- v_crlfil
- update
-}
-
-proc set_ultra_dsm_file {{parent "."}} {
- global ultra_dsm_file
- set idir [get_idir_certs $ultra_dsm_file]
- set t ""
- unix_dialog_resize $parent
- if {$idir != ""} {
- set t [tk_getOpenFile -parent $parent -initialdir $idir]
- } else {
- set t [tk_getOpenFile -parent $parent]
- }
- if {$t != ""} {
- set ultra_dsm_file $t
- }
- update
-}
-
-proc set_ssh_known_hosts_file {{parent "."}} {
- global ssh_known_hosts_filename is_windows uname
-
- if {$ssh_known_hosts_filename == ""} {
- set pdir [get_profiles_dir]
- set pdir "$pdir/ssh_known_hosts"
- catch {file mkdir $pdir}
-
- global last_load
- if {![info exists last_load]} {
- set last_load ""
- }
- if {$last_load != ""} {
- set dispf [string trim $last_load]
- set dispf [file tail $dispf]
-
- regsub {\.vnc$} $dispf "" dispf
- if {![regexp {\.known$} $dispf]} {
- set dispf "$dispf.known"
- }
- set guess $dispf
- } else {
- set vncdisp [get_vncdisplay]
- set dispf [string trim $vncdisp]
- if {$dispf != ""} {
- regsub {[ ].*$} $dispf "" dispf
- regsub -all {/} $dispf "" dispf
- } else {
- set dispf "unique-name-here"
- }
- if {$is_windows || $uname == "Darwin"} {
- regsub -all {:} $dispf "-" dispf
- } else {
- regsub -all {:} $dispf "-" dispf
- }
- if {![regexp {\.known$} $dispf]} {
- set dispf "$dispf.known"
- }
- set guess $dispf
- }
- } else {
- set pdir [file dirname $ssh_known_hosts_filename]
- set guess [file tail $ssh_known_hosts_filename]
- }
-
- set t ""
- unix_dialog_resize $parent
- if {$pdir != ""} {
- set t [tk_getSaveFile -parent $parent -initialdir $pdir -initialfile $guess]
- } else {
- set t [tk_getSaveFile -parent $parent -initialfile $guess]
- }
- if {$t != ""} {
- set ssh_known_hosts_filename $t
- }
- update
-}
-
-proc show_cert {crt} {
- if {$crt == ""} {
- bell
- return
- }
- if {! [file exists $crt]} {
- bell
- return
- }
- set info ""
- catch {set info [get_x509_info $crt]}
- if {$info == ""} {
- bell
- return
- }
-
- set w .show_certificate
- toplev $w
- scroll_text $w.f
- button $w.b -text Dismiss -command "destroy $w"
- bind $w <Escape> "destroy $w"
- $w.f.t insert end $info
-
- pack $w.b -side bottom -fill x
- pack $w.f -side top -fill both -expand 1
- center_win $w
- catch {raise $w}
-}
-
-proc show_crl {crl} {
- if {$crl == ""} {
- bell
- return
- }
- if {! [file exists $crl]} {
- bell
- return
- }
-
- set flist [list]
-
- if [file isdirectory $crl] {
- foreach cfile [glob -nocomplain -directory $crl "*"] {
- if [file isfile $cfile] {
- lappend flist $cfile
- }
- }
- } else {
- lappend flist $crl
- }
-
- set ossl [get_openssl]
- set info ""
-
- foreach cfile $flist {
- catch {
- set ph [open "| $ossl crl -fingerprint -text -noout -in \"$cfile\"" "r"]
- while {[gets $ph line] > -1} {
- append info "$line\n"
- }
- close $ph
- append info "\n"
- }
- }
-
- set w .show_crl
- toplev $w
- scroll_text $w.f
- button $w.b -text Dismiss -command "destroy $w"
- bind $w <Escape> "destroy $w"
- $w.f.t insert end $info
-
- pack $w.b -side bottom -fill x
- pack $w.f -side top -fill both -expand 1
- center_win $w
- catch {raise $w}
-}
-
-proc v_svcert {} {
- global svcert
- if {$svcert == "" || ! [file exists $svcert]} {
- catch {.c.svcert.i configure -state disabled}
- } else {
- catch {.c.svcert.i configure -state normal}
- }
- no_certs_tutorial_mesg
- return 1
-}
-
-proc v_mycert {} {
- global mycert
- if {$mycert == "" || ! [file exists $mycert]} {
- catch {.c.mycert.i configure -state disabled}
- } else {
- catch {.c.mycert.i configure -state normal}
- }
- return 1
-}
-
-proc v_crlfil {} {
- global crlfil
- if {$crlfil == "" || ! [file exists $crlfil]} {
- catch {.c.crlfil.i configure -state disabled}
- } else {
- catch {.c.crlfil.i configure -state normal}
- }
- return 1
-}
-
-proc show_mycert {} {
- global mycert
- show_cert $mycert
-}
-
-proc show_svcert {} {
- global svcert
- show_cert $svcert
-}
-
-proc show_crlfil {} {
- global crlfil
- show_crl $crlfil
-}
-
-proc set_svcert {{parent "."}} {
- global svcert crtdir
- set idir [get_idir_certs $svcert]
- set t ""
- unix_dialog_resize $parent
- if {$idir != ""} {
- set t [tk_getOpenFile -parent $parent -initialdir $idir]
- } else {
- set t [tk_getOpenFile -parent $parent]
- }
- if {$t != ""} {
- set crtdir ""
- set svcert $t
- }
- catch {wm deiconify .c}
- v_svcert
- update
-}
-
-proc set_crtdir {{parent "."}} {
- global svcert crtdir
- set idir ""
- if {$crtdir == "ACCEPTED_CERTS"} {
- set idir [get_idir_certs ""]
- } else {
- set idir [get_idir_certs $crtdir]
- }
- set t ""
- unix_dialog_resize $parent
- if {$idir != ""} {
- set t [tk_chooseDirectory -parent $parent -initialdir $idir]
- } else {
- set t [tk_chooseDirectory -parent $parent]
- }
- if {$t != ""} {
- set svcert ""
- set crtdir $t
- }
- catch {wm deiconify .c}
- update
-}
-
-proc set_createcert_file {} {
- global ccert
- if {[info exists ccert(FILE)]} {
- set idir [get_idir_certs $ccert(FILE)]
- }
- unix_dialog_resize .ccrt
- if {$idir != ""} {
- set t [tk_getSaveFile -parent .ccrt -defaultextension ".pem" -initialdir $idir]
- } else {
- set t [tk_getSaveFile -parent .ccrt -defaultextension ".pem"]
- }
- if {$t != ""} {
- set ccert(FILE) $t
- }
- catch {raise .ccrt}
- update
-}
-
-proc check_pp {} {
- global ccert
- if {$ccert(ENC)} {
- catch {.ccrt.pf.e configure -state normal}
- catch {focus .ccrt.pf.e}
- catch {.ccrt.pf.e icursor end}
- } else {
- catch {.ccrt.pf.e configure -state disabled}
- }
-}
-
-proc get_openssl {} {
- global is_windows
- if {$is_windows} {
- set ossl "openssl.exe"
- } else {
- set ossl "openssl"
- }
-}
-
-proc get_x509_info {crt} {
- set ossl [get_openssl]
- set info ""
- update
- set ph [open "| $ossl x509 -text -fingerprint -in \"$crt\"" "r"]
- while {[gets $ph line] > -1} {
- append info "$line\n"
- }
- close $ph
- return $info
-}
-
-proc do_oss_create {} {
- global is_windows is_win9x
-
- set cfg {
-[ req ]
-default_bits = 2048
-encrypt_key = yes
-distinguished_name = req_distinguished_name
-
-[ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_default = %CO
-countryName_min = 2
-countryName_max = 2
-
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = %ST
-
-localityName = Locality Name (eg, city)
-localityName_default = %LOC
-
-0.organizationName = Organization Name (eg, company)
-0.organizationName_default = %ON
-
-organizationalUnitName = Organizational Unit Name (eg, section)
-organizationalUnitName_default = %OUN
-
-commonName = Common Name (eg, YOUR name)
-commonName_default = %CN
-commonName_max = 64
-
-emailAddress = Email Address
-emailAddress_default = %EM
-emailAddress_max = 64
-}
-
- global ccert
-
- if {$ccert(FILE) == ""} {
- catch {destroy .c}
- mesg "No output cert file supplied"
- bell
- return
- }
- if {! [regexp {\.pem$} $ccert(FILE)]} {
- append ccert(FILE) ".pem"
- }
- set pem $ccert(FILE)
- regsub {\.pem$} $ccert(FILE) ".crt" crt
-
- if {$ccert(ENC)} {
- if {[string length $ccert(PASS)] < 4} {
- catch {destroy .c}
- mesg "Passphrase must be at least 4 characters long."
- bell
- return
- }
- }
- if {[string length $ccert(CO)] != 2} {
- catch {destroy .c}
- mesg "Country Name must be at exactly 2 characters long."
- bell
- return
- }
- if {[string length $ccert(CN)] > 64} {
- catch {destroy .c}
- mesg "Common Name must be less than 65 characters long."
- bell
- return
- }
- if {[string length $ccert(EM)] > 64} {
- catch {destroy .c}
- mesg "Email Address must be less than 65 characters long."
- bell
- return
- }
-
- foreach t {EM CN OUN ON LOC ST CO} {
-
- set val $ccert($t)
- if {$val == ""} {
- set val "none"
- }
- regsub "%$t" $cfg "$val" cfg
- }
-
- global is_windows
-
- if {$is_windows} {
- # VF
- set tmp "cert.cfg"
- } else {
- set tmp "/tmp/cert.cfg.[tpid]"
- set tmp [mytmp $tmp]
- catch {set fh [open $tmp "w"]}
- catch {exec chmod 600 $tmp}
- if {! [file exists $tmp]} {
- catch {destroy .c}
- mesg "cannot create: $tmp"
- bell
- return
- }
- }
- set fh ""
- catch {set fh [open $tmp "w"]}
- if {$fh == ""} {
- catch {destroy .c}
- mesg "cannot create: $tmp"
- bell
- catch {file delete $tmp}
- return
- }
-
- puts $fh $cfg
- close $fh
-
- set ossl [get_openssl]
-
- set cmd "$ossl req -config $tmp -nodes -new -newkey rsa:2048 -x509 -batch"
- if {$ccert(DAYS) != ""} {
- set cmd "$cmd -days $ccert(DAYS)"
- }
- if {$is_windows} {
- set cmd "$cmd -keyout {$pem} -out {$crt}"
- } else {
- set cmd "$cmd -keyout \"$pem\" -out \"$crt\""
- }
-
- if {$is_windows} {
- set emess ""
- if {$is_win9x} {
- catch {file delete $pem}
- catch {file delete $crt}
- update
- eval exec $cmd &
- catch {raise .}
- set sl 0
- set max 100
- #if {$ccert(ENC)} {
- # set max 100
- #}
- set maxms [expr $max * 1000]
- while {$sl < $maxms} {
- set s2 [expr $sl / 1000]
- mesg "running openssl ... $s2/$max"
- if {[file exists $pem] && [file exists $crt]} {
- after 2000
- break
- }
- after 500
- set sl [expr $sl + 500]
- }
- mesg ""
- } else {
- update
- set rc [catch {eval exec $cmd} emess]
- if {$rc != 0 && [regexp -nocase {error:} $emess]} {
- raise .
- tk_messageBox -type ok -icon error -message $emess -title "OpenSSL req command failed"
- return
- }
- }
- } else {
- set geometry [xterm_center_geometry]
- update
- unix_terminal_cmd $geometry "Running OpenSSL" "$cmd"
- catch {file attributes $pem -permissions go-rw}
- catch {file attributes $crt -permissions go-w}
- }
- catch {file delete $tmp}
-
- set bad ""
- if {! [file exists $pem]} {
- set bad "$pem "
- }
- if {! [file exists $crt]} {
- set bad "$crt"
- }
- if {$bad != ""} {
- raise .
- tk_messageBox -type ok -icon error -message "Not created: $bad" -title "OpenSSL could not create cert"
- catch {raise .c}
- return
- }
-
- if {$ccert(ENC) && $ccert(PASS) != ""} {
- set cmd "$ossl rsa -in \"$pem\" -des3 -out \"$pem\" -passout stdin"
- set ph ""
- set emess ""
- update
- set rc [catch {set ph [open "| $cmd" "w"]} emess]
- if {$rc != 0 || $ph == ""} {
- raise .
- tk_messageBox -type ok -icon error -message $emess -title "Could not encrypt private key"
- catch {file delete $pem}
- catch {file delete $crt}
- return
- }
- puts $ph $ccert(PASS)
- set emess ""
- set rc [catch {close $ph} emess]
- #puts $emess
- #puts $rc
- }
-
- set in [open $crt "r"]
- set out [open $pem "a"]
- while {[gets $in line] > -1} {
- puts $out $line
- }
- close $in
- close $out
-
- catch {raise .c}
- set p .
- if [winfo exists .c] {
- set p .c
- }
-
- set reply [tk_messageBox -parent $p -type yesno -title "View Cert" -message "View Certificate and Info?"]
- catch {raise .c}
- if {$reply == "yes"} {
- set w .view_cert
- toplev $w
- scroll_text $w.f
- set cert ""
- set fh ""
- catch {set fh [open $crt "r"]}
- if {$fh != ""} {
- while {[gets $fh line] > -1} {
- append cert "$line\n"
- }
- catch {close $fh}
- }
-
- global yegg
- set yegg ""
- button $w.b -text Dismiss -command "destroy $w; set yegg 1"
- pack $w.b -side bottom -fill x
- bind $w <Escape> "destroy $w; set yegg 1"
-
- $w.f.t insert end "\n"
- $w.f.t insert end "$crt:\n"
- $w.f.t insert end "\n"
- $w.f.t insert end $cert
- $w.f.t insert end "\n"
-
- set info [get_x509_info $crt]
- $w.f.t insert end $info
-
- pack $w.f -side top -fill both -expand 1
- center_win $w
- catch {raise $w}
- vwait yegg
- catch {raise .c}
- }
-
- set p .
- if [winfo exists .c] {
- set p .c
- }
- set reply [tk_messageBox -parent $p -type yesno -title "View Private Key" -message "View Private Key?"]
- catch {raise .c}
- if {$reply == "yes"} {
- set w .view_key
- toplev $w
- scroll_text $w.f
- set key ""
- set fh [open $pem "r"]
- while {[gets $fh line] > -1} {
- append key "$line\n"
- }
- close $fh
-
- global yegg
- set yegg ""
- button $w.b -text Dismiss -command "destroy $w; set yegg 1"
- pack $w.b -side bottom -fill x
- bind $w <Escape> "destroy $w; set yegg 1"
-
- $w.f.t insert end "\n"
- $w.f.t insert end "$pem:\n"
- $w.f.t insert end "\n"
- $w.f.t insert end $key
- $w.f.t insert end "\n"
-
- pack $w.f -side top -fill both -expand 1
- center_win $w
- catch {raise $w}
- vwait yegg
- catch {raise .c}
- }
-}
-
-proc create_cert {{name ""}} {
-
- toplev .ccrt
- wm title .ccrt "Create SSL Certificate"
-
- global uname
- set h 27
- if [small_height] {
- set h 14
- } elseif {$uname == "Darwin"} {
- set h 20
- }
- scroll_text .ccrt.f 80 $h
-
- set msg {
- This dialog helps you to create a simple Self-Signed SSL certificate.
-
- On Unix the openssl(1) program must be installed and in $PATH.
- On Windows, a copy of the openssl program is provided for convenience.
-
- The resulting certificate files can be used for either:
-
- 1) authenticating yourself (VNC Viewer) to a VNC Server
- or 2) your verifying the identity of a remote VNC Server.
-
- In either case you will need to safely copy one of the generated key or
- certificate files to the remote VNC Server and have the VNC Server use
- it. Or you could send it to the system administrator of the VNC Server.
-
- For the purpose of description, assume that the filename selected in the
- "Save to file" entry is "vnccert.pem". That file will be generated
- by this process and so will the "vnccert.crt" file. "vnccert.pem"
- contains both the Private Key and the Public Certificate. "vnccert.crt"
- only contains the Public Certificate.
-
- For case 1) you would copy "vnccert.crt" to the VNC Server side and
- instruct the server to use it. For x11vnc it would be for example:
-
- x11vnc -sslverify /path/to/vnccert.crt -ssl SAVE ...
-
- (it is also possible to handle many client certs at once in a directory,
- see the -sslverify documentation). Then you would use "vnccert.pem"
- as the MyCert entry in the SSL Certificates dialog.
-
- For case 2) you would copy "vnccert.pem" to the VNC Server side and
- instruct the server to use it. For x11vnc it would be for example:
-
- x11vnc -ssl /path/to/vnccert.pem
-
- Then you would use "vnccert.crt" as the as the ServerCert entry in the
- "SSL Certificates" dialog.
-
-
- Creating the Certificate:
-
- Choose a output filename (ending in .pem) in the "Save to file" entry.
-
- Then fill in the identification information (Country, State or Province,
- etc).
-
- The click on "Create" to generate the certificate files.
-
- Encrypting the Private Key: It is a very good idea to encrypt the
- Private Key that goes in the "vnccert.pem". The downside is that
- whenever that key is used (e.g. starting up x11vnc using it) then
- the passphrase will need to be created. If you do not encrypt it and
- somebody steals a copy of the "vnccert.pem" file then they can pretend
- to be you.
-
- After you have created the certificate files, you must copy and import
- either "vnccert.pem" or "vnccert.pem" to the remote VNC Server and
- also select the other file in the "SSL Certificates" dialog.
- See the description above.
-
- For more information see:
-
- http://www.karlrunge.com/x11vnc/ssl.html
- http://www.karlrunge.com/x11vnc/faq.html#faq-ssl-tunnel-int
-
- The first one describes how to use x11vnc to create Certificate
- Authority (CA) certificates in addition to Self-Signed ones.
-
-
- Tip: if you choose the "Common Name" to be the internet hostname
- (e.g. gateway.mydomain.com) that connections will be made to or
- from that will avoid many dialogs when connecting mentioning that
- the hostname does not match the Common Name.
-}
- .ccrt.f.t insert end $msg
-
- global ccert ccert_init tcert
-
-
- if {! [info exists ccert_init]} {
- set ccert_init 1
- set ccert(CO) "US"
- set ccert(ST) "Massachusetts"
- set ccert(LOC) "Boston"
- set ccert(ON) "My Company"
- set ccert(OUN) "Product Development"
- set ccert(CN) "www.nowhere.none"
- set ccert(EM) "admin@nowhere.none"
- set ccert(DAYS) "730"
- set ccert(FILE) ""
- }
-
- set ccert(ENC) 0
- set ccert(PASS) ""
-
- set tcert(CO) "Country Name (2 letter code):"
- set tcert(ST) "State or Province Name (full name):"
- set tcert(LOC) "Locality Name (eg, city):"
- set tcert(ON) "Organization Name (eg, company):"
- set tcert(OUN) "Organizational Unit Name (eg, section):"
- set tcert(CN) "Common Name (eg, YOUR name):"
- set tcert(EM) "Email Address:"
- set tcert(DAYS) "Days until expiration:"
-
- set idir [get_idir_certs ""]
- if {$name != ""} {
- if {[regexp {/} $name] || [regexp {\.pem$} $name] || [regexp {\.crt$} $name]} {
- set ccert(FILE) $name
- } else {
- set ccert(FILE) "$idir/$name.pem"
- }
- } elseif {$ccert(FILE) == ""} {
- set ccert(FILE) "$idir/vnccert.pem"
- }
-
- button .ccrt.cancel -text "Cancel" -command {destroy .ccrt; catch {raise .c}}
- bind .ccrt <Escape> {destroy .ccrt; catch {raise .c}}
- wm protocol .ccrt WM_DELETE_WINDOW {destroy .ccrt; catch {raise .c}}
-
- button .ccrt.create -text "Generate Cert" -command {destroy .ccrt; catch {raise .c}; do_oss_create}
-
- pack .ccrt.create .ccrt.cancel -side bottom -fill x
-
- set ew 40
-
- set w .ccrt.pf
- frame $w
- checkbutton $w.check -anchor w -variable ccert(ENC) -text \
- "Encrypt Key with Passphrase" -command {check_pp}
-
- entry $w.e -width $ew -textvariable ccert(PASS) -state disabled \
- -show *
-
- pack $w.e -side right
- pack $w.check -side left -expand 1 -fill x
- pack $w -side bottom -fill x
-
- set w .ccrt.fl
- frame $w
- label $w.l -anchor w -text "Save to file:"
-
- entry $w.e -width $ew -textvariable ccert(FILE)
- button $w.b -text "Browse..." -command {set_createcert_file; catch {raise .ccrt}}
- if {$name != ""} {
- $w.b configure -state disabled
- }
-
- pack $w.e -side right
- pack $w.b -side right
- pack $w.l -side left -expand 1 -fill x
- pack $w -side bottom -fill x
-
- set i 0
- foreach t {DAYS EM CN OUN ON LOC ST CO} {
- set w .ccrt.f$i
- frame $w
- label $w.l -anchor w -text "$tcert($t)"
- entry $w.e -width $ew -textvariable ccert($t)
- pack $w.e -side right
- pack $w.l -side left -expand 1 -fill x
- pack $w -side bottom -fill x
- incr i
- }
-
- pack .ccrt.f -side top -fill both -expand 1
-
- center_win .ccrt
-}
-
-proc import_check_mode {w} {
- global import_mode
- if {$import_mode == "paste"} {
- $w.mf.b configure -state disabled
- $w.mf.e configure -state disabled
- $w.plab configure -state normal
- $w.paste.t configure -state normal
- } else {
- $w.mf.b configure -state normal
- $w.mf.e configure -state normal
- $w.plab configure -state disabled
- $w.paste.t configure -state disabled
- }
-}
-
-proc import_browse {par} {
- global import_file
-
- set idir ""
- if {$import_file != ""} {
- set idir [get_idir_certs $import_file]
- }
- unix_dialog_resize $par
- if {$idir != ""} {
- set t [tk_getOpenFile -parent $par -initialdir $idir]
- } else {
- set t [tk_getOpenFile -parent $par]
- }
- if {$t != ""} {
- set import_file $t
- }
- catch {raise $par}
- update
-}
-
-proc import_save_browse {{par ".icrt"}} {
- global import_save_file
-
- set idir ""
- if {$import_save_file != ""} {
- set idir [get_idir_certs $import_save_file]
- }
- if {$idir == ""} {
- set idir [get_idir_certs ""]
- }
- unix_dialog_resize $par
- if {$idir != ""} {
- set t [tk_getSaveFile -parent $par -defaultextension ".crt" -initialdir $idir]
- } else {
- set t [tk_getSaveFile -parent $par -defaultextension ".crt"]
- }
- if {$t != ""} {
- set import_save_file $t
- }
- catch {raise $par}
- update
-}
-
-proc do_save {par} {
- global import_mode import_file import_save_file
- global also_save_to_accepted_certs
-
- if {![info exists also_save_to_accepted_certs]} {
- set also_save_to_accepted_certs 0
- }
-
- if {$import_save_file == "" && ! $also_save_to_accepted_certs} {
- tk_messageBox -parent $par -type ok -icon error \
- -message "No Save File supplied" -title "Save File"
- return
- }
-
- set str ""
- set subject_issuer ""
- if {$import_mode == "save_cert_text"} {
- global save_cert_text
- set str $save_cert_text
- set i 0
- foreach line [split $str "\n"] {
- incr i
- if {$i > 50} {
- break
- }
- if [regexp {^- subject: *(.*)$} $line m val] {
- set subject_issuer "${subject_issuer}subject:$val\n"
- }
- if [regexp {^- (issuer[0-9][0-9]*): *(.*)$} $line m is val] {
- set subject_issuer "${subject_issuer}$is:$val\n"
- }
- if [regexp {^INFO: SELF_SIGNED=(.*)$} $line m val] {
- set subject_issuer "${subject_issuer}SELF_SIGNED:$val\n"
- }
- }
- } elseif {$import_mode == "paste"} {
- set str [$par.paste.t get 1.0 end]
- } else {
- if {! [file exists $import_file]} {
- tk_messageBox -parent $par -type ok -icon error \
- -message "Input file \"$import_file\" does not exist." -title "Import File"
- return
- }
- set fh ""
- set emess ""
- set rc [catch {set fh [open $import_file "r"]} emess]
- if {$rc != 0 || $fh == ""} {
- tk_messageBox -parent $par -type ok -icon error \
- -message $emess -title "Import File: $import_file"
- return
- }
- while {[gets $fh line] > -1} {
- append str "$line\n"
- }
- close $fh
- }
-
- if {! [regexp {BEGIN CERTIFICATE} $str]} {
- tk_messageBox -parent $par -type ok -icon error \
- -message "Import Text does not contain \"BEGIN CERTIFICATE\"" -title "Imported Text"
- return
- }
- if {! [regexp {END CERTIFICATE} $str]} {
- tk_messageBox -parent $par -type ok -icon error \
- -message "Import Text does not contain \"END CERTIFICATE\"" -title "Imported Text"
- return
- }
-
- global is_windows
- set fh ""
- set emess ""
- set deltmp ""
- if {$import_save_file == ""} {
- if {! $is_windows} {
- set deltmp /tmp/import.[tpid]
- } else {
- set deltmp import.[tpid]
- }
- set deltmp [mytmp $deltmp]
- set import_save_file $deltmp
- }
- set rc [catch {set fh [open $import_save_file "w"]} emess]
- if {$rc != 0 || $fh == ""} {
- tk_messageBox -parent $par -type ok -icon error \
- -message $emess -title "Save File: $import_save_file"
- return
- }
- if {! $is_windows} {
- catch {file attributes $import_save_file -permissions go-w}
- if {[regexp {PRIVATE} $str] || [regexp {\.pem$} $import_save_file]} {
- catch {file attributes $import_save_file -permissions go-rw}
- }
- }
-
- puts -nonewline $fh $str
- close $fh
-
- global do_save_saved_it
- set do_save_saved_it 1
-
- if {$also_save_to_accepted_certs} {
- set ossl [get_openssl]
- set fp_txt ""
- set fp_txt [exec $ossl x509 -fingerprint -noout -in $import_save_file]
-
- set adir [get_idir_certs ""]
- set adir "$adir/accepted"
- catch {file mkdir $adir}
-
- set fingerprint ""
- set fingerline ""
-
- set i 0
- foreach line [split $fp_txt "\n"] {
- incr i
- if {$i > 5} {
- break
- }
- if [regexp -nocase {Fingerprint=(.*)} $line mv str] {
- set fingerline $line
- set fingerprint [string trim $str]
- }
- }
-
- set fingerprint [string tolower $fingerprint]
- regsub -all {:} $fingerprint "-" fingerprint
- regsub -all {[\\/=]} $fingerprint "_" fingerprint
-
- if {$subject_issuer == ""} {
- set si_txt ""
- set si_txt [exec $ossl x509 -subject -issuer -noout -in $import_save_file]
- set sub ""
- set iss ""
- foreach line [split $si_txt "\n"] {
- if [regexp -nocase {^subject= *(.*)$} $line mv str] {
- set str [string trim $str]
- set sub $str
- } elseif [regexp -nocase {^issuer= *(.*)$} $line mv str] {
- set str [string trim $str]
- set iss $str
- }
- }
- if {$sub != "" && $iss != ""} {
- set subject_issuer "subject:$sub\nissuer1:$iss\n"
- if {$sub == $iss} {
- set subject_issuer "${subject_issuer}SELF_SIGNED:1\n"
- } else {
- set subject_issuer "${subject_issuer}SELF_SIGNED:0\n"
- }
- }
- }
-
- global vncdisplay
- set from [get_ssh_hp $vncdisplay]
- if {$from == ""} {
- set from [file tail $import_save_file]
- regsub {\..*$} $from "" from
- }
- if {$from == ""} {
- set from "import"
- }
- if [regexp -- {^:[0-9][0-9]*$} $from] {
- set from "listen$from"
- }
- set hp $from
-
- set from [string tolower $from]
- regsub -all {^[+a-z]*://} $from "" from
- regsub -all {:} $from "-" from
- regsub -all {[\\/=]} $from "_" from
- regsub -all {[ ]} $from "_" from
-
- set crt "$adir/$from=$fingerprint.crt"
- catch {file copy -force $import_save_file $crt}
-
- global do_save_saved_hash_it
- set do_save_saved_hash_it 1
- save_hash $crt $adir $hp $fingerline $from $fingerprint $subject_issuer
- }
-
- catch {destroy $par}
- set p .c
- if {![winfo exists .c]} {
- global accepted_cert_dialog_in_progress
- if {! $accepted_cert_dialog_in_progress} {
- if {$deltmp == ""} {
- getcerts
- update
- }
- }
- }
- if {![winfo exists .c]} {
- set p .
- }
- catch {raise .c}
- catch {destroy .scrt}
- if {$deltmp != ""} {
- catch {file delete $deltmp}
- set import_save_file ""
- return;
- }
- tk_messageBox -parent $p -type ok -icon info \
- -message "Saved to file: $import_save_file" -title "Save File: $import_save_file"
-}
-
-proc import_cert {} {
-
- toplev .icrt
- wm title .icrt "Import SSL Certificate"
-
- global scroll_text_focus
- set scroll_text_focus 0
- global uname
- set h 19
- if [small_height] {
- set h 12
- } elseif {$uname == "Darwin"} {
- set h 16
- }
- scroll_text .icrt.f 90 $h
- set scroll_text_focus 1
-
- set msg {
- This dialog lets you import a SSL Certificate by either pasting one in or by
- loading from another file. Choose which input mode you want to use by the toggle
- "Paste / Read from File".
-
- There are two types of files we use 1) Certificate only, and 2) Private Key
- and Certificate.
-
- Type 1) would be used to verify the identity of a remote VNC Server, whereas
- type 2) would be used to authenticate ourselves to the remote VNC Server.
-
- A type 1) by convention ends with file suffix ".crt" and looks like:
-
------BEGIN CERTIFICATE-----
-MIID2jCCAsKgAwIBAgIJALKypfV8BItCMA0GCSqGSIb3DQEBBAUAMIGgMQswCQYD
-(more lines) ...
-TCQ+tbQ/DOiTXGKx1nlcKoPdkG+QVQVJthlQcpam
------END CERTIFICATE-----
-
- A type 2) by convention ends with file suffix ".pem" and looks like:
-
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA4sApd7WaPKQRWnFe9T04D4pglQB0Ti0/dCVHxg8WEVQ8OdcW
-(more lines) ...
-9kBmNotUiTpvRM+e7E/zRemhvY9qraFooqMWzi9JrgYfeLfSvvFfGw==
------END RSA PRIVATE KEY-----
------BEGIN CERTIFICATE-----
-MIID2jCCAsKgAwIBAgIJALKypfV8BItCMA0GCSqGSIb3DQEBBAUAMIGgMQswCQYD
-(more lines) ...
-TCQ+tbQ/DOiTXGKx1nlcKoPdkG+QVQVJthlQcpam
------END CERTIFICATE-----
-
- You do not need to use the ".crt" or ".pem" convention if you do not want to.
-
- First, either paste in the text or set the "Read from File" filename.
-
- Next, set the "Save to File" name to the file where the imported certificate
- will be saved.
-
- Then, click on "Save" to save the imported Certificate.
-
- After you have imported the Certificate (or Key + Certificate), select it to
- use for a connection via the "MyCert" or "ServerCert" dialog.
-}
- .icrt.f.t insert end $msg
-
- global icert import_mode
-
- set import_mode "paste"
-
- set w .icrt.mf
- frame $w
-
- radiobutton $w.p -pady 1 -anchor w -variable import_mode -value paste \
- -text "Paste" -command "import_check_mode .icrt"
-
- radiobutton $w.f -pady 1 -anchor w -variable import_mode -value file \
- -text "Read from File:" -command "import_check_mode .icrt"
-
- global import_file
- set import_file ""
- entry $w.e -width 40 -textvariable import_file
-
- button $w.b -pady 1 -anchor w -text "Browse..." -command {import_browse .icrt}
- pack $w.b -side right
- pack $w.p $w.f -side left
- pack $w.e -side left -expand 1 -fill x
-
- $w.b configure -state disabled
- $w.e configure -state disabled
-
- label .icrt.plab -anchor w -text "Paste Certificate here: (extra blank lines above or below are OK)"
- set h 22
- if [small_height] {
- set h 11
- } elseif {$uname == "Darwin"} {
- set h 11
- }
- scroll_text .icrt.paste 90 $h
-
- button .icrt.cancel -text "Cancel" -command {destroy .icrt; catch {raise .c}}
- bind .icrt <Escape> {destroy .icrt; catch {raise .c}}
- wm protocol .icrt WM_DELETE_WINDOW {destroy .icrt; catch {raise .c}}
-
- button .icrt.save -text "Save" -command {do_save .icrt}
-
- set w .icrt.sf
- frame $w
-
- label $w.l -text "Save to File:" -anchor w
- global import_save_file
- set import_save_file ""
- entry $w.e -width 40 -textvariable import_save_file
- button $w.b -pady 1 -anchor w -text "Browse..." -command import_save_browse
-
- global also_save_to_accepted_certs
- set also_save_to_accepted_certs 0
- checkbutton .icrt.ac -anchor w -variable also_save_to_accepted_certs -text \
- "Also Save to the 'Accepted Certs' directory" -relief raised
-
- pack $w.b -side right
- pack $w.l -side left
- pack $w.e -side left -expand 1 -fill x
-
- pack .icrt.save .icrt.cancel .icrt.ac .icrt.sf .icrt.mf -side bottom -fill x
- pack .icrt.paste .icrt.plab -side bottom -fill x
-
- pack .icrt.f -side top -fill both -expand 1
-
- .icrt.paste.t insert end ""
-
- focus .icrt.paste.t
-
- center_win .icrt
-}
-
-proc save_cert {hp} {
-
- global cert_text
-
- toplev .scrt
- wm title .scrt "Import/Save SSL Certificate"
-
- global scroll_text_focus
- set scroll_text_focus 0
- global uname
-
- global accepted_cert_dialog_in_progress
- set h 20
- if {$accepted_cert_dialog_in_progress} {
- set mode "accepted"
- set h 15
- if [small_height] {
- set h 11
- }
- } else {
- set mode "normal"
- set h 20
- if [small_height] {
- set h 16
- }
- }
- scroll_text .scrt.f 90 $h
-
- set scroll_text_focus 1
-
- set msg1 {
- This dialog lets you import a SSL Certificate retrieved from a VNC server.
-
- Be sure to have verified its authenticity via an external means (checking
- the MD5 hash value sent to you by the administrator, etc)
-
- Set "Save to File" to the filename where the imported cert will be saved.
-
- If you also want the Certificate to be saved to the pool of certs in the
- 'Accepted Certs' directory, select the checkbox. By default all Servers are
- verified against the certificates in this pool.
-
- Then, click on "Save" to save the imported Certificate.
-
- After you have imported the Certificate it will be automatically selected as
- the "ServerCert" for the next connection to this host: %HOST
-
- To make the ServerCert setting to the imported cert file PERMANENT, select
- 'Save' to save it in the profile for this host.
-}
-
- set msg2 {
- This dialog lets you import a SSL Certificate retrieved from a VNC server.
-
- Be sure to have verified its authenticity via an external means (checking
- the MD5 hash value sent to you by the administrator, etc)
-
- It will be added to the 'Accepted Certs' directory. The "Save to File"
- below is already set to the correct directory and file name.
-
- Click on "Save" to add it to the Accepted Certs.
-
- It, and the other certs in that directory, will be used to authenticate
- any VNC Server that has "ACCEPTED_CERTS" as the "CertsDir" value in the
- "Certs..." dialog. This is the default checking policy.
-}
-
- set msg ""
- if {$mode == "normal"} {
- set msg $msg1
- } else {
- set msg $msg2
- }
-
- regsub {%HOST} $msg "$hp" msg
- .scrt.f.t insert end $msg
-
- set w .scrt.mf
- frame $w
-
- global import_file
- set import_file ""
- entry $w.e -width 40 -textvariable import_file
-
- set h 22
- if [small_height] {
- set h 10
- }
- scroll_text .scrt.paste 90 $h
-
- button .scrt.cancel -text "Cancel" -command {destroy .scrt; catch {raise .c}}
- bind .scrt <Escape> {destroy .scrt; catch {raise .c}}
- wm protocol .scrt WM_DELETE_WINDOW {destroy .scrt; catch {raise .c}}
-
- global import_save_file
- if {$mode == "normal"} {
- button .scrt.save -text "Save" -command {do_save .scrt; set svcert $import_save_file}
- } else {
- button .scrt.save -text "Save" -command {do_save .scrt}
- }
-
- if [regexp -nocase -- {ACCEPT} $cert_text] {
- if [regexp -nocase -- {Client certificate} $cert_text] {
- if [regexp -- {^:[0-9][0-9]*$} $hp] {
- if [regexp -nocase {subject=.*CN=([^/][^/]*)/} $cert_text mv0 mv1] {
- regsub -all {[ ]} $mv1 "" mv1
- set hp "$mv1$hp"
- } else {
- set hp "listen$hp"
- }
- }
- }
- }
-
- set w .scrt.sf
- frame $w
-
- label $w.l -text "Save to File:" -anchor w
- set import_save_file "server:$hp.crt"
- global is_windows
- regsub -all {:} $import_save_file "-" import_save_file
-
- set import_save_file [get_idir_certs ""]/$import_save_file
-
- global fetch_cert_filename
- if {$fetch_cert_filename != ""} {
- set import_save_file $fetch_cert_filename
- }
-
- entry $w.e -width 40 -textvariable import_save_file
- button $w.b -pady 1 -anchor w -text "Browse..." -command {import_save_browse .scrt}
-
- pack $w.b -side right
- pack $w.l -side left
- pack $w.e -side left -expand 1 -fill x
-
- global also_save_to_accepted_certs
- set also_save_to_accepted_certs 0
- if [regexp -nocase -- {ACCEPT} $cert_text] {
- if [regexp -nocase -- {Client certificate} $cert_text] {
- set also_save_to_accepted_certs 1
- }
- }
- checkbutton .scrt.ac -anchor w -variable also_save_to_accepted_certs -text \
- "Also Save to the 'Accepted Certs' directory" -relief raised
-
- if {$mode == "normal"} {
- pack .scrt.cancel .scrt.save .scrt.sf .scrt.ac .scrt.mf -side bottom -fill x
- } else {
- pack .scrt.cancel .scrt.save .scrt.sf .scrt.mf -side bottom -fill x
- }
- pack .scrt.paste -side bottom -fill x
-
- pack .scrt.f -side top -fill both -expand 1
-
- set text ""
- set on 0
- foreach line [split $cert_text "\n"] {
- if [regexp -- {-----BEGIN CERTIFICATE-----} $line] {
- incr on
- }
- if {$on != 1} {
- continue;
- }
- append text "$line\n"
- if [regexp -- {-----END CERTIFICATE-----} $line] {
- set on 2
- }
- }
- global save_cert_text
- set save_cert_text $text
- .scrt.paste.t insert end "$text"
- global import_mode
- set import_mode "save_cert_text"
-
- focus .scrt.paste.t
-
- center_win .scrt
-}
-
-
-proc getcerts {} {
- global mycert svcert crtdir crlfil
- global use_ssh use_sshssl
- toplev .c
- wm title .c "SSL Certificates"
- frame .c.mycert
- frame .c.svcert
- frame .c.crtdir
- frame .c.crlfil
- label .c.mycert.l -anchor w -width 12 -text "MyCert:"
- label .c.svcert.l -anchor w -width 12 -text "ServerCert:"
- label .c.crtdir.l -anchor w -width 12 -text "CertsDir:"
- label .c.crlfil.l -anchor w -width 12 -text "CRL File:"
-
- entry .c.mycert.e -width 32 -textvariable mycert -vcmd v_mycert
- entry .c.svcert.e -width 32 -textvariable svcert -vcmd v_svcert
- entry .c.crtdir.e -width 32 -textvariable crtdir
- entry .c.crlfil.e -width 32 -textvariable crlfil -vcmd v_crlfil
-
- bind .c.mycert.e <Enter> {.c.mycert.e validate}
- bind .c.mycert.e <Leave> {.c.mycert.e validate}
- bind .c.svcert.e <Enter> {.c.svcert.e validate}
- bind .c.svcert.e <Leave> {.c.svcert.e validate}
-
- button .c.mycert.b -text "Browse..." -command {set_mycert .c; catch {raise .c}}
- button .c.svcert.b -text "Browse..." -command {set_svcert .c; catch {raise .c}}
- button .c.crtdir.b -text "Browse..." -command {set_crtdir .c; catch {raise .c}}
- button .c.crlfil.b -text "Browse..." -command {set_crlfil .c; catch {raise .c}}
-
- button .c.mycert.i -text "Info" -command {show_mycert}
- button .c.svcert.i -text "Info" -command {show_svcert}
- button .c.crtdir.i -text "Info" -command {}
- button .c.crlfil.i -text "Info" -command {show_crlfil}
-
- bind .c.mycert.b <Enter> "v_mycert"
- bind .c.svcert.b <Enter> "v_svcert"
- bind .c.crlfil.b <Enter> "v_crlfil"
-
- .c.mycert.i configure -state disabled
- .c.svcert.i configure -state disabled
- .c.crtdir.i configure -state disabled
- .c.crlfil.i configure -state disabled
-
- bind .c.mycert.b <B3-ButtonRelease> "show_mycert"
- bind .c.svcert.b <B3-ButtonRelease> "show_svcert"
- bind .c.crlfil.b <B3-ButtonRelease> "show_crlfil"
-
- set do_crl 1
- set do_row 1
-
- set c .c
- if {$do_row} {
- frame .c.b0
- set c .c.b0
- }
-
- button $c.create -text "Create Certificate ..." -command {create_cert}
- button $c.import -text "Import Certificate ..." -command {import_cert}
- button $c.delete -text "Delete Certificate ..." -command {delete_cert .c}
-
- if {$c != ".c"} {
- pack $c.create $c.import $c.delete -fill x -expand 1 -side left
- }
-
- frame .c.b
- button .c.b.done -text "Done" -command {catch {destroy .c}}
- bind .c <Escape> {destroy .c}
- button .c.b.help -text "Help" -command help_certs
- pack .c.b.help .c.b.done -fill x -expand 1 -side left
-
- set wlist [list mycert svcert crtdir]
- lappend wlist crlfil
-
- foreach w $wlist {
- pack .c.$w.l -side left
- pack .c.$w.e -side left -expand 1 -fill x
- pack .c.$w.b -side left
- pack .c.$w.i -side left
- bind .c.$w.e <Return> ".c.$w.b invoke"
- if {$use_ssh} {
- .c.$w.l configure -state disabled
- .c.$w.e configure -state disabled
- .c.$w.b configure -state disabled
- }
- }
-
- global svcert_default_force mycert_default_force crlfil_default_force
- if {$mycert_default_force} {
- .c.mycert.e configure -state readonly
- .c.mycert.b configure -state disabled
- }
- if {$svcert_default_force} {
- .c.svcert.e configure -state readonly
- .c.svcert.b configure -state disabled
- .c.crtdir.e configure -state readonly
- .c.crtdir.b configure -state disabled
- }
- if {$crlfil_default_force} {
- .c.crlfil.e configure -state readonly
- .c.crlfil.b configure -state disabled
- }
-
- if {$mycert != ""} {
- v_mycert
- }
- if {$svcert != ""} {
- v_svcert
- }
- if {$crlfil != ""} {
- v_crlfil
- }
-
- set wlist [list .c.mycert .c.svcert .c.crtdir]
- if {$do_crl} {
- lappend wlist .c.crlfil
- }
- if {$c != ".c"} {
- lappend wlist $c
- } else {
- lappend wlist .c.create .c.import .c.delete
- }
- lappend wlist .c.b
-
- eval pack $wlist -side top -fill x
-
- center_win .c
- wm resizable .c 1 0
-
- focus .c
-}
-
-proc get_profiles_dir {} {
- global env is_windows
-
- set dir ""
- if {$is_windows} {
- if [info exists env(SSVNC_HOME)] {
- set t "$env(SSVNC_HOME)/ss_vnc"
- regsub -all {\\} $t "/" t
- regsub -all {//*} $t "/" t
- if {! [file isdirectory $t]} {
- catch {file mkdir $t}
- }
- if [file isdirectory $t] {
- set dir $t
- set s "$t/profiles"
- if {! [file exists $s]} {
- catch {file mkdir $s}
- }
- }
- }
- if {$dir == ""} {
- set t [file dirname [pwd]]
- set t "$t/profiles"
- if [file isdirectory $t] {
- set dir $t
- }
- }
- } elseif [info exists env(SSVNC_HOME)] {
- set t "$env(SSVNC_HOME)/.vnc"
- catch {file mkdir $t}
- if [file isdirectory $t] {
- set dir $t
- set s "$t/profiles"
- if {! [file exists $s]} {
- catch {file mkdir $s}
- }
- }
- }
-
- if {$dir != ""} {
-
- } elseif [info exists env(SSVNC_BASEDIR)] {
- set dir $env(SSVNC_BASEDIR)
- } else {
- set dir [pwd]
- }
- if [file isdirectory "$dir/profiles"] {
- set dir "$dir/profiles"
- }
- return $dir
-}
-
-proc globalize {} {
- global defs
- foreach var [array names defs] {
- uplevel global $var
- }
-}
-
-proc load_include {include dir} {
- global include_vars defs
-
- if [info exists include_vars] {
- unset include_vars
- }
-
- foreach inc [split $include ", "] {
- set f [string trim $inc]
-#puts "f=$f";
- if {$f == ""} {
- continue
- }
- set try ""
- if {[regexp {/} $f] || [regexp {\\} $f]} {
- set try $f;
- } else {
- set try "$dir/$f"
- }
- if {! [file exists $try]} {
- set try "$dir/$f.vnc"
- }
-#puts "try: $try"
- if [file exists $try] {
- set fh ""
- catch {set fh [open $try "r"]}
- if {$fh == ""} {
- continue
- }
- mesg "Applying template: $inc"
- after 100
- while {[gets $fh line] > -1} {
- append inc_str "$line\n"
- if [regexp {^([^=]*)=(.*)$} $line m var val] {
- if {! [info exists defs($var)]} {
- continue
- }
- if {$var == "include_list"} {
- continue
- }
- set pct 0
- if {$var == "smb_mount_list"} {
- set pct 1
- }
- if {$var == "port_knocking_list"} {
- set pct 1
- }
- if {$pct} {
- regsub -all {%%%} $val "\n" val
- }
- if {$val != $defs($var)} {
-#puts "include_vars $var $val"
- set include_vars($var) $val
- }
- }
- }
- catch {close $fh}
- }
- }
-}
-
-proc unix_dialog_resize {{w .}} {
- global env is_windows uname unix_dialog_size
- set ok 0
- set width 600
- set height 300
- if {[info exists env(SSVNC_BIGGER_DIALOG)]} {
- set ok 1
- if {[regexp {([0-9][0-9]*)x([0-9][0-9]*)} $env(SSVNC_BIGGER_DIALOG) m wi he]} {
- set width $wi;
- set height $he;
- }
- } elseif {[info exists env(USER)] && $env(USER) == "runge"} {
- set ok 1
- }
- if {$ok} {
- # this is a personal hack because tk_getOpenFile size is not configurable.
