wiki:TipAndDoc/network/vnc/x11vnc

Version 1 (modified by mitty, 14 years ago) (diff)

--

  • x11vnc: 0.9.10 lastmod: 2010-04-28
  • $ x11vnc --help
    x11vnc: allow VNC connections to real X11 displays. 0.9.10 lastmod: 2010-04-28
    
    (type "x11vnc -opts" to just list the options.)
    
    Typical usage is:
    
       Run this command in a shell on the remote machine "far-host"
       with X session you wish to view:
    
           x11vnc -display :0
    
       Then run this in another window on the machine you are sitting at:
    
           vncviewer far-host:0
    
    Once x11vnc establishes connections with the X11 server and starts listening
    as a VNC server it will print out a string: PORT=XXXX where XXXX is typically
    5900 (the default VNC server port).  One would next run something like
    this on the local machine: "vncviewer hostname:N" where "hostname" is
    the name of the machine running x11vnc and N is XXXX - 5900, i.e. usually
    "vncviewer hostname:0".
    
    By default x11vnc will not allow the screen to be shared and it will exit
    as soon as the client disconnects.  See -shared and -forever below to override
    these protections.  See the FAQ for details how to tunnel the VNC connection
    through an encrypted channel such as ssh(1).  In brief:
    
           ssh -t -L 5900:localhost:5900 far-host 'x11vnc -localhost -display :0'
    
           vncviewer -encodings 'copyrect tight zrle hextile' localhost:0
    
    Also, use of a VNC password (-rfbauth or -passwdfile) is strongly recommended.
    
    For additional info see: http://www.karlrunge.com/x11vnc/
                        and  http://www.karlrunge.com/x11vnc/faq.html
    
    
    Config file support: if the file $HOME/.x11vncrc exists then each line in
    it is treated as a single command line option.  Disable with -norc.  For
    each option name, the leading character "-" is not required.  E.g. a line
    that is either "forever" or "-forever" may be used and are equivalent.
    Likewise "wait 100" or "-wait 100" are acceptable and equivalent lines.
    The "#" character comments out to the end of the line in the usual way
    (backslash it for a literal).  Leading and trailing whitespace is trimmed off.
    Lines may be continued with a "\" as the last character of a line (it
    becomes a space character).
    
    Options:
    
    -display disp          X11 server display to connect to, usually :0.  The X
                           server process must be running on same machine and
                           support MIT-SHM.  Equivalent to setting the DISPLAY
                           environment variable to "disp".
    
                           See the description below of the "-display WAIT:..."
                           extensions, where alias "-find" will find the user's
                           display automatically, and "-create" will create a
                           Xvfb session if no session is found.
    
    -auth file             Set the X authority file to be "file", equivalent to
                           setting the XAUTHORITY environment variable to "file"
                           before startup.  Same as -xauth file.  See Xsecurity(7),
                           xauth(1) man pages for more info.
    
                           Use '-auth guess' to have x11vnc use its -findauth
                           mechanism (described below) to try to guess the
                           XAUTHORITY filename and use it.
    
                           XDM/GDM/KDM: if you are running x11vnc as root and want
                           to find the XAUTHORITY before anyone has logged into an
                           X session yet, use: x11vnc -env FD_XDM=1 -auth guess ...
                           (This will also find the XAUTHORITY if a user is already
                           logged into the X session.)  When running as root,
                           FD_XDM=1 will be tried if the initial -auth guess fails.
    
    (snip)
    
    -viewonly              All VNC clients can only watch (default off).
    -shared                VNC display is shared, i.e. more than one viewer can
                           connect at the same time (default off).
    -once                  Exit after the first successfully connected viewer
                           disconnects, opposite of -forever. This is the Default.
    -forever               Keep listening for more connections rather than exiting
                           as soon as the first client(s) disconnect. Same as -many
    
    -loop                  Create an outer loop restarting the x11vnc process
                           whenever it terminates.  -bg and -inetd are ignored
                           in this mode (however see -loopbg below).
    
