path: root/x11vnc/x11vnc.1
author: runge <runge> 2008-11-22 18:36:33 +0000
committer: runge <runge> 2008-11-22 18:36:33 +0000
commit: 6fbba525a924961083bf2e43bb841bd15671f526 (patch)
tree: 3ec0cf4b285fb0140294a151b801c91bc78a612e /x11vnc/x11vnc.1
parent: 63b98dba790fa9835e970b8502d93258862a9373 (diff)
x11vnc: x11vnc.desktop file. -reopen, -dhparams, -sslCRL,
-setdefer options. -rfbport PROMPT VeNCrypt and TLSVNC SSL/TLS encryption support. Tweaks to choose_delay() algorithm. -ssl ANON anonymous Diffie-Hellman mode. Fix bugs in certs management. Additions to tray=setpass naive user mode.
Diffstat (limited to 'x11vnc/x11vnc.1')
-rw-r--r--  x11vnc/x11vnc.1  270
1 files changed, 214 insertions, 56 deletions
diff --git a/x11vnc/x11vnc.1 b/x11vnc/x11vnc.1
index 0d822ed..7053ef9 100644
--- a/x11vnc/x11vnc.1
+++ b/x11vnc/x11vnc.1
@@ -2,7 +2,7 @@
.TH X11VNC "1" "November 2008" "x11vnc " "User Commands"
.SH NAME
x11vnc - allow VNC connections to real X11 displays
- version: 0.9.6, lastmod: 2008-11-04
+ version: 0.9.6, lastmod: 2008-11-22
.SH SYNOPSIS
.B x11vnc
[OPTION]...
@@ -90,6 +90,22 @@ Automatically probe for a free VNC port starting at n.
The default is to start probing at 5900. Use this to
stay away from other VNC servers near 5900.
.PP
+\fB-rfbport\fR \fIstr\fR
+.IP
+The VNC port to listen on (a libvncserver option), e.g.
+5900, 5901, etc. If specified as "\fB-rfbport\fR \fIPROMPT\fR"
+then the x11vnc \fB-gui\fR is used to prompt the user to
+enter the port number.
+.PP
+\fB-reopen\fR
+.IP
+If the X server connection is disconnected, try to
+reopen the X display (up to one time.) This is of use
+for display managers like GDM (KillInitClients option)
+that kill x11vnc just after the user logs into the
+X session. Note: the reopened state may be unstable.
+Set X11VNC_REOPEN_DISPLAY=n to reopen n times.
+.PP
\fB-reflect\fR \fIhost:N\fR
.IP
Instead of connecting to and polling an X display,
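Review bot: the -rfbport entry says "-rfbport PROMPT" uses the x11vnc -gui to ask for the port, but not what happens when the gui cannot be started (no DISPLAY for it, tk missing): state whether x11vnc falls back to the default 5900 or exits. In the -reopen entry, "the reopened state may be unstable" should say what is lost on reopen, in particular whether existing VNC client connections survive, so a user of GDM's KillInitClients knows what to expect; and since the text says "up to one time", the entry should state the default of X11VNC_REOPEN_DISPLAY explicitly (presumably 1).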
@@ -1408,6 +1424,89 @@ module for the h/w display however it will work only
for finding the display and the user must already be
logged into the X console.
.PP
+\fB-vencrypt\fR \fImode\fR
+.IP
+The VeNCrypt extension to the VNC protocol allows
+encrypted SSL/TLS connections. If the \fB-ssl\fR mode is
+enabled, then VeNCrypt is enabled as well BY DEFAULT
+(they both use the SSL/TLS tunnel, only the protocol
+handshake is a little different.)
+.IP
+To control when and how VeNCrypt is used, specify the
+mode string. If mode is "never", then VeNCrypt is
+not used. If mode is "support" (the default) then
+VeNCrypt is supported. If mode is "only", then the
+similar and older TLSVNC protocol is not simultaneously
+supported. x11vnc's normal SSL mode (vncs://) will be
+supported under \fB-ssl\fR unless you set mode to "force".
+.IP
+If mode is prefixed with "nodh:", then Diffie Hellman
+anonymous key exchange is disabled. If mode is prefixed
+with "nox509:", then X509 key exchange is disabled.
+.IP
+To disable all Anonymous Diffie-Hellman access
+(susceptible to Man-In-The-Middle attack) you will need
+to supply "\fB-vencrypt\fR \fInodh:support \fB-tlsvnc\fR never\fR"
+.IP
+If mode is prefixed with "newdh:", then new Diffie
+Hellman parameters are generated for each connection
+(this can be time consuming: 1-60 secs) rather than
+using the fixed values in the program. Using fixed,
+publicly known values is not known to be a security
+problem. This setting applies to TLSVNC as well.
+.IP
+Long example: \fB-vencrypt\fR newdh:nox509:support
+.IP
+Also, if mode is prefixed with "plain:", then
+if \fB-unixpw\fR mode is active the VeNCrypt "*Plain"
+username+passwd method is enabled for Unix logins.
+Otherwise in \fB-unixpw\fR mode the normal login panel is
+provided.
+.IP
+You *MUST* supply the \fB-ssl\fR option for VeNCrypt to be
+active. This option only fine-tunes its operation.
+.PP
+\fB-tlsvnc\fR \fImode\fR
+.IP
+The TLSVNC extension to the VNC protocol allows
+encrypted SSL/TLS connections. If the \fB-ssl\fR mode is
+enabled, then TLSVNC is enabled as well BY DEFAULT
+(they both use the SSL/TLS tunnel, only the protocol
+handshake is a little different.)
+.IP
+To control when and how TLSVNC is used, specify the
+mode string. If mode is "never", then TLSVNC is not
+used. If mode is "support" (the default) then TLSVNC
+is supported. If mode is "only", then the similar
+VeNCrypt protocol is not simultaneously supported.
+x11vnc's normal SSL mode (vncs://) will be supported
+under \fB-ssl\fR unless you set mode to "force".
+.IP
+If mode is prefixed with "newdh:", then new Diffie
+Hellman parameters are generated for each connection
+(this can be time consuming: 1-60 secs) rather than
+using the fixed values in the program. Using fixed,
+publicly known values is not known to be a security
+problem. This setting applies to VeNCrypt as well.
+See the description of "plain:" under \fB-vencrypt.\fR
+.IP
+Long example: \fB-tlsvnc\fR newdh:plain:support
+.IP
+You *MUST* supply the \fB-ssl\fR option for TLSVNC to be
+active. This option only fine-tunes its operation.
+.PP
+\fB-dhparams\fR \fIfile\fR
+.IP
+For some operations a set of Diffie Hellman parameters
+(prime and generator) is needed. If so, use the
+parameters in \fIfile\fR. In particular, the VeNCrypt and
+TLSVNC anonymous DH mode need them. By default a
+fixed set is used. If you do not want to do that you
+can specify "newdh:" to the \fB-vencrypt\fR and \fB-tlsvnc\fR
+options to generate a new set each session. If that
+is too slow for you, use \fB-dhparams\fR file to a set you
+created manually via "openssl dhparam \fB-out\fR file 1024"
+.PP
\fB-nossl\fR
.IP
Disable the \fB-ssl\fR option (see below). Since \fB-ssl\fR is off
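Review bot: the -vencrypt and -tlsvnc mode lists ("never", "support", "only") do not include "force", yet the next sentence says the normal vncs:// SSL handshake is supported "unless you set mode to "force""; list "force" as a value and say it disables the plain SSL handshake. The two options are also asymmetric: -vencrypt documents the "nodh:" and "nox509:" prefixes but -tlsvnc does not, which is why the recipe for disabling anonymous DH is "-vencrypt nodh:support -tlsvnc never"; say explicitly that TLSVNC has no nodh: prefix and must be switched off entirely. The "plain:" paragraph needs a warning: the VeNCrypt *Plain method carries the Unix username and password inside the tunnel, so together with "-ssl ANON" (no server certificate and Man-In-The-Middle susceptible, per the -ssl text in this patch) a man-in-the-middle can capture Unix login credentials; recommend plain: only with a saved or otherwise verified server cert. In -dhparams, where the example is "openssl dhparam -out file 1024", consider suggesting a larger group for a parameter file that is created once and reused.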
@@ -1417,44 +1516,49 @@ to unset any *earlier* \fB-ssl\fR option (or \fB-svc...)\fR
\fB-ssl\fR \fI[pem]\fR
.IP
Use the openssl library (www.openssl.org) to provide a
-built-in encrypted SSL tunnel between VNC viewers and
-x11vnc. This requires libssl support to be compiled
+built-in encrypted SSL/TLS tunnel between VNC viewers
+and x11vnc. This requires libssl support to be compiled
into x11vnc at build time. If x11vnc is not built
with libssl support it will exit immediately when \fB-ssl\fR
is prescribed.
.IP
-The VNC Viewer-side needs support SSL as well.
-See this URL and also the discussion below for ideas
-on how to enable SSL support for the viewer:
+The VNC Viewer-side needs to support SSL/TLS as well.
+See this URL and also the discussion below for
+ideas on how to enable SSL support for the viewer:
http://www.karlrunge.com/x11vnc/#faq-ssl-tunnel-viewers
+x11vnc provides an SSL enabled Java viewer applet in
+the classes/ssl directory (-http or \fB-httpdir\fR options.)
+The SSVNC viewer package supports SSL too.
.IP
-[pem] is optional, use "\fB-ssl\fR \fI/path/to/mycert.pem\fR"
-to specify a PEM certificate file to use to identify
-and provide a key for this server. See
+[pem] is optional, use "\fB-ssl\fR \fI/path/to/mycert.pem\fR" to
+specify a PEM certificate file to use to identify and
+provide a key for this server. See
.IR openssl (1)
-for
-more info about PEMs and the \fB-sslGenCert\fR option below.
-.IP
-The connecting VNC viewer SSL tunnel can optionally
-authenticate this server if they have the public
-key part of the certificate (or a common certificate
-authority, CA, is a more sophisticated way to verify
-this server's cert, see \fB-sslGenCA\fR below). This is
-used to prevent man-in-the-middle attacks. Otherwise,
-if the VNC viewer accepts this server's key without
-verification, at least the traffic is protected
-from passive sniffing on the network (but *NOT* from
-man-in-the-middle attacks).
+for more
+info about PEMs and the \fB-sslGenCert\fR and "\fB-ssl\fR \fISAVE\fR"
+options below for how to create them.
+.IP
+The connecting VNC viewer SSL tunnel can (optionally)
+authenticate this server if they have the public key
+part of the certificate (or a common certificate
+authority, CA, is a more sophisticated way to
+verify this server's cert, see \fB-sslGenCA\fR below).
+This is used to prevent Man-In-The-Middle attacks.
+Otherwise, if the VNC viewer accepts this server's
+key WITHOUT verification, the traffic is protected
+from passive sniffing on the network, but *NOT* from
+Man-In-The-Middle attacks.
.IP
If [pem] is not supplied and the
.IR openssl (1)
utility
command exists in PATH, then a temporary, self-signed
-certificate will be generated for this session (this
-may take 5-30 seconds on slow machines). If
+certificate will be generated for this session
+(this may take 5-30 seconds on very slow machines).
+If
.IR openssl (1)
-cannot be used to generate a temporary certificate
-x11vnc exits immediately.
+cannot be used to generate a temporary
+certificate x11vnc exits immediately.
.IP
If successful in using
.IR openssl (1)
@@ -1462,17 +1566,27 @@ to generate a
temporary certificate, the public part of it will be
displayed to stderr (e.g. one could copy it to the
client-side to provide authentication of the server to
-VNC viewers.) See following paragraphs for how to save
-keys to reuse when x11vnc is restarted.
-.IP
-Set the env. var. X11VNC_SHOW_TMP_PEM=1 to have x11vnc
-print out the entire certificate, including the PRIVATE
-KEY part, to stderr. One could reuse this cert if saved
-in a [pem] file. Similarly, set X11VNC_KEEP_TMP_PEM=1
-to not delete the temporary PEM file: the file name
-will be printed to stderr (so one could move it to
-a safe place for reuse). You will be prompted for a
-passphrase for the private key.
+VNC viewers.)
+.IP
+NOTE: Unless you safely copy the public part of the
+temporary Cert to the viewer for authenticate *every
+time* (unlikely...), then only passive sniffing
+attacks are prevented and you are still open to
+Man-In-The-Middle attacks. See the following
+paragraphs for how to save keys to reuse them when
+x11vnc is restarted. With saved keys AND the VNC viewer
+authenticating them by using the public certificate,
+then Man-In-The-Middle attacks are prevented.
+.IP
+If [pem] is "ANON" then the Diffie-Hellman anonymous
+key exchange method is used. In this mode there
+are *no* SSL certificates and so it is not possible
+to authenticate either the VNC server or VNC client.
+Thus only passive network sniffing attacks are avoided:
+the "ANON" method is susceptible to Man-In-The-Middle
+attacks. "ANON" is not recommended; instead use
+a SSL PEM you created or the "SAVE" method in the
+next paragraph.
.IP
If [pem] is "SAVE" then the certificate will be saved
to the file ~/.vnc/certs/server.pem, or if that file
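Review bot: grammar in the NOTE paragraph: "copy the public part of the temporary Cert to the viewer for authenticate *every time*" should read "for authentication every time". The ANON paragraph should cross-reference the "nodh:" prefix of -vencrypt documented earlier in this patch, since that is the knob that turns anonymous DH back off when a real PEM is in use, and it should say whether "-ssl ANON" selects anonymous DH only for the plain vncs:// handshake or for the VeNCrypt and TLSVNC handshakes as well.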
@@ -1488,19 +1602,17 @@ to refer to the file ~/.vnc/certs/server-<string>.pem
instead. E.g. "SAVE-charlie" will store to the file
~/.vnc/certs/server-charlie.pem
.IP
+Examples: x11vnc \fB-ssl\fR SAVE \fB-display\fR :0 ...
+x11vnc \fB-ssl\fR SAVE-other \fB-display\fR :0 ...
+.IP
See \fB-ssldir\fR below to use a directory besides the
default ~/.vnc/certs
.IP
-Example: x11vnc \fB-ssl\fR SAVE \fB-display\fR :0 ...
-.IP
-Your VNC viewer will need to be able to connect
-via SSL. See the discussion below under \fB-stunnel\fR and
-http://www.karlrunge.com/x11vnc/#faq-ssl-tunnel-viewers
-for how this might be achieved. E.g. on Unix it is
-easy to write a shell script that starts up stunnel
-and then vncviewer. Also in the x11vnc source a SSL
-enabled Java VNC Viewer applet is provided in the
-classes/ssl directory.
+Misc Info: In temporary cert creation mode, set the
+env. var. X11VNC_SHOW_TMP_PEM=1 to have x11vnc print out
+the entire certificate, including the PRIVATE KEY part,
+to stderr. There are better ways to get/save this info.
+See "SAVE" above and "\fB-sslGenCert\fR" below.
.PP
\fB-ssltimeout\fR \fIn\fR
.IP
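Review bot: the paragraph removed in the previous hunk documented X11VNC_KEEP_TMP_PEM=1 (keep the temporary PEM file and print its name) and the passphrase prompt, but the replacement "Misc Info" paragraph only re-adds X11VNC_SHOW_TMP_PEM. If the KEEP variable is still honored, keep its one-line description; if it was removed, say so in the commit message. "print out the entire certificate, including the PRIVATE KEY part, to stderr" also deserves a caution that with -o/-logfile (which redirects stderr to a file, see the -o hunk in this patch) the private key ends up in the log file.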
@@ -1656,6 +1768,39 @@ Certificates" actions as does the Java applet plugin
Control Panel. stunnel can also use these files (see
the ss_vncviewer example script in the FAQ.)
.PP
+\fB-sslCRL\fR \fIpath\fR
+.IP
+Set the Certificate Revocation Lists (CRL) to \fIpath\fR.
+.IP
+If path is a file, the file contains one more more CRLs
+in PEM format. If path is a directory, it contains
+hash named files of CRLs in the usual OpenSSL manner.
+See the OpenSSL and
+.IR stunnel (8)
+documentation for
+more info.
+.IP
+This option only applies if \fB-sslverify\fR has been
+supplied: it checks for revocation along the
+certificate chain used to verify the VNC client.
+The \fB-sslCRL\fR setting will be ignored when \fB-sslverify\fR is
+not specified.
+.IP
+Only rarely will one's x11vnc \fB-ssl\fR infrastructure be so
+large that this option would be useful (since normally
+maintaining the contents of the \fB-sslverify\fR file or
+directory should be enough.) However, when using
+x11vnc with a Certificate Authority (see \fB-sslGenCA)\fR
+to authenticate Clients via SSL/TLS, the \fB-sslCRL\fR option
+can be useful to revoke users' certs whose private SSL
+keys were lost or stolen (e.g. laptop.) This way a new
+CA cert+key does not need to be created and new signed
+client keys generated and distributed to all users.
+.IP
+To create a CRL file with revoked certificates the
+commands 'openssl ca \fB-revoke\fR ...' and 'openssl ca
+\fB-gencrl\fR ...' are useful. (Run them in ~/.vnc/certs)
+.PP
\fB-sslGenCA\fR \fI[dir]\fR
.IP
Generate your own Certificate Authority private key,
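Review bot: typo "one more more CRLs" should be "one or more CRLs". The entry says -sslCRL is ignored without -sslverify; it should also say what happens when path exists but cannot be read or parsed, or when the CRL has expired: whether x11vnc refuses client connections or proceeds without revocation checking. A CRL that fails open defeats the stated purpose of revoking certs whose private keys were lost or stolen. Worth adding that the CRL produced by "openssl ca -gencrl" has to be re-issued periodically, so the reader knows this is ongoing maintenance rather than a one-off.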
@@ -2606,9 +2751,12 @@ to handle all subsequent resizes (e.g. under \fB-xrandr,\fR
.PP
\fB-o\fR \fIlogfile\fR
.IP
-Write stderr messages to file \fIlogfile\fR instead of
-to the terminal. Same as "\fB-logfile\fR \fIfile\fR". To append
+Write stderr messages to file \fIlogfile\fR instead of to
+the terminal. Same as "\fB-logfile\fR \fIfile\fR". To append
to the file use "\fB-oa\fR \fIfile\fR" or "\fB-logappend\fR \fIfile\fR".
+If \fIlogfile\fR contains the string "%VNCDISPLAY"
+it is expanded to the vnc display (the name may need
+to be guessed at.) "%HOME" works too.
.PP
\fB-flag\fR \fIfile\fR
.IP
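Review bot: "%VNCDISPLAY ... (the name may need to be guessed at.)" is too vague for something that decides a file path: say what the expansion is when the display cannot be determined (left literal, empty, or a placeholder) so the log does not land at an unexpected path. Since -autoport (top of this man page) probes for a free port starting at 5900, the display number is not known until the listen socket is bound; state whether the expansion and file open happen before or after that.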
@@ -3745,6 +3893,12 @@ has been recent user input (pointer or keyboard).
Improves response, but increases the load whenever you
are moving the mouse or typing. Default: 2.00
.PP
+\fB-setdefer\fR \fIn\fR
+.IP
+When the \fB-wait_ui\fR mechanism cuts down the wait time ms,
+set the defer time to the same ms value. n=1 to enable,
+0 to disable, and -1 to set defer to 0 (no delay).
+.PP
\fB-nowait_bog\fR
.IP
Do not detect if the screen polling is "bogging down"
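Review bot: -setdefer lists n=1, 0 and -1 but not the default; state it, following the convention of the -wait_ui entry just above ("Default: 2.00"). "cuts down the wait time ms" reads awkwardly; "reduces the wait time (in ms)".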
@@ -4715,6 +4869,10 @@ mdns enable avahi service advertising.
.IP
nomdns disable avahi service advertising.
.IP
+zeroconf enable avahi service advertising.
+.IP
+nozeroconf disable avahi service advertising.
+.IP
connect:host do reverse connection to host, "host"
may be a comma separated list of hosts
or host:ports. See \fB-connect.\fR Passwords
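Review bot: zeroconf and nozeroconf are evidently aliases for mdns/avahi and nomdns/noavahi; write "same as mdns" and "same as nomdns" instead of repeating the description word for word, so readers do not look for a difference (the keyword list later in this patch already groups them together).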
@@ -5287,13 +5445,13 @@ nooverlay_yescursor overlay_nocursor 8to24 no8to24
viewonly noviewonly shared noshared forever noforever
once timeout tightfilexfer notightfilexfer ultrafilexfer
noultrafilexfer rfbversion deny lock nodeny unlock
-avahi mdns noavahi nomdns connect proxy allowonce
-allow localhost nolocalhost listen lookup nolookup
-accept afteraccept gone shm noshm flipbyteorder
-noflipbyteorder onetile noonetile solid_color solid
-nosolid blackout xinerama noxinerama xtrap noxtrap
-xrandr noxrandr xrandr_mode rotate padgeom quiet
-q noquiet modtweak nomodtweak xkb noxkb capslock
+avahi mdns zeroconf noavahi nomdns nozeroconf connect
+proxy allowonce allow localhost nolocalhost listen
+lookup nolookup accept afteraccept gone shm noshm
+flipbyteorder noflipbyteorder onetile noonetile
+solid_color solid nosolid blackout xinerama noxinerama
+xtrap noxtrap xrandr noxrandr xrandr_mode rotate padgeom
+quiet q noquiet modtweak nomodtweak xkb noxkb capslock
nocapslock skip_lockkeys noskip_lockkeys skip_keycodes
sloppy_keys nosloppy_keys skip_dups noskip_dups
add_keysyms noadd_keysyms clear_mods noclear_mods