wiki:TipAndDoc/network/vnc/x11vnc

Version 3 (modified by mitty, 14 years ago) (diff)

--

  • x11vnc: 0.9.10 lastmod: 2010-04-28
  • $ x11vnc --help
    x11vnc: allow VNC connections to real X11 displays. 0.9.10 lastmod: 2010-04-28
    
    (type "x11vnc -opts" to just list the options.)
    
    Typical usage is:
    
       Run this command in a shell on the remote machine "far-host"
       with X session you wish to view:
    
           x11vnc -display :0
    
       Then run this in another window on the machine you are sitting at:
    
           vncviewer far-host:0
    
    Once x11vnc establishes connections with the X11 server and starts listening
    as a VNC server it will print out a string: PORT=XXXX where XXXX is typically
    5900 (the default VNC server port).  One would next run something like
    this on the local machine: "vncviewer hostname:N" where "hostname" is
    the name of the machine running x11vnc and N is XXXX - 5900, i.e. usually
    "vncviewer hostname:0".
    
    By default x11vnc will not allow the screen to be shared and it will exit
    as soon as the client disconnects.  See -shared and -forever below to override
    these protections.  See the FAQ for details how to tunnel the VNC connection
    through an encrypted channel such as ssh(1).  In brief:
    
           ssh -t -L 5900:localhost:5900 far-host 'x11vnc -localhost -display :0'
    
           vncviewer -encodings 'copyrect tight zrle hextile' localhost:0
    
    Also, use of a VNC password (-rfbauth or -passwdfile) is strongly recommended.
    
    For additional info see: http://www.karlrunge.com/x11vnc/
                        and  http://www.karlrunge.com/x11vnc/faq.html
    
    
    Config file support: if the file $HOME/.x11vncrc exists then each line in
    it is treated as a single command line option.  Disable with -norc.  For
    each option name, the leading character "-" is not required.  E.g. a line
    that is either "forever" or "-forever" may be used and are equivalent.
    Likewise "wait 100" or "-wait 100" are acceptable and equivalent lines.
    The "#" character comments out to the end of the line in the usual way
    (backslash it for a literal).  Leading and trailing whitespace is trimmed off.
    Lines may be continued with a "\" as the last character of a line (it
    becomes a space character).
    
    Options:
    
    -display disp          X11 server display to connect to, usually :0.  The X
                           server process must be running on same machine and
                           support MIT-SHM.  Equivalent to setting the DISPLAY
                           environment variable to "disp".
    
                           See the description below of the "-display WAIT:..."
                           extensions, where alias "-find" will find the user's
                           display automatically, and "-create" will create a
                           Xvfb session if no session is found.
    
    -auth file             Set the X authority file to be "file", equivalent to
                           setting the XAUTHORITY environment variable to "file"
                           before startup.  Same as -xauth file.  See Xsecurity(7),
                           xauth(1) man pages for more info.
    
                           Use '-auth guess' to have x11vnc use its -findauth
                           mechanism (described below) to try to guess the
                           XAUTHORITY filename and use it.
    
                           XDM/GDM/KDM: if you are running x11vnc as root and want
                           to find the XAUTHORITY before anyone has logged into an
                           X session yet, use: x11vnc -env FD_XDM=1 -auth guess ...
                           (This will also find the XAUTHORITY if a user is already
                           logged into the X session.)  When running as root,
                           FD_XDM=1 will be tried if the initial -auth guess fails.
    
    (snip)
    
    -viewonly              All VNC clients can only watch (default off).
    -shared                VNC display is shared, i.e. more than one viewer can
                           connect at the same time (default off).
    -once                  Exit after the first successfully connected viewer
                           disconnects, opposite of -forever. This is the Default.
    -forever               Keep listening for more connections rather than exiting
                           as soon as the first client(s) disconnect. Same as -many
    
    -loop                  Create an outer loop restarting the x11vnc process
                           whenever it terminates.  -bg and -inetd are ignored
                           in this mode (however see -loopbg below).
    
                           Useful for continuing even if the X server terminates
                           and restarts (at that moment the process will need
                           permission to reconnect to the new X server of course).
    
                           Use, e.g., -loop100 to sleep 100 millisecs between
                           restarts, etc.  Default is 2000ms (i.e. 2 secs) Use,
                           e.g. -loop300,5 to sleep 300 ms and only loop 5 times.
    
                           If -loopbg (plus any numbers) is specified instead,
                           the "-bg" option is implied and the mode approximates
                           inetd(8) usage to some degree.  In this case when
                           it goes into the background any listening sockets
                           (i.e. ports 5900, 5800) are closed, so the next one
                           in the loop can use them.  This mode will only be of
                           use if a VNC client (the only client for that process)
                           is already connected before the process goes into the
                           background, for example, usage of -display WAIT:..,
                           -svc, and -connect can make use of this "poor man's"
                           inetd mode.  The default wait time is 500ms in this
                           mode.  This usage could use useful:  -svc -bg -loopbg
    
    (snip)
    
    -inetd                 Launched by inetd(8): stdio instead of listening socket.
                           Note: if you are not redirecting stderr to a log file
                           (via shell 2> or -o option) you MUST also specify the -q
                           option, otherwise the stderr goes to the viewer which
                           will cause it to abort.  Specifying both -inetd and -q
                           and no -o will automatically close the stderr.
    
    (snip)
    
    -allow host1[,host2..] Only allow client connections from hosts matching
                           the comma separated list of hostnames or IP addresses.
                           Can also be a numerical IP prefix, e.g. "192.168.100."
                           to match a simple subnet, for more control build
                           LibVNCServer with libwrap support (See the FAQ).  If the
                           list contains a "/" it instead is a interpreted
                           as a file containing addresses or prefixes that is
                           re-read each time a new client connects.  Lines can be
                           commented out with the "#" character in the usual way.
    
                           -allow applies in -ssl mode, but not in -stunnel mode.
    
                           IPv6: as of x11vnc 0.9.10 a host can be specified
                           in IPv6 numerical format, e.g. 2001:4860:b009::93.
    
    -localhost             Basically the same as "-allow 127.0.0.1".
    
                           Note: if you want to restrict which network interface
                           x11vnc listens on, see the -listen option below.
                           E.g. "-listen localhost" or "-listen 192.168.3.21".
                           As a special case, the option "-localhost" implies
                           "-listen localhost".
    
                           A rare case, but for non-localhost -listen usage, if
                           you use the remote control mechanism (-R) to change
                           the -listen interface you may need to manually adjust
                           the -allow list (and vice versa) to avoid situations
                           where no connections (or too many) are allowed.
    