- if {!$is_windows && $uname != "Darwin"} {
- if {$w == "."} {
- set w2 .__tk_filedialog
- } else {
- set w2 $w.__tk_filedialog
- }
- set w3 $w2.icons.canvas
- global udr_w4
- set udr_w4 $w2.f2.cancel
- if {! [info exists unix_dialog_size($w)]} {
- after 50 {global udr_w4; catch {$udr_w4 invoke}}
- tk_getOpenFile -parent $w -initialdir /
- set unix_dialog_size($w) 1
- }
- if [winfo exists $w3] {
- catch {$w3 configure -width $width}
- catch {$w3 configure -height $height}
- }
- }
- }
-}
-
-proc delete_profile {{parent "."}} {
-
- globalize
-
- set dir [get_profiles_dir]
-
- unix_dialog_resize $parent
- set file [tk_getOpenFile -parent $parent -initialdir $dir -title "DELETE VNC Profile"]
-
- if {$file == ""} {
- return
- }
-
- set tail [file tail $file]
-
- set ans [tk_messageBox -type okcancel -title "Delete $tail" -message "Really Delete $file?" -icon warning]
-
- if {$ans == "ok"} {
- catch {file delete $file}
- mesg "Deleted $tail"
- } else {
- mesg "Delete Skipped."
- }
-}
-
-proc load_profile {{parent "."} {infile ""}} {
- global profdone
- global vncdisplay
-
- globalize
-
- set dir [get_profiles_dir]
-
- if {$infile != ""} {
- set file $infile
- } else {
- unix_dialog_resize
- set file [tk_getOpenFile -parent $parent -defaultextension \
- ".vnc" -initialdir $dir -title "Load VNC Profile"]
- }
-
- if {$file == ""} {
- set profdone 1
- return
- }
- set fh [open $file "r"]
- if {! [info exists fh]} {
- set profdone 1
- return
- }
-
- set goto_mode "";
- set str ""
- set include ""
- set sw 1
- while {[gets $fh line] > -1} {
- append str "$line\n"
- if [regexp {^include_list=(.*)$} $line m val] {
- set include $val
- }
- global ssh_only ts_only
- if {$ssh_only || $ts_only} {
- if [regexp {use_ssh=0} $line] {
- if {$sw} {
- mesg "Switching to SSVNC mode."
- set goto_mode "ssvnc"
- update
- after 300
- } else {
- bell
- mesg "Cannot Load an SSL profile in SSH-ONLY mode."
- set profdone 1
- close $fh
- return
- }
- }
- }
- if {! $ts_only} {
- if [regexp {ts_mode=1} $line] {
- if {$sw} {
- mesg "Switching to Terminal Services mode."
- set goto_mode "tsonly"
- update
- after 300
- } else {
- bell
- mesg "Cannot Load a Terminal Svcs profile SSVNC mode."
- set profdone 1
- close $fh
- return
- }
- }
- } else {
- if [regexp {ts_mode=0} $line] {
- if {$sw} {
- mesg "Switching to SSVNC mode."
- set goto_mode "ssvnc"
- update
- after 300
- } else {
- bell
- mesg "Cannot Load a Terminal Svcs profile SSVNC mode."
- set profdone 1
- close $fh
- return
- }
- }
- }
- }
- close $fh
-
- if {$include != ""} {
- load_include $include $dir
- }
-
- if {$goto_mode == "tsonly"} {
- to_tsonly
- } elseif {$goto_mode == "ssvnc"} {
- to_ssvnc
- } elseif {$goto_mode == "sshvnc"} {
- to_sshvnc
- }
- set_defaults
-
- global include_vars
- if [info exists include_vars] {
- foreach var [array names include_vars] {
- set $var $include_vars($var)
- }
- }
-
-
- global use_ssl use_ssh use_sshssl
- set use_ssl 0
- set use_ssh 0
- set use_sshssl 0
-
- global defs
- foreach line [split $str "\n"] {
- set line [string trim $line]
- if [regexp {^#} $line] {
- continue
- }
- if [regexp {^([^=]*)=(.*)$} $line m var val] {
- if {$var == "disp"} {
- set vncdisplay $val
- continue
- }
- if [info exists defs($var)] {
- set pct 0
- if {$var == "smb_mount_list"} {
- set pct 1
- }
- if {$var == "port_knocking_list"} {
- set pct 1
- }
- if {$pct} {
- regsub -all {%%%} $val "\n" val
- }
- set $var $val
- }
- }
- }
-
- init_vncdisplay
- if {! $use_ssl && ! $use_ssh && ! $use_sshssl} {
- if {! $disable_all_encryption} {
- set use_ssl 1
- }
- }
- if {$use_ssl} {
- set use_ssh 0
- set use_sshssl 0
- } elseif {$use_ssh && $use_sshssl} {
- set use_ssh 0
- }
- sync_use_ssl_ssh
-
- set compresslevel_text "Compress Level: $use_compresslevel"
- set quality_text "Quality: $use_quality"
-
- set profdone 1
- putty_pw_entry check
- listen_adjust
- unixpw_adjust
-
- global last_load
- set last_load [file tail $file]
-
- global uname darwin_cotvnc
- if {$uname == "Darwin"} {
- if {$use_x11_macosx} {
- set darwin_cotvnc 0;
- } else {
- set darwin_cotvnc 1;
- }
- }
-
- mesg "Loaded [file tail $file]"
-}
-
-proc sync_use_ssl_ssh {} {
- global use_ssl use_ssh use_sshssl
- global disable_all_encryption
- if {$use_ssl} {
- ssl_ssh_adjust ssl
- } elseif {$use_ssh} {
- ssl_ssh_adjust ssh
- } elseif {$use_sshssl} {
- ssl_ssh_adjust sshssl
- } elseif {$disable_all_encryption} {
- ssl_ssh_adjust none
- } else {
- ssl_ssh_adjust ssl
- }
-}
-
-proc save_profile {{parent "."}} {
- global is_windows uname
- global profdone
- global include_vars defs
- global ts_only
- global last_load
-
- globalize
-
- set dir [get_profiles_dir]
-
- set vncdisp [get_vncdisplay]
-
- set dispf [string trim $vncdisp]
- if {$dispf != ""} {
- regsub {[ ].*$} $dispf "" dispf
- regsub -all {/} $dispf "" dispf
- } else {
- global ts_only
- if {$ts_only} {
- mesg "No VNC Terminal Server supplied."
- } else {
- mesg "No VNC Host:Disp supplied."
- }
- bell
- return
- }
- if {$is_windows || $uname == "Darwin"} {
- regsub -all {:} $dispf "-" dispf
- } else {
- regsub -all {:} $dispf "-" dispf
- }
- regsub -all {[\[\]]} $dispf "" dispf
- if {$ts_only && ![regexp {^TS-} $dispf]} {
- set dispf "TS-$dispf"
- }
- if {![regexp {\.vnc$} $dispf]} {
- set dispf "$dispf.vnc"
- }
-
- set guess $dispf
- if {$last_load != ""} {
- set guess $last_load
- }
-
- unix_dialog_resize
- set file [tk_getSaveFile -parent $parent -defaultextension ".vnc" \
- -initialdir $dir -initialfile "$guess" -title "Save VNC Profile"]
- if {$file == ""} {
- set profdone 1
- return
- }
- set fh [open $file "w"]
- if {! [info exists fh]} {
- set profdone 1
- return
- }
- set h [string trim $vncdisp]
- set p $h
- # XXX host_part
- regsub {:[0-9][0-9]*$} $h "" h
- set host $h
- regsub {[ ].*$} $p "" p
- regsub {^.*:} $p "" p
- regsub { .*$} $p "" p
- if {$p == ""} {
- set p 0
- } elseif {![regexp {^[-0-9][0-9]*$} $p]} {
- set p 0
- }
- if {$p < 0} {
- set port $p
- } elseif {$p < 200} {
- set port [expr $p + 5900]
- } else {
- set port $p
- }
-
- set h [string trim $vncdisp]
- regsub {cmd=.*$} $h "" h
- set h [string trim $h]
- if {! [regexp {[ ]} $h]} {
- set h ""
- } else {
- regsub {^.*[ ]} $h "" h
- }
- if {$h == ""} {
- set proxy ""
- set proxyport ""
- } else {
- set p $h
- regsub {:[0-9][0-9]*$} $h "" h
- set proxy $h
- regsub {[ ].*$} $p "" p
- regsub {^.*:} $p "" p
- if {$p == ""} {
- set proxyport 0
- } else {
- set proxyport $p
- }
- }
-
- puts $fh "\[connection\]"
- puts $fh "host=$host"
- puts $fh "port=$port"
- puts $fh "proxyhost=$proxy"
- puts $fh "proxyport=$proxyport"
- puts $fh "disp=$vncdisp"
- puts $fh "\n\[options\]"
- puts $fh "# parameters commented out with '#' indicate the default setting."
-
- if {$include_list != ""} {
- load_include $include_list [get_profiles_dir]
- }
- global sshssl_sw
- if {! $use_ssl && ! $use_ssh && ! $use_sshssl} {
- if {$sshssl_sw == "none"} {
- set disable_all_encryption 1
- }
- }
-
- global ts_only ssh_only
- if {$ts_only} {
- set ts_mode 1
- } else {
- set ts_mode 0
- }
- foreach var [lsort [array names defs]] {
- eval set val \$$var
- set pre ""
- if {$val == $defs($var)} {
- set pre "#"
- }
- if {$ssh_only && $var == "use_ssh"} {
- set pre ""
- }
- set pct 0
- if {$var == "smb_mount_list"} {
- set pct 1
- }
- if {$var == "port_knocking_list"} {
- set pct 1
- }
- if {$include_list != "" && [info exists include_vars($var)]} {
- if {$val == $include_vars($var)} {
- if {$pct} {
- regsub -all "\n" $val "%%%" val
- }
- puts $fh "#from include: $var=$val"
- continue
- }
- }
- if {$pct} {
- regsub -all "\n" $val "%%%" val
- }
- puts $fh "$pre$var=$val"
- }
-
- close $fh
-
- mesg "Saved Profile: [file tail $file]"
-
- set last_load [file tail $file]
-
- set profdone 1
-}
-
-proc set_ssh {} {
- global use_ssl
- if {$use_ssl} {
- ssl_ssh_adjust ssh
- }
-}
-
-proc expand_IP {redir} {
- if {! [regexp {:IP:} $redir]} {
- return $redir
- }
- if {! [regexp {(-R).*:IP:} $redir]} {
- return $redir
- }
-
- set ip [guess_ip]
- set ip [string trim $ip]
- if {$ip == ""} {
- return $redir
- }
-
- regsub -all {:IP:} $redir ":$ip:" redir
- return $redir
-}
-
-proc rand_port {} {
- global rand_port_list
-
- set p ""
- for {set i 0} {$i < 30} {incr i} {
- set p [expr 25000 + 35000 * rand()]
- set p [expr round($p)]
- if {![info exists rand_port_list($p)]} {
- break
- }
- }
- if {$p == ""} {
- unset rand_port_list
- set p [expr 25000 + 35000 * rand()]
- set p [expr round($p)]
- }
- set rand_port_list($p) 1
- return $p
-}
-
-proc get_cups_redir {} {
- global cups_local_server cups_remote_port
- global cups_local_smb_server cups_remote_smb_port
-
- regsub -all {[ ]} $cups_local_server "" cups_local_server
- regsub -all {[ ]} $cups_remote_port "" cups_remote_port
- regsub -all {[ ]} $cups_local_smb_server "" cups_local_smb_server
- regsub -all {[ ]} $cups_remote_smb_port "" cups_remote_smb_port
-
- set redir ""
-
- if {$cups_local_server != "" && $cups_remote_port != ""} {
- set redir "$cups_remote_port:$cups_local_server"
- regsub -all {['" ]} $redir {} redir; #"
- set redir " -R $redir"
- }
- if {$cups_local_smb_server != "" && $cups_remote_smb_port != ""} {
- set redir2 "$cups_remote_smb_port:$cups_local_smb_server"
- regsub -all {['" ]} $redir2 {} redir2; #"
- set redir "$redir -R $redir2"
- }
- set redir [expand_IP $redir]
- return $redir
-}
-
-proc get_additional_redir {} {
- global additional_port_redirs additional_port_redirs_list
- global ts_only choose_x11vnc_opts
- if {! $additional_port_redirs || $additional_port_redirs_list == ""} {
- return ""
- }
- if {$ts_only && !$choose_x11vnc_opts} {
- return ""
- }
- set redir [string trim $additional_port_redirs_list]
- regsub -all {['"]} $redir {} redir; #"
- set redir " $redir"
- set redir [expand_IP $redir]
- return $redir
-}
-
-proc get_sound_redir {} {
- global sound_daemon_remote_port sound_daemon_local_port
- global sound_daemon_x11vnc
-
- regsub -all {[ ]} $sound_daemon_remote_port "" sound_daemon_remote_port
- regsub -all {[ ]} $sound_daemon_local_port "" sound_daemon_local_port
-
- set redir ""
- if {$sound_daemon_local_port == "" || $sound_daemon_remote_port == ""} {
- return $redir
- }
-
- set loc $sound_daemon_local_port
- if {! [regexp {:} $loc]} {
- global uname
- if {$uname == "Darwin"} {
- set loc "127.0.0.1:$loc"
- } else {
- global is_windows
- if {$is_windows} {
- global win_localhost
- set loc "$win_localhost:$loc"
- } else {
- set loc "localhost:$loc"
- }
- }
- }
- set redir "$sound_daemon_remote_port:$loc"
- regsub -all {['" ]} $redir {} redir; #"
- set redir " -R $redir"
- set redir [expand_IP $redir]
- return $redir
-}
-
-proc get_smb_redir {} {
- global smb_mount_list
-
- set s [string trim $smb_mount_list]
- if {$s == ""} {
- return ""
- }
-
- set did(0) 1
- set redir ""
- set mntlist ""
-
- foreach line [split $s "\r\n"] {
- set str [string trim $line]
- if {$str == ""} {
- continue
- }
- if {[regexp {^#} $str]} {
- continue
- }
-
- set port ""
- if [regexp {^([0-9][0-9]*)[ \t][ \t]*(.*)} $str mvar port rest] {
- # leading port
- set str [string trim $rest]
- }
-
- # grab: //share /dest [host[:port]]
- set share ""
- set dest ""
- set hostport ""
- foreach item [split $str] {
- if {$item == ""} {
- continue
- }
- if {$share == ""} {
- set share [string trim $item]
- } elseif {$dest == ""} {
- set dest [string trim $item]
- } elseif {$hostport == ""} {
- set hostport [string trim $item]
- }
- }
-
- regsub {^~/} $dest {$HOME/} dest
-
- # work out the local host:port
- set lhost ""
- set lport ""
- if {$hostport != ""} {
- if [regexp {(.*):([0-9][0-9]*)} $hostport mvar lhost lport] {
- ;
- } else {
- set lhost $hostport
- set lport 139
- }
- } else {
- if [regexp {//([^/][^/]*)/} $share mvar h] {
- if [regexp {(.*):([0-9][0-9]*)} $h mvar lhost lport] {
- ;
- } else {
- set lhost $h
- set lport 139
- }
- } else {
- global is_windows win_localhost
- set lhost "localhost"
- if {$is_windows} {
- set lhost $win_localhost
- }
- set lport 139
- }
- }
-
- if {$port == ""} {
- if [info exists did("$lhost:$lport")] {
- # reuse previous one:
- set port $did("$lhost:$lport")
- } else {
- # choose one at random:
- for {set i 0} {$i < 3} {incr i} {
- set port [expr 20100 + 9000 * rand()]
- set port [expr round($port)]
- if { ! [info exists did($port)] } {
- break
- }
- }
- }
- set did($port) 1
- }
-
- if {$mntlist != ""} {
- append mntlist " "
- }
- append mntlist "$share,$dest,$port"
-
- if { ! [info exists did("$lhost:$lport")] } {
- append redir " -R $port:$lhost:$lport"
- set did("$lhost:$lport") $port
- }
- }
-
- regsub -all {['"]} $redir {} redir; #"
- set redir [expand_IP $redir]
-
- regsub -all {['"]} $mntlist {} mntlist; #"
-
- set l [list]
- lappend l $redir
- lappend l $mntlist
- return $l
-}
-
-proc ugly_setup_scripts {mode tag} {
-
-set cmd(1) {
- SSHD_PID=""
- FLAG=$HOME/.vnc-helper-flag__PID__
-
- if [ "X$USER" = "X" ]; then
- USER=$LOGNAME
- fi
-
- DO_CUPS=0
- cups_dir=$HOME/.cups
- cups_cfg=$cups_dir/client.conf
- cups_host=localhost
- cups_port=NNNN
-
- DO_SMB=0
- DO_SMB_SU=0
- DO_SMB_WAIT=0
- smb_mounts=
- DONE_PORT_CHECK=NNNN
- smb_script=$HOME/.smb-mounts__PID__.sh
-
- DO_SOUND=0
- DO_SOUND_KILL=0
- DO_SOUND_RESTART=0
- sound_daemon_remote_prog=
- sound_daemon_remote_args=
-
- findpid() {
- db=0
- back=30
- touch $FLAG
- tty=`tty | sed -e "s,/dev/,,"`
-
- if [ "X$TOPPID" = "X" ]; then
- TOPPID=$$
- if [ $db = 1 ]; then echo "set TOPPID to $TOPPID"; fi
- back=70
- fi
- #back=5
- if [ $db = 1 ]; then echo "TOPPID=$TOPPID THISPID=$$ back=$back"; fi
-
- i=1
- while [ $i -lt $back ]
- do
- try=`expr $TOPPID - $i`
- if [ $try -lt 1 ]; then
- try=`expr 32768 + $try`
- fi
- if [ $db = 1 ]; then echo try-1=$try; ps $try; fi
- if ps $try 2>/dev/null | grep "sshd.*$USER" | grep "$tty" >/dev/null; then
- if [ $db = 1 ]; then echo Found=$try; fi
- SSHD_PID="$try"
- echo
- ps $try
- echo
- break
- fi
- i=`expr $i + 1`
- done
-
- if [ "X$SSHD_PID" = "X" ]; then
- back=`expr $back + 20`
- #back=5
-
- for fallback in 2 3
- do
- i=1
- while [ $i -lt $back ]
- do
- try=`expr $TOPPID - $i`
- if [ $try -lt 1 ]; then
- try=`expr 32768 + $try`
- fi
- match="sshd.*$USER"
- if [ $fallback = 3 ]; then
- match="sshd"
- fi
- if [ $db = 1 ]; then echo "try-$fallback=$try match=$match"; ps $try; fi
- if ps $try 2>/dev/null | grep "$match" >/dev/null; then
- if [ $db = 1 ]; then echo Found=$try; fi
- SSHD_PID="$try"
- echo
- ps $try
- echo
- break
- fi
- i=`expr $i + 1`
- done
- if [ "X$SSHD_PID" != "X" ]; then
- break
- fi
- done
- fi
- #curlie}
-};
-
-set cmd(2) {
- #curlie{
- if [ "X$SSHD_PID" = "X" ]; then
- if [ $db = 1 ]; then
- echo
- pstr=`ps -elf | grep "$USER" | grep "$tty" | grep -v grep | grep -v PID | grep -v "ps -elf"`
- echo "$pstr"
- fi
- plist=`ps -elf | grep "$USER" | grep "$tty" | grep -v grep | grep -v PID | grep -v "ps -elf" | awk "{print \\\$4}" | sort -n`
- if [ $db = 1 ]; then
- echo
- echo "$plist"
- fi
- for try in $plist
- do
- if [ $db = 1 ]; then echo try-final=$try; ps $try; fi
- if echo "$try" | grep "^[0-9][0-9]*\\\$" > /dev/null; then
- :
- else
- continue
- fi
- if ps $try | egrep vnc-helper > /dev/null; then
- :
- else
- if [ $db = 1 ]; then echo Found=$try; fi
- SSHD_PID=$try
- echo
- ps $try
- echo
- break
- fi
- done
- fi
- if [ "X$SSHD_PID" = "X" ]; then
- #ugh
- SSHD_PID=$$
- fi
-
- echo "vnc-helper: [for cups/smb/esd] SSHD_PID=$SSHD_PID MY_PID=$$ TTY=$tty"
- echo "vnc-helper: To force me to finish: rm $FLAG"
- }
-
- wait_til_ssh_gone() {
- try_perl=""
- if type perl >/dev/null 2>&1; then
- if [ -d /proc -a -e /proc/$$ ]; then
- try_perl="1"
- fi
- fi
- if [ "X$try_perl" = "X1" ]; then
- # try to avoid wasting pids:
- perl -e "while (1) {if(-d \"/proc\" && ! -e \"/proc/$SSHD_PID\"){exit} if(! -f \"$FLAG\"){exit} sleep 1;}"
- else
- while [ 1 ]
- do
- ps $SSHD_PID > /dev/null 2>&1
- if [ $? != 0 ]; then
- break
- fi
- if [ ! -f $FLAG ]; then
- break
- fi
- sleep 1
- done
- fi
- rm -f $FLAG
- if [ "X$DO_SMB_WAIT" = "X1" ]; then
- rm -f $smb_script
- fi
- }
-};
-
-set cmd(3) {
- update_client_conf() {
- mkdir -p $cups_dir
-
- if [ ! -f $cups_cfg.back ]; then
- touch $cups_cfg.back
- fi
- if [ ! -f $cups_cfg ]; then
- touch $cups_cfg
- fi
-
- if grep ssvnc-auto $cups_cfg > /dev/null; then
- :
- else
- cp -p $cups_cfg $cups_cfg.back
- fi
-
- echo "#-ssvnc-auto:" > $cups_cfg
- sed -e "s/^ServerName/#-ssvnc-auto-#ServerName/" $cups_cfg.back >> $cups_cfg
- echo "ServerName $cups_host:$cups_port" >> $cups_cfg
-
- echo
- echo "-----------------------------------------------------------------"
- echo "On `hostname`:"
- echo
- echo "The CUPS $cups_cfg config file has been set to:"
- echo
- cat $cups_cfg | grep -v "^#-ssvnc-auto:" | sed -e "s/^/ /"
- echo
- echo "If there are problems automatically restoring it, edit or remove"
- echo "the file to go back to the local CUPS settings."
- echo
- echo "A backup has been placed in: $cups_cfg.back"
- echo
- echo "See the SSVNC CUPS dialog for more details on printing."
- if type lpstat >/dev/null 2>&1; then
- echo
- echo "lpstat -a output:"
- echo
- (lpstat -a 2>&1 | sed -e "s/^/ /") &
- sleep 0.5 >/dev/null 2>&1
- fi
- echo "-----------------------------------------------------------------"
- echo
- }
-
- reset_client_conf() {
- cp $cups_cfg $cups_cfg.tmp
- grep -v "^ServerName" $cups_cfg.tmp | grep -v "^#-ssvnc-auto:" | sed -e "s/^#-ssvnc-auto-#ServerName/ServerName/" > $cups_cfg
- rm -f $cups_cfg.tmp
- }
-
- cupswait() {
- trap "" INT QUIT HUP
- trap "reset_client_conf; rm -f $FLAG; exit" TERM
- wait_til_ssh_gone
- reset_client_conf
- }
-};
-
-# if [ "X$DONE_PORT_CHECK" != "X" ]; then
-# if type perl >/dev/null 2>&1; then
-# perl -e "use IO::Socket::INET; \$SIG{INT} = \"IGNORE\"; \$SIG{QUIT} = \"IGNORE\"; \$SIG{HUP} = \"INGORE\"; my \$client = IO::Socket::INET->new(Listen => 5, LocalAddr => \"localhost\", LocalPort => $DONE_PORT_CHECK, Proto => \"tcp\")->accept(); \$line = <\$client>; close \$client; unlink \"$smb_script\";" </dev/null >/dev/null 2>/dev/null &
-# if [ $? = 0 ]; then
-# have_perl_done="1"
-# fi
-# fi
-# fi
-
-set cmd(4) {
- smbwait() {
- trap "" INT QUIT HUP
- wait_til_ssh_gone
- }
- do_smb_mounts() {
- if [ "X$smb_mounts" = "X" ]; then
- return
- fi
- echo > $smb_script
- have_perl_done=""
- echo "echo" >> $smb_script
- dests=""
- for mnt in $smb_mounts
- do
- smfs=`echo "$mnt" | awk -F, "{print \\\$1}"`
- dest=`echo "$mnt" | awk -F, "{print \\\$2}"`
- port=`echo "$mnt" | awk -F, "{print \\\$3}"`
- dest=`echo "$dest" | sed -e "s,__USER__,$USER,g" -e "s,__HOME__,$HOME,g"`
- if [ ! -d $dest ]; then
- mkdir -p $dest
- fi
- echo "echo SMBMOUNT:" >> $smb_script
- echo "echo smbmount $smfs $dest -o uid=$USER,ip=127.0.0.1,port=$port" >> $smb_script
- echo "smbmount \"$smfs\" \"$dest\" -o uid=$USER,ip=127.0.0.1,port=$port" >> $smb_script
- echo "echo; df \"$dest\"; echo" >> $smb_script
- dests="$dests $dest"
- done
- #curlie}
-};
-
-set cmd(5) {
- echo "(" >> $smb_script
- echo "un_mnt() {" >> $smb_script
- for dest in $dests
- do
- echo " echo smbumount $dest" >> $smb_script
- echo " smbumount \"$dest\"" >> $smb_script
- done
- echo "}" >> $smb_script
- echo "trap \"\" INT QUIT HUP" >> $smb_script
- echo "trap \"un_mnt; exit\" TERM" >> $smb_script
-
- try_perl=""
- if type perl >/dev/null 2>&1; then
- try_perl=1
- fi
- uname=`uname`
- if [ "X$uname" != "XLinux" -a "X$uname" != "XSunOS" -a "X$uname" != "XDarwin" ]; then
- try_perl=""
- fi
-
- if [ "X$try_perl" = "X" ]; then
- echo "while [ -f $smb_script ]" >> $smb_script
- echo "do" >> $smb_script
- echo " sleep 1" >> $smb_script
- echo "done" >> $smb_script
- else
- echo "perl -e \"while (-f \\\"$smb_script\\\") {sleep 1;} exit 0;\"" >> $smb_script
- fi
- echo "un_mnt" >> $smb_script
- echo ") &" >> $smb_script
- echo "-----------------------------------------------------------------"
- echo "On `hostname`:"
- echo
- if [ "$DO_SMB_SU" = "0" ]; then
- echo "We now run the smbmount script as user $USER"
- echo
- echo sh $smb_script
- sh $smb_script
- rc=0
- elif [ "$DO_SMB_SU" = "1" ]; then
- echo "We now run the smbmount script via su(1)"
- echo
- echo "The first \"Password:\" will be for that of root to run the smbmount script."
- echo
- echo "Subsequent \"Password:\" will be for the SMB share(s) (hit Return if no passwd)"
- echo
- echo SU:
- echo "su root -c \"sh $smb_script\""
- su root -c "sh $smb_script"
- rc=$?
- elif [ "$DO_SMB_SU" = "2" ]; then
- echo "We now run the smbmount script via sudo(8)"
- echo
- echo "The first \"Password:\" will be for that of the sudo(8) password."
- echo
- echo "Subsequent \"Password:\" will be for the SMB shares (hit enter if no passwd)"
- echo
- echo SUDO:
- sd="sudo"
- echo "$sd sh $smb_script"
- $sd sh $smb_script
- rc=$?
- fi
-};
-
-set cmd(6) {
- #curlie{
- echo
- if [ "$rc" = 0 ]; then
- if [ "X$have_perl_done" = "X1" -o 1 = 1 ] ; then
- echo
- echo "Your SMB shares will be unmounted when the VNC connection closes,"
- echo "*AS LONG AS* No Applications have any of the share files opened or are"
- echo "cd-ed into any of the share directories."
- echo
- echo "Try to make sure nothing is accessing the SMB shares before disconnecting"
- echo "the VNC session. If you fail to do that follow these instructions:"
- fi
- echo
- echo "To unmount your SMB shares make sure no applications are still using any of"
- echo "the files and no shells are still cd-ed into the share area, then type:"
- echo
- echo " rm -f $smb_script"
- echo
- echo "In the worst case run: smbumount /path/to/mount/point for each mount as root"
- echo
- echo "Even with the remote redirection gone the kernel should umount after a timeout."
- else
- echo
- if [ "$DO_SMB_SU" = "1" ]; then
- echo "su(1) to run smbmount(8) failed."
- elif [ "$DO_SMB_SU" = "2" ]; then
- echo "sudo(8) to run smbmount(8) failed."
- fi
- rm -f $smb_script
- fi
- echo "-----------------------------------------------------------------"
- echo
- }
-};
-
-set cmd(7) {
-
- setup_sound() {
- dpid=""
- d=$sound_daemon_remote_prog
- if type pgrep >/dev/null 2>/dev/null; then
- dpid=`pgrep -U $USER -x $d | head -1`
- else
- dpid=`env PATH=/usr/ucb:$PATH ps wwwwaux | grep -w $USER | grep -w $d | grep -v grep | head -1`
- fi
- echo "-----------------------------------------------------------------"
- echo "On `hostname`:"
- echo
- echo "Setting up Sound: pid=$dpid"
- if [ "X$dpid" != "X" ]; then
- dcmd=`env PATH=/usr/ucb:$PATH ps wwwwaux | grep -w $USER | grep -w $d | grep -w $dpid | grep -v grep | head -1 | sed -e "s/^.*$d/$d/"`
- if [ "X$DO_SOUND_KILL" = "X1" ]; then
- echo "Stopping sound daemon: $sound_daemon_remote_prog $dpid"
- echo "sound cmd: $dcmd"
- kill -TERM $dpid
- fi
- fi
- echo "-----------------------------------------------------------------"
- echo
- }
-
- reset_sound() {
- if [ "X$DO_SOUND_RESTART" = "X1" ]; then
- d=$sound_daemon_remote_prog
- a=$sound_daemon_remote_args
- echo "Restaring sound daemon: $d $a"
- $d $a </dev/null >/dev/null 2>&1 &
- fi
- }
-
- soundwait() {
- trap "" INT QUIT HUP
- trap "reset_sound; rm -f $FLAG; exit" TERM
- wait_til_ssh_gone
- reset_sound
- }
-
-
- findpid
-
- if [ $DO_SMB = 1 ]; then
- do_smb_mounts
- fi
-
- waiter=0
-
- if [ $DO_CUPS = 1 ]; then
- update_client_conf
- cupswait </dev/null >/dev/null 2>/dev/null &
- waiter=1
- fi
-
- if [ $DO_SOUND = 1 ]; then
- setup_sound
- soundwait </dev/null >/dev/null 2>/dev/null &
- waiter=1
- fi
- if [ $DO_SMB_WAIT = 1 ]; then
- if [ $waiter != 1 ]; then
- smbwait </dev/null >/dev/null 2>/dev/null &
- waiter=1
- fi
- fi
-
-
- #FINMSG
- echo "--main-vnc-helper-finished--"
- #cat $0
- rm -f $0
- exit 0
-};
-
- set cmdall ""
-
- for {set i 1} {$i <= 7} {incr i} {
- set v $cmd($i);
- regsub -all "\n" $v "%" v
- regsub -all {.curlie.} $v "" v
- set cmd($i) $v
- append cmdall "echo "
- if {$i == 1} {
- append cmdall {TOPPID=$$ %}
- }
- append cmdall {'}
- append cmdall $cmd($i)
- append cmdall {' | tr '%' '\n'}
- if {$i == 1} {
- append cmdall {>}
- } else {
- append cmdall {>>}
- }
- append cmdall {$HOME/.vnc-helper-cmd__PID__; }
- }
- append cmdall {sh $HOME/.vnc-helper-cmd__PID__; }
-
- regsub -all {vnc-helper-cmd} $cmdall "vnc-helper-cmd-$mode" cmdall
- if {$tag == ""} {
- set tag [pid]
- }
- regsub -all {__PID__} $cmdall "$tag" cmdall
-
- set orig $cmdall
-
- global use_cups cups_local_server cups_remote_port cups_manage_rcfile ts_only ts_cups_manage_rcfile cups_x11vnc
- regsub -all {[ ]} $cups_local_server "" cups_local_server
- regsub -all {[ ]} $cups_remote_port "" cups_remote_port
- if {$use_cups} {
- set dorc 0
- if {$ts_only} {
- if {$ts_cups_manage_rcfile} {
- set dorc 1
- }
- } else {
- if {$cups_manage_rcfile} {
- set dorc 1
- }
- }
- if {$dorc && $mode == "post"} {
- if {$cups_local_server != "" && $cups_remote_port != ""} {
- regsub {DO_CUPS=0} $cmdall {DO_CUPS=1} cmdall
- regsub {cups_port=NNNN} $cmdall "cups_port=$cups_remote_port" cmdall
- }
- }
- }
-
- global use_smbmnt smb_su_mode smb_mounts
- if {$use_smbmnt} {
- if {$smb_mounts != ""} {
- set smbm $smb_mounts
- regsub -all {%USER} $smbm "__USER__" smbm
- regsub -all {%HOME} $smbm "__HOME__" smbm
- if {$mode == "pre"} {
- regsub {DO_SMB=0} $cmdall {DO_SMB=1} cmdall
- if {$smb_su_mode == "su"} {
- regsub {DO_SMB_SU=0} $cmdall {DO_SMB_SU=1} cmdall
- } elseif {$smb_su_mode == "sudo"} {
- regsub {DO_SMB_SU=0} $cmdall {DO_SMB_SU=2} cmdall
- } elseif {$smb_su_mode == "none"} {
- regsub {DO_SMB_SU=0} $cmdall {DO_SMB_SU=0} cmdall
- } else {
- regsub {DO_SMB_SU=0} $cmdall {DO_SMB_SU=1} cmdall
- }
- regsub {smb_mounts=} $cmdall "smb_mounts=\"$smbm\"" cmdall
- } elseif {$mode == "post"} {
- regsub {DO_SMB_WAIT=0} $cmdall {DO_SMB_WAIT=1} cmdall
- }
- }
- }
-
- global use_sound
- if {$use_sound} {
- if {$mode == "pre"} {
- global sound_daemon_remote_cmd sound_daemon_kill sound_daemon_restart
- if {$sound_daemon_kill} {
- regsub {DO_SOUND_KILL=0} $cmdall {DO_SOUND_KILL=1} cmdall
- regsub {DO_SOUND=0} $cmdall {DO_SOUND=1} cmdall
- }
- if {$sound_daemon_restart} {
- regsub {DO_SOUND_RESTART=0} $cmdall {DO_SOUND_RESTART=1} cmdall
- regsub {DO_SOUND=0} $cmdall {DO_SOUND=1} cmdall
- }
- set sp [string trim $sound_daemon_remote_cmd]
- regsub {[ \t].*$} $sp "" sp
- set sa [string trim $sound_daemon_remote_cmd]
- regsub {^[^ \t][^ \t]*[ \t][ \t]*} $sa "" sa
- regsub {sound_daemon_remote_prog=} $cmdall "sound_daemon_remote_prog=\"$sp\"" cmdall
- regsub {sound_daemon_remote_args=} $cmdall "sound_daemon_remote_args=\"$sa\"" cmdall
- }
- }
-
- if {$mode == "pre"} {
- set dopre 0
- if {$use_smbmnt && $smb_mounts != ""} {
- set dopre 1
- }
- if {$use_sound && $sound_daemon_kill} {
- set dopre 1
- }
- if {$dopre} {
- global is_windows
- if {$is_windows} {
- regsub {#FINMSG} $cmdall {echo "Now Go Click on the Label to Start the 2nd SSH"} cmdall
- } else {
- regsub {#FINMSG} $cmdall {echo "Finished with the 1st SSH tasks, the 2nd SSH should start shortly..."} cmdall
- }
- }
- }
-
- set cmdstr $cmdall
-
- if {"$orig" == "$cmdall"} {
- set cmdstr ""
- }
- global env
- if [info exists env(SSVNC_DEBUG_CUPS)] {
- regsub -all {db=0} $cmdstr "db=1" cmdstr
- set pout ""
- regsub -all {%} $cmdstr "\n" pout
- puts stderr "\nSERVICE REDIR COMMAND:\n\n$pout\n"
- }
- return $cmdstr
-}
-
-proc ts_unixpw_dialog {} {
-
- toplev .uxpw
- wm title .uxpw "Use unixpw"
-
- scroll_text .uxpw.f 80 14
-
- global ts_unixpw
-
- set msg {
- This enables the x11vnc unixpw mode. A Login: and Password: dialog
- will be presented in the VNC Viewer for the user to provide any Unix
- username and password whose session he wants to connect to. So this
- may require typing in the password a 2nd time after the one for SSH.
-
- This mode is useful if a shared terminal services user (e.g. 'tsuser')
- is used for the SSH login part (say via the SSH authorized_keys
- mechanism and all users share the same private SSH key for 'tsuser').
-
- Note, However that the default usage of a per-user SSH login should
- be the simplest and also sufficient for most situations, in which
- case this "Use unixpw" option should NOT be selected.