                           Useful for continuing even if the X server terminates
                           and restarts (at that moment the process will need
                           permission to reconnect to the new X server of course).
    
                           Use, e.g., -loop100 to sleep 100 millisecs between
                           restarts, etc.  Default is 2000ms (i.e. 2 secs) Use,
                           e.g. -loop300,5 to sleep 300 ms and only loop 5 times.
    
                           If -loopbg (plus any numbers) is specified instead,
                           the "-bg" option is implied and the mode approximates
                           inetd(8) usage to some degree.  In this case when
                           it goes into the background any listening sockets
                           (i.e. ports 5900, 5800) are closed, so the next one
                           in the loop can use them.  This mode will only be of
                           use if a VNC client (the only client for that process)
                           is already connected before the process goes into the
                           background, for example, usage of -display WAIT:..,
                           -svc, and -connect can make use of this "poor man's"
                           inetd mode.  The default wait time is 500ms in this
                           mode.  This usage could use useful:  -svc -bg -loopbg
    
    (snip)
    
    -inetd                 Launched by inetd(8): stdio instead of listening socket.
                           Note: if you are not redirecting stderr to a log file
                           (via shell 2> or -o option) you MUST also specify the -q
                           option, otherwise the stderr goes to the viewer which
                           will cause it to abort.  Specifying both -inetd and -q
                           and no -o will automatically close the stderr.
    
    (snip)
    
    -allow host1[,host2..] Only allow client connections from hosts matching
                           the comma separated list of hostnames or IP addresses.
                           Can also be a numerical IP prefix, e.g. "192.168.100."
                           to match a simple subnet, for more control build
                           LibVNCServer with libwrap support (See the FAQ).  If the
                           list contains a "/" it instead is a interpreted
                           as a file containing addresses or prefixes that is
                           re-read each time a new client connects.  Lines can be
                           commented out with the "#" character in the usual way.
    
                           -allow applies in -ssl mode, but not in -stunnel mode.
    
                           IPv6: as of x11vnc 0.9.10 a host can be specified
                           in IPv6 numerical format, e.g. 2001:4860:b009::93.
    
    -localhost             Basically the same as "-allow 127.0.0.1".
    
                           Note: if you want to restrict which network interface
                           x11vnc listens on, see the -listen option below.
                           E.g. "-listen localhost" or "-listen 192.168.3.21".
                           As a special case, the option "-localhost" implies
                           "-listen localhost".
    
                           A rare case, but for non-localhost -listen usage, if
                           you use the remote control mechanism (-R) to change
                           the -listen interface you may need to manually adjust
                           the -allow list (and vice versa) to avoid situations
                           where no connections (or too many) are allowed.
    
                           If you do not want x11vnc to listen on ANY interface
                           (evidently you are using -connect or -connect_or_exit,
                           or plan to use remote control: -R connect:host), use
                           -rfbport 0
    
                           IPv6: if IPv6 is supported, this option automatically
                           implies the IPv6 loopback address '::1' as well.
    
    (snip)
    
    -passwdfile filename   Specify the LibVNCServer password via the first line
                           of the file "filename" (instead of via -passwd on
                           the command line where others might see it via ps(1)).
    
                           See the descriptions below for how to supply multiple
                           passwords, view-only passwords, to specify external
                           programs for the authentication, and other features.
    
                           If the filename is prefixed with "rm:" it will be
                           removed after being read.  Perhaps this is useful in
                           limiting the readability of the file.  In general, the
                           password file should not be readable by untrusted users
                           (BTW: neither should the VNC -rfbauth file: it is NOT
                           encrypted, only obscured with a fixed key).
    
                           If the filename is prefixed with "read:" it will
                           periodically be checked for changes and reread.  It is
                           guaranteed to be reread just when a new client connects
                           so that the latest passwords will be used.
    
                           If "filename" is prefixed with "cmd:" then the
                           string after the ":" is run as an external command:
                           the output of the command will be interpreted as if it
                           were read from a password file (see below).  If the
                           command does not exit with 0, then x11vnc terminates
                           immediately.  To specify more than 1000 passwords this
                           way set X11VNC_MAX_PASSWDS before starting x11vnc.
                           The environment variables are set as in -accept.
    