                           If you do not want x11vnc to listen on ANY interface
                           (evidently you are using -connect or -connect_or_exit,
                           or plan to use remote control: -R connect:host), use
                           -rfbport 0
    
                           IPv6: if IPv6 is supported, this option automatically
                           implies the IPv6 loopback address '::1' as well.
    
    (snip)
    
    -passwdfile filename   Specify the LibVNCServer password via the first line
                           of the file "filename" (instead of via -passwd on
                           the command line where others might see it via ps(1)).
    
                           See the descriptions below for how to supply multiple
                           passwords, view-only passwords, to specify external
                           programs for the authentication, and other features.
    
                           If the filename is prefixed with "rm:" it will be
                           removed after being read.  Perhaps this is useful in
                           limiting the readability of the file.  In general, the
                           password file should not be readable by untrusted users
                           (BTW: neither should the VNC -rfbauth file: it is NOT
                           encrypted, only obscured with a fixed key).
    
                           If the filename is prefixed with "read:" it will
                           periodically be checked for changes and reread.  It is
                           guaranteed to be reread just when a new client connects
                           so that the latest passwords will be used.
    
                           If "filename" is prefixed with "cmd:" then the
                           string after the ":" is run as an external command:
                           the output of the command will be interpreted as if it
                           were read from a password file (see below).  If the
                           command does not exit with 0, then x11vnc terminates
                           immediately.  To specify more than 1000 passwords this
                           way set X11VNC_MAX_PASSWDS before starting x11vnc.
                           The environment variables are set as in -accept.
    
                           Note that due to the VNC protocol only the first 8
                           characters of a password are used (DES key).
    
                           If "filename" is prefixed with "custom:" then a
                           custom password checker is supplied as an external
                           command following the ":". The command will be run
                           when a client authenticates.  If the command exits with
                           0 the client is accepted, otherwise it is rejected.
                           The environment variables are set as in -accept.
    
                           The standard input to the custom command will be a
                           decimal digit "len" followed by a newline. "len"
                           specifies the challenge size and is usually 16 (the
                           VNC spec).  Then follows len bytes which is the random
                           challenge string that was sent to the client. This is
                           then followed by len more bytes holding the client's
                           response (i.e. the challenge string encrypted via DES
                           with the user password in the standard situation).
    
                           The "custom:" scheme can be useful to implement
                           dynamic passwords or to implement methods where longer
                           passwords and/or different encryption algorithms
                           are used.  The latter will require customizing the VNC
                           client as well.  One could create an MD5SUM based scheme
                           for example.
    
                           File format for -passwdfile:
    
                           If multiple non-blank lines exist in the file they are
                           all taken as valid passwords.  Blank lines are ignored.
                           Password lines may be "commented out" (ignored) if
                           they begin with the character "#" or the line contains
                           the string "__SKIP__".  Lines may be annotated by use
                           of the "__COMM__" string: from it to the end of the
                           line is ignored.  An empty password may be specified
                           via the "__EMPTY__" string on a line by itself (note
                           your viewer might not accept empty passwords).
    
                           If the string "__BEGIN_VIEWONLY__" appears on a
                           line by itself, the remaining passwords are used for
                           viewonly access.  For compatibility, as a special case
                           if the file contains only two password lines the 2nd
                           one is automatically taken as the viewonly password.
                           Otherwise the "__BEGIN_VIEWONLY__" token must be
                           used to have viewonly passwords.  (tip: make the 3rd
                           and last line be "__BEGIN_VIEWONLY__" to have 2
                           full-access passwords)
    
    (snip)
    
    -unixpw [list]         Use Unix username and password authentication.  x11vnc
                           will use the su(1) program to verify the user's
                           password.  [list] is an optional comma separated list
                           of allowed Unix usernames.  If the [list] string begins
                           with the character "!" then the entire list is taken
                           as an exclude list.  See below for per-user options
                           that can be applied.
    
                           A familiar "login:" and "Password:" dialog is
                           presented to the user on a black screen inside the
                           vncviewer.  The connection is dropped if the user fails
                           to supply the correct password in 3 tries or does not
                           send one before a 45 second timeout.  Existing clients
                           are view-only during this period.
    
                           If the first character received is "Escape" then the
                           unix username will not be displayed after "login:"
                           as it is typed.  This could be of use for VNC viewers
                           that automatically type the username and password.
    
                           Since the detailed behavior of su(1) can vary from
                           OS to OS and for local configurations, test the mode
                           before deployment to make sure it is working properly.
                           x11vnc will attempt to be conservative and reject a
                           login if anything abnormal occurs.
    
                           One case to note: FreeBSD and the other BSD's by
                           default it is impossible for the user running x11vnc to
                           validate his *own* password via su(1) (commenting out
                           the pam_self.so entry in /etc/pam.d/su eliminates this
                           behavior).  So the x11vnc login will always *FAIL* for
                           this case (even when the correct password is supplied).
    
                           A possible workaround for this on *BSD would be to
                           start x11vnc as root with the "-users +nobody" option
                           to immediately switch to user nobody where the su'ing
                           will proceed normally.
    
                           Another source of potential problems are PAM modules
                           that prompt for extra info, e.g. password aging modules.
                           These logins will fail as well even when the correct
                           password is supplied.
    
                           **IMPORTANT**: to prevent the Unix password being sent
                           in *clear text* over the network, one of two schemes
                           will be enforced: 1) the -ssl builtin SSL mode, or 2)
                           require both -localhost and -stunnel be enabled.
    
                           Method 1) ensures the traffic is encrypted between
                           viewer and server.  A PEM file will be required, see the
                           discussion under -ssl below (under some circumstances
                           a temporary one can be automatically generated).
    
                           Method 2) requires the viewer connection to appear
                           to come from the same machine x11vnc is running on
                           (e.g. from a ssh -L port redirection).  And that the
                           -stunnel SSL mode be used for encryption over the
                           network. (see the description of -stunnel below).
    
                           Note: as a convenience, if you ssh(1) in and start
                           x11vnc it will check if the environment variable
                           SSH_CONNECTION is set and appears reasonable.  If it
                           does, then the -ssl or -stunnel requirement will be
                           dropped since it is assumed you are using ssh for the
                           encrypted tunnelling.  -localhost is still enforced.
                           Use -ssl or -stunnel to force SSL usage even if
                           SSH_CONNECTION is set.
    
                           To override the above restrictions you can set
                           environment variables before starting x11vnc:
    
                           Set UNIXPW_DISABLE_SSL=1 to disable requiring either
                           -ssl or -stunnel (as under SSH_CONNECTION.)  Evidently
                           you will be using a different method to encrypt the
                           data between the vncviewer and x11vnc: perhaps ssh(1)
                           or an IPSEC VPN. -localhost is still enforced (however,
                           see the next paragraph.)
    
