Diffstat (limited to 'x11vnc/help.c')
-rw-r--r-- x11vnc/help.c 99
1 files changed, 87 insertions, 12 deletions
diff --git a/x11vnc/help.c b/x11vnc/help.c
index 7cccbd4..113e0ac 100644
--- a/x11vnc/help.c
+++ b/x11vnc/help.c
@@ -348,16 +348,17 @@ void print_help(int mode) {
"\n"
"-input string Fine tuning of allowed user input. If \"string\" does\n"
" not contain a comma \",\" the tuning applies only to\n"
-" normal clients. Otherwise the part before \",\" is\n"
-" for normal clients and the part after for view-only\n"
-" clients. \"K\" is for Keystroke input, \"M\" for\n"
-" Mouse-motion input, and \"B\" for Button-click input.\n"
-" Their presence in the string enables that type of input.\n"
-" E.g. \"-input M\" means normal users can only move\n"
-" the mouse and \"-input KMB,M\" lets normal users do\n"
-" anything and enables view-only users to move the mouse.\n"
-" This option is ignored when a global -viewonly is in\n"
-" effect (all input is discarded in that case).\n"
+" normal clients. Otherwise the part before \",\" is for\n"
+" normal clients and the part after for view-only clients.\n"
+" \"K\" is for Keystroke input, \"M\" for Mouse-motion\n"
+" input, \"B\" for Button-click input, and \"C\" is for\n"
+" Clipboard input. Their presence in the string enables\n"
+" that type of input. E.g. \"-input M\" means normal\n"
+" users can only move the mouse and \"-input KMBC,M\"\n"
+" lets normal users do anything and enables view-only\n"
+" users to move the mouse. This option is ignored when\n"
+" a global -viewonly is in effect (all input is discarded\n"
+" in that case).\n"
"\n"
"-viewpasswd string Supply a 2nd password for view-only logins. The -passwd\n"
" (full-access) password must also be supplied.\n"
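Review bot: The reworded -input text adds "C" but does not say what happens to an existing "-input KMB" setting, which the old example described as letting normal users do anything. Given "Their presence in the string enables that type of input", such a setting now reads as leaving clipboard input off. Suggest one sentence stating the default when -input is not given and that a string without "C" disables clipboard input, and say which direction of clipboard transfer "Clipboard input" covers.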
@@ -399,7 +400,81 @@ void print_help(int mode) {
" used to have viewonly passwords. (tip: make the 3rd\n"
" and last line be \"__BEGIN_VIEWONLY__\" to have 2\n"
" full-access passwords)\n"
-
+"\n"
+"-unixpw [list] Experimental option: use Unix username and password\n"
+" authentication. x11vnc uses the su(1) program to\n"
+" verify the user's password. [list] is an optional\n"
+" comma separated list of allowed Unix usernames.\n"
+"\n"
+" A familiar \"login:\" and \"Password:\" dialog is\n"
+" presented to the user on a black screen inside the\n"
+" vncviewer. The connection is dropped if the user fails\n"
+" to supply the correct password in 3 tries or does not\n"
+" send one before a 20 second timeout. Existing clients\n"
+" are view-only during this period.\n"
+"\n"
+" *IMPORTANT*: to prevent the Unix password being sent in\n"
+" *clear text* over the network, two x11vnc options are\n"
+" enforced: 1) -localhost and 2) -stunnel. The former\n"
+" requires the viewer connection to appear to come from\n"
+" the same machine x11vnc is running on (e.g. from a ssh\n"
+" -L port redirection). The latter requires the -stunnel\n"
+" SSL mode be used (see the description below).\n"
+"\n"
+" To override these restrictions you can set environment\n"
+" variables before starting x11vnc:\n"
+"\n"
+" Set UNIXPW_DISABLE_STUNNEL=1 to disable using -stunnel.\n"
+" Evidently you will be using a different method to\n"
+" encrypt the data between the vncviewer and x11vnc:\n"
+" e.g. ssh(1) or a VPN. Note that use of ssh(1) with\n"
+" -localhost is roughly the same as requiring a Unix\n"
+" user login (since Unix password or the user's public\n"
+" key authentication is used by ssh)\n"
+"\n"
+" Set UNIXPW_DISABLE_LOCALHOST=1 to disable the -localhost\n"
+" requirement. One should never do this (i.e. allow the\n"
+" Unix passwords to be sniffed on the network).\n"
+"\n"
+" NOTE: in -inetd mode the two settings are not enforced\n"
+" since x11vnc does not make network connections in\n"
+" that case. Be sure to use encryption from the viewer\n"
+" to inetd. One can also have your own stunnel spawn\n"
+" x11vnc in -inetd mode.\n"
+"\n"
+"-stunnel [pem] Use the stunnel(1) (www.stunnel.org) to provide an\n"
+" encrypted SSL tunnel between viewers and x11vnc.\n"
+" This requires stunnel be installed on the system and\n"
+" available via PATH (n.b. stunnel is often installed in\n"
+" sbin directories). Version 4.x of stunnel is assumed.\n"
+"\n"
+" [pem] is optional, use \"-stunnel /path/to/stunnel.pem\"\n"
+" to specify a PEM certificate file to pass to stunnel.\n"
+"\n"
+" stunnel is started up as a child process and any SSL\n"
+" connections it receives are decrypted and sent to x11vnc\n"
+" over a local socket. The strings \"The SSL VNC desktop\n"
+" is ...\" and SSLPORT=... are printed out at startup.\n"
+"\n"
+" The -localhost option is enforced by default. Set\n"
+" STUNNEL_DISABLE_LOCALHOST=1 to disable the requirement.\n"
+"\n"
+" Your VNC viewer will need to be able to connect via SSL.\n"
+" Unfortunately not too many do this. UltraVNC seems to\n"
+" have a SSL plugin. It is not too difficult to set up\n"
+" an stunnel or other SSL tunnel on the viewer side.\n"
+"\n"
+" A simple example on Unix using stunnel 3.x is:\n"
+"\n"
+" %% stunnel -c -d localhost:5901 -r remote:5900\n"
+" %% vncviewer localhost:1\n"
+"\n"
+" For Windows, stunnel has been ported to it and there\n"
+" are probably other such tools available.\n"
+"\n"
+"-stunnel3 [pem] Use version 3.x stunnel command line syntax instead of\n"
+" version 4.x\n"
+"\n"
"-nopw Disable the big warning message when you use x11vnc\n"
" without some sort of password.\n"
"-storepasswd pass file Store password \"pass\" as the VNC password in the\n"
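Review bot: In the -unixpw text, the UNIXPW_DISABLE_LOCALHOST paragraph documents a switch that the same paragraph says one should never use, and nothing states what happens when it is combined with UNIXPW_DISABLE_STUNNEL=1: as written, setting both leaves the Unix password in clear text on the network. Suggest saying so explicitly next to the two variables, and likewise in the -inetd NOTE, where neither -localhost nor -stunnel is enforced and the only safeguard is the sentence "Be sure to use encryption from the viewer to inetd". Two smaller points: the -stunnel entry says "Version 4.x of stunnel is assumed" but the only viewer-side example uses stunnel 3.x syntax, so a note on the 4.x equivalent would help; and the sentence ending "key authentication is used by ssh)" is missing its period.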
@@ -2063,7 +2138,7 @@ void print_help(int mode) {
/* have both our help and rfbUsage to stdout for more(1), etc. */
dup2(1, 2);
- /* register extention(s) to get their help output */
+ /* register extension(s) to get their help output */
#ifdef LIBVNCSERVER_WITH_TIGHTVNC_FILETRANSFER
rfbRegisterTightVNCFileTransferExtension();
#endif