From 4af738e0c8b561b6f15c614037cc0ea5d1ccfd80 Mon Sep 17 00:00:00 2001 From: runge Date: Sat, 7 Oct 2006 14:54:56 +0000 Subject: Changes for ETV, double SSL/SSH. --- x11vnc/README | 200 ++++++----- x11vnc/misc/enhanced_tightvnc_viewer/README | 5 + .../Windows/util/connect_br.tcl | 239 +++++++++++++ .../Windows/util/info/stunnel/location.url | 1 + .../bin/util/ssl_tightvncviewer.tcl | 385 +++++++++++++++++---- .../bin/util/ssl_vncviewer | 45 +++ .../enhanced_tightvnc_viewer/src/patches/_bundle | 2 +- .../misc/enhanced_tightvnc_viewer/src/zips/README | 1 + x11vnc/x11vnc.1 | 4 +- x11vnc/x11vnc_defs.c | 2 +- 10 files changed, 736 insertions(+), 148 deletions(-) create mode 100755 x11vnc/misc/enhanced_tightvnc_viewer/Windows/util/connect_br.tcl (limited to 'x11vnc') diff --git a/x11vnc/README b/x11vnc/README index 0edfb7b..0bb54c4 100644 --- a/x11vnc/README +++ b/x11vnc/README @@ -1,5 +1,5 @@ -x11vnc README file Date: Sat Sep 23 19:30:26 EDT 2006 +x11vnc README file Date: Sat Oct 7 10:35:03 EDT 2006 The following information is taken from these URLs: @@ -35,11 +35,11 @@ x11vnc: a VNC server for real X displays impossible to build on Solaris and had poor performance. The primary x0rfbserver build problems centered around esoteric C++ toolkits. x11vnc is written in plain C and uses only standard libraries and so - should work on nearly all Unixes. I also added a some enhancements to + should work on nearly all Unixes. I also added some enhancements to improve the interactive response, add many esoteric features, etc. - This page and the [14]FAQ contain a lot of information [15][*] and - solutions to many problems and interesting applications, but + This page and the [14]FAQ contain a lot of information [15][*], + solutions to many problems, and interesting applications, but nevertheless please feel free to [16]contact me if you have problems or questions. 
@@ -3892,6 +3892,9 @@ ied) * Turn off Anti-aliased fonts on your system, web browser, terminal windows, etc. AA fonts do not compress as well as traditional fonts (sometimes 10X less). + * On Firefox/Mozilla (and anything else) turn off "Smooth Scroll" + animations. In Firefox put in the URL "about:config" and set + general.smoothScroll to false. * On XFree86 turn on the Shadow Framebuffer to speed up reading. (Option "ShadowFB" "true" in the Device section of /etc/X11/XF86Config) This disables 2D acceleration on the physical @@ -7358,13 +7361,17 @@ http://www.karlrunge.com/x11vnc/ssl-portal.html: -t -L 5900:myworkstation:5900 user@gateway) to set up the encrypted channel that VNC is then tunneled through. Next he starts up the VNC viewer on the machine where he is sitting directed to the local tunnel - port. - - The SSH scheme is nice because it is a common and well tested login - technique for users connecting to machines inside their company or - home firewall. It is a bit awkward, however, because SSH needs to be - installed on the Viewer machine and the user usually has to rig up his - own port redirection plumbing. + port (e.g. localhost:0). + + The SSH scheme is nice because it is a widely used and well tested + login technique for users connecting to machines inside their company + or home firewall. For VNC access it is a bit awkward, however, because + SSH needs to be installed on the Viewer machine and the user usually + has to rig up his own port redirection plumbing. Also, some users have + restrictive work environments where SSH and similar applications are + prohibited (i.e. only outgoing connections to standard WWW ports are + allowed, perhaps mediated by a proxy server) and have used the method + described below for remote access. With the SSL support in x11vnc and the SSL enabled Java VNC viewer applet, a convenient and secure alternative exists that uses the 
@@ -7372,17 +7379,19 @@ http://www.karlrunge.com/x11vnc/ssl-portal.html: connection is already running apache as a web server (either SSL or non-SSL) and we add to it the ability to act as a gateway for SSL VNC connections. The only thing needed on the Viewer side is a Java - enabled Web Browser. The stunnel VNC viewer wrapper script provided + enabled Web Browser: the user enters a URL that starts the VNC + connection process. The stunnel VNC viewer wrapper script provided (ssl_vncviewer) can also take advantage of the method described here. - The apache solution may be overkill for you (e.g. home system) see - [1]below for some simpler setups. - There are numerous ways to do this. We present the simplest one here. - Important: these schemes allow incoming connections from anywhere on - the Internet to specific ports on machines inside the firewall. Care - must be taken to implement and test thoroughly. If one is paranoid one - can (and should) add extra layers of protection. (e.g. extra - passwords, packet filtering, SSL certificate verification, etc). + This apache solution may be overkill for you (e.g. home system) see + [1]below for some simpler setups that avoid using SSH. + + There are numerous ways to achieve this with Apache. We present the + simplest one here. Important: these schemes allow incoming connections + from anywhere on the Internet to fixed ports on machines inside the + firewall. Care must be taken to implement and test thoroughly. If one + is paranoid one can (and should) add extra layers of protection. (e.g. + extra passwords, packet filtering, SSL certificate verification, etc). The scheme described here sets up apache on the firewall/gateway as a regular Web proxy into the intranet and allows connections to a fixed 
@@ -7398,9 +7407,10 @@ http://www.karlrunge.com/x11vnc/ssl-portal.html: We choose 563 because it is the rarely used SNEWS port that is usually allowed by Web proxies for the CONNECT method. The idea is the user may be coming out of another firewall using a proxy (not the one we - describe here, that is, the case when two proxies are involved; the - "double proxy" problem) and using port 563 simplifies things because - CONNECT's to it are usually allowed by default. + describe here, that is, the case when two proxies are involved, e.g. + one at work and another, Apache at home redirecting into our firewall; + the "double proxy" problem) and using port 563 simplifies things + because CONNECT's to it are usually allowed by default. We also assume all of the x11vnc servers on the internal machines are all listening on port 5915 ("-rfbport 5915") instead of the default @@ -7470,10 +7480,11 @@ t:563/ into the browser: http://www.gateway.east:563/vnc/mach2 - to connect to internal workstation mach2, etc. There will be a number - of SSL certificate, etc, dialogs he will have to respond to in - addition to any passwords he is required to provide (this depends on - how you set up user authentication for x11vnc). + to connect to internal workstation mach2, etc. (Important: do not put + a trailing "/" on the URL, since that will defeat the RewriteRules.) + There will be a number of SSL certificate, etc, dialogs he will have + to respond to in addition to any passwords he is required to provide + (this depends on how you set up user authentication for x11vnc). If a second Web proxy is involved (i.e. the user's browser is inside another firewall that requires proxying) then use this URL: 
@@ -7499,7 +7510,8 @@ t:563/ Next, the "ProxyRequests On" and "AllowCONNECT 5915" enable the web server to forward proxy requests to port 5915 (and only this port) - INSIDE the firewall. Test this carefully. + INSIDE the firewall. Research the implications of this thoroughly and + test it carefully. The "ProxyPass /vnc/mach1/ ..." lines forward the initial page (e.g. index.vnc) and Java applet JAR file (e.g. VncViewer.jar) requests to 
@@ -7534,18 +7546,33 @@ t:563/ Web browser's acceptance of the certificate. Unfortunately the applet currently is not able to save its own list of - Certificates (e.g. the user says trust this certificate always). As an - applet it cannot open local files, etc. Sadly, the applet cannot even - remember certificates in the same browser session because it is - completely reinitialized for each connection. + Certificates (e.g. the user says trust this VNC certificate 'always'). + This is because an applet it cannot open local files, etc. Sadly, the + applet cannot even remember certificates in the same browser session + because it is completely reinitialized for each connection. + + + Problems: + + One user reported that the ProxyRemoteMatch did not work for his + Apache setup and had to use something like this: + + Order deny,allow + Deny from all + + + in the global config section. Some Ideas for adding extra authentication, etc. for the paranoid: * VNC passwords: [6]-rfbauth, [7]-passwdfile, or [8]-usepw. Even - adding a company-wide VNC password helps block unwanted access. + adding a simple company-wide VNC password helps block unwanted + access. * Unix passwords: [9]-unixpw * SSL Client certificates: [10]-sslverify * Apache AuthUserFile directive: .htaccess, etc. + * Use Port-knocking on your firewall as described in: [11]Enhanced + TightVNC Viewer. * Add proxy password authentication (requires Viewer changes?) * Run a separate instance of Apache that provides this VNC service so it can be brought up and down independently of the normal web 
@@ -7555,14 +7582,14 @@ t:563/ Using non-Java viewers with this scheme: - The [11]ssl_vncviewer stunnel wrapper script for VNC viewers has the + The [12]ssl_vncviewer stunnel wrapper script for VNC viewers has the -proxy option that can take advantage of this method. For the case of the "double proxy" situation (see below) supply both separated by a comma. ssl_vncviewer -proxy www.gateway.east:563 mach1:15 ssl_vncviewer -proxy proxy1.foobar.com:8080,www.gateway.east:563 mach1:15 - For the [12]Enhanced TightVNC Viewer GUI (it uses ssl_vncviewer on + For the [13]Enhanced TightVNC Viewer GUI (it uses ssl_vncviewer on Unix) enter these into the 'VNC Server' entry box: mach1:15 www.gateway.east:563 mach1:15 proxy1.foobar.com:8080,www.gateway.east:563 
@@ -7573,20 +7600,21 @@ t:563/ Downloading the Java applet via HTTPS: - To have the Java applet downloaded to the user's Web Browswer via an + To have the Java applet downloaded to the user's Web Browser via an encrypted (and evidently safer) SSL connection the Apache webserver - should be configured for SSL via [13]mod_ssl (this is probably not + should be configured for SSL via [14]mod_ssl (this is probably not absolutely necessary; show us how you did it). - It is actually possible to use the x11vnc [14]Key Management utility - "[15]-sslGenCert" to generate your Apache/SSL .crt and .key files. (In + It is actually possible to use the x11vnc [15]Key Management utility + "[16]-sslGenCert" to generate your Apache/SSL .crt and .key files. (In brief, run something like "x11vnc -sslGenCert server self:apache" then copy the resulting self:apache.crt file to conf/ssl.crt/server.crt and extract the private key part from self:apache.pem and paste it into conf/ssl.key/server.key). Setting the env var REQ_ARGS='-days 730' will bump up the expiration date (2 years in this case). Or you can use the standard methods described in the Apache mod_ssl - documentation. + documentation. Then restart Apache, usually something like "apachectl + startssl". In addition to the above sections in httpd.conf one should add the following to ssl.conf: @@ -7612,6 +7640,7 @@ RT=563&forceProxy=yes [R,NE] ProxyPass /vnc/mach2/ http://mach2:5815/ ProxyPass /vnc/mach3/ http://mach3:5815/ ProxyPass /vnc/mach4/ http://mach4:5815/ + # single port VNC+HTTPS: ProxyPass /vncs/mach1/ https://mach1:5915/ ProxyPass /vncs/mach2/ https://mach2:5915/ ProxyPass /vncs/mach3/ https://mach3:5915/ 
@@ -7625,7 +7654,8 @@ RT=563&forceProxy=yes [R,NE] or https://www.gateway.east/vnc/proxy/mach2 - for the "double proxy" case. + for the "double proxy" case. (Important: do not put a trailing "/" on + the URL, since that will defeat the RewriteRules.) Note that inside the firewall the Java applet download traffic is not encrypted (only over the Internet is SSL used) for these cases: @@ -7637,19 +7667,22 @@ RT=563&forceProxy=yes [R,NE] the Java applet download is encrypted via SSL for both legs. Note that the two legs are two separate SSL sessions. So the data is decrypted - inside an apache process and reencrypted for the 2nd SSL session - inside the same apache process (a very small gap one might overlook). + inside an apache process and reencrypted by the apache process for the + 2nd SSL session inside the same apache process (a very small gap one + might overlook). In all of the above cases the VNC traffic from Viewer to x11vnc is encrypted end-to-end in a single SSL session, even for the "double - proxy" case. This is the important part to have encrypted. + proxy" case because the CONNECT method is used (there are actually two + CONNECT's for the "double proxy" case). This part (the VNC traffic) is + the important part to have encrypted. Note that the Certificate dialogs the user has in his web browser will be for the Apache Certificate, while for the Java applet it will be the x11vnc certificate. Note also that you can have Apache serve up the Jar file VncViewer.jar - instead of each x11vnc if you want to. + and/or index.vnc/proxy.vnc instead of each x11vnc if you want to. INETD automation: 
@@ -7701,7 +7734,7 @@ RT=563&forceProxy=yes [R,NE] -inetd -oa /var/log/x11vnc-15.log -http_ssl -display WAIT:cmd=HTTPONCE where the long inetd.conf line has been split. Note how the - [16]-http_ssl tries to automatically find the .../classes/ssl + [17]-http_ssl tries to automatically find the .../classes/ssl subdirectory. Also note the use of "-ssl SAVE" above. This way a saved server.pem is @@ -7826,7 +7859,7 @@ Certs=yes [R,NE] the first time you connect carefully check the Certificate and then tell your Browser and Java Virtual Machine to trust the certificate 'Always'. Then if you later get an unexpected dialog, you know - something is wrong. Nearly always it is just an changed or expired + something is wrong. Nearly always it is just a changed or expired certificate, but better safe than sorry... References @@ -7841,12 +7874,13 @@ References 8. http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-usepw 9. http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-unixpw 10. http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-sslverify - 11. http://www.karlrunge.com/x11vnc/index.html#ssl_vncviewer - 12. http://www.karlrunge.com/x11vnc/enhanced_tightvnc_viewer.html - 13. http://httpd.apache.org/docs/2.0/mod/mod_ssl.html - 14. http://www.karlrunge.com/x11vnc/ssl.html - 15. http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-sslGenCert - 16. http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-http_ssl + 11. http://www.karlrunge.com/x11vnc/enhanced_tightvnc_viewer.html + 12. http://www.karlrunge.com/x11vnc/index.html#ssl_vncviewer + 13. http://www.karlrunge.com/x11vnc/enhanced_tightvnc_viewer.html + 14. http://httpd.apache.org/docs/2.0/mod/mod_ssl.html + 15. http://www.karlrunge.com/x11vnc/ssl.html + 16. http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-sslGenCert + 17. http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-http_ssl ======================================================================= http://www.karlrunge.com/x11vnc/enhanced_tightvnc_viewer.html: 
@@ -7856,17 +7890,22 @@ http://www.karlrunge.com/x11vnc/enhanced_tightvnc_viewer.html: Enhanced TightVNC Viewer - The Enhanced TightVNC Viewer package is a project to add some patches - to the long neglected Unix TightVNC Viewer. + The Enhanced TightVNC Viewer package started as a project to add some + patches to the long neglected Unix TightVNC Viewer. + + It now also adds a front-end GUI for Windows and Unix that + automatically starts up a STUNNEL SSL tunnel for SSL connections to + [1]x11vnc (or any other VNC Server also running an SSL tunnel, such as + STUNNEL, at their end), and then launches the TightVNC Viewer. The + front-end program can also be used to set up SSH tunnelled connections + instead. And many additional features (see below for a list). - It also adds a front-end GUI for Windows and Unix that automatically - starts up a STUNNEL SSL tunnel for SSL connections to [1]x11vnc (or - any other VNC Server also running an SSL tunnel, such as STUNNEL, at - their end), and then launches the TightVNC Viewer. The front-end - program can also be used to set up SSH tunnelled connections instead. + It is a self-contained package, you could carry it around on, say, a + USB memory stick for secure VNC viewing from almost any machine, Unix + or Windows. Patches were created for the TightVNC 1.3dev7 vnc_unixsrc tree (and - various wrappers written) to add these features: + various wrappers and a tcl/tk GUI written) to add these features: * SSL support for connections using the co-bundled stunnel program. * Automatic SSH connections from the GUI (system ssh is used on Unix; co-bundled plink is used on Windows) 
@@ -7930,15 +7969,15 @@ Enhanced TightVNC Viewer (and there should be kinks to work out). This package can be downloaded here: - [8]enhanced_tightvnc_viewer-1.0.4.zip All Unix and Windows -binaries and source. (~6MB) - [9]enhanced_tightvnc_viewer-1.0.4.tar.gz All Unix and Windows -binaries and source. (~6MB) - [10]enhanced_tightvnc_viewer_all-1.0.4.zip All Unix and Windows - binaries and source and full archives in zip dir. (~9MB) - [11]enhanced_tightvnc_viewer_windows_only-1.0.4.zip Only the Windows bin -aries. (~4MB) - [12]enhanced_tightvnc_viewer_no_windows-1.0.4.tar.gz No Windows binaries. + [8]enhanced_tightvnc_viewer-1.0.5.zip All Unix and Windows +binaries and source. (~8MB) + [9]enhanced_tightvnc_viewer-1.0.5.tar.gz All Unix and Windows +binaries and source. (~8MB) + [10]enhanced_tightvnc_viewer_all-1.0.5.zip All Unix and Windows + binaries and source and full archives in zip dir. (~11MB) + [11]enhanced_tightvnc_viewer_windows_only-1.0.5.zip Only the Windows bin +aries. (~6MB) + [12]enhanced_tightvnc_viewer_no_windows-1.0.5.tar.gz No Windows binaries. (~2MB) Sorry for the inconvenience of lumping all the Unix binaries and @@ -7971,7 +8010,7 @@ aries. (~4MB) [17]http://www.chiark.greenend.org.uk/~sgtatham/putty/ It is my belief (but I cannot be absolutely sure) that the bundle - enhanced_tightvnc_viewer_no_windows-1.0.4.tar.gz contains no + enhanced_tightvnc_viewer_no_windows-1.0.5.tar.gz contains no cryptographic software (again, if your situation warrants, you will need to check). This "no_windows" tarball only contains software (from the above URL's and elsewhere) that will use cryptographic software @@ -8027,6 +8066,9 @@ Also, a Windows SSL wrapper for the co-bundled TightVNC binary and other utilities are provided. (Launch ssl_tightvncviewer.exe in the Windows subdirectory). +It is a self-contained package, you could carry it around on, say, +a USB memory stick for secure VNC viewing from almost any machine, +Unix or Windows. Features: -------- 
@@ -8076,7 +8118,7 @@ If you need to Build: -------------------- If your OS/arch is not included, the script "build.unix" may be able to -successfully build on for you and deposit the binaries down in ./bin/... +successfully build one for you and deposit the binaries down in ./bin/... using the included source code. You must run the build.unix script from this directory (that this toplevel @@ -8232,11 +8274,11 @@ References 5. http://www.karlrunge.com/x11vnc/index.html#faq-smb-shares 6. http://www.karlrunge.com/x11vnc/index.html#faq-cups 7. http://www.karlrunge.com/x11vnc/index.html#faq-sound - 8. http://www.karlrunge.com/x11vnc/etv/enhanced_tightvnc_viewer-1.0.4.zip - 9. http://www.karlrunge.com/x11vnc/etv/enhanced_tightvnc_viewer-1.0.4.tar.gz - 10. http://www.karlrunge.com/x11vnc/etv/enhanced_tightvnc_viewer_all-1.0.4.zip - 11. http://www.karlrunge.com/x11vnc/etv/enhanced_tightvnc_viewer_windows_only-1.0.4.zip - 12. http://www.karlrunge.com/x11vnc/etv/enhanced_tightvnc_viewer_no_windows-1.0.4.tar.gz + 8. http://www.karlrunge.com/x11vnc/etv/enhanced_tightvnc_viewer-1.0.5.zip + 9. http://www.karlrunge.com/x11vnc/etv/enhanced_tightvnc_viewer-1.0.5.tar.gz + 10. http://www.karlrunge.com/x11vnc/etv/enhanced_tightvnc_viewer_all-1.0.5.zip + 11. http://www.karlrunge.com/x11vnc/etv/enhanced_tightvnc_viewer_windows_only-1.0.5.zip + 12. http://www.karlrunge.com/x11vnc/etv/enhanced_tightvnc_viewer_no_windows-1.0.5.tar.gz 13. http://www.tightvnc.com/ 14. http://www.realvnc.com/ 15. http://www.stunnel.org/ @@ -8254,7 +8296,7 @@ x11vnc: a VNC server for real X displays Here are all of x11vnc command line options: % x11vnc -opts (see below for -help long descriptions) -x11vnc: allow VNC connections to real X11 displays. 0.8.3 lastmod: 2006-09-23 +x11vnc: allow VNC connections to real X11 displays. 0.8.3 lastmod: 2006-10-07 x11vnc options: -display disp -auth file -id windowid 
@@ -8355,7 +8397,7 @@ libvncserver-tight-extension options: % x11vnc -help -x11vnc: allow VNC connections to real X11 displays. 0.8.3 lastmod: 2006-09-23 +x11vnc: allow VNC connections to real X11 displays. 0.8.3 lastmod: 2006-10-07 (type "x11vnc -opts" to just list the options.) diff --git a/x11vnc/misc/enhanced_tightvnc_viewer/README b/x11vnc/misc/enhanced_tightvnc_viewer/README index 0946d89..6811b9d 100644 --- a/x11vnc/misc/enhanced_tightvnc_viewer/README +++ b/x11vnc/misc/enhanced_tightvnc_viewer/README @@ -17,6 +17,7 @@ by others. See these sites and related ones for more information: http://www.tightvnc.com http://www.realvnc.com http://www.stunnel.org + http://stunnel.mirt.net http://www.openssl.org http://www.chiark.greenend.org.uk/~sgtatham/putty/ @@ -46,6 +47,9 @@ Also, a Windows SSL wrapper for the co-bundled TightVNC binary and other utilities are provided. (Launch ssl_tightvncviewer.exe in the Windows subdirectory). +It is a self-contained package, you could carry it around on, say, +a USB memory stick for secure VNC viewing from almost any machine, +Unix or Windows. Features: -------- @@ -215,6 +219,7 @@ See also: x11vnc -h | more http://www.stunnel.org + http://stunnel.mirt.net http://www.openssl.org http://www.tightvnc.com http://www.realvnc.com diff --git a/x11vnc/misc/enhanced_tightvnc_viewer/Windows/util/connect_br.tcl b/x11vnc/misc/enhanced_tightvnc_viewer/Windows/util/connect_br.tcl new file mode 100755 index 0000000..e8654a3 --- /dev/null +++ b/x11vnc/misc/enhanced_tightvnc_viewer/Windows/util/connect_br.tcl 
@@ -0,0 +1,239 @@ +#!/usr/bin/wish + +global env + +set proxy1 "" +set proxy2 "" +set client_fh "" +set server_fh "" + +set debug 0 +if {$debug} { + if {! [info exists env(SSL_VNC_DEST)]} { + set env(SSL_VNC_DEST) "haystack:2037" + } + if {! [info exists env(SSL_VNC_PROXY)]} { + set env(SSL_VNC_PROXY) "haystack:2037" + } + if {! [info exists env(SSL_VNC_LISTEN)]} { + set env(SSL_VNC_LISTEN) "6789" + } +} + +set dest $env(SSL_VNC_DEST) + +if [regexp {,} $env(SSL_VNC_PROXY)] { + set s [split $env(SSL_VNC_PROXY) ","] + set proxy1 [lindex $s 0] + set proxy2 [lindex $s 1] +} else { + set proxy1 $env(SSL_VNC_PROXY) +} + +set s [split $proxy1 ":"] +set proxy1_host [lindex $s 0] +set proxy1_port [lindex $s 1] + +if {$proxy2 != ""} { + set s [split $proxy2 ":"] + set proxy2_host [lindex $s 0] + set proxy2_port [lindex $s 1] +} + +set lport $env(SSL_VNC_LISTEN) + +set got_connection 0 +set lsock [socket -myaddr 127.0.0.1 -server handle_connection $lport] + +if {1} { + wm withdraw . +} +button .b -text "CONNECT_BR" -command {destroy .} +pack .b +after 1000 check_callback + +proc check_callback {} { + global debug + if {$debug} { + puts stderr "." + } + check_closed + after 1000 check_callback +} + +proc check_closed {} { + global client_fh server_fh debug + global got_connection + + if {! $got_connection} { + return + } + set delay 100 + if {$client_fh != "" && [eof $client_fh]} { + if {$debug} { + puts stderr "client_fh EOF" + } + catch {flush $client_fh} + after $delay + catch {close $client_fh} + after $delay + catch {flush $server_fh} + after $delay + catch {close $server_fh} + destroy . + exit + } + if {$server_fh != "" && [eof $server_fh]} { + if {$debug} { + puts stderr "server_fh EOF" + } + catch {flush $server_fh} + after $delay + catch {close $server_fh} + after $delay + catch {flush $client_fh} + after $delay + catch {close $client_fh} + destroy . 
+ exit + } +} + +proc xfer_in_to_out {} { + global client_fh server_fh debug + if {$client_fh != "" && ![eof $client_fh]} { + set str [read $client_fh 4096] + if {$debug} { + puts stderr "xfer_in_to_out: $str" + } + if {$server_fh != ""} { + puts -nonewline $server_fh $str + flush $server_fh + } + } + check_closed +} + +proc xfer_out_to_in {} { + global client_fh server_fh debug + if {$server_fh != "" && ![eof $server_fh]} { + set str [read $server_fh 4096] + if {$debug} { + puts stderr "xfer_out_to_in: $str" + } + if {$client_fh != ""} { + puts -nonewline $client_fh $str + flush $client_fh + } + } + check_closed +} + +proc handle_connection {fh host port} { + global proxy1_host proxy1_port + global proxy2_host proxy2_port + global proxy1 proxy2 + global dest + global debug + global got_connection + + if {$got_connection} { + catch {close $fh} + return + } + set got_connection 1 + + if {$debug} { + puts stderr "connection from: $host $port" + puts stderr "socket $proxy1_host $proxy1_port" + } + + set sock [socket $proxy1_host $proxy1_port] + + global client_fh server_fh + set client_fh $fh + set server_fh $sock + + fconfigure $fh -translation binary -blocking 0 + fconfigure $sock -translation binary -blocking 0 + + set con "" + if {$proxy2 != ""} { + append con "CONNECT $proxy2 HTTP/1.1\r\n" + append con "Host: $proxy2\r\n\r\n" + } else { + append con "CONNECT $dest HTTP/1.1\r\n" + append con "Host: $dest\r\n\r\n" + } + + puts -nonewline $sock $con + flush $sock + + set r "" + set cnt 0 + while {1} { + set c [read $sock 1] + if {$c == ""} { + check_closed + after 20 + } + incr cnt + if {$debug} { + .b configure -text "A $cnt -- $c" + update + } + append r $c + if {[regexp "\r\n\r\n" $r] || [regexp "a--no--\n\n" $r]} { + break + } + if {$cnt > 3000} { + break + } + } + if {! [regexp {HTTP/.* 200} $r]} { + puts stderr "did not find HTTP 200 #1" + if {1} { + destroy . 
+ exit 1 + } + } + + if {$proxy2 != ""} { + set con "" + append con "CONNECT $dest HTTP/1.1\r\n" + append con "Host: $dest\r\n\r\n" + + puts -nonewline $sock $con + flush $sock + + set r "" + set cnt 0 + while {1} { + set c [read $sock 1] + if {$c == ""} { + check_closed + after 20 + } + incr cnt + if {$debug} { + .b configure -text "B $cnt -- $c" + update + } + append r $c + if {[regexp "\r\n\r\n" $r] || [regexp "a--no--\n\n" $r]} { + break + } + if {$cnt > 3000} { + break + } + } + if {! [regexp {HTTP/.* 200} $r]} { + puts stderr "did not find HTTP 200 #2" + destroy . + exit 1 + } + } + + fileevent $fh readable xfer_in_to_out + fileevent $sock readable xfer_out_to_in +} diff --git a/x11vnc/misc/enhanced_tightvnc_viewer/Windows/util/info/stunnel/location.url b/x11vnc/misc/enhanced_tightvnc_viewer/Windows/util/info/stunnel/location.url index c700866..4f87491 100644 --- a/x11vnc/misc/enhanced_tightvnc_viewer/Windows/util/info/stunnel/location.url +++ b/x11vnc/misc/enhanced_tightvnc_viewer/Windows/util/info/stunnel/location.url @@ -1 +1,2 @@ http://www.stunnel.org/download/binaries.html +http://stunnel.mirt.net/ diff --git a/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssl_tightvncviewer.tcl b/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssl_tightvncviewer.tcl index c055e0a..986edd0 100755 --- a/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssl_tightvncviewer.tcl +++ b/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssl_tightvncviewer.tcl 
@@ -108,11 +108,16 @@ proc help {} { Proxies: If an intermediate proxy is needed to make the SSL connection (e.g. web gateway out of a firewall), supply both hosts separated - by spaces (with the proxy 2nd): + by spaces (with the proxy second): host:number gwhost:port - E.g.: far-way.east:0 mygateway.com:8080 + E.g.: far-away.east:0 mygateway.com:8080 + + If the "double proxy" case is required (e.g. coming out of a web + proxied firewall environment), separate them via a comma, e.g.: + + far-away:0 local-proxy:8080,mygateway.com:443 See the ssl_vncviewer description and x11vnc FAQ for info on proxies: @@ -164,8 +169,15 @@ proc help {} { 2) If you use "user@hostname cmd=SHELL" then you get an SSH shell only: no VNC viewer will be launched. On Windows "user@hostname cmd=PUTTY" - will try to use putty.exe (better terminal emulation than plink.exe) - A shortcut for this is Ctrl-S as long as user@hostname is present. + will try to use putty.exe (better terminal emulation than + plink.exe). A shortcut for this is Ctrl-S as long as user@hostname + is present in the entry box. + + 3) If you use "user@hostname cmd=KNOCK" then only the port-knocking + is performed. A shortcut for this is Ctrl-P as long as hostname + is present in the entry box. If it matches cmd=KNOCKF, i.e. an + extra "F", then the port-knocking "FINISH" sequence is sent, if any. + A shortcut for this Shift-Ctrl-P as long as hostname is present. } .h.f.t insert end $msg 
@@ -265,18 +277,18 @@ set msg { tunnel. You must be able to log in via ssh to the remote host. On Unix the cmdline ssh(1) program will be run in an xterm - for authentication, etc. On Windows the cmdline plink.exe - program will be launched in a Windows Console window. + for passphrase authentication, etc. On Windows the cmdline + plink.exe program will be launched in a Windows Console window. - You can set the "VNC Server" to "user@host:disp" to indicate - ssh should log in as "user" on "host". On Windows you must + You can set the "VNC Server" to "user@host:disp" to indicate ssh + should log in as "user" on "host". NOTE: On Windows you MUST always supply the "user@" part (due to a plink deficiency). E.g.: fred@far-away.east:0 - If a gateway machine must be used (e.g. to enter a firewall; - the VNC Server is not running on it), put something like this - in the "VNC Server" entry box: + If an intermediate gateway machine must be used (e.g. to enter + a firewall; the VNC Server is not running on it), put something + like this in the "VNC Server" entry box: workstation:0 user@gateway-host:port @@ -285,6 +297,16 @@ set msg { ":port" is optional, use it if the gateway-host SSH port is not the default value 22. + One can also do a "double ssh", i.e. a first SSH to the + gateway login machine then a 2nd ssh to the destination machine + (presumably it is running the vnc server). Unlike the above + example, the "last leg" (gateway-host -> workstation) is also + encrypted by SSH this way. Do this by splitting the gateway + in two with a comma, the part before it is the first SSH: + + :0 user@gateway-host:port,user@workstation:port + + At the very end of the entry box, you can also append a cmd=... string to indicate that command should be run via ssh on the remote machine instead of the default "sleep 15". E.g.: 
@@ -293,6 +315,7 @@ set msg { (if a gateway is also needed, put it just before the cmd=...) + Trick: If you use "cmd=SHELL" then you get an SSH shell only: no VNC viewer will be launched. On Windows "cmd=PUTTY" will try to use putty.exe (better terminal emulation than plink.exe) @@ -345,18 +368,14 @@ set msg { with Load Profile. Use the Browse... button to select the filename via the GUI. - Include: Profile template(s) to load before loading a profile - (see Load Profile above). For example if you Save - a profile called "globals" that has some settings - you use often, then just supply "Include: globals" - to have them applied. - - You may supply a comma or space separated list of - templates to include. They can be full path names or - basenames relative to the profiles directory. You do - not need to supply the .vnc suffix. The non-default - settings in them will be applied first, and then any - values then in the loaded Profile will override them. + Note: On Windows since the TightVNC Viewer will save + its own settings in the registry, some unexpected + behavior is possible because the viewer is nearly + always directed to the VNC host "localhost:30". E.g. if + you specify "View Only" in this gui once but not next + time the Windows VNC Viewer may remember the setting. + Unfortunately there is not a /noreg option for the Viewer. + Clear Options: Set all options to their defaults (i.e. unset). @@ -880,6 +899,24 @@ proc make_plink {} { update } +proc ssh_split {str} { + if {! [regexp {:} $str]} { + append str ":22" + } + regsub {:.*$} $str "" ssh_host + regsub {^.*:} $str "" ssh_port + if {$ssh_port == ""} { + set ssh_port 22 + } + if [regexp {@} $ssh_host] { + regsub {@.*$} $ssh_host "" ssh_user + regsub {^.*@} $ssh_host "" ssh_host + } else { + set ssh_user "" + } + return [list $ssh_user $ssh_host $ssh_port] +} + proc launch_windows_ssh {hp file n} { global is_win9x env global use_sshssl use_ssh putty_pw 
@@ -918,16 +955,65 @@ proc launch_windows_ssh {hp file n} { set ssh_host $hpnew regsub {:.*$} $ssh_host "" ssh_host + set double_ssh "" + set p_port "" if {$proxy != ""} { - set ssh_host $proxy + if [regexp {,} $proxy] { + if {$is_win9x} { + mesg "Double proxy does not work on Win9x" + bell + return 0 + } + # user1@gateway:port1,user2@workstation:port2 + set proxy1 "" + set proxy2 "" + set s [split $proxy ","] + set proxy1 [lindex $s 0] + set proxy2 [lindex $s 1] + + set p_port [expr 3000 + 1000 * rand()] + set p_port [expr round($p_port)] + + set s [ssh_split $proxy1] + set ssh_user1 [lindex $s 0] + set ssh_host1 [lindex $s 1] + set ssh_port1 [lindex $s 2] + + set s [ssh_split $proxy2] + set ssh_user2 [lindex $s 0] + set ssh_host2 [lindex $s 1] + set ssh_port2 [lindex $s 2] + + set u1 "" + if {$ssh_user1 != ""} { + set u1 "${ssh_user1}@" + } + set u2 "" + if {$ssh_user2 != ""} { + set u2 "${ssh_user2}@" + } + + set double_ssh "-L $p_port:$ssh_host2:$ssh_port2 -P $ssh_port1 $u1$ssh_host1" + set proxy_use "${u2}localhost:$p_port" + + } else { + # user1@gateway:port1 + set proxy_use $proxy + } + + set ssh_host $proxy_use regsub {:.*$} $ssh_host "" ssh_host - set ssh_port $proxy + set ssh_port $proxy_use regsub {^.*:} $ssh_port "" ssh_port if {$ssh_port == ""} { set ssh_port 22 } + set vnc_host $hpnew regsub {:.*$} $vnc_host "" vnc_host + if {$vnc_host == ""} { + set vnc_host "localhost" + } } if {![regexp {^[^ ][^ ]*@} $ssh_host]} { @@ -974,6 +1060,8 @@ proc launch_windows_ssh {hp file n} { set tag [contag] + set file_double "" + set file_pre "" set file_pre_cmd "" if {$do_pre} { @@ -1077,6 +1165,10 @@ proc launch_windows_ssh {hp file n} { append extra_redirs [get_additional_redir] } + if {$vnc_host == ""} { + set vnc_host "localhost" + } + set plink_str "plink.exe -ssh -P $ssh_port $verb -L $use:$vnc_host:$vnc_port $extra_redirs -t" if {$extra_redirs != ""} { regsub {exe} $plink_str "exe -C" plink_str 
@@ -1125,6 +1217,41 @@ proc launch_windows_ssh {hp file n} { return 0 } + if {$double_ssh != ""} { + set plink_str_double_ssh "plink.exe -ssh -t $pw $double_ssh \"echo sleep 60 ...; sleep 60; echo done.\"" + + regsub {\.bat} $file "dob.bat" file_double + set fhdouble [open $file_double "w"] + puts $fhdouble $plink_str_double_ssh + puts $fhdouble "del $file_double" + close $fhdouble + + set com "cmd.exe" + if [info exists env(COMSPEC)] { + set com $env(COMSPEC) + } + + exec $com /c $file_double & + + set waited 0 + set gotit 0 + while {$waited < 30000} { + after 500 + update + set ns [get_netstat] + set re ":$p_port" + append re {[ ][ ]*[0:.][0:.]*[ ][ ]*LISTEN} + if [regexp $re $ns] { + set gotit 1 + break + } + set waited [expr "$waited + 500"] + } + if {! $gotit} { + after 5000 + } + } + if {$is_win9x} { wm withdraw . update @@ -1282,6 +1409,9 @@ proc launch_windows_ssh {hp file n} { if {$file_pre_cmd != ""} { catch {file delete $file_pre_cmd} } + if {$file_double != ""} { + catch {file delete $file_double} + } global sound_daemon_local_kill if {! $is_win9x && $use_sound && $sound_daemon_local_kill && $sound_daemon_local_cmd != ""} { @@ -1453,6 +1583,35 @@ proc do_unix_pre {tag proxy hp pk_hp} { } } +proc port_knock_only {hp {mode KNOCK}} { + if {$hp == ""} { + global vncdisplay + set hp $vncdisplay + if {$hp == ""} { + mesg "No host port found" + bell + return + } + } + set hpnew [get_ssh_hp $hp] + set proxy [get_ssh_proxy $hp] + set sshcmd [get_ssh_cmd $hp] + set hp $hpnew + + set pk_hp "" + if {$proxy != ""} { + set pk_hp $proxy + } + if {$pk_hp == ""} { + set pk_hp $hp + } + if {$mode == "KNOCK"} { + do_port_knock $pk_hp start + } elseif {$mode == "FINISH"} { + do_port_knock $pk_hp finish + } +} + proc launch_unix {hp} { global smb_redir_0 smb_mounts env @@ -1823,6 +1982,7 @@ proc launch {{hp ""}} { global vncdisplay tcl_platform is_windows global mycert svcert crtdir global pids_before pids_after pids_new + global env global use_ssh use_sshssl set debug 0 
@@ -1844,6 +2004,16 @@ proc launch {{hp ""}} { mesg "Using: $hp" after 600 + set sc [get_ssh_cmd $hp] + if {[regexp {^KNOCK} $sc]} { + if [regexp {^KNOCKF} $sc] { + port_knock_only $hp "FINISH" + } else { + port_knock_only $hp "KNOCK" + } + return + } + if {$debug} { mesg "\"$tcl_platform(os)\" | \"$tcl_platform(osVersion)\"" after 1000 @@ -1896,6 +2066,11 @@ proc launch {{hp ""}} { set n2 "" set now [clock seconds] + set proxy [get_ssh_proxy $hp] + if {$use_sshssl} { + set proxy "" + } + for {set i 30} {$i < 90} {incr i} { set try "$prefix-$i.$suffix" if {[file exists $try]} { @@ -1907,7 +2082,7 @@ proc launch {{hp ""}} { } } if {! [file exists $try]} { - if {$use_sshssl} { + if {$use_sshssl || $proxy != ""} { if {$file != ""} { set file2 $try set n2 $i @@ -1916,7 +2091,7 @@ proc launch {{hp ""}} { } set file $try set n $i - if {! $use_sshssl} { + if {! $use_sshssl && $proxy == ""} { break } } @@ -1947,23 +2122,13 @@ proc launch {{hp ""}} { return } - if [regexp {[ ]} $hp] { - # proxy or cmd case (should not happen? yet?) - regsub {[ ].*$} $hp "" hp2 - } else { - set list [split $hp ":"] - set host [lindex $list 0] - set disp [lindex $list 1] - set disp [string trim $disp] - regsub { .*$} $disp "" disp - if {$disp == ""} { - set disp 0 - } - set port [expr "$disp + 5900"] - } - set list [split $hp ":"] + set host [lindex $list 0] + if {$host == ""} { + set host "localhost" + } + set disp [lindex $list 1] set disp [string trim $disp] regsub { .*$} $disp "" disp @@ -1972,6 +2137,12 @@ proc launch {{hp ""}} { } set port [expr "$disp + 5900"] + if {$proxy != ""} { + set env(SSL_VNC_PROXY) $proxy + set env(SSL_VNC_LISTEN) [expr "$n2 + 5900"] + set env(SSL_VNC_DEST) "$host:$port" + } + if {$debug} { mesg "file: $file" after 1000 @@ -2024,7 +2195,7 @@ proc launch {{hp ""}} { set port2 [expr "$n + 5900"] puts $fh "accept = localhost:$port2" - if {$use_sshssl} { + if {$use_sshssl || $proxy != ""} { set port [expr "$n2 + 5900"] puts $fh "connect = localhost:$port" } else { 
@@ -2047,6 +2218,16 @@ proc launch {{hp ""}} { return } + set proxy_pid "" + if {$proxy != ""} { + mesg "Starting TCP helper on port $port ..." + after 600 + set proxy_pid [exec "connect_br.exe" &] + unset -nocomplain env(SSL_VNC_PROXY) + unset -nocomplain env(SSL_VNC_LISTEN) + unset -nocomplain env(SSL_VNC_DEST) + } + mesg "Starting STUNNEL on port $port2 ..." after 600 @@ -2158,6 +2339,7 @@ proc set_mycert {} { set mycert $t } catch {wm deiconify .c} + v_mycert update } @@ -2192,6 +2374,26 @@ proc show_cert {crt} { catch {raise $w} } +proc v_svcert {} { + global svcert + if {$svcert == "" || ! [file exists $svcert]} { + catch {.c.svcert.i configure -state disabled} + } else { + catch {.c.svcert.i configure -state normal} + } + return 1 +} + +proc v_mycert {} { + global mycert + if {$mycert == "" || ! [file exists $mycert]} { + catch {.c.mycert.i configure -state disabled} + } else { + catch {.c.mycert.i configure -state normal} + } + return 1 +} + proc show_mycert {} { global mycert show_cert $mycert @@ -2216,6 +2418,7 @@ proc set_svcert {} { set svcert $t } catch {wm deiconify .c} + v_svcert update } @@ -2452,6 +2655,8 @@ emailAddress_max = 64 set geometry [xterm_center_geometry] update eval exec xterm -geometry $geometry -title Running_OpenSSL -e $cmd + catch {file attributes $pem -permissions go-rw} + catch {file attributes $crt -permissions go-w} } catch {file delete $tmp} @@ -2851,6 +3056,13 @@ proc do_save {} { -message $emess -title "Save File: $import_save_file" return } + global is_windows + if {! $is_windows} { + catch {file attributes $import_save_file -permissions go-w} + if {[regexp {PRIVATE} $str] || [regexp {\.pem$} $import_save_file]} { + catch {file attributes $import_save_file -permissions go-rw} + } + } puts -nonewline $fh $str close $fh catch {destroy .icrt} 
@@ -2988,12 +3200,22 @@ proc getcerts {} { label .c.svcert.l -anchor w -width 12 -text "ServerCert:" label .c.crtdir.l -anchor w -width 12 -text "CertsDir:" - entry .c.mycert.e -width 32 -textvariable mycert - entry .c.svcert.e -width 32 -textvariable svcert + entry .c.mycert.e -width 32 -textvariable mycert -vcmd v_mycert + entry .c.svcert.e -width 32 -textvariable svcert -vcmd v_svcert + bind .c.mycert.e {.c.mycert.e validate} + bind .c.mycert.e {.c.mycert.e validate} + bind .c.svcert.e {.c.svcert.e validate} + bind .c.svcert.e {.c.svcert.e validate} entry .c.crtdir.e -width 32 -textvariable crtdir button .c.mycert.b -text "Browse..." -command {set_mycert; catch {raise .c}} button .c.svcert.b -text "Browse..." -command {set_svcert; catch {raise .c}} button .c.crtdir.b -text "Browse..." -command {set_crtdir; catch {raise .c}} + button .c.mycert.i -text "Info" -command {show_mycert} + button .c.svcert.i -text "Info" -command {show_svcert} + button .c.crtdir.i -text "Info" -command {} + .c.mycert.i configure -state disabled + .c.svcert.i configure -state disabled + .c.crtdir.i configure -state disabled bind .c.mycert.b "show_mycert" bind .c.svcert.b "show_svcert" @@ -3010,6 +3232,7 @@ proc getcerts {} { pack .c.$w.l -side left pack .c.$w.e -side left -expand 1 -fill x pack .c.$w.b -side left + pack .c.$w.i -side left bind .c.$w.e ".c.$w.b invoke" if {$use_ssh} { .c.$w.l configure -state disabled 
@@ -3722,19 +3945,21 @@ set cmd(5) { if [ "$rc" = 0 ]; then if [ "X$have_perl_done" = "X1" -o 1 = 1 ] ; then echo - echo "Your SMB shares will be be unmounted when the VNC connection" - echo "closes. If that fails follow these instructions:" + echo "Your SMB shares will be unmounted when the VNC connection closes," + echo "*As Long As* No Applications have any of the share files opened or are" + echo "cd-ed into any of the share directories." + echo + echo "Try to make sure nothing is accessing the SMB shares before disconnecting" + echo "the VNC session. If you fail to do that follow these instructions:" fi echo - echo "To unmount your SMB shares make sure no applications are still using" - echo "any of the files and no shells are still cd-ed into the share area," - echo "then type:" + echo "To unmount your SMB shares make sure no applications are still using any of" + echo "the files and no shells are still cd-ed into the share area, then type:" echo echo " rm -f $smb_script" echo - echo "(to avoid a 2nd ssh, try to do this before terminating the VNC Viewer)" - echo - echo "In the worst case run: smbumount /path/to/mount/point for each mount." + echo "In the worst case run: smbumount /path/to/mount/point for each mount as root" + echo "Even with the remote redirection gone the kernel should umount after a timeout." else echo if [ "$DO_SMB_SU" = "1" ]; then @@ -3819,7 +4044,6 @@ set cmd(6) { fi - echo #FINMSG echo echo "--vnc-helper-exiting--" @@ -4927,7 +5151,7 @@ proc smb_dialog {} { VERY IMPORTANT: Before terminating the VNC Connection, make sure no applications are using any of the SMB shares (or shells are cd-ed - into the share). This way the shares will be automatically umounted. + into the share). This way the shares will be automatically unmounted. Otherwise you will need to log in again, stop processes from using the share, become root and umount the shares manually ("smbumount /path/to/share", etc.) 
@@ -5022,7 +5246,18 @@ proc help_advanced_opts {} { firewall ports in a certain way to open the door for SSH or SSL. The port can also be closed when the encrypted VNC connection finishes. - + + Include: Profile template(s) to load before loading a profile + (see Load Profile under "Options"). For example if you Save a + profile called "globals" that has some settings you use often, + then just supply "Include: globals" to have them applied. + You may supply a comma or space separated list of templates + to include. They can be full path names or basenames relative + to the profiles directory. You do not need to supply the .vnc + suffix. The non-default settings in them will be applied first, + and then any values in the loaded Profile will override them. + + About the CheckButtons: Ahem, Well...., yes quite a klunky UI: you have to toggle the @@ -5268,6 +5503,7 @@ proc do_port_knock {hp mode} { if {$mode == "finish"} { if {! [regexp {FINISH} $list]} { + mesg "PortKnock(finish): done" return 1 } else { regsub {^.*FINISH} $list "" list @@ -5407,6 +5643,7 @@ proc do_port_knock {hp mode} { mesg $m return 0 } + regsub {,.*$} $host "" host if {[regexp {[ \t]} $host]} { bell set m "PortKnock: Invalid host: \"$host\"" @@ -5520,7 +5757,11 @@ proc do_port_knock {hp mode} { if {$m != ""} { set m "$m," } - mesg "PortKnock: done" + if {$mode == "finish"} { + mesg "PortKnock(finish): done" + } else { + mesg "PortKnock: done" + } return 1 } @@ -5699,6 +5940,16 @@ proc port_knocking_dialog {} { delay 1000 PAD=C:\My Pads\work-pad1.txt sleep 4000 + + + Port knock only: + + If, in the 'VNC Server' entry box, you use "user@hostname cmd=KNOCK" + then only the port-knocking is performed. A shortcut for this is + Ctrl-P as long as hostname is present in the entry box. If it + matches cmd=KNOCKF, i.e. an extra "F", then the port-knocking + "FINISH" sequence is sent, if any. A shortcut for this Shift-Ctrl-P + as long as hostname is present. } .pk.f.t insert end $msg 
@@ -5761,6 +6012,15 @@ proc set_advanced_options {} { -command {if {$use_port_knocking} {port_knocking_dialog}} incr i + global include_list + frame .oa.b$i + label .oa.b$i.l -text "Include:" + entry .oa.b$i.e -width 10 -textvariable include_list + pack .oa.b$i.l -side left + pack .oa.b$i.e -side right -expand 1 -fill x + + incr i + for {set j 1} {$j < $i} {incr j} { pack .oa.b$j -side top -fill x } @@ -5995,20 +6255,13 @@ proc set_options {} { pack .o.sa -side top -fill x } - global include_list - frame .o.inc - label .o.inc.l -text "Include:" - entry .o.inc.e -width 10 -textvariable include_list - pack .o.inc.l -side left - pack .o.inc.e -side right -expand 1 -fill x - button .o.s_prof -text "Save Profile ..." -command {save_profile; raise .o} button .o.l_prof -text " Load Profile ..." -command {load_profile; raise .o} button .o.advanced -text "Advanced ..." -command set_advanced_options button .o.clear -text "Clear Options" -command set_defaults pack .o.s_prof -side top -fill x pack .o.l_prof -side top -fill x - pack .o.inc -side top -fill x + #pack .o.inc -side top -fill x pack .o.clear -side top -fill x pack .o.advanced -side top -fill x @@ -6091,6 +6344,8 @@ if {[info exists env(SSL_VNC_GUI_CMD)]} { bind . "destroy .; exit" bind . "destroy .; exit" bind . "launch_shell_only" +bind . {port_knock_only "" "KNOCK"} +bind . {port_knock_only "" "FINISH"} global entered_gui_top button_gui_top set entered_gui_top 0 diff --git a/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssl_vncviewer b/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssl_vncviewer index 5827601..85d5920 100755 --- a/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssl_vncviewer +++ b/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssl_vncviewer 
@@ -33,7 +33,10 @@ # # -proxy try host:port as a Web proxy to use the CONNECT method # to reach the VNC server (e.g. your firewall requires a proxy). +# # For the "double proxy" case use -proxy host1:port1,host2:port2 +# (the first CONNECT is done through host1:port1 to host2:port2 +# and then a 2nd CONNECT to the destination VNC server.) # # See http://www.karlrunge.com/x11vnc/#faq-ssl-ca for details on SSL # certificates with VNC. @@ -56,6 +59,14 @@ # other than the default (22). (even for the non-gateway case, # -proxy must be used to specify a non-standard ssh port) # +# A "double ssh" can be specified via a -proxy string with the two +# hosts separated by a comma: +# +# [user1@]host1[:port1],[user2@]host2[:port2] +# +# in which case a ssh to host1 and thru it via a -L redir a 2nd +# ssh is established to host2. +# # Examples: # # ssl_vncviewer -ssh bob@bobs-home.net:0 @@ -64,6 +75,8 @@ # ssl_vncviewer -ssh -proxy fred@mygate.com:2022 mymachine:0 # ssl_vncviewer -ssh -proxy bob@bobs-home.net:2222 localhost:0 # +# ssl_vncviewer -ssh -proxy fred@gw-host,fred@peecee localhost:0 +# # -sshcmd cmd Run "cmd" via ssh instead of the default "sleep 15" # e.g. -sshcmd 'x11vnc -display :0 -localhost -rfbport 5900' # 
@@ -239,6 +252,38 @@ if [ "X$use_ssh" = "X1" ]; then ssh_host="$host" vnc_host="localhost" ssh=${SSH:-"ssh -x"} + if echo "$proxy" | grep "," > /dev/null; then + proxy1=`echo "$proxy" | awk -F, '{print $1}'` + proxy2=`echo "$proxy" | awk -F, '{print $2}'` + # user1@gw1.com:port1,user2@ws2:port2 + ssh_host1=`echo "$proxy1" | awk -F: '{print $1}'` + ssh_port1=`echo "$proxy1" | awk -F: '{print $2}'` + if [ "X$ssh_port1" = "X" ]; then + ssh_port1="22" + fi + ssh_host2=`echo "$proxy2" | awk -F: '{print $1}'` + ssh_user2=`echo "$ssh_host2" | awk -F@ '{print $1}'` + ssh_host2=`echo "$ssh_host2" | awk -F@ '{print $2}'` + if [ "X$ssh_host2" = "X" ]; then + ssh_host2=$ssh_user2 + ssh_user2="" + else + ssh_user2="${ssh_user2}@" + fi + ssh_port2=`echo "$proxy2" | awk -F: '{print $2}'` + if [ "X$ssh_port2" = "X" ]; then + ssh_port2="22" + fi + proxport=`findfree 3500` + echo + echo "Running 1st ssh proxy:" + echo "$ssh -f -p $ssh_port1 -t -e none -L $proxport:$ssh_host2:$ssh_port2 $ssh_host1 \"sleep 30\"" + $ssh -f -p $ssh_port1 -t -e none -L $proxport:$ssh_host2:$ssh_port2 $ssh_host1 "sleep 30" + ssh_args="$ssh_args -o NoHostAuthenticationForLocalhost=yes" + sleep 1 + stty sane + proxy="${ssh_user2}localhost:$proxport" + fi if [ "X$proxy" != "X" ]; then ssh_port=`echo "$proxy" | awk -F: '{print $2}'` if [ "X$ssh_port" = "X" ]; then diff --git a/x11vnc/misc/enhanced_tightvnc_viewer/src/patches/_bundle b/x11vnc/misc/enhanced_tightvnc_viewer/src/patches/_bundle index 379e229..f31e673 100755 --- a/x11vnc/misc/enhanced_tightvnc_viewer/src/patches/_bundle +++ b/x11vnc/misc/enhanced_tightvnc_viewer/src/patches/_bundle @@ -1,7 +1,7 @@ #!/bin/sh rm -rf ./src/tmp/* || exit 1 -vers=1.0.4 +vers=1.0.5 cd .. || exit 1 diff --git a/x11vnc/misc/enhanced_tightvnc_viewer/src/zips/README b/x11vnc/misc/enhanced_tightvnc_viewer/src/zips/README index 776d4bf..e2405b2 100644 --- a/x11vnc/misc/enhanced_tightvnc_viewer/src/zips/README +++ b/x11vnc/misc/enhanced_tightvnc_viewer/src/zips/README 
@@ -2,6 +2,7 @@ This is where we keep the 3rd party source zip and tar.gz files used to build this package. www.stunnel.org source 488512 Jul 25 15:09 stunnel-4.14.tar.gz +http://stunnel.mirt.net www.tightvnc.com source 2182134 Jul 25 15:11 tightvnc-1.3dev7_unixsrc.tar.gz www.tightvnc.com windows standalone viewer binary: 209149 Jul 25 15:10 tightvnc-1.3dev7_x86_viewer.zip diff --git a/x11vnc/x11vnc.1 b/x11vnc/x11vnc.1 index 0dcd61b..b8b8c4a 100644 --- a/x11vnc/x11vnc.1 +++ b/x11vnc/x11vnc.1 @@ -1,8 +1,8 @@ .\" This file was automatically generated from x11vnc -help output. -.TH X11VNC "1" "September 2006" "x11vnc " "User Commands" +.TH X11VNC "1" "October 2006" "x11vnc " "User Commands" .SH NAME x11vnc - allow VNC connections to real X11 displays - version: 0.8.3, lastmod: 2006-09-23 + version: 0.8.3, lastmod: 2006-10-07 .SH SYNOPSIS .B x11vnc [OPTION]... diff --git a/x11vnc/x11vnc_defs.c b/x11vnc/x11vnc_defs.c index 50fa5f0..60af429 100644 --- a/x11vnc/x11vnc_defs.c +++ b/x11vnc/x11vnc_defs.c @@ -15,7 +15,7 @@ int xtrap_base_event_type = 0; int xdamage_base_event_type = 0; /* date +'lastmod: %Y-%m-%d' */ -char lastmod[] = "0.8.3 lastmod: 2006-09-23"; +char lastmod[] = "0.8.3 lastmod: 2006-10-07"; /* X display info */ -- cgit v1.2.1
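Review bot: In the `ssh_split` hunk (ssl_tightvncviewer.tcl, after `make_plink`), the user/host/port pieces are returned unvalidated even though they are later interpolated into a plink command line that is written to a batch file and run through `cmd.exe /c` (`set double_ssh "-L $p_port:$ssh_host2:$ssh_port2 -P $ssh_port1 $u1$ssh_host1"`). A "VNC Server" entry containing spaces, `&` or `|` would be re-parsed by cmd.exe rather than passed to plink. The `do_port_knock` hunk already rejects such input with `if {[regexp {[ \t]} $host]} { bell ... }`; apply the same check to each field in `ssh_split` (or refuse non `[A-Za-z0-9.@_-]` characters) before building `$double_ssh`.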
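Review bot: In the `launch_windows_ssh` double-proxy hunk, `set p_port [expr 3000 + 1000 * rand()]` picks the local forwarding port without checking that it is free, unlike the Unix script, which uses `findfree 3500`. If the port is taken, plink's `-L` bind fails silently and the later netstat poll just times out. Suggest testing the candidate against `[get_netstat]` before use and retrying. A second consequence of a random port: PuTTY/plink caches host keys under `port:host`, so `localhost:$p_port` never matches a cached entry and the user is asked to accept an "unknown" host key for the workstation on every connection, which trains them to click through exactly the warning that protects the last leg. Choosing the lowest free port from a fixed base keeps the cache hit rate high, and the dialog text should tell the user that the key being presented is the workstation's, not the gateway's.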
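Review bot: In the `$double_ssh != ""` hunk, the full plink command line including `$pw` is written to `$file_double` on disk (`puts $fhdouble $plink_str_double_ssh`). If `$pw` expands to a plink `-pw` argument, the SSH password then sits in a plaintext `.bat` file and on the process command line; the file removes itself with `del $file_double` and is also deleted in the later cleanup hunk, but if the GUI or plink is killed in between it stays behind. Prefer not persisting the password (prompt, or pass it via stdin) and, at minimum, create the file in a user-only location. Also, after the 30-second netstat poll, `if {! $gotit} { after 5000 }` proceeds even though the forward was never seen in LISTEN state; the second plink will then fail with a less informative error. Report and `return 0` as the Win9x branch does (`mesg "Double proxy does not work on Win9x"; bell; return 0`).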
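Review bot: In the `connect_br.exe` hunk of `launch`, the helper is told where to listen only by a port number (`set env(SSL_VNC_LISTEN) [expr "$n2 + 5900"]`), so nothing in these lines shows it binding to loopback; the stunnel side is restricted with `accept = localhost:$port2`, and the helper should be equally restricted, otherwise the unencrypted hop between the viewer and the helper is reachable from the LAN. Pass `localhost:<port>` explicitly or document that connect_br binds 127.0.0.1. Two smaller points in the same region: `$n2` starts as `""` (`set n2 ""`) and is only filled when a second free profile slot is found, so `[expr "$n2 + 5900"]` errors if none is; and `$proxy_pid` is recorded but no teardown of the helper appears in this patch, so the listener may outlive the session.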
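Review bot: In the certificate-generation hunk (`eval exec xterm ... -e $cmd` followed by `catch {file attributes $pem -permissions go-rw}`), the permission fix is applied after openssl has finished, so the private key is created under the default umask and is group/world readable for the whole time the xterm is open. Set `umask 077` at the start of `$cmd` (or touch the file with mode 0600 before running openssl) so the key is never exposed; keep the `go-rw` call as a belt-and-braces step. The `do_save` hunk gets this right by restricting `$import_save_file` before `puts -nonewline $fh $str`.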
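Review bot: In the `getcerts` hunk, the new Info buttons start disabled and are only re-enabled by `v_mycert`/`v_svcert`, which run from the entry binds and from `set_mycert`/`set_svcert`. Changing the `mycert`/`svcert` text variables programmatically (loading a profile, for instance) does not trigger an entry validation, so the buttons can stay greyed out with a valid file selected. Call `v_mycert; v_svcert` after any code path that assigns these variables, not just the Browse dialogs.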
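Review bot: In the `ssl_vncviewer` double-ssh hunk, `ssh_args="$ssh_args -o NoHostAuthenticationForLocalhost=yes"` turns off host-key verification for the second ssh, which is precisely the leg that reaches `$ssh_host2` through the forwarded port. A compromised or impersonating gateway can then answer as the workstation with any key and the viewer will not notice, which undoes the "last leg is also encrypted" benefit the README hunk advertises. Use `-o HostKeyAlias=$ssh_host2` on the second ssh instead (and optionally `-o Port=$ssh_port2` for the alias lookup) so known_hosts is checked against the workstation's real entry, and drop `NoHostAuthenticationForLocalhost`. Separately, the first ssh is run with `-f ... "sleep 30"`, so the forward exists for only 30 seconds; with `sleep 1`, a passphrase prompt and stunnel start-up in between, a slow user loses the tunnel before the second ssh connects. The Windows batch uses `sleep 60`; align the two and mention the limit in the usage comment.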
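Review bot: In the `do_port_knock` hunk, `regsub {,.*$} $host "" host` means that for a double proxy only the first gateway is knocked, while the `port_knocking_dialog` help added in the same patch ("Port knock only") does not say so. Add a sentence to that help text stating that the knock sequence is sent to the host before the comma only, so users do not expect the workstation's firewall to be opened as well.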
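Review bot: In the `src/zips/README` hunk, a mirror (`http://stunnel.mirt.net`) is added as a download source but the file list records only sizes and dates (`488512 Jul 25 15:09 stunnel-4.14.tar.gz`), so nothing lets `_bundle` or a user confirm that a tarball fetched from the mirror matches the one the package was built from. Record a digest (sha1/md5 at minimum) per archive next to the size and have `_bundle` (bumped to `vers=1.0.5` in the same patch) verify it before unpacking.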