                           Set UNIXPW_DISABLE_LOCALHOST=1 to disable the -localhost
                           requirement in -unixpw modes.  One should never do this
                           (i.e. allow the Unix passwords to be sniffed on the
                           network.)  This also disables the localhost requirement
                           for reverse connections (see below.)
    
                           Note that use of -localhost with ssh(1) (and no -unixpw)
                           is roughly the same as requiring a Unix user login
                           (since a Unix password or the user's public key
                           authentication is used by sshd on the machine where
                           x11vnc runs and only local connections from that machine
                           are accepted).
    
                           Regarding reverse connections (e.g. -R connect:host
                           and -connect host), when the -localhost constraint is
                           in effect then reverse connections can only be used
                           to connect to the same machine x11vnc is running on
                           (default port 5500).  Please use a ssh or stunnel port
                           redirection to the viewer machine to tunnel the reverse
                           connection over an encrypted channel.
    
                           In -inetd mode the Method 1) will be enforced (not
                           Method 2).  With -ssl in effect reverse connections
                           are disabled.  If you override this via env. var, be
                           sure to also use encryption from the viewer to inetd.
                           Tip: you can also have your own stunnel spawn x11vnc
                           in -inetd mode (thereby bypassing inetd).  See the FAQ
                           for details.
    
                           The user names in the comma separated [list] may have
                           per-user options after a ":", e.g. "fred:opts"
                           where "opts" is a "+" separated list of
                           "viewonly", "fullaccess", "input=XXXX", or
                           "deny", e.g. "karl,wally:viewonly,boss:input=M".
                           For "input=" it is the K,M,B,C described under -input.
    
                           If an item in the list is "*" that means those
                           options apply to all users.  It ALSO implies all users
                           are allowed to log in after supplying a valid password.
                           Use "deny" to explicitly deny some users if you use
                           "*" to set a global option.  If [list] begins with the
                           "!" character then "*" is ignored for checking if
                           the user is allowed, but the option values associated
                           with it do apply as normal.
    
                           There are also some utilities for checking passwords
                           if [list] starts with the "%" character.  See the
                           quick_pw() function for more details.  Description:
                           "%-" or "%stdin" means read one line from stdin.
                           "%env" means it is in $UNIXPW env var.  A leading
                           "%/" or "%." means read the first line from the
                           filename that follows after the % character. % by
                           itself means prompt for the username and password.
                           Otherwise: %user:pass   E.g. -unixpw %fred:swordfish
                           For the other cases user:pass is read from the indicated
                           source.  If the password is correct 'Y user' is printed
                           and the program exit code is 0.  If the password is
                           incorrect it prints 'N user' and the exit code is 1.
                           If there is some other error the exit code is 2.
                           This feature enables x11vnc to be a general unix user
                           password checking tool; it could be used from scripts
                           or other programs.  These % password checks also apply
                           to the -unixpw_nis and -unixpw_cmd options.
    
                           For the % password check, if the env. var. UNIXPW_CMD
                           is set to a command then it is run as the user (assuming
                           the password is correct.)  The output of the command is
                           not printed, the program or script must manage that by
                           some other means.  The exit code of x11vnc will depend
                           on the exit code of the command that is run.
    
                           Use -nounixpw to disable unixpw mode if it was enabled
                           earlier in the cmd line (e.g. -svc mode)
    
    (snip)
    
    -find                  Find the user's display using FINDDISPLAY. This
                           is an alias for "-display WAIT:cmd=FINDDISPLAY".
    
                           Note: if a -display occurs later on the command line
                           it will override the -find setting.
    
                           For this and the next few options see -display WAIT:...
                           below for all of the details.
    
    -finddpy               Run the FINDDISPLAY program, print out the found
                           display (if any) and exit.  Output is like: DISPLAY=:0.0
                           DISPLAY=:0.0,XPID=12345 or DISPLAY=:0.0,VT=7.  XPID is
                           the process ID of the found X server.  VT is the Linux
                           virtual terminal of the X server.
    -listdpy               Have the FINDDISPLAY program list all of your displays
                           (i.e. all the X displays on the local machine that you
                           have access rights to).
    
    -findauth [disp]       Apply the -find/-finddpy heuristics to try to guess
                           the XAUTHORITY file for DISPLAY 'disp'.  If 'disp'
                           is not supplied, then the value in the -display on
                           the cmdline is used; failing that $DISPLAY is used;
                           and failing that ":0" is used.
    
                           If nothing is printed out, that means no XAUTHORITY was
                           found for 'disp'; i.e. failure.  If "XAUTHORITY="
                           is printed out, that means use the default (i.e. do
                           not set XAUTHORITY).  If "XAUTHORITY=/path/to/file"
                           is printed out, then use that file.
    
                           XDM/GDM/KDM: if you are running x11vnc as root and want
                           to find the XAUTHORITY before anyone has logged into an
                           X session yet, use: x11vnc -env FD_XDM=1 -findauth ...
                           (This will also find the XAUTHORITY if a user is already
                           logged into the X session.)  When running as root,
                           FD_XDM=1 will be tried if the initial -findauth fails.
    
    -create                First try to find the user's display using FINDDISPLAY,
                           if that doesn't succeed create an X session via the
                           FINDCREATEDISPLAY method.  This is an alias for
                           "-display WAIT:cmd=FINDCREATEDISPLAY-Xvfb".
    
                           Note: if a -display occurs later on the command line
                           it will override the -create setting.
    
                           SSH NOTE: for both -find and -create you can (should!)
                           add the "-localhost" option to force SSH tunnel access.
    
    -xdummy                As in -create, except Xdummy instead of Xvfb.
    -xvnc                  As in -create, except Xvnc instead of Xvfb.
    -xvnc_redirect         As in -create, except Xvnc.redirect instead of Xvfb.
    -xdummy_xvfb           Sets WAIT:cmd=FINDCREATEDISPLAY-Xdummy,Xvfb
    
    -create_xsrv str       Sets WAIT:cmd=FINDCREATEDISPLAY-<str>  Can be on cmdline
                           after anything that sets WAIT:.. and other things
                           (e.g. -svc, -xdmsvc) to adjust the X server list.
                           Example: -svc ... -create_xsrv Xdummy,X
    
    -svc                   Terminal services mode based on SSL access.  Alias for
                           -display WAIT:cmd=FINDCREATEDISPLAY-Xvfb -unixpw -users
                           unixpw= -ssl SAVE   Also "-service".
    
                           Note: if a -display, -unixpw, -users, or -ssl occurs
                           later on the command line it will override the -svc
                           setting.
    
