[[PageOutline]]

 * x11vnc: 0.9.10 lastmod: 2010-04-28
 * $ x11vnc --help
{{{
x11vnc: allow VNC connections to real X11 displays. 0.9.10 lastmod: 2010-04-28

(type "x11vnc -opts" to just list the options.)

Typical usage is:

   Run this command in a shell on the remote machine "far-host"
   with X session you wish to view:

       x11vnc -display :0

   Then run this in another window on the machine you are sitting at:

       vncviewer far-host:0

Once x11vnc establishes connections with the X11 server and starts listening
as a VNC server it will print out a string: PORT=XXXX where XXXX is typically
5900 (the default VNC server port). One would next run something like
this on the local machine: "vncviewer hostname:N" where "hostname" is
the name of the machine running x11vnc and N is XXXX - 5900, i.e. usually
"vncviewer hostname:0".

By default x11vnc will not allow the screen to be shared and it will exit
as soon as the client disconnects. See -shared and -forever below to override
these protections. See the FAQ for details how to tunnel the VNC connection
through an encrypted channel such as ssh(1). In brief:

   ssh -t -L 5900:localhost:5900 far-host 'x11vnc -localhost -display :0'

   vncviewer -encodings 'copyrect tight zrle hextile' localhost:0

Also, use of a VNC password (-rfbauth or -passwdfile) is strongly recommended.

For additional info see: http://www.karlrunge.com/x11vnc/
                     and http://www.karlrunge.com/x11vnc/faq.html


Config file support: if the file $HOME/.x11vncrc exists then each line in
it is treated as a single command line option. Disable with -norc. For
each option name, the leading character "-" is not required. E.g. a line
that is either "forever" or "-forever" may be used and are equivalent.
Likewise "wait 100" or "-wait 100" are acceptable and equivalent lines.
The "#" character comments out to the end of the line in the usual way
(backslash it for a literal). Leading and trailing whitespace is trimmed off.
Lines may be continued with a "\" as the last character of a line (it
becomes a space character).

Options:

-display disp          X11 server display to connect to, usually :0. The X
                       server process must be running on same machine and
                       support MIT-SHM. Equivalent to setting the DISPLAY
                       environment variable to "disp".

                       See the description below of the "-display WAIT:..."
                       extensions, where alias "-find" will find the user's
                       display automatically, and "-create" will create a
                       Xvfb session if no session is found.

-auth file             Set the X authority file to be "file", equivalent to
                       setting the XAUTHORITY environment variable to "file"
                       before startup. Same as -xauth file. See Xsecurity(7),
                       xauth(1) man pages for more info.

                       Use '-auth guess' to have x11vnc use its -findauth
                       mechanism (described below) to try to guess the
                       XAUTHORITY filename and use it.

                       XDM/GDM/KDM: if you are running x11vnc as root and want
                       to find the XAUTHORITY before anyone has logged into an
                       X session yet, use: x11vnc -env FD_XDM=1 -auth guess ...
                       (This will also find the XAUTHORITY if a user is already
                       logged into the X session.) When running as root,
                       FD_XDM=1 will be tried if the initial -auth guess fails.

(snip)

-viewonly              All VNC clients can only watch (default off).
-shared                VNC display is shared, i.e. more than one viewer can
                       connect at the same time (default off).
-once                  Exit after the first successfully connected viewer
                       disconnects, opposite of -forever. This is the Default.
-forever               Keep listening for more connections rather than exiting
                       as soon as the first client(s) disconnect. Same as -many

-loop                  Create an outer loop restarting the x11vnc process
                       whenever it terminates. -bg and -inetd are ignored
                       in this mode (however see -loopbg below).

                       Useful for continuing even if the X server terminates
                       and restarts (at that moment the process will need
                       permission to reconnect to the new X server of course).

                       Use, e.g., -loop100 to sleep 100 millisecs between
                       restarts, etc. Default is 2000ms (i.e. 2 secs) Use,
                       e.g. -loop300,5 to sleep 300 ms and only loop 5 times.

                       If -loopbg (plus any numbers) is specified instead,
                       the "-bg" option is implied and the mode approximates
                       inetd(8) usage to some degree. In this case when
                       it goes into the background any listening sockets
                       (i.e. ports 5900, 5800) are closed, so the next one
                       in the loop can use them. This mode will only be of
                       use if a VNC client (the only client for that process)
                       is already connected before the process goes into the
                       background, for example, usage of -display WAIT:..,
                       -svc, and -connect can make use of this "poor man's"
                       inetd mode. The default wait time is 500ms in this
                       mode. This usage could use useful: -svc -bg -loopbg

(snip)

-inetd                 Launched by inetd(8): stdio instead of listening socket.
                       Note: if you are not redirecting stderr to a log file
                       (via shell 2> or -o option) you MUST also specify the -q
                       option, otherwise the stderr goes to the viewer which
                       will cause it to abort. Specifying both -inetd and -q
                       and no -o will automatically close the stderr.

(snip)

-allow host1[,host2..] Only allow client connections from hosts matching
                       the comma separated list of hostnames or IP addresses.
                       Can also be a numerical IP prefix, e.g. "192.168.100."
                       to match a simple subnet, for more control build
                       LibVNCServer with libwrap support (See the FAQ). If the
                       list contains a "/" it instead is a interpreted
                       as a file containing addresses or prefixes that is
                       re-read each time a new client connects. Lines can be
                       commented out with the "#" character in the usual way.

                       -allow applies in -ssl mode, but not in -stunnel mode.

                       IPv6: as of x11vnc 0.9.10 a host can be specified
                       in IPv6 numerical format, e.g. 2001:4860:b009::93.

-localhost             Basically the same as "-allow 127.0.0.1".

                       Note: if you want to restrict which network interface
                       x11vnc listens on, see the -listen option below.
                       E.g. "-listen localhost" or "-listen 192.168.3.21".
                       As a special case, the option "-localhost" implies
                       "-listen localhost".

                       A rare case, but for non-localhost -listen usage, if
                       you use the remote control mechanism (-R) to change
                       the -listen interface you may need to manually adjust
                       the -allow list (and vice versa) to avoid situations
                       where no connections (or too many) are allowed.

                       If you do not want x11vnc to listen on ANY interface
                       (evidently you are using -connect or -connect_or_exit,
                       or plan to use remote control: -R connect:host), use
                       -rfbport 0

                       IPv6: if IPv6 is supported, this option automatically
                       implies the IPv6 loopback address '::1' as well.

(snip)

-passwdfile filename   Specify the LibVNCServer password via the first line
                       of the file "filename" (instead of via -passwd on
                       the command line where others might see it via ps(1)).

                       See the descriptions below for how to supply multiple
                       passwords, view-only passwords, to specify external
                       programs for the authentication, and other features.

                       If the filename is prefixed with "rm:" it will be
                       removed after being read. Perhaps this is useful in
                       limiting the readability of the file. In general, the
                       password file should not be readable by untrusted users
                       (BTW: neither should the VNC -rfbauth file: it is NOT
                       encrypted, only obscured with a fixed key).

                       If the filename is prefixed with "read:" it will
                       periodically be checked for changes and reread. It is
                       guaranteed to be reread just when a new client connects
                       so that the latest passwords will be used.

                       If "filename" is prefixed with "cmd:" then the
                       string after the ":" is run as an external command:
                       the output of the command will be interpreted as if it
                       were read from a password file (see below). If the
                       command does not exit with 0, then x11vnc terminates
                       immediately. To specify more than 1000 passwords this
                       way set X11VNC_MAX_PASSWDS before starting x11vnc.
                       The environment variables are set as in -accept.

                       Note that due to the VNC protocol only the first 8
                       characters of a password are used (DES key).

                       If "filename" is prefixed with "custom:" then a
                       custom password checker is supplied as an external
                       command following the ":". The command will be run
                       when a client authenticates. If the command exits with
                       0 the client is accepted, otherwise it is rejected.
                       The environment variables are set as in -accept.

                       The standard input to the custom command will be a
                       decimal digit "len" followed by a newline. "len"
                       specifies the challenge size and is usually 16 (the
                       VNC spec). Then follows len bytes which is the random
                       challenge string that was sent to the client. This is
                       then followed by len more bytes holding the client's
                       response (i.e. the challenge string encrypted via DES
                       with the user password in the standard situation).

                       The "custom:" scheme can be useful to implement
                       dynamic passwords or to implement methods where longer
                       passwords and/or different encryption algorithms
                       are used. The latter will require customizing the VNC
                       client as well. One could create an MD5SUM based scheme
                       for example.

                       File format for -passwdfile:

                       If multiple non-blank lines exist in the file they are
                       all taken as valid passwords. Blank lines are ignored.
                       Password lines may be "commented out" (ignored) if
                       they begin with the character "#" or the line contains
                       the string "__SKIP__". Lines may be annotated by use
                       of the "__COMM__" string: from it to the end of the
                       line is ignored. An empty password may be specified
                       via the "__EMPTY__" string on a line by itself (note
                       your viewer might not accept empty passwords).

                       If the string "__BEGIN_VIEWONLY__" appears on a
                       line by itself, the remaining passwords are used for
                       viewonly access. For compatibility, as a special case
                       if the file contains only two password lines the 2nd
                       one is automatically taken as the viewonly password.
                       Otherwise the "__BEGIN_VIEWONLY__" token must be
                       used to have viewonly passwords. (tip: make the 3rd
                       and last line be "__BEGIN_VIEWONLY__" to have 2
                       full-access passwords)

(snip)

-unixpw [list]         Use Unix username and password authentication. x11vnc
                       will use the su(1) program to verify the user's
                       password. [list] is an optional comma separated list
                       of allowed Unix usernames. If the [list] string begins
                       with the character "!" then the entire list is taken
                       as an exclude list. See below for per-user options
                       that can be applied.

                       A familiar "login:" and "Password:" dialog is
                       presented to the user on a black screen inside the
                       vncviewer. The connection is dropped if the user fails
                       to supply the correct password in 3 tries or does not
                       send one before a 45 second timeout. Existing clients
                       are view-only during this period.

                       If the first character received is "Escape" then the
                       unix username will not be displayed after "login:"
                       as it is typed. This could be of use for VNC viewers
                       that automatically type the username and password.

                       Since the detailed behavior of su(1) can vary from
                       OS to OS and for local configurations, test the mode
                       before deployment to make sure it is working properly.
                       x11vnc will attempt to be conservative and reject a
                       login if anything abnormal occurs.

                       One case to note: FreeBSD and the other BSD's by
                       default it is impossible for the user running x11vnc to
                       validate his *own* password via su(1) (commenting out
                       the pam_self.so entry in /etc/pam.d/su eliminates this
                       behavior). So the x11vnc login will always *FAIL* for
                       this case (even when the correct password is supplied).

                       A possible workaround for this on *BSD would be to
                       start x11vnc as root with the "-users +nobody" option
                       to immediately switch to user nobody where the su'ing
                       will proceed normally.

                       Another source of potential problems are PAM modules
                       that prompt for extra info, e.g. password aging modules.
                       These logins will fail as well even when the correct
                       password is supplied.

                       **IMPORTANT**: to prevent the Unix password being sent
                       in *clear text* over the network, one of two schemes
                       will be enforced: 1) the -ssl builtin SSL mode, or 2)
                       require both -localhost and -stunnel be enabled.

                       Method 1) ensures the traffic is encrypted between
                       viewer and server. A PEM file will be required, see the
                       discussion under -ssl below (under some circumstances
                       a temporary one can be automatically generated).

                       Method 2) requires the viewer connection to appear
                       to come from the same machine x11vnc is running on
                       (e.g. from a ssh -L port redirection). And that the
                       -stunnel SSL mode be used for encryption over the
                       network. (see the description of -stunnel below).

                       Note: as a convenience, if you ssh(1) in and start
                       x11vnc it will check if the environment variable
                       SSH_CONNECTION is set and appears reasonable. If it
                       does, then the -ssl or -stunnel requirement will be
                       dropped since it is assumed you are using ssh for the
                       encrypted tunnelling. -localhost is still enforced.
                       Use -ssl or -stunnel to force SSL usage even if
                       SSH_CONNECTION is set.

                       To override the above restrictions you can set
                       environment variables before starting x11vnc:

                       Set UNIXPW_DISABLE_SSL=1 to disable requiring either
                       -ssl or -stunnel (as under SSH_CONNECTION.) Evidently
                       you will be using a different method to encrypt the
                       data between the vncviewer and x11vnc: perhaps ssh(1)
                       or an IPSEC VPN. -localhost is still enforced (however,
                       see the next paragraph.)

                       Set UNIXPW_DISABLE_LOCALHOST=1 to disable the -localhost
                       requirement in -unixpw modes. One should never do this
                       (i.e. allow the Unix passwords to be sniffed on the
                       network.) This also disables the localhost requirement
                       for reverse connections (see below.)

                       Note that use of -localhost with ssh(1) (and no -unixpw)
                       is roughly the same as requiring a Unix user login
                       (since a Unix password or the user's public key
                       authentication is used by sshd on the machine where
                       x11vnc runs and only local connections from that machine
                       are accepted).

                       Regarding reverse connections (e.g. -R connect:host
                       and -connect host), when the -localhost constraint is
                       in effect then reverse connections can only be used
                       to connect to the same machine x11vnc is running on
                       (default port 5500). Please use a ssh or stunnel port
                       redirection to the viewer machine to tunnel the reverse
                       connection over an encrypted channel.

                       In -inetd mode the Method 1) will be enforced (not
                       Method 2). With -ssl in effect reverse connections
                       are disabled. If you override this via env. var, be
                       sure to also use encryption from the viewer to inetd.
                       Tip: you can also have your own stunnel spawn x11vnc
                       in -inetd mode (thereby bypassing inetd). See the FAQ
                       for details.

                       The user names in the comma separated [list] may have
                       per-user options after a ":", e.g. "fred:opts"
                       where "opts" is a "+" separated list of
                       "viewonly", "fullaccess", "input=XXXX", or
                       "deny", e.g. "karl,wally:viewonly,boss:input=M".
                       For "input=" it is the K,M,B,C described under -input.

                       If an item in the list is "*" that means those
                       options apply to all users. It ALSO implies all users
                       are allowed to log in after supplying a valid password.
                       Use "deny" to explicitly deny some users if you use
                       "*" to set a global option. If [list] begins with the
                       "!" character then "*" is ignored for checking if
                       the user is allowed, but the option values associated
                       with it do apply as normal.

                       There are also some utilities for checking passwords
                       if [list] starts with the "%" character. See the
                       quick_pw() function for more details. Description:
                       "%-" or "%stdin" means read one line from stdin.
                       "%env" means it is in $UNIXPW env var. A leading
                       "%/" or "%." means read the first line from the
                       filename that follows after the % character. % by
                       itself means prompt for the username and password.
                       Otherwise: %user:pass E.g. -unixpw %fred:swordfish
                       For the other cases user:pass is read from the indicated
                       source. If the password is correct 'Y user' is printed
                       and the program exit code is 0. If the password is
                       incorrect it prints 'N user' and the exit code is 1.
                       If there is some other error the exit code is 2.
                       This feature enables x11vnc to be a general unix user
                       password checking tool; it could be used from scripts
                       or other programs. These % password checks also apply
                       to the -unixpw_nis and -unixpw_cmd options.

                       For the % password check, if the env. var. UNIXPW_CMD
                       is set to a command then it is run as the user (assuming
                       the password is correct.) The output of the command is
                       not printed, the program or script must manage that by
                       some other means. The exit code of x11vnc will depend
                       on the exit code of the command that is run.

                       Use -nounixpw to disable unixpw mode if it was enabled
                       earlier in the cmd line (e.g. -svc mode)

(snip)

-storepasswd pass file Store password "pass" as the VNC password in the
                       file "file". Once the password is stored the
                       program exits. Use the password via "-rfbauth file"

                       If called with no arguments, "x11vnc -storepasswd",
                       the user is prompted for a password and it is stored
                       in the file ~/.vnc/passwd. Called with one argument,
                       that will be the file to store the prompted password in.

-nopw                  Disable the big warning message when you use x11vnc
                       without some sort of password.

(snip)

-users list            If x11vnc is started as root (say from inetd(8) or from
                       display managers xdm(1), gdm(1), etc), then as soon
                       as possible after connections to the X display are
                       established try to switch to one of the users in the
                       comma separated "list". If x11vnc is not running as
                       root this option is ignored.

                       Why use this option? In general it is not needed since
                       x11vnc is already connected to the X display and can
                       perform its primary functions. The option was added
                       to make some of the *external* utility commands x11vnc
                       occasionally runs work properly. In particular under
                       GNOME and KDE to implement the "-solid color" feature
                       external commands (gconftool-2 and dcop) unfortunately
                       must be run as the user owning the desktop session.
                       Since this option switches userid it also affects the
                       userid used to run the processes for the -accept and
                       -gone options. It also affects the ability to read
                       files for options such as -connect, -allow, and -remap
                       and also the ultra and tight filetransfer feature if
                       enabled. Note that the -connect file is also sometimes
                       written to.

                       So be careful with this option since in some situations
                       its use can decrease security.

                       In general the switch to a user will only take place
                       if the display can still be successfully opened as that
                       user (this is primarily to try to guess the actual owner
                       of the session). Example: "-users fred,wilma,betty".
                       Note that a malicious local user "barney" by
                       quickly using "xhost +" when logging in may possibly
                       get the x11vnc process to switch to user "fred".
                       What happens next?

                       Under display managers it may be a long time before
                       the switch succeeds (i.e. a user logs in). To instead
                       make it switch immediately regardless if the display
                       can be reopened prefix the username with the "+"
                       character. E.g. "-users +bob" or "-users +nobody".

                       The latter (i.e. switching immediately to user
                       "nobody") is the only obvious use of the -users option
                       that increases security.

                       Use the following notation to associate a group with
                       a user: user1.group1,user2.group2,... Note that
                       initgroups(2) will still be called first to try to
                       switch to ALL of a user's groups (primary and additional
                       groups). Only if that fails or it is not available
                       then the single group specified as above (or the user's
                       primary group if not specified) is switched to with
                       setgid(2). Use -env X11VNC_SINGLE_GROUP=1 to prevent
                       trying initgroups(2) and only switch to the single
                       group. This sort of setting is only really needed to
                       make the ultra or tight filetransfer permissions work
                       properly. This format applies to any comma separated list
                       of users, even the special "=" modes described below.

                       In -unixpw mode, if "-users unixpw=" is supplied
                       then after a user authenticates himself via the
                       -unixpw mechanism, x11vnc will try to switch to that
                       user as though "-users +username" had been supplied.
                       If you want to limit which users this will be done for,
                       provide them as a comma separated list after "unixpw="
                       Groups can also be specified as described above.

                       Similarly, in -ssl mode, if "-users sslpeer=" is
                       supplied then after an SSL client authenticates with his
                       cert (the -sslverify option is required for this) x11vnc
                       will extract a UNIX username from the "emailAddress"
                       field (username@hostname.com) of the "Subject" of the
                       x509 SSL cert and then try to switch to that user as
                       though "-users +username" had been supplied. If you
                       want to limit which users this will be done for, provide
                       them as a comma separated list after "sslpeer=".
                       Set the env. var X11VNC_SSLPEER_CN to use the Common
                       Name (normally a hostname) instead of the Email field.

                       NOTE: for sslpeer= mode the x11vnc administrator must
                       take care that any client certs he adds to -sslverify
                       have the intended UNIX username in the "emailAddress"
                       field of the cert. Otherwise a user may be able to
                       log in as another. This command can be of use in
                       checking: "openssl x509 -text -in file.crt", see the
                       "Subject:" line. Also, along with the normal RFB_*
                       env. vars. (see -accept) passed to external cmd=
                       commands, RFB_SSL_CLIENT_CERT will be set to the
                       client's x509 certificate string.

                       The sslpeer= mode can aid finding X sessions via the
                       FINDDISPLAY and FINDCREATEDISPLAY mechanisms.

                       To immediately switch to a user *before* connections
                       to the X display are made or any files opened use the
                       "=" character: "-users =bob". That user needs to
                       be able to open the X display and any files of course.

                       The special user "guess=" means to examine the utmpx
                       database (see who(1)) looking for a user attached to
                       the display number (from DISPLAY or -display option)
                       and try him/her. To limit the list of guesses, use:
                       "-users guess=bob,betty".

                       Even more sinister is the special user "lurk="
                       that means to try to guess the DISPLAY from the utmpx
                       login database as well. So it "lurks" waiting for
                       anyone to log into an X session and then connects to it.
                       Specify a list of users after the = to limit which users
                       will be tried. To enable a different searching mode, if
                       the first user in the list is something like ":0" or
                       ":0-2" that indicates a range of DISPLAY numbers that
                       will be tried (regardless of whether they are in the
                       utmpx database) for all users that are logged in. Also
                       see the "-display WAIT:..." functionality. Examples:
                       "-users lurk=" and also "-users lurk=:0-1,bob,mary"

                       Be especially careful using the "guess=" and "lurk="
                       modes. They are not recommended for use on machines
                       with untrustworthy local users.

(snip)

-ping n                Send a 1x1 framebuffer update to all clients every n
                       seconds (e.g. to try to keep a network connection alive)

(snip)

These options are passed to LibVNCServer:

-rfbport port          TCP port for RFB protocol
-rfbwait time          max time in ms to wait for RFB client
-rfbauth passwd-file   use authentication on RFB protocol
                       (use 'storepasswd' to create a password file)
-rfbversion 3.x        Set the version of the RFB we choose to advertise
-permitfiletransfer    permit file transfer support
-passwd plain-password use authentication
                       (use plain-password as password, USE AT YOUR RISK)
-deferupdate time      time in ms to defer updates (default 40)
-deferptrupdate time   time in ms to defer pointer updates (default none)
-desktop name          VNC desktop name (default "LibVNCServer")
-alwaysshared          always treat new clients as shared
-nevershared           never treat new clients as shared
-dontdisconnect        don't disconnect existing clients when a new non-shared
                       connection comes in (refuse new connection instead)
-httpdir dir-path      enable http server using dir-path home
-httpport portnum      use portnum for http connection
-enablehttpproxy       enable http proxy support
-progressive height    enable progressive updating for slow links
-listen ipaddr         listen for connections only on network interface with
                       addr ipaddr. '-listen localhost' and hostname work too.

libvncserver-tight-extension options:
-disablefiletransfer   disable file transfer
-ftproot string        set ftp root
}}}
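The "Config file support" paragraph in the help text above specifies how $HOME/.x11vncrc is turned into command-line options (optional leading "-", "#" comments with backslash escaping, whitespace trimming, backslash continuation). The parser below is an added illustration of those rules written for this page; it is not x11vnc's own code. Two points the help text leaves open are assumptions here: continuation lines are joined before comments are stripped, and everything after the option name on a line becomes that option's single argument. The sample rc file is constructed for the example.

```python
"""Expansion of the $HOME/.x11vncrc rules from the x11vnc help text.

Added illustration, not x11vnc's own code.  Assumptions: continuation
lines are joined before comments are stripped, and everything after the
option name on a line is passed as that option's single argument."""

from typing import List


def _join_continuations(text: str) -> List[str]:
    """A trailing backslash continues the line; it becomes a space."""
    logical: List[str] = []
    buf = ""
    for line in text.splitlines():
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append(buf + line)
        buf = ""
    if buf:                      # file ended on a continued line
        logical.append(buf)
    return logical


def _strip_comment(line: str) -> str:
    """Drop '#' to end of line; a backslash-escaped '#' is kept literally."""
    out: List[str] = []
    i = 0
    while i < len(line):
        if line[i] == "\\" and i + 1 < len(line) and line[i + 1] == "#":
            out.append("#")
            i += 2
        elif line[i] == "#":
            break
        else:
            out.append(line[i])
            i += 1
    return "".join(out)


def parse_x11vncrc(text: str) -> List[str]:
    """Return the argv-style option list the rc file expands to."""
    args: List[str] = []
    for logical in _join_continuations(text):
        line = _strip_comment(logical).strip()   # leading/trailing whitespace trimmed
        if not line:
            continue
        parts = line.split(None, 1)
        name = parts[0]
        if not name.startswith("-"):             # leading "-" is optional
            name = "-" + name
        args.append(name)
        if len(parts) == 2:
            args.append(parts[1].strip())
    return args


# Constructed sample rc file for this example (not from any real installation).
SAMPLE_RC = (
    "# constructed ~/.x11vncrc\n"
    "forever\n"
    "-shared   # allow several viewers\n"
    "wait 100\n"
    "passwdfile \\\n"
    "    /home/fred/.vnc/pw\n"
    "desktop Lab\\#3\n"
)

if __name__ == "__main__":
    print(parse_x11vncrc(SAMPLE_RC))
```

Run as a script it prints the expanded option list for the constructed sample; the interesting cases are the continued `passwdfile` line, which collapses to one argument, and the escaped `\#` in the desktop name, which survives as a literal `#`.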
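The -allow and -localhost entries above describe the client filter: a comma-separated list of hosts or addresses, a dotted numerical prefix such as "192.168.100." for a simple subnet, a "/" in the argument meaning a file of entries re-read on each connection with "#" comments, and -localhost standing for 127.0.0.1 plus ::1 where IPv6 is available. The model below is an added example for this page, not x11vnc's own access-check code. To run offline it compares hostnames as literal strings (x11vnc itself resolves them) and treats only entries ending in "." as prefixes, as in the help text's example; both are assumptions of this model. The sample list and file contents are constructed.

```python
"""Model of the -allow / -localhost client filtering in the x11vnc help text.

Added illustration, not x11vnc's own code.  To stay offline, hostnames
are compared as literal strings (x11vnc itself resolves them), and only
entries ending in "." are treated as numerical prefixes, as in the
"192.168.100." example; both are assumptions of this model."""

from typing import List, Optional

# What -localhost amounts to when IPv6 is supported (127.0.0.1 plus ::1).
LOCALHOST_ENTRIES = ["127.0.0.1", "::1"]


def parse_allow_spec(spec: str, file_text: Optional[str] = None) -> List[str]:
    """Expand a -allow argument into entries.

    A spec containing "/" names a file that x11vnc re-reads on every new
    connection; file_text stands in for that file's contents here, one
    entry per line, '#' comments allowed (one-per-line is an assumption)."""
    if "/" in spec:
        if file_text is None:
            raise ValueError("%r names an allow file; pass its contents" % spec)
        entries = []
        for line in file_text.splitlines():
            line = line.split("#", 1)[0].strip()
            if line:
                entries.append(line)
        return entries
    return [e.strip() for e in spec.split(",") if e.strip()]


def entry_matches(entry: str, client: str) -> bool:
    """Exact address/hostname match, or a dotted numerical prefix."""
    if entry == client:
        return True
    return entry.endswith(".") and client.startswith(entry)


def client_allowed(entries: List[str], client: str) -> bool:
    """True if any entry admits the connecting address."""
    return any(entry_matches(e, client) for e in entries)


def lint_allow_entries(entries: List[str]) -> List[str]:
    """Flag numeric entries that are neither a full IPv4 address nor a
    trailing-dot prefix: under exact matching they never admit anyone,
    which usually means a prefix was typed without its final dot."""
    flagged = []
    for e in entries:
        numeric = bool(e) and all(c in "0123456789." for c in e)
        if numeric and not e.endswith(".") and e.count(".") != 3:
            flagged.append(e)
    return flagged


# Constructed sample allow list for this example (not from any real deployment).
SAMPLE_SPEC = "192.168.100.,10.0.0.7,2001:4860:b009::93"

if __name__ == "__main__":
    entries = parse_allow_spec(SAMPLE_SPEC)
    for client in ("192.168.100.23", "192.168.10.23", "10.0.0.70", "::1"):
        print(client, client_allowed(entries, client))
    print("suspicious:", lint_allow_entries(["192.168.1", "192.168.1."]))
```

The lint function is the practical takeaway: because the help text's prefix form ends in a dot, an entry like "192.168.1" is ambiguous, and the safe reading is that it admits nobody, so it is worth checking an allow file for such entries before relying on it. Note also that -allow applies in -ssl mode but not in -stunnel mode, as the help text states.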
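The "File format for -passwdfile" section above defines the password file: every non-blank line is a password, "#" lines and lines containing "__SKIP__" are ignored, "__COMM__" starts an annotation, "__EMPTY__" is an empty password, "__BEGIN_VIEWONLY__" switches the rest of the file to view-only passwords, and a file of exactly two passwords treats the second as view-only. The help text also notes that only the first 8 characters of a password are used as the DES key. The parser below is an added example for this page, not x11vnc's own code; it also reports pairs of passwords that collide after the 8-character truncation, which matters when a view-only password shares its first 8 characters with a full-access one. One assumption: text before a "__COMM__" marker is taken verbatim, spaces included, so the constructed sample places the marker directly after the password.

```python
"""Parser for the x11vnc -passwdfile format, plus a check for the
8-character DES truncation the help text mentions.

Added illustration, not x11vnc's own code.  Assumption: text before a
"__COMM__" marker is taken verbatim, spaces included."""

from typing import Dict, List, Tuple

VNC_KEY_LEN = 8   # VNC authentication uses only the first 8 password bytes


def parse_passwdfile(text: str) -> Dict[str, List[str]]:
    """Return {'full': [...], 'viewonly': [...]} for one password file."""
    full: List[str] = []
    viewonly: List[str] = []
    current = full
    saw_token = False
    for raw in text.splitlines():
        if raw.startswith("#") or "__SKIP__" in raw:
            continue                                  # commented out
        line = raw.split("__COMM__", 1)[0]            # annotation dropped
        if line == "":
            continue                                  # blank lines ignored
        if line == "__BEGIN_VIEWONLY__":
            saw_token = True
            current = viewonly                        # the rest is view-only
            continue
        if line == "__EMPTY__":
            line = ""                                 # explicit empty password
        current.append(line)
    # Compatibility rule: exactly two passwords and no token -> 2nd is view-only.
    if not saw_token and len(full) == 2:
        viewonly = [full.pop()]
    return {"full": full, "viewonly": viewonly}


def truncation_collisions(parsed: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Pairs of distinct passwords whose first 8 bytes coincide: the server
    cannot tell them apart, so a view-only password may unlock full access."""
    first_seen: Dict[str, str] = {}
    pairs: List[Tuple[str, str]] = []
    for pw in parsed["full"] + parsed["viewonly"]:
        key = pw[:VNC_KEY_LEN]
        if key in first_seen and first_seen[key] != pw:
            pairs.append((first_seen[key], pw))
        first_seen.setdefault(key, pw)
    return pairs


# Constructed sample file for this example (not from any real deployment).
SAMPLE_FILE = """# constructed -passwdfile
swordfish__COMM__ admin, full access
oldpass __SKIP__
backupkey
__BEGIN_VIEWONLY__
lookonly
__EMPTY__
"""

if __name__ == "__main__":
    parsed = parse_passwdfile(SAMPLE_FILE)
    print(parsed)
    print("8-byte collisions:", truncation_collisions(parsed))
```

For the constructed sample the parser yields two full-access passwords and two view-only ones (the last being empty). The collision check is the part worth running against a real file: with "longsecret12" as a full-access password and "longsecret99" as view-only, both reduce to "longsecr" and the view-only password grants full access.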
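The per-user options paragraphs under -unixpw above describe the [list] syntax: comma-separated usernames, each optionally followed by ":" and a "+"-separated set of "viewonly", "fullaccess", "input=XXXX" or "deny"; a "*" item that both applies options to everyone and admits every user with a valid password; "deny" to carve exceptions out of "*"; and a leading "!" that turns the list into an exclude list while "*" options still apply. The resolver below is an added example for this page, not x11vnc's own code, written to check what a given list grants before it is deployed. Where the help text leaves precedence open, this model lets a user's own options win over those given on "*"; that is an assumption.

```python
"""Model of the -unixpw [list] syntax in the x11vnc help text: which Unix
users may log in (after a correct password) and with what access.

Added illustration, not x11vnc's own code.  Where the help text leaves
precedence open, this model lets a user's own options win over those
given on "*"; that is an assumption."""

from typing import Dict, Optional, Tuple

KNOWN_OPTS = ("viewonly", "fullaccess", "input", "deny")
UserOpts = Dict[str, Optional[str]]


def parse_unixpw_list(spec: str) -> Tuple[bool, Dict[str, UserOpts]]:
    """Return (exclude_mode, {user: {option: value}})."""
    exclude = spec.startswith("!")          # leading "!" makes it an exclude list
    if exclude:
        spec = spec[1:]
    users: Dict[str, UserOpts] = {}
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        name, _, opts = item.partition(":")
        parsed: UserOpts = {}
        for opt in filter(None, opts.split("+")):
            key, _, val = opt.partition("=")
            if key not in KNOWN_OPTS:
                raise ValueError("unknown option %r for user %r" % (opt, name))
            parsed[key] = val or None       # "input=M" keeps "M"; flags keep None
        users[name] = parsed
    return exclude, users


def resolve_access(spec: str, user: str) -> Dict[str, object]:
    """Decide login permission and access level for `user`."""
    exclude, users = parse_unixpw_list(spec)
    star = users.get("*", {})
    own = users.get(user)
    if exclude:
        allowed = own is None                 # every listed user is shut out
    else:
        allowed = own is not None or "*" in users
    if own is not None and "deny" in own:
        allowed = False                       # explicit deny overrides "*"
    # Access level: the user's own entry decides if it says anything, else "*".
    source = own if own and ("viewonly" in own or "fullaccess" in own) else star
    viewonly = "viewonly" in source
    input_mask = (own or {}).get("input") or star.get("input")
    return {"allowed": allowed, "viewonly": viewonly, "input": input_mask}


if __name__ == "__main__":
    # The help text's own example list, resolved for a few users.
    for u in ("karl", "wally", "boss", "fred"):
        print(u, resolve_access("karl,wally:viewonly,boss:input=M", u))
```

Running it on the help text's own example ("karl,wally:viewonly,boss:input=M") shows karl with full access, wally view-only, boss with full access limited to mouse input, and an unlisted user refused. The "input" value is the K,M,B,C mask described under -input and is passed through unchanged here.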