ss_vncviewer 43.1 KB
Newer Older
runge's avatar
runge committed
1 2
#!/bin/sh
#
runge's avatar
runge committed
3 4
# ss_vncviewer:  wrapper for vncviewer to use an stunnel SSL tunnel
#                or an SSH tunnel.
runge's avatar
runge committed
5
#
6
# Copyright (c) 2006-2008 by Karl J. Runge <runge@karlrunge.com>
runge's avatar
runge committed
7 8 9 10 11 12 13 14 15 16
#
# You must have stunnel(8) installed on the system and in your PATH
# (however, see the -ssh option below, in which case you will need ssh(1)
# installed)  Note: stunnel is usually installed in an "sbin" subdirectory.
#
# You should have "x11vnc -ssl ..." or "x11vnc -stunnel ..." 
# already running as the VNC server on the remote machine.
# (or use stunnel on the server side for any other VNC server)
#
#
runge's avatar
runge committed
17
# Usage: ss_vncviewer [cert-args] host:display <vncviewer-args>
runge's avatar
runge committed
18
#
runge's avatar
runge committed
19 20
# e.g.:  ss_vncviewer snoopy:0
#        ss_vncviewer snoopy:0 -encodings "copyrect tight zrle hextile"
runge's avatar
runge committed
21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40
#
# [cert-args] can be:
#
#	-verify /path/to/cacert.pem		
#	-mycert /path/to/mycert.pem		
#	-proxy  host:port
#
# -verify specifies a CA cert PEM file (or a self-signed one) for
#         authenticating the VNC server.
#
# -mycert specifies this client's cert+key PEM file for the VNC server to
#	  authenticate this client. 
#
# -proxy  try host:port as a Web proxy to use the CONNECT method
#         to reach the VNC server (e.g. your firewall requires a proxy).
#
#         For the "double proxy" case use -proxy host1:port1,host2:port2
#         (the first CONNECT is done through host1:port1 to host2:port2
#         and then a 2nd CONNECT to the destination VNC server.)
#
41
#         Use socks://host:port, socks4://host:port, or socks5://host,port
42
#         to force usage of a SOCKS proxy.  Also repeater://host:port.
43
#
runge's avatar
runge committed
44 45 46
# -showcert  Only fetch the certificate using the 'openssl s_client'
#            command (openssl(1) must in installed).
#
runge's avatar
runge committed
47 48 49 50 51
#    See http://www.karlrunge.com/x11vnc/#faq-ssl-ca for details on SSL
#    certificates with VNC.
#
# A few other args (not related to SSL and certs):
#
52 53
# -2nd    Run the vncviewer a 2nd time if the first connections fails.
#
runge's avatar
runge committed
54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79
# -ssh    Use ssh instead of stunnel SSL.  ssh(1) must be installed and you
#         must be able to log into the remote machine via ssh.
#
#         In this case "host:display" may be of the form "user@host:display"
#         where "user@host" is used for the ssh login (see ssh(1) manpage).
#
#         If -proxy is supplied it can be of the forms: "gwhost" "gwhost:port"
#         "user@gwhost" or "user@gwhost:port".  "gwhost" is an incoming ssh 
#         gateway machine (the VNC server is not running there), an ssh -L
#         redir is used to "host" in "host:display" from "gwhost". Any "user@"
#         part must be in the -proxy string (not in "host:display").
#
#         Under -proxy use "gwhost:port" if connecting to any ssh port
#         other than the default (22).  (even for the non-gateway case,
#         -proxy must be used to specify a non-standard ssh port)
#
#         A "double ssh" can be specified via a -proxy string with the two
#         hosts separated by a comma:
#
#             [user1@]host1[:port1],[user2@]host2[:port2]
#
#         in which case a ssh to host1 and thru it via a -L redir a 2nd
#         ssh is established to host2.  
#
#         Examples:
#
runge's avatar
runge committed
80 81
#         ss_vncviewer -ssh bob@bobs-home.net:0
#         ss_vncviewer -ssh -sshcmd 'x11vnc -localhost' bob@bobs-home.net:0
runge's avatar
runge committed
82
#
runge's avatar
runge committed
83 84
#         ss_vncviewer -ssh -proxy fred@mygate.com:2022 mymachine:0
#         ss_vncviewer -ssh -proxy bob@bobs-home.net:2222 localhost:0
runge's avatar
runge committed
85
#
runge's avatar
runge committed
86
#         ss_vncviewer -ssh -proxy fred@gw-host,fred@peecee localhost:0
runge's avatar
runge committed
87 88 89 90 91 92 93 94 95 96 97 98 99
#
# -sshcmd cmd   Run "cmd" via ssh instead of the default "sleep 15"
#               e.g. -sshcmd 'x11vnc -display :0 -localhost -rfbport 5900'
#
# -sshargs "args"  pass "args" to the ssh process, e.g. -L/-R port redirs.
#
# -sshssl Tunnel the SSL connection thru a SSH connection.  The tunnel as
#         under -ssh is set up and the SSL connection goes thru it.  Use
#         this if you want to have and end-to-end SSL connection but must
#         go thru a SSH gateway host (e.g. not the vnc server).  Or use
#         this if you need to tunnel additional services via -R and -L 
#         (see -sshargs above).
#
runge's avatar
runge committed
100
#         ss_vncviewer -sshssl -proxy fred@mygate.com mymachine:0
runge's avatar
runge committed
101
#
102
# -listen (or -reverse) set up a reverse connection.
runge's avatar
runge committed
103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119
#
# -alpha  turn on cursor alphablending hack if you are using the
#         enhanced tightvnc vncviewer.
#
# -grab   turn on XGrabServer hack if you are using the enhanced tightvnc
#         vncviewer (e.g. for fullscreen mode in some windowmanagers like
#         fvwm that do not otherwise work in fullscreen mode)
#
#
# set VNCVIEWERCMD to whatever vncviewer command you want to use.
#
VNCIPCMD=${VNCVIEWERCMD:-vncip}
VNCVIEWERCMD=${VNCVIEWERCMD:-vncviewer}
#
# Same for STUNNEL, e.g. set it to /path/to/stunnel or stunnel4, etc.
#