                           Note that due to the VNC protocol only the first 8
                           characters of a password are used (DES key).
    
                           If "filename" is prefixed with "custom:" then a
                           custom password checker is supplied as an external
                           command following the ":". The command will be run
                           when a client authenticates.  If the command exits with
                           0 the client is accepted, otherwise it is rejected.
                           The environment variables are set as in -accept.
    
                           The standard input to the custom command will be a
                           decimal digit "len" followed by a newline. "len"
                           specifies the challenge size and is usually 16 (the
                           VNC spec).  Then follows len bytes which is the random
                           challenge string that was sent to the client. This is
                           then followed by len more bytes holding the client's
                           response (i.e. the challenge string encrypted via DES
                           with the user password in the standard situation).
    
                           The "custom:" scheme can be useful to implement
                           dynamic passwords or to implement methods where longer
                           passwords and/or different encryption algorithms
                           are used.  The latter will require customizing the VNC
                           client as well.  One could create an MD5SUM based scheme
                           for example.
    
                           File format for -passwdfile:
    
                           If multiple non-blank lines exist in the file they are
                           all taken as valid passwords.  Blank lines are ignored.
                           Password lines may be "commented out" (ignored) if
                           they begin with the character "#" or the line contains
                           the string "__SKIP__".  Lines may be annotated by use
                           of the "__COMM__" string: from it to the end of the
                           line is ignored.  An empty password may be specified
                           via the "__EMPTY__" string on a line by itself (note
                           your viewer might not accept empty passwords).
    
                           If the string "__BEGIN_VIEWONLY__" appears on a
                           line by itself, the remaining passwords are used for
                           viewonly access.  For compatibility, as a special case
                           if the file contains only two password lines the 2nd
                           one is automatically taken as the viewonly password.
                           Otherwise the "__BEGIN_VIEWONLY__" token must be
                           used to have viewonly passwords.  (tip: make the 3rd
                           and last line be "__BEGIN_VIEWONLY__" to have 2
                           full-access passwords)
    
    (snip)
    
    -unixpw [list]         Use Unix username and password authentication.  x11vnc
                           will use the su(1) program to verify the user's
                           password.  [list] is an optional comma separated list
                           of allowed Unix usernames.  If the [list] string begins
                           with the character "!" then the entire list is taken
                           as an exclude list.  See below for per-user options
                           that can be applied.
    
                           A familiar "login:" and "Password:" dialog is
                           presented to the user on a black screen inside the
                           vncviewer.  The connection is dropped if the user fails
                           to supply the correct password in 3 tries or does not
                           send one before a 45 second timeout.  Existing clients
                           are view-only during this period.
    
                           If the first character received is "Escape" then the
                           unix username will not be displayed after "login:"
                           as it is typed.  This could be of use for VNC viewers
                           that automatically type the username and password.
    
                           Since the detailed behavior of su(1) can vary from
                           OS to OS and for local configurations, test the mode
                           before deployment to make sure it is working properly.
                           x11vnc will attempt to be conservative and reject a
                           login if anything abnormal occurs.
    
                           One case to note: FreeBSD and the other BSD's by
                           default it is impossible for the user running x11vnc to
                           validate his *own* password via su(1) (commenting out
                           the pam_self.so entry in /etc/pam.d/su eliminates this
                           behavior).  So the x11vnc login will always *FAIL* for
                           this case (even when the correct password is supplied).
    
                           A possible workaround for this on *BSD would be to
                           start x11vnc as root with the "-users +nobody" option
                           to immediately switch to user nobody where the su'ing
                           will proceed normally.
    
                           Another source of potential problems are PAM modules
                           that prompt for extra info, e.g. password aging modules.
                           These logins will fail as well even when the correct
                           password is supplied.
    
                           **IMPORTANT**: to prevent the Unix password being sent
                           in *clear text* over the network, one of two schemes
                           will be enforced: 1) the -ssl builtin SSL mode, or 2)
                           require both -localhost and -stunnel be enabled.
    