    -svc_xdummy            As -svc except Xdummy instead of Xvfb.
    -svc_xvnc              As -svc except Xvnc instead of Xvfb.
    -svc_xdummy_xvfb       As -svc with Xdummy,Xvfb.
    
    -xdmsvc                Display manager Terminal services mode based on SSL.
                           Alias for -display WAIT:cmd=FINDCREATEDISPLAY-Xvfb.xdmcp
                           -unixpw -users unixpw= -ssl SAVE  Also "-xdm_service".
    
                           Note: if a -display, -unixpw, -users, or -ssl occurs
                           later on the command line it will override the -xdmsvc
                           setting.
    
                           To create a session a user will have to first log in
                           to the -unixpw dialog and then log in again to the
                           XDM/GDM/KDM prompt.  Subsequent re-connections will
                           only require the -unixpw password.  See the discussion
                           under -display WAIT:... for more details about XDM,
                           etc configuration.
    
                           Remember to enable XDMCP in the xdm-config, gdm.conf,
                           or kdmrc configuration file.  See -display WAIT: for
                           more info.
    
    (snip)
    
    -display WAIT:...      A special usage mode for the normal -display option.
                           Useful with -unixpw, but can be used independently
                           of it.  If the display string begins with WAIT: then
                           x11vnc waits until a VNC client connects before opening
                           the X display (or -rawfb device).
    
                           This could be useful for delaying opening the display
                           for certain usage modes (say if x11vnc is started at
                           boot time and no X server is running or users logged
                           in yet).
    
                           If the string is, e.g. WAIT:0.0 or WAIT:1, i.e. "WAIT"
                           in front of a normal X display, then that indicated
                           display is used.
    
                           One can also insert a geometry between colons, e.g.
                           WAIT:1280x1024:... to set the size of the display the
                           VNC client first attaches to since some VNC viewers
                           will not automatically adjust to a new framebuffer size.
    
                           A more interesting case is like this:
    
                                WAIT:cmd=/usr/local/bin/find_display
    
                           in which case the command after "cmd=" is run to
                           dynamically work out the DISPLAY and optionally the
                           XAUTHORITY data.  The first line of the command output
                           must be of the form DISPLAY=<xdisplay>.  On Linux
                           if the virtual terminal is known append ",VT=n" to
                           this string and the chvt(1) program will also be run.
                           Any remaining output is taken as XAUTHORITY data.
                           It can be either of the form XAUTHORITY=<file> or raw
                           xauthority data for the display. For example;
    
                                xauth extract - $DISPLAY"
    
                           In the case of -unixpw (and -unixpw_nis only if x11vnc
                           is running as root), then the cmd= command is run
                           as the user who just authenticated via the login and
                           password prompt.
    
                           In the case of -unixpw_cmd, the commands will also be
                           run as the logged-in user, as long as the user-supplied
                           helper program supports RFB_UNIXPW_CMD_RUN (see the
                           -unixpw_cmd option.)
    
                           Also in the case of -unixpw, the user logging in can
                           place a colon at the end of her username and supply
                           a few options: scale=, scale_cursor= (or sc=), solid
                           (or so), id=, clear_mods (or cm), clear_keys (or
                           ck), clear_all (or ca), repeat, speeds= (or sp=),
                           readtimeout= (or rd=), viewonly (or vo), nodisplay=
                           (or nd=), rotate= (or ro=), or noncache (or nc),
                           all separated by commas if there is more than one.
                           After the user logs in successfully, these options will
                           be applied to the VNC screen.  For example,
    
                              login: fred:scale=3/4,sc=1,repeat
                              Password: ...
    
                              login: runge:sp=modem,rd=120,solid
    
                           for convenience m/n implies scale= e.g. fred:3/4  If you
                           type and enter your password incorrectly, to retrieve
                           your long "login:" line press the Up arrow once
                           (before typing anything else).
    
                           In the login panel, press F1 to get a list of the
                           available options that you can add after the username.
    
                           Another option is "geom=WxH" or "geom=WxHxD" (or
                           ge=). This only has an effect in FINDCREATEDISPLAY
                           mode when a virtual X server such as Xvfb is going
                           to be created.  It sets the width and height of
                           the new display, and optionally the color depth as
                           well.
    
                           You can also supply "gnome", "kde", "twm",
                           "fvwm", "mwm", "dtwm", "wmaker", "xfce",
                           "lxde", "enlightenment", "Xsession", or
                           "failsafe" (same as "xterm") to have the created
                           display use that mode for the user session.
    
                           Specify "tag=..." to set the unique FD_TAG desktop
                           session tag described below.  Note: this option will
                           be ignored if the FD_TAG env. var. is already set or
                           if the viewer-side supplied value is not completely
                           composed of alphanumeric or '_' or '-' characters.
    
                           To troubleshoot the FINDCREATEDISPLAY mechanism,
                           set the following env. var. to an ouput log file,
                           e.g -env CREATE_DISPLAY_OUTPUT=/tmp/mydebug.txt
    
                           To disable the option setting set the environment
                           variable X11VNC_NO_UNIXPW_OPTS=1 before starting x11vnc.
                           To set any other options, the user can use the gui
                           (x11vnc -gui connect) or the remote control method
                           (x11vnc -R opt:val) during his VNC session.
    
                           The combination of -display WAIT:cmd=... and -unixpw
                           allows automatic pairing of an unix authenticated VNC
                           user with his desktop.  This could be very useful on
                           SunRays and also any system where multiple users share
                           a given machine.  The user does not need to remember
                           special ports or passwords set up for his desktop
                           and VNC.
    
                           A nice way to use WAIT:cmd=... is out of inetd(8)
                           (it automatically forks a new x11vnc for each user).
                           You can have the x11vnc inetd spawned process run as,
                           say, root or nobody.  When run as root (for either inetd
                           or display manager), you can also supply the option
                           "-users unixpw=" to have the x11vnc process switch to
                           the user as well.  Note: there will be a 2nd SSL helper
                           process that will not switch, but it is only encoding
                           and decoding the encrypted stream at that point.
    
                           Automatic Finding of User X Sessions:
    
                           As a special case, WAIT:cmd=FINDDISPLAY will run a
                           script that works on most Unixes to determine a user's
                           DISPLAY variable and xauthority data (see who(1)).
    
                           The option "-find" is an alias for this mode.
    
                           To have this default script printed to stdout (e.g. for
                           customization) run with WAIT:cmd=FINDDISPLAY-print To
                           have the script run to print what display it would find
                           use "-finddpy" or WAIT:cmd=FINDDISPLAY-run
    
                           The standard script runs xdpyinfo(1) run on potential
                           displays.  If your X server(s) have a login greeter
                           that exclusively grabs the Xserver, then xdpyinfo
                           blocks forever and this mode will not work.  See
                           www.karlrunge.com/x11vnc/faq.html#faq-display-manager
                           for how to disable this for dtgreet on Solaris and
                           possibly for other greeters.
    