-}
- .uxpw.f.t insert end $msg
-
- button .uxpw.cancel -text "Cancel" -command {destroy .uxpw; set ts_unixpw 0}
- bind .uxpw <Escape> {destroy .uxpw; set ts_unixpw 0}
- wm protocol .uxpw WM_DELETE_WINDOW {destroy .uxpw; set ts_unixpw 0}
-
- button .uxpw.done -text "Done" -command {destroy .uxpw; set ts_unixpw 1}
-
- pack .uxpw.done .uxpw.cancel -side bottom -fill x
- pack .uxpw.f -side top -fill both -expand 1
-
- center_win .uxpw
-}
-
-proc ts_vncshared_dialog {} {
-
- toplev .vncs
- wm title .vncs "VNC Shared"
-
- scroll_text .vncs.f 80 23
-
- global ts_vncshared
-
- set msg {
- Normal use of this program, 'tsvnc', *ALREADY* allows simultaneous
- shared access of the remote desktop: You simply log in as many
- times from as many different locations with 'tsvnc' as you like.
-
- However, doing it that way starts up a new x11vnc for each connection.
- In some circumstances you may want a single x11vnc running but allow
- multiple VNC viewers to access it simultaneously.
-
- This option (VNC Shared) enables that rarer usage case by passing
- '-shared' to the remote x11vnc command.
-
- With this option enabled, the new shared connections must
- still connect to the Terminal Server via SSH for encryption and
- authentication. They must also do the normal SSH port redirection
- to access the x11vnc port (usually 5900, but look for the PORT=
- output for the actual value).
-
- They could use SSVNC for that, or do it manually in terminal
- windows, more information:
-
- http://www.karlrunge.com/x11vnc/#tunnelling
-}
- .vncs.f.t insert end $msg
-
- button .vncs.cancel -text "Cancel" -command {destroy .vncs; set ts_vncshared 0}
- bind .vncs <Escape> {destroy .vncs; set ts_vncshared 0}
- wm protocol .vncs WM_DELETE_WINDOW {destroy .vncs; set ts_vncshared 0}
- button .vncs.done -text "Done" -command {destroy .vncs; set ts_vncshared 1}
-
- pack .vncs.done .vncs.cancel -side bottom -fill x
- pack .vncs.f -side top -fill both -expand 1
-
- center_win .vncs
-}
-
-proc ts_multi_dialog {} {
-
- toplev .mult
- wm title .mult "Multiple Sessions"
-
- scroll_text .mult.f 80 21
-
- global ts_multisession choose_multisession
-
- set msg {
- Normally in Terminal Services mode (tsvnc) your user account (the
- one you SSH in as) can only have a single Terminal Services X session
- running at a time on one server machine.
-
- This is simply because x11vnc chooses the first Desktop (X session)
- of yours that it can find. It will never create a 2nd X session
- because it keeps finding the 1st one.
-
- To have Multiple Sessions for one username on a single machine,
- choose a unique Session "Tag", that will be associated with the X
- session and x11vnc will only choose the one that has this Tag.
-
- For this to work ALL of your sessions on the server machine must
- have a different tag (that is, if you have an existing session with
- no tag, x11vnc might find a tagged one first instead of it).
-
- The tag must be made of only letters, numbers, dash, or underscore.
-
- Examples: KDE_SMALL, gnome-2, test1
-}
- .mult.f.t insert end $msg
-
- frame .mult.c
- label .mult.c.l -anchor w -text "Tag:"
- entry .mult.c.e -width 20 -textvariable ts_multisession
- pack .mult.c.l -side left
- pack .mult.c.e -side left -expand 1 -fill x
-
- button .mult.cancel -text "Cancel" -command {destroy .mult; set choose_multisession 0}
- bind .mult <Escape> {destroy .mult; set choose_multisession 0}
- wm protocol .mult WM_DELETE_WINDOW {destroy .mult; set choose_multisession 0}
-
- bind .mult.c.e <Return> {destroy .mult; set choose_multisession 1}
- button .mult.done -text "Done" -command {destroy .mult; set choose_multisession 1}
-
- pack .mult.done .mult.cancel .mult.c -side bottom -fill x
- pack .mult.f -side top -fill both -expand 1
-
- center_win .mult
- focus .mult.c.e
-}
-
-proc ts_xlogin_dialog {} {
-
- toplev .xlog
- wm title .xlog "X Login Greeter"
-
- set h 33
- if [small_height] {
- set h 28
- }
- scroll_text .xlog.f 80 $h
-
- global ts_xlogin
-
- set msg {
- If you have root (sudo(1)) permission on the remote machine, you
- can have x11vnc try to connect to a X display(s) that has No One
- Logged In Yet. This is most likely the login greeter running on
- the Physical console. sudo(1) is used to run x11vnc with FD_XDM=1.
-
- This is different from tsvnc's regular Terminal Services mode where
- usually a virtual (RAM only, e.g. Xvfb) X server used. With this option
- it is the physical graphics hardware that will be connected to.
-
- Note that if your user is ALREADY logged into the physical display,
- you don't need to use this X Login option because x11vnc should find
- it in its normal find-display procedure and not need sudo(1).
-
- An initial ssh running 'sudo id' is performed to try to 'prime'
- sudo so the 2nd one that runs x11vnc does not need a password.
- This may not always succeed...
-
- Note that if someone is already logged into the display console
- via XDM (GDM, KDM etc.) you will see and control their X session.
-
- Otherwise, you will get the Greeter X login screen where you can
- log in via username and password. Your SSVNC 'Terminal Services'
- Desktop Type, Size, Printing etc. settings will be ignored in this
- case of course because XDM, GDM, or KDM is creating your X session,
- not x11vnc.
-
- Note that the GDM display manager has a setting KillInitClients in
- gdm.conf that will kill x11vnc right after you log in, and so you would
- have to repeat the whole process ('Connect' button) to attach to your
- session. See http://www.karlrunge.com/x11vnc/faq.html#faq-display-manager
- for more info.
-}
- .xlog.f.t insert end $msg
-
- button .xlog.cancel -text "Cancel" -command {destroy .xlog; set ts_xlogin 0}
- bind .xlog <Escape> {destroy .xlog; set ts_xlogin 0}
- wm protocol .xlog WM_DELETE_WINDOW {destroy .xlog; set ts_xlogin 0}
-
- button .xlog.done -text "Done" -command {destroy .xlog; set ts_xlogin 1}
-
- pack .xlog.done .xlog.cancel -side bottom -fill x
- pack .xlog.f -side top -fill both -expand 1
-
- center_win .xlog
-}
-
-
-proc ts_othervnc_dialog {} {
-
- toplev .ovnc
- wm title .ovnc "Other VNC Server"
-
- scroll_text .ovnc.f 80 21
-
- global ts_othervnc choose_othervnc
-
- set msg {
- The x11vnc program running on the remote machine can be instructed to
- immediately redirect to some other (3rd party, e.g. Xvnc or vnc.so)
- VNC server.
-
- It should be a little faster to have x11vnc forward the VNC protocol
- rather than having it poll the corresponding X server for changes
- in the way it normally does and translate to VNC.
-
- This mode also enables a simple way to add SSL or find X display
- support to a 3rd party VNC Server lacking these features.
-
- In the entry box put the other vnc display, e.g. "localhost:0" or
- "somehost:5".
-
- The string "find" in the entry will have x11vnc try to find an X
- display in its normal way, and then redirect to the corresponding VNC
- server port. This assumes if the X display is, say, :2 (i.e. port
- 6002) then the VNC display is also :2 (i.e. port 5902). This mode is
- the same as an "X Server Type" of "Xvnc.redirect" (and overrides it).
-}
- .ovnc.f.t insert end $msg
-
- frame .ovnc.c
- label .ovnc.c.l -anchor w -text "Other VNC Server:"
- entry .ovnc.c.e -width 20 -textvariable ts_othervnc
- pack .ovnc.c.l -side left
- pack .ovnc.c.e -side left -expand 1 -fill x
-
- button .ovnc.cancel -text "Cancel" -command {destroy .ovnc; set choose_othervnc 0}
- bind .ovnc <Escape> {destroy .ovnc; set choose_othervnc 0}
- wm protocol .ovnc WM_DELETE_WINDOW {destroy .ovnc; set choose_othervnc 0}
- button .ovnc.done -text "Done" -command {destroy .ovnc; set choose_othervnc 1}
- bind .ovnc.c.e <Return> {destroy .ovnc; set choose_othervnc 1}
-
- if {$ts_othervnc == ""} {
- set ts_othervnc "find"
- }
-
- pack .ovnc.done .ovnc.cancel .ovnc.c -side bottom -fill x
- pack .ovnc.f -side top -fill both -expand 1
-
- center_win .ovnc
- focus .ovnc.c.e
-}
-
-proc ts_sleep_dialog {} {
-
- toplev .eslp
- wm title .eslp "Extra Sleep"
-
- scroll_text .eslp.f 80 5
-
- global extra_sleep
-
- set msg {
- Sleep: Enter a number to indicate how many extra seconds to sleep
- while waiting for the VNC viewer to start up. On Windows this
- can give extra time to enter the Putty/Plink password, etc.
-}
- .eslp.f.t insert end $msg
-
- frame .eslp.c
- label .eslp.c.l -anchor w -text "Extra Sleep:"
- entry .eslp.c.e -width 20 -textvariable extra_sleep
- pack .eslp.c.l -side left
- pack .eslp.c.e -side left -expand 1 -fill x
-
- button .eslp.cancel -text "Cancel" -command {destroy .eslp; set choose_sleep 0}
- bind .eslp <Escape> {destroy .eslp; set choose_sleep 0}
- wm protocol .eslp WM_DELETE_WINDOW {destroy .eslp; set choose_sleep 0}
- button .eslp.done -text "Done" -command {destroy .eslp; set choose_sleep 1}
- bind .eslp.c.e <Return> {destroy .eslp; set choose_sleep 1}
-
- global choose_sleep
- if {! $choose_sleep} {
- set extra_sleep ""
- }
-
- pack .eslp.done .eslp.cancel .eslp.c -side bottom -fill x
- pack .eslp.f -side top -fill both -expand 1
-
- center_win .eslp
- focus .eslp.c.e
-}
-
-proc ts_putty_args_dialog {} {
-
- toplev .parg
- wm title .parg "Putty Args"
-
- scroll_text .parg.f 80 5
-
- global putty_args
-
- set msg {
- Putty Args: Enter a string to be added to every plink.exe and putty.exe
- command line. For example: -i C:\mykey.ppk
-}
- .parg.f.t insert end $msg
-
- frame .parg.c
- label .parg.c.l -anchor w -text "Putty Args:"
- entry .parg.c.e -width 20 -textvariable putty_args
- pack .parg.c.l -side left
- pack .parg.c.e -side left -expand 1 -fill x
-
- button .parg.cancel -text "Cancel" -command {destroy .parg; set choose_parg 0}
- bind .parg <Escape> {destroy .parg; set choose_parg 0}
- wm protocol .parg WM_DELETE_WINDOW {destroy .parg; set choose_parg 0}
- button .parg.done -text "Done" -command {destroy .parg; set choose_parg 1}
- bind .parg.c.e <Return> {destroy .parg; set choose_parg 1}
-
- global choose_parg
- if {! $choose_parg} {
- set putty_args ""
- }
-
- pack .parg.done .parg.cancel .parg.c -side bottom -fill x
- pack .parg.f -side top -fill both -expand 1
-
- center_win .parg
- focus .parg.c.e
-}
-
-proc ts_ncache_dialog {} {
-
- toplev .nche
- wm title .nche "Client-Side Caching"
-
- scroll_text .nche.f 80 22
-
- global ts_ncache choose_ncache
-
- set msg {
- This enables the *experimental* x11vnc client-side caching mode.
- It often gives nice speedups, but can sometimes lead to painting
- errors or window "flashing". (you can repaint the screen by tapping
- the Left Alt key 3 times in a row)
-
- It is a very simple but hoggy method: uncompressed image pixmaps are
- stored in the viewer in a large (20-100MB) display region beneath
- the actual display screen. You may need also to adjust your VNC Viewer
- to not show this region (the SSVNC Unix viewer does it automatically).
-
- The scheme uses a lot of RAM, but at least it has the advantage that
- it works with every VNC Viewer. Otherwise the VNC protocol would
- need to be modified, changing both the server and the viewer.
-
- Set the x11vnc "-ncache" parameter to an even integer between 2
- and 20. This is the increase in area factor over the normal screen
- for the caching region. So 10 means use 10 times the RAM to store
- pixmaps. The default is 8.
-
- More info: http://www.karlrunge.com/x11vnc/faq.html#faq-client-caching
-}
- .nche.f.t insert end $msg
-
- frame .nche.c
- label .nche.c.l -anchor w -text "ncache:"
- radiobutton .nche.c.r2 -text "2" -variable ts_ncache -value "2"
- radiobutton .nche.c.r4 -text "4" -variable ts_ncache -value "4"
- radiobutton .nche.c.r6 -text "6" -variable ts_ncache -value "6"
- radiobutton .nche.c.r8 -text "8" -variable ts_ncache -value "8"
- radiobutton .nche.c.r10 -text "10" -variable ts_ncache -value "10"
- radiobutton .nche.c.r12 -text "12" -variable ts_ncache -value "12"
- radiobutton .nche.c.r14 -text "14" -variable ts_ncache -value "14"
- radiobutton .nche.c.r16 -text "16" -variable ts_ncache -value "16"
- radiobutton .nche.c.r18 -text "18" -variable ts_ncache -value "18"
- radiobutton .nche.c.r20 -text "20" -variable ts_ncache -value "20"
- pack .nche.c.l -side left
- pack .nche.c.r2 .nche.c.r4 .nche.c.r6 .nche.c.r8 .nche.c.r10 \
- .nche.c.r12 .nche.c.r14 .nche.c.r16 .nche.c.r18 .nche.c.r20 -side left
- button .nche.cancel -text "Cancel" -command {destroy .nche; set choose_ncache 0}
- bind .nche <Escape> {destroy .nche; set choose_ncache 0}
- wm protocol .nche WM_DELETE_WINDOW {destroy .nche; set choose_ncache 0}
- button .nche.done -text "Done" -command {destroy .nche; set choose_ncache 1}
-
- pack .nche.done .nche.cancel .nche.c -side bottom -fill x
- pack .nche.f -side top -fill both -expand 1
-
- center_win .nche
-}
-
-proc ts_x11vnc_opts_dialog {} {
-
- toplev .x11v
- wm title .x11v "x11vnc Options"
-
- set h 23
- if [small_height] {
- set h 21
- }
- scroll_text .x11v.f 80 $h
-
- global ts_x11vnc_opts ts_x11vnc_path ts_x11vnc_autoport choose_x11vnc_opts
- global additional_port_redirs_list
-
- set msg {
- If you are an expert with x11vnc's endless options and tweaking
- parameters feel free to specify any you want here in "Options".
-
- Also, if you need to specify the path to the x11vnc program on the
- remote side because it will not be in $PATH, put it in the "Full
- Path" entry.
-
- Port Redirs are additional SSH "-L port:host:port" or "-R port:host:port"
- (forward or reverse, resp.) port redirections you want. In SSVNC mode,
- see the detailed description under: Options -> Advanced -> Port Redirs.
-
- Some potentially useful options:
-
- -solid -scale -scale_cursor
- -passwd -rfbauth -http
- -xrandr -rotate -noxdamage
- -xkb -skip_lockkeys -nomodtweak
- -repeat -cursor -wmdt
- -nowireframe -ncache_cr -speeds
-
- More info: http://www.karlrunge.com/x11vnc/faq.html#faq-cmdline-opts
-}
-# In Auto Port put a starting port for x11vnc to try autoprobing
-# instead of the default 5900. It starts at the value you supply and
-# works upward until a free one is found. (x11vnc 0.9.3 or later).
-
- .x11v.f.t insert end $msg
-
- frame .x11v.c
- label .x11v.c.l -width 10 -anchor w -text "Options:"
- entry .x11v.c.e -textvariable ts_x11vnc_opts
- pack .x11v.c.l -side left
- pack .x11v.c.e -side left -expand 1 -fill x
-
- frame .x11v.c2
- label .x11v.c2.l -width 10 -anchor w -text "Full Path:"
- entry .x11v.c2.e -textvariable ts_x11vnc_path
- pack .x11v.c2.l -side left
- pack .x11v.c2.e -side left -expand 1 -fill x
-
-# frame .x11v.c3
-# label .x11v.c3.l -width 10 -anchor w -text "Auto Port:"
-# entry .x11v.c3.e -textvariable ts_x11vnc_autoport
-# pack .x11v.c3.l -side left
-# pack .x11v.c3.e -side left -expand 1 -fill x
-
- frame .x11v.c4
- label .x11v.c4.l -width 10 -anchor w -text "Port Redirs:"
- entry .x11v.c4.e -textvariable additional_port_redirs_list
- pack .x11v.c4.l -side left
- pack .x11v.c4.e -side left -expand 1 -fill x
-
- button .x11v.cancel -text "Cancel" -command {destroy .x11v; set choose_x11vnc_opts 0}
- bind .x11v <Escape> {destroy .x11v; set choose_x11vnc_opts 0}
- wm protocol .x11v WM_DELETE_WINDOW {destroy .x11v; set choose_x11vnc_opts 0}
- button .x11v.done -text "Done" -command {destroy .x11v; set choose_x11vnc_opts 1;
- if {$additional_port_redirs_list != ""} {set additional_port_redirs 1} else {set additional_port_redirs 0}}
-
-# pack .x11v.done .x11v.cancel .x11v.c4 .x11v.c3 .x11v.c2 .x11v.c -side bottom -fill x
- pack .x11v.done .x11v.cancel .x11v.c4 .x11v.c2 .x11v.c -side bottom -fill x
- pack .x11v.f -side top -fill both -expand 1
-
- center_win .x11v
- focus .x11v.c.e
-}
-
-
-proc ts_filexfer_dialog {} {
-
- toplev .xfer
- wm title .xfer "File Transfer"
- global choose_filexfer ts_filexfer
-
- scroll_text .xfer.f 70 13
-
- set msg {
- x11vnc supports both the UltraVNC and TightVNC file transfer
- extensions. On Windows both viewers support their file transfer
- protocol. On Unix only the SSVNC VNC Viewer can do filexfer; it
- supports the UltraVNC flavor via a Java helper program (and so
- java(1) is required on the viewer-side).
-
- Choose the one you want based on VNC viewer you will use.
- The defaults for the SSVNC viewer package are TightVNC on
- Windows and UltraVNC on Unix.
-
- For more info see: http://www.karlrunge.com/x11vnc/faq.html#faq-filexfer
-}
- .xfer.f.t insert end $msg
-
- global is_windows
- if {$ts_filexfer == ""} {
- if {$is_windows} {
- set ts_filexfer "tight"
- } else {
- set ts_filexfer "ultra"
- }
- }
-
- frame .xfer.c
- radiobutton .xfer.c.tight -text "TightVNC" -variable ts_filexfer -value "tight" -relief ridge
- radiobutton .xfer.c.ultra -text "UltraVNC" -variable ts_filexfer -value "ultra" -relief ridge
-
- pack .xfer.c.ultra .xfer.c.tight -side left -fill x -expand 1
-
- button .xfer.cancel -text "Cancel" -command {destroy .xfer; set choose_filexfer 0}
- bind .xfer <Escape> {destroy .xfer; set choose_filexfer 0}
- wm protocol .xfer WM_DELETE_WINDOW {destroy .xfer; set choose_filexfer 0}
- button .xfer.done -text "Done" -command {destroy .xfer; set choose_filexfer 1}
-
- pack .xfer.done .xfer.cancel -side bottom -fill x
- pack .xfer.c -side bottom -fill x -expand 1
- pack .xfer.f -side top -fill both -expand 1
-
- center_win .xfer
-}
-
-proc ts_cups_dialog {} {
-
- toplev .cups
- wm title .cups "CUPS and SMB Printing"
- global cups_local_server cups_remote_port cups_manage_rcfile ts_cups_manage_rcfile cups_x11vnc
- global cups_local_smb_server cups_remote_smb_port
-
- set h 30
- if [small_height] {
- set h 24
- }
- scroll_text .cups.f 80 $h
-
-
- set msg {
- This method requires a working CUPS Desktop setup on the remote side
- of the connection and working CUPS (or possibly Windows SMB or IPP)
- printing on the local viewer-side of the connection.
-
- For CUPS printing redirection to work properly, you MUST enable it for
- the connection that *creates* your terminal services X session (i.e. the
- first connection.) You cannot retroactively enable CUPS redirection
- on an already existing terminal services X session. (See CUPS printing
- for normal SSVNC mode for how you might do that.)
-
- Enter the VNC Viewer side (i.e. where you are sitting) CUPS server
- under "Local CUPS Server". Use "localhost:631" if there is one
- on your viewer machine (normally the case if you set up a printer
- on your unix or macosx system), or, e.g., "my-print-srv:631" for a
- nearby CUPS print server. Note that 631 is the default CUPS port.
-
- (On MacOSX it seems better to use "127.0.0.1" instead of "localhost".)
-
- The SSVNC Terminal Services created remote Desktop session will have
- the variables CUPS_SERVER and IPP_PORT set so all printing applications
- will be redirected to your local CUPS server. So your locally available
- printers should appear in the remote print dialogs.
-
-
- Windows/SMB Printers: Under "Local SMB Print Server" you can set a
- port redirection for a Windows (non-CUPS) SMB printer. If localhost:139
- does not work, try the literal string "IP:139", or use the known value
- of the IP address manually. 139 is the default SMB port; nowadays 445
- might be a better possibility.
-
- For Windows/SMB Printers if there is no local CUPS print server, it is
- usually a very good idea to make the CUPS Server setting EMPTY (to avoid
- desktop apps trying incessantly to reach the nonexistent CUPS server.)
-
- On the remote side, in the Desktop session the variables $SMB_SERVER,
- $SMB_HOST, and $SMB_PORT will be set for you to use.
-
- Unfortunately, printing to Windows may only ve partially functional due
- to the general lack PostScript support on Windows.
-
- If you have print admin permission on the remote machine you can
- configure CUPS to know about your Windows printer via lpadmin(8) or
- a GUI tool. You give it the URI:
-
- smb://localhost:port/printername
-
- or possibly:
-
- smb://localhost:port/computer/printername
-
- "port" will be found in the $SMB_PORT. You also need to identify
- the printer type. NOTE: You will leave "Local CUPS Server" blank in
- this case. The smbspool(1) command should also work as well, at least
- for PostScript printers.
-
- A similar thing can be done with CUPS printers if you are having problems
- with the above default mechanism. Use
-
- http://localhost:port/printers/printername
-
- For more info see: http://www.karlrunge.com/x11vnc/faq.html#faq-cups
-}
-
-# The "Manage 'ServerName' in .cups/client.conf for me" setting is usually
-# NOT needed unless you are using Terminal Services to connect to an
-# existing Session that did NOT have CUPS print redirection set at session
-# start time (i.e. IPP_PORT and CUPS_SERVER were not set up). In that
-# case, select this option as a workaround: NOTE that the client.conf
-# setting will REDIRECT ALL PRINTING for apps with the same $HOME/.cups
-# directory (which you probably do not want), however it will be reset
-# when the SSVNC viewer disconnects.
-
- .cups.f.t insert end $msg
-
- global uname
- if {$cups_local_server == ""} {
- if {$uname == "Darwin"} {
- set cups_local_server "127.0.0.1:631"
- } else {
- set cups_local_server "localhost:631"
- }
- }
- if {$cups_remote_port == ""} {
- set cups_remote_port [expr "6731 + int(1000 * rand())"]
- }
- if {$cups_local_smb_server == ""} {
- global is_windows
- if {$is_windows} {
- set cups_local_smb_server "IP:139"
- } elseif {$uname == "Darwin"} {
- set cups_local_smb_server "127.0.0.1:139"
- } else {
- set cups_local_smb_server "localhost:139"
- }
- }
- if {$cups_remote_smb_port == ""} {
- set cups_remote_smb_port [expr "7731 + int(1000 * rand())"]
- }
-
- frame .cups.serv
- label .cups.serv.l -anchor w -text "Local CUPS Server: "
- entry .cups.serv.e -width 40 -textvariable cups_local_server
- pack .cups.serv.e -side right
- pack .cups.serv.l -side left -expand 1 -fill x
-
- frame .cups.smbs
- label .cups.smbs.l -anchor w -text "Local SMB Print Server: "
- entry .cups.smbs.e -width 40 -textvariable cups_local_smb_server
- pack .cups.smbs.e -side right
- pack .cups.smbs.l -side left -expand 1 -fill x
-
- # not working with x11vnc:
- checkbutton .cups.cupsrc -anchor w -variable ts_cups_manage_rcfile -text \
- "Manage 'ServerName' in the remote \$HOME/.cups/client.conf file for me"
-
- button .cups.cancel -text "Cancel" -command {destroy .cups; set use_cups 0}
- bind .cups <Escape> {destroy .cups; set use_cups 0}
- wm protocol .cups WM_DELETE_WINDOW {destroy .cups; set use_cups 0}
- button .cups.done -text "Done" -command {destroy .cups; if {$use_cups} {set_ssh}}
-
- pack .cups.done .cups.cancel .cups.smbs .cups.serv -side bottom -fill x
- pack .cups.f -side top -fill both -expand 1
-
- center_win .cups
- focus .cups.serv.e
-}
-
-
-proc cups_dialog {} {
-
- toplev .cups
- wm title .cups "CUPS Tunnelling"
- global cups_local_server cups_remote_port cups_manage_rcfile cups_x11vnc
- global cups_local_smb_server cups_remote_smb_port
- global ts_only
- if {$ts_only} {
- ts_cups_dialog
- return
- }
-
- global uname
- set h 33
- if [small_height] {
- set h 17
- } elseif {$uname == "Darwin"} {
- set h 24
- }
- scroll_text .cups.f 80 $h
-
-
- set msg {
- CUPS Printing requires SSH be used to set up the CUPS Print service TCP
- port redirection. This will be either of the "Use SSH" or "SSH+SSL" modes.
- NOTE: For pure SSL tunnelling it currently will not work.
-
- This method requires working CUPS software setups on BOTH the remote
- and local sides of the connection.
-
- If the remote VNC server is Windows you probably cannot SSH into it
- anyway... If you can, you will still need to set up a special printer
- TCP port redirection on your own. Perhaps adding and configuring a
- "Unix Printer" under Windows (like Method #2 below) will work.
-
- If the local machine (SSVNC side) is Windows, see the bottom of this
- help for redirecting to SMB printers.
-
- If the remote VNC server is Mac OS X this method may or may not work.
- Sometimes applications need to be restarted to get them to notice the
- new printers. Adding and configuring a special "Unix Printer",
- (Method #2) below, might yield more reliable results at the cost of
- additional setup and permissions.
-
- For Unix/Linux remote VNC servers, applications may also need to be
- restarted to notice the new printers. The only case known to work
- well is the one where the remote side has no CUPS printers configured.
- As mentioned above, see Method #2 for another method.
-
- *************************************************************************
- *** Directions:
-
- You choose your own remote CUPS redir port below under "Use Remote
- CUPS Port". 6631 is our default and is used in the examples below.
- Use it or some random value greater than 1024. Note that the standard
- CUPS server port is 631.
-
- The port you choose must be unused on the VNC server machine (it is NOT
- checked for you). Print requests connecting to it are redirected to
- your local VNC viewer-side CUPS server through the SSH tunnel.
-
- (Note: root SSH login permission is needed for ports less than 1024,
- e.g. 631; this is not recommended, use something around 6631 instead).
-
- Then enter the VNC Viewer side (i.e. where you are sitting) CUPS server
- into "Local CUPS Server". A good choice is the default "localhost:631"
- if there is a cups server on your viewer machine (this is usually the case
- if you have set up a printer). Otherwise enter, e.g., "my-print-srv:631"
- for your nearby (viewer-side) CUPS print server.
-
-
- The "Manage 'ServerName' in the $HOME/.cups/client.conf file for me"
- setting below is enabled by default. It should handle most situations.
-
- What it does is modify the .cups/client.conf file on the VNC server-side
- to redirect the print requests while the SSVNC viewer is connected. When
- SSVNC disconnects .cups/client.conf is restored to its previous setting.
-
- If, for some reason, the SSVNC CUPS script fails to restore this file
- after SSVNC disconnects, run this command on the remote machine:
-
- cp $HOME/.cups/client.conf.back $HOME/.cups/client.conf
-
- to regain your initial printing configuration.
-
-
- You can also use CUPS on the VNC server-side to redirect to Windows
- (SMB) printers. See the additional info for Windows Printing at the
- bottom of this help.
-
-
- In case the default method (automatic .cups/client.conf modification)
- fails, we describe below all of the possible methods that can be tried.
-
- As noted above, you may need to restart applications for them to notice
- the new printers or for them to revert to the original printers. If this
- is not acceptable, consider Method #2 below if you have the permission
- and ability to alter the print queues for this.
-
-
- *************************************************************************
- *** Method #1: Manually create or edit the file $HOME/.cups/client.conf
- on the VNC server side by putting in something like this in it:
-
- ServerName localhost:6631
-
- based on the port you set in this dialog's entry box.
-
- After the remote VNC Connection is finished, to go back to the non-SSH
- tunnelled CUPS server and either remove the client.conf file or comment
- out the ServerName line. This restores the normal CUPS server for
- you on the remote VNC server machine.
-
- Select "Manage 'ServerName' in the $HOME/.cups/client.conf file for me"
- to do this editing of the VNC server-side CUPS config file for you
- automatically. NOTE: It is now on by default (deselect it if you want
- to manage the file manually; e.g. you print through the tunnel only very
- rarely, or often print locally when the tunnel is up, etc.)
-
- Select "Pass -env FD_CUPS=<Port> to x11vnc command line" if you are
- starting x11vnc as the Remote SSH Command, and x11vnc is running in
- -create mode (i.e. FINDCREATEDISPLAY). That way, when your X session
- is created IPP_PORT will be set correctly for the entire session.
- This is the mode used for 'Terminal Services' printing.
-
- NOTE: You probably would never select both of the above two options
- at the same time, since they conflict with each other to some degree.
-
-
- *************************************************************************
- *** Method #2: If you have admin permission on the VNC Server machine
- you can likely "Add a Printer" via a GUI dialog, a Wizard, CUPS Web
- interface (i.e. http://localhost:631/), lpadmin(8), etc.
-
- You will need to tell the dialog that the network printer located
- is at, e.g., localhost:6631, and anything else needed to identify
- the printer (type, model, etc). NOTE: sometimes it is best to set
- the model/type as "Generic / Postscript Printer" to avoid problems
- with garbage being printed out.
-
- For the URI to use, we have successfully used ones like this with CUPS:
-
- http://localhost:6631/printers/Deskjet-3840
- ipp://localhost:6631/printers/Deskjet-3840
-
- for an HP Deskjet-3840 printer. See the CUPS documentation for more
- about the URI syntax and pathname.
-
- This mode makes the client.conf ServerName parameter unnecessary
- (BE SURE TO DISABLE the "Manage 'ServerName' ... for me" option.)
-
-
- *************************************************************************
- *** Method #3: Restarting individual applications with the IPP_PORT
- set will enable redirected printing for them, e.g.:
-
- env IPP_PORT=6631 firefox
-
- If you can only get this method to work, an extreme application would
- be to run the whole desktop, e.g. "env IPP_PORT=6631 gnome-session", but
- then you would need some sort of TCP redirector (ssh -L comes to mind),
- to direct it to 631 when not connected remotely.
-
-
- *************************************************************************
- *** Windows/SMB Printers: Under "Local SMB Print Server" you can set
- a port redirection for a Windows (non-CUPS) SMB printer. E.g. port
- 6632 -> localhost:139.
-
- If localhost:139 does not work, try the literal string "IP:139", or
- insert the actual IP address manually. NOTE: Nowadays on Windows port
- 445 might be a better choice.
-
- For Windows printers, if there is no local CUPS print server, set the
- 'Local CUPS Server' and 'Use Remote CUPS Port' to be EMPTY (to avoid
- desktop apps trying incessantly to reach the nonexistent CUPS server.)
-
- You must enable Sharing for your local Windows Printer. Use Windows
- Printer configuration dialogs to do this.
-
- Next, you need to have sudo or print admin permission so that you can
- configure the *remote* CUPS to know about this Windows printer via
- lpadmin(8) or GUI Printer Configuration dialog, etc (Method #2 above).
- You basically give it the URI:
-
- smb://localhost:6632/printername
-
- For example, we have had success with GNOME CUPS printing configuration
- using:
-
- smb://localhost:6632/HPOffice
- smb://localhost:6632/COMPUTERNAME/HPOffice
-
- where "HPOffice" was the name Windows shares the printer as.
-
- Also with this SMB port redir mode, as a last resort you can often print
- using the smbspool(8) program like this:
-
- smbspool smb://localhost:6632/printer job user title 1 "" myfile.ps
-
- You could put this in a script. For this URI, it appears only the number
- of copies ("1" above) and the file itself are important.
-
- If on the local (SSVNC viewer) side there is some nearby CUPS print server
- that knows about your Windows printer, you might have better luck with
- that instead of using SMB. Set 'Local CUPS Server' to it.
-
- For more info see: http://www.karlrunge.com/x11vnc/faq.html#faq-cups
-}
- .cups.f.t insert end $msg
-
- global uname
- set something_set 0
-
- if {$cups_local_server != ""} {
- set something_set 1
- }
- if {$cups_local_smb_server != ""} {
- set something_set 1
- }
-
- if {$cups_local_server == "" && ! $something_set} {
- if {$uname == "Darwin"} {
- set cups_local_server "127.0.0.1:631"
- } else {
- set cups_local_server "localhost:631"
- }
- }
- if {$cups_remote_port == "" && ! $something_set} {
- set cups_remote_port "6631"
- }
- if {$cups_local_smb_server == "" && ! $something_set} {
- global is_windows
- if {$is_windows} {
- set cups_local_smb_server "IP:139"
- } elseif {$uname == "Darwin"} {
- set cups_local_smb_server "127.0.0.1:139"
- } else {
- set cups_local_smb_server "localhost:139"
- }
- }
- if {$cups_remote_smb_port == "" && ! $something_set} {
- set cups_remote_smb_port "6632"
- }
-
- frame .cups.serv
- label .cups.serv.l -anchor w -text "Local CUPS Server: "
- entry .cups.serv.e -width 40 -textvariable cups_local_server
- pack .cups.serv.e -side right
- pack .cups.serv.l -side left -expand 1 -fill x
-
- frame .cups.port
- label .cups.port.l -anchor w -text "Use Remote CUPS Port:"
- entry .cups.port.e -width 40 -textvariable cups_remote_port
- pack .cups.port.e -side right
- pack .cups.port.l -side left -expand 1 -fill x
-
- frame .cups.smbs
- label .cups.smbs.l -anchor w -text "Local SMB Print Server: "
- entry .cups.smbs.e -width 40 -textvariable cups_local_smb_server
- pack .cups.smbs.e -side right
- pack .cups.smbs.l -side left -expand 1 -fill x
-
- frame .cups.smbp
- label .cups.smbp.l -anchor w -text "Use Remote SMB Print Port:"
- entry .cups.smbp.e -width 40 -textvariable cups_remote_smb_port
- pack .cups.smbp.e -side right
- pack .cups.smbp.l -side left -expand 1 -fill x
-
- checkbutton .cups.cupsrc -anchor w -variable cups_manage_rcfile -text \
- "Manage 'ServerName' in the remote \$HOME/.cups/client.conf file for me"
-
- checkbutton .cups.x11vnc -anchor w -variable cups_x11vnc -text \
- "Pass -env FD_CUPS=<Port> to x11vnc command line."
-
- button .cups.cancel -text "Cancel" -command {destroy .cups; set use_cups 0}
- bind .cups <Escape> {destroy .cups; set use_cups 0}
- wm protocol .cups WM_DELETE_WINDOW {destroy .cups; set use_cups 0}
- button .cups.done -text "Done" -command {destroy .cups; if {$use_cups} {set_ssh}}
-
- button .cups.guess -text "Help me decide ..." -command {}
- .cups.guess configure -state disabled
-
- pack .cups.done .cups.cancel .cups.guess .cups.x11vnc .cups.cupsrc .cups.smbp .cups.smbs .cups.port .cups.serv -side bottom -fill x
- pack .cups.f -side top -fill both -expand 1
-
- center_win .cups
- focus .cups.serv.e
-}
-
-proc ts_sound_dialog {} {
-
- global is_windows
- global ts_only
-
- toplev .snd
- wm title .snd "Sound Tunnelling"
-
- scroll_text .snd.f 80 21
-
- set msg {
- Your remote Desktop will be started in an Enlightenment Sound Daemon
- (ESD) environment (esddsp(1), which must be installed on the remote
- machine), and a local ESD sound daemon (esd(1)) will be started to
- play the sounds for you to hear.
-
- In the entry box below you can choose the port that the local esd
- will use to listen on. The default ESD port is 16001. You will
- need to choose different values if you will have more than one esd
- running locally.
-
- The command run (with port replaced by your choice) will be:
-
- %RCMD
-
- Note: Unfortunately not all applications work with ESD.
- And esd's LD_PRELOAD is broken on 64+32bit Linux (x86_64).
- And so this mode is not working well currently...
-
- For more info see: http://www.karlrunge.com/x11vnc/faq.html#faq-sound
-}
-
-
- global sound_daemon_remote_port sound_daemon_local_port sound_daemon_local_cmd
- global sound_daemon_local_start sound_daemon_local_kill
-
- set sound_daemon_local_start 1
- set sound_daemon_local_kill 1
-
- if {$sound_daemon_remote_port == ""} {
- set sound_daemon_remote_port 16010
- }
- if {$sound_daemon_local_port == ""} {
- set sound_daemon_local_port 16010
- }
-
- if {$sound_daemon_local_cmd == ""} {
- global is_windows
- if {$is_windows} {
- set sound_daemon_local_cmd {esound\esd -promiscuous -as 5 -port %PORT -tcp -bind 127.0.0.1}
- } else {
- set sound_daemon_local_cmd {esd -promiscuous -as 5 -port %PORT -tcp -bind 127.0.0.1}
- }
- }
- regsub {%PORT} $sound_daemon_local_cmd $sound_daemon_local_port sound_daemon_local_cmd
-
- regsub {%RCMD} $msg $sound_daemon_local_cmd msg
- .snd.f.t insert end $msg
-
- frame .snd.lport
- label .snd.lport.l -anchor w -text "Local Sound Port: "
- entry .snd.lport.e -width 45 -textvariable sound_daemon_local_port
- pack .snd.lport.e -side right
- pack .snd.lport.l -side left -expand 1 -fill x
-
- button .snd.cancel -text "Cancel" -command {destroy .snd; set use_sound 0}
- bind .snd <Escape> {destroy .snd; set use_sound 0}
- wm protocol .snd WM_DELETE_WINDOW {destroy .snd; set use_sound 0}
- button .snd.done -text "Done" -command {destroy .snd; if {$use_sound} {set_ssh}}
- bind .snd.lport.e <Return> {destroy .snd; if {$use_sound} {set_ssh}}
-
- pack .snd.done .snd.cancel .snd.lport -side bottom -fill x
- pack .snd.f -side bottom -fill both -expand 1
-
- center_win .snd
- focus .snd.lport.e
-}
-
-proc sound_dialog {} {
-
- global is_windows
- global ts_only
- if {$ts_only} {
- ts_sound_dialog;
- return
- }
-
- toplev .snd
- wm title .snd "ESD/ARTSD Sound Tunnelling"
-
- global uname
- set h 28
- if [small_height] {
- set h 14
- } elseif {$uname == "Darwin"} {
- set h 20
- }
- scroll_text .snd.f 80 $h
-
- set msg {
- Sound tunnelling to a sound daemon requires SSH be used to set up the
- service port redirection. This will be either of the "Use SSH" or
- "SSH+SSL" modes. NOTE: For pure SSL tunnelling it currently will not work.
-
- This method requires working Sound daemon (e.g. ESD or ARTSD) software
- setups on BOTH the remote and local sides of the connection.
-
- Often this means you want to run your ENTIRE remote desktop with ALL
- applications instructed to use the sound daemon's network port. E.g.
-
- esddsp -s localhost:16001 startkde
- esddsp -s localhost:16001 gnome-session
-
- and similarly for artsdsp, etc. You put this in your ~/.xession,
- or other startup file. This is non standard. If you do not want to
- do this you still can direct *individual* sound applications through
- the tunnel, for example "esddsp -s localhost:16001 soundapp", where
- "soundapp" is some application that makes noise (say xmms or mpg123).
-
- Select "Pass -env FD_ESD=<Port> to x11vnc command line." if you are
- starting x11vnc as the Remote SSH Command, and x11vnc is running in
- -create mode (i.e. FINDCREATEDISPLAY). That way, your X session is
- started via "esddsp -s ... <session>" and the ESD variables will be
- set correctly for the entire session. (This mode make most sense for
- a virtual, e.g. Xvfb or Xdummy session, not one a physical display).
-
- Also, usually the remote Sound daemon must be killed BEFORE the SSH port
- redir is established (because it is listening on the port we want to use
- for the SSH redir), and, presumably, restarted when the VNC connection
- finished.
-
- One may also want to start and kill a local sound daemon that will
- play the sound received over the network on the local machine.
-
- You can indicate the remote and local Sound daemon commands below and
- how they should be killed and/or restart. Some examples:
-
- esd -promiscuous -as 5 -port 16001 -tcp -bind 127.0.0.1
- artsd -n -p 7265 -F 10 -S 4096 -n -s 5 -m artsmessage -l 3 -f
-
- or you can leave some or all blank and kill/start them manually.
-
- For convenience, a Windows port of ESD is provided in the util/esound
- directory, and so this might work for a Local command:
-
- esound\esd -promiscuous -as 5 -port 16001 -tcp -bind 127.0.0.1
-
- NOTE: If you indicate "Remote Sound daemon: Kill at start." below,
- then THERE WILL BE TWO SSH'S: THE FIRST ONE TO KILL THE DAEMON.
- So you may need to supply TWO SSH PASSWORDS, unless you are using
- something like ssh-agent(1), the Putty PW setting, etc.
