From a9a9c812f7feb5bfb1d017575762c6a6390227b9 Mon Sep 17 00:00:00 2001 From: runge Date: Sun, 5 Mar 2006 00:35:33 +0000 Subject: x11vnc: -unixpw on *bsd, hpux and tru64. -unixpw_nis mode. stunnel and gui tweaks. --- x11vnc/help.c | 122 +++++++++++++++++++++++++++++++++------------------------- 1 file changed, 70 insertions(+), 52 deletions(-) (limited to 'x11vnc/help.c') diff --git a/x11vnc/help.c b/x11vnc/help.c index d31a038..a0c1bc3 100644 --- a/x11vnc/help.c +++ b/x11vnc/help.c 
@@ -401,34 +401,38 @@ void print_help(int mode) { " and last line be \"__BEGIN_VIEWONLY__\" to have 2\n" " full-access passwords)\n" "\n" -"-unixpw [list] Experimental option: use Unix username and password\n" -" authentication. x11vnc uses the su(1) program to verify\n" -" the user's password. [list] is an optional comma\n" -" separated list of allowed Unix usernames. See below\n" -" for per-user options that can be applied.\n" +"-unixpw [list] Use Unix username and password authentication. x11vnc\n" +" uses the su(1) program to verify the user's password.\n" +" [list] is an optional comma separated list of allowed\n" +" Unix usernames. See below for per-user options that\n" +" can be applied.\n" "\n" " A familiar \"login:\" and \"Password:\" dialog is\n" " presented to the user on a black screen inside the\n" " vncviewer. The connection is dropped if the user fails\n" " to supply the correct password in 3 tries or does not\n" -" send one before a 20 second timeout. Existing clients\n" +" send one before a 25 second timeout. Existing clients\n" " are view-only during this period.\n" "\n" " Since the detailed behavior of su(1) can vary from\n" " OS to OS and for local configurations, please test\n" " the mode carefully on your systems before using it.\n" -" Try different combinations of valid/invalid usernames\n" -" and passwords.\n" +" E.g. try different combinations of valid/invalid\n" +" usernames and valid/invalid passwords to see if it\n" +" behaves correctly. x11vnc will be conservative and\n" +" reject a user if anything abnormal occurs.\n" " \n" -" For example, on FreeBSD and the other BSD's and Tru64\n" -" it does not appear to be possible for the user running\n" -" x11vnc to validate his *own* password via su(1).\n" -" The x11vnc login will always fail in this case.\n" -" A possible workaround would be to start x11vnc as\n" -" root with the \"-users +nobody\" option to immediately\n" -" switch to user nobody. 
Another source of problems are\n" -" PAM modules that prompt for extra info, e.g. password\n" -" aging modules. These logins will always fail as well.\n" +" For example, on FreeBSD and the other BSD's by default\n" +" it is impossible for the user running x11vnc to validate\n" +" his *own* password via su(1) (evidently commenting\n" +" out the pam_self.so entry in /etc/pam.d/su eliminates\n" +" the problem). So the x11vnc login will always fail for\n" +" this case. A possible workaround would be to start\n" +" x11vnc as root with the \"-users +nobody\" option to\n" +" immediately switch to user nobody. Another source of\n" +" problems are PAM modules that prompt for extra info,\n" +" e.g. password aging modules. These logins will always\n" +" fail as well.\n" "\n" " *IMPORTANT*: to prevent the Unix password being sent in\n" " *clear text* over the network, two x11vnc options are\n" 
@@ -444,17 +448,18 @@ void print_help(int mode) { " Set UNIXPW_DISABLE_STUNNEL=1 to disable using -stunnel.\n" " Evidently you will be using a different method to\n" " encrypt the data between the vncviewer and x11vnc:\n" -" e.g. ssh(1) or a VPN. Note that use of ssh(1) with\n" -" -localhost is roughly the same as requiring a Unix\n" -" user login (since Unix password or the user's public\n" -" key authentication is used by ssh)\n" -"\n" -" As a convenience, if you ssh(1) in and start x11vnc\n" -" it will look to see if the environment variable\n" -" SSH_CONNECTION is set and appears reasonable. If it\n" -" does, then the stunnel requirement is dropped since\n" -" it is assumed you are using ssh for the encrypted\n" -" tunnelling. Use -stunnel to force stunnel usage.\n" +" e.g. ssh(1) or a VPN. Note that use of -localhost\n" +" with ssh(1) is roughly the same as requiring a Unix\n" +" user login (since a Unix password or the user's public\n" +" key authentication is used by ssh on the machine where\n" +" x11vnc runs and only local connections are accepted)\n" +"\n" +" As a convenience, if you ssh(1) in and start x11vnc it\n" +" will check if the environment variable SSH_CONNECTION\n" +" is set and appears reasonable. If it does, then the\n" +" stunnel requirement is dropped since it is assumed\n" +" you are using ssh for the encrypted tunnelling.\n" +" Use -stunnel to force stunnel usage.\n" "\n" " Set UNIXPW_DISABLE_LOCALHOST=1 to disable the -localhost\n" " requirement. One should never do this (i.e. allow the\n" 
@@ -471,16 +476,28 @@ void print_help(int mode) { " where \"opts\" is a \"+\" separated list of\n" " \"viewonly\", \"fullaccess\", \"input=XXXX\", or\n" " \"deny\", e.g. \"karl,fred:viewonly,boss:input=M\".\n" -" For \"input=\" it is the K,M,B,C describe under -input.\n" -"\n" -" If a user in the list is \"*\" that means those options\n" -" apply to all users. It also means all users are allowed\n" -" to log in. Use \"deny\" to explicitly deny some users\n" -" if you use \"*\" to set a global option.\n" -"\n" -"-stunnel [pem] Use the stunnel(1) (www.stunnel.org) to provide an\n" -" encrypted SSL tunnel between viewers and x11vnc.\n" -" This requires stunnel be installed on the system and\n" +" For \"input=\" it is the K,M,B,C described under -input.\n" +"\n" +" If a user in the list is \"*\" that means those\n" +" options apply to all users. It also means all users\n" +" are allowed to log in after supplying a valid password.\n" +" Use \"deny\" to explicitly deny some users if you use\n" +" \"*\" to set a global option.\n" +"\n" +"-unixpw_nis [list] As -unixpw above, however do not run su(1) but rather\n" +" use the traditional getpwnam() + crypt() method instead.\n" +" This requires that the encrpyted passwords be readable.\n" +" Passwords stored in /etc/shadow will be inaccessible\n" +" unless run as root. This is called \"NIS\" mode\n" +" simply because in most NIS setups the user encrypted\n" +" passwords are accessible (e.g. \"ypcat passwd\").\n" +" NIS is not required for this mode to work, but it\n" +" is unlikely it will work for any other environment.\n" +" All of the -unixpw options and contraints apply.\n" +"\n" +"-stunnel [pem] Use the stunnel(1) (www.stunnel.org) to provide\n" +" an encrypted SSL tunnel between viewers and x11vnc.\n" +" This requires stunnel to be installed on the system and\n" " available via PATH (n.b. stunnel is often installed in\n" " sbin directories). Version 4.x of stunnel is assumed;\n" " see -stunnel3 below.\n" 
@@ -492,9 +509,9 @@ void print_help(int mode) { "\n" " stunnel is started up as a child process of x11vnc and\n" " any SSL connections stunnel receives are decrypted and\n" -" sent to x11vnc over a local socket. The strings \"The\n" -" SSL VNC desktop is ...\" and SSLPORT=... are printed\n" -" out at startup.\n" +" sent to x11vnc over a local socket. The strings\n" +" \"The SSL VNC desktop is ...\" and \"SSLPORT=...\"\n" +" are printed out at startup.\n" "\n" " The -localhost option is enforced by default to\n" " avoid people routing around the SSL channel. Set\n" @@ -502,7 +519,7 @@ void print_help(int mode) { "\n" " Your VNC viewer will need to be able to connect via SSL.\n" " Unfortunately not too many do this. UltraVNC seems to\n" -" have a SSL plugin. It is not too difficult to set up\n" +" have a SSL plugin. It is not too difficult to set up\n" " an stunnel or other SSL tunnel on the viewer side.\n" "\n" " A simple example on Unix using stunnel 3.x is:\n" 
@@ -2100,16 +2117,17 @@ void print_help(int mode) { " http_url auth xauth users rootshift clipshift\n" " scale_str scaled_x scaled_y scale_numer scale_denom\n" " scale_fac scaling_blend scaling_nomult4 scaling_pad\n" -" scaling_interpolate inetd privremote unsafe safer nocmds\n" -" passwdfile unixpw unixpw_list stunnel stunnel_pem\n" -" using_shm logfile o flag rc norc h help V version\n" -" lastmod bg sigpipe threads readrate netrate netlatency\n" -" pipeinput clients client_count pid ext_xtest ext_xtrap\n" -" ext_xrecord ext_xkb ext_xshm ext_xinerama ext_overlay\n" -" ext_xfixes ext_xdamage ext_xrandr rootwin num_buttons\n" -" button_mask mouse_x mouse_y bpp depth indexed_color\n" -" dpy_x dpy_y wdpy_x wdpy_y off_x off_y cdpy_x cdpy_y\n" -" coff_x coff_y rfbauth passwd viewpasswd\n" +" scaling_interpolate inetd privremote unsafe safer\n" +" nocmds passwdfile unixpw unixpw_nis unixpw_list stunnel\n" +" stunnel_pem using_shm logfile o flag rc norc h help\n" +" V version lastmod bg sigpipe threads readrate netrate\n" +" netlatency pipeinput clients client_count pid ext_xtest\n" +" ext_xtrap ext_xrecord ext_xkb ext_xshm ext_xinerama\n" +" ext_overlay ext_xfixes ext_xdamage ext_xrandr rootwin\n" +" num_buttons button_mask mouse_x mouse_y bpp depth\n" +" indexed_color dpy_x dpy_y wdpy_x wdpy_y off_x off_y\n" +" cdpy_x cdpy_y coff_x coff_y rfbauth passwd viewpasswd\n" +"\n" "-QD variable Just like -query variable, but returns the default\n" " value for that parameter (no running x11vnc server\n" " is consulted)\n" -- cgit v1.2.1
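Review bot: In the @@ -401 hunk, the new FreeBSD paragraph mentions commenting out the pam_self.so entry in /etc/pam.d/su without saying that this edits su(1) for every user on the host rather than an x11vnc setting. Suggest stating that explicitly, or dropping the parenthetical and keeping "-users +nobody" as the documented workaround. The same hunk changes the timeout text from 20 to 25 seconds; only help.c is in this diff, so please confirm the number matches the value used by the unixpw code.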
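Review bot: In the @@ -444 hunk, the SSH_CONNECTION paragraph still says only that the variable "appears reasonable", which does not tell an administrator what is checked before the stunnel requirement is dropped. The variable is taken from the environment of whoever starts x11vnc, so the text should describe the check and say whether the -localhost requirement stays in force when stunnel is skipped. Minor: the reworded sentence ending "only local connections are accepted)" has no closing period.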
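Review bot: In the @@ -471 hunk, the added -unixpw_nis text has two typos: "encrpyted" should be "encrypted" and "contraints" should be "constraints". The paragraph is also ambiguous about root: it says /etc/shadow passwords are "inaccessible unless run as root" and then that the mode is unlikely to work outside NIS, so please say plainly whether running as root with shadow passwords is a supported case. Since the mode depends on password hashes being readable (the "ypcat passwd" example), a sentence reminding the reader that the -stunnel and -localhost requirements described under -unixpw still apply would be clearer than the closing "All of the -unixpw options ... apply".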
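Review bot: In the @@ -2100 hunk, the only substantive change is the new "unixpw_nis" query variable, but the whole variable list is rewrapped, which hides the one-word addition among ten changed lines. Suggest adding the name without reflowing the block, or doing the rewrap in a separate commit. The added blank "\n" line before "-QD variable" is a formatting fix unrelated to the subject line and belongs with that cleanup.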