                           In -find/cmd=FINDDISPLAY mode, if you set FD_XDM=1,
                           e.g. 'x11vnc -env FD_XDM=1 -find ...' and x11vnc is
                           running as root (e.g. inetd) then it will try to find
                           the XAUTHORITY file of a running XDM/GDM/KDM login
                           greeter (i.e. no user has logged into an X session yet.)
    
                           As another special case, WAIT:cmd=HTTPONCE will allow
                           x11vnc to service one http request and then exit.
                           This is usually done in -inetd mode to run on, say,
                           port 5800 and allow the Java vncviewer to be downloaded
                           by client web browsers.  For example:
    
                            5815 stream tcp nowait root /usr/sbin/tcpd /.../x11vnc \
                              -inetd -q -http_ssl -prog /.../x11vnc \
                              -display WAIT:cmd=HTTPONCE
    
                           Where /.../x11vnc is the full path to x11vnc.
                           It is used in the Apache SSL-portal example (see FAQ).
    
                           In this mode you can set X11VNC_SKIP_DISPLAY to a
                           comma separated list of displays (e.g. ":0,:1") to
                           ignore in the finding process.  The ":" is optional.
                           Ranges n-m e.g. 0-20 can also be supplied. This string
                           can also be set by the connecting user via "nd="
                           using "+" instead of ","  If "nd=all" or you set
                           X11VNC_SKIP_DISPLAY=all then all display finding fails
                           as if you set X11VNC_FINDDISPLAY_ALWAYS_FAILS=1 (below.)
    
                           Automatic Creation of User X Sessions:
    
                           An interesting option is WAIT:cmd=FINDCREATEDISPLAY
                           that is like FINDDISPLAY in that is uses the same method
                           to find an existing display.  However, if it does not
                           find one it will try to *start* up an X server session
                           for the user.  This is the only time x11vnc tries to
                           actually start up an X server.
    
                           The option "-create" is an alias for this mode.
    
                           It will start looking for an open display number at :20
                           Override via X11VNC_CREATE_STARTING_DISPLAY_NUMBER=n
    
                           By default FINDCREATEDISPLAY will try Xvfb and then
                           Xdummy:
    
                           The Xdummy wrapper is part of the x11vnc source code
                           (x11vnc/misc/Xdummy)  It should be available in PATH
                           and have run "Xdummy -install" once to create the
                           shared library.  Xdummy only works on Linux.  As of
                           12/2009 it no longer needs to be run as root, and the
                           default is to not run as root.  In some circumstances
                           permissions may require running it as root, in these
                           cases specify FD_XDUMMY_RUN_AS_ROOT=1, this is the same
                           as supplying -root to the Xdummy cmdline.
    
                           Xvfb is available on most platforms and does not
                           require root.
    
                           An advantage of Xdummy over Xvfb is that Xdummy supports
                           RANDR dynamic screen resizing.
    
                           When x11vnc exits (i.e. user disconnects) the X
                           server session stays running in the background.
                           The FINDDISPLAY will find it directly next time.
                           The user must exit the X session in the usual way for
                           it to terminate (or kill the X server process if all
                           else fails).
    
                           So this is a somewhat odd mode for x11vnc in that it
                           will start up and poll virtual X servers!  This can
                           be used from, say, inetd(8) to provide a means of
                           definitely getting a desktop (either real or virtual)
                           on the machine.  E.g. a desktop service:
    
                             5900 stream tcp nowait root /usr/sbin/tcpd /.../x11vnc
                              -inetd -q -http -ssl SAVE -unixpw -users unixpw=\
                              -passwd secret -prog /.../x11vnc \
                              -display WAIT:cmd=FINDCREATEDISPLAY
    
                           Where /.../x11vnc is the full path to x11vnc.
    
                           See the -svc/-service option alias above.
    
                           If for some reason you do not want x11vnc to ever
                           try to find an existing display set the env. var
                           X11VNC_FINDDISPLAY_ALWAYS_FAILS=1 (also -env ...)
                           This is the same as setting X11VNC_SKIP_DISPLAY=all or
                           supplying "nd=all" after "username:"
    
                           Use WAIT:cmd=FINDCREATEDISPLAY-print to print out the
                           script that is used for this.
    
                           You can specify the preferred X server order via e.g.,
                           WAIT:cmd=FINDCREATEDISPLAY-Xdummy,Xvfb,X  and/or leave
                           out ones you do not want.  The the case "X" means try
                           to start up a real, hardware X server using xinit(1)
                           or startx(1).  If there is already an X server running
                           the X case may only work on Linux (see startx(1)).
    
                           "Xvnc" will start up a VNC X server (real-
                           or tight-vnc, e.g. use if Xvfb is not available).
                           "Xsrv" will start up the server program in the
                           variable "FD_XSRV" if it is non-empty. You can make
                           this be a wrapper script if you like (it must handle :N,
                           -geometry, and -depth and other X server options).
    
                           You can set the environment variable FD_GEOM (or
                           X11VNC_CREATE_GEOM) to WxH or WxHxD to set the width
                           and height and optionally the color depth of the
                           created display.  You can also set FD_SESS to be the
                           session (short name of the windowmanager: kde, gnome,
                           twm, failsafe, etc.). FD_OPTS contains extra options
                           to pass to the X server. You can also set FD_PROG to
                           be the full path to the session/windowmanager program.
    
                           More FD tricks:  FD_CUPS=port or FD_CUPS=host:port
                           will set the cups printing environment.  Similarly for
                           FD_ESD=port or FD_ESD=host:port for esddsp sound
                           redirection.  Set FD_EXTRA to a command to be run a
                           few seconds after the X server starts up.  Set FD_TAG
                           to be a unique name for the session, it is set as an
                           X property, that makes FINDDISPLAY only find sessions
                           with that tag value.
    
                           Set FD_XDMCP_IF to the network interface that the
                           display manager is running on; default is 'localhost'
                           but you may need to set it to '::1' on some IPv6 only
                           systems or misconfigured display managers.
    