-
- You will also need to supply the remote and local sound ports for
- the SSH redirs. For esd the default port is 16001, but you can choose
- another one if you prefer.
-
- For "Local Sound Port" you can also supply "host:port" instead of just
- a numerical port to specify non-localhost connections, e.g. to another
- nearby machine.
-
- For more info see: http://www.karlrunge.com/x11vnc/faq.html#faq-sound
-}
- .snd.f.t insert end $msg
-
- global sound_daemon_remote_port sound_daemon_local_port sound_daemon_local_cmd
- if {$sound_daemon_remote_port == ""} {
- set sound_daemon_remote_port 16001
- }
- if {$sound_daemon_local_port == ""} {
- set sound_daemon_local_port 16001
- }
-
- if {$sound_daemon_local_cmd == ""} {
- global is_windows
- if {$is_windows} {
- set sound_daemon_local_cmd {esound\esd -promiscuous -as 5 -port %PORT -tcp -bind 127.0.0.1}
- } else {
- set sound_daemon_local_cmd {esd -promiscuous -as 5 -port %PORT -tcp -bind 127.0.0.1}
- }
- regsub {%PORT} $sound_daemon_local_cmd $sound_daemon_local_port sound_daemon_local_cmd
- }
-
-
- frame .snd.remote
- label .snd.remote.l -anchor w -text "Remote Sound daemon cmd: "
- entry .snd.remote.e -width 45 -textvariable sound_daemon_remote_cmd
- pack .snd.remote.e -side right
- pack .snd.remote.l -side left -expand 1 -fill x
-
- frame .snd.local
- label .snd.local.l -anchor w -text "Local Sound daemon cmd: "
- entry .snd.local.e -width 45 -textvariable sound_daemon_local_cmd
- pack .snd.local.e -side right
- pack .snd.local.l -side left -expand 1 -fill x
-
- frame .snd.rport
- label .snd.rport.l -anchor w -text "Remote Sound Port: "
- entry .snd.rport.e -width 45 -textvariable sound_daemon_remote_port
- pack .snd.rport.e -side right
- pack .snd.rport.l -side left -expand 1 -fill x
-
- frame .snd.lport
- label .snd.lport.l -anchor w -text "Local Sound Port: "
- entry .snd.lport.e -width 45 -textvariable sound_daemon_local_port
- pack .snd.lport.e -side right
- pack .snd.lport.l -side left -expand 1 -fill x
-
-
- checkbutton .snd.sdk -anchor w -variable sound_daemon_kill -text \
- "Remote Sound daemon: Kill at start."
-
- checkbutton .snd.sdr -anchor w -variable sound_daemon_restart -text \
- "Remote Sound daemon: Restart at end."
-
- checkbutton .snd.sdsl -anchor w -variable sound_daemon_local_start -text \
- "Local Sound daemon: Run at start."
-
- checkbutton .snd.sdkl -anchor w -variable sound_daemon_local_kill -text \
- "Local Sound daemon: Kill at end."
-
- checkbutton .snd.x11vnc -anchor w -variable sound_daemon_x11vnc -text \
- "Pass -env FD_ESD=<Port> to x11vnc command line."
-
- button .snd.guess -text "Help me decide ..." -command {}
- .snd.guess configure -state disabled
-
- global is_win9x
- if {$is_win9x} {
- .snd.local.e configure -state disabled
- .snd.local.l configure -state disabled
- .snd.sdsl configure -state disabled
- .snd.sdkl configure -state disabled
- }
-
- button .snd.cancel -text "Cancel" -command {destroy .snd; set use_sound 0}
- bind .snd <Escape> {destroy .snd; set use_sound 0}
- wm protocol .snd WM_DELETE_WINDOW {destroy .snd; set use_sound 0}
- button .snd.done -text "Done" -command {destroy .snd; if {$use_sound} {set_ssh}}
-
- pack .snd.done .snd.cancel .snd.guess .snd.x11vnc .snd.sdkl .snd.sdsl .snd.sdr .snd.sdk .snd.lport .snd.rport \
- .snd.local .snd.remote -side bottom -fill x
- pack .snd.f -side bottom -fill both -expand 1
-
- center_win .snd
- focus .snd.remote.e
-}
-
-# Share ideas.
-#
-# Unix:
-#
-# if type smbclient
-# first parse smbclient -L localhost -N
-# and/or smbclient -L `hostname` -N
-# Get Sharenames and Servers and Domain.
-#
-# loop over servers, doing smbclient -L server -N
-# pile this into a huge list, sep by disk and printers.
-#
-# WinXP:
-#
-# parse "NET VIEW" output similarly.
-#
-# Have checkbox for each disk. Set default root to /var/tmp/${USER}-mnts
-# Let them change that at once and have it populate.
-#
-# use //hostname/share /var/tmp/runge-mnts/hostname/share
-#
-#
-# Printers, hmmm. Can't add to remote cups list... I guess have the list
-# ready for CUPS dialog to suggest which SMB servers they want to redirect
-# to...
-
-proc get_hostname {} {
- global is_windows is_win9x
- set str ""
- if {$is_windows} {
- if {1} {
- catch {set str [exec hostname]}
- regsub -all {[\r]} $str "" str
- } else {
- catch {set str [exec net config]}
- if [regexp -nocase {Computer name[ \t]+\\\\([^ \t]+)} $str mv str] {
- ;
- } else {
- set str ""
- }
- }
- } else {
- catch {set str [exec hostname]}
- }
- set str [string trim $str]
- return $str
-}
-
-proc smb_list_windows {smbhost} {
- global smb_local smb_local_hosts smb_this_host
- global is_win9x
- set dbg 0
-
- set domain ""
-
- if {$is_win9x} {
- # exec net view ... doesn't work.
- set smb_this_host "unknown"
- return
- }
-
- set this_host [get_hostname]
- set This_host [string toupper $this_host]
- set smb_this_host $This_host
-
- if {$smbhost == $smb_this_host} {
- catch {set out0 [exec net view]}
- regsub -all {[\r]} $out0 "" out0
- foreach line [split $out0 "\n"] {
- if [regexp -nocase {in workgroup ([^ \t]+)} $line mv wg] {
- regsub -all {[.]} $wg "" wg
- set domain $wg
- } elseif [regexp {^\\\\([^ \t]+)[ \t]*(.*)} $line mv host comment] {
- set smb_local($smbhost:server:$host) $comment
- }
- }
- }
-
- set out1 ""
- set h "\\\\$smbhost"
- catch {set out1 [exec net view $h]}
- regsub -all {[\r]} $out1 "" out1
-
- if {$dbg} {puts "SMBHOST: $smbhost"}
-
- set mode ""
- foreach line [split $out1 "\n"] {
- if [regexp {^[ \t]*---} $line] {
- continue
- }
- if [regexp -nocase {The command} $line] {
- continue
- }
- if [regexp -nocase {Shared resources} $line] {
- continue
- }
- if [regexp -nocase {^[ \t]*Share[ \t]*name} $line] {
- set mode "shares"
- continue
- }
- set line [string trim $line]
- if {$line == ""} {
- continue
- }
- if {$mode == "shares"} {
- if [regexp {^([^ \t]+)[ \t]+([^ \t]+)[ \t]*(.*)$} $line mv name type comment] {
- if {$dbg} {
- puts "SHR: $name"
- puts "---: $type"
- puts "---: $comment"
- }
- if [regexp -nocase {^Disk$} $type] {
- set smb_local($smbhost:disk:$name) $comment
- } elseif [regexp -nocase {^Print} $type] {
- set smb_local($smbhost:printer:$name) $comment
- }
- }
- }
- }
-
- set smb_local($smbhost:domain) $domain
-}
-
-proc smb_list_unix {smbhost} {
- global smb_local smb_local_hosts smb_this_host
- set smbclient [in_path smbclient]
- if {[in_path smbclient] == ""} {
- return ""
- }
- set dbg 0
-
- set this_host [get_hostname]
- set This_host [string toupper $this_host]
- set smb_this_host $This_host
-
- set out1 ""
- catch {set out1 [exec smbclient -N -L $smbhost 2>@ stdout]}
-
- if {$dbg} {puts "SMBHOST: $smbhost"}
- if {$smbhost == $this_host || $smbhost == $This_host} {
- if {$out1 == ""} {
- catch {set out1 [exec smbclient -N -L localhost 2>@ stdout]}
- }
- }
-
- set domain ""
- set mode ""
- foreach line [split $out1 "\n"] {
- if [regexp {^[ \t]*---} $line] {
- continue
- }
- if [regexp {Anonymous login} $line] {
- continue
- }
- if {$domain == "" && [regexp {Domain=\[([^\]]+)\]} $line mv domain]} {
- if {$dbg} {puts "DOM: $domain"}
- continue
- }
- if [regexp {^[ \t]*Sharename} $line] {
- set mode "shares"
- continue
- }
- if [regexp {^[ \t]*Server} $line] {
- set mode "server"
- continue
- }
- if [regexp {^[ \t]*Workgroup} $line] {
- set mode "workgroup"
- continue
- }
- set line [string trim $line]
- if {$mode == "shares"} {
- if [regexp {^([^ \t]+)[ \t]+([^ \t]+)[ \t]*(.*)$} $line mv name type comment] {
- if {$dbg} {
- puts "SHR: $name"
- puts "---: $type"
- puts "---: $comment"
- }
- if [regexp -nocase {^Disk$} $type] {
- set smb_local($smbhost:disk:$name) $comment
- } elseif [regexp -nocase {^Printer$} $type] {
- set smb_local($smbhost:printer:$name) $comment
- }
- }
- } elseif {$mode == "server"} {
- if [regexp {^([^ \t]+)[ \t]*(.*)$} $line mv host comment] {
- if {$dbg} {
- puts "SVR: $host"
- puts "---: $comment"
- }
- set smb_local($smbhost:server:$host) $comment
- }
- } elseif {$mode == "workgroup"} {
- if [regexp {^([^ \t]+)[ \t]+(.*)$} $line mv work host] {
- if {$dbg} {
- puts "WRK: $work"
- puts "---: $host"
- }
- if {$host != ""} {
- set smb_local($smbhost:master:$work) $host
- }
- }
- }
- }
-
- set smb_local($smbhost:domain) $domain
-}
-
-proc smb_list {} {
- global is_windows smb_local smb_local_hosts
- global smb_host_list
-
- set smb_local(null) ""
-
- if {! [info exists smb_host_list]} {
- set smb_host_list ""
- }
- if [info exists smb_local] {
- unset smb_local
- }
- if [info exists smb_local_hosts] {
- unset smb_local_hosts
- }
-
- set this_host [get_hostname]
- set this_host [string toupper $this_host]
- if {$is_windows} {
- smb_list_windows $this_host
- } else {
- smb_list_unix $this_host
- }
- set did($this_host) 1
- set keys [array names smb_local]
- foreach item [split $smb_host_list] {
- if {$item != ""} {
- set item [string toupper $item]
- lappend keys "$this_host:server:$item"
- }
- }
- foreach key $keys {
- if [regexp "^$this_host:server:(.*)\$" $key mv host] {
- if {$host == ""} {
- continue
- }
- set smb_local_hosts($host) 1
- if {! [info exists did($host)]} {
- if {$is_windows} {
- smb_list_windows $host
- } else {
- smb_list_unix $host
- }
- set did($host) 1
- }
- }
- }
-}
-
-proc smb_check_selected {} {
- global smbmount_exists smbmount_sumode
- global smb_selected smb_selected_mnt smb_selected_cb smb_selected_en
-
- set ok 0
- if {$smbmount_exists && $smbmount_sumode != "dontknow"} {
- set ok 1
- }
- set state disabled
- if {$ok} {
- set state normal
- }
-
- foreach cb [array names smb_selected_cb] {
- catch {$cb configure -state $state}
- }
- foreach en [array names smb_selected_en] {
- catch {$en configure -state $state}
- }
-}
-
-proc make_share_widgets {w} {
-
- set share_label $w.f.hl
- catch {$share_label configure -text "Share Name: PROBING ..."}
- update
-
- smb_list
-
- set saw_f 0
- foreach child [winfo children $w] {
- if {$child == "$w.f"} {
- set saw_f 1
- continue
- }
- catch {destroy $child}
- }
-
- set w1 47
- set w2 44
-
- if {! $saw_f} {
- set wf $w.f
- frame $wf
- label $wf.hl -width $w1 -text "Share Name:" -anchor w
- label $wf.hr -width $w2 -text " Mount Point:" -anchor w
-
- pack $wf.hl $wf.hr -side left -expand 1
- pack $wf -side top -fill x
-
- .smbwiz.f.t window create end -window $w
- }
-
- global smb_local smb_local_hosts smb_this_host smb_selected smb_selected_mnt
- global smb_selected_host smb_selected_name
- global smb_selected_cb smb_selected_en
- global smb_host_list
- if [info exists smb_selected] {array unset smb_selected }
- if [info exists smb_selected_mnt] {array unset smb_selected_mnt}
- if [info exists smb_selected_cb] {array unset smb_selected_cb}
- if [info exists smb_selected_en] {array unset smb_selected_en}
- if [info exists smb_selected_host] {array unset smb_selected_host}
- if [info exists smb_selected_name] {array unset smb_selected_name}
-
- set hosts [list $smb_this_host]
- lappend hosts [lsort [array names smb_local_hosts]]
-
- set smb_host_list ""
- set i 0
-
- global smb_mount_prefix
- set smb_mount_prefix "/var/tmp/%USER-mnts"
-
- foreach host [lsort [array names smb_local_hosts]] {
-
- if [info exists did($host)] {
- continue
- }
- set did($host) 1
-
- append smb_host_list "$host "
-
- foreach key [lsort [array names smb_local]] {
- if [regexp {^([^:]+):([^:]+):(.*)$} $key mv host2 type name] {
- if {$host2 != $host} {
- continue
- }
- if {$type != "disk"} {
- continue
- }
- set wf $w.f$i
- frame $wf
- checkbutton $wf.c -anchor w -width $w1 -variable smb_selected($i) \
- -text "//$host/$name" -relief ridge
- if {! [info exists smb_selected($i)]} {
- set smb_selected($i) 0
- }
-
- entry $wf.e -width $w2 -textvariable smb_selected_mnt($i)
- set smb_selected_mnt($i) "$smb_mount_prefix/$host/$name"
-
- set smb_selected_host($i) $host
- set smb_selected_name($i) $name
-
- set smb_selected_cb($wf.c) $i
- set smb_selected_en($wf.e) $i
- set comment $smb_local($key)
-
- bind $wf.c <Enter> "$share_label configure -text {Share Name: $comment}"
- bind $wf.c <Leave> "$share_label configure -text {Share Name:}"
-
- $wf.c configure -state disabled
- $wf.e configure -state disabled
-
- pack $wf.c $wf.e -side left -expand 1
- pack $wf -side top -fill x
- incr i
- }
- }
- }
- if {$i == 0} {
- global is_win9x
- $share_label configure -text {Share Name: No SMB Share Hosts were found!}
- if {$is_win9x} {
- .smbwiz.f.t insert end "\n(this feature does not work on Win9x you have have to enter them manually: //HOST/share /var/tmp/mymnt)\n"
- }
- } else {
- $share_label configure -text "Share Name: Found $i SMB Shares"
- }
- smb_check_selected
-}
-
-proc smb_help_me_decide {} {
- global is_windows
- global smb_local smb_local_hosts smb_this_host smb_selected smb_selected_mnt
- global smb_selected_host smb_selected_name
- global smb_selected_cb smb_selected_en
- global smb_host_list
-
- toplev .smbwiz
- set title "SMB Filesystem Tunnelling -- Help Me Decide"
- wm title .smbwiz $title
- set id " "
-
- set h 40
- if [small_height] {
- set h 30
- }
- scroll_text .smbwiz.f 100 $h
-
- set msg {
-For now you will have to verify the following information manually.
-
-You can do this by either logging into the remote machine to find the info or asking the sysadmin for it.
-
-}
-
- if {! $is_windows} {
- .smbwiz.f.t configure -font {Helvetica -12 bold}
- }
- .smbwiz.f.t insert end $msg
-
- set w .smbwiz.f.t.f1
- frame $w -bd 1 -relief ridge -cursor {top_left_arrow}
-
- .smbwiz.f.t insert end "\n"
-
- .smbwiz.f.t insert end "1) Indicate the existence of the 'smbmount' command on the remote system:\n"
- .smbwiz.f.t insert end "\n$id"
- global smbmount_exists
- set smbmount_exists 0
-
- checkbutton $w.smbmount_exists -pady 1 -anchor w -variable smbmount_exists \
- -text "Yes, the 'smbmount' command exists on the remote system." \
- -command smb_check_selected
-
- pack $w.smbmount_exists
- .smbwiz.f.t window create end -window $w
-
- .smbwiz.f.t insert end "\n\n\n"
-
- set w .smbwiz.f.t.f2
- frame $w -bd 1 -relief ridge -cursor {top_left_arrow}
-
- .smbwiz.f.t insert end "2) Indicate your authorization to run 'smbmount' on the remote system:\n"
- .smbwiz.f.t insert end "\n$id"
- global smbmount_sumode
- set smbmount_sumode "dontknow"
-
- radiobutton $w.dk -pady 1 -anchor w -variable smbmount_sumode -value dontknow \
- -text "I do not know if I can mount SMB shares on the remote system via 'smbmount'" \
- -command smb_check_selected
- pack $w.dk -side top -fill x
-
- radiobutton $w.su -pady 1 -anchor w -variable smbmount_sumode -value su \
- -text "I know the Password to run commands as root on the remote system via 'su'" \
- -command smb_check_selected
- pack $w.su -side top -fill x
-
- radiobutton $w.sudo -pady 1 -anchor w -variable smbmount_sumode -value sudo \
- -text "I know the Password to run commands as root on the remote system via 'sudo'" \
- -command smb_check_selected
- pack $w.sudo -side top -fill x
-
- radiobutton $w.ru -pady 1 -anchor w -variable smbmount_sumode -value none \
- -text "I do not need to be root on the remote system to mount SMB shares via 'smbmount'" \
- -command smb_check_selected
- pack $w.ru -side top -fill x
-
- .smbwiz.f.t window create end -window $w
-
- global smb_wiz_done
- set smb_wiz_done 0
-
- button .smbwiz.cancel -text "Cancel" -command {set smb_wiz_done 1}
- button .smbwiz.done -text "Done" -command {set smb_wiz_done 1}
- pack .smbwiz.done -side bottom -fill x
- pack .smbwiz.f -side top -fill both -expand 1
-
- wm protocol .smbwiz WM_DELETE_WINDOW {set smb_wiz_done 1}
- center_win .smbwiz
-
- wm title .smbwiz "Searching for Local SMB shares..."
- update
- wm title .smbwiz $title
-
- global smb_local smb_this_host
- .smbwiz.f.t insert end "\n\n\n"
-
- set w .smbwiz.f.t.f3
- catch {destroy $w}
- frame $w -bd 1 -relief ridge -cursor {top_left_arrow}
-
- .smbwiz.f.t insert end "3) Select SMB shares to mount and their mount point on the remote system:\n"
- .smbwiz.f.t insert end "\n${id}"
-
- make_share_widgets $w
-
- .smbwiz.f.t insert end "\n(%USER will be expanded to the username on the remote system and %HOME the home directory)\n"
-
- .smbwiz.f.t insert end "\n\n\n"
-
- .smbwiz.f.t insert end "You can change the list of Local SMB hosts to probe and the mount point prefix here:\n"
- .smbwiz.f.t insert end "\n$id"
- set w .smbwiz.f.t.f4
- frame $w -bd 1 -relief ridge -cursor {top_left_arrow}
- set wf .smbwiz.f.t.f4.f
- frame $wf
- label $wf.l -text "SMB Hosts: " -anchor w
- entry $wf.e -textvariable smb_host_list -width 60
- button $wf.b -text "Apply" -command {make_share_widgets .smbwiz.f.t.f3}
- bind $wf.e <Return> "$wf.b invoke"
- pack $wf.l $wf.e $wf.b -side left
- pack $wf
- pack $w
-
- .smbwiz.f.t window create end -window $w
-
- .smbwiz.f.t insert end "\n$id"
-
- set w .smbwiz.f.t.f5
- frame $w -bd 1 -relief ridge -cursor {top_left_arrow}
- set wf .smbwiz.f.t.f5.f
- frame $wf
- label $wf.l -text "Mount Prefix:" -anchor w
- entry $wf.e -textvariable smb_mount_prefix -width 60
- button $wf.b -text "Apply" -command {apply_mount_point_prefix .smbwiz.f.t.f5.f.e}
- bind $wf.e <Return> "$wf.b invoke"
- pack $wf.l $wf.e $wf.b -side left
- pack $wf
- pack $w
-
- .smbwiz.f.t window create end -window $w
-
- .smbwiz.f.t insert end "\n\n\n"
-
- .smbwiz.f.t see 1.0
- .smbwiz.f.t configure -state disabled
- update
-
- vwait smb_wiz_done
- catch {destroy .smbwiz}
-
- if {! $smbmount_exists || $smbmount_sumode == "dontknow"} {
- tk_messageBox -type ok -parent .oa -icon warning -message "Sorry we couldn't help out!\n'smbmount' info on the remote system is required for SMB mounting" -title "SMB mounting -- aborting"
- global use_smbmnt
- set use_smbmnt 0
- catch {raise .oa}
- return
- }
- global smb_su_mode
- set smb_su_mode $smbmount_sumode
-
- set max 0
- foreach en [array names smb_selected_en] {
- set i $smb_selected_en($en)
- set host $smb_selected_host($i)
- set name $smb_selected_name($i)
-
- set len [string length "//$host/$name"]
- if {$len > $max} {
- set max $len
- }
- }
-
- set max [expr $max + 8]
-
- set strs ""
- foreach en [array names smb_selected_en] {
- set i $smb_selected_en($en)
- if {! $smb_selected($i)} {
- continue
- }
- set host $smb_selected_host($i)
- set name $smb_selected_name($i)
- set mnt $smb_selected_mnt($i)
-
- set share "//$host/$name"
- set share [format "%-${max}s" $share]
-
- lappend strs "$share $mnt"
- }
- set text ""
- foreach str [lsort $strs] {
- append text "$str\n"
- }
-
- global smb_mount_list
- set smb_mount_list $text
-
- smb_dialog
-}
-
-proc apply_mount_point_prefix {w} {
- global smb_selected_host smb_selected_name
- global smb_selected_en smb_selected_mnt
-
- set prefix ""
- catch {set prefix [$w get]}
- if {$prefix == ""} {
- mesg "No mount prefix."
- bell
- return
- }
-
- foreach en [array names smb_selected_en] {
- set i $smb_selected_en($en)
- set host $smb_selected_host($i)
- set name $smb_selected_name($i)
- set smb_selected_mnt($i) "$prefix/$host/$name"
- }
-}
-
-proc smb_dialog {} {
- toplev .smb
- wm title .smb "SMB Filesystem Tunnelling"
- global smb_su_mode smb_mount_list
- global use_smbmnt
-
- global help_font
-
- global uname
- set h 33
- if [small_height] {
- set h 17
- } elseif {$uname == "Darwin"} {
- set h 24
- }
- scroll_text .smb.f 80 $h
-
- set msg {
- Windows/Samba Filesystem mounting requires SSH be used to set up the SMB
- service port redirection. This will be either of the "Use SSH" or
- "SSH+SSL" modes. NOTE: For pure SSL tunnelling it currently will not work.
-
- This method requires a working Samba software setup on the remote
- side of the connection (VNC server) and existing Samba or Windows file
- server(s) on the local side (VNC viewer).
-
- The smbmount(8) program MUST be installed on the remote side. This
- evidently limits the mounting to Linux systems. Let us know of similar
- utilities on other Unixes. Mounting onto remote Windows machines is
- currently not supported (our SSH mode with services setup only works
- to Unix). On Debian and Ubuntu the smbmount program is currently in
- the package named 'smbfs'.
-
- Depending on how smbmount is configured you may be able to run it
- as a regular user, or it may require running under su(1) or sudo(8)
- (root password or user password required, respectively). You select
- which one you want via the checkbuttons below.
-
- In addition to a possible su(1) or sudo(8) password, you may ALSO
- need to supply passwords to mount each SMB share. This is an SMB passwd.
- If it has no password just hit enter after the "Password:" prompt.
-
- The passwords are supplied when the 1st SSH connection starts up;
- be prepared to respond to them.
-
- NOTE: USE OF SMB TUNNELLING MODE WILL REQUIRE TWO SSH'S, AND SO YOU
- MAY NEED TO SUPPLY TWO LOGIN PASSWORDS UNLESS YOU ARE USING SOMETHING
- LIKE ssh-agent(1) or the Putty PW setting.
- %WIN
-
- To indicate the Windows/Samba shares to mount enter them one per line
- in one of the forms:
-
- //machine1/share ~/Desktop/my-mount1
- //machine2/fubar /var/tmp/my-foobar2 192.168.100.53:3456
- 1139 //machine3/baz /var/tmp/baz [...]
-
- The first part is the standard SMB host and share name //hostname/dir
- (note this share is on the local viewer-side not on the remote end).
- A leading '#' will cause the entire line to be skipped.
-
- The second part, e.g. /var/tmp/my-foobar2, is the directory to mount
- the share on the remote (VNC Server) side. You must be able to
- write to this directory. It will be created if it does not exist.
- A leading character ~ will be expanded to $HOME. So will the string
- %HOME. The string %USER will get expanded to the remote username.
-
- An optional part like 192.168.100.53:3456 is used to specify the real
- hostname or IP address, and possible non-standard port, on the local
- side if for some reason the //hostname is not sufficient.
-
- An optional leading numerical value, 1139 in the above example, indicates
- which port to use on the Remote side to SSH redirect to the local side.
- Otherwise a random one is tried (a unique one is needed for each SMB
- server:port combination). A fixed one is preferred: choose a free
- remote port.
-
- The standard SMB service ports (local side) are 445 and 139. 139 is
- used by this application.
-
- Sometimes "localhost" will not work on Windows machines for a share
- hostname, and you will have to specify a different network interface
- (e.g. the machine's IP address). If you use the literal string "IP"
- it will be attempted to replace it with the numerical IP address, e.g.:
-
- //machine1/share ~/Desktop/my-mount1 IP
-
- VERY IMPORTANT: Before terminating the VNC Connection, make sure no
- applications are using any of the SMB shares (or shells are cd-ed
- into the share). This way the shares will be automatically unmounted.
- Otherwise you will need to log in again, stop processes from using
- the share, become root and umount the shares manually ("smbumount
- /path/to/share", etc.)
-
- For more info see: http://www.karlrunge.com/x11vnc/faq.html#faq-smb-shares
-}
-
- set msg2 {
- To speed up moving to the next step, iconify the first SSH console
- when you are done entering passwords, etc. and then click on the
- main panel 'VNC Host:Display' label.
-}
-
- global is_windows
- if {! $is_windows} {
- regsub { *%WIN} $msg "" msg
- } else {
- set msg2 [string trim $msg2]
- regsub { *%WIN} $msg " $msg2" msg
- }
- .smb.f.t insert end $msg
-
- frame .smb.r
- label .smb.r.l -text "smbmount(8) auth mode:" -relief ridge
- radiobutton .smb.r.none -text "None" -variable smb_su_mode -value "none"
- radiobutton .smb.r.su -text "su(1)" -variable smb_su_mode -value "su"
- radiobutton .smb.r.sudo -text "sudo(8)" -variable smb_su_mode -value "sudo"
-
- pack .smb.r.l .smb.r.none .smb.r.sudo .smb.r.su -side left -fill x
-
- label .smb.info -text "Supply the mounts (one per line) below:" -anchor w -relief ridge
-
- eval text .smb.mnts -width 80 -height 5 $help_font
- .smb.mnts insert end $smb_mount_list
-
- button .smb.guess -text "Help me decide ..." -command {destroy .smb; smb_help_me_decide}
-
- button .smb.cancel -text "Cancel" -command {set use_smbmnt 0; destroy .smb}
- bind .smb <Escape> {set use_smbmnt 0; destroy .smb}
- wm protocol .smb WM_DELETE_WINDOW {set use_smbmnt 0; destroy .smb}
- button .smb.done -text "Done" -command {if {$use_smbmnt} {set_ssh; set smb_mount_list [.smb.mnts get 1.0 end]}; destroy .smb}
-
- pack .smb.done .smb.cancel .smb.guess .smb.mnts .smb.info .smb.r -side bottom -fill x
- pack .smb.f -side top -fill both -expand 1
-
- center_win .smb
-}
-
-proc help_advanced_opts {} {
- toplev .ah
-
- scroll_text_dismiss .ah.f
-
- center_win .ah
-
- wm title .ah "Advanced Options Help"
-
- set msg {
- These Advanced Options that may require extra software installed on
- the VNC server-side (the remote server machine) and/or on the VNC
- client-side (where this gui is running).
-
- The Service redirection options, CUPS, ESD/ARTSD, and SMB will
- require that you use SSH for tunneling so that they can use the -R
- port redirection will be enabled for each service. I.e. "Use SSH"
- or "SSH + SSL" mode.
-
- These options may also require additional configuration to get them
- to work properly. Please submit bug reports if it appears it should
- be working for your setup but is not.
-
- Brief (and some not so brief) descriptions:
-
- CUPS Print tunnelling:
-
- Redirect localhost:6631 (say) on the VNC server to your local
- CUPS server. SSH mode is required.
-
- ESD/ARTSD Audio tunnelling:
-
- Redirect localhost:16001 (say) on the VNC server to your local
- ESD, etc. sound server. SSH mode is required.
-
- SMB mount tunnelling:
-
- Redirect localhost:1139 (say) on the VNC server and through that
- mount SMB file shares from your local server. The remote machine
- must be Linux with smbmount installed. SSH mode is required.
-
- Additional Port Redirs (via SSH):
-
- Specify additional -L port:host:port and -R port:host:port
- cmdline options for SSH to enable additional services.
- SSH mode is required.
-
- Automatically Find X Login/Greeter:
-
- This mode is similar to "Automatically Find X Session" except
- that it will attach to a X Login/Greeter screen that no one
- has logged into yet. It requires root privileges via sudo(1)
- on the remote machine. SSH mode is required.
-
- As with "Automatically Find X Session" it works only with SSH
- mode and requires x11vnc be installed on the remote computer.
-
- It simply sets the Remote SSH Command to:
-
- PORT= sudo x11vnc -find -localhost -env FD_XDM=1
-
- An initial ssh running 'sudo id' is performed to try to
- 'prime' sudo so the 2nd one that runs x11vnc does not need
- a password. This may not always succeed... please mail us
- the details if it doesn't.
-
- See the 'X Login' description in 'Terminal Services' Mode
- Help for more info.
-
- Private SSH KnownHosts file:
-
- On Unix in SSH mode, let the user specify a non-default
- ssh known_hosts file to be used only by the current profile.
- This is the UserKnownHostsFile ssh option and is described in the
- ssh_config(1) man page. This is useful to avoid proxy 'localhost'
- SSH key collisions.
-
- Normally one should simply let ssh use its default file
- ~/.ssh/known_hosts for tracking SSH keys. The only problem that
- happens is when multiple SSVNC connections use localhost tunnel
- port redirections. These make ssh connect to 'localhost' on some
- port (where the proxy is listening.) Then the different keys
- from the multiple ssh servers collide when ssh saves them under
- 'localhost' in ~/.ssh/known_hosts.
-
- So if you are using a proxy with SSVNC or doing a "double SSH
- gateway" your ssh will connect to a proxy port on localhost, and you
- should set a private KnownHosts file for that connection profile.
- This is secure and avoids man-in-the-middle attack (as long as
- you actually verify the initial save of the SSH key!)
-
- The default file location will be:
-
- ~/.vnc/ssh_known_hosts/profile-name.known
-
- but you can choose any place you like. It must of course be
- unique and not shared with another ssh connection otherwise they
- both may complain about the key for 'localhost' changing, etc.
-
- SSH Local Port Protections:
-
- An LD_PRELOAD hack to limit the number of SSH port redirections
- to 1 and within the first 35 seconds. So there is a smaller
- window when the user can try to use your tunnel compared to
- the duration of your session. SSH mode is required.
-
- STUNNEL Local Port Protections:
-
- Try to prevent Untrusted Local Users (see the main Help panel)
- from using your STUNNEL tunnel to connect to the remote VNC
- Server.
-
- Change VNC Viewer:
-
- Specify a non-bundled VNC Viewer (e.g. UltraVNC or RealVNC)
- to run instead of the bundled TightVNC Viewer.
-
- Port Knocking:
-
- For "closed port" services, first "knock" on the firewall ports
- in a certain way to open the door for SSH or SSL. The port
- can also be closed when the encrypted VNC connection finishes.
-
- UltraVNC DSM Encryption Plugin:
-
- On Unix only, by using the supplied tool, ultravnc_dsm_helper,
- encrypted connections to UltraVNC servers using their plugins
- is enabled. Support for secret key encryption to Non-UltraVNC
- DSM servers is also supported, e.g. x11vnc -enc blowfish:my.key
-
- Do not Probe for VeNCrypt:
-
- Disable VeNCrypt auto-detection probe when not needed.
-
- By default in SSL mode an initial probe for the use of the
- VeNCrypt or ANONTLS protocol is performed. This is done
- during the initial fetch-cert action. Once auto-detected in
- the initial probe, the real connection to the VNC Server will
- use this information to switch to SSL/TLS at the right point in
- the VeNCrypt/ANONTLS handshake.
-
- In "Verify All Certs" mode initial the fetch-cert action is
- required so the automatic probing for VeNCrypt is always done.
- The fetch-cert is not needed if you specified a ServerCert or if
- you disabled "Verify All Certs". But by default the fetch-cert
- is done anyway to try to auto-detect VeNCrypt/ANONTLS.
-
- Set 'Do not Probe for VeNCrypt' to skip this unneeded fetch-cert
- action (and hence speed up connecting.) Use this if you
- know the VNC Server uses normal SSL and not VeNCrypt/ANONTLS.
-
- See also the next option, 'Server uses VeNCrypt SSL encryption'
- to if you know it uses VeNCrypt/ANONTLS (the probing will also
- be skipped if that option is set.)
-
- Server uses VeNCrypt SSL encryption:
-
- Indicate that the VNC server uses the VeNCrypt extension to VNC;
- it switches to an SSL/TLS tunnel at a certain point in the
- VNC Handshake. This is in constrast to the default ssvnc/x11vnc
- SSL tunnel behavior where the *entire* VNC traffic goes through
- SSL (i.e. it is vncs:// in the way https:// uses SSL)
-
- Enable this option if you know the server supports VeNCrypt.
- Also use this option for the older ANONTLS extension (vino).
- Doing so will give the quickest and most reliable connection
- to VeNCrypt/ANONTLS servers. If set, any probing to try to
- auto-detect VeNCrypt/ANONTLS will be skipped.
-
- Some VNC servers supporting VeNCrypt: VeNCrypt, QEMU, ggi,
- virt-manager, and Xen. Vino supports ANONTLS.
-
- The SSVNC VeNCrypt/ANONTLS support even works with 3rd party
- VNC Viewers you specify via 'Change VNC Viewer' (e.g. RealVNC,
- TightVNC, UltraVNC etc.) that do not directly support it.
-
- Note: many VeNCrypt servers only support Anonymous Diffie Hellman
- TLS which has NO built in authentication and you will also need
- to set the option described in the next section.
-
- If you are using VeNCrypt or ANONTLS for REVERSE connections
- (Listen) then you *MUST* set this 'Server uses VeNCrypt SSL
- encryption' option. Note also that REVERSE connections using
- VeNCrypt/ANONTLS currently do not work on Windows.
-
- Also, if you are using the "Use SSH+SSL" double tunnel to a
- VeNCrypt/ANONTLS server, you MUST set 'Server uses VeNCrypt
- SSL encryption' because "Verify All Certs" is disabled in
- SSH+SSL mode.
-
- Server uses Anonymous Diffie-Hellman
-
- Anonymous Diffie-Hellman can be used for SSL/TLS connections but
- there are no Certificates for authentication. Therefore only
- passive eavesdropping attacks are prevented, not Man-In-The-Middle
- attacks. Not recommended; try to use verified X509 certs instead.
-
- Enable this option if you know the server only supports Anon DH.
- When you do so, remember that ALL Certificate checking will be
- skipped (even if you have 'Verify All Certs' selected or set
- a ServerCert.)
-
- SSVNC may be able to autodetect Anon DH even if you haven't
- selected 'Server uses Anonymous Diffie-Hellman'. Once detected, it
- will prompt you whether it should continue. Set the 'Server uses
- Anonymous Diffie-Hellman' option to avoid trying autodetection
- (i.e. forcing the issue.)
-
- Note that most Anonymous Diffie-Hellman VNC Servers do so
- via the VeNCrypt or ANONTLS VNC extensions (see the previous
- section.) For these servers if you select 'Server uses Anonymous
- Diffie-Hellman' you *MUST* ALSO select 'Server uses VeNCrypt SSL
- encryption', otherwise SSVNC may have no chance to auto-detect
- the VeNCrypt/ANONTLS protocol.
-
- Also note, if you are using the "Use SSH+SSL" double tunnel to
- a VeNCrypt/ANONTLS server using Anon DH you MUST set 'Server
- uses Anonymous Diffie-Hellman' because "Verify All Certs"
- is disabled in SSH+SSL mode.
-
- Include:
-
- Default settings and Include Templates:
-
- Before explaining how Include works, first note that if you
- do not prefer some of SSVNC's default settings you can start
- up SSVNC and then change the settings for the options that you
- want to have a different default value. Then type "defaults"
- in VNC Host:Display entry box and press "Save" to save them in
- the "defaults.vnc" profile. After this, SSVNC will initialize
- all of the default values and then apply your override values
- in "defaults".
-
- For example, suppose you always want to use a different, 3rd
- party VNC Viewer. Set Options -> Advanced -> Change VNC Viewer
- to what you want, and then save it as the "defaults" profile.
- Now that default setting will apply to all profiles, and SSVNC
- in its startup state.
-
- To edit the defaults Load it, make changes, and then Save it.
- Delete the "defaults" profile to go back to no modifications.
- Note that defaults created and saved while defaults.vnc existed
- will NOT be automatically adjusted.
-
- Include Templates:
-
- Now suppose you have a certain class of settings that you do
- not want to always be applied, but you want them to apply to a
- group of profiles.
-
- For example, suppose you have some settings for very low
- bandwidth connections (e.g. low color modes and/or aggressive
- compression and quality settings.) Set these values in SSVNC
- and then in the VNC Host:Display entry box type in, say,
- "slowlink" and then press Save. This will save those settings
- in the template profile named "slowlink.vnc".
-
- Now to create a real profile that uses this template type the
- host:disp in "VNC Host:Display" and in Options -> Advanced
- -> Includes type in "slowlink". Then press Save to save the
- host profile. Then re-Load it. The "slowlink" settings will
- be applied after the defaults. Make any other changes to the
- setting for this profile and Save it again. Next time you load
- it in, the Include template settings will override the defaults
- and then the profile itself is read in.
-
- You may supply a comma or space separated list of templates
- to include. They are applied in the order listed. They can be
- full path names or basenames relative to the profiles directory.
- You do not need to supply the .vnc suffix. The non-default
- settings in them will be applied first, and then any values in
- the loaded Profile will override them.
-
- Sleep:
-
- Enter a number to indicate how many extra seconds to sleep
- while waiting for the VNC viewer to start up. On Windows this
- can give extra time to enter the Putty/Plink password, etc.
-
- Putty Args:
-
- Windows only, supply a string to be added to all plink.exe
- and putty.exe commands. Example: -i C:\mykey.ppk
-
- Launch Putty Pagent:
-
- Windows only, launch the Putty key agent tool (pageant) to hold
- your SSH private keys for automatic logging in by putty/plink.
-
- Launch Putty Key-Gen:
-
- Windows only, launch the Putty key generation tool (puttygen)
- to create new SSH private keys.
-
- Unix ssvncviewer:
-
- Display a popup menu with options that apply to the special
- Unix SSVNC VNC Viewer (perhaps called 'ssvncviewer') provided by
- this SSVNC package. This only applies to Unix or Mac OS X.
-
- Use ssh-agent:
-
- On Unix only: restart the GUI in the presence of ssh-agent(1)
- (e.g. in case you forgot to start your agent before starting
- this GUI). An xterm will be used to enter passphrases, etc.
- This can avoid repeatedly entering passphrases for the SSH logins
- (note this requires setting up and distributing SSH keys).
-
-
- About the CheckButtons:
-
- Ahem, Well...., yes quite a klunky UI: you have to toggle the
- CheckButton to pull up the Dialog box a 2nd, etc. time... don't
- worry your settings will still be there!
-}
-
- .ah.f.t insert end $msg
- jiggle_text .ah.f.t
-}
-
-proc help_ssvncviewer_opts {} {
- toplev .av
-
- scroll_text_dismiss .av.f
-
- center_win .av
-
- wm title .av "Unix SSVNC viewer Options Help"
-
- set msg {
- These Unix SSVNC VNC Viewer Options apply only on Unix or Mac OS X
- when using the viewer (ssvncviewer) supplied by this SSVNC package.
-
- Brief descriptions:
-
- Multiple LISTEN Connections:
-
- Allow multiple VNC servers to reverse connect at the same time
- and so display each of their desktops on your screen at the
- same time.
-
- Listen Once:
-
- Try to have the VNC Viewer exit after the first listening
- connection. (It may not always be detected; use Ctrl-C to exit)
-
- Listen Accept Popup Dialog:
-
- In -listen (reverse connection listening) mode when a reverse
- VNC connection comes in show a popup asking whether to Accept
- or Reject the connection. (-acceptpopup vncviewer option.)
-
- Accept Popup UltraVNC Single Click:
-
- As in 'Listen Accept Popup Dialog', except assume the remote
- VNC server is UltraVNC Single Click and force the execution of
- the protocol to retrieve the extra remote-side info (Windows
- User, ComputerName, etc) which is then also displayed in the
- Popup window. (-acceptpopupsc vncviewer option.)
-
- Use X11 Cursor:
-
- When drawing the mouse cursor shape locally, use an X11 cursor
- instead of drawing it directly into the framebuffer. This
- can sometimes give better response, and avoid problems under
- 'Scaling'.
