
-find                  Find the user's display using FINDDISPLAY. This
                       is an alias for "-display WAIT:cmd=FINDDISPLAY".

                       Note: if a -display occurs later on the command line
                       it will override the -find setting.

                       For this and the next few options see -display WAIT:...
                       below for all of the details.

-finddpy               Run the FINDDISPLAY program, print out the found
                       display (if any) and exit. Output is like: DISPLAY=:0.0,
                       DISPLAY=:0.0,XPID=12345 or DISPLAY=:0.0,VT=7. XPID is
                       the process ID of the found X server. VT is the Linux
                       virtual terminal of the X server.
-listdpy               Have the FINDDISPLAY program list all of your displays
                       (i.e. all the X displays on the local machine that you
                       have access rights to).

-findauth [disp]       Apply the -find/-finddpy heuristics to try to guess
                       the XAUTHORITY file for DISPLAY 'disp'. If 'disp'
                       is not supplied, then the value in the -display on
                       the cmdline is used; failing that $DISPLAY is used;
                       and failing that ":0" is used.

                       If nothing is printed out, that means no XAUTHORITY was
                       found for 'disp'; i.e. failure. If "XAUTHORITY="
                       is printed out, that means use the default (i.e. do
                       not set XAUTHORITY). If "XAUTHORITY=/path/to/file"
                       is printed out, then use that file.

                       XDM/GDM/KDM: if you are running x11vnc as root and want
                       to find the XAUTHORITY before anyone has logged into an
                       X session yet, use: x11vnc -env FD_XDM=1 -findauth ...
                       (This will also find the XAUTHORITY if a user is already
                       logged into the X session.) When running as root,
                       FD_XDM=1 will be tried if the initial -findauth fails.

-create                First try to find the user's display using FINDDISPLAY;
                       if that doesn't succeed, create an X session via the
                       FINDCREATEDISPLAY method. This is an alias for
                       "-display WAIT:cmd=FINDCREATEDISPLAY-Xvfb".

                       Note: if a -display occurs later on the command line
                       it will override the -create setting.

                       SSH NOTE: for both -find and -create you can (should!)
                       add the "-localhost" option to force SSH tunnel access.

-xdummy                As in -create, except Xdummy instead of Xvfb.
-xvnc                  As in -create, except Xvnc instead of Xvfb.
-xvnc_redirect         As in -create, except Xvnc.redirect instead of Xvfb.
-xdummy_xvfb           Sets WAIT:cmd=FINDCREATEDISPLAY-Xdummy,Xvfb.

-create_xsrv str       Sets WAIT:cmd=FINDCREATEDISPLAY-<str>. Can be on the
                       cmdline after anything that sets WAIT:... and other
                       things (e.g. -svc, -xdmsvc) to adjust the X server list.
                       Example: -svc ... -create_xsrv Xdummy,X

-svc                   Terminal services mode based on SSL access. Alias for
                       -display WAIT:cmd=FINDCREATEDISPLAY-Xvfb -unixpw -users
                       unixpw= -ssl SAVE. Also "-service".

                       Note: if a -display, -unixpw, -users, or -ssl occurs
                       later on the command line it will override the -svc
                       setting.

-svc_xdummy            As -svc except Xdummy instead of Xvfb.
-svc_xvnc              As -svc except Xvnc instead of Xvfb.
-svc_xdummy_xvfb       As -svc with Xdummy,Xvfb.

-xdmsvc                Display manager Terminal services mode based on SSL.
                       Alias for -display WAIT:cmd=FINDCREATEDISPLAY-Xvfb.xdmcp
                       -unixpw -users unixpw= -ssl SAVE. Also "-xdm_service".

                       Note: if a -display, -unixpw, -users, or -ssl occurs
                       later on the command line it will override the -xdmsvc
                       setting.

                       To create a session a user will have to first log in
                       to the -unixpw dialog and then log in again to the
                       XDM/GDM/KDM prompt. Subsequent re-connections will
                       only require the -unixpw password. See the discussion
                       under -display WAIT:... for more details about XDM,
                       etc. configuration.

                       Remember to enable XDMCP in the xdm-config, gdm.conf,
                       or kdmrc configuration file. See -display WAIT: for
                       more info.

(snip)

-display WAIT:...      A special usage mode for the normal -display option.
                       Useful with -unixpw, but can be used independently
                       of it. If the display string begins with WAIT: then
                       x11vnc waits until a VNC client connects before opening
                       the X display (or -rawfb device).

                       This could be useful for delaying opening the display
                       for certain usage modes (say if x11vnc is started at
                       boot time and no X server is running or users logged
                       in yet).

                       If the string is, e.g. WAIT:0.0 or WAIT:1, i.e. "WAIT"
                       in front of a normal X display, then that indicated
                       display is used.

                       One can also insert a geometry between colons, e.g.
                       WAIT:1280x1024:... to set the size of the display the
                       VNC client first attaches to, since some VNC viewers
                       will not automatically adjust to a new framebuffer size.

                       A more interesting case is like this:

                           WAIT:cmd=/usr/local/bin/find_display

                       in which case the command after "cmd=" is run to
                       dynamically work out the DISPLAY and optionally the
                       XAUTHORITY data. The first line of the command output
                       must be of the form DISPLAY=<xdisplay>. On Linux,
                       if the virtual terminal is known, append ",VT=n" to
                       this string and the chvt(1) program will also be run.
                       Any remaining output is taken as XAUTHORITY data.
                       It can be either of the form XAUTHORITY=<file> or raw
                       xauthority data for the display. For example:

                           xauth extract - $DISPLAY

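A hypothetical cmd= hook that follows the output contract just described (DISPLAY=... first, ",VT=n" when known, then an XAUTHORITY= line), written as an added example and not x11vnc's own FINDDISPLAY script; it assumes who(1) output in the usual format and a cookie file at ~/.Xauthority, and the embedded SAMPLE_WHO text is constructed.

```python
#!/usr/bin/env python3
"""Hypothetical -display WAIT:cmd= hook (added example, not x11vnc's own script).

Contract from the help text: the first stdout line is DISPLAY=<xdisplay>, with
",VT=n" appended on Linux when the virtual terminal is known; every further line
is XAUTHORITY data (here the "XAUTHORITY=<file>" form). If no display is found,
nothing is printed, so x11vnc gets no DISPLAY= line and gives up on this connection.
"""
import os
import pwd
import re
import subprocess
import sys
from typing import Optional, Tuple

# who(1) prints the X display of a local X login in parentheses, e.g. "(:0)".
# Remote logins carry a host there instead, e.g. "(192.0.2.5)", and must not match.
_X_DISPLAY = re.compile(r"\((:\d+(?:\.\d+)?)\)\s*$")
_LINUX_VT = re.compile(r"^tty(\d+)$")

# Constructed who(1) output used to exercise the parser offline.
SAMPLE_WHO = (
    "fred     tty7         2024-03-01 09:00 (:0)\n"
    "fred     pts/1        2024-03-01 09:05 (192.0.2.5)\n"
    "mallory  pts/2        2024-03-01 09:07 (192.0.2.9)\n"
)


def display_from_who(who_output: str, user: str) -> Optional[Tuple[str, Optional[int]]]:
    """Return (display, vt) for the first local X login of `user`, or None."""
    for line in who_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != user:
            continue
        m = _X_DISPLAY.search(line)
        if not m:
            continue  # not an X login (e.g. an ssh session); keep looking
        vt_match = _LINUX_VT.match(fields[1])  # ttyN on Linux gives the VT number
        vt = int(vt_match.group(1)) if vt_match else None
        return m.group(1), vt
    return None


def format_display_line(display: str, vt: Optional[int]) -> str:
    """Build the mandatory first output line, e.g. 'DISPLAY=:0,VT=7'."""
    return f"DISPLAY={display}" + (f",VT={vt}" if vt is not None else "")


def xauthority_line(home: str) -> Optional[str]:
    """Point x11vnc at the user's cookie file if it exists; None means use the default."""
    path = os.path.join(home, ".Xauthority")
    return f"XAUTHORITY={path}" if os.path.isfile(path) else None


def main() -> int:
    # Under -unixpw x11vnc runs the hook as the user who just authenticated,
    # so the effective uid tells us whose display to look for.
    user = pwd.getpwuid(os.geteuid()).pw_name
    who_output = subprocess.run(["who"], capture_output=True, text=True, check=False).stdout
    found = display_from_who(who_output, user)
    if found is None:
        return 1  # nothing printed: x11vnc sees no DISPLAY= line
    display, vt = found
    print(format_display_line(display, vt))
    auth = xauthority_line(pwd.getpwnam(user).pw_dir)
    if auth:
        print(auth)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```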
                       In the case of -unixpw (and -unixpw_nis only if x11vnc
                       is running as root), the cmd= command is run
                       as the user who just authenticated via the login and
                       password prompt.

                       In the case of -unixpw_cmd, the commands will also be
                       run as the logged-in user, as long as the user-supplied
                       helper program supports RFB_UNIXPW_CMD_RUN (see the
                       -unixpw_cmd option).

                       Also in the case of -unixpw, the user logging in can
                       place a colon at the end of her username and supply
                       a few options: scale=, scale_cursor= (or sc=), solid
                       (or so), id=, clear_mods (or cm), clear_keys (or
                       ck), clear_all (or ca), repeat, speeds= (or sp=),
                       readtimeout= (or rd=), viewonly (or vo), nodisplay=
                       (or nd=), rotate= (or ro=), or noncache (or nc),
                       all separated by commas if there is more than one.
                       After the user logs in successfully, these options will
                       be applied to the VNC screen. For example,

                           login: fred:scale=3/4,sc=1,repeat
                           Password: ...

                           login: runge:sp=modem,rd=120,solid

                       For convenience m/n implies scale=, e.g. fred:3/4. If you
                       type and enter your password incorrectly, to retrieve
                       your long "login:" line press the Up arrow once
                       (before typing anything else).

                       In the login panel, press F1 to get a list of the
                       available options that you can add after the username.

                       Another option is "geom=WxH" or "geom=WxHxD" (or
                       ge=). This only has an effect in FINDCREATEDISPLAY
                       mode when a virtual X server such as Xvfb is going
                       to be created. It sets the width and height of
                       the new display, and optionally the color depth as
                       well.

                       You can also supply "gnome", "kde", "twm",
                       "fvwm", "mwm", "dtwm", "wmaker", "xfce",
                       "lxde", "enlightenment", "Xsession", or
                       "failsafe" (same as "xterm") to have the created
                       display use that mode for the user session.

                       Specify "tag=..." to set the unique FD_TAG desktop
                       session tag described below. Note: this option will
                       be ignored if the FD_TAG env. var. is already set or
                       if the viewer-side supplied value is not completely
                       composed of alphanumeric or '_' or '-' characters.

                       To troubleshoot the FINDCREATEDISPLAY mechanism,
                       set the following env. var. to an output log file,
                       e.g. -env CREATE_DISPLAY_OUTPUT=/tmp/mydebug.txt

                       To disable the option setting, set the environment
                       variable X11VNC_NO_UNIXPW_OPTS=1 before starting x11vnc.
                       To set any other options, the user can use the gui
                       (x11vnc -gui connect) or the remote control method
                       (x11vnc -R opt:val) during his VNC session.

                       The combination of -display WAIT:cmd=... and -unixpw
                       allows automatic pairing of a unix authenticated VNC
                       user with his desktop. This could be very useful on
                       SunRays and also any system where multiple users share
                       a given machine. The user does not need to remember
                       special ports or passwords set up for his desktop
                       and VNC.

                       A nice way to use WAIT:cmd=... is out of inetd(8)
                       (it automatically forks a new x11vnc for each user).
                       You can have the x11vnc inetd spawned process run as,
                       say, root or nobody. When run as root (for either inetd
                       or display manager), you can also supply the option
                       "-users unixpw=" to have the x11vnc process switch to
                       the user as well. Note: there will be a 2nd SSL helper
                       process that will not switch, but it is only encoding
                       and decoding the encrypted stream at that point.

                       Automatic Finding of User X Sessions:

                       As a special case, WAIT:cmd=FINDDISPLAY will run a
                       script that works on most Unixes to determine a user's
                       DISPLAY variable and xauthority data (see who(1)).

                       The option "-find" is an alias for this mode.

                       To have this default script printed to stdout (e.g. for
                       customization) run with WAIT:cmd=FINDDISPLAY-print. To
                       have the script run to print what display it would find
                       use "-finddpy" or WAIT:cmd=FINDDISPLAY-run.

                       The standard script runs xdpyinfo(1) on potential
                       displays. If your X server(s) have a login greeter
                       that exclusively grabs the Xserver, then xdpyinfo
                       blocks forever and this mode will not work. See
                       www.karlrunge.com/x11vnc/faq.html#faq-display-manager
                       for how to disable this for dtgreet on Solaris and
                       possibly for other greeters.

                       In -find/cmd=FINDDISPLAY mode, if you set FD_XDM=1,
                       e.g. 'x11vnc -env FD_XDM=1 -find ...' and x11vnc is
                       running as root (e.g. inetd) then it will try to find
                       the XAUTHORITY file of a running XDM/GDM/KDM login
                       greeter (i.e. no user has logged into an X session yet).

                       As another special case, WAIT:cmd=HTTPONCE will allow
                       x11vnc to service one http request and then exit.
                       This is usually done in -inetd mode to run on, say,
                       port 5800 and allow the Java vncviewer to be downloaded
                       by client web browsers. For example:

                           5815 stream tcp nowait root /usr/sbin/tcpd /.../x11vnc \
                               -inetd -q -http_ssl -prog /.../x11vnc \
                               -display WAIT:cmd=HTTPONCE

                       Where /.../x11vnc is the full path to x11vnc.
                       It is used in the Apache SSL-portal example (see FAQ).

                       In this mode you can set X11VNC_SKIP_DISPLAY to a
                       comma separated list of displays (e.g. ":0,:1") to
                       ignore in the finding process. The ":" is optional.
                       Ranges n-m, e.g. 0-20, can also be supplied. This string
                       can also be set by the connecting user via "nd="
                       using "+" instead of ",". If "nd=all" or you set
                       X11VNC_SKIP_DISPLAY=all then all display finding fails
                       as if you set X11VNC_FINDDISPLAY_ALWAYS_FAILS=1 (below).
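
A parser for the two viewer-supplied formats described above, the "username:opt,opt=val" login suffix (including the m/n shorthand and the tag= character rule) and the X11VNC_SKIP_DISPLAY / nd= skip lists; this is an added example written from the help text, not x11vnc's own code, and the alias table is taken from the option list above.

```python
"""Parse the unixpw "login:" option suffix and the X11VNC_SKIP_DISPLAY / nd= lists.

Added example built from the x11vnc help text; it is not x11vnc's own code, and
the alias table below is the one the help text lists.
"""
import re
from typing import Dict, Set, Tuple, Union

# Short forms listed in the help text, mapped to their long option names.
ALIASES = {
    "sc": "scale_cursor", "so": "solid", "cm": "clear_mods", "ck": "clear_keys",
    "ca": "clear_all", "sp": "speeds", "rd": "readtimeout", "vo": "viewonly",
    "nd": "nodisplay", "ro": "rotate", "nc": "noncache", "ge": "geom",
}
FRACTION = re.compile(r"^\d+/\d+$")          # "fred:3/4" is shorthand for scale=3/4
TAG_CHARS = re.compile(r"^[A-Za-z0-9_-]+$")  # tag= must be alphanumeric, '_' or '-'

Option = Union[str, bool]


def parse_login(line: str) -> Tuple[str, Dict[str, Option]]:
    """Split 'user:opt,opt=val,...' into the username and an option map.

    Flag options (solid, repeat, ...) map to True; valued ones keep their string.
    """
    user, sep, rest = line.partition(":")
    opts: Dict[str, Option] = {}
    if not sep:
        return user, opts
    for item in rest.split(","):
        if not item:
            continue
        key, eq, val = item.partition("=")
        if not eq and FRACTION.match(key):
            key, eq, val = "scale", "=", key  # m/n shorthand
        key = ALIASES.get(key, key)
        opts[key] = val if eq else True
    return user, opts


def accept_tag(value: str, fd_tag_already_set: bool) -> bool:
    """Rule for a viewer-supplied tag=: ignored when FD_TAG is already set in the
    environment or when the value has anything but alphanumerics, '_' or '-'."""
    return not fd_tag_already_set and TAG_CHARS.fullmatch(value) is not None


def parse_skip_displays(spec: str, sep: str = ",") -> Union[str, Set[int]]:
    """Expand a skip list into display numbers, or return 'all'.

    X11VNC_SKIP_DISPLAY uses ',' (e.g. ":0,:1" or "0-20"); the viewer-side nd=
    form uses '+' instead, so pass sep='+' for it. The leading ':' is optional.
    """
    if spec == "all":
        return "all"
    skip: Set[int] = set()
    for item in spec.split(sep):
        item = item.strip().lstrip(":")
        if not item:
            continue
        lo, dash, hi = item.partition("-")
        if dash:
            skip.update(range(int(lo), int(hi) + 1))
        else:
            skip.add(int(item.split(".")[0]))  # ":0.0" counts as display 0
    return skip


def skip_list_from_login(opts: Dict[str, Option]) -> Union[str, Set[int]]:
    """Read the nodisplay option a user typed after 'username:' (empty set if absent)."""
    nd = opts.get("nodisplay")
    return parse_skip_displays(nd, sep="+") if isinstance(nd, str) else set()
```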

                       Automatic Creation of User X Sessions:

                       An interesting option is WAIT:cmd=FINDCREATEDISPLAY
                       that is like FINDDISPLAY in that it uses the same method
                       to find an existing display. However, if it does not
                       find one it will try to *start* up an X server session
                       for the user. This is the only time x11vnc tries to
                       actually start up an X server.

                       The option "-create" is an alias for this mode.

                       It will start looking for an open display number at :20.
                       Override via X11VNC_CREATE_STARTING_DISPLAY_NUMBER=n.

                       By default FINDCREATEDISPLAY will try Xvfb and then
                       Xdummy:

                       The Xdummy wrapper is part of the x11vnc source code
                       (x11vnc/misc/Xdummy). It should be available in PATH
                       and have run "Xdummy -install" once to create the
                       shared library. Xdummy only works on Linux. As of
                       12/2009 it no longer needs to be run as root, and the
                       default is to not run as root. In some circumstances
                       permissions may require running it as root; in these
                       cases specify FD_XDUMMY_RUN_AS_ROOT=1, which is the same
                       as supplying -root to the Xdummy cmdline.

                       Xvfb is available on most platforms and does not
                       require root.

                       An advantage of Xdummy over Xvfb is that Xdummy supports
                       RANDR dynamic screen resizing.

                       When x11vnc exits (i.e. user disconnects) the X
                       server session stays running in the background.
                       The FINDDISPLAY will find it directly next time.
                       The user must exit the X session in the usual way for
                       it to terminate (or kill the X server process if all
                       else fails).

                       So this is a somewhat odd mode for x11vnc in that it
                       will start up and poll virtual X servers! This can
                       be used from, say, inetd(8) to provide a means of
                       definitely getting a desktop (either real or virtual)
                       on the machine. E.g. a desktop service:

                           5900 stream tcp nowait root /usr/sbin/tcpd /.../x11vnc \
                               -inetd -q -http -ssl SAVE -unixpw -users unixpw= \
                               -passwd secret -prog /.../x11vnc \
                               -display WAIT:cmd=FINDCREATEDISPLAY

                       Where /.../x11vnc is the full path to x11vnc.

                       See the -svc/-service option alias above.

                       If for some reason you do not want x11vnc to ever
                       try to find an existing display set the env. var.
                       X11VNC_FINDDISPLAY_ALWAYS_FAILS=1 (also -env ...).
                       This is the same as setting X11VNC_SKIP_DISPLAY=all or
                       supplying "nd=all" after "username:".

                       Use WAIT:cmd=FINDCREATEDISPLAY-print to print out the
                       script that is used for this.

                       You can specify the preferred X server order via e.g.
                       WAIT:cmd=FINDCREATEDISPLAY-Xdummy,Xvfb,X and/or leave
                       out ones you do not want. The case "X" means try
                       to start up a real, hardware X server using xinit(1)
                       or startx(1). If there is already an X server running
                       the X case may only work on Linux (see startx(1)).

                       "Xvnc" will start up a VNC X server (RealVNC's or
                       TightVNC's Xvnc; use it e.g. if Xvfb is not available).
                       "Xsrv" will start up the server program in the
                       variable "FD_XSRV" if it is non-empty. You can make
                       this be a wrapper script if you like (it must handle :N,
                       -geometry, and -depth and other X server options).

                       You can set the environment variable FD_GEOM (or
                       X11VNC_CREATE_GEOM) to WxH or WxHxD to set the width
                       and height and optionally the color depth of the
                       created display. You can also set FD_SESS to be the
                       session (short name of the windowmanager: kde, gnome,
                       twm, failsafe, etc.). FD_OPTS contains extra options
                       to pass to the X server. You can also set FD_PROG to
                       be the full path to the session/windowmanager program.

                       More FD tricks: FD_CUPS=port or FD_CUPS=host:port
                       will set the cups printing environment. Similarly for
                       FD_ESD=port or FD_ESD=host:port for esddsp sound
                       redirection. Set FD_EXTRA to a command to be run a
                       few seconds after the X server starts up. Set FD_TAG
                       to be a unique name for the session; it is set as an
                       X property, which makes FINDDISPLAY only find sessions
                       with that tag value.

                       Set FD_XDMCP_IF to the network interface that the
                       display manager is running on; default is 'localhost'
                       but you may need to set it to '::1' on some IPv6 only
                       systems or misconfigured display managers.

                       If you want the FINDCREATEDISPLAY session to contact an
                       XDMCP login manager (xdm/gdm/kdm) on the same machine,
                       then use "Xvfb.xdmcp" instead of "Xvfb", etc.
                       The user will have to supply his username and password
                       one more time (but he gets to select his desktop type
                       so that can be useful). For this to work, you will
                       need to enable localhost XDMCP (udp port 177) for the
                       display manager. This seems to be:

                           for gdm in gdm.conf: Enable=true in section [xdmcp]
                           for kdm in kdmrc: Enable=true in section [Xdmcp]
                           for xdm in xdm-config: DisplayManager.requestPort: 177

                       See the shorthand options above "-svc", "-xdmsvc"
                       and "-sshxdmsvc" that specify the above options for
                       some useful cases.

                       If you set the env. var. WAITBG=1 x11vnc will go into
                       the background once listening in wait mode.

                       Another special mode is FINDCREATEDISPLAY-Xvnc.redirect
                       (or FINDDISPLAY-Xvnc.redirect). In this case it will
                       start up Xvnc as above if needed, but instead of
                       polling it in its normal way, it simply does a socket
                       redirection of the connected VNC viewer to the Xvnc.

                       So in Xvnc.redirect x11vnc does no VNC but merely
                       transfers the data back and forth. This should be
                       faster than x11vnc's polling method, but not as fast
                       as connecting directly to the Xvnc with the VNC Viewer.
                       The idea here is to take advantage of x11vnc's display
                       finding/creating scheme, SSL, and perhaps a few others.
                       Most of x11vnc's options do not apply in this mode.

                       Xvnc.redirect should also work for the vnc.so X server
                       module for the h/w display; however, it will work only
                       for finding the display and the user must already be
                       logged into the X console.

(snip)

-nossl                 Disable the -ssl option (see below). Since -ssl is off
                       by default -nossl would only be used on the commandline
                       to unset any *earlier* -ssl option (or -svc...).

-ssl [pem]             Use the openssl library (www.openssl.org) to provide a
                       built-in encrypted SSL/TLS tunnel between VNC viewers
                       and x11vnc. This requires libssl support to be
                       compiled into x11vnc at build time. If x11vnc is not
                       built with libssl support it will exit immediately when
                       -ssl is prescribed. See the -stunnel option below for
                       an alternative.

                       The VNC Viewer-side needs to support SSL/TLS as well.
                       See this URL and also the discussion below for
                       ideas on how to enable SSL support for the viewer:
                       http://www.karlrunge.com/x11vnc/faq.html#faq-ssl-tunnel-viewers
                       x11vnc provides an SSL enabled Java viewer applet in
                       the classes/ssl directory (-http or -httpdir options).
                       The SSVNC viewer package supports SSL tunnels too.

                       If the VNC Viewer supports VeNCrypt or ANONTLS (vino's
                       encryption mode) they are also supported by the -ssl
                       mode (see the -vencrypt and -anontls options for more
                       info; use -sslonly to disable both of them).

                       Use "-ssl /path/to/mycert.pem" to specify an SSL
                       certificate file in PEM format to use to identify and
                       provide a key for this server. See openssl(1) for more
                       info about PEMs and the -sslGenCert and "-ssl SAVE"
                       options below for how to create them.

                       The connecting VNC viewer SSL tunnel can (at its option)
                       authenticate this server if it has the public key part
                       of the certificate (or a common certificate authority,
                       CA, is a more sophisticated way to verify this server's
                       cert, see -sslGenCA below). This authentication is
                       done to prevent Man-In-The-Middle attacks. Otherwise,
                       if the VNC viewer simply accepts this server's key
                       WITHOUT verification, the traffic is protected from
                       passive sniffing on the network, but *NOT* from
                       Man-In-The-Middle attacks. There are hacker tools
                       like dsniff/webmitm and cain that implement SSL
                       Man-In-The-Middle attacks.

                       If [pem] is empty or the string "SAVE" then the
                       openssl(1) command must be available to generate the
                       certificate the first time. A self-signed certificate
                       is generated (see -sslGenCA and -sslGenCert for use
                       of a Certificate Authority). It will be saved to the
                       file ~/.vnc/certs/server.pem. On subsequent calls if
                       that file already exists it will be used directly.

                       Use "SAVE_NOPROMPT" to avoid being prompted to
                       protect the generated key with a passphrase. However in
                       -inetd and -bg modes there will be no prompting for a
                       passphrase in either case.

                       If [pem] is "SAVE_PROMPT" the server.pem certificate
                       will be created based on your answers to its prompts for
                       all info such as OrganizationalName, CommonName, etc.

                       Use "SAVE-<string>" and "SAVE_PROMPT-<string>"
                       to refer to the file ~/.vnc/certs/server-<string>.pem
                       instead (it will be generated if it does not already
                       exist). E.g. "SAVE-charlie" will store to the file
                       ~/.vnc/certs/server-charlie.pem

                       Examples: x11vnc -ssl SAVE -display :0 ...
                                 x11vnc -ssl SAVE-someother -display :0 ...

                       If [pem] is "TMP" and the openssl(1) utility
                       command exists in PATH, then a temporary, self-signed
                       certificate will be generated for this session. If
                       openssl(1) cannot be used to generate a temporary
                       certificate x11vnc exits immediately. The temporary
                       cert will be discarded when x11vnc exits.

                       If successful in using openssl(1) to generate a
                       temporary certificate in "SAVE" or "TMP" creation
                       modes, the public part of it will be displayed to stderr
                       (e.g. one could copy it to the client-side to provide
                       authentication of the server to VNC viewers).

                       NOTE: In "TMP" mode, unless you safely copy the
                       public part of the temporary Cert to the viewer for
                       authentication *every time* (unlikely...), then only
                       passive sniffing attacks are prevented and you are
                       still open to Man-In-The-Middle attacks. This is
                       why the default "SAVE" mode is preferred (and more
                       sophisticated CA mode too). Only with saved keys AND
                       the VNC viewer authenticating them (via the public
                       certificate), are Man-In-The-Middle attacks prevented.
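
The viewer-side check the NOTE above calls for, as an added example (not x11vnc's or SSVNC's code): the public CERTIFICATE block copied from the server's stderr output or from ~/.vnc/certs/server.pem is pinned, and the tunnel is kept only if the server presents exactly that certificate. HOST/PORT are placeholders and SAMPLE_PEM is a constructed stand-in, not a real certificate.

```python
"""Pin the public part of an x11vnc "-ssl SAVE" certificate on the viewer side.

Added example, not x11vnc's or SSVNC's code. It assumes the operator copied the
certificate printed to stderr (or the CERTIFICATE block of ~/.vnc/certs/server.pem)
to the viewer host. SAMPLE_PEM below is constructed and is not a valid certificate.
"""
import base64
import hashlib
import hmac
import re
import socket
import ssl

_CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def public_der(pem_text: str) -> bytes:
    """Return the DER bytes of the CERTIFICATE block in `pem_text`.

    server.pem also carries the PRIVATE KEY; only the certificate is a pin,
    so text without a CERTIFICATE block is rejected.
    """
    m = _CERT_BLOCK.search(pem_text)
    if m is None:
        raise ValueError("no CERTIFICATE block in PEM text")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint, the value worth writing down when copying the public part."""
    return hashlib.sha256(der).hexdigest()


def peer_matches_pin(peer_der: bytes, pinned_der: bytes) -> bool:
    """Byte-for-byte, constant-time comparison; a substituted certificate never matches."""
    return hmac.compare_digest(peer_der, pinned_der)


def connect_pinned(host: str, port: int, pinned_pem: str, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open the SSL tunnel to x11vnc and keep it only if the presented cert is the pinned one.

    The self-signed "-ssl SAVE" cert has no CA chain and usually no matching
    hostname, so chain and hostname checks are off and the pin does the
    authentication. Without this step the tunnel only stops passive sniffing,
    which is what the NOTE in the help text warns about.
    """
    pinned = public_der(pinned_pem)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # verification happens below, by pin
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    peer = tls.getpeercert(binary_form=True) or b""
    if not peer_matches_pin(peer, pinned):
        tls.close()
        raise ssl.SSLCertVerificationError(
            f"server cert {fingerprint(peer)} does not match pinned {fingerprint(pinned)}"
        )
    return tls  # hand this socket to the VNC client; RFB runs inside it


# Constructed stand-in for a server.pem: the key part must not become part of the pin.
SAMPLE_PEM = (
    "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nAQID\nBAU=\n-----END CERTIFICATE-----\n"
)

HOST, PORT = "vnc-host.example", 5900  # placeholders for the x11vnc -ssl server
```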

                       If [pem] is "ANON" then the Diffie-Hellman anonymous
                       key exchange method is used. In this mode there
                       are *no* SSL certificates and so it is not possible
                       to authenticate either the VNC server or VNC client.
                       Thus only passive network sniffing attacks are avoided:
                       the "ANON" method is susceptible to Man-In-The-Middle
                       attacks. "ANON" is not recommended; instead use
                       an SSL PEM you created or the default "SAVE" method.

                       See -ssldir below to use a directory besides the
                       default ~/.vnc/certs.

                       If your x11vnc binary was not compiled with OpenSSL
                       library support, use of the -ssl option will induce an
                       immediate failure and exit. For such binaries, consider
                       using the -stunnel option for SSL encrypted connections.

                       Misc Info: In temporary cert creation mode "TMP", set
                       the env. var. X11VNC_SHOW_TMP_PEM=1 to have x11vnc print
                       out the entire certificate, including the PRIVATE KEY
                       part, to stderr. There are better ways to get/save this
                       info. See "SAVE" above and "-sslGenCert" below.

(snip)

-usepw                 If no other password method was supplied on the command
                       line, first look for ~/.vnc/passwd and if found use it
                       with -rfbauth; next, look for ~/.vnc/passwdfile and
                       use it with -passwdfile; otherwise, prompt the user
                       for a password to create ~/.vnc/passwd and use it with
                       the -rfbauth option. If none of these succeed x11vnc
                       exits immediately.