From 6fbba525a924961083bf2e43bb841bd15671f526 Mon Sep 17 00:00:00 2001
From: runge
Date: Sat, 22 Nov 2008 18:36:33 +0000
Subject: x11vnc: x11vnc.desktop file. -reopen, -dhparams, -sslCRL, -setdefer options. -rfbport PROMPT VeNCrypt and TLSVNC SSL/TLS encryption support. Tweaks to choose_delay() algorithm. -ssl ANON anonymouse Diffie-Hellman mode. Fix bugs in certs management. Additions to tray=setpass naive user mode.

---
 x11vnc/help.c | 259 ++++++++++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 196 insertions(+), 63 deletions(-)
(limited to 'x11vnc/help.c')
diff --git a/x11vnc/help.c b/x11vnc/help.c
index 2a92cc2..cd78723 100644
--- a/x11vnc/help.c
+++ b/x11vnc/help.c
@@ -91,6 +91,18 @@ void print_help(int mode) {
 " The default is to start probing at 5900. Use this to\n"
 " stay away from other VNC servers near 5900.\n"
 "\n"
+"-rfbport str The VNC port to listen on (a libvncserver option), e.g.\n"
+" 5900, 5901, etc. If specified as \"-rfbport PROMPT\"\n"
+" then the x11vnc -gui is used to prompt the user to\n"
+" enter the port number.\n"
+"\n"
+"-reopen If the X server connection is disconnected, try to\n"
+" reopen the X display (up to one time.) This is of use\n"
+" for display managers like GDM (KillInitClients option)\n"
+" that kill x11vnc just after the user logs into the\n"
+" X session. Note: the reopened state may be unstable.\n"
+" Set X11VNC_REOPEN_DISPLAY=n to reopen n times.\n"
+"\n"
 "-reflect host:N Instead of connecting to and polling an X display,\n"
 " connect to the remote VNC server host:N and be a\n"
 " reflector/repeater for it. This is useful for trying\n"
@@ -421,9 +433,7 @@ void print_help(int mode) {
 " to the program location and in standard locations\n"
 " (/usr/local/share/x11vnc/classes, etc). Under -ssl or\n"
 " -stunnel the ssl classes subdirectory is sought.\n"
-#ifndef NO_SSL_OR_UNIXPW
 "-http_ssl As -http, but force lookup for ssl classes subdir.\n"
-#endif
 "\n"
 "-avahi Use the Avahi/mDNS ZeroConf protocol to advertise\n"
 " this VNC server to the local network. (Related terms:\n"
@@ -737,7 +747,6 @@ void print_help(int mode) {
 " and last line be \"__BEGIN_VIEWONLY__\" to have 2\n"
 " full-access passwords)\n"
 "\n"
-#ifndef NO_SSL_OR_UNIXPW
 "-unixpw [list] Use Unix username and password authentication. x11vnc\n"
 " uses the su(1) program to verify the user's password.\n"
 " [list] is an optional comma separated list of allowed\n"
@@ -903,7 +912,6 @@ void print_help(int mode) {
 " If a list of allowed users is needed use -unixpw [list]\n"
 " in addition to this option.\n"
 "\n"
-#endif
 "-find Find the user's display using FINDDISPLAY. This is an\n"
 " alias for \"-display WAIT:cmd=FINDDISPLAY\".\n"
 "\n"
@@ -1018,7 +1026,6 @@ void print_help(int mode) {
 " xauthority data for the display (e.g. \"xauth extract -\n"
 " $DISPLAY\" output).\n"
 "\n"
-#ifndef NO_SSL_OR_UNIXPW
 " In the case of -unixpw (but not -unixpw_nis), then the\n"
 " above command is run as the user who just authenticated\n"
 " via the login and password prompt.\n"
@@ -1078,7 +1085,6 @@ void print_help(int mode) {
 " process that will not switch, but it is only encoding\n"
 " and decoding the encrypted stream at that point.\n"
 "\n"
-#endif
 " As a special case, WAIT:cmd=FINDDISPLAY will run a\n"
 " script that works on most Unixes to determine a user's\n"
 " DISPLAY variable and xauthority data (see who(1)).\n"
@@ -1224,61 +1230,152 @@ void print_help(int mode) {
 " for finding the display and the user must already be\n"
 " logged into the X console.\n"
 "\n"
-#ifndef NO_SSL_OR_UNIXPW
+"-vencrypt mode The VeNCrypt extension to the VNC protocol allows\n"
+" encrypted SSL/TLS connections. If the -ssl mode is\n"
+" enabled, then VeNCrypt is enabled as well BY DEFAULT\n"
+" (they both use the SSL/TLS tunnel, only the protocol\n"
+" handshake is a little different.)\n"
+"\n"
+" To control when and how VeNCrypt is used, specify the\n"
+" mode string. If mode is \"never\", then VeNCrypt is\n"
+" not used. If mode is \"support\" (the default) then\n"
+" VeNCrypt is supported. If mode is \"only\", then the\n"
+" similar and older TLSVNC protocol is not simultaneously\n"
+" supported. x11vnc's normal SSL mode (vncs://) will be\n"
+" supported under -ssl unless you set mode to \"force\".\n"
+"\n"
+" If mode is prefixed with \"nodh:\", then Diffie Hellman\n"
+" anonymous key exchange is disabled. If mode is prefixed\n"
+" with \"nox509:\", then X509 key exchange is disabled.\n"
+"\n"
+" To disable all Anonymous Diffie-Hellman access\n"
+" (susceptible to Man-In-The-Middle attack) you will need\n"
+" to supply \"-vencrypt nodh:support -tlsvnc never\"\n"
+"\n"
+" If mode is prefixed with \"newdh:\", then new Diffie\n"
+" Hellman parameters are generated for each connection\n"
+" (this can be time consuming: 1-60 secs) rather than\n"
+" using the fixed values in the program. Using fixed,\n"
+" publicly known values is not known to be a security\n"
+" problem. This setting applies to TLSVNC as well.\n"
+"\n"
+" Long example: -vencrypt newdh:nox509:support\n"
+"\n"
+" Also, if mode is prefixed with \"plain:\", then\n"
+" if -unixpw mode is active the VeNCrypt \"*Plain\"\n"
+" username+passwd method is enabled for Unix logins.\n"
+" Otherwise in -unixpw mode the normal login panel is\n"
+" provided.\n"
+"\n"
+" You *MUST* supply the -ssl option for VeNCrypt to be\n"
+" active. This option only fine-tunes its operation.\n"
+"\n"
+"-tlsvnc mode The TLSVNC extension to the VNC protocol allows\n"
+" encrypted SSL/TLS connections. If the -ssl mode is\n"
+" enabled, then TLSVNC is enabled as well BY DEFAULT\n"
+" (they both use the SSL/TLS tunnel, only the protocol\n"
+" handshake is a little different.)\n"
+"\n"
+" To control when and how TLSVNC is used, specify the\n"
+" mode string. If mode is \"never\", then TLSVNC is not\n"
+" used. If mode is \"support\" (the default) then TLSVNC\n"
+" is supported. If mode is \"only\", then the similar\n"
+" VeNCrypt protocol is not simultaneously supported.\n"
+" x11vnc's normal SSL mode (vncs://) will be supported\n"
+" under -ssl unless you set mode to \"force\".\n"
+"\n"
+" If mode is prefixed with \"newdh:\", then new Diffie\n"
+" Hellman parameters are generated for each connection\n"
+" (this can be time consuming: 1-60 secs) rather than\n"
+" using the fixed values in the program. Using fixed,\n"
+" publicly known values is not known to be a security\n"
+" problem. This setting applies to VeNCrypt as well.\n"
+" See the description of \"plain:\" under -vencrypt.\n"
+"\n"
+" Long example: -tlsvnc newdh:plain:support\n"
+"\n"
+" You *MUST* supply the -ssl option for TLSVNC to be\n"
+" active. This option only fine-tunes its operation.\n"
+"\n"
+"\n"
+"-dhparams file For some operations a set of Diffie Hellman parameters\n"
+" (prime and generator) is needed. If so, use the\n"
+" parameters in \"file\". In particular, the VeNCrypt and\n"
+" TLSVNC anonymous DH mode need them. By default a\n"
+" fixed set is used. If you do not want to do that you\n"
+" can specify \"newdh:\" to the -vencrypt and -tlsvnc\n"
+" options to generate a new set each session. If that\n"
+" is too slow for you, use -dhparams file to a set you\n"
+" created manually via \"openssl dhparam -out file 1024\"\n"
+"\n"
 "-nossl Disable the -ssl option (see below). Since -ssl is off\n"
 " by default -nossl would only be used on the commandline\n"
 " to unset any *earlier* -ssl option (or -svc...)\n"
 "\n"
 "-ssl [pem] Use the openssl library (www.openssl.org) to provide a\n"
-" built-in encrypted SSL tunnel between VNC viewers and\n"
-" x11vnc. This requires libssl support to be compiled\n"
+" built-in encrypted SSL/TLS tunnel between VNC viewers\n"
+" and x11vnc. This requires libssl support to be compiled\n"
 " into x11vnc at build time. If x11vnc is not built\n"
 " with libssl support it will exit immediately when -ssl\n"
 " is prescribed.\n"
 "\n"
-" The VNC Viewer-side needs support SSL as well.\n"
-" See this URL and also the discussion below for ideas\n"
-" on how to enable SSL support for the viewer:\n"
+" The VNC Viewer-side needs to support SSL/TLS as well.\n"
+" See this URL and also the discussion below for\n"
+" ideas on how to enable SSL support for the viewer:\n"
 " http://www.karlrunge.com/x11vnc/#faq-ssl-tunnel-viewers\n"
-"\n"
-" [pem] is optional, use \"-ssl /path/to/mycert.pem\"\n"
-" to specify a PEM certificate file to use to identify\n"
-" and provide a key for this server. See openssl(1) for\n"
-" more info about PEMs and the -sslGenCert option below.\n"
-"\n"
-" The connecting VNC viewer SSL tunnel can optionally\n"
-" authenticate this server if they have the public\n"
-" key part of the certificate (or a common certificate\n"
-" authority, CA, is a more sophisticated way to verify\n"
-" this server's cert, see -sslGenCA below). This is\n"
-" used to prevent man-in-the-middle attacks. Otherwise,\n"
-" if the VNC viewer accepts this server's key without\n"
-" verification, at least the traffic is protected\n"
-" from passive sniffing on the network (but *NOT* from\n"
-" man-in-the-middle attacks).\n"
+" x11vnc provides an SSL enabled Java viewer applet in\n"
+" the classes/ssl directory (-http or -httpdir options.)\n"
+" The SSVNC viewer package supports SSL too.\n"
+"\n"
+" [pem] is optional, use \"-ssl /path/to/mycert.pem\" to\n"
+" specify a PEM certificate file to use to identify and\n"
+" provide a key for this server. See openssl(1) for more\n"
+" info about PEMs and the -sslGenCert and \"-ssl SAVE\"\n"
+" options below for how to create them.\n"
+"\n"
+" The connecting VNC viewer SSL tunnel can (optionally)\n"
+" authenticate this server if they have the public key\n"
+" part of the certificate (or a common certificate\n"
+" authority, CA, is a more sophisticated way to\n"
+" verify this server's cert, see -sslGenCA below).\n"
+" This is used to prevent Man-In-The-Middle attacks.\n"
+" Otherwise, if the VNC viewer accepts this server's\n"
+" key WITHOUT verification, the traffic is protected\n"
+" from passive sniffing on the network, but *NOT* from\n"
+" Man-In-The-Middle attacks.\n"
 "\n"
 " If [pem] is not supplied and the openssl(1) utility\n"
 " command exists in PATH, then a temporary, self-signed\n"
-" certificate will be generated for this session (this\n"
-" may take 5-30 seconds on slow machines). If openssl(1)\n"
-" cannot be used to generate a temporary certificate\n"
-" x11vnc exits immediately.\n"
+" certificate will be generated for this session\n"
+" (this may take 5-30 seconds on very slow machines).\n"
+" If openssl(1) cannot be used to generate a temporary\n"
+" certificate x11vnc exits immediately.\n"
 "\n"
 " If successful in using openssl(1) to generate a\n"
 " temporary certificate, the public part of it will be\n"
 " displayed to stderr (e.g. one could copy it to the\n"
 " client-side to provide authentication of the server to\n"
-" VNC viewers.) See following paragraphs for how to save\n"
-" keys to reuse when x11vnc is restarted.\n"
-"\n"
-" Set the env. var. X11VNC_SHOW_TMP_PEM=1 to have x11vnc\n"
-" print out the entire certificate, including the PRIVATE\n"
-" KEY part, to stderr. One could reuse this cert if saved\n"
-" in a [pem] file. Similarly, set X11VNC_KEEP_TMP_PEM=1\n"
-" to not delete the temporary PEM file: the file name\n"
-" will be printed to stderr (so one could move it to\n"
-" a safe place for reuse). You will be prompted for a\n"
-" passphrase for the private key.\n"
+" VNC viewers.)\n"
+"\n"
+" NOTE: Unless you safely copy the public part of the\n"
+" temporary Cert to the viewer for authenticate *every\n"
+" time* (unlikely...), then only passive sniffing\n"
+" attacks are prevented and you are still open to\n"
+" Man-In-The-Middle attacks. See the following\n"
+" paragraphs for how to save keys to reuse them when\n"
+" x11vnc is restarted. With saved keys AND the VNC viewer\n"
+" authenticating them by using the public certificate,\n"
+" then Man-In-The-Middle attacks are prevented.\n"
+"\n"
+" If [pem] is \"ANON\" then the Diffie-Hellman anonymous\n"
+" key exchange method is used. In this mode there\n"
+" are *no* SSL certificates and so it is not possible\n"
+" to authenticate either the VNC server or VNC client.\n"
+" Thus only passive network sniffing attacks are avoided:\n"
+" the \"ANON\" method is susceptible to Man-In-The-Middle\n"
+" attacks. \"ANON\" is not recommended; instead use\n"
+" a SSL PEM you created or the \"SAVE\" method in the\n"
+" next paragraph.\n"
 "\n"
 " If [pem] is \"SAVE\" then the certificate will be saved\n"
 " to the file ~/.vnc/certs/server.pem, or if that file\n"
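Review bot: The NOTE paragraph added under -ssl has a grammar slip, `temporary Cert to the viewer for authenticate *every` should read `temporary Cert to the viewer to authenticate *every`, and the ANON paragraph's `a SSL PEM you created` should be `an SSL PEM you created`. The -dhparams entry's example `\"openssl dhparam -out file 1024\"` hands users a 1024-bit group as the suggested replacement for the built-in fixed parameters; a larger example size, e.g. 2048, would avoid steering the one user who takes the trouble to generate their own parameters toward the smallest option. The -vencrypt and -tlsvnc entries each say `newdh:` applies to both protocols, but neither says whether -dhparams or `newdh:` wins when both are given, and one sentence on precedence would settle that. The enclosing print_help() body starts and ends outside the hunk.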
@@ -1294,19 +1391,17 @@ void print_help(int mode) {
 " instead. E.g. \"SAVE-charlie\" will store to the file\n"
 " ~/.vnc/certs/server-charlie.pem\n"
 "\n"
+" Examples: x11vnc -ssl SAVE -display :0 ...\n"
+" x11vnc -ssl SAVE-other -display :0 ...\n"
+"\n"
 " See -ssldir below to use a directory besides the\n"
 " default ~/.vnc/certs\n"
 "\n"
-" Example: x11vnc -ssl SAVE -display :0 ...\n"
-"\n"
-" Your VNC viewer will need to be able to connect\n"
-" via SSL. See the discussion below under -stunnel and\n"
-" http://www.karlrunge.com/x11vnc/#faq-ssl-tunnel-viewers\n"
-" for how this might be achieved. E.g. on Unix it is\n"
-" easy to write a shell script that starts up stunnel\n"
-" and then vncviewer. Also in the x11vnc source a SSL\n"
-" enabled Java VNC Viewer applet is provided in the\n"
-" classes/ssl directory.\n"
+" Misc Info: In temporary cert creation mode, set the\n"
+" env. var. X11VNC_SHOW_TMP_PEM=1 to have x11vnc print out\n"
+" the entire certificate, including the PRIVATE KEY part,\n"
+" to stderr. There are better ways to get/save this info.\n"
+" See \"SAVE\" above and \"-sslGenCert\" below.\n"
 "\n"
 "-ssltimeout n Set SSL read timeout to n seconds. In some situations\n"
 " (i.e. an iconified viewer in Windows) the viewer stops\n"
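Review bot: The new `Misc Info` paragraph says X11VNC_SHOW_TMP_PEM=1 prints the entire certificate including the PRIVATE KEY to stderr, but the -o/-logfile option documented later in this same file redirects stderr to a file, so with that option the private key is written into the log; the paragraph should say so, e.g. `" to stderr (or into the -o/-logfile file, if one is in use).\n"`. The paragraph also no longer mentions X11VNC_KEEP_TMP_PEM or the passphrase prompt that the replaced text described; if that variable is still honoured by the code, a pointer to it belongs here, and if it is not, dropping it silently leaves existing users guessing. The enclosing print_help() body starts and ends outside the hunk.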
@@ -1454,6 +1549,35 @@ void print_help(int mode) {
 " Control Panel. stunnel can also use these files (see\n"
 " the ss_vncviewer example script in the FAQ.)\n"
 "\n"
+"-sslCRL path Set the Certificate Revocation Lists (CRL) to \"path\".\n"
+"\n"
+" If path is a file, the file contains one more more CRLs\n"
+" in PEM format. If path is a directory, it contains\n"
+" hash named files of CRLs in the usual OpenSSL manner.\n"
+" See the OpenSSL and stunnel(8) documentation for\n"
+" more info.\n"
+"\n"
+" This option only applies if -sslverify has been\n"
+" supplied: it checks for revocation along the\n"
+" certificate chain used to verify the VNC client.\n"
+" The -sslCRL setting will be ignored when -sslverify is\n"
+" not specified.\n"
+"\n"
+" Only rarely will one's x11vnc -ssl infrastructure be so\n"
+" large that this option would be useful (since normally\n"
+" maintaining the contents of the -sslverify file or\n"
+" directory should be enough.) However, when using\n"
+" x11vnc with a Certificate Authority (see -sslGenCA)\n"
+" to authenticate Clients via SSL/TLS, the -sslCRL option\n"
+" can be useful to revoke users' certs whose private SSL\n"
+" keys were lost or stolen (e.g. laptop.) This way a new\n"
+" CA cert+key does not need to be created and new signed\n"
+" client keys generated and distributed to all users.\n"
+"\n"
+" To create a CRL file with revoked certificates the\n"
+" commands 'openssl ca -revoke ...' and 'openssl ca\n"
+" -gencrl ...' are useful. (Run them in ~/.vnc/certs)\n"
+"\n"
 "-sslGenCA [dir] Generate your own Certificate Authority private key,\n"
 " certificate, and other files in directory [dir].\n"
 "\n"
@@ -1901,7 +2025,6 @@ void print_help(int mode) {
 " mode when using an SSH tunnel as well as for router\n"
 " port redirections.\n"
 "\n"
-#endif
 "-ssh user@host:disp Create a remote listening port on machine \"host\"\n"
 " via a SSH tunnel using the -R rport:localhost:lport\n"
 " method. lport will be the local x11vnc listening port,\n"
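Review bot: The -sslCRL entry has a typo, `one more more CRLs` should read `one or more CRLs`. The same entry states that the setting is ignored when -sslverify is not given; that is a misconfiguration an operator will not notice until a revoked client is accepted, so if x11vnc does not already warn at startup in that case it should, and the help text should then say `" not specified (x11vnc prints a warning in that case).\n"` — I cannot see the option parser from this hunk, so that is to be confirmed. The directory form is described as "hash named files ... in the usual OpenSSL manner" with a pointer to stunnel(8); naming the OpenSSL `c_rehash` tool that produces that layout would send readers to the right place. The enclosing print_help() body starts and ends outside the hunk.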
@@ -2301,9 +2424,13 @@ void print_help(int mode) {
 " to handle all subsequent resizes (e.g. under -xrandr,\n"
 " -remote id:windowid, rescaling, etc.)\n"
 "\n"
-"-o logfile Write stderr messages to file \"logfile\" instead of\n"
-" to the terminal. Same as \"-logfile file\". To append\n"
+"-o logfile Write stderr messages to file \"logfile\" instead of to\n"
+" the terminal. Same as \"-logfile file\". To append\n"
 " to the file use \"-oa file\" or \"-logappend file\".\n"
+" If \"logfile\" contains the string \"%%VNCDISPLAY\"\n"
+" it is expanded to the vnc display (the name may need\n"
+" to be guessed at.) \"%%HOME\" works too.\n"
+"\n"
 "-flag file Write the \"PORT=NNNN\" (e.g. PORT=5900) string to\n"
 " \"file\" in addition to stdout. This option could be\n"
 " useful by wrapper script to detect when x11vnc is ready.\n"
@@ -3229,6 +3356,9 @@ void print_help(int mode) {
 " has been recent user input (pointer or keyboard).\n"
 " Improves response, but increases the load whenever you\n"
 " are moving the mouse or typing. Default: %.2f\n"
+"-setdefer n When the -wait_ui mechanism cuts down the wait time ms,\n"
+" set the defer time to the same ms value. n=1 to enable,\n"
+" 0 to disable, and -1 to set defer to 0 (no delay).\n"
 "-nowait_bog Do not detect if the screen polling is \"bogging down\"\n"
 " and sleep more. Some activities with no user input can\n"
 " slow things down a lot: consider a large terminal window\n"
@@ -4028,6 +4158,8 @@ void print_help(int mode) {
 " noavahi disable avahi service advertising.\n"
 " mdns enable avahi service advertising.\n"
 " nomdns disable avahi service advertising.\n"
+" zeroconf enable avahi service advertising.\n"
+" nozeroconf disable avahi service advertising.\n"
 /* access, filename */
 " connect:host do reverse connection to host, \"host\"\n"
 " may be a comma separated list of hosts\n"
@@ -4352,13 +4484,13 @@ void print_help(int mode) {
 " viewonly noviewonly shared noshared forever noforever\n"
 " once timeout tightfilexfer notightfilexfer ultrafilexfer\n"
 " noultrafilexfer rfbversion deny lock nodeny unlock\n"
-" avahi mdns noavahi nomdns connect proxy allowonce\n"
-" allow localhost nolocalhost listen lookup nolookup\n"
-" accept afteraccept gone shm noshm flipbyteorder\n"
-" noflipbyteorder onetile noonetile solid_color solid\n"
-" nosolid blackout xinerama noxinerama xtrap noxtrap\n"
-" xrandr noxrandr xrandr_mode rotate padgeom quiet\n"
-" q noquiet modtweak nomodtweak xkb noxkb capslock\n"
+" avahi mdns zeroconf noavahi nomdns nozeroconf connect\n"
+" proxy allowonce allow localhost nolocalhost listen\n"
+" lookup nolookup accept afteraccept gone shm noshm\n"
+" flipbyteorder noflipbyteorder onetile noonetile\n"
+" solid_color solid nosolid blackout xinerama noxinerama\n"
+" xtrap noxtrap xrandr noxrandr xrandr_mode rotate padgeom\n"
+" quiet q noquiet modtweak nomodtweak xkb noxkb capslock\n"
 " nocapslock skip_lockkeys noskip_lockkeys skip_keycodes\n"
 " sloppy_keys nosloppy_keys skip_dups noskip_dups\n"
 " add_keysyms noadd_keysyms clear_mods noclear_mods\n"
@@ -4502,6 +4634,7 @@ void print_help(int mode) {
 "-deny_all For use with -remote nodeny: start out denying all\n"
 " incoming clients until \"-remote nodeny\" is used to\n"
 " let them in.\n"
+"\n"
 "%s\n"
 "\n"
 "These options are passed to libvncserver:\n"
-- 
cgit v1.2.3