-
- Disable Bell:
-
- Disable beeps coming from remote side.
-
- Use Raw Local:
-
- Use the VNC Raw encoding for 'localhost' connections (instead
- of assuming there is a local tunnel, SSL or SSH, going to the
- remote machine.
-
- Avoid Using Terminal:
-
- By default the Unix ssvncviewer will prompt for usernames,
- passwords, etc. in the terminal it is running inside of.
- Set this option to use windows for messages and prompting as
- much as possible. Messages will also go to the terminal, but
- all prompts will be done via popup window.
-
- Note that stunnel(1) may prompt for a passphrase to unlock a
- private SSL key. This is fairly rare because it is usually
- for Client-side SSL authentication. stunnel will prompt from
- the terminal; there seems to be no way around this.
-
- Also, note that ssh(1) may prompt for an ssh key passphrase
- or Unix password. This can be avoided in a number of ways,
- the simplest one is to use ssh-agent(1) and ssh-add(1).
- However ssh(1) may also prompt you to accept a new public key
- for a host or warn you if the key has changed, etc.
-
- Use Popup Fix:
-
- Enable a fix that warps the popup (F8) to the mouse pointer.
-
- Use XGrabServer (for fullscreen):
-
- On Unix only, use the XGrabServer workaround for older window
- managers. Sometimes also needed on recent (2008) GNOME. This
- workaround can make going into/out-of Fullscreen work better.
-
- Cursor Alphablending:
-
- Use the x11vnc alpha hack for translucent cursors (requires Unix,
- 32bpp and same endianness)
-
- TurboVNC:
-
- If available on your platform, use a ssvncviewer compiled with
- TurboVNC support. This is based on the VirtualGL project:
- http://www.sourceforge.net/projects/virtualgl You will need
- to install the VirtualGL's TurboJPEG library too.
-
- Currently (May/2009) only Linux.i686, Linux.x86_64, and
- Darwin.i386 have vncviewer.turbovnc binaries shipped in the
- ssvnc bundles. See the build instructions for how you might
- compile your own.
-
- Disable Pipelined Updates:
-
- Disable the TurboVNC-like pipelined updates mode. Pipelined
- updates is the default even when not TurboVNC enabled. They
- ask for the next screen update before the current one has
- finished downloading, and so this might reduce the slowdown
- due to high latency or low bandwidth by 2X or so. Disable
- them if they cause problems with the remote VNC Server or
- use too much bandwidth.
-
- Send CLIPBOARD not PRIMARY:
-
- When sending locally selected text to the VNC server side,
- send the CLIPBOARD selection instead of the PRIMARY selection.
-
- Send Selection Every time:
-
- Send selected text to the VNC server side every time the mouse
- focus enters the main VNC Viewer window instead only when it
- appears to have changed since the last send.
-
- Scaling:
-
- Use viewer-side (i.e. local) scaling of the VNC screen. Supply
- a fraction, e.g. 0.75 or 3/4, or a WxH geometry, e.g. 1280x1024,
- or the string 'fit' to fill the current screen. Use 'auto'
- to scale the desktop to match the viewer window size.
-
- If you observe mouse trail painting errors try using X11 Cursor.
-
- Note that since the local scaling is done in software it can
- be slow. Since ZRLE is better than Tight in this regard, when
- scaling is detected, the encoding will be switched to ZRLE.
- Use the Popup to go back to Tight if you want to, or set the
- env. var. SSVNC_PRESERVE_ENCODING=1 to disable the switch.
-
- For additional speedups under local scaling: try having a solid
- desktop background on the remote side (either manually or using
- 'x11vnc -solid ...'); and also consider using client side caching
- 'x11vnc -ncache 10 ...' if the remote server is x11vnc.
-
- Escape Keys:
-
- Enable 'Escape Keys', a set of modifier keys that, if all are
- pressed down, enable local Hot Key actions. Set to 'default'
- to use the default (Alt_L,Super_L on unix, Control_L,Meta_L
- on macosx) or set to a list of modifier keys.
-
- Y Crop:
-
- This is for x11vnc's -ncache client side caching scheme with our
- Unix TightVNC viewer. Sets the Y value to "crop" the viewer
- size at (below the cut is the pixel cache region you do not
- want to see). If the screen is tall (H > 2*W) ycropping will
- be autodetected, or you can set to -1 to force autodection.
- Otherwise, set it to the desired Y value. You can also set
- the scrollbar width (very thin by default) by appending ",sb=N"
- (or use ",sb=N" by itself to just set the scrollbar width).
-
- ScrollBar Width:
-
- This is for x11vnc's -ncache client side caching scheme with our
- Unix TightVNC viewer. For Y-Crop mode, set the size of the
- scrollbars (often one want it to be very narrow, e.g. 2 pixels
- to be less distracting.
-
- RFB Version:
-
- Set the numerical version of RFB (VNC) protocol to pretend to
- be, 3.x. Usually only needed with UltraVNC servers.
-
- Encodings:
-
- List encodings in preferred order, for example
- 'copyrect zrle tight' The list of encodings is:
- copyrect tight zrle zywrle hextile zlib corre rre raw
-
- Extra Options:
-
- String of extra Unix ssvncviewer command line options. I.e. for
- ones like -16bpp that cannot be set inside this SSVNC GUI. For a
- list click Help then 'SSVNC vncviewer -help Output'.
-
-
- These are environment variables one may set to affect the options
- of the SSVNC vncviewer and also the ss_vncviewer wrapper script
- (and hence may apply to 3rd party vncviewers too)
-
- VNCVIEWER_ALPHABLEND (-alpha, see Cursor Alphablending above)
- VNCVIEWER_POPUP_FIX (-popupfix, warp popup to mouse location)
- VNCVIEWER_GRAB_SERVER (-graball, see Use XGrabServer above)
- VNCVIEWER_YCROP (-ycrop, see Y Crop above)
- VNCVIEWER_SBWIDTH (-sbwidth, see ScrollBar Width above)
- VNCVIEWER_RFBVERSION (-rfbversion, e.g. 3.6)
- VNCVIEWER_ENCODINGS (-encodings, e.g. "copyrect zrle hextile")
- VNCVIEWER_NOBELL (-nobell)
- VNCVIEWER_X11CURSOR (-x11cursor, see Use X11 Cursor above)
- VNCVIEWER_RAWLOCAL (-rawlocal, see Use Raw Local above)
- VNCVIEWER_NOTTY (-notty, see Avoid Using Terminal above)
- VNCVIEWER_ESCAPE (-escape, see Escape Keys above)
- VNCVIEWER_ULTRADSM (-ultradsm)
- VNCVIEWER_PIPELINE_UPDATES (-pipeline, see above)
- VNCVIEWER_SEND_CLIPBOARD (-sendclipboard)
- VNCVIEWER_SEND_ALWAYS (-sendalways)
- VNCVIEWER_RECV_TEXT (-recvtext clipboard/primary/both)
- VNCVIEWER_NO_CUTBUFFER (do not send CUTBUFFER0 as fallback)
- VNCVIEWER_NO_PIPELINE_UPDATES (-nopipeline)
- VNCVIEWER_ALWAYS_RECENTER (set to avoid(?) recentering on resize)
- VNCVIEWER_IS_REALVNC4 (indicate vncviewer is realvnc4 flavor.)
- VNCVIEWER_NO_IPV4 (-noipv4)
- VNCVIEWER_NO_IPV6 (-noipv6)
- VNCVIEWER_FORCE_UP (force raise on fullscreen graball)
- VNCVIEWER_PASSWORD (danger: set vnc passwd via env. var.)
- VNCVIEWER_MIN_TITLE (minimum window title (appshare))
-
- VNCVIEWERCMD (unix viewer command, default vncviewer)
- VNCVIEWERCMD_OVERRIDE (force override of VNCVIEWERCMD)
- VNCVIEWERCMD_EXTRA_OPTS (extra options to pass to VNCVIEWERCMD)
- VNCVIEWER_LISTEN_LOCALHOST (force ssvncviewer to -listen on localhost)
- VNCVIEWER_NO_SEC_TYPE_TIGHT(force ssvncviewer to skip rfbSecTypeTight)
- HEXTILE_YCROP_TOO (testing: nosync_ycrop for hextile updates.)
-
- SS_DEBUG (very verbose debug printout by script.)
- SS_VNCVIEWER_LISTEN_PORT (force listen port.)
- SS_VNCVIEWER_NO_F (no -f for SSH.)
- SS_VNCVIEWER_NO_T (no -t for SSH.)
- SS_VNCVIEWER_USE_C (force -C compression for SSH.)
- SS_VNCVIEWER_SSH_CMD (override SSH command to run.)
- SS_VNCVIEWER_NO_MAXCONN (no maxconn for stunnel (obsolete))
- SS_VNCVIEWER_RM (file containing vnc passwd to remove.)
- SS_VNCVIEWER_SSH_ONLY (run the SSH command, then exit.)
-
- SSVNC_MULTIPLE_LISTEN (-multilisten, see Multiple LISTEN above)
- SSVNC_ACCEPT_POPUP (-acceptpopup, see Accept Popup Dialog)
- SSVNC_ACCEPT_POPUP_SC (-acceptpopupsc, see Accept Popup Dialog)
- SSVNC_TURBOVNC (see TurboVNC above)
- SSVNC_UNIXPW (-unixpw)
- SSVNC_UNIXPW_NOESC (do not send escape in -unixpw mode)
- SSVNC_SCALE (-scale, see Scaling above)
- SSVNC_NOSOLID (do not do solid region speedup in
- scaling mode.)
- SSVNC_PRESERVE_ENCODING (do not switch to ZRLE when scaling)
- SSVNC_FINISH_SLEEP (on unix/macosx sleep this many seconds
- before exiting the terminal, default 5)
-
- Misc (special usage or debugging or ss_vncviewer settings):
-
- SSVNC_MESG_DELAY (sleep this many millisec between messages)
- SSVNC_NO_ENC_WARN (do not print out a NO ENCRYPTION warning)
- SSVNC_EXTRA_SLEEP (same as Sleep: window)
- SSVNC_NO_ULTRA_DSM (disable ultravnc dsm encryption)
- SSVNC_ULTRA_DSM (the ultravnc_dsm_helper command)
- SSVNC_ULTRA_FTP_JAR (file location of ultraftp.jar jar file)
- SSVNC_KNOWN_HOSTS_FILE (file for per-connection ssh known hosts)
- SSVNC_SCALE_STATS (print scaling stats)
- SSVNC_NOSOLID (disable solid special case while scaling)
- SSVNC_DEBUG_RELEASE (debug printout for keyboard modifiers.)
- SSVNC_DEBUG_ESCAPE_KEYS (debug printout for escape keys)
- SSVNC_NO_MAYBE_SYNC (skip XSync() calls in certain painting)
- SSVNC_MAX_LISTEN (number of time to listen for reverse conn.)
- SSVNC_LISTEN_ONCE (listen for reverse conn. only once)
- STUNNEL_LISTEN (stunnel interface for reverse conn.
- SSVNC_NO_MESSAGE_POPUP (do not place info messages in popup.)
- SSVNC_SET_SECURITY_TYPE (force VeNCrypt security type)
- SSVNC_PREDIGESTED_HANDSHAKE (string used for VeNCrypt, etc. connect)
- SSVNC_SKIP_RFB_PROTOCOL_VERSION (force viewer to be RFB 3.8)
- SSVNC_DEBUG_SEC_TYPES (debug security types for VeNCrypt)
- SSVNC_DEBUG_MSLOGON (extra printout for ultravnc mslogon proto)
- SSVNC_DEBUG_RECTS (printout debug for RFB rectangles.)
- SSVNC_DEBUG_CHAT (printout debug info for chat mode.)
- SSVNC_DELAY_SYNC (faster local drawing delaying XSync)
- SSVNC_DEBUG_SELECTION (printout debug for selection/clipboard)
- SSVNC_REPEATER (URL-ish sslrepeater:// thing for UltraVNC)
- SSVNC_VENCRYPT_DEBUG (debug printout for VeNCrypt mode.)
- SSVNC_VENCRYPT_USERPASS (force VeNCrypt user:pass)
- SSVNC_STUNNEL_DEBUG (increase stunnel debugging printout)
- SSVNC_STUNNEL_VERIFY3 (increase stunnel verify from 2 to 3)
- SSVNC_LIM_ACCEPT_PRELOAD (preload library to limit accept(2))
- SSVNC_SOCKS5 (socks5 for x11vnc PORT= mode, default)
- SSVNC_SOCKS4 (socks4 for x11vnc PORT= mode)
- SSVNC_NO_IPV6_PROXY (do not setup a ipv6:// proxy)
- SSVNC_NO_IPV6_PROXY_DIRECT (do not setup a ipv6:// proxy unencrypted)
- SSVNC_PORT_IPV6 (x11vnc PORT= mode is to ipv6-only)
- SSVNC_IPV6 (0 to disable ss_vncviewer ipv6 check)
- SSVNC_FETCH_TIMEOUT (ss_vncviewer cert fetch timeout)
- SSVNC_USE_S_CLIENT (force cert fetch to be 'openssl s_client')
- SSVNC_SHOWCERT_EXIT_0 (force showcert to exit with success)
- SSVNC_SSH_LOCALHOST_AUTH (force SSH localhost auth check.)
- SSVNC_TEST_SEC_TYPE (force PPROXY VeNCrypt type; testing)
- SSVNC_TEST_SEC_SUBTYPE (force PPROXY VeNCrypt subtype; testing)
- SSVNC_EXIT_DEBUG (testing: prompt to exit at end.)
- SSVNC_UP_DEBUG (gui user/passwd debug mode.)
- SSVNC_UP_FILE (gui user/passwd file.)
-
- STUNNEL_EXTRA_OPTS (extra options for stunnel.)
-
- X11VNC_APPSHARE_DEBUG (for debugging -appshare mode.)
- NO_X11VNC_APPSHARE (shift down for escape keys.)
- DEBUG_HandleFileXfer (ultravnc filexfer)
- DEBUG_RFB_SMSG (RFB server message debug.)
-}
-
- .av.f.t insert end $msg
- button .av.htext -text "SSVNC vncviewer -help Output" -command show_viewer_help
- pack .av.htext -side bottom -fill x
- jiggle_text .av.f.t
-}
-
-proc show_viewer_help {} {
- toplev .vhlp
-
- set h 35
- if [small_height] {
- set h 30
- }
- scroll_text_dismiss .vhlp.f 83 $h
-
- center_win .vhlp
- wm resizable .vhlp 1 0
-
- wm title .vhlp "SSVNC vncviewer -help Output"
-
- set msg "-- No Help Output --"
- catch {set msg [exec ss_vncviewer -viewerhelp 2>/dev/null]}
-
- .vhlp.f.t insert end $msg
- jiggle_text .vhlp.f.t
-}
-
-proc set_viewer_path {} {
- global change_vncviewer_path
- unix_dialog_resize .chviewer
- set change_vncviewer_path [tk_getOpenFile -parent .chviewer]
- catch {raise .chviewer}
- update
-}
-
-proc change_vncviewer_dialog {} {
- global change_vncviewer change_vncviewer_path vncviewer_realvnc4
- global ts_only
-
- toplev .chviewer
- wm title .chviewer "Change VNC Viewer"
-
- global help_font
- if {$ts_only} {
- eval text .chviewer.t -width 90 -height 16 $help_font
- } else {
- eval text .chviewer.t -width 90 -height 27 $help_font
- }
- apply_bg .chviewer.t
-
- set msg {
- To use your own VNC Viewer (i.e. one installed by you, not included in this
- package), e.g. UltraVNC or RealVNC, type in the program name, or browse for
- the full path to it. You can put command line arguments after the program.
-
- Note that due to incompatibilities with respect to command line options
- there may be issues, especially if many command line options are supplied.
- You can specify your own command line options below if you like (and try to
- avoid setting any others in this GUI under "Options").
-
- If the path to the program name has spaces it in, surround it with double quotes:
-
- "C:\Program Files\My Vnc Viewer\VNCVIEWER.EXE"
-
- Make sure the very first character is a quote. You should quote the command
- even if it is only the command line arguments that need extra protection:
-
- "wine" -- "/home/fred/Program Flies/UltraVNC-1.0.2.exe" /64colors
-
- Since the command line options differ between them greatly, if you know it
- is of the RealVNC 4.x flavor, indicate on the check box. Otherwise we guess.
-
- To have SSVNC act as a general STUNNEL redirector (no VNC) set the viewer to be
- "xmessage OK" or "xmessage <port>" or "sleep n" or "sleep n <port>" (or "NOTEPAD"
- on Windows). The default listen port is 5930. The destination is set in "VNC
- Host:Display" (for a remote port less than 200 use the negative of the port value).
-}
-
- if {$ts_only} {
- regsub {Note that due(.|\n)*If the} $msg "If the" msg
- regsub {To have SSVNC act(.|\n)*} $msg "" msg
- }
- .chviewer.t insert end $msg
-
- frame .chviewer.path
- label .chviewer.path.l -text "VNC Viewer:"
- entry .chviewer.path.e -width 40 -textvariable change_vncviewer_path
- button .chviewer.path.b -text "Browse..." -command set_viewer_path
- checkbutton .chviewer.path.r -anchor w -variable vncviewer_realvnc4 -text \
- "RealVNC 4.x"
-
- pack .chviewer.path.l -side left
- pack .chviewer.path.e -side left -expand 1 -fill x
- pack .chviewer.path.b -side left
- pack .chviewer.path.r -side left
-
- button .chviewer.cancel -text "Cancel" -command {destroy .chviewer; set change_vncviewer 0}
- bind .chviewer <Escape> {destroy .chviewer; set change_vncviewer 0}
- wm protocol .chviewer WM_DELETE_WINDOW {destroy .chviewer; set change_vncviewer 0}
- button .chviewer.done -text "Done" -command {destroy .chviewer; catch {raise .oa}}
- bind .chviewer.path.e <Return> {destroy .chviewer; catch {raise .oa}}
-
- pack .chviewer.t .chviewer.path .chviewer.cancel .chviewer.done -side top -fill x
-
- center_win .chviewer
- wm resizable .chviewer 1 0
-
- focus .chviewer.path.e
-}
-
-proc port_redir_dialog {} {
- global additional_port_redirs additional_port_redirs_list
-
- toplev .redirs
- wm title .redirs "Additional Port Redirections (via SSH)"
-
- global help_font uname
- set h 35
- if [small_height] {
- set h 27
- }
- eval text .redirs.t -width 80 -height $h $help_font
- apply_bg .redirs.t
-
- set msg {
- Specify any additional SSH port redirections you desire for the
- connection. Put as many as you want separated by spaces. These only
- apply to SSH and SSH+SSL connections, they do not apply to Pure SSL
- connections.
-
- -L port1:host:port2 will listen on port1 on the local machine (where
- you are sitting) and redirect them to port2 on
- "host". "host" is relative to the remote side
- (VNC Server). Use "localhost" for the remote
- machine itself.
-
- -R port1:host:port2 will listen on port1 on the remote machine
- (where the VNC server is running) and redirect
- them to port2 on "host". "host" is relative
- to the local side (where you are sitting).
- Use "localhost" for this machine.
-
- Perhaps you want a redir to a web server inside an intranet:
-
- -L 8001:web-int:80
-
- Or to redir a remote port to your local SSH daemon:
-
- -R 5022:localhost:22
-
- etc. There are many interesting possibilities.
-
- Sometimes, especially for Windows Shares, you cannot do a -R redir to
- localhost, but need to supply the IP address of the network interface
- (e.g. by default the Shares do not listen on localhost:139). As a
- convenience you can do something like -R 1139:IP:139 (for any port
- numbers) and the IP will be attempted to be expanded. If this fails
- for some reason you will have to use the actual numerical IP address.
-}
- .redirs.t insert end $msg
-
- frame .redirs.path
- label .redirs.path.l -text "Port Redirs:"
- entry .redirs.path.e -width 40 -textvariable additional_port_redirs_list
-
- pack .redirs.path.l -side left
- pack .redirs.path.e -side left -expand 1 -fill x
-
- button .redirs.cancel -text "Cancel" -command {set additional_port_redirs 0; destroy .redirs}
- bind .redirs <Escape> {set additional_port_redirs 0; destroy .redirs}
- wm protocol .redirs WM_DELETE_WINDOW {set additional_port_redirs 0; destroy .redirs}
- button .redirs.done -text "Done" -command {destroy .redirs}
-
- pack .redirs.t .redirs.path .redirs.cancel .redirs.done -side top -fill x
-
- center_win .redirs
- wm resizable .redirs 1 0
-
- focus .redirs.path.e
-}
-
-proc stunnel_sec_dialog {} {
- global stunnel_local_protection
-
- toplev .stlsec
- wm title .stlsec "STUNNEL Local Port Protections"
-
- global help_font uname
-
- set h 37
- if [small_height] {
- set h 26
- }
- scroll_text .stlsec.f 82 $h
-
- apply_bg .stlsec.f
-
- set msg {
- See the discussion of "Untrusted Local Users" in the main 'Help'
- panel for info about users who are able to log into the workstation
- you run SSVNC on and might try to use your encrypted tunnel to gain
- access to the remote VNC machine.
-
- On Unix, for STUNNEL SSL tunnels we provide two options as extra
- safeguards against untrusted local users. Both only apply to Unix/MacOSX.
- Note that Both options are *IGNORED* in reverse connection (Listen) mode.
-
- 1) The first one 'Use stunnel EXEC mode' (it is mutually exclusive with
- option 2). For this case the modified SSVNC Unix viewer must be
- used: it execs the stunnel program instead of connecting to it via
- TCP/IP. Thus there is no localhost listening port involved at all.
-
- This is the best solution for SSL stunnel tunnels, it works well and
- is currently enabled by default. Disable it if there are problems.
-
- 2) The second one 'Use stunnel IDENT check', uses the stunnel(8)
- 'ident = username' to use the local identd daemon (IDENT RFC 1413
- http://www.ietf.org/rfc/rfc1413.txt) to check that the locally
- connecting program (the SSVNC vncviewer) is being run by your userid.
- See the stunnel(8) man page for details.
-
- Normally the IDENT check service cannot be trusted much when used
- *remotely* (the remote host may be have installed a modified daemon).
- However when using the IDENT check service *locally* it should be
- reliable. If not, it means the local machine (where you run SSVNC)
- has already been root compromised and you have a serious problem.
-
- Enabling 'Use stunnel IDENT check' requires a working identd on the
- local machine. Often it is not installed or enabled (because it is not
- deemed to be useful, etc). identd is usually run out of the inetd(8)
- super-server. Even when installed and running it is often configured
- incorrectly. On a Debian/lenny system we actually found that the
- kernel module 'tcp_diag' needed to be loaded! ('modprobe tcp_diag')
-}
- .stlsec.f.t insert end $msg
-
- radiobutton .stlsec.ident -relief ridge -anchor w -variable stunnel_local_protection_type -value "ident" -text "Use stunnel IDENT check"
- radiobutton .stlsec.exec -relief ridge -anchor w -variable stunnel_local_protection_type -value "exec" -text "Use stunnel EXEC mode"
-
- button .stlsec.cancel -text "Cancel" -command {set stunnel_local_protection 0; destroy .stlsec}
- bind .stlsec <Escape> {set stunnel_local_protection 0; destroy .stlsec}
- wm protocol .stlsec WM_DELETE_WINDOW {set stunnel_local_protection 0; destroy .stlsec}
- button .stlsec.done -text "Done" -command {if {$stunnel_local_protection_type == "none"} {set stunnel_local_protection 0}; destroy .stlsec}
-
- pack .stlsec.f .stlsec.exec .stlsec.ident .stlsec.cancel .stlsec.done -side top -fill x
-
- center_win .stlsec
- wm resizable .stlsec 1 0
-}
-
-proc disable_ssl_workarounds_dialog {} {
- global disable_ssl_workarounds disable_ssl_workarounds_type
-
- toplev .sslwrk
- wm title .sslwrk "Disable SSL Workarounds"
-
- global help_font uname
- set h 36
- if [small_height] {
- set h 24
- }
- scroll_text .sslwrk.f 86 $h
-
- apply_bg .sslwrk.f
-
- set msg {
- Some SSL implementations are incomplete or buggy or do not work properly
- with other implementations. SSVNC uses STUNNEL for its SSL encryption,
- and STUNNEL uses the OpenSSL SSL implementation.
-
- This causes some problems with non-OpenSSL implementations on the VNC server
- side. The most noticable one is the UltraVNC Single Click III (SSL) server:
-
- http://www.uvnc.com/pchelpware/SCIII/index.html
-
- It can make a reverse connection to SSVNC via an encrypted SSL tunnel.
-
- Unfortunately, in the default operation with STUNNEL the connection will be
- dropped after 2-15 minutes due to an unexpected packet.
-
- Because of this, by default SSVNC will enable some SSL workarounds to make
- connections like these work. This is the STUNNEL 'options = ALL' setting:
- it enables a basic set of SSL workarounds.
-
- You can read all about these workarounds in the stunnel(8) manpage and the
- OpenSSL SSL_CTX_set_options(3) manpage.
-
- Why are we mentioning this? STUNNELS's 'options = ALL' lowers the SSL
- security a little bit. If you know you do not have an incompatible SSL
- implementation on the server side (e.g. any one using OpenSSL is compatible,
- x11vnc in particular), then you can regain that little bit of security by
- selecting the "Disable SSL Workarounds" option.
-
- "Disable All SSL Workarounds" selected below will do that. On the other hand,
- choose "Keep the DONT_INSERT_EMPTY_FRAGMENTS Workaround" to retain that one,
- commonly needed workaround.
-
- BTW, you can set the environment variable STUNNEL_EXTRA_OPTS_USER to add
- any lines to the STUNNEL global config that you want to. See the stunnel(8)
- man page for more details.
-}
- .sslwrk.f.t insert end $msg
-
- radiobutton .sslwrk.none -relief ridge -anchor w -variable disable_ssl_workarounds_type -value "none" -text "Disable All Workarounds"
- radiobutton .sslwrk.noempty -relief ridge -anchor w -variable disable_ssl_workarounds_type -value "noempty" -text "Keep the DONT_INSERT_EMPTY_FRAGMENTS Workaround"
-
- button .sslwrk.cancel -text "Cancel" -command {set disable_ssl_workarounds 0; destroy .sslwrk}
- bind .sslwrk <Escape> {set disable_ssl_workarounds 0; destroy .sslwrk}
- wm protocol .sslwrk WM_DELETE_WINDOW {set disable_ssl_workarounds 0; destroy .sslwrk}
- button .sslwrk.done -text "Done" -command {destroy .sslwrk}
-
- pack .sslwrk.f .sslwrk.none .sslwrk.noempty .sslwrk.cancel .sslwrk.done -side top -fill x
-
- center_win .sslwrk
- wm resizable .sslwrk 1 0
-}
-
-proc update_no_ultra_dsm {} {
- global ultra_dsm_noultra
- global ultra_dsm_type
-
- foreach b {bf des3 aes aes256 l e} {
- if {! $ultra_dsm_noultra} {
- .ultradsm.nou.$b configure -state disabled
- } else {
- .ultradsm.nou.$b configure -state normal
- }
- }
- if {! $ultra_dsm_noultra} {
- if {$ultra_dsm_type == "arc4"} {
- ;
- } elseif {$ultra_dsm_type == "aesv2"} {
- ;
- } elseif {$ultra_dsm_type == "msrc4"} {
- ;
- } elseif {$ultra_dsm_type == "msrc4_sc"} {
- ;
- } elseif {$ultra_dsm_type == "securevnc"} {
- ;
- } else {
- set ultra_dsm_type guess
- }
- catch {.ultradsm.key.securevnc configure -state normal}
- catch {.ultradsm.key.msrc4_sc configure -state normal}
- } else {
- catch {.ultradsm.key.securevnc configure -state disabled}
- catch {.ultradsm.key.msrc4_sc configure -state disabled}
- }
-}
-
-proc ultra_dsm_dialog {} {
- global ultra_dsm ultra_dsm_file ultra_dsm_type
-
- toplev .ultradsm
- wm title .ultradsm "UltraVNC DSM Encryption Plugin"
-
- global help_font
- set h 40
- if [small_height] {
- set h 22
- }
- scroll_text .ultradsm.f 85 $h
-
- set msg {
- On Unix and MacOSX with the provided SSVNC vncviewer, you can connect to an
- UltraVNC server that is using one of its DSM encryption plugins: MSRC4, ARC4,
- AESV2, and SecureVNC. More info at: http://www.uvnc.com/features/encryption.html
-
- IMPORTANT: The UltraVNC DSM MSRC4, ARC4, and AESV2 implementations contain
- unfixed errors that could allow an eavesdropper to recover the session
- key or traffic easily. They often do not provide strong encryption, but
- only provide basic obscurity instead. Do not use them with critical data.
- The newer SecureVNC Plugin does not suffer from these problems.
-
- See the bottom of this help text for how to use symmetric encryption with
- Non-UltraVNC servers (for example, x11vnc 0.9.5 or later). This mode does not
- suffer the shortcomings of the UltraVNC MSRC4, ARC4, and AESV2 implementations.
-
- You will need to specify the corresponding UltraVNC encryption key (created
- by you using an UltraVNC server or viewer). It is usually called 'rc4.key'
- (for MSRC4), 'arc4.key' (for ARC4), and 'aesv2.key' (for AESV2). Specify the
- path to it or Browse for it. Also, specify which type of plugin it is (or use
- 'guess' to have it guess via the before mentioned filenames).
-
- The choice "UVNC SC" enables a special workaround for use with UltraVNC Single
- Click and the MSRC4 plugin. It may not be needed on recent SC (e.g. from
- ~2009 and later; select "MSRC4" for these newer ones.)
-
- You can also specify pw=my-password instead of a keyfile. Use single quotes
- pw='....' if the password contains shell meta-characters `!$&*(){}[]|;<>?
-
- Use the literal string 'pw=VNCPASSWD' to have the VNC password that you
- entered into the 'VNC Password:' be used for the pw=...
-
- SSL and SSH tunnels do not apply in this mode (any settings are ignored.)
-
- Proxying works in this mode, as well as Reverse Connections (Listen)
-
- The choice "SecureVNC" refers to the SecureVNC Plugin using 128 bit AES or
- ARC4 with 2048 bit RSA key exchange described here:
-
- http://adamwalling.com/SecureVNC
-
- Note in its default mode SecureVNC is *Vulnerable* to Man-In-The-Middle attacks
- (encryption but no server authentication) so do not use it with critical data.
- In SecureVNC mode you do not need to supply a 'Ultra DSM Keyfile'. However,
- if you DO supply a keyfile filename (recommended) if that file does not exist
- you will be prompted if you want to save the UltraVNC server's RSA key in it.
- The key's MD5 checksum is displayed so that you can verify that the key is
- trusted. One way to print out the SecureVNC public key MD5 checksum is:
-
- openssl rsa -inform DER -outform DER -pubout -in ./Server_SecureVNC.pkey | dd bs=1 skip=24 | md5sum
-
- Then on subsequent connections, if you continue to specify this filename, the
- SecureVNCPlugin server's RSA key will be checked against the file's contents
- and if they differ the connection will be dropped.
-
- NOTE, However, if the SecureVNC keyfile ends in the string 'ClientAuth.pkey'
- then its contents are used for SecureVNC's normal Client Authentication dialog
- (you need to use Windows SecureVNCPlugin to generate this file on the server
- side, it is usually called "Viewer_ClientAuth.pkey", and then safely copy it
- to the viewer side.) If you want to do BOTH Client Auth and server RSA key
- storing (recommended), have the keyfile end in 'ClientAuth.pkey.rsa'; that way
- the file will be used for storing the server RSA key and then the '.rsa' is
- trimmed off and the remainder used for the SecureVNC Client Auth data filename.
-
- Note that despite its intentions, Client Authentication in the FIRST release of
- SecureVNC is still susceptible to Man-In-The-Middle attacks. Even when that
- is fixed, SecureVNC Client Authentication is still susceptible to "spoofing"
- attacks where the viewer user may be tricked into revealing his VNC or MS-Logon
- password if his connection is intercepted. It is recommended you verify and
- save the Server key (see above) in addition to using Client Authentication.
-
- UltraVNC DSM encryption modes are currently experimental because unfortunately
- the UltraVNC DSM plugin also modifies the RFB protocol(!), and so the SSVNC
- vncviewer had to be modified to support it. The tight, zlib, and some minor
- encodings currently do not work in this mode and are disabled.
-
- Note that this mode also requires the utility tool named 'ultravnc_dsm_helper'
- that should be included in your SSVNC kit.
-
- Select 'Non-Ultra DSM' to use symmetric encryption to a Non-UltraVNC server via
- a supported symmetric key cipher. x11vnc supports symmetric encryption via,
- e.g., "x11vnc -enc aesv2:./my.key". Extra ciphers are enabled for this mode
- (e.g. blowfish and 3des). 'UVNC SC' and SecureVNC do not apply in this mode.
-
- Note for the Non-Ultra DSM case it will also work with any VNC Viewer
- (i.e. selected by Options -> Advanced -> Change VNC Viewer) not only the
- supplied SSVNC vncviewer.
-
- For experts: You can also set the random salt size and initialization vector
- size in Salt,IV for example "8,16". See the x11vnc and 'ultravnc_dsm_helper
- -help' documentation for more info on this.
-}
-
- .ultradsm.f.t insert end $msg
-
- frame .ultradsm.path
- label .ultradsm.path.l -text "Ultra DSM Keyfile:"
- entry .ultradsm.path.e -width 40 -textvariable ultra_dsm_file
- button .ultradsm.path.b -text "Browse..." -command {set_ultra_dsm_file .ultradsm}
-
- pack .ultradsm.path.l -side left
- pack .ultradsm.path.e -side left -expand 1 -fill x
- pack .ultradsm.path.b -side left
-
- frame .ultradsm.key
- label .ultradsm.key.l -text "Type of Key: "
- radiobutton .ultradsm.key.guess -pady 1 -anchor w -variable ultra_dsm_type -value guess \
- -text "Guess"
- radiobutton .ultradsm.key.arc4 -pady 1 -anchor w -variable ultra_dsm_type -value arc4 \
- -text "ARC4"
-
- radiobutton .ultradsm.key.aesv2 -pady 1 -anchor w -variable ultra_dsm_type -value aesv2 \
- -text "AESV2"
-
- radiobutton .ultradsm.key.msrc4 -pady 1 -anchor w -variable ultra_dsm_type -value msrc4 \
- -text "MSRC4"
-
- radiobutton .ultradsm.key.msrc4_sc -pady 1 -anchor w -variable ultra_dsm_type -value msrc4_sc \
- -text "UVNC SC"
-
- radiobutton .ultradsm.key.securevnc -pady 1 -anchor w -variable ultra_dsm_type -value securevnc \
- -text "SecureVNC"
-
- pack .ultradsm.key.l -side left
- pack .ultradsm.key.guess -side left
- pack .ultradsm.key.arc4 -side left
- pack .ultradsm.key.aesv2 -side left
- pack .ultradsm.key.msrc4 -side left
- pack .ultradsm.key.msrc4_sc -side left
- pack .ultradsm.key.securevnc -side left
-
- frame .ultradsm.nou
- checkbutton .ultradsm.nou.cb -text "Non-Ultra DSM" -variable ultra_dsm_noultra -command update_no_ultra_dsm
- radiobutton .ultradsm.nou.bf -pady 1 -anchor w -variable ultra_dsm_type -value blowfish \
- -text "Blowfish"
-
- radiobutton .ultradsm.nou.des3 -pady 1 -anchor w -variable ultra_dsm_type -value 3des \
- -text "3DES"
-
- radiobutton .ultradsm.nou.aes -pady 1 -anchor w -variable ultra_dsm_type -value "aes-cfb" \
- -text "AES-CFB"
-
- radiobutton .ultradsm.nou.aes256 -pady 1 -anchor w -variable ultra_dsm_type -value "aes256" \
- -text "AES-256"
-
- label .ultradsm.nou.l -text " Salt,IV"
- entry .ultradsm.nou.e -width 6 -textvariable ultra_dsm_salt
-
- pack .ultradsm.nou.cb -side left
- pack .ultradsm.nou.bf -side left
- pack .ultradsm.nou.des3 -side left
- pack .ultradsm.nou.aes -side left
- pack .ultradsm.nou.aes256 -side left
- pack .ultradsm.nou.l -side left
- pack .ultradsm.nou.e -side left -expand 0
-
- update_no_ultra_dsm
-
- button .ultradsm.cancel -text "Cancel" -command {destroy .ultradsm; set ultra_dsm 0}
- bind .ultradsm <Escape> {destroy .ultradsm; set ultra_dsm 0}
- wm protocol .ultradsm WM_DELETE_WINDOW {destroy .ultradsm; set ultra_dsm 0}
- button .ultradsm.done -text "Done" -command {destroy .ultradsm; catch {raise .oa}}
- bind .ultradsm.path.e <Return> {destroy .ultradsm; catch {raise .oa}}
-
- pack .ultradsm.f .ultradsm.path .ultradsm.key .ultradsm.nou .ultradsm.cancel .ultradsm.done -side top -fill x
-
- center_win .ultradsm
- wm resizable .ultradsm 1 0
-
- focus .ultradsm.path.e
-}
-
-proc ssh_known_hosts_dialog {} {
- global ssh_known_hosts ssh_known_hosts_filename
-
- toplev .sshknownhosts
- wm title .sshknownhosts "Private SSH KnownHosts file"
-
- global help_font
- set h 31
- if [small_height] {
- set h 23
- }
- scroll_text .sshknownhosts.f 80 $h
-
- set msg {
- Private SSH KnownHosts file:
-
- On Unix in SSH mode, let the user specify a non-default
- ssh known_hosts file to be used only by the current profile.
- This is the UserKnownHostsFile ssh option and is described in the
- ssh_config(1) man page. This is useful to avoid proxy 'localhost'
- SSH key collisions.
-
- Normally one should simply let ssh use its default file
- ~/.ssh/known_hosts for tracking SSH keys. The only problem with
- that happens when multiple SSVNC connections use localhost tunnel
- port redirections. These make ssh connect to 'localhost' on some
- port (where the proxy is listening.) Then the different keys
- from the multiple ssh servers collide when ssh saves them under
- 'localhost' in ~/.ssh/known_hosts.
-
- So if you are using a proxy with SSVNC or doing a "double SSH
- gateway" your ssh will connect to a proxy port on localhost, and you
- should set a private KnownHosts file for that connection profile.
- This is secure and avoids man-in-the-middle attack (as long as
- you actually verify the initial save of the SSH key!)
-
- The default file location will be:
-
- ~/.vnc/ssh_known_hosts/profile-name.known
-
- but you can choose any place you like. It must of course be
- unique and not shared with another ssh connection otherwise they
- both may complain about the key for 'localhost' changing, etc.
-}
-
- .sshknownhosts.f.t insert end $msg
-
- frame .sshknownhosts.path
- label .sshknownhosts.path.l -text "SSH KnownHosts file:"
- entry .sshknownhosts.path.e -width 40 -textvariable ssh_known_hosts_filename
- button .sshknownhosts.path.b -text "Browse..." -command {set_ssh_known_hosts_file .sshknownhosts}
-
- pack .sshknownhosts.path.l -side left
- pack .sshknownhosts.path.e -side left -expand 1 -fill x
- pack .sshknownhosts.path.b -side left
-
- button .sshknownhosts.cancel -text "Cancel" -command {destroy .sshknownhosts; set ssh_known_hosts 0}
- bind .sshknownhosts <Escape> {destroy .sshknownhosts; set ssh_known_hosts 0}
- wm protocol .sshknownhosts WM_DELETE_WINDOW {destroy .sshknownhosts; set ssh_known_hosts 0}
- button .sshknownhosts.done -text "Done" -command {destroy .sshknownhosts; catch {raise .oa}}
- bind .sshknownhosts.path.e <Return> {destroy .sshknownhosts; catch {raise .oa}}
-
- pack .sshknownhosts.f .sshknownhosts.path .sshknownhosts.cancel .sshknownhosts.done -side top -fill x
-
- center_win .sshknownhosts
- wm resizable .sshknownhosts 1 0
-
- focus .sshknownhosts.path.e
-}
-
-proc ssh_sec_dialog {} {
- global ssh_local_protection
-
- toplev .sshsec
- wm title .sshsec "SSH Local Port Protections"
-
- global help_font
- eval text .sshsec.t -width 80 -height 28 $help_font
-
- apply_bg .sshsec.t
-
- set msg {
- See the discussion of "Untrusted Local Users" in the main 'Help'
- panel for info about users who are able to log into the workstation
- you run SSVNC on and might try to use your encrypted tunnel to gain
- access to the remote VNC machine.
-
- On Unix, for SSH tunnels we have an LD_PRELOAD hack (lim_accept.so)
- that will limit ssh from accepting any local redirection connections
- after the first one or after 35 seconds, whichever comes first.
- The first SSH port redirection connection is intended to be the one
- that tunnels your VNC Viewer to reach the remote server.
-
- You can adjust these defaults LIM_ACCEPT=1 LIM_ACCEPT_TIME=35 by
- setting those env. vars. to different values.
-
- Note that there is still a window of a few seconds the Untrusted
- Local User can try to connect before your VNC Viewer does. So this
- method is far from perfect. But once your VNC session is established,
- he should be blocked out. Test to make sure blocking is taking place.
-
- Do not use this option if you are doing SSH Service redirections
- 'Additional Port Redirections (via SSH)' that redirect a local port
- to the remote server via ssh -L.
-
- Note that if the shared object "lim_accept.so" cannot be found,
- this option has no effect. Watch the output in the terminal for
- the "SSVNC_LIM_ACCEPT_PRELOAD" setting.
-}
- .sshsec.t insert end $msg
-
- button .sshsec.cancel -text "Cancel" -command {set ssh_local_protection 0; destroy .sshsec}
- bind .sshsec <Escape> {set ssh_local_protection 0; destroy .sshsec}
- wm protocol .sshsec WM_DELETE_WINDOW {set ssh_local_protection 0; destroy .sshsec}
- button .sshsec.done -text "Done" -command {destroy .sshsec}
-
- pack .sshsec.t .sshsec.cancel .sshsec.done -side top -fill x
-
- center_win .sshsec
- wm resizable .sshsec 1 0
-}
-
-proc multilisten_dialog {} {
- global multiple_listen
-
- toplev .multil
- wm title .multil "Multiple LISTEN Connections"
-
- global help_font
- set h 36
- if [small_height] {
- set h 30
- }
- eval text .multil.t -width 84 -height $h $help_font
-
- apply_bg .multil.t
-
- set msg {
- Set this option to allow SSVNC (when in LISTEN / Reverse connections
- mode) to allow multiple VNC servers to connect at the same time and
- so display each of their desktops on your screen at the same time.