120
# turn on verbose debugging output
runge's avatar
runge committed
121 122 123
if [ "X$SS_DEBUG" != "X" ]; then
	set -xv 
fi
124

runge's avatar
runge committed
125 126
PATH=$PATH:/usr/sbin:/usr/local/sbin:/dist/sbin; export PATH

127
# work out which stunnel t use (debian installs as stunnel4)
runge's avatar
runge committed
128 129 130 131 132 133 134 135 136 137
if [ "X$STUNNEL" = "X" ]; then
	type stunnel4 > /dev/null 2>&1
	if [ $? = 0 ]; then
		STUNNEL=stunnel4
	else
		STUNNEL=stunnel
	fi
fi

help() {
138
	tail -n +2 "$0" | sed -e '/^$/ q'
runge's avatar
runge committed
139 140
}

141
secondtry=""
runge's avatar
runge committed
142 143 144 145 146
gotalpha=""
use_ssh=""
use_sshssl=""
direct_connect=""
ssh_sleep=15
147 148

# sleep longer in -listen mode:
149 150 151
if echo "$*" | grep '.*-listen' > /dev/null; then
	ssh_sleep=1800
fi
152 153


154
ssh_cmd=""
155
# env override of ssh_cmd:
runge's avatar
runge committed
156 157
if [ "X$SS_VNCVIEWER_SSH_CMD" != "X" ]; then
	ssh_cmd="$SS_VNCVIEWER_SSH_CMD"
runge's avatar
runge committed
158
fi
159

runge's avatar
runge committed
160
ssh_args=""
runge's avatar
runge committed
161
showcert=""
162
reverse=""
runge's avatar
runge committed
163

runge's avatar
runge committed
164
if [ "X$1" = "X-viewerflavor" ]; then
165 166
	# special case, try to guess which viewer:
	#
runge's avatar
runge committed
167 168 169 170
	if echo "$VNCVIEWERCMD" | egrep -i '^(xmessage|sleep )' > /dev/null; then
		echo "unknown"
		exit 0
	fi
runge's avatar
runge committed
171 172 173 174
	if echo "$VNCVIEWERCMD" | grep -i chicken.of > /dev/null; then
		echo "cotvnc"
		exit 0
	fi
runge's avatar
runge committed
175 176 177 178
	if echo "$VNCVIEWERCMD" | grep -i ultra > /dev/null; then
		echo "ultravnc"
		exit 0
	fi
179
	# OK, run it for help output...
180
	str=`$VNCVIEWERCMD -h 2>&1 | head -n 5`
runge's avatar
runge committed
181 182 183 184 185 186 187 188 189 190 191 192
	if echo "$str" | grep -i 'TightVNC.viewer' > /dev/null; then
		echo "tightvnc"
	elif echo "$str" | grep -i 'RealVNC.Ltd' > /dev/null; then
		echo "realvnc4"
	elif echo "$str" | grep -i 'VNC viewer version 3' > /dev/null; then
		echo "realvnc3"
	else
		echo "unknown"
	fi
	exit 0
fi

