From 79310af7e7a289d2baf1bdc295daefdcc76ecc0e Mon Sep 17 00:00:00 2001
From: runge
Date: Sat, 25 Feb 2006 05:10:37 +0000
Subject: x11vnc: -unixpw and -stunnel. Add clipboard to input control.
---
 x11vnc/help.c | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 87 insertions(+), 12 deletions(-)
(limited to 'x11vnc/help.c')
diff --git a/x11vnc/help.c b/x11vnc/help.c
index 7cccbd4..113e0ac 100644
--- a/x11vnc/help.c
+++ b/x11vnc/help.c
@@ -348,16 +348,17 @@ void print_help(int mode) {
 "\n"
 "-input string Fine tuning of allowed user input. If \"string\" does\n"
 " not contain a comma \",\" the tuning applies only to\n"
-" normal clients. Otherwise the part before \",\" is\n"
-" for normal clients and the part after for view-only\n"
-" clients. \"K\" is for Keystroke input, \"M\" for\n"
-" Mouse-motion input, and \"B\" for Button-click input.\n"
-" Their presence in the string enables that type of input.\n"
-" E.g. \"-input M\" means normal users can only move\n"
-" the mouse and \"-input KMB,M\" lets normal users do\n"
-" anything and enables view-only users to move the mouse.\n"
-" This option is ignored when a global -viewonly is in\n"
-" effect (all input is discarded in that case).\n"
+" normal clients. Otherwise the part before \",\" is for\n"
+" normal clients and the part after for view-only clients.\n"
+" \"K\" is for Keystroke input, \"M\" for Mouse-motion\n"
+" input, \"B\" for Button-click input, and \"C\" is for\n"
+" Clipboard input. Their presence in the string enables\n"
+" that type of input. E.g. \"-input M\" means normal\n"
+" users can only move the mouse and \"-input KMBC,M\"\n"
+" lets normal users do anything and enables view-only\n"
+" users to move the mouse. This option is ignored when\n"
+" a global -viewonly is in effect (all input is discarded\n"
+" in that case).\n"
 "\n"
 "-viewpasswd string Supply a 2nd password for view-only logins. The -passwd\n"
 " (full-access) password must also be supplied.\n"
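Review bot: The new "C" entry does not say which clipboard direction it controls. Sitting under "allowed user input", it presumably covers only text the viewer sends to the X server, but an operator locking down view-only clients could read it as stopping all clipboard sharing. If it matches the implementation, which is not visible in this hunk, I would add a sentence such as `"C" only controls clipboard data received from the viewer; it does not stop the X selection from being sent to viewers.` The example change from "KMB" to "KMBC" also suggests that existing `-input KMB` invocations now discard viewer clipboard data, which is worth stating. print_help() begins and ends outside this hunk.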
@@ -399,7 +400,81 @@ void print_help(int mode) {
 " used to have viewonly passwords. (tip: make the 3rd\n"
 " and last line be \"__BEGIN_VIEWONLY__\" to have 2\n"
 " full-access passwords)\n"
-
+"\n"
+"-unixpw [list] Experimental option: use Unix username and password\n"
+" authentication. x11vnc uses the su(1) program to\n"
+" verify the user's password. [list] is an optional\n"
+" comma separated list of allowed Unix usernames.\n"
+"\n"
+" A familiar \"login:\" and \"Password:\" dialog is\n"
+" presented to the user on a black screen inside the\n"
+" vncviewer. The connection is dropped if the user fails\n"
+" to supply the correct password in 3 tries or does not\n"
+" send one before a 20 second timeout. Existing clients\n"
+" are view-only during this period.\n"
+"\n"
+" *IMPORTANT*: to prevent the Unix password being sent in\n"
+" *clear text* over the network, two x11vnc options are\n"
+" enforced: 1) -localhost and 2) -stunnel. The former\n"
+" requires the viewer connection to appear to come from\n"
+" the same machine x11vnc is running on (e.g. from a ssh\n"
+" -L port redirection). The latter requires the -stunnel\n"
+" SSL mode be used (see the description below).\n"
+"\n"
+" To override these restrictions you can set environment\n"
+" variables before starting x11vnc:\n"
+"\n"
+" Set UNIXPW_DISABLE_STUNNEL=1 to disable using -stunnel.\n"
+" Evidently you will be using a different method to\n"
+" encrypt the data between the vncviewer and x11vnc:\n"
+" e.g. ssh(1) or a VPN. Note that use of ssh(1) with\n"
+" -localhost is roughly the same as requiring a Unix\n"
+" user login (since Unix password or the user's public\n"
+" key authentication is used by ssh)\n"
+"\n"
+" Set UNIXPW_DISABLE_LOCALHOST=1 to disable the -localhost\n"
+" requirement. One should never do this (i.e. allow the\n"
+" Unix passwords to be sniffed on the network).\n"
+"\n"
+" NOTE: in -inetd mode the two settings are not enforced\n"
+" since x11vnc does not make network connections in\n"
+" that case. Be sure to use encryption from the viewer\n"
+" to inetd. One can also have your own stunnel spawn\n"
+" x11vnc in -inetd mode.\n"
+"\n"
+"-stunnel [pem] Use the stunnel(1) (www.stunnel.org) to provide an\n"
+" encrypted SSL tunnel between viewers and x11vnc.\n"
+" This requires stunnel be installed on the system and\n"
+" available via PATH (n.b. stunnel is often installed in\n"
+" sbin directories). Version 4.x of stunnel is assumed.\n"
+"\n"
+" [pem] is optional, use \"-stunnel /path/to/stunnel.pem\"\n"
+" to specify a PEM certificate file to pass to stunnel.\n"
+"\n"
+" stunnel is started up as a child process and any SSL\n"
+" connections it receives are decrypted and sent to x11vnc\n"
+" over a local socket. The strings \"The SSL VNC desktop\n"
+" is ...\" and SSLPORT=... are printed out at startup.\n"
+"\n"
+" The -localhost option is enforced by default. Set\n"
+" STUNNEL_DISABLE_LOCALHOST=1 to disable the requirement.\n"
+"\n"
+" Your VNC viewer will need to be able to connect via SSL.\n"
+" Unfortunately not too many do this. UltraVNC seems to\n"
+" have a SSL plugin. It is not too difficult to set up\n"
+" an stunnel or other SSL tunnel on the viewer side.\n"
+"\n"
+" A simple example on Unix using stunnel 3.x is:\n"
+"\n"
+" %% stunnel -c -d localhost:5901 -r remote:5900\n"
+" %% vncviewer localhost:1\n"
+"\n"
+" For Windows, stunnel has been ported to it and there\n"
+" are probably other such tools available.\n"
+"\n"
+"-stunnel3 [pem] Use version 3.x stunnel command line syntax instead of\n"
+" version 4.x\n"
+"\n"
 "-nopw Disable the big warning message when you use x11vnc\n"
 " without some sort of password.\n"
 "-storepasswd pass file Store password \"pass\" as the VNC password in the\n"
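Review bot: The -stunnel text never tells the reader that the viewer must verify the server certificate, although it presents the tunnel as what keeps -unixpw passwords out of clear text; the stunnel 3.x example (`stunnel -c -d localhost:5901 -r remote:5900`) shows no verification step. Encryption without peer authentication still leaves the Unix password exposed to an active man-in-the-middle, so the help should say so, e.g. `" Note: the viewer side should verify the x11vnc certificate;\n"` followed by `" an unverified SSL tunnel does not stop a man-in-the-middle.\n"`. It would also help to state which certificate is used when [pem] is omitted. Leaving out [list] presumably admits any account su(1) can authenticate, which should be stated too. print_help() begins and ends outside this hunk.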
@@ -2063,7 +2138,7 @@ void print_help(int mode) { /* have both our help and rfbUsage to stdout for more(1), etc. */ dup2(1, 2); - /* register extention(s) to get their help output */ + /* register extension(s) to get their help output */ #ifdef LIBVNCSERVER_WITH_TIGHTVNC_FILETRANSFER rfbRegisterTightVNCFileTransferExtension(); #endif -- cgit v1.2.1