-
- This option only applies on Unix or MaOSX when using the supplied
- SSVNC vncviewer. If you specify your own VNC Viewer it has no effect.
-
- On Windows (only the stock TightVNC viewer is provided) it has no effect
- because the Windows SSVNC can ONLY do "Multiple LISTEN Connections".
- Similarly on MacOSX if the COTVNC viewer is used there is no effect.
-
- Rationale: To play it safe, the Unix vncviewer provided by SSVNC
- (ssvncviewer) only allows one LISTEN reverse connection at a time.
- This is to prohibit malicious people on the network from depositing
- as many desktops on your screen as he likes, even if you are already
- connected to VNC server you desire.
-
- For example, perhaps the malicious user could trick you into typing
- a password into the desktop he displays on your screen.
-
- This protection is not perfect, because the malicious user could
- try to reverse connect to you before the correct VNC server reverse
- connects to you. This is even more of a problem if you keep your
- SSVNC viewer in LISTEN mode but unconnected for long periods of time.
- Pay careful attention in this case if you are to supplying sensitive
- information to the remote desktop.
-
- Enable 'Multiple LISTEN Connections' if you want to disable the default
- protection in the Unix SSVNC vncviewer; i.e. allow multiple reverse
- connections simultaneously (all vnc viewers we know of do this by default)
-
- For more control, do not select 'Multiple LISTEN Connections', but
- rather set the env. var SSVNC_MULTIPLE_LISTEN=MAX:n to limit the number
- of simultaneous reverse connections to "n"
-}
- .multil.t insert end $msg
-
- button .multil.cancel -text "Cancel" -command {set multiple_listen 0; destroy .multil}
- bind .multil <Escape> {set multiple_listen 0; destroy .multil}
- wm protocol .multil WM_DELETE_WINDOW {set multiple_listen 0; destroy .multil}
- button .multil.done -text "Done" -command {destroy .multil}
-
- pack .multil.t .multil.cancel .multil.done -side top -fill x
-
- center_win .multil
- wm resizable .multil 1 0
-}
-
-proc use_grab_dialog {} {
- global usg_grab
-
- toplev .usegrb
- wm title .usegrb "Use XGrabServer (for fullscreen)"
-
- global help_font
- eval text .usegrb.t -width 85 -height 29 $help_font
-
- apply_bg .usegrb.t
-
- set msg {
- On Unix, some Window managers and some Desktops make it difficult for the
- SSVNC Unix VNC viewer to go into full screen mode (F9) and/or return.
-
- Sometimes one can go into full screen mode, but then your keystrokes or
- Mouse actions do not get through. This can leave you trapped because you
- cannot inject input (F9 again) to get out of full screen mode. (Tip:
- press Ctrl-Alt-F2 for a console login shell; then kill your vncviewer
- process, e.g. pkill vncviewer; then Alt-F7 to get back to your desktop)
-
- We have seen this in some very old Window managers (e.g. fvwm2 circa
- 1998) and some very new Desktops (e.g. GNOME circa 2008). We try
- to work around the problem on recent desktops by using the NEW_WM
- interface, but if you use Fullscreen, you may need to use this option.
-
- The default for the SSVNC Unix VNC viewer is '-grabkbd' mode where it will
- try to exclusively grab the keyboard. This often works correctly.
-
- However if Fullscreen is not working properly, try setting this
- 'Use XGrabServer' option to enable '-graball' mode where it tries to grab
- the entire X server. This usually works, but can be a bit flakey.
-
- Sometimes toggling F9 a few times gets lets the vncviewer fill the whole
- screen. Sometimes tapping F9 very quickly gets it to snap in. If GNOME
- (or whatever desktop) is still showing its taskbars, it is recommended
- you toggle F9 until it isn't. Otherwise, it is not clear who gets the input.
-
- Best of luck.
-}
- .usegrb.t insert end $msg
-
- button .usegrb.cancel -text "Cancel" -command {set use_grab 0; destroy .usegrb}
- bind .usegrb <Escape> {set use_grab 0; destroy .usegrb}
- wm protocol .usegrb WM_DELETE_WINDOW {set use_grab 0; destroy .usegrb}
- button .usegrb.done -text "Done" -command {destroy .usegrb}
-
- pack .usegrb.t .usegrb.cancel .usegrb.done -side top -fill x
-
- center_win .usegrb
- wm resizable .usegrb 1 0
-}
-
-
-proc find_netcat {} {
- global is_windows
-
- set nc ""
-
- if {! $is_windows} {
- set nc [in_path "netcat"]
- if {$nc == ""} {
- set nc [in_path "nc"]
- }
- } else {
- set try "netcat.exe"
- if [file exists $try] {
- set nc $try
- }
- }
- return $nc
-}
-
-proc pk_expand {cmd host} {
- global tcl_platform
- set secs [clock seconds]
- set msecs [clock clicks -milliseconds]
- set user $tcl_platform(user)
- if [regexp {%IP} $cmd] {
- set ip [guess_ip]
- if {$ip == ""} {
- set ip "unknown"
- }
- regsub -all {%IP} $cmd $ip cmd
- }
- if [regexp {%NAT} $cmd] {
- set ip [guess_nat_ip]
- regsub -all {%NAT} $cmd $ip cmd
- }
- regsub -all {%HOST} $cmd $host cmd
- regsub -all {%USER} $cmd $user cmd
- regsub -all {%SECS} $cmd $secs cmd
- regsub -all {%MSECS} $cmd $msecs cmd
-
- return $cmd
-}
-
-proc backtick_expand {str} {
- set str0 $str
- set collect ""
- set count 0
- while {[regexp {^(.*)`([^`]+)`(.*)$} $str mv p1 cmd p2]} {
- set out [eval exec $cmd]
- set str "$p1$out$p2"
- incr count
- if {$count > 10} {
- break
- }
- }
- return $str
-}
-
-proc read_from_pad {file} {
- set fh ""
- if {[catch {set fh [open $file "r"]}] != 0} {
- return "FAIL"
- }
-
- set accum ""
- set match ""
- while {[gets $fh line] > -1} {
- if [regexp {^[ \t]*#} $line] {
- append accum "$line\n"
- } elseif [regexp {^[ \t]*$} $line] {
- append accum "$line\n"
- } elseif {$match == ""} {
- set match $line
- append accum "# $line\n"
- } else {
- append accum "$line\n"
- }
- }
-
- close $fh
-
- if {$match == ""} {
- return "FAIL"
- }
-
- if {[catch {set fh [open $file "w"]}] != 0} {
- return "FAIL"
- }
-
- puts -nonewline $fh $accum
-
- return $match
-}
-
-proc do_port_knock {hp mode} {
- global use_port_knocking port_knocking_list
- global is_windows
-
- if {! $use_port_knocking} {
- return 1
- }
- if {$port_knocking_list == ""} {
- return 1
- }
- set list $port_knocking_list
-
- if {$mode == "finish"} {
- if {! [regexp {FINISH} $list]} {
- mesg "PortKnock(finish): done"
- return 1
- } else {
- regsub {^.*FINISH} $list "" list
- }
- } elseif {$mode == "start"} {
- if {[regexp {FINISH} $list]} {
- regsub {FINISH.*$} $list "" list
- }
- }
-
- set default_delay 150
-
- set host [string trim $hp]
- # XXX host_part
- regsub {^vnc://} $host "" host
- regsub {^.*@} $host "" host
- regsub {:[0-9][0-9]*$} $host "" host
- set host0 [string trim $host]
-
- if {$host0 == ""} {
- bell
- mesg "PortKnock: No host: $hp"
- return 0
- }
-
- set m ""
-
- if [regexp {PAD=([^\n]+)} $list mv padfile] {
- set tlist [read_from_pad $padfile]
- set tlist [string trim $tlist]
- if {$tlist == "" || $tlist == "FAIL"} {
- raise .
- tk_messageBox -type ok -icon error \
- -message "Failed to read entry from $padfile" \
- -title "Error: Padfile $padfile"
- return 0
- }
- regsub -all {PAD=([^\n]+)} $list $tlist list
- }
-
- set spl ",\n\r"
- if [regexp {CMD=} $list] {set spl "\n\r"}
- if [regexp {CMDX=} $list] {set spl "\n\r"}
- if [regexp {SEND=} $list] {set spl "\n\r"}
- if [regexp {SENDX=} $list] {set spl "\n\r"}
-
- set i 0
- set pi 0
-
- foreach line [split $list $spl] {
- set line [string trim $line]
- set line0 $line
-
- if {$line == ""} {
- continue
- }
- if [regexp {^#} $line] {
- continue
- }
-
- if [regexp {^sleep[ \t][ \t]*([0-9][0-9]*)} $line mv sl] {
- set m "PortKnock: sleep $sl"
- mesg $m
- after $sl
- continue
- }
- if [regexp {^delay[ \t][ \t]*([0-9][0-9]*)} $line mv sl] {
- set m "PortKnock: delay=$sl"
- mesg $m
- set default_delay $sl
- continue
- }
-
- if [regexp {^CMD=(.*)} $line mv cmd] {
- set m "PortKnock: CMD: $cmd"
- mesg $m
- eval exec $cmd
- continue
- }
- if [regexp {^CMDX=(.*)} $line mv cmd] {
- set cmd [pk_expand $cmd $host0]
- set m "PortKnock: CMDX: $cmd"
- mesg $m
- eval exec $cmd
- continue
- }
-
- if [regexp {`} $line] {
- #set line [backtick_expand $line]
- }
-
- set snd ""
- if [regexp {^(.*)SEND=(.*)$} $line mv line snd] {
- set line [string trim $line]
- set snd [string trim $snd]
- regsub -all {%NEWLINE} $snd "\n" snd
- } elseif [regexp {^(.*)SENDX=(.*)$} $line mv line snd] {
- set line [string trim $line]
- set snd [string trim $snd]
- set snd [pk_expand $snd $host0]
- regsub -all {%NEWLINE} $snd "\n" snd
- }
-
- set udp 0
- if [regexp -nocase {[/:]udp} $line] {
- set udp 1
- regsub -all -nocase {[/:]udp} $line " " line
- set line [string trim $line]
- }
- regsub -all -nocase {[/:]tcp} $line " " line
- set line [string trim $line]
-
- set delay 0
- if [regexp {^(.*)[ \t][ \t]*([0-9][0-9]*)$} $line mv first delay] {
- set line [string trim $first]
- }
-
- if {[regexp {^(.*):([0-9][0-9]*)$} $line mv host port]} {
- ;
- } else {
- set host $host0
- set port $line
- }
- set host [string trim $host]
- set port [string trim $port]
-
- if {$host == ""} {
- set host $host0
- }
-
- if {$port == ""} {
- bell
- set m "PortKnock: No port found: \"$line0\""
- mesg $m
- return 0
- }
- if {! [regexp {^[0-9][0-9]*$} $port]} {
- bell
- set m "PortKnock: Invalid port: \"$port\""
- mesg $m
- return 0
- }
- regsub {,.*$} $host "" host
- if {[regexp {[ \t]} $host]} {
- bell
- set m "PortKnock: Invalid host: \"$host\""
- mesg $m
- return 0
- }
- if {! [regexp {^[-A-z0-9_.][-A-z0-9_.]*$} $host]} {
- bell
- set m "PortKnock: Invalid host: \"$host\""
- mesg $m
- return 0
- }
-
- set nc ""
- if {$udp || $snd != ""} {
- set nc [find_netcat]
- if {$nc == ""} {
- bell
- set m "PortKnock: UDP: netcat(1) not found"
- mesg $m
- after 1000
- continue
- }
- }
-
- if {$snd != ""} {
- global env
- set pfile "payload$pi.txt"
- if {! $is_windows} {
- set pfile "$env(SSVNC_HOME)/.$pfile"
- }
- set pfiles($pi) $pfile
- incr pi
- set fh [open $pfile "w"]
- puts -nonewline $fh "$snd"
- close $fh
-
- set m "PortKnock: SEND: $host $port"
- mesg $m
- if {$is_windows} {
- if {$udp} {
- catch {exec $nc -d -u -w 1 "$host" "$port" < $pfile &}
- } else {
- catch {exec $nc -d -w 1 "$host" "$port" < $pfile &}
- }
- } else {
- if {$udp} {
- catch {exec $nc -u -w 1 "$host" "$port" < $pfile &}
- } else {
- catch {exec $nc -w 1 "$host" "$port" < $pfile &}
- }
- }
- catch {after 50; file delete $pfile}
-
- } elseif {$udp} {
- set m "PortKnock: UDP: $host $port"
- mesg $m
- if {! $is_windows} {
- catch {exec echo a | $nc -u -w 1 "$host" "$port" &}
- } else {
- set fh [open "nc_in.txt" "w"]
- puts $fh "a"
- close $fh
- catch {exec $nc -d -u -w 1 "$host" "$port" < "nc_in.txt" &}
- }
- } else {
- set m "PortKnock: TCP: $host $port"
- mesg $m
- set s ""
- set emess ""
- set rc [catch {set s [socket -async $host $port]} emess]
- if {$rc != 0} {
- raise .
- tk_messageBox -type ok -icon error -message $emess -title "Error: socket -async $host $port"
- }
- set sockets($i) $s
- # seems we have to close it immediately to avoid multiple SYN's.
- # does not help on Win9x.
- catch {after 30; close $s};
- incr i
- }
-
- if {$delay == 0} {
- if {$default_delay > 0} {
- after $default_delay
- }
- } elseif {$delay > 0} {
- after $delay
- }
- }
-
- if {0} {
- for {set j 0} {$j < $i} {incr j} {
- set $s $sockets($j)
- if {$s != ""} {
- catch {close $s}
- }
- }
- }
- for {set j 0} {$j < $pi} {incr j} {
- set f $pfiles($j)
- if {$f != ""} {
- if [file exists $f] {
- after 100
- }
- catch {file delete $f}
- }
- }
- if {$is_windows} {
- catch {file delete "nc_in.txt"}
- }
- if {$m != ""} {
- set m "$m,"
- }
- if {$mode == "finish"} {
- mesg "PortKnock(finish): done"
- } else {
- mesg "PortKnock: done"
- }
- return 1
-}
-
-proc port_knocking_dialog {} {
- toplev .pk
- wm title .pk "Port Knocking"
- global use_port_knocking port_knocking_list
-
- global help_font
-
- global uname
-
- set h 35
- if [small_height] {
- set h 22
- } elseif {$uname == "Darwin"} {
- set h 25
- }
- scroll_text .pk.f 85 $h
-
- set msg {
- Description:
-
- Port Knocking is where a network connection to a service is not provided
- to just any client, but rather only to those that immediately prior to
- connecting send a more or less secret pattern of connections to other
- ports on the firewall.
-
- Somewhat like "knocking" on the door with the correct sequence before it
- being opened (but not necessarily letting you in yet). It is also possible
- to have a single encrypted packet (e.g. UDP) payload communicate with the
- firewall instead of knocking on a sequence of ports.
-
- Only after the correct sequence of ports is observed by the firewall does
- it allow the IP address of the client to attempt to connect to the service.
-
- So, for example, instead of allowing any host on the internet to connect
- to your SSH service and then try to login with a username and password, the
- client first must "tickle" your firewall with the correct sequence of ports.
- Only then will it be allowed to connect to your SSH service at all.
-
- This does not replace the authentication and security of SSH, it merely
- puts another layer of protection around it. E.g., suppose an exploit for
- SSH was discovered, you would most likely have more time to fix/patch
- the problem than if any client could directly connect to your SSH server.
-
- For more information http://www.portknocking.org/ and
- http://www.linuxjournal.com/article/6811
-
-
- Tip:
-
- If you just want to use the Port Knocking for an SSH shell and not
- for a VNC tunnel, then specify something like "user@hostname cmd=SHELL"
- (or "user@hostname cmd=PUTTY" on Windows) in the VNC Host:Display entry box
- on the main panel. This will do everything short of starting the viewer.
- A shortcut for this is Ctrl-S as long as user@hostname is present.
-
-
- Specifying the Knocks:
-
- In the text area below "Supply port knocking pattern" you put in the pattern
- of "knocks" needed for this connection. You can separate the knocks by
- commas or put them one per line.
-
- Each "knock" is of this form:
-
- [host:]port[/udp] [delay]
-
- In the simplest form just a numerical port, e.g. 5433, is supplied.
- Items inside [...] are optional and described below.
-
- The packet is sent to the same host that the VNC (or SSH) connection will
- be made to. If you want it to go to a different host or IP use the [host:]
- prefix. It can be either a hostname or numerical IP.
-
- A TCP packet is sent by default.
-
- If you need to send a UDP packet, the netcat (aka "nc") program must be
- installed on Unix (tcl/tk does not support udp connections). Indicate this
- with "/udp" following the port number (you can also use "/tcp", but since
- it is the default it is not necessary). (You can also use ":udp" to match
- the knockd syntax). See the example below. For convenience a Windows netcat
- binary is supplied.
-
- The last field, [delay], is an optional number of milliseconds to delay
- before continuing on to the next knock.
-
-
- Examples:
-
- 5433, 12321, 1661
-
- fw.example.com:5433, 12321/udp 3000, 1661 2000
-
- fw.example.com:5433
- 12321/udp 3000
- 1661 2000
-
- Note how the first two examples separate their knocks via commas ",".
- The 3rd example is equivalent to the 2nd and splits them up by new lines.
-
- Note for each knock any second number (e.g. the "2000" in "1661 2000") is
- a DELAY in milliseconds, not a port number. If you had a comma separating
- them: "1661, 2000" that would mean two separate knocks: one to port 1661
- followed by one to 2000 (with basically no delay between them).
-
- In examples 2 and 3, "fw.example.com" represents some machine other than
- the VNC/SSH host. By default, the VNC/SSH host is the one the packet is
- sent to.
-
- If one of the items is the string "FINISH", then the part before it is
- used prior to connecting and the part after is used once the connection
- is finished. This can be used, say, to close the firewall port. Example:
-
- 5433, 12321, FINISH, 7659, 2314
-
- (or one can split them up via lines as above.)
-
-
- Advanced port knock actions:
-
- If the string in the text field contains anywhere the strings "CMD=", "CMDX=",
- or "SEND=", then splitting on commas is not done: it is only split on lines.
-
- Then, if a line begins CMD=... the string after the = is run as an
- external command. The command could be anything you want, e.g. it could
- be a port-knocking client that does the knocking, perhaps encrypting the
- "knocks" pattern somehow or using a Single Packet Authorization method such
- as http://www.cipherdyne.com/fwknop/
-
- Extra quotes (sometimes "'foo bar'") may be needed to preserve spaces in
- command line arguments because the tcl/tk eval(n) command is used. You
- can also use {...} for quoting strings with spaces.
-
- If a line begins CMDX=... then before the command is run the following
- tokens are expanded to strings:
-
- %IP Current machine's IP address (NAT may make this not useful).
- %NAT Try to get effective IP by contacting http://www.whatismyip.com
- %HOST The remote host of the connection.
- %USER The current user.
- %SECS The current time in seconds (platform dependent).
- %MSECS Platform dependent time having at least millisecond granularity.
-
- Lines not matching CMD= or CMDX= are treated as normal port knocks but with
- one exception. If a line ends in SEND=... (i.e. after the [host:]port,
- etc., part) then the string after the = is sent as a payload for the tcp
- or udp connection to [host:]port. netcat is used for these SEND cases
- (and must be available on Unix). If newlines (\n) are needed in the
- SEND string, use %NEWLINE. Sending binary data is not yet supported;
- use CMD= with your own program.
-
-
- Advanced Examples:
-
- CMD=port_knock_client -password wombat33
- CMDX=port_knock_client -password wombat33 -host %HOST -src %NAT
-
- fw.example.com:5433/udp SEND=ASDLFKSJDF
-
-
- More tricks:
-
- To temporarily "comment out" a knock, insert a leading "#" character.
-
- Use "sleep N" to insert a raw sleep for N milliseconds (e.g. between
- CMD=... items or at the very end of the knocks to wait).
-
- If a knock entry matches "delay N" the default delay is set to
- N milliseconds (it is 150 initially).
-
-
- One Time Pads:
-
- If the text contains a (presumably single) line of the form:
-
- PAD=/path/to/a/one/time/pad/file
-
- then that file is opened and the first non-blank line not beginning
- with "#" is used as the knock pattern. The pad file is rewritten
- with that line starting with a "#" (so it will be skipped next time).
-
- The PAD=... string is replaced with the read-in knock pattern line.
- So, if needed, one can preface the PAD=... with "delay N" to set the
- default delay, and one can also put a "sleep N" after the PAD=...
- line to indicate a final sleep. One can also surround the PAD=
- line with other knock and CMD= CMDX= lines, but that usage sounds
- a bit rare. Example:
-
- delay 1000
- PAD=C:\My Pads\work-pad1.txt
- sleep 4000
-
-
- Port knock only:
-
- If, in the 'VNC Host:Display' entry, you use "user@hostname cmd=KNOCK"
- then only the port-knocking is performed. A shortcut for this is
- Ctrl-P as long as hostname is present in the entry box. If it
- matches cmd=KNOCKF, i.e. an extra "F", then the port-knocking
- "FINISH" sequence is sent, if any. A shortcut for this Shift-Ctrl-P
- as long as hostname is present.
-}
- .pk.f.t insert end $msg
-
- label .pk.info -text "Supply port knocking pattern:" -anchor w -relief ridge
-
- eval text .pk.rule -width 80 -height 5 $help_font
- .pk.rule insert end $port_knocking_list
-
- button .pk.cancel -text "Cancel" -command {set use_port_knocking 0; destroy .pk}
- bind .pk <Escape> {set use_port_knocking 0; destroy .pk}
- wm protocol .pk WM_DELETE_WINDOW {set use_port_knocking 0; destroy .pk}
- button .pk.done -text "Done" -command {if {$use_port_knocking} {set port_knocking_list [.pk.rule get 1.0 end]}; destroy .pk}
-
- pack .pk.done .pk.cancel .pk.rule .pk.info -side bottom -fill x
- pack .pk.f -side top -fill both -expand 1
-
- center_win .pk
-}
-
-proc choose_desktop_dialog {} {
- toplev .sd
- wm title .sd "Desktop Type"
- global ts_desktop_type choose_desktop
-
- global ts_desktop_type_def
- set def "kde"
- if {$ts_desktop_type_def != ""} {
- set def $ts_desktop_type_def
- }
-
- if {$ts_desktop_type == ""} {
- set ts_desktop_type $def
- }
-
- label .sd.l1 -anchor w -text "Select the type of remote Desktop"
- label .sd.l2 -anchor w -text "for your session (default: $def)"
-
- radiobutton .sd.b1 -anchor w -variable ts_desktop_type -value kde -text kde
- radiobutton .sd.b2 -anchor w -variable ts_desktop_type -value gnome -text gnome
- radiobutton .sd.b3 -anchor w -variable ts_desktop_type -value Xsession -text cde
- radiobutton .sd.b4 -anchor w -variable ts_desktop_type -value mwm -text mwm
- radiobutton .sd.b5 -anchor w -variable ts_desktop_type -value wmaker -text wmaker
- radiobutton .sd.b6 -anchor w -variable ts_desktop_type -value xfce -text xfce
- radiobutton .sd.b7 -anchor w -variable ts_desktop_type -value enlightenment -text enlightenment
- radiobutton .sd.b8 -anchor w -variable ts_desktop_type -value twm -text twm
- radiobutton .sd.b9 -anchor w -variable ts_desktop_type -value failsafe -text failsafe
-
- button .sd.cancel -text "Cancel" -command {destroy .sd; set choose_desktop 0; set ts_desktop_type ""}
- bind .sd <Escape> {destroy .sd; set choose_desktop 0; set ts_desktop_type ""}
- wm protocol .sd WM_DELETE_WINDOW {destroy .sd; set choose_desktop 0; set ts_desktop_type ""}
- button .sd.done -text "Done" -command {destroy .sd}
-
- pack .sd.l1 .sd.l2 .sd.b1 .sd.b2 .sd.b3 .sd.b4 .sd.b5 .sd.b6 .sd.b7 .sd.b8 .sd.b9 .sd.cancel .sd.done -side top -fill x
-
- center_win .sd
-}
-
-proc choose_size_dialog {} {
- toplev .sz
- wm title .sz "Desktop Size"
- global ts_desktop_size ts_desktop_depth choose_desktop_geom
-
- set def1 "1280x1024"
- set def2 "16"
-
- global ts_desktop_size_def ts_desktop_depth_def
- if {$ts_desktop_size_def != ""} {
- set def1 $ts_desktop_size_def
- }
- if {$ts_desktop_depth_def != ""} {
- set def2 $ts_desktop_depth_def
- }
-
- if {$ts_desktop_size == ""} {
- set ts_desktop_size $def1
- }
- if {$ts_desktop_depth == ""} {
- set ts_desktop_depth $def2
- }
-
- label .sz.l1 -anchor w -text "Select the Size and Color depth"
- label .sz.l2 -anchor w -text "for your Desktop session."
- label .sz.l3 -anchor w -text "Default: $def1 and $def2 bits/pixel."
-
- label .sz.g0 -anchor w -text "Width x Height:" -relief groove
-
- radiobutton .sz.g1 -anchor w -variable ts_desktop_size -value "640x480" -text " 640x480"
- radiobutton .sz.g2 -anchor w -variable ts_desktop_size -value "800x600" -text " 800x600"
- radiobutton .sz.g3 -anchor w -variable ts_desktop_size -value "1024x768" -text " 1024x768"
- radiobutton .sz.g4 -anchor w -variable ts_desktop_size -value "1280x1024" -text "1280x1024"
- radiobutton .sz.g5 -anchor w -variable ts_desktop_size -value "1400x1050" -text "1400x1050"
- radiobutton .sz.g6 -anchor w -variable ts_desktop_size -value "1600x1200" -text "1600x1200"
- radiobutton .sz.g7 -anchor w -variable ts_desktop_size -value "1920x1200" -text "1920x1200"
-
- frame .sz.c
- label .sz.c.l -anchor w -text "Custom:"
- entry .sz.c.e -width 10 -textvariable ts_desktop_size
- pack .sz.c.l -side left
- pack .sz.c.e -side left -expand 1 -fill x
- bind .sz.c.e <Return> {destroy .sz}
-
- label .sz.d0 -anchor w -text "Color Depth:" -relief groove
-
- radiobutton .sz.d1 -anchor w -variable ts_desktop_depth -value "8" -text " 8 bits/pixel"
- radiobutton .sz.d2 -anchor w -variable ts_desktop_depth -value "16" -text "16 bits/pixel"
- radiobutton .sz.d3 -anchor w -variable ts_desktop_depth -value "24" -text "24 bits/pixel"
-
- button .sz.cancel -text "Cancel" -command {destroy .sz; set choose_desktop_geom 0; set ts_desktop_size ""; set ts_desktop_depth ""}
- bind .sz <Escape> {destroy .sz; set choose_desktop_geom 0; set ts_desktop_size ""; set ts_desktop_depth ""}
- wm protocol .sz WM_DELETE_WINDOW {destroy .sz; set choose_desktop_geom 0; set ts_desktop_size ""; set ts_desktop_depth ""}
- button .sz.done -text "Done" -command {destroy .sz}
-
- pack .sz.l1 .sz.l2 .sz.l3 \
- .sz.g0 .sz.g1 .sz.g2 .sz.g3 .sz.g4 .sz.g5 .sz.g6 .sz.g7 \
- .sz.c \
- .sz.d0 .sz.d1 .sz.d2 .sz.d3 \
- .sz.cancel .sz.done -side top -fill x
-
- center_win .sz
- focus .sz.c.e
-}
-
-proc choose_xserver_dialog {} {
- toplev .st
- wm title .st "X Server Type"
- global ts_xserver_type choose_xserver
-
- set def "Xvfb"
- global ts_xserver_type_def
- if {$ts_xserver_type_def != ""} {
- set def $ts_xserver_type_def
- }
-
- if {$ts_xserver_type == ""} {
- set ts_xserver_type $def
- }
-
- label .st.l1 -anchor w -text "Select the type of remote X server"
- label .st.l2 -anchor w -text "for your session (default: $def)"
-
- radiobutton .st.b1 -anchor w -variable ts_xserver_type -value Xvfb -text "Xvfb"
-
- radiobutton .st.b2 -anchor w -variable ts_xserver_type -value Xdummy -text "Xdummy"
-
- radiobutton .st.b3 -anchor w -variable ts_xserver_type -value Xvnc -text "Xvnc"
-
- radiobutton .st.b4 -anchor w -variable ts_xserver_type -value Xvnc.redirect -text "Xvnc.redirect"
-
- button .st.cancel -text "Cancel" -command {destroy .st; set choose_xserver 0; set ts_xserver_type ""}
- bind .st <Escape> {destroy .st; set choose_xserver 0; set ts_xserver_type ""}
- wm protocol .st WM_DELETE_WINDOW {destroy .st; set choose_xserver 0; set ts_xserver_type ""}
- button .st.done -text "Done" -command {destroy .st}
-
- pack .st.l1 .st.l2 .st.b1 .st.b2 .st.b3 .st.b4 .st.cancel .st.done -side top -fill x
-
- center_win .st
-}
-
-proc set_ts_options {} {
- global use_cups use_sound use_smbmnt
- global change_vncviewer choose_xserver
- global ts_only is_windows
- global darwin_cotvnc use_x11_macosx uname
- if {! $ts_only} {
- return
- }
- catch {destroy .o}
- toplev .ot
- wm title .ot "Options"
-
- set i 1
-
- checkbutton .ot.b$i -anchor w -variable choose_desktop -text \
- "Desktop Type" \
- -command {if {$choose_desktop} {choose_desktop_dialog}}
- incr i
-
- checkbutton .ot.b$i -anchor w -variable choose_desktop_geom -text \
- "Desktop Size" \
- -command {if {$choose_desktop_geom} {choose_size_dialog}}
- incr i
-
- checkbutton .ot.b$i -anchor w -variable choose_xserver -text \
- "X Server Type" \
- -command {if {$choose_xserver} {choose_xserver_dialog}}
- incr i
-
- checkbutton .ot.b$i -anchor w -variable use_cups -text \
- "Enable Printing" \
- -command {if {$use_cups} {cups_dialog}}
- incr i
-
- checkbutton .ot.b$i -anchor w -variable use_sound -text \
- "Enable Sound" \
- -command {if {$use_sound} {sound_dialog}}
- incr i
-
-# checkbutton .ot.b$i -anchor w -variable use_smbmnt -text \
-# "Enable SMB mount tunnelling" \
-# -command {if {$use_smbmnt} {smb_dialog}}
-# incr i
-
- checkbutton .ot.b$i -anchor w -variable choose_filexfer -text \
- "File Transfer" \
- -command {if {$choose_filexfer} {ts_filexfer_dialog}}
- incr i
-
- checkbutton .ot.b$i -anchor w -variable use_viewonly -text \
- "View Only"
- incr i
-
- checkbutton .ot.b$i -anchor w -variable change_vncviewer -text \
- "Change VNC Viewer" \
- -command change_vncviewer_dialog_wrap
- incr i
-
- if {!$is_windows && $uname == "Darwin"} {
- checkbutton .ot.b$i -anchor w -variable use_x11_macosx -text \
- "X11 viewer MacOSX" \
- -command {if {$use_x11_macosx} {set darwin_cotvnc 0} else {set darwin_cotvnc 1}; set_darwin_cotvnc_buttons}
- incr i
- }
-
- button .ot.b$i -anchor w -text " Delete Profile..." \
- -command {destroy .ot; delete_profile}
- incr i
-
- button .ot.b$i -anchor w -text " Advanced ..." -command {set_ts_adv_options}
- incr i
-
- for {set j 1} {$j < $i} {incr j} {
- pack .ot.b$j -side top -fill x
- }
-
- frame .ot.b
- button .ot.b.done -text "Done" -command {destroy .ot}
- button .ot.b.help -text "Help" -command help_ts_opts
- pack .ot.b.help .ot.b.done -fill x -expand 1 -side left
-
- bind .ot <Escape> {destroy .ot}
- wm protocol .ot WM_DELETE_WINDOW {destroy .ot}
-
- pack .ot.b -side top -fill x
-
- center_win .ot
- wm resizable .ot 1 0
- focus .ot
-}
-
-proc set_ts_adv_options {} {
- global ts_only ts_unixpw ts_vncshared
- global ts_ncache ts_multisession
- global choose_othervnc darwin_cotvnc choose_sleep
- global is_windows
-
- if {! $ts_only} {
- return
- }
- catch {destroy .ot}
- toplev .ot2
- wm title .ot2 "Advanced"
-
- set i 1
-
- checkbutton .ot2.b$i -anchor w -variable ts_vncshared -text \
- "VNC Shared" \
- -command {if {$ts_vncshared} {ts_vncshared_dialog}}
- incr i
-
- checkbutton .ot2.b$i -anchor w -variable choose_multisession -text \
- "Multiple Sessions" \
- -command {if {$choose_multisession} {ts_multi_dialog}}
- incr i
-
- checkbutton .ot2.b$i -anchor w -variable ts_xlogin -text \
- "X Login Greeter" \
- -command {if {$ts_xlogin} {ts_xlogin_dialog}}
- incr i
-
- checkbutton .ot2.b$i -anchor w -variable choose_othervnc -text \
- "Other VNC Server" \
- -command {if {$choose_othervnc} {ts_othervnc_dialog}}
- incr i
-
- checkbutton .ot2.b$i -anchor w -variable ts_unixpw -text \
- "Use unixpw" \
- -command {if {$ts_unixpw} {ts_unixpw_dialog}}
- incr i
-
- checkbutton .ot2.b$i -anchor w -variable use_bgr233 -text \
- "Client 8bit Color"
- if {$darwin_cotvnc} {.ot2.b$i configure -state disabled}
- global darwin_cotvnc_blist
- set darwin_cotvnc_blist(.ot2.b$i) 1
- incr i
-
- checkbutton .ot2.b$i -anchor w -variable choose_ncache -text \
- "Client-Side Caching" \
- -command {if {$choose_ncache} {ts_ncache_dialog}}
- incr i
-
- checkbutton .ot2.b$i -anchor w -variable choose_x11vnc_opts -text \
- "X11VNC Options" \
- -command {if {$choose_x11vnc_opts} {ts_x11vnc_opts_dialog}}
- incr i
-
- checkbutton .ot2.b$i -anchor w -variable choose_sleep -text \
- "Extra Sleep" \
- -command {if {$choose_sleep} {ts_sleep_dialog}}
- incr i
-
- if {$is_windows} {
- checkbutton .ot2.b$i -anchor w -variable choose_parg -text \
- "Putty Args" \
- -command {if {$choose_parg} {ts_putty_args_dialog}}
- incr i
- }
-
- if {!$is_windows} {
- checkbutton .ot2.b$i -anchor w -variable ssh_local_protection -text \
- "SSH Local Protections" \
- -command {if {$ssh_local_protection} {ssh_sec_dialog}}
- if {$is_windows} {.ot2.b$i configure -state disabled}
- incr i
-
- checkbutton .ot2.b$i -anchor w -variable ssh_known_hosts -text \
- "SSH KnownHosts file" \
- -command {if {$ssh_known_hosts} {ssh_known_hosts_dialog}}
- if {$is_windows} {.ot2.b$i configure -state disabled}
- incr i
- }
-
- if {$is_windows} {
- button .ot2.b$i -anchor w -text " Putty Agent" \
- -command {catch {exec pageant.exe &}}
- incr i
-
- button .ot2.b$i -anchor w -text " Putty Key-Gen" \
- -command {catch {exec puttygen.exe &}}
- incr i
- }
-
- global env
- if {![info exists env(SSVNC_TS_ALWAYS)]} {
- button .ot2.b$i -anchor w -text " SSVNC Mode" \
- -command {destroy .ot2; to_ssvnc}
- incr i
- }
-
- if {!$is_windows} {
- button .ot2.b$i -anchor w -text " Unix ssvncviewer ..." \
- -command {set_ssvncviewer_options}
- if {$is_windows} {
- .ot2.b$i configure -state disabled
- }
- global change_vncviewer
- if {$change_vncviewer} {
- .ot2.b$i configure -state disabled
- }
- global ts_uss_button
- set ts_uss_button .ot2.b$i
- incr i
- }
-
- for {set j 1} {$j < $i} {incr j} {
- pack .ot2.b$j -side top -fill x
- }
-
- frame .ot2.b
- button .ot2.b.done -text "Done" -command {destroy .ot2}
- button .ot2.b.help -text "Help" -command help_ts_opts
- pack .ot2.b.help .ot2.b.done -fill x -expand 1 -side left
-
- bind .ot2 <Escape> {destroy .ot2}
- wm protocol .ot2 WM_DELETE_WINDOW {destroy .ot2}
-
- pack .ot2.b -side top -fill x
-
- center_win .ot2
- wm resizable .ot2 1 0
- focus .ot2
-}
-
-proc change_vncviewer_dialog_wrap {} {
- global change_vncviewer ts_uss_button is_windows
- if {$change_vncviewer} {
- change_vncviewer_dialog
- catch {tkwait window .chviewer}
- }
- if {$change_vncviewer || $is_windows} {
- catch {.oa.ss configure -state disabled}
- } else {
- catch {.oa.ss configure -state normal}
- }
- if [info exists ts_uss_button] {
- if {$change_vncviewer || $is_windows} {
- catch {$ts_uss_button configure -state disabled}
- } else {
- catch {$ts_uss_button configure -state normal}
- }
- }
-}
-
-proc set_advanced_options {} {
- global use_cups use_sound use_smbmnt
- global change_vncviewer
- global use_port_knocking port_knocking_list
- global is_windows darwin_cotvnc
- global use_ssh use_sshssl
- global use_x11_macosx
- global adv_ssh
- global showing_no_encryption
- global x11vnc_xlogin_widget
-
- catch {destroy .o}
- toplev .oa
- wm title .oa "Advanced Options"
-
- set i 1
-
- checkbutton .oa.b$i -anchor w -variable use_cups -text \
- "Enable CUPS Print tunnelling" \
- -command {if {$use_cups} {cups_dialog}}
- if {!$use_ssh && !$use_sshssl} {.oa.b$i configure -state disabled}
- set adv_ssh(cups) .oa.b$i
- incr i
-
- checkbutton .oa.b$i -anchor w -variable use_sound -text \
- "Enable ESD/ARTSD Audio tunnelling" \
- -command {if {$use_sound} {sound_dialog}}
- if {!$use_ssh && !$use_sshssl} {.oa.b$i configure -state disabled}
- set adv_ssh(snd) .oa.b$i
- incr i
-
- checkbutton .oa.b$i -anchor w -variable use_smbmnt -text \
- "Enable SMB mount tunnelling" \
- -command {if {$use_smbmnt} {smb_dialog}}
- if {!$use_ssh && !$use_sshssl} {.oa.b$i configure -state disabled}
- set adv_ssh(smb) .oa.b$i
- incr i
-
- checkbutton .oa.b$i -anchor w -variable use_x11vnc_xlogin -text \
- "Automatically Find X Login/Greeter" -command {x11vnc_find_adjust "xlogin"}
- if {!$use_ssh && !$use_sshssl} {.oa.b$i configure -state disabled}
- set x11vnc_xlogin_widget ".oa.b$i"
- incr i
-
- checkbutton .oa.b$i -anchor w -variable additional_port_redirs -text \
- "Additional Port Redirs (via SSH)" \
- -command {if {$additional_port_redirs} {port_redir_dialog}}
- if {!$use_ssh && !$use_sshssl} {.oa.b$i configure -state disabled}
- set adv_ssh(redirs) .oa.b$i
- incr i
-
- global use_ssl use_ssh use_sshssl
-
- if {!$is_windows} {
- checkbutton .oa.b$i -anchor w -variable ssh_known_hosts -text \
- "Private SSH KnownHosts file" \
- -command {if {$ssh_known_hosts} {ssh_known_hosts_dialog}}
- set adv_ssh(knownhosts) .oa.b$i
- if {$use_ssl} {.oa.b$i configure -state disabled}
- if {$is_windows} {.oa.b$i configure -state disabled}
- incr i
-
- checkbutton .oa.b$i -anchor w -variable ssh_local_protection -text \
- "SSH Local Port Protections" \
- -command {if {$ssh_local_protection} {ssh_sec_dialog}}
- global ssh_local_protection_button
- set ssh_local_protection_button .oa.b$i
- if {$use_ssl} {.oa.b$i configure -state disabled}
- if {$is_windows} {.oa.b$i configure -state disabled}
- incr i
- }
-
- global ssh_only
- if {!$ssh_only} {
- if {!$is_windows} {
- checkbutton .oa.b$i -anchor w -variable stunnel_local_protection -text \
- "STUNNEL Local Port Protections" \
- -command {if {$stunnel_local_protection} {stunnel_sec_dialog}}
- global stunnel_local_protection_button
- set stunnel_local_protection_button .oa.b$i
- if {$use_ssh} {.oa.b$i configure -state disabled}
- if {$is_windows} {.oa.b$i configure -state disabled}
- incr i
- }
-
- checkbutton .oa.b$i -anchor w -variable disable_ssl_workarounds -text \
- "Disable SSL Workarounds" \
- -command {if {$disable_ssl_workarounds} {disable_ssl_workarounds_dialog}}
- global disable_ssl_workarounds_button
- set disable_ssl_workarounds_button .oa.b$i
- if {$use_ssh} {.oa.b$i configure -state disabled}
- incr i
-
- if {!$is_windows} {
- checkbutton .oa.b$i -anchor w -variable ultra_dsm -text \
- "UltraVNC DSM Encryption Plugin" \
- -command {if {$ultra_dsm} {ultra_dsm_dialog}}
- global ultra_dsm_button
- set ultra_dsm_button .oa.b$i
- if {$is_windows} {.oa.b$i configure -state disabled}
- if {$use_ssh} {.oa.b$i configure -state disabled}
- incr i
- }
-
- checkbutton .oa.b$i -anchor w -variable no_probe_vencrypt -text \
- "Do not Probe for VeNCrypt"
- global no_probe_vencrypt_button
- set no_probe_vencrypt_button .oa.b$i
- if {$use_ssh} {.oa.b$i configure -state disabled}
- incr i
-
- checkbutton .oa.b$i -anchor w -variable server_vencrypt -text \
- "Server uses VeNCrypt SSL encryption"
- global vencrypt_button
- set vencrypt_button .oa.b$i
- if {$use_ssh} {.oa.b$i configure -state disabled}
- incr i
-
- checkbutton .oa.b$i -anchor w -variable server_anondh -text \
- "Server uses Anonymous Diffie-Hellman" -command no_certs_tutorial_mesg
- global anondh_button
- set anondh_button .oa.b$i
- if {$use_ssh} {.oa.b$i configure -state disabled}
- incr i
- }
-
- checkbutton .oa.b$i -anchor w -variable change_vncviewer -text \
- "Change VNC Viewer" \
- -command change_vncviewer_dialog_wrap
- incr i
-
- checkbutton .oa.b$i -anchor w -variable use_port_knocking -text \
- "Port Knocking" \
- -command {if {$use_port_knocking} {port_knocking_dialog}}
- incr i
-
- for {set j 1} {$j < $i} {incr j} {
- pack .oa.b$j -side top -fill x
- }
-
- global include_list extra_sleep
- frame .oa.fis
- frame .oa.fis.fL
- frame .oa.fis.fR
- label .oa.fis.fL.la -anchor w -text "Include:"
- label .oa.fis.fL.lb -anchor w -text "Sleep:"
- if {$is_windows} {
- label .oa.fis.fL.lc -anchor w -text "Putty Args:"
- pack .oa.fis.fL.la .oa.fis.fL.lb .oa.fis.fL.lc -side top -fill x
- } else {
- pack .oa.fis.fL.la .oa.fis.fL.lb -side top -fill x
- }
-
- entry .oa.fis.fR.ea -width 10 -textvariable include_list
- entry .oa.fis.fR.eb -width 10 -textvariable extra_sleep
- if {$is_windows} {
- entry .oa.fis.fR.ec -width 10 -textvariable putty_args
- pack .oa.fis.fR.ea .oa.fis.fR.eb .oa.fis.fR.ec -side top -fill x
- } else {
- pack .oa.fis.fR.ea .oa.fis.fR.eb -side top -fill x
- }
-
- pack .oa.fis.fL -side left
- pack .oa.fis.fR -side right -expand 1 -fill x
-
- pack .oa.fis -side top -fill x
-
-
- if {!$is_windows} {
- global uname
- set t1 " Unix ssvncviewer ..."