                           If you want the FINDCREATEDISPLAY session to contact an
                           XDMCP login manager (xdm/gdm/kdm) on the same machine,
                           then use "Xvfb.xdmcp" instead of "Xvfb", etc.
                           The user will have to supply his username and password
                           one more time (but he gets to select his desktop type
                           so that can be useful).  For this to work, you will
                           need to enable localhost XDMCP (udp port 177) for the
                           display manager.  This seems to be:
    
                            for gdm in gdm.conf:   Enable=true in section [xdmcp]
                            for kdm in kdmrc:      Enable=true in section [Xdmcp]
                            for xdm in xdm-config: DisplayManager.requestPort: 177
    
                           See the shorthand options above "-svc", "-xdmsvc"
                           and "-sshxdmsvc" that specify the above options for
                           some useful cases.
    
                           If you set the env. var WAITBG=1 x11vnc will go into
                           the background once listening in wait mode.
    
                           Another special mode is FINDCREATEDISPLAY-Xvnc.redirect,
                           (or FINDDISPLAY-Xvnc.redirect).  In this case it will
                           start up Xvnc as above if needed, but instead of
                           polling it in its normal way, it simply does a socket
                           redirection of the connected VNC viewer to the Xvnc.
    
                           So in Xvnc.redirect x11vnc does no VNC but merely
                           transfers the data back and forth.  This should be
                           faster then x11vnc's polling method, but not as fast
                           as connecting directly to the Xvnc with the VNC Viewer.
                           The idea here is to take advantage of x11vnc's display
                           finding/creating scheme, SSL, and perhaps a few others.
                           Most of x11vnc's options do not apply in this mode.
    
                           Xvnc.redirect should also work for the vnc.so X server
                           module for the h/w display however it will work only
                           for finding the display and the user must already be
                           logged into the X console.
    
    (snip)
    
    -nossl                 Disable the -ssl option (see below). Since -ssl is off
                           by default -nossl would only be used on the commandline
                           to unset any *earlier* -ssl option (or -svc...)
    
    -ssl [pem]             Use the openssl library (www.openssl.org) to provide a
                           built-in encrypted SSL/TLS tunnel between VNC viewers
                           and x11vnc.  This requires libssl support to be
                           compiled into x11vnc at build time.  If x11vnc is not
                           built with libssl support it will exit immediately when
                           -ssl is prescribed.  See the -stunnel option below for
                           an alternative.
    
                           The VNC Viewer-side needs to support SSL/TLS as well.
                           See this URL and also the discussion below for
                           ideas on how to enable SSL support for the viewer:
                           http://www.karlrunge.com/x11vnc/faq.html#faq-ssl-tun
                           nel-viewers .  x11vnc provides an SSL enabled Java
                           viewer applet in the classes/ssl directory (-http or
                           -httpdir options.)  The SSVNC viewer package supports
                           SSL tunnels too.
    
                           If the VNC Viewer supports VeNCrypt or ANONTLS (vino's
                           encryption mode) they are also supported by the -ssl
                           mode (see the -vencrypt and -anontls options for more
                           info; use -sslonly to disable both of them.)
    
                           Use "-ssl /path/to/mycert.pem" to specify an SSL
                           certificate file in PEM format to use to identify and
                           provide a key for this server.  See openssl(1) for more
                           info about PEMs and the -sslGenCert and "-ssl SAVE"
                           options below for how to create them.
    
                           The connecting VNC viewer SSL tunnel can (at its option)
                           authenticate this server if it has the public key part
                           of the certificate (or a common certificate authority,
                           CA, is a more sophisticated way to verify this server's
                           cert, see -sslGenCA below).  This authentication is
                           done to prevent Man-In-The-Middle attacks.  Otherwise,
                           if the VNC viewer simply accepts this server's key
                           WITHOUT verification, the traffic is protected from
                           passive sniffing on the network, but *NOT* from
                           Man-In-The-Middle attacks. There are hacker tools
                           like dsniff/webmitm and cain that implement SSL
                           Man-In-The-Middle attacks.
    
                           If [pem] is empty or the string "SAVE" then the
                           openssl(1) command must be available to generate the
                           certificate the first time.  A self-signed certificate
                           is generated (see -sslGenCA and -sslGenCert for use
                           of a Certificate Authority.)  It will be saved to the
                           file ~/.vnc/certs/server.pem.  On subsequent calls if
                           that file already exists it will be used directly.
    
                           Use "SAVE_NOPROMPT" to avoid being prompted to
                           protect the generated key with a passphrase.  However in
                           -inetd and -bg modes there will be no prompting for a
                           passphrase in either case.
    
                           If [pem] is "SAVE_PROMPT" the server.pem certificate
                           will be created based on your answers to its prompts for
                           all info such as OrganizationalName, CommonName, etc.
    
                           Use "SAVE-<string>" and "SAVE_PROMPT-<string>"
                           to refer to the file ~/.vnc/certs/server-<string>.pem
                           instead (it will be generated if it does not already
                           exist).  E.g. "SAVE-charlie" will store to the file
                           ~/.vnc/certs/server-charlie.pem
    
                           Examples: x11vnc -ssl SAVE -display :0 ...
                                     x11vnc -ssl SAVE-someother -display :0 ...
    
                           If [pem] is "TMP" and the openssl(1) utility
                           command exists in PATH, then a temporary, self-signed
                           certificate will be generated for this session.  If
                           openssl(1) cannot be used to generate a temporary
                           certificate x11vnc exits immediately.  The temporary
                           cert will be discarded when x11vnc exits.
    
                           If successful in using openssl(1) to generate a
                           temporary certificate in "SAVE" or "TMP" creation
                           modes, the public part of it will be displayed to stderr
                           (e.g. one could copy it to the client-side to provide
                           authentication of the server to VNC viewers.)
    
                           NOTE: In "TMP" mode, unless you safely copy the
                           public part of the temporary Cert to the viewer for
                           authenticate *every time* (unlikely...), then only
                           passive sniffing attacks are prevented and you are
                           still open to Man-In-The-Middle attacks.  This is
                           why the default "SAVE" mode is preferred (and more
                           sophisticated CA mode too).  Only with saved keys AND
                           the VNC viewer authenticating them (via the public
                           certificate), are Man-In-The-Middle attacks prevented.
    
                           If [pem] is "ANON" then the Diffie-Hellman anonymous
                           key exchange method is used.  In this mode there
                           are *no* SSL certificates and so it is not possible
                           to authenticate either the VNC server or VNC client.
                           Thus only passive network sniffing attacks are avoided:
                           the "ANON" method is susceptible to Man-In-The-Middle
                           attacks.  "ANON" is not recommended; instead use
                           a SSL PEM you created or the default "SAVE" method.
    
                           See -ssldir below to use a directory besides the
                           default ~/.vnc/certs
    
                           If your x11vnc binary was not compiled with OpenSSL
                           library support, use of the -ssl option will induce an
                           immediate failure and exit.  For such binaries, consider
                           using the -stunnel option for SSL encrypted connections.
    
