Diffstat (limited to 'classes')
-rwxr-xr-xclasses/ssl/ssl_vncviewer181
1 files changed, 148 insertions, 33 deletions
diff --git a/classes/ssl/ssl_vncviewer b/classes/ssl/ssl_vncviewer
index 820a666..96ad36d 100755
--- a/classes/ssl/ssl_vncviewer
+++ b/classes/ssl/ssl_vncviewer
@@ -1,21 +1,26 @@
#!/bin/sh
#
-# ssl_vncviewer: wrapper for vncviewer to use an stunnel SSL tunnel.
+# ssl_vncviewer: wrapper for vncviewer to use an stunnel SSL tunnel
+# or an SSH tunnel.
#
# Copyright (c) 2006 by Karl J. Runge <runge@karlrunge.com>
#
-# You must have stunnel(8) installed on the system and in your
-# PATH (n.b. stunnel is usually in an sbin subdir).
+# You must have stunnel(8) installed on the system and in your PATH
+# (however, see the -ssh option below, in which case you will need ssh(1)
+# installed) Note: stunnel is usually installed in an "sbin" subdirectory.
#
# You should have "x11vnc -ssl ..." or "x11vnc -stunnel ..."
-# running as the VNC server.
+# already running as the VNC server on the remote machine.
+# (or use stunnel on the server side for any other VNC server)
#
-# usage: ssl_vncviewer [cert-args] host:display <vncviewer-args>
+#
+# Usage: ssl_vncviewer [cert-args] host:display <vncviewer-args>
#
# e.g.: ssl_vncviewer snoopy:0
# ssl_vncviewer snoopy:0 -encodings "copyrect tight zrle hextile"
#
# [cert-args] can be:
+#
# -verify /path/to/cacert.pem
# -mycert /path/to/mycert.pem
# -proxy host:port
@@ -30,7 +35,39 @@
# to reach the VNC server (e.g. your firewall requires a proxy).
# For the "double proxy" case use -proxy host1:port1,host2:port2
#
-# A couple other args (not related to certs):
+# See http://www.karlrunge.com/x11vnc/#faq-ssl-ca for details on SSL
+# certificates with VNC.
+#
+# A few other args (not related to SSL and certs):
+#
+# -ssh Use ssh instead of stunnel SSL. ssh(1) must be installed and you
+# must be able to log into the remote machine via ssh.
+#
+# In this case "host:display" may be of the form "user@host:display"
+# where "user@host" is used for the ssh login (see ssh(1) manpage).
+#
+# If -proxy is supplied it can be of the forms: "gwhost" "gwhost:port"
+# "user@gwhost" or "user@gwhost:port". "gwhost" is an incoming ssh
+# gateway machine (the VNC server is not running there), an ssh -L
+# redir is used to "host" in "host:display" from "gwhost". Any "user@"
+# part must be in the -proxy string (not in "host:display").
+#
+# Under -proxy use "gwhost:port" if connecting to any ssh port
+# other than the default (22). (even for the non-gateway case,
+# -proxy must be used to specify a non-standard ssh port)
+#
+# Examples:
+#
+# ssl_vncviewer -ssh bob@bobs-home.net:0
+# ssl_vncviewer -ssh -sshcmd 'x11vnc -localhost' bob@bobs-home.net:0
+#
+# ssl_vncviewer -ssh -proxy fred@mygate.com:2022 mymachine:0
+# ssl_vncviewer -ssh -proxy bob@bobs-home.net:2222 localhost:0
+#
+#
+# -sshcmd cmd Run "cmd" via ssh instead of the default "sleep 15"
+# e.g. -sshcmd 'x11vnc -display :0 -localhost -rfbport 5900'
+#
#
# -alpha turn on cursor alphablending hack if you are using the
# enhanced tightvnc vncviewer.
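Review bot: The -proxy paragraph (the `If -proxy is supplied` lines) explains the gateway forward but not where the encryption stops: the `ssh -L` tunnel terminates on gwhost, so the gwhost-to-"host" leg is plain VNC unless "host" is gwhost's own loopback. I would add after the `Any "user@" part must be in the -proxy string` sentence: `# Note: the ssh tunnel ends at gwhost; the hop from gwhost to "host" is unencrypted VNC (use localhost:N with the VNC server on gwhost itself to keep the whole path inside ssh).` The same caveat applies to the `-L ${use}:${vnc_host}:${port}` line in the later hunk that builds the ssh command.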
@@ -40,14 +77,15 @@
# fvwm that do not otherwise work in fullscreen mode)
#
#
-# set VNCVIEWERCMD to whatever vncviewer command you want to use:
+# set VNCVIEWERCMD to whatever vncviewer command you want to use.
#
VNCIPCMD=${VNCVIEWERCMD:-vncip}
VNCVIEWERCMD=${VNCVIEWERCMD:-vncviewer}
#
-# Same for STUNNEL, e.g. /path/to/stunnel or stunnel4, etc.
+# Same for STUNNEL, e.g. set it to /path/to/stunnel or stunnel4, etc.
#
+
PATH=$PATH:/usr/sbin:/usr/local/sbin:/dist/sbin; export PATH
if [ "X$STUNNEL" = "X" ]; then
@@ -60,10 +98,13 @@ if [ "X$STUNNEL" = "X" ]; then
fi
help() {
- head -39 $0 | tail +2
+ tail +2 "$0" | sed -e '/^$/ q'
}
gotalpha=""
+use_ssh=""
+ssl_sleep=15
+ssh_cmd="sleep $ssl_sleep"
# grab our cmdline options:
while [ "X$1" != "X" ]
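Review bot: The new `help()` body `tail +2 "$0" | sed -e '/^$/ q'` prints the header up to the first empty line, which is the blank line this commit inserts just before `PATH=...` in the previous hunk; a blank line added anywhere earlier in the header comment will silently truncate the help text, and nothing records that coupling. I would comment it: `# print the header comment: line 2 up to the first blank line (keep the header free of blank lines)`. Also `tail +2` is the obsolescent option syntax that current GNU tail no longer accepts; `tail -n +2 "$0"` is the portable form.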
@@ -75,12 +116,18 @@ do
;;
"-proxy") shift; proxy="$1"
;;
+ "-ssh") use_ssh=1
+ ;;
+ "-sshcmd") shift; ssh_cmd="$1"
+ ;;
"-alpha") gotalpha=1
;;
"-grab") VNCVIEWER_GRAB_SERVER=1; export VNCVIEWER_GRAB_SERVER
;;
"-h"*) help; exit 0
;;
+ "--h"*) help; exit 0
+ ;;
*) break
;;
esac
@@ -95,6 +142,13 @@ fi
orig="$1"
shift
+if [ "X$use_ssh" = "X1" ]; then
+ if [ "X$mycert" != "X" -o "X$verify" != "X" ]; then
+ echo "-mycert and -verify cannot be used in -ssh mode"
+ exit 1
+ fi
+fi
+
# play around with host:display port:
if echo "$orig" | grep ':' > /dev/null; then
:
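Review bot: The error in the new -ssh mode check, `echo "-mycert and -verify cannot be used in -ssh mode"`, goes to stdout while the script exits 1; diagnostics belong on stderr so they are not mistaken for output: `echo "-mycert and -verify cannot be used in -ssh mode" >&2`. The same applies to the `ssh to $ssh_host failed.` message in the later ssh hunk and the `tmp file ... still exists` messages in `mytmp`.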
@@ -117,7 +171,7 @@ fi
use=""
inuse=""
if uname | grep Linux > /dev/null; then
- inuse=`netstat -ant | grep LISTEN | awk '{print $4}' | sed 's/^.*://'`
+ inuse=`netstat -ant | egrep 'LISTEN|WAIT|ESTABLISH|CLOSE' | awk '{print $4}' | sed 's/^.*://'`
elif uname | grep SunOS > /dev/null; then
inuse=`netstat -an -f inet -P tcp | grep LISTEN | awk '{print $1}' | sed 's/^.*\.//'`
fi
@@ -140,6 +194,53 @@ if [ "X$use" = "X" ]; then
use=`expr $use + 5930`
fi
+if [ $use -ge 5900 ]; then
+ N=`expr $use - 5900`
+else
+ N=$use
+fi
+
+if echo "$0" | grep vncip > /dev/null; then
+ VNCVIEWERCMD="$VNCIPCMD"
+fi
+
+if [ "X$use_ssh" = "X1" ]; then
+ ssh_port="22"
+ ssh_host="$host"
+ vnc_host="localhost"
+ ssh=${SSH:-"ssh -x"}
+ if [ "X$proxy" != "X" ]; then
+ ssh_port=`echo "$proxy" | awk -F: '{print $2}'`
+ if [ "X$ssh_port" = "X" ]; then
+ ssh_port="22"
+ fi
+ ssh_host=`echo "$proxy" | awk -F: '{print $1}'`
+ vnc_host="$host"
+ fi
+ echo ""
+ echo "Running ssh:"
+ echo "$ssh -f -p $ssh_port -L ${use}:${vnc_host}:${port} $ssh_host \"$ssh_cmd\""
+ $ssh -f -p $ssh_port -L ${use}:${vnc_host}:${port} $ssh_host "$ssh_cmd"
+ if [ "$?" != "0" ]; then
+ echo ""
+ echo "ssh to $ssh_host failed."
+ exit 1
+ fi
+ echo ""
+ if [ "X$ssh_cmd" = "Xsleep $ssl_sleep" ] ; then
+ sleep 1
+ else
+ # let any command get started a bit.
+ sleep 5
+ fi
+ echo ""
+ echo "Running viewer:"
+ echo $VNCVIEWERCMD "$@" localhost:$N
+ $VNCVIEWERCMD "$@" localhost:$N
+
+ exit $?
+fi
+
# create the stunnel config file:
if [ "X$verify" != "X" ]; then
if [ -d $verify ]; then
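Review bot: The status check after `$ssh -f -p $ssh_port -L ${use}:${vnc_host}:${port} $ssh_host "$ssh_cmd"` only catches a failed login: if the local listen port `$use` cannot be bound (it was chosen from a netstat scan and may have been taken since), ssh by default prints the bind failure and keeps running with status 0, so the viewer is then pointed at `localhost:$N` with no tunnel behind it. On OpenSSH versions that support it, adding `-o ExitOnForwardFailure=yes` turns that into a non-zero exit that the existing check already handles, e.g. `$ssh -o ExitOnForwardFailure=yes -f -p $ssh_port -L ${use}:${vnc_host}:${port} $ssh_host "$ssh_cmd"`; otherwise a re-check that `$use` is now listening should precede the viewer launch. The `sleep 1` / `sleep 5` before the viewer is a timing guess rather than a readiness check, and a comment saying so (`# no readiness signal from ssh -f; give the remote command a moment to start`) would help the next reader.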
@@ -154,6 +255,27 @@ if [ "X$mycert" != "X" ]; then
cert="cert = $mycert"
fi
+mytmp() {
+ tf=$1
+ rm -rf "$tf" || exit 1
+ if [ -d "$tf" ]; then
+ echo "tmp file $tf still exists as a directory."
+ exit 1
+ elif [ -L "$tf" ]; then
+ echo "tmp file $tf still exists as a symlink."
+ exit 1
+ elif [ -f "$tf" ]; then
+ echo "tmp file $tf still exists."
+ exit 1
+ fi
+ touch "$tf" || exit 1
+ chmod 600 "$tf" || exit 1
+}
+
+if echo "$RANDOM" | grep '[^0-9]' > /dev/null; then
+ RANDOM=`date +%S`
+fi
+
pcode() {
tf=$1
SSL_VNC_PROXY=$proxy; export SSL_VNC_PROXY
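Review bot: `mytmp` still has a time-of-check/time-of-use window: between the `-d`/`-L`/`-f` tests and `touch "$tf"`, another local user can place a symlink at the predictable `/tmp/ssl_vncviewer...` name, and both `touch` and `chmod 600` follow it, so the checks do not give the exclusive-create guarantee the function implies. The `$RANDOM` fallback below it also never fires on a non-bash /bin/sh, where `$RANDOM` expands to the empty string and `grep '[^0-9]'` matches nothing, leaving the names as `/tmp/ssl_vncviewer.$$.pl`; the test should read `if [ "X$RANDOM" = "X" ] || echo "$RANDOM" | grep '[^0-9]' > /dev/null; then`, and even then a `date +%S` seed is only 60 values. Where mktemp(1) is available, the callers in the next two hunks (`ptmp=...` and `tmp=...`) should use it instead, e.g. `ptmp=\`mktemp /tmp/ssl_vncviewer.XXXXXX\` || exit 1`, which creates the file atomically with mode 0600 and makes `mytmp` unnecessary. The `pcode` function opened at the end of this hunk continues outside it.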
@@ -274,19 +396,15 @@ sub xfer {
close($out);
}
'
- rm -f $tf
- if [ -f $tf ]; then
- echo "$tf still exists!"
- exit 1
- fi
echo "$cod" > $tf
chmod 700 $tf
}
ptmp=""
if [ "X$proxy" != "X" ]; then
- ptmp="/tmp/ssl_vncviewer.$$.pl"
- pcode $ptmp
+ ptmp="/tmp/ssl_vncviewer${RANDOM}.$$.pl"
+ mytmp "$ptmp"
+ pcode "$ptmp"
connect="exec = $ptmp"
else
connect="connect = $host:$port"
@@ -294,8 +412,10 @@ fi
##debug = 7
-tmp=/tmp/ssl_vncviewer.$$
-cat > $tmp <<END
+tmp=/tmp/ssl_vncviewer${RANDOM}.$$
+mytmp "$tmp"
+
+cat > "$tmp" <<END
foreground = yes
pid =
client = yes
@@ -311,12 +431,13 @@ END
echo ""
echo "Using this stunnel configuration:"
echo ""
-cat $tmp | uniq
+cat "$tmp" | uniq
echo ""
sleep 1
-echo "running: $STUNNEL $tmp"
-$STUNNEL $tmp < /dev/tty > /dev/tty &
+echo ""
+echo "Running: $STUNNEL $tmp"
+$STUNNEL "$tmp" < /dev/tty > /dev/tty &
pid=$!
echo ""
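Review bot: `cat "$tmp" | uniq` on the new line spawns cat only to feed a file that uniq can read itself; `uniq "$tmp"` does the same with one process. On the `$STUNNEL "$tmp" < /dev/tty > /dev/tty &` line the file is now quoted but `$STUNNEL` is still unquoted, which only works while STUNNEL is a bare command name or path without spaces; a comment next to the STUNNEL default (`# STUNNEL must be a single word: it is expanded unquoted`) would make that contract explicit.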
@@ -326,18 +447,12 @@ if [ "X$mycert" != "X" ]; then
sleep 4
fi
sleep 2
-rm -f $tmp
+rm -f "$tmp"
-if [ $use -ge 5900 ]; then
- n=`expr $use - 5900`
-fi
-
-if echo "$0" | grep vncip > /dev/null; then
- # hack for runge's special wrapper script vncip.
- $VNCIPCMD "$@" localhost:$n
-else
- $VNCVIEWERCMD "$@" localhost:$n
-fi
+echo ""
+echo "Running viewer:"
+echo $VNCVIEWERCMD "$@" localhost:$N
+$VNCVIEWERCMD "$@" localhost:$N
kill $pid
sleep 1