- if {$uname == "Darwin" } { regsub {^ *} $t1 "" t1 }
- button .oa.ss -anchor w -text $t1 -command set_ssvncviewer_options
- pack .oa.ss -side top -fill x
- if {$is_windows} {
- .oa.ss configure -state disabled
- }
- global change_vncviewer
- if {$change_vncviewer} {
- .oa.ss configure -state disabled
- }
-
- set t2 " Use ssh-agent"
- if {$uname == "Darwin" } { regsub {^ *} $t2 "" t2 }
-
- button .oa.sa -anchor w -text $t2 -command ssh_agent_restart
- pack .oa.sa -side top -fill x
- if {$is_windows} {
- .oa.sa configure -state disabled
- }
- } else {
- set t1 " Launch Putty Agent"
- button .oa.pa -anchor w -text $t1 -command {catch {exec pageant.exe &}}
- pack .oa.pa -side top -fill x
-
- set t2 " Launch Putty Key-Gen"
- button .oa.pg -anchor w -text $t2 -command {catch {exec puttygen.exe &}}
- pack .oa.pg -side top -fill x
- }
-
- frame .oa.b
- button .oa.b.done -text "Done" -command {destroy .oa}
- bind .oa <Escape> {destroy .oa}
- wm protocol .oa WM_DELETE_WINDOW {destroy .oa}
- button .oa.b.help -text "Help" -command help_advanced_opts
-
- global use_listen
- if {$use_listen} {
- button .oa.b.connect -text "Listen" -command launch
- } else {
- button .oa.b.connect -text "Connect" -command launch
- }
-
- pack .oa.b.help .oa.b.connect .oa.b.done -fill x -expand 1 -side left
-
- pack .oa.b -side top -fill x
-
- center_win .oa
- wm resizable .oa 1 0
- focus .oa
-}
-
-proc set_ssvncviewer_options {} {
- global is_windows darwin_cotvnc
- global use_ssh use_sshssl use_x11cursor use_rawlocal use_notty use_popupfix use_alpha use_turbovnc disable_pipeline use_grab use_nobell
- global use_send_clipboard use_send_always
- global ssvnc_scale ssvnc_escape
- global server_vencrypt server_anondh
-
- if {$is_windows} {
- return
- }
-
- catch {destroy .oa}
- toplev .os
- wm title .os "Unix ssvncviewer Options"
-
- set darwinlist [list]
-
- set f0 .os.f
- frame $f0
- set fl $f0.fl
- frame $fl
- set fr $f0.fr
- frame $fr
-
- set i 1
- set j 1
-
- checkbutton $fl.b$i -anchor w -variable multiple_listen -text \
- "Multiple LISTEN Connections" \
- -command {if {$multiple_listen} {multilisten_dialog}}
- global multiple_listen_button use_listen
- set multiple_listen_button $fl.b$i
- if {$is_windows} {$fl.b$i configure -state disabled}
- if {!$use_listen} {$fl.b$i configure -state disabled}
- lappend darwinlist $fl.b$i; if {$darwin_cotvnc} {$fl.b$i configure -state disabled}
- incr i
-
- checkbutton $fl.b$i -anchor w -variable listen_once -text \
- "Listen Once"
- global listen_once_button
- set listen_once_button $fl.b$i
- if {!$use_listen} {$fl.b$i configure -state disabled}
- lappend darwinlist $fl.b$i; if {$darwin_cotvnc} {$fl.b$i configure -state disabled}
- incr i
-
- checkbutton $fl.b$i -anchor w -variable listen_accept_popup -text \
- "Listen Accept Popup Dialog" \
- -command { if {$listen_accept_popup} { catch {$listen_accept_popup_button_sc configure -state normal} } else { catch {$listen_accept_popup_button_sc configure -state disabled} } }
- global listen_accept_popup_button
- set listen_accept_popup_button $fl.b$i
- if {!$use_listen} {$fl.b$i configure -state disabled}
- lappend darwinlist $fl.b$i; if {$darwin_cotvnc} {$fl.b$i configure -state disabled}
- incr i
-
- global listen_accept_popup
- checkbutton $fl.b$i -anchor w -variable listen_accept_popup_sc -text \
- " Accept Popup UltraVNC Single Click"
- global listen_accept_popup_button_sc
- set listen_accept_popup_button_sc $fl.b$i
- if {!$use_listen} {$fl.b$i configure -state disabled}
- if {!$listen_accept_popup} {$fl.b$i configure -state disabled}
- lappend darwinlist $fl.b$i; if {$darwin_cotvnc} {$fl.b$i configure -state disabled}
- incr i
-
- checkbutton $fl.b$i -anchor w -variable use_x11cursor -text \
- "Use X11 Cursor"
- lappend darwinlist $fl.b$i; if {$darwin_cotvnc} {$fl.b$i configure -state disabled}
- incr i
-
- checkbutton $fl.b$i -anchor w -variable use_nobell -text \
- "Disable Bell"
- lappend darwinlist $fl.b$i; if {$darwin_cotvnc} {$fl.b$i configure -state disabled}
- incr i
-
- checkbutton $fl.b$i -anchor w -variable use_rawlocal -text \
- "Use Raw Local"
- lappend darwinlist $fl.b$i; if {$darwin_cotvnc} {$fl.b$i configure -state disabled}
- incr i
-
- checkbutton $fl.b$i -anchor w -variable use_notty -text \
- "Avoid Using Terminal"
- lappend darwinlist $fl.b$i; if {$darwin_cotvnc} {$fl.b$i configure -state disabled}
- incr i
-
- checkbutton $fl.b$i -anchor w -variable use_popupfix -text \
- "Use Popup Fix"
- lappend darwinlist $fl.b$i; if {$darwin_cotvnc} {$fl.b$i configure -state disabled}
- incr i
-
- checkbutton $fl.b$i -anchor w -variable use_grab -text \
- "Use XGrabServer (for fullscreen)" \
- -command {if {$use_grab} {use_grab_dialog}}
- lappend darwinlist $fl.b$i; if {$darwin_cotvnc} {$fl.b$i configure -state disabled}
- incr i
-
- checkbutton $fl.b$i -anchor w -variable use_alpha -text \
- "Cursor Alphablending (32bpp required) "
- lappend darwinlist $fl.b$i; if {$darwin_cotvnc} {$fl.b$i configure -state disabled}
- incr i
-
- checkbutton $fl.b$i -anchor w -variable use_turbovnc -text \
- "TurboVNC (if available on platform)"
- lappend darwinlist $fl.b$i; if {$darwin_cotvnc} {$fl.b$i configure -state disabled}
- incr i
-
- checkbutton $fl.b$i -anchor w -variable disable_pipeline -text \
- "Disable Pipelined Updates"
- lappend darwinlist $fl.b$i; if {$darwin_cotvnc} {$fl.b$i configure -state disabled}
- incr i
-
- checkbutton $fl.b$i -anchor w -variable use_send_clipboard -text \
- "Send CLIPBOARD not PRIMARY"
- lappend darwinlist $fl.b$i; if {$darwin_cotvnc} {$fl.b$i configure -state disabled}
- incr i
-
- checkbutton $fl.b$i -anchor w -variable use_send_always -text \
- "Send Selection Every time"
- lappend darwinlist $fl.b$i; if {$darwin_cotvnc} {$fl.b$i configure -state disabled}
- incr i
-
- set relief ridge
-
- frame $fr.b$j -height 2; incr j
-
- frame $fr.b$j -relief $relief -borderwidth 2
-
- global ffont
- label $fr.b$j.l -font $ffont -anchor w -text "Examples: '0.75', '1024x768', 'fit' (fill screen), or 'auto' ";
-
- global ssvnc_scale
- frame $fr.b$j.f
- label $fr.b$j.f.l -text "Scaling: "
- lappend darwinlist $fr.b$j.f.l; if {$darwin_cotvnc} {$fr.b$j.f.l configure -state disabled}
- entry $fr.b$j.f.e -width 10 -textvariable ssvnc_scale
- lappend darwinlist $fr.b$j.f.e; if {$darwin_cotvnc} {$fr.b$j.f.e configure -state disabled}
- pack $fr.b$j.f.l -side left
- pack $fr.b$j.f.e -side right -expand 1 -fill x
-
- pack $fr.b$j.f $fr.b$j.l -side top -fill x
-
- incr j
-
- frame $fr.b$j -height 2; incr j
-
- frame $fr.b$j -relief $relief -borderwidth 2
-
- label $fr.b$j.l -font $ffont -anchor w -text "Examples: 'default', 'Control_L,Alt_L', 'never'";
-
- global ssvnc_escape
- frame $fr.b$j.f
- label $fr.b$j.f.l -text "Escape Keys: "
- lappend darwinlist $fr.b$j.f.l; if {$darwin_cotvnc} {$fr.b$j.f.l configure -state disabled}
- entry $fr.b$j.f.e -width 10 -textvariable ssvnc_escape
- lappend darwinlist $fr.b$j.f.e; if {$darwin_cotvnc} {$fr.b$j.f.e configure -state disabled}
- button $fr.b$j.f.b -relief ridge -text Help -command ssvnc_escape_help
- lappend darwinlist $fr.b$j.f.b; if {$darwin_cotvnc} {$fr.b$j.f.b configure -state disabled}
- pack $fr.b$j.f.l -side left
- pack $fr.b$j.f.b -side right
- pack $fr.b$j.f.e -side right -expand 1 -fill x
-
- pack $fr.b$j.f $fr.b$j.l -side top -fill x
-
- incr j
-
- frame $fr.b$j -height 2; incr j
-
- frame $fr.b$j -relief $relief -borderwidth 2
-
- label $fr.b$j.l -font $ffont -anchor w -text "Enter the max height in pixels, e.g. '900'";
-
- global ycrop_string
- frame $fr.b$j.f
- label $fr.b$j.f.l -text "Y Crop: "
- lappend darwinlist $fr.b$j.f.l; if {$darwin_cotvnc} {$fr.b$j.f.l configure -state disabled}
- entry $fr.b$j.f.e -width 10 -textvariable ycrop_string
- lappend darwinlist $fr.b$j.f.e; if {$darwin_cotvnc} {$fr.b$j.f.e configure -state disabled}
- pack $fr.b$j.f.l -side left
- pack $fr.b$j.f.e -side right -expand 1 -fill x
-
- pack $fr.b$j.f $fr.b$j.l -side top -fill x
-
- incr j
-
- frame $fr.b$j -height 2; incr j
-
- frame $fr.b$j -relief $relief -borderwidth 2
-
- label $fr.b$j.l -font $ffont -anchor w -text "Enter the scrollbar width in pixels, e.g. '4'";
-
- global sbwid_string
- frame $fr.b$j.f
- label $fr.b$j.f.l -text "ScrollBar Width: "
- lappend darwinlist $fr.b$j.f.l; if {$darwin_cotvnc} {$fr.b$j.f.l configure -state disabled}
- entry $fr.b$j.f.e -width 10 -textvariable sbwid_string
- lappend darwinlist $fr.b$j.f.e; if {$darwin_cotvnc} {$fr.b$j.f.e configure -state disabled}
- pack $fr.b$j.f.l -side left
- pack $fr.b$j.f.e -side right -expand 1 -fill x
-
- pack $fr.b$j.f $fr.b$j.l -side top -fill x
-
- incr j
-
- frame $fr.b$j -height 2; incr j
-
- frame $fr.b$j -relief $relief -borderwidth 2
-
- label $fr.b$j.l -font $ffont -anchor w -text "Enter the RFB version to pretend to be using, e.g. '3.4'";
- label $fr.b$j.l2 -font $ffont -anchor w -text "Sometimes needed for UltraVNC: 3.4, 3.6, 3.14, 3.16";
-
- global rfbversion
- frame $fr.b$j.f
- label $fr.b$j.f.l -text "RFB Version: "
- lappend darwinlist $fr.b$j.f.l; if {$darwin_cotvnc} {$fr.b$j.f.l configure -state disabled}
- entry $fr.b$j.f.e -width 10 -textvariable rfbversion
- lappend darwinlist $fr.b$j.f.e; if {$darwin_cotvnc} {$fr.b$j.f.e configure -state disabled}
- pack $fr.b$j.f.l -side left
- pack $fr.b$j.f.e -side right -expand 1 -fill x
-
- pack $fr.b$j.f $fr.b$j.l $fr.b$j.l2 -side top -fill x
-
- incr j
-
- frame $fr.b$j -height 2; incr j
-
- frame $fr.b$j -relief $relief -borderwidth 2
-
- label $fr.b$j.l1 -font $ffont -anchor w -text "List encodings in preferred order, for example";
- label $fr.b$j.l2 -font $ffont -anchor w -text "'copyrect zrle tight' The full list of encodings is:";
- label $fr.b$j.l3 -font $ffont -anchor w -text "copyrect tight zrle zywrle hextile zlib corre rre raw";
-
- global ssvnc_encodings
- frame $fr.b$j.f
- label $fr.b$j.f.l -text "Encodings: "
- lappend darwinlist $fr.b$j.f.l; if {$darwin_cotvnc} {$fr.b$j.f.l configure -state disabled}
- entry $fr.b$j.f.e -width 10 -textvariable ssvnc_encodings
- lappend darwinlist $fr.b$j.f.e; if {$darwin_cotvnc} {$fr.b$j.f.e configure -state disabled}
- pack $fr.b$j.f.l -side left
- pack $fr.b$j.f.e -side right -expand 1 -fill x
-
- pack $fr.b$j.f $fr.b$j.l1 $fr.b$j.l2 $fr.b$j.l3 -side top -fill x
-
- incr j
-
- frame $fr.b$j -height 2; incr j
-
- frame $fr.b$j -relief $relief -borderwidth 2
-
- label $fr.b$j.l1 -font $ffont -anchor w -text "Add any extra options for ssvncviewer that you want.";
- label $fr.b$j.l2 -font $ffont -anchor w -text "For example: -16bpp -appshare -noshm etc. See Help for a list.";
-
- global ssvnc_extra_opts
- frame $fr.b$j.f
- label $fr.b$j.f.l -text "Extra Options: "
- lappend darwinlist $fr.b$j.f.l; if {$darwin_cotvnc} {$fr.b$j.f.l configure -state disabled}
- entry $fr.b$j.f.e -width 10 -textvariable ssvnc_extra_opts
- lappend darwinlist $fr.b$j.f.e; if {$darwin_cotvnc} {$fr.b$j.f.e configure -state disabled}
- pack $fr.b$j.f.l -side left
- pack $fr.b$j.f.e -side right -expand 1 -fill x
-
- pack $fr.b$j.f $fr.b$j.l1 $fr.b$j.l2 -side top -fill x
-
- incr j
-
- frame $fr.b$j -height 2; incr j
-
- for {set k 1} {$k < $i} {incr k} {
- pack $fl.b$k -side top -fill x
- }
- for {set k 1} {$k < $j} {incr k} {
- pack $fr.b$k -side top -fill x
- }
-
- pack $fl -side left -fill both
- pack $fr -side left -fill both -expand 1
-
- pack $f0 -side top -fill both
-
- frame .os.b
- button .os.b.done -text "Done" -command {destroy .os}
- bind .os <Escape> {destroy .os}
- wm protocol .os WM_DELETE_WINDOW {destroy .os}
- button .os.b.help -text "Help" -command help_ssvncviewer_opts
-
- global use_listen
- if {$use_listen} {
- button .os.b.connect -text "Listen" -command launch
- } else {
- button .os.b.connect -text "Connect" -command launch
- }
-
- pack .os.b.help .os.b.connect .os.b.done -fill x -expand 1 -side left
-
- pack .os.b -side top -fill x
-
- global darwin_cotvnc_blist
- foreach b $darwinlist {
- set darwin_cotvnc_blist($b) 1
- }
-
- center_win .os
- wm resizable .os 1 0
- wm minsize .os [winfo reqwidth .os] [winfo reqheight .os]
- focus .os
-}
-
-
-proc in_path {cmd} {
- global env
- set p $env(PATH)
- foreach dir [split $p ":"] {
- set try "$dir/$cmd"
- if [file exists $try] {
- return "$try"
- }
- }
- return ""
-}
-
-proc ssh_agent_restart {} {
- global env
-
- set got_ssh_agent 0
- set got_ssh_add 0
- set got_ssh_agent2 0
- set got_ssh_add2 0
-
- if {[in_path "ssh-agent"] != ""} {set got_ssh_agent 1}
- if {[in_path "ssh-agent2"] != ""} {set got_ssh_agent2 1}
- if {[in_path "ssh-add"] != ""} {set got_ssh_add 1}
- if {[in_path "ssh-add2"] != ""} {set got_ssh_add2 1}
-
- set ssh_agent ""
- set ssh_add ""
- if {[info exists env(USER)] && $env(USER) == "runge"} {
- if {$got_ssh_agent2} {
- set ssh_agent "ssh-agent2"
- }
- if {$got_ssh_add2} {
- set ssh_add "ssh-add2"
- }
- }
- if {$ssh_agent == "" && $got_ssh_agent} {
- set ssh_agent "ssh-agent"
- }
- if {$ssh_add == "" && $got_ssh_add} {
- set ssh_add "ssh-add"
- }
- if {$ssh_agent == ""} {
- bell
- mesg "could not find ssh-agent in PATH"
- return
- }
- if {$ssh_add == ""} {
- bell
- mesg "could not find ssh-add in PATH"
- return
- }
- set tmp $env(SSVNC_HOME)/.vnc-sa[tpid]
- set tmp [mytmp $tmp]
- set fh ""
- catch {set fh [open $tmp "w"]}
- if {$fh == ""} {
- bell
- mesg "could not open tmp file $tmp"
- return
- }
-
- puts $fh "#!/bin/sh"
- puts $fh "eval `$ssh_agent -s`"
- puts $fh "$ssh_add"
- puts $fh "SSVNC_GUI_CHILD=\"\""
- puts $fh "export SSVNC_GUI_CHILD"
-
- global buck_zero
- set cmd $buck_zero
-
- if [info exists env(SSVNC_GUI_CMD)] {
- set cmd $env(SSVNC_GUI_CMD)
- }
- #puts $fh "$cmd </dev/null 1>/dev/null 2>/dev/null &"
- puts $fh "nohup $cmd &"
- puts $fh "sleep 1"
- puts $fh "rm -f $tmp"
- close $fh
-
- wm withdraw .
- catch {wm withdraw .o}
- catch {wm withdraw .oa}
-
- unix_terminal_cmd "+200+200" "Restarting with ssh-agent/ssh-add" "sh $tmp" 1
- after 10000
- destroy .
- exit
-}
-
-proc putty_pw_entry {mode} {
- if {$mode == "check"} {
- global use_sshssl use_ssh
- if {$use_sshssl || $use_ssh} {
- putty_pw_entry enable
- } else {
- putty_pw_entry disable
- }
- return
- }
- if {$mode == "disable"} {
- catch {.o.pw.l configure -state disabled}
- catch {.o.pw.e configure -state disabled}
- } else {
- catch {.o.pw.l configure -state normal}
- catch {.o.pw.e configure -state normal}
- }
-}
-proc adv_ssh_tog {on} {
- global adv_ssh
- foreach b {cups snd smb redirs knownhosts} {
- if [info exists adv_ssh($b)] {
- if {$on} {
- catch {$adv_ssh($b) configure -state normal}
- } else {
- catch {$adv_ssh($b) configure -state disabled}
- }
- }
- }
-}
-
-proc adv_listen_ssl_tog {on} {
- global stunnel_local_protection_button is_windows
- global disable_ssl_workarounds_button
- global vencrypt_button no_probe_vencrypt_button anondh_button ultra_dsm_button
-
- set blist [list]
- if [info exists stunnel_local_protection_button] {
- lappend blist $stunnel_local_protection_button
- }
- if [info exists disable_ssl_workarounds_button] {
- lappend blist $disable_ssl_workarounds_button
- }
- if [info exists ultra_dsm_button] {
- lappend blist $ultra_dsm_button
- }
- if [info exists no_probe_vencrypt_button] {
- lappend blist $no_probe_vencrypt_button
- }
- if [info exists vencrypt_button] {
- lappend blist $vencrypt_button
- }
- if [info exists anondh_button] {
- lappend blist $anondh_button
- }
- foreach b $blist {
- if {$on} {
- catch {$b configure -state normal}
- } else {
- catch {$b configure -state disabled}
- }
- }
-
- if {$is_windows} {
- catch {$stunnel_local_protection_button configure -state disabled}
- catch {$ultra_dsm_button configure -state disabled}
- }
-}
-
-proc adv_listen_ssh_tog {on} {
- global ssh_local_protection_button is_windows
- if [info exists ssh_local_protection_button] {
- if {$on} {
- catch {$ssh_local_protection_button configure -state normal}
- } else {
- catch {$ssh_local_protection_button configure -state disabled}
- }
- }
- if {$is_windows} {
- catch {$ssh_local_protection_button configure -state disabled}
- }
-}
-
-proc ssl_ssh_adjust {which} {
- global use_ssl use_ssh use_sshssl sshssl_sw
- global remote_ssh_cmd_list
- global x11vnc_find_widget x11vnc_xlogin_widget uvnc_bug_widget
-
- if {$which == "ssl"} {
- set use_ssl 1
- set use_ssh 0
- set use_sshssl 0
- set sshssl_sw "ssl"
- catch {.f4.getcert configure -state normal}
- catch {.f4.always configure -state normal}
- if [info exists x11vnc_find_widget] {
- catch {$x11vnc_find_widget configure -state disabled}
- }
- if [info exists x11vnc_xlogin_widget] {
- catch {$x11vnc_xlogin_widget configure -state disabled}
- }
- if [info exists uvnc_bug_widget] {
- catch {$uvnc_bug_widget configure -state normal}
- }
- adv_ssh_tog 0
- adv_listen_ssl_tog 1
- adv_listen_ssh_tog 0
- } elseif {$which == "none"} {
- set use_ssl 0
- set use_ssh 0
- set use_sshssl 0
- set sshssl_sw "none"
- catch {.f4.getcert configure -state disabled}
- catch {.f4.always configure -state disabled}
- if [info exists x11vnc_find_widget] {
- catch {$x11vnc_find_widget configure -state disabled}
- }
- if [info exists x11vnc_xlogin_widget] {
- catch {$x11vnc_xlogin_widget configure -state disabled}
- }
- if [info exists uvnc_bug_widget] {
- catch {$uvnc_bug_widget configure -state normal}
- }
- adv_ssh_tog 0
- adv_listen_ssl_tog 0
- adv_listen_ssh_tog 0
- } elseif {$which == "ssh"} {
- set use_ssl 0
- set use_ssh 1
- set use_sshssl 0
- set sshssl_sw "ssh"
- catch {.f4.getcert configure -state disabled}
- catch {.f4.always configure -state disabled}
- if [info exists x11vnc_find_widget] {
- catch {$x11vnc_find_widget configure -state normal}
- }
- if [info exists x11vnc_xlogin_widget] {
- catch {$x11vnc_xlogin_widget configure -state normal}
- }
- if [info exists uvnc_bug_widget] {
- catch {$uvnc_bug_widget configure -state disabled}
- }
- adv_ssh_tog 1
- adv_listen_ssl_tog 0
- adv_listen_ssh_tog 1
- } elseif {$which == "sshssl"} {
- set use_ssl 0
- set use_ssh 0
- set use_sshssl 1
- set sshssl_sw "sshssl"
- catch {.f4.getcert configure -state disabled}
- catch {.f4.always configure -state disabled}
- if [info exists x11vnc_find_widget] {
- catch {$x11vnc_find_widget configure -state normal}
- }
- if [info exists x11vnc_xlogin_widget] {
- catch {$x11vnc_xlogin_widget configure -state normal}
- }
- if [info exists uvnc_bug_widget] {
- catch {$uvnc_bug_widget configure -state normal}
- }
- adv_ssh_tog 1
- adv_listen_ssl_tog 1
- adv_listen_ssh_tog 1
- }
-
- if [info exists remote_ssh_cmd_list] {
- if {$use_ssh || $use_sshssl} {
- foreach w $remote_ssh_cmd_list {
- $w configure -state normal
- }
- }
- if {$use_ssl || $sshssl_sw == "none"} {
- foreach w $remote_ssh_cmd_list {
- $w configure -state disabled
- }
- }
- }
-
- if {! $use_ssl && ! $use_ssh && ! $use_sshssl} {
- if {$sshssl_sw != "none"} {
- set use_ssl 1
- set sshssl_sw "ssl"
- }
- }
- global ssh_only ts_only
- if {$ssh_only || $ts_only} {
- set use_ssl 0
- set use_sshssl 0
- set use_ssh 1
- set sshssl_sw "ssh"
- }
-
- putty_pw_entry check
-}
-
-proc listen_adjust {} {
- global use_listen revs_button multiple_listen_button is_windows
- global listen_once_button listen_accept_popup_button listen_accept_popup_button_sc
- if {![info exists multiple_listen_button]} {
- set multiple_listen_button "none"
- }
- if {$use_listen} {
- catch {.b.conn configure -text "Listen"}
- catch {.o.b.connect configure -text "Listen"}
- catch {$multiple_listen_button configure -state normal}
- catch {$listen_once_button configure -state normal}
- catch {$listen_accept_popup_button configure -state normal}
- catch {$listen_accept_popup_button_sc configure -state normal}
- catch {mesg "Listen :N -> Port 5500+N, i.e. :0 -> 5500, :1 -> 5501, :2 -> 5502 ..."}
- } else {
- catch {.b.conn configure -text "Connect"}
- catch {.o.b.connect configure -text "Connect"}
- catch {$multiple_listen_button configure -state disabled}
- catch {$listen_once_button configure -state disabled}
- catch {$listen_accept_popup_button configure -state disabled}
- catch {$listen_accept_popup_button_sc configure -state disabled}
- catch {mesg "Switched to Forward Connection mode."}
- }
- if {$is_windows} {
- catch {$multiple_listen_button configure -state disabled}
- catch {$listen_once_button configure -state disabled}
- catch {$listen_accept_popup_button configure -state disabled}
- catch {$listen_accept_popup_button_sc configure -state disabled}
- }
-}
-
-proc unixpw_adjust {} {
- global is_windows use_unixpw darwin_cotvnc
- if {$is_windows || $darwin_cotvnc} {
- return;
- }
- if {$use_unixpw} {
- pack configure .fu -after .f1 -fill x
- catch {focus .fu.e}
- } else {
- pack forget .fu
- }
-}
-
-proc x11vnc_find_adjust {which} {
- global remote_ssh_cmd
- global use_x11vnc_find x11vnc_find_widget
- global use_x11vnc_xlogin x11vnc_xlogin_widget
-
- if {$which == "find"} {
- if {$use_x11vnc_find} {
- set use_x11vnc_xlogin 0
- }
- } elseif {$which == "xlogin"} {
- if {$use_x11vnc_xlogin} {
- set use_x11vnc_find 0
- }
- }
- if {! $use_x11vnc_find && ! $use_x11vnc_xlogin} {
- set remote_ssh_cmd "";
- return
- }
- if {![regexp {x11vnc} $remote_ssh_cmd]} {
- set remote_ssh_cmd "";
- }
- regsub {^[ ]*PORT= [ ]*} $remote_ssh_cmd "" remote_ssh_cmd
- regsub {^[ ]*P= [ ]*} $remote_ssh_cmd "" remote_ssh_cmd
- regsub {^[ ]*sudo x11vnc[ ]*} $remote_ssh_cmd "" remote_ssh_cmd
- regsub {^[ ]*x11vnc[ ]*} $remote_ssh_cmd "" remote_ssh_cmd
- regsub -all {[ ]*-find[ ]*} $remote_ssh_cmd " " remote_ssh_cmd
- regsub -all {[ ]*-localhost[ ]*} $remote_ssh_cmd " " remote_ssh_cmd
- regsub -all {[ ]*-env FD_XDM=1[ ]*} $remote_ssh_cmd " " remote_ssh_cmd
- if {$use_x11vnc_find} {
- set remote_ssh_cmd "PORT= x11vnc -find -localhost -nopw $remote_ssh_cmd"
- } else {
- set remote_ssh_cmd "PORT= sudo x11vnc -find -localhost -env FD_XDM=1 -nopw $remote_ssh_cmd"
- }
- regsub {[ ]*$} $remote_ssh_cmd "" remote_ssh_cmd
- regsub {^[ ]*} $remote_ssh_cmd "" remote_ssh_cmd
- regsub -all {[ ][ ]*} $remote_ssh_cmd " " remote_ssh_cmd
-}
-
-proc set_darwin_cotvnc_buttons {} {
- global darwin_cotvnc uname darwin_cotvnc_blist
-
- if {$uname == "Darwin" && [info exists darwin_cotvnc_blist]} {
- foreach b [array names darwin_cotvnc_blist] {
- if {$darwin_cotvnc} {
- catch {$b configure -state disabled}
- } else {
- catch {$b configure -state normal}
- }
- }
- }
-}
-
-proc disable_encryption {} {
- global env
- if {[info exists env(SSVNC_DISABLE_ENCRYPTION_BUTTON)]} {
- set s $env(SSVNC_DISABLE_ENCRYPTION_BUTTON)
- if {$s != "" && $s != "0"} {
- return 1;
- }
- }
- return 0;
-}
-proc set_options {} {
- global use_alpha use_grab use_ssh use_sshssl use_viewonly use_fullscreen use_bgr233
- global use_nojpeg use_raise_on_beep use_compresslevel use_quality use_x11_macosx
- global use_send_clipboard use_send_always
- global compresslevel_text quality_text
- global env is_windows darwin_cotvnc uname
- global use_listen
- global use_x11vnc_find x11vnc_find_widget
- global use_x11vnc_xlogin x11vnc_xlogin_widget uvnc_bug_widget
- global ts_only
- global darwin_cotvnc_blist
- global showing_no_encryption no_enc_button no_enc_prev
-
- if {$ts_only} {
- set_ts_options
- return
- }
-
- toplev .o
- wm title .o "SSL/SSH VNC Options"
-
- set i 1
-
- radiobutton .o.b$i -anchor w -variable sshssl_sw -value ssl -text \
- "Use SSL" -command {ssl_ssh_adjust ssl}
- incr i
-
- radiobutton .o.b$i -anchor w -variable sshssl_sw -value ssh -text \
- "Use SSH" -command {ssl_ssh_adjust ssh}
- incr i
-
- radiobutton .o.b$i -anchor w -variable sshssl_sw -value sshssl -text \
- "Use SSH+SSL" -command {ssl_ssh_adjust sshssl}
- set iss $i
- set no_enc_prev .o.b$i
- incr i
-
- radiobutton .o.b$i -anchor w -variable sshssl_sw -value none -text \
- "No Encryption" -command {ssl_ssh_adjust none}
- set no_enc_button .o.b$i
- set ine $i
- incr i
-
- checkbutton .o.b$i -anchor w -variable use_x11vnc_find -text \
- "Automatically Find X Session" -command {x11vnc_find_adjust "find"}
- if {!$use_ssh && !$use_sshssl} {.o.b$i configure -state disabled}
- set x11vnc_find_widget ".o.b$i"
- incr i
-
- if {! $is_windows} {
- checkbutton .o.b$i -anchor w -variable use_unixpw -text \
- "Unix Username & Password" -command {unixpw_adjust}
- if {$darwin_cotvnc} {.o.b$i configure -state disabled}
- set darwin_cotvnc_blist(.o.b$i) 1
- incr i
- }
-
- checkbutton .o.b$i -anchor w -variable use_listen -text \
- "Reverse VNC Connection (-LISTEN)" -command {listen_adjust; if {$vncdisplay == ""} {set vncdisplay ":0"} else {set vncdisplay ""}; if {0 && $use_listen} {destroy .o}}
- #if {$is_windows} {.o.b$i configure -state disabled}
- #if {$darwin_cotvnc} {.o.b$i configure -state disabled}
- #set darwin_cotvnc_blist(.o.b$i) 1
- incr i
-
- checkbutton .o.b$i -anchor w -variable use_viewonly -text \
- "View Only"
- incr i
-
- checkbutton .o.b$i -anchor w -variable use_fullscreen -text \
- "Fullscreen"
- incr i
-
- checkbutton .o.b$i -anchor w -variable use_raise_on_beep -text \
- "Raise On Beep"
- if {$darwin_cotvnc} {.o.b$i configure -state disabled}
- set darwin_cotvnc_blist(.o.b$i) 1
- incr i
-
- checkbutton .o.b$i -anchor w -variable use_bgr233 -text \
- "Use 8bit color (-bgr233)"
- if {$darwin_cotvnc} {.o.b$i configure -state disabled}
- set darwin_cotvnc_blist(.o.b$i) 1
- incr i
-
- checkbutton .o.b$i -anchor w -variable use_nojpeg -text \
- "Do not use JPEG (-nojpeg)"
- if {$darwin_cotvnc} {.o.b$i configure -state disabled}
- set darwin_cotvnc_blist(.o.b$i) 1
- incr i
-
- if {$uname == "Darwin"} {
- checkbutton .o.b$i -anchor w -variable use_x11_macosx -text \
- "Use X11 vncviewer on MacOSX" \
- -command {if {$use_x11_macosx} {set darwin_cotvnc 0} else {set darwin_cotvnc 1}; set_darwin_cotvnc_buttons}
- if {$uname != "Darwin"} {.o.b$i configure -state disabled}
- incr i
- }
-
- if {$is_windows} {
- global kill_stunnel
- checkbutton .o.b$i -anchor w -variable kill_stunnel -text \
- "Kill Stunnel Automatically"
- incr i
- }
-
-
- menubutton .o.b$i -anchor w -menu .o.b$i.m -textvariable compresslevel_text -relief groove
- set compresslevel_text "Compress Level: $use_compresslevel"
- if {$darwin_cotvnc} {.o.b$i configure -state disabled}
- set darwin_cotvnc_blist(.o.b$i) 1
-
- menu .o.b$i.m -tearoff 0
- for {set j -1} {$j < 10} {incr j} {
- set v $j
- set l $j
- if {$j == -1} {
- set v "default"
- set l "default"
- }
- .o.b$i.m add radiobutton -variable use_compresslevel \
- -value $v -label $l -command \
- {set compresslevel_text "Compress Level: $use_compresslevel"}
- }
- incr i
-
- menubutton .o.b$i -anchor w -menu .o.b$i.m -textvariable quality_text -relief groove
- set quality_text "Quality: $use_quality"
- if {$darwin_cotvnc} {.o.b$i configure -state disabled}
- set darwin_cotvnc_blist(.o.b$i) 1
-
- menu .o.b$i.m -tearoff 0
- for {set j -1} {$j < 10} {incr j} {
- set v $j
- set l $j
- if {$j == -1} {
- set v "default"
- set l "default"
- }
- .o.b$i.m add radiobutton -variable use_quality \
- -value $v -label $l -command \
- {set quality_text "Quality: $use_quality"}
- }
- incr i
-
- global use_mode ts_only ssh_only
- if {$ts_only} {
- set use_mode "Terminal Services (tsvnc)"
- } elseif {$ssh_only} {
- set use_mode "SSH-Only (sshvnc)"
- } else {
- set use_mode "SSVNC"
- }
- global mode_text
- set mode_text "Mode: $use_mode"
-
- menubutton .o.b$i -anchor w -menu .o.b$i.m -textvariable mode_text -relief groove
-
- menu .o.b$i.m -tearoff 0
- .o.b$i.m add radiobutton -variable use_mode -value "SSVNC" \
- -label "SSVNC" -command { if {$ts_only || $ssh_only} {to_ssvnc; set mode_text "Mode: SSVNC"; destroy .o}}
- .o.b$i.m add radiobutton -variable use_mode -value "SSH-Only (sshvnc)" \
- -label "SSH-Only (sshvnc)" -command { if {$ts_only || ! $ssh_only} {to_sshonly; set mode_text "Mode: SSH-Only (sshvnc)"; destroy .o}}
- .o.b$i.m add radiobutton -variable use_mode -value "Terminal Services (tsvnc)" \
- -label "Terminal Services (tsvnc)" -command {to_tsonly; set mode_text "Mode: Terminal Services (tsvnc)"; destroy .o}
- incr i
-
- global started_with_noenc
-
- if {0 && $started_with_noenc && $showing_no_encryption} {
- ;
- } elseif {$ssh_only} {
- ;
- } else {
- checkbutton .o.b$i -anchor w -variable showing_no_encryption -text \
- "Show 'No Encryption' Option" -pady 5 \
- -command {toggle_no_encryption 1}
- # -relief raised
- incr i
- }
-
- for {set j 1} {$j < $i} {incr j} {
- global ssh_only ts_only
- if {$ssh_only && $j <= 3} {
- continue;
- }
- if {$ts_only && $j <= 3} {
- continue;
- }
- if {!$showing_no_encryption && $j == $ine} {
- continue;
- }
-
- pack .o.b$j -side top -fill x
- }
-
- if {$is_windows} {
- global port_slot putty_pw
-
- frame .o.pp
- frame .o.pp.fL
- frame .o.pp.fR
- label .o.pp.fL.la -anchor w -text "Putty PW:"
- label .o.pp.fL.lb -anchor w -text "Port Slot:"
- pack .o.pp.fL.la .o.pp.fL.lb -side top -fill x
-
- entry .o.pp.fR.ea -width 10 -show * -textvariable putty_pw
- entry .o.pp.fR.eb -width 10 -textvariable port_slot
- pack .o.pp.fR.ea .o.pp.fR.eb -side top -fill x
-
- pack .o.pp.fL -side left
- pack .o.pp.fR -side right -expand 1 -fill x
-
- pack .o.pp -side top -fill x
-
- putty_pw_entry check
- }
-
- global uname
- set t1 " Advanced ..."
- set t2 " Use Defaults"
- set t3 " Delete Profile ..."
- if {$uname == "Darwin"} {
- regsub {^ *} $t1 "" t1
- regsub {^ *} $t2 "" t2
- regsub {^ *} $t3 "" t3
- }
-
- button .o.advanced -anchor w -text $t1 -command set_advanced_options
- button .o.clear -anchor w -text $t2 -command {set_defaults; init_vncdisplay}
- button .o.delete -anchor w -text $t3 -command {destroy .o; delete_profile}
-
- pack .o.clear -side top -fill x
- pack .o.delete -side top -fill x
- pack .o.advanced -side top -fill x
-
-# pack .o.s_prof -side top -fill x
-# pack .o.l_prof -side top -fill x
-
- frame .o.b
- button .o.b.done -text "Done" -command {destroy .o}
- bind .o <Escape> {destroy .o}
- wm protocol .o WM_DELETE_WINDOW {destroy .o}
- button .o.b.help -text "Help" -command help_opts
- global use_listen
- if {$use_listen} {
- button .o.b.connect -text "Listen" -command launch
- } else {
- button .o.b.connect -text "Connect" -command launch
- }
-
- pack .o.b.help .o.b.connect .o.b.done -fill x -expand 1 -side left
-
- pack .o.b -side top -fill x
-
- center_win .o
- wm resizable .o 1 0
- focus .o
-}
-
-proc check_writable {} {
- set test test[pid].txt
- catch {set f [open $test "w"]; puts $f "test"; close $f}
-
- ###catch {file delete -force $test} # testing.