                           Misc Info: In temporary cert creation mode "TMP", set
                           the env. var. X11VNC_SHOW_TMP_PEM=1 to have x11vnc print
                           out the entire certificate, including the PRIVATE KEY
                           part, to stderr.  There are better ways to get/save this
                           info.  See "SAVE" above and "-sslGenCert" below.
    
    (snip)
    
    -usepw                 If no other password method was supplied on the command
                           line, first look for ~/.vnc/passwd and if found use it
                           with -rfbauth; next, look for ~/.vnc/passwdfile and
                           use it with -passwdfile; otherwise, prompt the user
                           for a password to create ~/.vnc/passwd and use it with
                           the -rfbauth option.  If none of these succeed x11vnc
                           exits immediately.
    
    -storepasswd pass file Store password "pass" as the VNC password in the
                           file "file".  Once the password is stored the
                           program exits.  Use the password via "-rfbauth file"
    
                           If called with no arguments, "x11vnc -storepasswd",
                           the user is prompted for a password and it is stored
                           in the file ~/.vnc/passwd.  Called with one argument,
                           that will be the file to store the prompted password in.
    
    -nopw                  Disable the big warning message when you use x11vnc
                           without some sort of password.
    
    (snip)
    
    -users list            If x11vnc is started as root (say from inetd(8) or from
                           display managers xdm(1), gdm(1), etc), then as soon
                           as possible after connections to the X display are
                           established try to switch to one of the users in the
                           comma separated "list".  If x11vnc is not running as
                           root this option is ignored.
    
                           Why use this option?  In general it is not needed since
                           x11vnc is already connected to the X display and can
                           perform its primary functions.  The option was added
                           to make some of the *external* utility commands x11vnc
                           occasionally runs work properly.  In particular under
                           GNOME and KDE to implement the "-solid color" feature
                           external commands (gconftool-2 and dcop) unfortunately
                           must be run as the user owning the desktop session.
                           Since this option switches userid it also affects the
                           userid used to run the processes for the -accept and
                           -gone options.  It also affects the ability to read
                           files for options such as -connect, -allow, and -remap
                           and also the ultra and tight filetransfer feature if
                           enabled.  Note that the -connect file is also sometimes
                           written to.
    
                           So be careful with this option since in some situations
                           its use can decrease security.
    
                           In general the switch to a user will only take place
                           if the display can still be successfully opened as that
                           user (this is primarily to try to guess the actual owner
                           of the session). Example: "-users fred,wilma,betty".
                           Note that a malicious local user "barney" by
                           quickly using "xhost +" when logging in may possibly
                           get the x11vnc process to switch to user "fred".
                           What happens next?
    
                           Under display managers it may be a long time before
                           the switch succeeds (i.e. a user logs in).  To instead
                           make it switch immediately regardless if the display
                           can be reopened prefix the username with the "+"
                           character. E.g. "-users +bob" or "-users +nobody".
    
                           The latter (i.e. switching immediately to user
                           "nobody") is the only obvious use of the -users option
                           that increases security.
    
                           Use the following notation to associate a group with
                           a user: user1.group1,user2.group2,...  Note that
                           initgroups(2) will still be called first to try to
                           switch to ALL of a user's groups (primary and additional
                           groups).  Only if that fails or it is not available
                           then the single group specified as above (or the user's
                           primary group if not specified) is switched to with
                           setgid(2).  Use -env X11VNC_SINGLE_GROUP=1 to prevent
                           trying initgroups(2) and only switch to the single
                           group.  This sort of setting is only really needed to
                           make the ultra or tight filetransfer permissions work
                           properly. This format applies to any comma separated list
                           of users, even the special "=" modes described below.
    
                           In -unixpw mode, if "-users unixpw=" is supplied
                           then after a user authenticates himself via the
                           -unixpw mechanism, x11vnc will try to switch to that
                           user as though "-users +username" had been supplied.
                           If you want to limit which users this will be done for,
                           provide them as a comma separated list after "unixpw="
                           Groups can also be specified as described above.
    
                           Similarly, in -ssl mode, if "-users sslpeer=" is
                           supplied then after an SSL client authenticates with his
                           cert (the -sslverify option is required for this) x11vnc
                           will extract a UNIX username from the "emailAddress"
                           field (username@hostname.com) of the "Subject" of the
                           x509 SSL cert and then try to switch to that user as
                           though "-users +username" had been supplied.  If you
                           want to limit which users this will be done for, provide
                           them as a comma separated list after "sslpeer=".
                           Set the env. var X11VNC_SSLPEER_CN to use the Common
                           Name (normally a hostname) instead of the Email field.
    
                           NOTE: for sslpeer= mode the x11vnc administrator must
                           take care that any client certs he adds to -sslverify
                           have the intended UNIX username in the "emailAddress"
                           field of the cert.  Otherwise a user may be able to
                           log in as another.  This command can be of use in
                           checking: "openssl x509 -text -in file.crt", see the
                           "Subject:" line.  Also, along with the normal RFB_*
                           env. vars. (see -accept) passed to external cmd=
                           commands, RFB_SSL_CLIENT_CERT will be set to the
                           client's x509 certificate string.
    
                           The sslpeer= mode can aid finding X sessions via the
                           FINDDISPLAY and FINDCREATEDISPLAY mechanisms.
    
                           To immediately switch to a user *before* connections
                           to the X display are made or any files opened use the
                           "=" character: "-users =bob".  That user needs to
                           be able to open the X display and any files of course.
    
                           The special user "guess=" means to examine the utmpx
                           database (see who(1)) looking for a user attached to
                           the display number (from DISPLAY or -display option)
                           and try him/her.  To limit the list of guesses, use:
                           "-users guess=bob,betty".
    
                           Even more sinister is the special user "lurk="
                           that means to try to guess the DISPLAY from the utmpx
                           login database as well.  So it "lurks" waiting for
                           anyone to log into an X session and then connects to it.
                           Specify a list of users after the = to limit which users
                           will be tried.  To enable a different searching mode, if
                           the first user in the list is something like ":0" or
                           ":0-2" that indicates a range of DISPLAY numbers that
                           will be tried (regardless of whether they are in the
                           utmpx database) for all users that are logged in.  Also
                           see the "-display WAIT:..." functionality.  Examples:
                           "-users lurk=" and also "-users lurk=:0-1,bob,mary"
    
                           Be especially careful using the "guess=" and "lurk="
                           modes.  They are not recommended for use on machines
                           with untrustworthy local users.
    
