From d14cf0a84c88a02222caad1692228584b610aacc Mon Sep 17 00:00:00 2001 From: runge Date: Wed, 5 Apr 2006 21:26:45 +0000 Subject: SSL Java viewer work thru proxy. -sslGenCA, etc key/cert management utils for x11vnc. FBPM "support". --- x11vnc/help.c | 468 +++++++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 427 insertions(+), 41 deletions(-) (limited to 'x11vnc/help.c') diff --git a/x11vnc/help.c b/x11vnc/help.c index 544d26b..409ecd9 100644 --- a/x11vnc/help.c +++ b/x11vnc/help.c @@ -528,14 +528,14 @@ void print_help(int mode) { "-unixpw_nis [list] As -unixpw above, however do not use su(1) but rather\n" " use the traditional getpwnam(3) + crypt(3) method to\n" " verify passwords instead. This requires that the\n" -" encrpyted passwords be readable. Passwords stored\n" +" encrypted passwords be readable. Passwords stored\n" " in /etc/shadow will be inaccessible unless x11vnc\n" " is run as root.\n" "\n" " This is called \"NIS\" mode simply because in most\n" " NIS setups the user encrypted passwords are accessible\n" " (e.g. \"ypcat passwd\"). NIS is not required for this\n" -" mode to work (only that getpwnam(3) return the encrpyted\n" +" mode to work (only that getpwnam(3) return the encrypted\n" " password is required), but it is unlikely it will work\n" " for any other modern environment. All of the -unixpw\n" " options and contraints apply.\n" 
@@ -549,18 +549,19 @@ void print_help(int mode) { "\n" " [pem] is optional, use \"-ssl /path/to/mycert.pem\"\n" " to specify a PEM certificate file to use to identify\n" -" and provide a key for this server. See openssl(1)\n" -" for what a PEM can be.\n" +" and provide a key for this server. See openssl(1) for\n" +" more info about PEMs and the -sslGenCert option below.\n" "\n" -" Connecting VNC viewer SSL tunnels can optionally\n" +" The connecting VNC viewer SSL tunnel can optionally\n" " authenticate this server if they have the public\n" " key part of the certificate (or a common certificate\n" " authority, CA, is a more sophisicated way to verify\n" -" this server's cert). This is used to prevent\n" -" man-in-the-middle attacks. Otherwise, if the VNC\n" -" viewer accepts this server's key without verification,\n" -" at least the traffic is protected from passive sniffing\n" -" on the network (but NOT from man-in-the-middle attacks).\n" +" this server's cert, see -sslGenCA below). This is\n" +" used to prevent man-in-the-middle attacks. Otherwise,\n" +" if the VNC viewer accepts this server's key without\n" +" verification, at least the traffic is protected\n" +" from passive sniffing on the network (but NOT from\n" +" man-in-the-middle attacks).\n" "\n" " If [pem] is not supplied and the openssl(1) utility\n" " command exists in PATH, then a temporary, self-signed\n" 
@@ -573,15 +574,34 @@ void print_help(int mode) { " temporary certificate, the public part of it will be\n" " displayed to stderr (e.g. one could copy it to the\n" " client-side to provide authentication of the server to\n" -" VNC viewers.)\n" +" VNC viewers.) See following paragraphs for how to save\n" +" keys to reuse when x11vnc is restarted.\n" "\n" " Set the env. var. X11VNC_SHOW_TMP_PEM=1 to have x11vnc\n" " print out the entire certificate, including the PRIVATE\n" " KEY part, to stderr. One could reuse this cert if saved\n" " in a [pem] file. Similarly, set X11VNC_KEEP_TMP_PEM=1\n" " to not delete the temporary PEM file: the file name\n" -" will be printed to stderr (so one could move it to a\n" -" safe place for reuse).\n" +" will be printed to stderr (so one could move it to\n" +" a safe place for reuse). You will be prompted for a\n" +" passphrase for the private key.\n" +"\n" +" If [pem] is \"SAVE\" then the certificate will be saved\n" +" to the file ~/.vnc/certs/server.pem, or if that file\n" +" exists it will be used directly. Similarly, if [pem]\n" +" is \"SAVE_PROMPT\" the server.pem certificate will be\n" +" made based on your answers to its prompts for info such\n" +" as OrganizationalName, CommonName, etc.\n" +"\n" +" Use \"SAVE-\" and \"SAVE_PROMPT-\"\n" +" to refer to the file ~/.vnc/certs/server-.pem\n" +" instead. E.g. \"SAVE-charlie\" will store to the file\n" +" ~/.vnc/certs/server-charlie.pem\n" +"\n" +" See -ssldir below to use a directory besides the\n" +" default ~/.vnc/certs\n" +"\n" +" Example: x11vnc -ssl SAVE -display :0 ...\n" "\n" " Reverse connections are disabled in -ssl mode because\n" " there is no way to ensure that data channel will\n" 
@@ -589,33 +609,369 @@ void print_help(int mode) { " override this.\n" "\n" " Your VNC viewer will also need to be able to connect\n" -" via SSL. See the discussion below under -stunnel\n" -" and the FAQ for how this might be achieved. E.g. on\n" -" Unix it is easy to write a shell script that starts up\n" -" stunnel and then vncviewer. Also in the x11vnc source\n" -" a SSL enabled Java VNC Viewer applet is provided in\n" -" the classes/ssl directory.\n" +" via SSL. See the discussion below under -stunnel and\n" +" the FAQ (ssl_vncviewer script) for how this might be\n" +" achieved. E.g. on Unix it is easy to write a shell\n" +" script that starts up stunnel and then vncviewer.\n" +" Also in the x11vnc source a SSL enabled Java VNC Viewer\n" +" applet is provided in the classes/ssl directory.\n" +"\n" +"-ssldir [dir] Use [dir] as an alternate ssl certificate and key\n" +" management toplevel directory. The default is\n" +" ~/.vnc/certs\n" +"\n" +" This directory is used to store server and other\n" +" certificates and keys and also other materials. E.g. in\n" +" the simplest case, \"-ssl SAVE\" will store the x11vnc\n" +" server cert in [dir]/server.pem\n" +"\n" +" Use of alternate directories via -ssldir allows you to\n" +" manage multiple VNC Certificate Authority (CA) keys.\n" +" Another use is if ~/.vnc/cert is on an NFS share you\n" +" might want your certificates and keys to be on a local\n" +" filesystem to prevent network snooping (for example\n" +" -ssldir /var/lib/x11vnc-certs).\n" +"\n" +" -ssldir effects the other -ssl* options. In the case\n" +" of maintenance commands where the VNC server is not run\n" +" (e.g. -sslGenCA), the -ssldir option must precede the\n" +" command. E.g. x11vnc -ssldir ~/mydir -sslCertInfo LIST\n" "\n" "-sslverify [path] For either of the -ssl or -stunnel modes, use [path]\n" " to provide certificates to authenticate incoming VNC\n" -" client connections. 
This can be used as a method to\n" -" replace standard password authentication of clients.\n" +" *Client* connections (normally only the server is\n" +" authenticated in SSL.) This can be used as a method\n" +" to replace standard password authentication of clients.\n" "\n" " If [path] is a directory it contains the client (or CA)\n" -" certificates in separate files. If [path] is a file, it\n" -" contains multiple certificates. These correspond to the\n" -" \"CApath = dir\" and \"CAfile = file\" stunnel options.\n" -" See the stunnel(8) manpage for details.\n" +" certificates in separate files. If [path] is a file,\n" +" it contains multiple certificates. See special tokens\n" +" below. These correspond to the \"CApath = dir\" and\n" +" \"CAfile = file\" stunnel options. See the stunnel(8)\n" +" manpage for details.\n" +"\n" +" Examples:\n" +" x11vnc -ssl -sslverify ~/my.pem\n" +" x11vnc -ssl -sslverify ~/my_pem_dir/\n" +"\n" +" Note that if [path] is a directory, it must contain\n" +" the certs in separate files named like .0, where\n" +" the value of is found by running the command\n" +" \"openssl x509 -hash -noout -in file.crt\". Evidently\n" +" one uses .1 if there is a collision...\n" +"\n" +" The the key-management utility \"-sslCertInfo HASHON\"\n" +" and \"-sslCertInfo HASHOFF\" will create/delete these\n" +" hashes for you automatically (via symlink) in the HASH\n" +" subdirs it manages. Then you can point -sslverify to\n" +" the HASH subdir.\n" +"\n" +" Special tokens: in -ssl mode, if [path] is not a file or\n" +" a directory, it is taken as a comma separated list of\n" +" tokens that are interpreted as follows:\n" +"\n" +" If a token is \"CA\" that means load the CA/cacert.pem\n" +" file from the ssl directory. If a token is \"clients\"\n" +" then all the files clients/*.crt in the ssl directory\n" +" are loaded. Otherwise the file clients/token.crt\n" +" is attempted to be loaded. 
As a kludge, use a token\n" +" like ../server-foo to load a server cert if you find\n" +" that necessary.\n" +" \n" +" Use -ssldir to use a directory different from the\n" +" ~/.vnc/certs default.\n" +" \n" +" Note that if the \"CA\" cert is loaded you do not need\n" +" to load any of the certs that have been signed by it.\n" +" You will need to load any additional self-signed certs\n" +" however.\n" +" \n" +" Examples:\n" +" x11vnc -ssl -sslverify CA\n" +" x11vnc -ssl -sslverify self:fred,self:jim\n" +" x11vnc -ssl -sslverify CA,clients\n" +" \n" +" Usually \"-sslverify CA\" is the most effective.\n" +" See the -sslGenCA and -sslGenCert options below for\n" +" how to set up and manage the CA framework.\n" +" \n" +"\n" +"\n" +" NOTE: the following utilities, -sslGenCA, -sslGenCert,\n" +" -sslEncKey, and -sslCertInfo are provided for\n" +" completeness, but for casual usage they are overkill.\n" +"\n" +" They provide VNC Certificate Authority (CA) key creation\n" +" and server / client key generation and signing. So they\n" +" provide a basic Public Key management framework for\n" +" VNC-ing with x11vnc. (note that they require openssl(1)\n" +" be installed on the system)\n" +"\n" +" However, the simplest usage mode (where x11vnc\n" +" automatically generates its own, self-signed, temporary\n" +" key and the VNC viewers always accept it, e.g. accepting\n" +" via a dialog box) is probably safe enough for most\n" +" scenarios. 
CA management is not needed.\n" +"\n" +" To protect against Man-In-The-Middle attacks the\n" +" simplest mode can be improved by using \"-ssl SAVE\"\n" +" to have x11vnc create a longer term self-signed\n" +" certificate, and then (safely) copy the corresponding\n" +" public key cert to the desired client machines (care\n" +" must be taken the private key part is not stolen;\n" +" you will be prompted for a passphrase).\n" +"\n" +" So keep in mind no CA key creation or management\n" +" (-sslGenCA and -sslGenCert) is needed for either of\n" +" the above two common usage modes.\n" +"\n" +" One might want to use -sslGenCA and -sslGenCert\n" +" if you had a large number of VNC client and server\n" +" workstations. That way the administrator could generate\n" +" a single CA key with -sslGenCA and distribute its\n" +" certificate part to all of the workstations.\n" +"\n" +" Next, he could create signed VNC server keys\n" +" (-sslGenCert server ...) for each workstation or user\n" +" that then x11vnc would use to authenticate itself to\n" +" any VNC client that has the CA cert.\n" +"\n" +" Optionally, the admin could also make it so the\n" +" VNC clients themselves are authenticated to x11vnc\n" +" (-sslGenCert client ...) For this -sslverify would be\n" +" pointed to the CA cert (and/or self-signed certs).\n" +"\n" +" x11vnc will be able to use all of these cert and\n" +" key files. On the VNC client side, they will need to\n" +" be \"imported\" somehow. Web browsers have \"Manage\n" +" Certificates\" actions as does the Java applet plugin\n" +" Control Panel. 
stunnel can also use these files (see\n" +" the ssl_vncviewer example script in the FAQ.)\n" +"\n" +"-sslGenCA [dir] Generate your own Certificate Authority private key,\n" +" certificate, and other files in directory [dir].\n" +"\n" +" If [dir] is not supplied, a -ssldir setting is used,\n" +" or otherwise ~/.vnc/certs is used.\n" +"\n" +" This command also creates directories where server and\n" +" client certs and keys will be stored. The openssl(1)\n" +" program must be installed on the system and available\n" +" in PATH.\n" +"\n" +" After the CA files and directories are created the\n" +" command exits; the VNC server is not run.\n" +"\n" +" You will be prompted for information to put into the CA\n" +" certificate. The info does not have to be accurate just\n" +" as long as clients accept the cert for VNC connections.\n" +" You will also need to supply a passphrase of at least\n" +" 4 characters for the CA private key.\n" +"\n" +" Once you have generated the CA you can distribute\n" +" its certificate part, [dir]/CA/cacert.pem, to other\n" +" workstations where VNC viewers will be run. One will\n" +" need to \"import\" this certicate in the applications,\n" +" e.g. Web browser, Java applet plugin, stunnel, etc.\n" +" Next, you can create and sign keys using the CA with\n" +" the -sslGenCert option below.\n" +"\n" +" Examples:\n" +" x11vnc -sslGenCA\n" +" x11vnc -sslGenCA ~/myCAdir\n" +" x11vnc -ssldir ~/myCAdir -sslGenCA\n" +"\n" +" (the last two lines are equivalent)\n" +"\n" +"-sslGenCert type name Generate a VNC server or client certificate and private\n" +" key pair signed by the CA created previously with\n" +" -sslGenCA. The openssl(1) program must be installed\n" +" on the system and available in PATH.\n" +"\n" +" After the Certificate is generated the command exits;\n" +" the VNC server is not run.\n" +"\n" +" The type of key to be generated is the string \"type\".\n" +" It is either \"server\" (i.e. 
for use by x11vnc) or\n" +" \"client\" (for a VNC viewer). Note that typically\n" +" only \"server\" is used: the VNC clients authenticate\n" +" themselves by a non-public-key method (e.g. VNC or\n" +" unix password). \"type\" is required.\n" +"\n" +" An arbitrary default name you want to associate with\n" +" the key is supplied by the \"name\" string. You can\n" +" change it at the various prompts when creating the key.\n" +" \"name\" is optional.\n" +"\n" +" If name is left blank for clients keys then \"nobody\"\n" +" is used. If left blank for server keys, then the\n" +" primary server key: \"server.pem\" is created (this\n" +" is the saved one referenced by \"-ssl SAVE\" when the\n" +" server is started)\n" +"\n" +" If \"name\" begins with the string \"self:\" then\n" +" a self-signed certificate is created instead of one\n" +" signed by your CA key.\n" +"\n" +" If \"name\" begins with the string \"req:\" then only a\n" +" key (.key) and a certificate signing *request* (.req)\n" +" are generated. You can then send the .req file to\n" +" an external CA (even a professional one, e.g. 
Thawte)\n" +" and then combine the .key and the received cert into\n" +" the .pem file with the same basename.\n" +"\n" +" The distinction between \"server\" and \"client\" is\n" +" simply the choice of output filenames and sub-directory.\n" +" This makes it so the -ssl SAVE-name option can easily\n" +" pick up the x11vnc PEM file this option generates.\n" +" And similarly makes it easy for the -sslverify option\n" +" to pick up your client certs.\n" +"\n" +" There is nothing special about the filename or directory\n" +" location of either the \"server\" and \"client\" certs.\n" +" You can rename the files or move them to wherever\n" +" you like.\n" +"\n" +" Precede this option with -ssldir [dir] to use a\n" +" directory other than the default ~/.vnc/certs You will\n" +" need to run -sslGenCA on that directory first before\n" +" doing any -sslGenCert key creation.\n" +"\n" +" Note you cannot recreate a cert with exactly the same\n" +" distiguished name (DN) as an existing one. To do so,\n" +" you will need to edit the [dir]/CA/index.txt file to\n" +" delete the line.\n" +"\n" +" Similar to -sslGenCA, you will be prompted to fill\n" +" in some information that will be recorded in the\n" +" certificate when it is created. Tip: if you know\n" +" the fully-quailified hostname other people will be\n" +" connecting to you can use that as the CommonName \"CN\"\n" +" to avoid some applications (e.g. web browsers and java\n" +" plugin) complaining it does not match the hostname.\n" +"\n" +" You will also need to supply the CA private key\n" +" passphrase to unlock the private key created from\n" +" -sslGenCA. This private key is used to sign the server\n" +" or client certicate.\n" +"\n" +" The \"server\" certs can be used by x11vnc directly by\n" +" pointing to them via the -ssl [pem] option. The default\n" +" file will be ~/.vnc/certs/server.pem. This one would\n" +" be used by simply typing -ssl SAVE. 
The pem file\n" +" contains both the certificate and the private key.\n" +" server.crt file contains the cert only.\n" +"\n" +" The \"client\" cert + private key file will need\n" +" to be copied and imported into the VNC viewer\n" +" side applications (Web browser, Java plugin,\n" +" stunnel, etc.) Once that is done you can delete the\n" +" \"client\" private key file on this machine since\n" +" it is only needed on the VNC viewer side. The,\n" +" e.g. ~/.vnc/certs/clients/.pem contains both\n" +" the cert and private key. The .crt contains the\n" +" certificate only.\n" +"\n" +" NOTE: It is very important to know one should always\n" +" generate new keys with a passphrase. Otherwise if an\n" +" untrusted user steals the key file he could use it to\n" +" masquerade as the x11vnc server (or VNC viewer client).\n" +" You will be prompted whether to encrypt the key with\n" +" a passphrase or not. It is recommended that you do.\n" +" One inconvenience to a passphrase is that it must\n" +" be suppled every time x11vnc or the client app is\n" +" started up.\n" +"\n" +" Examples:\n" +"\n" +" x11vnc -sslGenCert server\n" +" x11vnc -ssl SAVE -display :0 ...\n" +"\n" +" and then on viewer using ssl_vncviewer stunnel wrapper\n" +" (see the FAQ):\n" + +" ssl_vncviewer -verify ./cacert.crt hostname:0\n" +"\n" +" (this assumes the cacert.crt cert from -sslGenCA\n" +" was safely copied to the VNC viewer machine where\n" +" ssl_vncviewer is run)\n" +"\n" +" Example using a name:\n" +"\n" +" x11vnc -sslGenCert server charlie\n" +" x11vnc -ssl SAVE-charlie -display :0 ...\n" +"\n" +" Example for a client certificate (rarely used):\n" +"\n" +" x11vnc -sslGenCert client roger\n" +" scp ~/.vnc/certs/clients/roger.pem somehost:.\n" +" rm ~/.vnc/certs/clients/roger.pem\n" +"\n" +" x11vnc is then started with the the option -sslverify\n" +" ~/.vnc/certs/clients/roger.crt (or simply -sslverify\n" +" roger), and on the viewer user on somehost could do\n" +" for example:\n" +"\n" +" 
ssl_vncviewer -mycert ./roger.pem hostname:0\n" +"\n" +"-sslEncKey [pem] Utility to encrypt an existing PEM file with a\n" +" passphrase you supply when prompted. For that key to be\n" +" used (e.g. by x11vnc) the passphrase must be supplied\n" +" each time.\n" +"\n" +" The \"SAVE\" notation described under -ssl applies as\n" +" well. (precede this option with -ssldir [dir] to refer\n" +" a directory besides the default ~/.vnc/certs)\n" +"\n" +" The openssl(1) program must be installed on the system\n" +" and available in PATH. After the Key file is encrypted\n" +" the command exits; the VNC server is not run.\n" +"\n" +" Examples:\n" +" x11vnc -sslEncKey /path/to/foo.pem\n" +" x11vnc -sslEncKey SAVE\n" +" x11vnc -sslEncKey SAVE-charlie\n" +"\n" +"-sslCertInfo [pem] Prints out information about an existing PEM file.\n" +" In addition the public certificate is also printed.\n" +" The openssl(1) program must be in PATH. Basically the\n" +" command \"openssl x509 -text\" is run on the pem.\n" +"\n" +" The \"SAVE\" notation described under -ssl applies\n" +" as well.\n" +"\n" +" Using \"LIST\" will give a list of all certs being\n" +" managed (in the ~/.vnc/certs dir, use -ssldir to refer\n" +" to another dir). \"ALL\" will print out the info for\n" +" every managed key (this can be very long). Giving a\n" +" client or server cert shortname will also try a lookup\n" +" (e.g. -sslCertInfo charlie). Use \"LISTL\" or \"LL\"\n" +" for a long (ls -l style) listing.\n" +"\n" +" Using \"HASHON\" will create subdirs [dir]/HASH and\n" +" [dir]/HASH with OpenSSL hash filenames (e.g. 0d5fbbf1.0)\n" +" symlinks pointing up to the corresponding *.crt file.\n" +" ([dir] is ~/.vnc/certs or one given by -ssldir.)\n" +" This is a useful way for other OpenSSL applications\n" +" (e.g. stunnel) to access all of the certs without\n" +" having to concatenate them. x11vnc will not use them\n" +" unless you specifically reference them. 
\"HASHOFF\"\n" +" removes these HASH subdirs.\n" +"\n" +" The LIST, LISTL, LL, ALL, HASHON, HASHOFF words can\n" +" also be lowercase, e.g. \"list\".\n" +"\n" +"-sslDelCert [pem] Prompts you to delete all .crt .pem .key .req files\n" +" associated with [pem]. \"SAVE\" and lookups as in\n" +" -sslCertInfo apply as well.\n" "\n" -" To create certificates for all sorts of authentications\n" -" (clients, servers, via CA, etc) see the openssl(1)\n" -" command. Of particular usefulness is the \"x509\"\n" -" subcommand of openssl(1).\n" "\n" "-stunnel [pem] Use the stunnel(8) (www.stunnel.org) to provide an\n" -" encrypted SSL tunnel between viewers and x11vnc. This\n" -" was implemented prior to the integrated -ssl encrpytion.\n" -" It works well. This requires stunnel to be installed\n" +" encrypted SSL tunnel between viewers and x11vnc.\n" +"\n" +" This external tunnel method was implemented prior to the\n" +" integrated -ssl encryption described above. It still\n" +" works well. This requires stunnel to be installed\n" " on the system and available via PATH (n.b. stunnel is\n" " often installed in sbin directories). Version 4.x of\n" " stunnel is assumed (but see -stunnel3 below.)\n" @@ -641,14 +997,13 @@ void print_help(int mode) { " SSL. Unfortunately not too many do this. UltraVNC has\n" " an encryption plugin but it does not seem to be SSL.\n" "\n" -" In the x11vnc distribution, a patched TightVNC Java\n" -" applet is provided in classes/ssl that does SSL\n" +" Also, in the x11vnc distribution, a patched TightVNC\n" +" Java applet is provided in classes/ssl that does SSL\n" " connections (only).\n" "\n" " It is also not too difficult to set up an stunnel or\n" -" other SSL tunnel on the viewer side.\n" -"\n" -" A simple example on Unix using stunnel 3.x is:\n" +" other SSL tunnel on the viewer side. A simple example\n" +" on Unix using stunnel 3.x is:\n" "\n" " %% stunnel -c -d localhost:5901 -r remotehost:5900\n" " %% vncviewer localhost:1\n" 
@@ -704,9 +1059,10 @@ void print_help(int mode) { " file \"file\". Once the password is stored the\n" " program exits. Use the password via \"-rfbauth file\"\n" "\n" -" If called with no arguments, i.e., \"-storepasswd\",\n" +" If called with no arguments, \"x11vnc -storepasswd\",\n" " the user is prompted for a password and it is stored\n" -" in the file ~/.vnc/passwd\n" +" in the file ~/.vnc/passwd. Called with one argument,\n" +" that will be the file to store the prompted password in.\n" "\n" "-nopw Disable the big warning message when you use x11vnc\n" " without some sort of password.\n" @@ -1718,6 +2074,22 @@ void print_help(int mode) { " to really throttle down the screen polls (i.e. sleep\n" " for about 1.5 secs). Use 0 to disable. Default: %d\n" "\n" +"-nofbpm If the system supports the FBPM (Frame Buffer Power\n" +"-fbpm Management) extension (i.e. some Sun systems), then\n" +" prevent the video h/w from going into a reduced power\n" +" state when VNC clients are connected.\n" +"\n" +" FBPM capable video h/w save energy when the workstation\n" +" is idle by going into low power states (similar to DPMS\n" +" for monitors). This interferes with x11vnc's polling\n" +" of the framebuffer data.\n" +"\n" +" \"-nofbpm\" means prevent FBPM low power states whenever\n" +" VNC clients are connected, while \"-fbpm\" means to not\n" +" monitor the FBPM state at all. See the xset(1) manpage\n" +" for details. -nofbpm is basically the same as running\n" +" \"xset fbpm force on\" periodically. Default: %s\n" +"\n" "-noxdamage Do not use the X DAMAGE extension to detect framebuffer\n" " changes even if it is available. Use -xdamage if your\n" " default is to have it off.\n" 
@@ -2176,6 +2548,8 @@ void print_help(int mode) { " nap enable -nap mode.\n" " nonap disable -nap mode.\n" " sb:n set -sb to n s, same as screen_blank:n\n" +" fbpm disable -nofbpm mode.\n" +" nofbpm enable -nofbpm mode.\n" " xdamage enable xdamage polling hints.\n" " noxdamage disable xdamage polling hints.\n" " xd_area:A set -xd_area max pixel area to \"A\"\n" @@ -2296,8 +2670,8 @@ void print_help(int mode) { " debug_pointer dp nodebug_pointer nodp debug_keyboard\n" " dk nodebug_keyboard nodk deferupdate defer wait_ui\n" " wait_bog nowait_bog slow_fb wait readtimeout nap nonap\n" -" sb screen_blank fs gaps grow fuzz snapfb nosnapfb\n" -" rawfb progressive rfbport http nohttp httpport\n" +" sb screen_blank fbpm nofbpm fs gaps grow fuzz snapfb\n" +" nosnapfb rawfb progressive rfbport http nohttp httpport\n" " httpdir enablehttpproxy noenablehttpproxy alwaysshared\n" " noalwaysshared nevershared noalwaysshared dontdisconnect\n" " nodontdisconnect desktop debug_xevents nodebug_xevents\n" @@ -2458,6 +2832,7 @@ void print_help(int mode) { rfbMaxClientWait/1000, take_naps ? "take naps":"no naps", screen_blank, + watch_fbpm ? "-nofbpm":"-fbpm", xdamage_max_area, NSCAN, xdamage_memory, use_threads ? "-threads":"-nothreads", fs_frac, 
@@ -2574,17 +2949,28 @@ void nopassword_warning_msg(int gotloc) { "#@ @#\n" "#@ an existing ~/.vnc/passwd file will work too. @#\n" "#@ @#\n" +"#@ Running \"x11vnc -storepasswd\" with no arguments @#\n" +"#@ will prompt for a passwd to store in ~/.vnc/passwd. @#\n" +"#@ @#\n" "#@ You can also use the -passwdfile or -passwd options. @#\n" "#@ (note -passwd is unsafe if local users are not trusted) @#\n" "#@ @#\n" "#@ Make sure any -rfbauth and -passwdfile password files @#\n" "#@ cannot be read by untrusted users. @#\n" "#@ @#\n" +"#@ Use x11vnc -usepw to automatically use your @#\n" +"#@ ~/.vnc/passwd or ~/.vnc/passwdfile password files. @#\n" +"#@ (and prompt you to create ~/.vnc/passwd if neither @#\n" +"#@ file exists.) @#\n" +"#@ @#\n" +"#@ @#\n" "#@ Even with a password, the subsequent VNC traffic is @#\n" "#@ sent in the clear. Consider tunnelling via ssh(1): @#\n" "#@ @#\n" "#@ http://www.karlrunge.com/x11vnc/#tunnelling @#\n" "#@ @#\n" +"#@ Or using the x11vnc SSL options: -ssl and -stunnel @#\n" +"#@ @#\n" "#@ Please Read the documention for more info about @#\n" "#@ passwords, security, and encryption. @#\n" "#@ @#\n" -- cgit v1.2.1
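Review bot: in the -unixpw_nis paragraph (hunk @@ -528,14), the last context line still reads "options and contraints apply."; since this hunk already corrects "encrpyted" twice in the same paragraph, fix "contraints" to "constraints" here as well.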
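Review bot: in the -ssl help (hunk @@ -549,18), the rewritten sentence "The connecting VNC viewer SSL tunnel can optionally authenticate this server if they have the public key part" now pairs a singular subject with "they". Either keep the plural subject or change "they have" to "it has". The rewrapped paragraph also carries "sophisicated" forward unchanged; correct it to "sophisticated" while these lines are being touched.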
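Review bot: in hunk @@ -573,15, the added sentence "You will be prompted for a passphrase for the private key." is appended to the X11VNC_KEEP_TMP_PEM paragraph, where it reads as if the temporary certificate is what triggers the prompt. The overview text added later in this patch ties the prompt to "-ssl SAVE" ("you will be prompted for a passphrase"), so move the sentence into the 'If [pem] is "SAVE"' paragraph. Because the help states elsewhere that the pem file contains both the certificate and the private key, that paragraph is also the place to say what file permissions are expected on ~/.vnc/certs/server.pem.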
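Review bot: in the -sslverify section (hunk @@ -589,33), the example "x11vnc -ssl -sslverify self:fred,self:jim" uses a token form that the "Special tokens" paragraph above it never defines; that paragraph covers only "CA", "clients" and clients/token.crt. Document how a "self:" token is resolved, since -sslverify decides which clients are accepted and a token that does not load the intended cert changes that set. Three path references in the same hunk also disagree and should be reconciled: -ssldir mentions "~/.vnc/cert" while the default everywhere else is ~/.vnc/certs; -sslGenCA names the CA certificate [dir]/CA/cacert.pem but the viewer example passes "./cacert.crt"; and -sslCertInfo HASHON lists "[dir]/HASH and [dir]/HASH", the same directory twice. The -sslGenCert NOTE says one should "always" generate keys with a passphrase and two sentences later that it is "recommended"; pick one wording. Spelling to fix in the added lines: "effects" (affects), "The the", "certicate" (twice), "distiguished", "fully-quailified", "suppled".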
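Review bot: in the -nofbpm/-fbpm help (hunk @@ -1718,6), the two flags share one description block and the polarity is easy to misread: "-nofbpm" is the mode that actively prevents low power states (the value printed when watch_fbpm is true in hunk @@ -2458,6), while "-fbpm" means "to not monitor the FBPM state at all". Give each flag its own one-line summary before the shared explanation. In the remote-control list (hunk @@ -2176,6), describe "fbpm" by its effect rather than as "disable -nofbpm mode", which forces the reader to resolve a double negative.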
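Review bot: in nopassword_warning_msg (hunk @@ -2574,17), the added line "Or using the x11vnc SSL options: -ssl and -stunnel" is a fragment that hangs off "Consider tunnelling via ssh(1):" with the URL line in between. Make it a full sentence, for example "Or use the x11vnc SSL options: -ssl and -stunnel". The -usepw block also ends with two consecutive empty banner rows where the rest of the banner uses one, and "documention" on the following context line is still misspelled.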