-
- if ![file exists $test] {
- global env
- if [info exists env(SSVNC_HOME)] {
- set dir "$env(SSVNC_HOME)/ss_vnc/cache"
- catch {file mkdir $dir}
- if ![file exists $dir] {
- return
- }
- foreach f [glob -type f * */* */*/*] {
- set dest "$dir/$f"
- set dirn [file dirname $dest]
- catch {file mkdir $dirn}
- catch {file copy -force -- $f $dest}
- }
- cd $dir
- ###catch {set f [open $test "w"]; puts $f "test"; close $f}
- }
- } else {
- catch {file delete -force $test}
- }
-}
-
-proc print_help {} {
-
- global help_main help_prox help_misc help_tips
- set b "\n============================================================================\n"
- help
- #set str [.h.f.t get 1.0 end]
- #puts "${b}Help:\n$str"
- puts "${b}Help Main:\n$help_main"
- puts "${b}Help Proxies:\n$help_prox"
- puts "${b}Help Misc:\n$help_misc"
- puts "${b}Help Tips:\n$help_tips"
- destroy .h
-
- help_opts
- set str [.oh.f.t get 1.0 end]
- puts "${b}SSL/SSH Viewer Options Help:\n$str"
- destroy .oh
-
- help_advanced_opts
- set str [.ah.f.t get 1.0 end]
- puts "${b}Advanced Options Help:\n$str"
- destroy .ah
-
- help_ssvncviewer_opts
- set str [.av.f.t get 1.0 end]
- puts "${b}ssvncviewer Options Help:\n$str"
- destroy .av
-
- help_certs
- set str [.ch.f.t get 1.0 end]
- puts "${b}SSL Certificates Help:\n$str"
- destroy .ch
-
- help_fetch_cert
- set str [.fh.f.t get 1.0 end]
- puts "${b}Fetch Certificates Help:\n$str"
- destroy .fh
-
- create_cert
- set str [.ccrt.f.t get 1.0 end]
- puts "${b}Create SSL Certificate Dialog:\n$str"
- destroy .ccrt
-
- import_cert
- set str [.icrt.f.t get 1.0 end]
- puts "${b}Import SSL Certificate Dialog:\n$str"
- destroy .icrt
-
- global cert_text
- set cert_text "empty"
- save_cert "help:0"
- set str [.scrt.f.t get 1.0 end]
- puts "${b}Save SSL Certificate Dialog:\n$str"
- destroy .scrt
-
- ts_help
- set str [.h.f.t get 1.0 end]
- puts "${b}Terminal Services Help:\n$str"
- destroy .h
-
- help_ts_opts
- set str [.oh.f.t get 1.0 end]
- puts "${b}Terminal Services VNC Options Help:\n$str"
- destroy .oh
-
- ts_unixpw_dialog
- set str [.uxpw.f.t get 1.0 end]
- puts "${b}Terminal Services Use unixpw Dialog:\n$str"
- destroy .uxpw
-
- ts_vncshared_dialog
- set str [.vncs.f.t get 1.0 end]
- puts "${b}Terminal Services VNC Shared Dialog:\n$str"
- destroy .vncs
-
- ts_multi_dialog
- set str [.mult.f.t get 1.0 end]
- puts "${b}Terminal Services Multiple Sessions Dialog:\n$str"
- destroy .mult
-
- ts_xlogin_dialog
- set str [.xlog.f.t get 1.0 end]
- puts "${b}Terminal Services X Login Dialog:\n$str"
- destroy .xlog
-
- ts_othervnc_dialog
- set str [.ovnc.f.t get 1.0 end]
- puts "${b}Terminal Services Other VNC Server Dialog:\n$str"
- destroy .ovnc
-
- ts_ncache_dialog
- set str [.nche.f.t get 1.0 end]
- puts "${b}Terminal Services Client-Side Caching Dialog:\n$str"
- destroy .nche
-
- ts_x11vnc_opts_dialog
- set str [.x11v.f.t get 1.0 end]
- puts "${b}Terminal Services x11vnc Options Dialog:\n$str"
- destroy .x11v
-
- ts_filexfer_dialog
- set str [.xfer.f.t get 1.0 end]
- puts "${b}Terminal Services File Transfer Dialog:\n$str"
- destroy .xfer
-
- ts_sound_dialog
- set str [.snd.f.t get 1.0 end]
- puts "${b}Terminal Services Sound Tunnelling Dialog:\n$str"
- destroy .snd
-
- ts_cups_dialog
- set str [.cups.f.t get 1.0 end]
- puts "${b}Terminal Services CUPS Dialog:\n$str"
- destroy .cups
-
- help_ssvncviewer_opts
- set str [.av.f.t get 1.0 end]
- puts "${b}Unix SSVNC viewer Options Help:\n$str"
- destroy .av
-
- change_vncviewer_dialog
- set str [.chviewer.t get 1.0 end]
- puts "${b}Unix Change VNC Viewer Dialog:\n$str"
- destroy .chviewer
-
- cups_dialog
- set str [.cups.f.t get 1.0 end]
- puts "${b}CUPS Dialog:\n$str"
- destroy .cups
-
- sound_dialog
- set str [.snd.f.t get 1.0 end]
- puts "${b}ESD Audio Tunnelling Dialog:\n$str"
- destroy .snd
-
- smb_dialog
- set str [.smb.f.t get 1.0 end]
- puts "${b}SMB Mounting Dialog:\n$str"
- destroy .smb
-
- port_redir_dialog
- set str [.redirs.t get 1.0 end]
- puts "${b}Additional Port Redirections Dialog:\n$str"
- destroy .redirs
-
- port_knocking_dialog
- set str [.pk.f.t get 1.0 end]
- puts "${b}Port Knocking Dialog:\n$str"
- destroy .pk
-
- ssvnc_escape_help
- set str [.ekh.f.t get 1.0 end]
- puts "${b}SSVNC Escape Keys Help:\n$str"
- destroy .ekh
-
- stunnel_sec_dialog
- set str [.stlsec.f.t get 1.0 end]
- puts "${b}STUNNEL Local Port Protections Dialog:\n$str"
- destroy .stlsec
-
- disable_ssl_workarounds_dialog
- set str [.sslwrk.f.t get 1.0 end]
- puts "${b}Disable SSL Workarounds Dialog:\n$str"
- destroy .sslwrk
-
- ultra_dsm_dialog
- set str [.ultradsm.f.t get 1.0 end]
- puts "${b}UltraVNC DSM Encryption Plugin Dialog:\n$str"
- destroy .ultradsm
-
- ssh_known_hosts_dialog
- set str [.sshknownhosts.f.t get 1.0 end]
- puts "${b}Private SSH KnownHosts file Dialog:\n$str"
- destroy .sshknownhosts
-
- ssh_sec_dialog
- set str [.sshsec.t get 1.0 end]
- puts "${b}SSH Local Port Protections Dialog:\n$str"
- destroy .sshsec
-
- multilisten_dialog
- set str [.multil.t get 1.0 end]
- puts "${b}Multiple LISTEN Connections Dialog:\n$str"
- destroy .multil
-
- use_grab_dialog
- set str [.usegrb.t get 1.0 end]
- puts "${b}Use XGrabServer (for fullscreen) Dialog:\n$str"
- destroy .usegrb
-}
-
-proc zeroconf_fill {b m} {
- global is_windows zeroconf_command last_post
-
- if {$is_windows} {
- return;
- }
-
- if {![info exists last_post]} {
- set last_post 0
- }
- set now [clock seconds]
- if {$now < [expr $last_post + 10]} {
- # cache menu for 10 secs.
- return
- }
-
- . config -cursor {watch}
- $b config -cursor {watch}
- $b configure -state disabled
-
- $m delete 0 end
- update
-
- set emsg ""
- set output ""
- set none "No VNC servers detected"
-
- set rc 1
- set rd 0
- if {$zeroconf_command == "avahi-browse"} {
- set rc [catch {set output [exec avahi-browse -r -t -p -k _rfb._tcp 2>/dev/null]} emsg]
- } elseif {$zeroconf_command == "dns-sd"} {
- set rc [catch {set output [exec /bin/sh -c {pid=$$; export pid; (sleep 1; kill $pid) & exec dns-sd -B _rfb._tcp} 2>/dev/null]} emsg]
- set rd 1
- } elseif {$zeroconf_command == "mDNS"} {
- set rc [catch {set output [exec /bin/sh -c {pid=$$; export pid; (sleep 1; kill $pid) & exec mDNS -B _rfb._tcp} 2>/dev/null]} emsg]
- set rd 1
- }
-
- #puts "rc=$rc output=$output"
- if {$rd == 1 && $rc != 0} {
- if [regexp {_rfb} $emsg] {
- set rc 0
- set output $emsg
- }
- }
-
- set count 0
-
- if {$rc != 0} {
- $m add command -label $none
- incr count
-
- } elseif {$output == "" || [regexp {^[ \t\n]*$} $output]} {
- $m add command -label $none
- incr count
-
- } elseif {$zeroconf_command == "avahi-browse"} {
- set lines [split $output "\n"]
- set saw("__none__") 1
- foreach line $lines {
- set items [split $line ";"]
- if {[llength $items] != 10} {
- continue
- }
- if {[lindex $items 0] != "="} {
- continue
- }
-
- # =;eth0;IPv4;tmp2\0582;_rfb._tcp;local;tmp2.local;10.0.2.252;5902;
- set eth [lindex $items 1]
- set ipv [lindex $items 2]
- set name [lindex $items 3]
- set type [lindex $items 4]
- set loc [lindex $items 5]
- set host [lindex $items 6]
- set ip [lindex $items 7]
- set port [lindex $items 8]
-
- if {![regexp -nocase {ipv4} $ipv]} {
- continue
- }
-
- set name0 $name
- regsub -all {\\\\} $name "__bockslosh__" name
- regsub -all {\\\.} $name "." name
-
- set n 0
- while {1} {
- incr n
- if {$n > 100} {
- break
- }
- if {[regexp {\\[0-9][0-9][0-9]} $name match]} {
- #puts "match1=$match"
- regsub {\\} $match "" match
- set d $match
- regsub {^0*} $d "" d
- set c [format "%c" $d]
- if {"$c" == "&"} {
- set c "\\$c"
- }
- regsub "\\\\$match" $name $c name
- #puts "match: $match c='$c'\nname=$name"
- } else {
- break
- }
- }
-
- regsub -all {__bockslosh__} $name "\\" name
-
- set hp $host
- if {$port >= 5900 && $port <= 6100} {
- set d [expr $port - 5900]
- set hp "$host:$d"
- } else {
- set hp "$host:$port"
- }
- if {![info exists saw($name)]} {
- regsub -all {[^[:alnum:],./:@%_=+-]} $hp "" hp
- $m add command -label "$name - $hp" -command "set vncdisplay \"$hp\""
- incr count
- set p $port
- if {$p <= 200} {
- set p "-$port"
- }
- regsub -all {[^[:alnum:],./:@%_=+-]} "$ip:$p" "" ipp
- $m add command -label "$name - $ipp" -command "set vncdisplay \"$ipp\""
- incr count
- set saw($name) 1
- }
- }
- } else {
- set lines [split $output "\n"]
- set saw("__none__") 1
- global dns_sd_cache last_dns_sd
- if {![info exists last_dns_sd]} {
- set last_dns_sd 0
- }
- if {[clock seconds] > [expr $last_dns_sd + 1800]} {
- catch { unset dns_sd_cache }
- set last_dns_sd [clock seconds]
- }
- foreach line $lines {
- if [regexp -nocase {^Browsing} $line] {
- continue;
- }
- if [regexp -nocase {^Timestamp} $line] {
- continue;
- }
- if [regexp -nocase {killed:} $line] {
- continue;
- }
- if {![regexp {_rfb\._tcp} $line]} {
- continue;
- }
- regsub {[ \t\n]*$} $line "" line
- regsub {^.*_rfb\._tcp[^ ]* *} $line "" name
-
- if {[info exists saw($name)]} {
- continue
- }
- set saw($name) 1
-
- set hp "$name"
- if {[info exists dns_sd_cache($name)]} {
- set hp $dns_sd_cache($name)
- } else {
- global env
- regsub -all {"} $name "" name2
- set env(DNS_SD_LU) $name2
- set emsg ""
- if {$zeroconf_command == "dns-sd"} {
- set rc [catch {set output [exec /bin/sh -c {pid=$$; export pid; (sleep 1; kill $pid) & exec dns-sd -L "$DNS_SD_LU" _rfb._tcp .} 2>/dev/null]} emsg]
- } elseif {$zeroconf_command == "mDNS"} {
- set rc [catch {set output [exec /bin/sh -c {pid=$$; export pid; (sleep 1; kill $pid) & exec mDNS -L "$DNS_SD_LU" _rfb._tcp .} 2>/dev/null]} emsg]
- regsub -all {[ \t][ \t]*:} $emsg ":" emsg
- }
- regsub -all { *} $emsg " " emsg
- if [regexp -nocase {be reached at *([^ \t\n][^ \t\n]*)} $emsg match hpm] {
- if [regexp {^(.*):([0-9][0-9]*)$} $hpm mv hm pm] {
- if {$pm >= 5900 && $pm <= 6100} {
- set pm [expr $pm - 5900]
- }
- set hp "$hm:$pm"
- } else {
- set hp $hpm
- }
- set dns_sd_cache($name) $hp
- } else {
- set hp "$name"
- if {![regexp {:[0-9][0-9]*$} $hp]} {
- set hp "$name:0"
- }
- }
- }
- regsub -all {[^[:alnum:],./:@%_=+-]} $hp "" hp
- $m add command -label "$name - $hp" -command "set vncdisplay \"$hp\""
- incr count
- }
- }
- $b configure -state normal
- . config -cursor {}
- $b config -cursor {}
- if {$count == 0} {
- $m add command -label $none
- }
- set last_post [clock seconds]
-}
-
-proc check_zeroconf_browse {} {
- global is_windows zeroconf_command
-
- set zeroconf_command ""
- if {$is_windows} {
- return 0;
- }
- set p ""
- set r [catch {set p [exec /bin/sh -c {type avahi-browse}]}]
- if {$r == 0} {
- regsub {^.* is *} $p "" p
- regsub -all {[ \t\n\r]} $p "" p
- if [file exists $p] {
- set zeroconf_command "avahi-browse"
- return 1
- }
- }
- set p ""
- set r [catch {set p [exec /bin/sh -c {type dns-sd}]}]
- if {$r == 0} {
- regsub {^.* is *} $p "" p
- regsub -all {[ \t\n\r]} $p "" p
- if [file exists $p] {
- set zeroconf_command "dns-sd"
- global env
- if [info exists env(USE_MDNS)] {
- # testing
- set zeroconf_command "mDNS"
- }
- return 1
- }
- }
- set p ""
- set r [catch {set p [exec /bin/sh -c {type mDNS}]}]
- if {$r == 0} {
- regsub {^.* is *} $p "" p
- regsub -all {[ \t\n\r]} $p "" p
- if [file exists $p] {
- set zeroconf_command "mDNS"
- return 1
- }
- }
- return 0
-}
-
-proc toggle_no_encryption {{rev 0}} {
- global showing_no_encryption
- global no_enc_button no_enc_prev
- global ts_only ssh_only
- global use_ssl use_ssh use_sshssl
-
- if {$rev} {
- # reverse it first
- if {$showing_no_encryption} {
- set showing_no_encryption 0
- } else {
- set showing_no_encryption 1
- }
- }
-
- if {$showing_no_encryption} {
- catch {pack forget .f4.none}
- catch {pack forget $no_enc_button}
- if {!$use_ssl && !$use_ssh && !$use_sshssl} {
- set use_ssl 1
- sync_use_ssl_ssh
- }
- set showing_no_encryption 0
- } else {
- if {$ts_only || $ssh_only} {
- return
- }
- catch {pack .f4.none -side left}
- if {![info exists no_enc_button]} {
- catch {destroy .o}
- } elseif {![winfo exists $no_enc_button]} {
- catch {destroy .o}
- } else {
- catch {pack $no_enc_button -after $no_enc_prev -fill x}
- }
- set showing_no_encryption 1
- }
-}
-
-proc toggle_vnc_prefix {} {
- global vncdisplay
- if [regexp -nocase {^vnc://} $vncdisplay] {
- regsub -nocase {^vnc://} $vncdisplay "" vncdisplay
- } else {
- regsub -nocase {^[a-z0-9+]*://} $vncdisplay "" vncdisplay
- set vncdisplay "Vnc://$vncdisplay"
- }
- catch {.f0.e icursor end}
-}
-
-############################################
-
-global env
-
-if {[regexp -nocase {Windows.9} $tcl_platform(os)]} {
- set is_win9x 1
-} else {
- set is_win9x 0
-}
-
-set is_windows 0
-if { [regexp -nocase {Windows} $tcl_platform(os)]} {
- set is_windows 1
-}
-
-set uname ""
-if {! $is_windows} {
- catch {set uname [exec uname]}
-}
-
-set ffont "fixed"
-
-global have_ipv6
-set have_ipv6 ""
-check_for_ipv6
-
-# need to check if "fixed" font under XFT on tk8.5 is actually fixed width!!
-if {$tcl_platform(platform) == "unix"} {
- set ls ""
- catch {set ls [font metrics $ffont -linespace]}
- set fs ""
- catch {set fs [font metrics $ffont -fixed]}
- set redo 0
- if {$fs != "" && $fs != "1"} {
- set redo 1
- }
- if {$ls != "" && $ls > 14} {
- set redo 1
- }
- if {$redo} {
- foreach fn [font names] {
- if {$fn == "TkFixedFont"} {
- set ffont $fn
- break
- }
- }
- }
- catch {option add *Dialog.msg.font {helvetica -14 bold}}
- catch {option add *Dialog.msg.wrapLength 4i}
-}
-
-if {$uname == "Darwin"} {
- set ffont "Monaco 10"
-
- #option add *Button.font Helvetica widgetDefault
- catch {option add *Button.font {System 10} widgetDefault}
-}
-
-# set SSVNC_HOME to HOME in case we modify it for mobile use:
-if [info exists env(HOME)] {
- if {! [info exists env(SSVNC_HOME)]} {
- set env(SSVNC_HOME) $env(HOME)
- }
-}
-
-# For mobile use, e.g. from a USB flash drive, we look for a "home" or "Home"
-# directory relative to this script where the profiles and certs will be kept
-# by default.
-if [file exists $buck_zero] {
- #puts "$buck_zero"
- set up [file dirname $buck_zero]
-
- if {$up == "."} {
- # this is actually bad news on windows because we cd'd to util.
- set up ".."
- } else {
- set up [file dirname $up]
- }
- set dirs [list $up]
-
- if {! $is_windows && $up != ".."} {
- # get rid of bin
- set up [file dirname $up]
- lappend dirs $up
- }
-
- for {set i 0} {$i < $argc} {incr i} {
- set it0 [lindex $argv $i]
- if {$it0 == "."} {
- if {![file isdirectory "$up/home"] && ![file isdirectory "$up/Home"]} {
- catch {file mkdir "$up/Home"}
- }
- break
- }
- }
-
- set gotone 0
-
- foreach d $dirs {
- set try "$d/home"
- #puts "$try"
- if [file isdirectory $try] {
- set env(SSVNC_HOME) $try
- set gotone 1
- break
- }
- set try "$d/Home"
- #puts "$try"
- if [file isdirectory $try] {
- set env(SSVNC_HOME) $try
- set gotone 1
- break
- }
- }
- if {$gotone} {
- set b ""
- if {$is_windows} {
- set b "$env(SSVNC_HOME)/ss_vnc"
- } else {
- set b "$env(SSVNC_HOME)/.vnc"
- }
- catch {file mkdir $b}
- catch {file mkdir "$b/certs"}
- catch {file mkdir "$b/profiles"}
- }
- #puts "HOME: $env(SSVNC_HOME)"
-}
-
-global svcert_default mycert_default crlfil_default
-global svcert_default_force mycert_default_force crlfil_default_force
-set svcert_default ""
-set mycert_default ""
-set crlfil_default ""
-set svcert_default_force 0
-set mycert_default_force 0
-set crlfil_default_force 0
-
-set saw_ts_only 0
-set saw_ssh_only 0
-
-set ssvncrc $env(SSVNC_HOME)/.ssvncrc
-if {$is_windows} {
- set ssvncrc $env(SSVNC_HOME)/ssvnc_rc
-}
-
-global ts_desktop_size_def ts_desktop_depth_def ts_desktop_type_def ts_xserver_type_def
-set ts_desktop_size_def ""
-set ts_desktop_depth_def ""
-set ts_desktop_type_def ""
-set ts_xserver_type_def ""
-
-global win_localhost
-set win_localhost "127.0.0.1"
-
-global kill_stunnel
-set kill_stunnel 1
-
-global started_with_noenc
-
-if {! [info exists env(SSVNC_DISABLE_ENCRYPTION_BUTTON)]} {
- set env(SSVNC_DISABLE_ENCRYPTION_BUTTON) 1
- set started_with_noenc 1
-} else {
- if {$env(SSVNC_DISABLE_ENCRYPTION_BUTTON) == "0"} {
- set started_with_noenc 0
- } elseif {$env(SSVNC_DISABLE_ENCRYPTION_BUTTON) == "1"} {
- set started_with_noenc 1
- } else {
- set env(SSVNC_DISABLE_ENCRYPTION_BUTTON) 1
- set started_with_noenc 1
- }
-}
-
-if [file exists $ssvncrc] {
- set fh ""
- catch {set fh [open $ssvncrc "r"]}
- if {$fh != ""} {
- while {[gets $fh line] > -1} {
- set str [string trim $line]
- if [regexp {^#} $str] {
- continue
- }
- if [regexp {^mode=tsvnc} $str] {
- set saw_ts_only 1
- set saw_ssh_only 0
- } elseif [regexp {^mode=sshvnc} $str] {
- set saw_ts_only 0
- set saw_ssh_only 1
- } elseif [regexp {^mode=ssvnc} $str] {
- set saw_ts_only 0
- set saw_ssh_only 0
- }
- if [regexp {^desktop_type=(.*)$} $str m val] {
- set val [string trim $val]
- set ts_desktop_type_def $val
- }
- if [regexp {^desktop_size=(.*)$} $str m val] {
- set val [string trim $val]
- set ts_desktop_size_def $val
- }
- if [regexp {^desktop_depth=(.*)$} $str m val] {
- set val [string trim $val]
- set ts_desktop_depth_def $val
- }
- if [regexp {^xserver_type=(.*)$} $str m val] {
- set val [string trim $val]
- set ts_xserver_type_def $val
- }
- if [regexp {^font_default=(.*)$} $str m val] {
- set val [string trim $val]
- catch {option add *font $val}
- catch {option add *Dialog.msg.font $val}
- }
- if [regexp {^font_fixed=(.*)$} $str m val] {
- set val [string trim $val]
- set ffont $val
- }
- if [regexp {^noenc=1} $str] {
- global env
- set env(SSVNC_DISABLE_ENCRYPTION_BUTTON) 1
- set started_with_noenc 1
- }
- if [regexp {^noenc=0} $str] {
- global env
- set env(SSVNC_DISABLE_ENCRYPTION_BUTTON) 0
- set started_with_noenc 0
- }
- if [regexp {^cotvnc=1} $str] {
- global env
- set env(SSVNC_COTVNC) 1
- }
- if [regexp {^cotvnc=0} $str] {
- global env
- set env(SSVNC_COTVNC) 0
- }
- if [regexp {^killstunnel=1} $str] {
- set kill_stunnel 1
- }
- if [regexp {^killstunnel=0} $str] {
- set kill_stunnel 0
- }
- global have_ipv6
- if [regexp {^ipv6=1} $str] {
- set have_ipv6 1
- set env(SSVNC_IPV6) 1
- }
- if [regexp {^ipv6=0} $str] {
- set have_ipv6 0
- set env(SSVNC_IPV6) 0
- }
- if [regexp {^mycert=(.*)$} $str m val] {
- set val [string trim $val]
- set mycert_default $val
- }
- if [regexp {^cert=(.*)$} $str m val] {
- set val [string trim $val]
- set mycert_default $val
- }
- if [regexp {^cacert=(.*)$} $str m val] {
- set val [string trim $val]
- set svcert_default $val
- }
- if [regexp {^ca=(.*)$} $str m val] {
- set val [string trim $val]
- set svcert_default $val
- }
- if [regexp {^crl=(.*)$} $str m val] {
- set val [string trim $val]
- set crlfil_default $val
- }
- if [regexp {^env=([^=]*)=(.*)$} $str m var val] {
- global env
- set env($var) $val
- }
- }
- close $fh
- }
-}
-
-for {set i 0} {$i < $argc} {incr i} {
- set item [lindex $argv $i]
- regsub {^--} $item "-" item
- if {$item == "-profiles" || $item == "-list"} {
- set dir [get_profiles_dir]
- #puts stderr "VNC Profiles:"
- #puts stderr " "
- if {[info exists env(SSVNC_TS_ONLY)]} {
- set saw_ts_only 1
- } elseif {[info exists env(SSVNC_SSH_ONLY)]} {
- set saw_ssh_only 1
- }
- set profs [list]
- foreach prof [glob -nocomplain -directory $dir "*.vnc"] {
- set s [file tail $prof]
- regsub {\.vnc$} $s "" s
- if {$saw_ts_only || $saw_ssh_only} {
- set ok 0;
- set tsok 0;
- set fh ""
- catch {set fh [open $prof "r"]}
- if {$fh != ""} {
- while {[gets $fh line] > -1} {
- if {[regexp {use_ssh=1} $line]} {
- set ok 1
- }
- if {[regexp {ts_mode=1} $line]} {
- set tsok 1
- }
- }
- close $fh
- }
- if {$saw_ts_only && !$tsok} {
- continue;
- } elseif {! $ok} {
- continue
- }
- }
- lappend profs $s
- }
- foreach prof [lsort $profs] {
- puts "$prof"
- }
- exit
- } elseif {$item == "-nvb"} {
- global env
- set env(SSVNC_NO_VERIFY_ALL_BUTTON) 1
- } elseif {$item == "-noenc"} {
- global env
- set env(SSVNC_DISABLE_ENCRYPTION_BUTTON) 1
- set started_with_noenc 1
- } elseif {$item == "-enc"} {
- global env
- set env(SSVNC_DISABLE_ENCRYPTION_BUTTON) 0
- } elseif {$item == "-bigger"} {
- global env
- if {![info exists env(SSVNC_BIGGER_DIALOG)]} {
- set env(SSVNC_BIGGER_DIALOG) 1
- }
- } elseif {$item == "-ssh"} {
- set saw_ssh_only 1
- set saw_ts_only 0
- } elseif {$item == "-ts"} {
- set saw_ts_only 1
- set saw_ssh_only 0
- } elseif {$item == "-ssl" || $item == "-ss"} {
- set saw_ts_only 0
- set saw_ssh_only 0
- } elseif {$item == "-tso"} {
- global env
- set env(SSVNC_TS_ALWAYS) 1
- set saw_ts_only 1
- } elseif {$item == "-killstunnel"} {
- set kill_stunnel 1
- } elseif {$item == "-nokillstunnel"} {
- set kill_stunnel 0
- } elseif {$item == "-mycert" || $item == "-cert"} {
- incr i
- set mycert_default [lindex $argv $i]
- } elseif {$item == "-cacert" || $item == "-ca"} {
- incr i
- set svcert_default [lindex $argv $i]
- } elseif {$item == "-crl"} {
- incr i
- set crlfil_default [lindex $argv $i]
- }
-}
-
-if [info exists env(SSVNC_FONT_FIXED)] {
- set ffont $env(SSVNC_FONT_FIXED)
-}
-
-if [info exists env(SSVNC_FONT_DEFAULT)] {
- catch {option add *font $env(SSVNC_FONT_DEFAULT)}
- catch {option add *Dialog.msg.font $env(SSVNC_FONT_DEFAULT)}
-}
-
-if [regexp {[ ]} $ffont] {
- set help_font "-font \"$ffont\""
-} else {
- set help_font "-font $ffont"
-}
-
-if { [regexp -nocase {Windows} $tcl_platform(os)]} {
- cd util
- if {$help_font == "-font fixed"} {
- set help_font ""
- }
-}
-
-if {$saw_ts_only && $saw_ssh_only} {
- set saw_ssh_only 0
-}
-
-global ssh_only
-set ssh_only 0
-if {[info exists env(SSVNC_SSH_ONLY)] || $saw_ssh_only} {
- set ssh_only 1
-}
-
-global ts_only
-set ts_only 0
-if {[info exists env(SSVNC_TS_ONLY)] || $saw_ts_only} {
- set ts_only 1
-}
-
-if {$mycert_default != ""} {
- if [regexp -nocase {^FORCE:} $mycert_default] {
- set mycert_default_force 1
- regsub -nocase {^FORCE:} $mycert_default "" mycert_default
- }
- if {![file exists $mycert_default]} {
- set idir [get_idir_certs ""]
- set mycert_default "$idir/$mycert_default"
- }
-}
-
-if {$svcert_default != ""} {
- if [regexp -nocase {^FORCE:} $svcert_default] {
- set svcert_default_force 1
- regsub -nocase {^FORCE:} $svcert_default "" svcert_default
- }
- if {![file exists $svcert_default]} {
- set idir [get_idir_certs ""]
- if {$svcert_default == "CA"} {
- set svcert_default "$idir/CA/cacert.pem"
- } else {
- set svcert_default "$idir/$svcert_default"
- }
- }
-}
-
-if {$crlfil_default != ""} {
- if [regexp -nocase {^FORCE:} $crlfil_default] {
- set crlfil_default_force 1
- regsub -nocase {^FORCE:} $crlfil_default "" crlfil_default
- }
- if {![file exists $crlfil_default]} {
- set idir [get_idir_certs ""]
- set crlfil_default "$idir/$crlfil_default"
- }
-}
-
-if {$is_windows} {
- check_writable
-}
-
-
-set darwin_cotvnc 0
-if {$uname == "Darwin"} {
- if {! [info exists env(DISPLAY)]} {
- set darwin_cotvnc 1
- } elseif {[regexp {/tmp/} $env(DISPLAY)]} {
- set darwin_cotvnc 1
- }
- if [info exists env(SSVNC_HOME)] {
- set t "$env(SSVNC_HOME)/.vnc"
- if {! [file exists $t]} {
- catch {file mkdir $t}
- }
- }
-}
-
-##for testing macosx
-if [info exists env(FORCE_DARWIN)] {
- set uname Darwin
- set darwin_cotvnc 1
-}
-
-set putty_pw ""
-
-global scroll_text_focus
-set scroll_text_focus 1
-
-set multientry 1
-
-wm withdraw .
-if {$ssh_only} {
- wm title . "SSH VNC Viewer"
-} elseif {$ts_only} {
- wm title . "Terminal Services VNC Viewer"
-} else {
- wm title . "SSL/SSH VNC Viewer"
-}
-
-wm resizable . 1 0
-
-set_defaults
-if {$uname == "Darwin"} {
- if [info exists use_x11_macosx] {
- if {$use_x11_macosx} {
- set darwin_cotvnc 0
- }
- }
-}
-set skip_pre 0
-
-set vncdisplay ""
-set last_load ""
-set vncproxy ""
-set remote_ssh_cmd ""
-set vncauth_passwd ""
-
-global did_listening_message
-set did_listening_message 0
-
-global accepted_cert_dialog_in_progress
-set accepted_cert_dialog_in_progress 0
-
-global fetch_cert_filename
-set fetch_cert_filename ""
-
-set vhd "VNC Host:Display"
-if {$ssh_only} {
- label .l -text "SSH VNC Viewer" -relief ridge
-} elseif {$ts_only} {
- label .l -text "Terminal Services VNC Viewer" -relief ridge
- set vhd "VNC Terminal Server:"
-} else {
- label .l -text "SSL/SSH VNC Viewer" -relief ridge
-}
-
-set wl 21
-set we 40
-frame .f0
-if {$multientry} {
- label .f0.l -width $wl -anchor w -text "$vhd" -relief ridge
-} else {
- label .f0.l -anchor w -text "$vhd" -relief ridge
-}
-entry .f0.e -width $we -textvariable vncdisplay
-pack .f0.l -side left
-bind .f0.e <Return> launch
-bind .f0.e <Control-E> {toggle_vnc_prefix}
-pack .f0.e -side left -expand 1 -fill x
-
-if {[check_zeroconf_browse]} {
- menubutton .f0.mb -relief ridge -menu .f0.mb.m -text "Find"
- menu .f0.mb.m -tearoff 0 -postcommand {zeroconf_fill .f0.mb .f0.mb.m}
- pack .f0.mb -side left
-}
-
-frame .f1
-label .f1.l -width $wl -anchor w -text "VNC Password:" -relief ridge
-entry .f1.e -width $we -textvariable vncauth_passwd -show *
-pack .f1.l -side left
-pack .f1.e -side left -expand 1 -fill x
-bind .f1.e <Return> launch
-
-frame .fu
-label .fu.l -width $wl -anchor w -text "Unix Username:" -relief ridge
-entry .fu.e -width 14 -textvariable unixpw_username
-label .fu.m -anchor w -text "Unix Password:" -relief ridge
-entry .fu.f -textvariable unixpw_passwd -show *
-pack .fu.l -side left
-pack .fu.e .fu.m -side left
-pack .fu.f -side left -expand 1 -fill x
-bind .fu.f <Return> launch
-
-frame .f2
-label .f2.l -width $wl -anchor w -text "Proxy/Gateway:" -relief ridge
-entry .f2.e -width $we -textvariable vncproxy
-pack .f2.l -side left
-pack .f2.e -side left -expand 1 -fill x
-bind .f2.e <Return> launch
-
-frame .f3
-label .f3.l -width $wl -anchor w -text "Remote SSH Command:" -relief ridge
-entry .f3.e -width $we -textvariable remote_ssh_cmd
-pack .f3.l -side left
-pack .f3.e -side left -expand 1 -fill x
-.f3.l configure -state disabled
-.f3.e configure -state disabled
-bind .f3.e <Return> launch
-
-set remote_ssh_cmd_list {.f3.e .f3.l}
-
-frame .f4
-radiobutton .f4.ssl -anchor w -variable sshssl_sw -value ssl -command {ssl_ssh_adjust ssl} -text "Use SSL"
-radiobutton .f4.ssh -anchor w -variable sshssl_sw -value ssh -command {ssl_ssh_adjust ssh} -text "Use SSH"
-radiobutton .f4.sshssl -anchor w -variable sshssl_sw -value sshssl -command {ssl_ssh_adjust sshssl} -text "SSH+SSL"
-pack .f4.ssl .f4.ssh .f4.sshssl -side left -fill x
-
-set showing_no_encryption 0
-radiobutton .f4.none -anchor w -variable sshssl_sw -value none -command {ssl_ssh_adjust none} -text "None "
-if [disable_encryption] {
- pack .f4.none -side left
- set showing_no_encryption 1
-}
-
-global skip_verify_accepted_certs
-set skip_verify_accepted_certs 0
-global anon_dh_detected
-set anon_dh_detected 0
-global vencrypt_detected
-set vencrypt_detected ""
-
-global always_verify_ssl
-set always_verify_ssl 1;
-if {[info exists env(SSVNC_NO_VERIFY_ALL)]} {
- set always_verify_ssl 0;
-}
-
-if {$uname == "Darwin"} {
- button .f4.getcert -command {fetch_cert 1} -text "Fetch Cert"
-} else {
- button .f4.getcert -command {fetch_cert 1} -text "Fetch Cert" -padx 3
-}
-checkbutton .f4.always -variable always_verify_ssl -text "Verify All Certs" -command no_certs_tutorial_mesg
-pack .f4.getcert -side right -fill x
-if {[info exists env(SSVNC_NO_VERIFY_ALL_BUTTON)]} {
- set always_verify_ssl 0;
-} else {
- pack .f4.always -side right -fill x
-}
-
-if {$ssh_only || $ts_only} {
- ssl_ssh_adjust ssh
-} else {
- ssl_ssh_adjust ssl
-}
-
-frame .b
-button .b.help -text "Help" -command help
-button .b.certs -text "Certs ..." -command getcerts
-button .b.opts -text "Options ..." -command set_options
-button .b.load -text "Load" -command {load_profile}
-button .b.save -text "Save" -command {save_profile}
-button .b.conn -text "Connect" -command launch
-button .b.exit -text "Exit" -command {destroy .; exit}
-
-
-if {$ssh_only || $ts_only} {
- pack .b.opts .b.save .b.load .b.conn .b.help .b.exit -side left -expand 1 -fill x
-} else {
- pack .b.certs .b.opts .b.save .b.load .b.conn .b.help .b.exit -side left -expand 1 -fill x
-}
-
-if {$multientry} {
- if {! $is_windows} {
- if {$ssh_only} {
- pack .l .f0 .f1 .f2 .f3 .b -side top -fill x
- } elseif {$ts_only} {
- pack .l .f0 .f2 .b -side top -fill x
- } else {
- pack .l .f0 .f1 .f2 .f3 .f4 .b -side top -fill x
- }
- } else {
- if {$ssh_only} {
- pack .l .f0 .f2 .f3 .b -side top -fill x
- } elseif {$ts_only} {
- pack .l .f0 .f2 .b -side top -fill x
- } else {
- pack .l .f0 .f2 .f3 .f4 .b -side top -fill x
- }
- }
-} else {
- pack .l .f0 .b -side top -fill x
-}
-if {![info exists env(SSVNC_GUI_CHILD)] || $env(SSVNC_GUI_CHILD) == ""} {
- center_win .
-}
-focus .f0.e
-
-wm deiconify .
-
-global system_button_face
-set system_button_face ""
-foreach item [.b.help configure -bg] {
- set system_button_face $item
-}
-
-if {[info exists env(SSVNC_GUI_CMD)]} {
- set env(SSVNC_GUI_CHILD) 1
- bind . <Control-n> "exec $env(SSVNC_GUI_CMD) &"
-}
-bind . <Control-q> "destroy .; exit"
-bind . <Shift-Escape> "destroy .; exit"
-bind . <Control-s> "launch_shell_only"
-bind . <Control-p> {port_knock_only "" "KNOCK"}
-bind . <Control-P> {port_knock_only "" "FINISH"}
-bind . <Control-l> {load_profile}
-bind . <B3-ButtonRelease> {load_profile}
-
-bind . <Control-t> {toggle_tsonly}
-bind . <Control-d> {delete_profile}
-bind . <Shift-B3-ButtonRelease> {toggle_tsonly}
-bind . <Shift-B2-ButtonRelease> {toggle_tsonly}
-bind .l <Shift-ButtonRelease> {toggle_tsonly}
-bind . <Control-h> {toggle_sshonly}
-bind . <Control-T> {to_ssvnc}
-bind . <Control-a> {set_advanced_options}
-bind . <Control-o> {set_options}
-bind . <Control-u> {set_ssvncviewer_options}
-bind . <Control-e> {toggle_no_encryption}
-
-global entered_gui_top button_gui_top
-set entered_gui_top 0
-set button_gui_top 0
-bind . <Enter> {set entered_gui_top 1}
-bind .l <ButtonPress> {set button_gui_top 1}
-bind .f0.l <ButtonPress> {set button_gui_top 1}
-
-update
-
-mac_raise
-
-set didload 0
-
-for {set i 0} {$i < $argc} {incr i} {
- set item [lindex $argv $i]
- regsub {^--} $item "-" item
- if {$item == "."} {
- ;
- } elseif {$item == "-nv"} {
- set always_verify_ssl 0
- } elseif {$item == "-help"} {
- help
- } elseif {$item == "-ssh"} {
- ;
- } elseif {$item == "-bigger"} {
- ;
- } elseif {$item == "-ts"} {
- ;
- } elseif {$item == "-ss"} {
- ;
- } elseif {$item == "-ssl"} {
- ;
- } elseif {$item == "-tso"} {
- ;
- } elseif {$item == "-mycert" || $item == "-cert"} {
- incr i
- } elseif {$item == "-cacert" || $item == "-ca"} {
- incr i
- } elseif {$item == "-crl"} {
- incr i
- } elseif {$item == "-printhelp"} {
- print_help
- exit;
- } elseif {$item != ""} {
- if {[file exists $item] && [file isfile $item]} {
- set didload 1
- load_profile . $item
- } else {
- set ok 0
- set dir [get_profiles_dir]
- set try "$dir/$item"
- foreach try [list $dir/$item $dir/$item.vnc] {
- if {[file exists $try] && [file isfile $try]} {
- load_profile . $try
- set ok 1
- break;
- }
- }
- if {! $ok && [regexp {:[0-9][0-9]*$} $item]} {
- global vncdisplay
- set vncdisplay $item
- set ok 1
- }
-
- if {! $ok} {
- if {$ts_only || $ssh_only} {
- global vncdisplay
- set vncdisplay $item
- set ok 1
- }
- }
- if {$ok} {
- update
- set didload 1
- if [info exists env(SSVNC_PROFILE_LOADONLY)] {
- if {$env(SSVNC_PROFILE_LOADONLY) == "1"} {
- set ok 0
- }
- }
- if {$ok} {
- after 750
- launch
- }
- }
- }
- }
-}
diff --git a/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/stunnel-server.conf b/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/stunnel-server.conf
deleted file mode 100644
index 327327a..0000000
--- a/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/stunnel-server.conf
+++ /dev/null
@@ -1,38 +0,0 @@
-#
-# Example SSL stunnel SERVER configuration file. (e.g. for your VNC
-# server on this same machine.)
-#
-# To use this file you may need to edit it. Then you will need
-# to manually start up stunnel using it.
-# (e.g. /path/to/stunnel stunnel-server.conf)
-#
-# NOTE: You MUST specify a cert = PEM file line for server mode.
-# SSVNC or x11vnc can be used to create one if you like.
-#
-# This is just an example and is not used by the tools in this package.
-# It is here in case you wanted to see how to add SSL support to any
-# VNC server you have.
-#
-RNDbytes = 2048
-RNDfile = bananarand.bin
-RNDoverwrite = yes
-#
-# Remote client certs could go here:
-# CApath = /path/to/.../crt-dir
-# CAfile = /path/to/.../foo.crt
-# verify = 2
-#
-# The server cert goes here (**IT MUST BE SPECIFIED IN SERVER MODE**):
-# cert = /path/to/.../my.pem
-#
-[vnc]
-#
-# Set to local listening port number (e.g. 5901 for vnc display 1):
-# so the remote viewers would connect to: yourmachine:1
-#
-accept = 5901
-#
-# Set to localhost:port to connect to VNC server on this same machine:
-# (E.g. you run WinVNC on :0, preferably listening on localhost).
-#
-connect = localhost:5900