    (snip)
    
    -ping n                Send a 1x1 framebuffer update to all clients every n
                           seconds (e.g. to try to keep a network connection alive)
    
    (snip)
    
    These options are passed to LibVNCServer:
    
    -rfbport port          TCP port for RFB protocol
    -rfbwait time          max time in ms to wait for RFB client
    -rfbauth passwd-file   use authentication on RFB protocol
                           (use 'storepasswd' to create a password file)
    -rfbversion 3.x        Set the version of the RFB we choose to advertise
    -permitfiletransfer    permit file transfer support
    -passwd plain-password use authentication 
                           (use plain-password as password, USE AT YOUR RISK)
    -deferupdate time      time in ms to defer updates (default 40)
    -deferptrupdate time   time in ms to defer pointer updates (default none)
    -desktop name          VNC desktop name (default "LibVNCServer")
    -alwaysshared          always treat new clients as shared
    -nevershared           never treat new clients as shared
    -dontdisconnect        don't disconnect existing clients when a new non-shared
                           connection comes in (refuse new connection instead)
    -httpdir dir-path      enable http server using dir-path home
    -httpport portnum      use portnum for http connection
    -enablehttpproxy       enable http proxy support
    -progressive height    enable progressive updating for slow links
    -listen ipaddr         listen for connections only on network interface with
                           addr ipaddr. '-listen localhost' and hostname work too.
    
    libvncserver-tight-extension options:
    -disablefiletransfer   disable file transfer
    -ftproot string        set ftp root
    
  • $ sudo x11vnc
    ###############################################################
    #@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#
    #@                                                           @#
    #@  **  WARNING  **  WARNING  **  WARNING  **  WARNING  **   @#
    #@                                                           @#
    #@        YOU ARE RUNNING X11VNC WITHOUT A PASSWORD!!        @#
    #@                                                           @#
    #@  This means anyone with network access to this computer   @#
    #@  may be able to view and control your desktop.            @#
    #@                                                           @#
    #@ >>> If you did not mean to do this Press CTRL-C now!! <<< @#
    #@                                                           @#
    #@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#
    #@                                                           @#
    #@  You can create an x11vnc password file by running:       @#
    #@                                                           @#
    #@       x11vnc -storepasswd password /path/to/passfile      @#
    #@  or   x11vnc -storepasswd /path/to/passfile               @#
    #@  or   x11vnc -storepasswd                                 @#
    #@                                                           @#
    #@  (the last one will use ~/.vnc/passwd)                    @#
    #@                                                           @#
    #@  and then starting x11vnc via:                            @#
    #@                                                           @#
    #@      x11vnc -rfbauth /path/to/passfile                    @#
    #@                                                           @#
    #@  an existing ~/.vnc/passwd file from another VNC          @#
    #@  application will work fine too.                          @#
    #@                                                           @#
    #@  You can also use the -passwdfile or -passwd options.     @#
    #@  (note -passwd is unsafe if local users are not trusted)  @#
    #@                                                           @#
    #@  Make sure any -rfbauth and -passwdfile password files    @#
    #@  cannot be read by untrusted users.                       @#
    #@                                                           @#
    #@  Use x11vnc -usepw to automatically use your              @#
    #@  ~/.vnc/passwd or ~/.vnc/passwdfile password files.       @#
    #@  (and prompt you to create ~/.vnc/passwd if neither       @#
    #@  file exists.)  Under -usepw, x11vnc will exit if it      @#
    #@  cannot find a password to use.                           @#
    #@                                                           @#
    #@                                                           @#
    #@  Even with a password, the subsequent VNC traffic is      @#
    #@  sent in the clear.  Consider tunnelling via ssh(1):      @#
    #@                                                           @#
    #@    http://www.karlrunge.com/x11vnc/#tunnelling            @#
    #@                                                           @#
    #@  Or using the x11vnc SSL options: -ssl and -stunnel       @#
    #@                                                           @#
    #@  Please Read the documention for more info about          @#
    #@  passwords, security, and encryption.                     @#
    #@                                                           @#
    #@    http://www.karlrunge.com/x11vnc/faq.html#faq-passwd    @#
    #@                                                           @#
    #@  To disable this warning use the -nopw option, or put     @#
    #@  the setting in your ~/.x11vncrc file.                    @#
    #@                                                           @#
    #@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#
    ###############################################################
    
    (snip)
    
    
    Some tips and guidelines:
    
    ** An X server (the one you wish to view) must be running before x11vnc is
       started: x11vnc does not start the X server.  (however, see the -create
       option if that is what you really want).
    
    ** You must use -display <disp>, -OR- set and export your $DISPLAY
       environment variable to refer to the display of the desired X server.
     - Usually the display is simply ":0" (in fact x11vnc uses this if you forget
       to specify it), but in some multi-user situations it could be ":1", ":2",
       or even ":137".  Ask your administrator or a guru if you are having
       difficulty determining what your X DISPLAY is.
    
    ** Next, you need to have sufficient permissions (Xauthority)
       to connect to the X DISPLAY.   Here are some Tips:
    
     - Often, you just need to run x11vnc as the user logged into the X session.
       So make sure to be that user when you type x11vnc.
     - Being root is usually not enough because the incorrect MIT-MAGIC-COOKIE
       file may be accessed.  The cookie file contains the secret key that
       allows x11vnc to connect to the desired X DISPLAY.
     - You can explicitly indicate which MIT-MAGIC-COOKIE file should be used
       by the -auth option, e.g.:
           x11vnc -auth /home/someuser/.Xauthority -display :0
           x11vnc -auth /tmp/.gdmzndVlR -display :0
       you must have read permission for the auth file.
       See also '-auth guess' and '-findauth' discussed below.
    
    ** If NO ONE is logged into an X session yet, but there is a greeter login
       program like "gdm", "kdm", "xdm", or "dtlogin" running, you will need
       to find and use the raw display manager MIT-MAGIC-COOKIE file.
       Some examples for various display managers:
    
         gdm:     -auth /var/gdm/:0.Xauth
                  -auth /var/lib/gdm/:0.Xauth
         kdm:     -auth /var/lib/kdm/A:0-crWk72
                  -auth /var/run/xauth/A:0-crWk72
         xdm:     -auth /var/lib/xdm/authdir/authfiles/A:0-XQvaJk
         dtlogin: -auth /var/dt/A:0-UgaaXa
    
       Sometimes the command "ps wwwwaux | grep auth" can reveal the file location.
    
       Starting with x11vnc 0.9.9 you can have it try to guess by using:
    
                  -auth guess
    
       (see also the x11vnc -findauth option.)
    
       Only root will have read permission for the file, and so x11vnc must be run
       as root (or copy it).  The random characters in the filenames will of course
       change and the directory the cookie file resides in is system dependent.
    
    See also: http://www.karlrunge.com/x11vnc/faq.html