                           Method 1) ensures the traffic is encrypted between
                           viewer and server.  A PEM file will be required, see the
                           discussion under -ssl below (under some circumstances
                           a temporary one can be automatically generated).
    
                           Method 2) requires the viewer connection to appear
                           to come from the same machine x11vnc is running on
                           (e.g. from a ssh -L port redirection).  And that the
                           -stunnel SSL mode be used for encryption over the
                           network. (see the description of -stunnel below).
    
                           Note: as a convenience, if you ssh(1) in and start
                           x11vnc it will check if the environment variable
                           SSH_CONNECTION is set and appears reasonable.  If it
                           does, then the -ssl or -stunnel requirement will be
                           dropped since it is assumed you are using ssh for the
                           encrypted tunnelling.  -localhost is still enforced.
                           Use -ssl or -stunnel to force SSL usage even if
                           SSH_CONNECTION is set.
    
                           To override the above restrictions you can set
                           environment variables before starting x11vnc:
    
                           Set UNIXPW_DISABLE_SSL=1 to disable requiring either
                           -ssl or -stunnel (as under SSH_CONNECTION.)  Evidently
                           you will be using a different method to encrypt the
                           data between the vncviewer and x11vnc: perhaps ssh(1)
                           or an IPSEC VPN. -localhost is still enforced (however,
                           see the next paragraph.)
    
                           Set UNIXPW_DISABLE_LOCALHOST=1 to disable the -localhost
                           requirement in -unixpw modes.  One should never do this
                           (i.e. allow the Unix passwords to be sniffed on the
                           network.)  This also disables the localhost requirement
                           for reverse connections (see below.)
    
                           Note that use of -localhost with ssh(1) (and no -unixpw)
                           is roughly the same as requiring a Unix user login
                           (since a Unix password or the user's public key
                           authentication is used by sshd on the machine where
                           x11vnc runs and only local connections from that machine
                           are accepted).
    
                           Regarding reverse connections (e.g. -R connect:host
                           and -connect host), when the -localhost constraint is
                           in effect then reverse connections can only be used
                           to connect to the same machine x11vnc is running on
                           (default port 5500).  Please use a ssh or stunnel port
                           redirection to the viewer machine to tunnel the reverse
                           connection over an encrypted channel.
    
                           In -inetd mode the Method 1) will be enforced (not
                           Method 2).  With -ssl in effect reverse connections
                           are disabled.  If you override this via env. var, be
                           sure to also use encryption from the viewer to inetd.
                           Tip: you can also have your own stunnel spawn x11vnc
                           in -inetd mode (thereby bypassing inetd).  See the FAQ
                           for details.
    
                           The user names in the comma separated [list] may have
                           per-user options after a ":", e.g. "fred:opts"
                           where "opts" is a "+" separated list of
                           "viewonly", "fullaccess", "input=XXXX", or
                           "deny", e.g. "karl,wally:viewonly,boss:input=M".
                           For "input=" it is the K,M,B,C described under -input.
    
                           If an item in the list is "*" that means those
                           options apply to all users.  It ALSO implies all users
                           are allowed to log in after supplying a valid password.
                           Use "deny" to explicitly deny some users if you use
                           "*" to set a global option.  If [list] begins with the
                           "!" character then "*" is ignored for checking if
                           the user is allowed, but the option values associated
                           with it do apply as normal.
    
                           There are also some utilities for checking passwords
                           if [list] starts with the "%" character.  See the
                           quick_pw() function for more details.  Description:
                           "%-" or "%stdin" means read one line from stdin.
                           "%env" means it is in $UNIXPW env var.  A leading
                           "%/" or "%." means read the first line from the
                           filename that follows after the % character. % by
                           itself means prompt for the username and password.
                           Otherwise: %user:pass   E.g. -unixpw %fred:swordfish
                           For the other cases user:pass is read from the indicated
                           source.  If the password is correct 'Y user' is printed
                           and the program exit code is 0.  If the password is
                           incorrect it prints 'N user' and the exit code is 1.
                           If there is some other error the exit code is 2.
                           This feature enables x11vnc to be a general unix user
                           password checking tool; it could be used from scripts
                           or other programs.  These % password checks also apply
                           to the -unixpw_nis and -unixpw_cmd options.
    
