Changes between Version 2 and Version 3 of TipAndDoc/network/vnc/x11vnc


Timestamp: Mar 6, 2011 11:49:30 PM (9 years ago)
Author: mitty
Comment: --

  • TipAndDoc/network/vnc/x11vnc

    v2 v3  
    397397 
    398398(snip) 
     399 
     400-find                  Find the user's display using FINDDISPLAY. This 
     401                       is an alias for "-display WAIT:cmd=FINDDISPLAY". 
     402 
     403                       Note: if a -display occurs later on the command line 
     404                       it will override the -find setting. 
     405 
     406                       For this and the next few options see -display WAIT:... 
     407                       below for all of the details. 
     408 
     409-finddpy               Run the FINDDISPLAY program, print out the found 
     410                       display (if any) and exit.  Output is like: DISPLAY=:0.0 
     411                       DISPLAY=:0.0,XPID=12345 or DISPLAY=:0.0,VT=7.  XPID is 
     412                       the process ID of the found X server.  VT is the Linux 
     413                       virtual terminal of the X server. 
     414-listdpy               Have the FINDDISPLAY program list all of your displays 
     415                       (i.e. all the X displays on the local machine that you 
     416                       have access rights to). 
     417 
     418-findauth [disp]       Apply the -find/-finddpy heuristics to try to guess 
     419                       the XAUTHORITY file for DISPLAY 'disp'.  If 'disp' 
     420                       is not supplied, then the value in the -display on 
     421                       the cmdline is used; failing that $DISPLAY is used; 
     422                       and failing that ":0" is used. 
     423 
     424                       If nothing is printed out, that means no XAUTHORITY was 
     425                       found for 'disp'; i.e. failure.  If "XAUTHORITY=" 
     426                       is printed out, that means use the default (i.e. do 
     427                       not set XAUTHORITY).  If "XAUTHORITY=/path/to/file" 
     428                       is printed out, then use that file. 
     429 
     430                       XDM/GDM/KDM: if you are running x11vnc as root and want 
     431                       to find the XAUTHORITY before anyone has logged into an 
     432                       X session yet, use: x11vnc -env FD_XDM=1 -findauth ... 
     433                       (This will also find the XAUTHORITY if a user is already 
     434                       logged into the X session.)  When running as root, 
     435                       FD_XDM=1 will be tried if the initial -findauth fails. 
     436 
     437-create                First try to find the user's display using FINDDISPLAY, 
     438                       if that doesn't succeed create an X session via the 
     439                       FINDCREATEDISPLAY method.  This is an alias for 
     440                       "-display WAIT:cmd=FINDCREATEDISPLAY-Xvfb". 
     441 
     442                       Note: if a -display occurs later on the command line 
     443                       it will override the -create setting. 
     444 
     445                       SSH NOTE: for both -find and -create you can (should!) 
     446                       add the "-localhost" option to force SSH tunnel access. 
     447 
     448-xdummy                As in -create, except Xdummy instead of Xvfb. 
     449-xvnc                  As in -create, except Xvnc instead of Xvfb. 
     450-xvnc_redirect         As in -create, except Xvnc.redirect instead of Xvfb. 
     451-xdummy_xvfb           Sets WAIT:cmd=FINDCREATEDISPLAY-Xdummy,Xvfb 
     452 
     453-create_xsrv str       Sets WAIT:cmd=FINDCREATEDISPLAY-<str>  Can be on cmdline 
     454                       after anything that sets WAIT:.. and other things 
     455                       (e.g. -svc, -xdmsvc) to adjust the X server list. 
     456                       Example: -svc ... -create_xsrv Xdummy,X 
     457 
     458-svc                   Terminal services mode based on SSL access.  Alias for 
     459                       -display WAIT:cmd=FINDCREATEDISPLAY-Xvfb -unixpw -users 
     460                       unixpw= -ssl SAVE   Also "-service". 
     461 
     462                       Note: if a -display, -unixpw, -users, or -ssl occurs 
     463                       later on the command line it will override the -svc 
     464                       setting. 
     465 
     466-svc_xdummy            As -svc except Xdummy instead of Xvfb. 
     467-svc_xvnc              As -svc except Xvnc instead of Xvfb. 
     468-svc_xdummy_xvfb       As -svc with Xdummy,Xvfb. 
     469 
     470-xdmsvc                Display manager Terminal services mode based on SSL. 
     471                       Alias for -display WAIT:cmd=FINDCREATEDISPLAY-Xvfb.xdmcp 
     472                       -unixpw -users unixpw= -ssl SAVE  Also "-xdm_service". 
     473 
     474                       Note: if a -display, -unixpw, -users, or -ssl occurs 
     475                       later on the command line it will override the -xdmsvc 
     476                       setting. 
     477 
     478                       To create a session a user will have to first log in 
     479                       to the -unixpw dialog and then log in again to the 
     480                       XDM/GDM/KDM prompt.  Subsequent re-connections will 
     481                       only require the -unixpw password.  See the discussion 
     482                       under -display WAIT:... for more details about XDM, 
     483                       etc configuration. 
     484 
     485                       Remember to enable XDMCP in the xdm-config, gdm.conf, 
     486                       or kdmrc configuration file.  See -display WAIT: for 
     487                       more info. 
     488 
     489(snip) 
     490 
     491-display WAIT:...      A special usage mode for the normal -display option. 
     492                       Useful with -unixpw, but can be used independently 
     493                       of it.  If the display string begins with WAIT: then 
     494                       x11vnc waits until a VNC client connects before opening 
     495                       the X display (or -rawfb device). 
     496 
     497                       This could be useful for delaying opening the display 
     498                       for certain usage modes (say if x11vnc is started at 
     499                       boot time and no X server is running or users logged 
     500                       in yet). 
     501 
     502                       If the string is, e.g. WAIT:0.0 or WAIT:1, i.e. "WAIT" 
     503                       in front of a normal X display, then that indicated 
     504                       display is used. 
     505 
     506                       One can also insert a geometry between colons, e.g. 
     507                       WAIT:1280x1024:... to set the size of the display the 
     508                       VNC client first attaches to since some VNC viewers 
     509                       will not automatically adjust to a new framebuffer size. 
     510 
     511                       A more interesting case is like this: 
     512 
     513                            WAIT:cmd=/usr/local/bin/find_display 
     514 
     515                       in which case the command after "cmd=" is run to 
     516                       dynamically work out the DISPLAY and optionally the 
     517                       XAUTHORITY data.  The first line of the command output 
     518                       must be of the form DISPLAY=<xdisplay>.  On Linux 
     519                       if the virtual terminal is known append ",VT=n" to 
     520                       this string and the chvt(1) program will also be run. 
     521                       Any remaining output is taken as XAUTHORITY data. 
     522                       It can be either of the form XAUTHORITY=<file> or raw 
     523                       xauthority data for the display. For example; 
     524 
     525                            xauth extract - $DISPLAY" 
     526 
     527                       In the case of -unixpw (and -unixpw_nis only if x11vnc 
     528                       is running as root), then the cmd= command is run 
     529                       as the user who just authenticated via the login and 
     530                       password prompt. 
     531 
     532                       In the case of -unixpw_cmd, the commands will also be 
     533                       run as the logged-in user, as long as the user-supplied 
     534                       helper program supports RFB_UNIXPW_CMD_RUN (see the 
     535                       -unixpw_cmd option.) 
     536 
     537                       Also in the case of -unixpw, the user logging in can 
     538                       place a colon at the end of her username and supply 
     539                       a few options: scale=, scale_cursor= (or sc=), solid 
     540                       (or so), id=, clear_mods (or cm), clear_keys (or 
     541                       ck), clear_all (or ca), repeat, speeds= (or sp=), 
     542                       readtimeout= (or rd=), viewonly (or vo), nodisplay= 
     543                       (or nd=), rotate= (or ro=), or noncache (or nc), 
     544                       all separated by commas if there is more than one. 
     545                       After the user logs in successfully, these options will 
     546                       be applied to the VNC screen.  For example, 
     547 
     548                          login: fred:scale=3/4,sc=1,repeat 
     549                          Password: ... 
     550 
     551                          login: runge:sp=modem,rd=120,solid 
     552 
     553                       for convenience m/n implies scale= e.g. fred:3/4  If you 
     554                       type and enter your password incorrectly, to retrieve 
     555                       your long "login:" line press the Up arrow once 
     556                       (before typing anything else). 
     557 
     558                       In the login panel, press F1 to get a list of the 
     559                       available options that you can add after the username. 
     560 
     561                       Another option is "geom=WxH" or "geom=WxHxD" (or 
     562                       ge=). This only has an effect in FINDCREATEDISPLAY 
     563                       mode when a virtual X server such as Xvfb is going 
     564                       to be created.  It sets the width and height of 
     565                       the new display, and optionally the color depth as 
     566                       well. 
     567 
     568                       You can also supply "gnome", "kde", "twm", 
     569                       "fvwm", "mwm", "dtwm", "wmaker", "xfce", 
     570                       "lxde", "enlightenment", "Xsession", or 
     571                       "failsafe" (same as "xterm") to have the created 
     572                       display use that mode for the user session. 
     573 
     574                       Specify "tag=..." to set the unique FD_TAG desktop 
     575                       session tag described below.  Note: this option will 
     576                       be ignored if the FD_TAG env. var. is already set or 
     577                       if the viewer-side supplied value is not completely 
     578                       composed of alphanumeric or '_' or '-' characters. 
     579 
     580                       To troubleshoot the FINDCREATEDISPLAY mechanism, 
     581                       set the following env. var. to an ouput log file, 
     582                       e.g -env CREATE_DISPLAY_OUTPUT=/tmp/mydebug.txt 
     583 
     584                       To disable the option setting set the environment 
     585                       variable X11VNC_NO_UNIXPW_OPTS=1 before starting x11vnc. 
     586                       To set any other options, the user can use the gui 
     587                       (x11vnc -gui connect) or the remote control method 
     588                       (x11vnc -R opt:val) during his VNC session. 
     589 
     590                       The combination of -display WAIT:cmd=... and -unixpw 
     591                       allows automatic pairing of an unix authenticated VNC 
     592                       user with his desktop.  This could be very useful on 
     593                       SunRays and also any system where multiple users share 
     594                       a given machine.  The user does not need to remember 
     595                       special ports or passwords set up for his desktop 
     596                       and VNC. 
     597 
     598                       A nice way to use WAIT:cmd=... is out of inetd(8) 
     599                       (it automatically forks a new x11vnc for each user). 
     600                       You can have the x11vnc inetd spawned process run as, 
     601                       say, root or nobody.  When run as root (for either inetd 
     602                       or display manager), you can also supply the option 
     603                       "-users unixpw=" to have the x11vnc process switch to 
     604                       the user as well.  Note: there will be a 2nd SSL helper 
     605                       process that will not switch, but it is only encoding 
     606                       and decoding the encrypted stream at that point. 
     607 
     608                       Automatic Finding of User X Sessions: 
     609 
     610                       As a special case, WAIT:cmd=FINDDISPLAY will run a 
     611                       script that works on most Unixes to determine a user's 
     612                       DISPLAY variable and xauthority data (see who(1)). 
     613 
     614                       The option "-find" is an alias for this mode. 
     615 
     616                       To have this default script printed to stdout (e.g. for 
     617                       customization) run with WAIT:cmd=FINDDISPLAY-print To 
     618                       have the script run to print what display it would find 
     619                       use "-finddpy" or WAIT:cmd=FINDDISPLAY-run 
     620 
     621                       The standard script runs xdpyinfo(1) run on potential 
     622                       displays.  If your X server(s) have a login greeter 
     623                       that exclusively grabs the Xserver, then xdpyinfo 
     624                       blocks forever and this mode will not work.  See 
     625                       www.karlrunge.com/x11vnc/faq.html#faq-display-manager 
     626                       for how to disable this for dtgreet on Solaris and 
     627                       possibly for other greeters. 
     628 
     629                       In -find/cmd=FINDDISPLAY mode, if you set FD_XDM=1, 
     630                       e.g. 'x11vnc -env FD_XDM=1 -find ...' and x11vnc is 
     631                       running as root (e.g. inetd) then it will try to find 
     632                       the XAUTHORITY file of a running XDM/GDM/KDM login 
     633                       greeter (i.e. no user has logged into an X session yet.) 
     634 
     635                       As another special case, WAIT:cmd=HTTPONCE will allow 
     636                       x11vnc to service one http request and then exit. 
     637                       This is usually done in -inetd mode to run on, say, 
     638                       port 5800 and allow the Java vncviewer to be downloaded 
     639                       by client web browsers.  For example: 
     640 
     641                        5815 stream tcp nowait root /usr/sbin/tcpd /.../x11vnc \ 
     642                          -inetd -q -http_ssl -prog /.../x11vnc \ 
     643                          -display WAIT:cmd=HTTPONCE 
     644 
     645                       Where /.../x11vnc is the full path to x11vnc. 
     646                       It is used in the Apache SSL-portal example (see FAQ). 
     647 
     648                       In this mode you can set X11VNC_SKIP_DISPLAY to a 
     649                       comma separated list of displays (e.g. ":0,:1") to 
     650                       ignore in the finding process.  The ":" is optional. 
     651                       Ranges n-m e.g. 0-20 can also be supplied. This string 
     652                       can also be set by the connecting user via "nd=" 
     653                       using "+" instead of ","  If "nd=all" or you set 
     654                       X11VNC_SKIP_DISPLAY=all then all display finding fails 
     655                       as if you set X11VNC_FINDDISPLAY_ALWAYS_FAILS=1 (below.) 
     656 
     657                       Automatic Creation of User X Sessions: 
     658 
     659                       An interesting option is WAIT:cmd=FINDCREATEDISPLAY 
     660                       that is like FINDDISPLAY in that is uses the same method 
     661                       to find an existing display.  However, if it does not 
     662                       find one it will try to *start* up an X server session 
     663                       for the user.  This is the only time x11vnc tries to 
     664                       actually start up an X server. 
     665 
     666                       The option "-create" is an alias for this mode. 
     667 
     668                       It will start looking for an open display number at :20 
     669                       Override via X11VNC_CREATE_STARTING_DISPLAY_NUMBER=n 
     670 
     671                       By default FINDCREATEDISPLAY will try Xvfb and then 
     672                       Xdummy: 
     673 
     674                       The Xdummy wrapper is part of the x11vnc source code 
     675                       (x11vnc/misc/Xdummy)  It should be available in PATH 
     676                       and have run "Xdummy -install" once to create the 
     677                       shared library.  Xdummy only works on Linux.  As of 
     678                       12/2009 it no longer needs to be run as root, and the 
     679                       default is to not run as root.  In some circumstances 
     680                       permissions may require running it as root, in these 
     681                       cases specify FD_XDUMMY_RUN_AS_ROOT=1, this is the same 
     682                       as supplying -root to the Xdummy cmdline. 
     683 
     684                       Xvfb is available on most platforms and does not 
     685                       require root. 
     686 
     687                       An advantage of Xdummy over Xvfb is that Xdummy supports 
     688                       RANDR dynamic screen resizing. 
     689 
     690                       When x11vnc exits (i.e. user disconnects) the X 
     691                       server session stays running in the background. 
     692                       The FINDDISPLAY will find it directly next time. 
     693                       The user must exit the X session in the usual way for 
     694                       it to terminate (or kill the X server process if all 
     695                       else fails). 
     696 
     697                       So this is a somewhat odd mode for x11vnc in that it 
     698                       will start up and poll virtual X servers!  This can 
     699                       be used from, say, inetd(8) to provide a means of 
     700                       definitely getting a desktop (either real or virtual) 
     701                       on the machine.  E.g. a desktop service: 
     702 
     703                         5900 stream tcp nowait root /usr/sbin/tcpd /.../x11vnc 
     704                          -inetd -q -http -ssl SAVE -unixpw -users unixpw=\ 
     705                          -passwd secret -prog /.../x11vnc \ 
     706                          -display WAIT:cmd=FINDCREATEDISPLAY 
     707 
     708                       Where /.../x11vnc is the full path to x11vnc. 
     709 
     710                       See the -svc/-service option alias above. 
     711 
     712                       If for some reason you do not want x11vnc to ever 
     713                       try to find an existing display set the env. var 
     714                       X11VNC_FINDDISPLAY_ALWAYS_FAILS=1 (also -env ...) 
     715                       This is the same as setting X11VNC_SKIP_DISPLAY=all or 
     716                       supplying "nd=all" after "username:" 
     717 
     718                       Use WAIT:cmd=FINDCREATEDISPLAY-print to print out the 
     719                       script that is used for this. 
     720 
     721                       You can specify the preferred X server order via e.g., 
     722                       WAIT:cmd=FINDCREATEDISPLAY-Xdummy,Xvfb,X  and/or leave 
     723                       out ones you do not want.  The the case "X" means try 
     724                       to start up a real, hardware X server using xinit(1) 
     725                       or startx(1).  If there is already an X server running 
     726                       the X case may only work on Linux (see startx(1)). 
     727 
     728                       "Xvnc" will start up a VNC X server (real- 
     729                       or tight-vnc, e.g. use if Xvfb is not available). 
     730                       "Xsrv" will start up the server program in the 
     731                       variable "FD_XSRV" if it is non-empty. You can make 
     732                       this be a wrapper script if you like (it must handle :N, 
     733                       -geometry, and -depth and other X server options). 
     734 
     735                       You can set the environment variable FD_GEOM (or 
     736                       X11VNC_CREATE_GEOM) to WxH or WxHxD to set the width 
     737                       and height and optionally the color depth of the 
     738                       created display.  You can also set FD_SESS to be the 
     739                       session (short name of the windowmanager: kde, gnome, 
     740                       twm, failsafe, etc.). FD_OPTS contains extra options 
     741                       to pass to the X server. You can also set FD_PROG to 
     742                       be the full path to the session/windowmanager program. 
     743 
     744                       More FD tricks:  FD_CUPS=port or FD_CUPS=host:port 
     745                       will set the cups printing environment.  Similarly for 
     746                       FD_ESD=port or FD_ESD=host:port for esddsp sound 
     747                       redirection.  Set FD_EXTRA to a command to be run a 
     748                       few seconds after the X server starts up.  Set FD_TAG 
     749                       to be a unique name for the session, it is set as an 
     750                       X property, that makes FINDDISPLAY only find sessions 
     751                       with that tag value. 
     752 
     753                       Set FD_XDMCP_IF to the network interface that the 
     754                       display manager is running on; default is 'localhost' 
     755                       but you may need to set it to '::1' on some IPv6 only 
     756                       systems or misconfigured display managers. 
     757 
     758                       If you want the FINDCREATEDISPLAY session to contact an 
     759                       XDMCP login manager (xdm/gdm/kdm) on the same machine, 
     760                       then use "Xvfb.xdmcp" instead of "Xvfb", etc. 
     761                       The user will have to supply his username and password 
     762                       one more time (but he gets to select his desktop type 
     763                       so that can be useful).  For this to work, you will 
     764                       need to enable localhost XDMCP (udp port 177) for the 
     765                       display manager.  This seems to be: 
     766 
     767                        for gdm in gdm.conf:   Enable=true in section [xdmcp] 
     768                        for kdm in kdmrc:      Enable=true in section [Xdmcp] 
     769                        for xdm in xdm-config: DisplayManager.requestPort: 177 
     770 
     771                       See the shorthand options above "-svc", "-xdmsvc" 
     772                       and "-sshxdmsvc" that specify the above options for 
     773                       some useful cases. 
     774 
     775                       If you set the env. var WAITBG=1 x11vnc will go into 
     776                       the background once listening in wait mode. 
     777 
     778                       Another special mode is FINDCREATEDISPLAY-Xvnc.redirect, 
     779                       (or FINDDISPLAY-Xvnc.redirect).  In this case it will 
     780                       start up Xvnc as above if needed, but instead of 
     781                       polling it in its normal way, it simply does a socket 
     782                       redirection of the connected VNC viewer to the Xvnc. 
     783 
     784                       So in Xvnc.redirect x11vnc does no VNC but merely 
     785                       transfers the data back and forth.  This should be 
     786                       faster then x11vnc's polling method, but not as fast 
     787                       as connecting directly to the Xvnc with the VNC Viewer. 
     788                       The idea here is to take advantage of x11vnc's display 
     789                       finding/creating scheme, SSL, and perhaps a few others. 
     790                       Most of x11vnc's options do not apply in this mode. 
     791 
     792                       Xvnc.redirect should also work for the vnc.so X server 
     793                       module for the h/w display however it will work only 
     794                       for finding the display and the user must already be 
     795                       logged into the X console. 
     796 
     797(snip) 
     798 
     799-nossl                 Disable the -ssl option (see below). Since -ssl is off 
     800                       by default -nossl would only be used on the commandline 
     801                       to unset any *earlier* -ssl option (or -svc...) 
     802 
     803-ssl [pem]             Use the openssl library (www.openssl.org) to provide a 
     804                       built-in encrypted SSL/TLS tunnel between VNC viewers 
     805                       and x11vnc.  This requires libssl support to be 
     806                       compiled into x11vnc at build time.  If x11vnc is not 
     807                       built with libssl support it will exit immediately when 
     808                       -ssl is prescribed.  See the -stunnel option below for 
     809                       an alternative. 
     810 
     811                       The VNC Viewer-side needs to support SSL/TLS as well. 
     812                       See this URL and also the discussion below for 
     813                       ideas on how to enable SSL support for the viewer: 
     814                       http://www.karlrunge.com/x11vnc/faq.html#faq-ssl-tun 
     815                       nel-viewers .  x11vnc provides an SSL enabled Java 
     816                       viewer applet in the classes/ssl directory (-http or 
     817                       -httpdir options.)  The SSVNC viewer package supports 
     818                       SSL tunnels too. 
     819 
     820                       If the VNC Viewer supports VeNCrypt or ANONTLS (vino's 
     821                       encryption mode) they are also supported by the -ssl 
     822                       mode (see the -vencrypt and -anontls options for more 
     823                       info; use -sslonly to disable both of them.) 
     824 
     825                       Use "-ssl /path/to/mycert.pem" to specify an SSL 
     826                       certificate file in PEM format to use to identify and 
     827                       provide a key for this server.  See openssl(1) for more 
     828                       info about PEMs and the -sslGenCert and "-ssl SAVE" 
     829                       options below for how to create them. 
     830 
     831                       The connecting VNC viewer SSL tunnel can (at its option) 
     832                       authenticate this server if it has the public key part 
     833                       of the certificate (or a common certificate authority, 
     834                       CA, is a more sophisticated way to verify this server's 
     835                       cert, see -sslGenCA below).  This authentication is 
     836                       done to prevent Man-In-The-Middle attacks.  Otherwise, 
     837                       if the VNC viewer simply accepts this server's key 
     838                       WITHOUT verification, the traffic is protected from 
     839                       passive sniffing on the network, but *NOT* from 
     840                       Man-In-The-Middle attacks. There are hacker tools 
     841                       like dsniff/webmitm and cain that implement SSL 
     842                       Man-In-The-Middle attacks. 
     843 
     844                       If [pem] is empty or the string "SAVE" then the 
     845                       openssl(1) command must be available to generate the 
     846                       certificate the first time.  A self-signed certificate 
     847                       is generated (see -sslGenCA and -sslGenCert for use 
     848                       of a Certificate Authority.)  It will be saved to the 
     849                       file ~/.vnc/certs/server.pem.  On subsequent calls if 
     850                       that file already exists it will be used directly. 
     851 
     852                       Use "SAVE_NOPROMPT" to avoid being prompted to 
     853                       protect the generated key with a passphrase.  However in 
     854                       -inetd and -bg modes there will be no prompting for a 
     855                       passphrase in either case. 
     856 
     857                       If [pem] is "SAVE_PROMPT" the server.pem certificate 
     858                       will be created based on your answers to its prompts for 
     859                       all info such as OrganizationalName, CommonName, etc. 
     860 
     861                       Use "SAVE-<string>" and "SAVE_PROMPT-<string>" 
     862                       to refer to the file ~/.vnc/certs/server-<string>.pem 
     863                       instead (it will be generated if it does not already 
     864                       exist).  E.g. "SAVE-charlie" will store to the file 
     865                       ~/.vnc/certs/server-charlie.pem 
     866 
     867                       Examples: x11vnc -ssl SAVE -display :0 ... 
     868                                 x11vnc -ssl SAVE-someother -display :0 ... 
     869 
     870                       If [pem] is "TMP" and the openssl(1) utility 
     871                       command exists in PATH, then a temporary, self-signed 
     872                       certificate will be generated for this session.  If 
     873                       openssl(1) cannot be used to generate a temporary 
     874                       certificate x11vnc exits immediately.  The temporary 
     875                       cert will be discarded when x11vnc exits. 
     876 
     877                       If successful in using openssl(1) to generate a 
     878                       temporary certificate in "SAVE" or "TMP" creation 
     879                       modes, the public part of it will be displayed to stderr 
     880                       (e.g. one could copy it to the client-side to provide 
     881                       authentication of the server to VNC viewers.) 
     882 
     883                       NOTE: In "TMP" mode, unless you safely copy the 
     884                       public part of the temporary Cert to the viewer for 
     885                       authenticate *every time* (unlikely...), then only 
     886                       passive sniffing attacks are prevented and you are 
     887                       still open to Man-In-The-Middle attacks.  This is 
     888                       why the default "SAVE" mode is preferred (and more 
     889                       sophisticated CA mode too).  Only with saved keys AND 
     890                       the VNC viewer authenticating them (via the public 
     891                       certificate), are Man-In-The-Middle attacks prevented. 
     892 
     893                       If [pem] is "ANON" then the Diffie-Hellman anonymous 
     894                       key exchange method is used.  In this mode there 
     895                       are *no* SSL certificates and so it is not possible 
     896                       to authenticate either the VNC server or VNC client. 
     897                       Thus only passive network sniffing attacks are avoided: 
     898                       the "ANON" method is susceptible to Man-In-The-Middle 
     899                       attacks.  "ANON" is not recommended; instead use 
     900                       a SSL PEM you created or the default "SAVE" method. 
     901 
     902                       See -ssldir below to use a directory besides the 
     903                       default ~/.vnc/certs 
     904 
     905                       If your x11vnc binary was not compiled with OpenSSL 
     906                       library support, use of the -ssl option will induce an 
     907                       immediate failure and exit.  For such binaries, consider 
     908                       using the -stunnel option for SSL encrypted connections. 
     909 
     910                       Misc Info: In temporary cert creation mode "TMP", set 
     911                       the env. var. X11VNC_SHOW_TMP_PEM=1 to have x11vnc print 
     912                       out the entire certificate, including the PRIVATE KEY 
     913                       part, to stderr.  There are better ways to get/save this 
     914                       info.  See "SAVE" above and "-sslGenCert" below. 
     915 
     916(snip) 
     917 
     918-usepw                 If no other password method was supplied on the command 
     919                       line, first look for ~/.vnc/passwd and if found use it 
     920                       with -rfbauth; next, look for ~/.vnc/passwdfile and 
     921                       use it with -passwdfile; otherwise, prompt the user 
     922                       for a password to create ~/.vnc/passwd and use it with 
     923                       the -rfbauth option.  If none of these succeed x11vnc 
     924                       exits immediately. 
    399925 
    400926-storepasswd pass file Store password "pass" as the VNC password in the
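Review bot: the inetd desktop-service example at new lines 703-706 carries `-passwd secret` as a literal on the command line of a service started as root, so the password is readable by anyone who can read the inetd entry or the process list. Suggest pointing the example at a file-based option instead (the `-usepw` entry at 918-924 already names `-rfbauth` and `-passwdfile`), or marking `secret` as a placeholder. In the same example, line 703 ends without the continuation backslash that the HTTPONCE example at 641-643 puts on every wrapped line. Smaller points in this hunk: new line 525 has an unmatched trailing quote in `xauth extract - $DISPLAY"`, and there are typos at 581 ("ouput"), 723 ("The the case") and 786 ("faster then"). If the text is meant to mirror the upstream x11vnc help output verbatim, say so on the page so that later editors do not correct it piecemeal.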