                           For the % password check, if the env. var. UNIXPW_CMD
                           is set to a command then it is run as the user (assuming
                           the password is correct.)  The output of the command is
                           not printed, the program or script must manage that by
                           some other means.  The exit code of x11vnc will depend
                           on the exit code of the command that is run.
    
                           Use -nounixpw to disable unixpw mode if it was enabled
                           earlier in the cmd line (e.g. -svc mode)
    
    (snip)
    
    -storepasswd pass file Store password "pass" as the VNC password in the
                           file "file".  Once the password is stored the
                           program exits.  Use the password via "-rfbauth file"
    
                           If called with no arguments, "x11vnc -storepasswd",
                           the user is prompted for a password and it is stored
                           in the file ~/.vnc/passwd.  Called with one argument,
                           that will be the file to store the prompted password in.
    
    -nopw                  Disable the big warning message when you use x11vnc
                           without some sort of password.
    
    (snip)
    
    -users list            If x11vnc is started as root (say from inetd(8) or from
                           display managers xdm(1), gdm(1), etc), then as soon
                           as possible after connections to the X display are
                           established try to switch to one of the users in the
                           comma separated "list".  If x11vnc is not running as
                           root this option is ignored.
    
                           Why use this option?  In general it is not needed since
                           x11vnc is already connected to the X display and can
                           perform its primary functions.  The option was added
                           to make some of the *external* utility commands x11vnc
                           occasionally runs work properly.  In particular under
                           GNOME and KDE to implement the "-solid color" feature
                           external commands (gconftool-2 and dcop) unfortunately
                           must be run as the user owning the desktop session.
                           Since this option switches userid it also affects the
                           userid used to run the processes for the -accept and
                           -gone options.  It also affects the ability to read
                           files for options such as -connect, -allow, and -remap
                           and also the ultra and tight filetransfer feature if
                           enabled.  Note that the -connect file is also sometimes
                           written to.
    
                           So be careful with this option since in some situations
                           its use can decrease security.
    
                           In general the switch to a user will only take place
                           if the display can still be successfully opened as that
                           user (this is primarily to try to guess the actual owner
                           of the session). Example: "-users fred,wilma,betty".
                           Note that a malicious local user "barney" by
                           quickly using "xhost +" when logging in may possibly
                           get the x11vnc process to switch to user "fred".
                           What happens next?
    
                           Under display managers it may be a long time before
                           the switch succeeds (i.e. a user logs in).  To instead
                           make it switch immediately regardless if the display
                           can be reopened prefix the username with the "+"
                           character. E.g. "-users +bob" or "-users +nobody".
    
                           The latter (i.e. switching immediately to user
                           "nobody") is the only obvious use of the -users option
                           that increases security.
    
                           Use the following notation to associate a group with
                           a user: user1.group1,user2.group2,...  Note that
                           initgroups(2) will still be called first to try to
                           switch to ALL of a user's groups (primary and additional
                           groups).  Only if that fails or it is not available
                           then the single group specified as above (or the user's
                           primary group if not specified) is switched to with
                           setgid(2).  Use -env X11VNC_SINGLE_GROUP=1 to prevent
                           trying initgroups(2) and only switch to the single
                           group.  This sort of setting is only really needed to
                           make the ultra or tight filetransfer permissions work
                           properly. This format applies to any comma separated list
                           of users, even the special "=" modes described below.
    
                           In -unixpw mode, if "-users unixpw=" is supplied
                           then after a user authenticates himself via the
                           -unixpw mechanism, x11vnc will try to switch to that
                           user as though "-users +username" had been supplied.
                           If you want to limit which users this will be done for,
                           provide them as a comma separated list after "unixpw="
                           Groups can also be specified as described above.
    
                           Similarly, in -ssl mode, if "-users sslpeer=" is
                           supplied then after an SSL client authenticates with his
                           cert (the -sslverify option is required for this) x11vnc
                           will extract a UNIX username from the "emailAddress"
                           field (username@hostname.com) of the "Subject" of the
                           x509 SSL cert and then try to switch to that user as
                           though "-users +username" had been supplied.  If you
                           want to limit which users this will be done for, provide
                           them as a comma separated list after "sslpeer=".
                           Set the env. var X11VNC_SSLPEER_CN to use the Common
                           Name (normally a hostname) instead of the Email field.
    
                           NOTE: for sslpeer= mode the x11vnc administrator must
                           take care that any client certs he adds to -sslverify
                           have the intended UNIX username in the "emailAddress"
                           field of the cert.  Otherwise a user may be able to
                           log in as another.  This command can be of use in
                           checking: "openssl x509 -text -in file.crt", see the
                           "Subject:" line.  Also, along with the normal RFB_*
                           env. vars. (see -accept) passed to external cmd=
                           commands, RFB_SSL_CLIENT_CERT will be set to the
                           client's x509 certificate string.
    
                           The sslpeer= mode can aid finding X sessions via the
                           FINDDISPLAY and FINDCREATEDISPLAY mechanisms.
    
                           To immediately switch to a user *before* connections
                           to the X display are made or any files opened use the
                           "=" character: "-users =bob".  That user needs to
                           be able to open the X display and any files of course.
    
                           The special user "guess=" means to examine the utmpx
                           database (see who(1)) looking for a user attached to
                           the display number (from DISPLAY or -display option)
                           and try him/her.  To limit the list of guesses, use:
                           "-users guess=bob,betty".
    
                           Even more sinister is the special user "lurk="
                           that means to try to guess the DISPLAY from the utmpx
                           login database as well.  So it "lurks" waiting for
                           anyone to log into an X session and then connects to it.
                           Specify a list of users after the = to limit which users
                           will be tried.  To enable a different searching mode, if
                           the first user in the list is something like ":0" or
                           ":0-2" that indicates a range of DISPLAY numbers that
                           will be tried (regardless of whether they are in the
                           utmpx database) for all users that are logged in.  Also
                           see the "-display WAIT:..." functionality.  Examples:
                           "-users lurk=" and also "-users lurk=:0-1,bob,mary"
    
                           Be especially careful using the "guess=" and "lurk="
                           modes.  They are not recommended for use on machines
                           with untrustworthy local users.
    
    (snip)
    
    -ping n                Send a 1x1 framebuffer update to all clients every n
                           seconds (e.g. to try to keep a network connection alive)
    
    (snip)
    
    These options are passed to LibVNCServer:
    
    -rfbport port          TCP port for RFB protocol
    -rfbwait time          max time in ms to wait for RFB client
    -rfbauth passwd-file   use authentication on RFB protocol
                           (use 'storepasswd' to create a password file)
    -rfbversion 3.x        Set the version of the RFB we choose to advertise
    -permitfiletransfer    permit file transfer support
    -passwd plain-password use authentication 
                           (use plain-password as password, USE AT YOUR RISK)
    -deferupdate time      time in ms to defer updates (default 40)
    -deferptrupdate time   time in ms to defer pointer updates (default none)
    -desktop name          VNC desktop name (default "LibVNCServer")
    -alwaysshared          always treat new clients as shared
    -nevershared           never treat new clients as shared
    -dontdisconnect        don't disconnect existing clients when a new non-shared
                           connection comes in (refuse new connection instead)
    -httpdir dir-path      enable http server using dir-path home
    -httpport portnum      use portnum for http connection
    -enablehttpproxy       enable http proxy support
    -progressive height    enable progressive updating for slow links
    -listen ipaddr         listen for connections only on network interface with
                           addr ipaddr. '-listen localhost' and hostname work too.
    
    libvncserver-tight-extension options:
    -disablefiletransfer   disable file transfer
    -ftproot string        set ftp root