193
# maxconn is something we added to stunnel, this disables it:
runge's avatar
runge committed
194 195 196 197 198 199
if [ "X$SS_VNCVIEWER_NO_MAXCONN" != "X" ]; then
	STUNNEL_EXTRA_OPTS=`echo "$STUNNEL_EXTRA_OPTS" | sed -e 's/maxconn/#maxconn/'`
elif echo "$VNCVIEWERCMD" | egrep -i '^(xmessage|sleep )' > /dev/null; then
	STUNNEL_EXTRA_OPTS=`echo "$STUNNEL_EXTRA_OPTS" | sed -e 's/maxconn/#maxconn/'`
fi

runge's avatar
runge committed
200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220
# grab our cmdline options:
while [ "X$1" != "X" ]
do
    case $1 in 
	"-verify")	shift; verify="$1"
                ;;
	"-mycert")	shift; mycert="$1"
                ;;
	"-proxy")	shift; proxy="$1"
                ;;
	"-ssh")		use_ssh=1
                ;;
	"-sshssl")	use_ssh=1
			use_sshssl=1
                ;;
	"-sshcmd")	shift; ssh_cmd="$1"
                ;;
	"-sshargs")	shift; ssh_args="$1"
                ;;
	"-alpha")	gotalpha=1
                ;;
runge's avatar
runge committed
221 222
	"-showcert")	showcert=1
                ;;
223 224 225 226
	"-listen")	reverse=1
                ;;
	"-reverse")	reverse=1
                ;;
227 228
	"-2nd")		secondtry=1
                ;;
runge's avatar
runge committed
229 230 231 232 233 234 235 236 237 238 239 240
	"-grab")	VNCVIEWER_GRAB_SERVER=1; export VNCVIEWER_GRAB_SERVER
                ;;
	"-h"*)	help; exit 0
                ;;
	"--h"*)	help; exit 0
                ;;
	*)	break
                ;;
    esac
    shift
done

241
# this is the -t ssh option (gives better keyboard responsd thru SSH tunnel)
242 243 244 245 246
targ="-t"
if [ "X$SS_VNCVIEWER_NO_T" != "X" ]; then
	targ=""
fi

247
# set the alpha blending env. hack: 
runge's avatar
runge committed
248 249 250 251
if [ "X$gotalpha" = "X1" ]; then
	VNCVIEWER_ALPHABLEND=1
	export VNCVIEWER_ALPHABLEND
else
runge's avatar
runge committed
252 253 254
	NO_ALPHABLEND=1
	export NO_ALPHABLEND
fi
255

256 257 258
if [ "X$reverse" != "X" ]; then
	ssh_sleep=1800
	if [ "X$proxy" != "X" ]; then
259
		# check proxy usage under reverse connection:
260 261
		if [ "X$use_ssh" = "X" -a "X$use_sshssl" = "X" ]; then
			echo ""
262 263 264 265 266 267
			if echo "$proxy" | egrep "repeater://" > /dev/null; then
				:
			else
				echo "*Warning*: SSL -listen and a Web proxy does not make sense."
				sleep 3
			fi
268 269 270 271 272 273 274 275 276 277
		elif echo "$proxy" | grep "," > /dev/null; then
			:
		else
			echo ""
			echo "*Warning*: -listen and a single proxy/gateway does not make sense."
			sleep 3
		fi
	fi
fi
if [ "X$ssh_cmd" = "X" ]; then
278
	# if no remote ssh cmd, sleep a bit:
279 280
	ssh_cmd="sleep $ssh_sleep"
fi
runge's avatar
runge committed
281

282 283
# this should be a host:display:
#
runge's avatar
runge committed
284 285 286
orig="$1"
shift

287
# check -ssh and -mycert/-verify conflict:
runge's avatar
runge committed
288 289 290 291 292 293 294
if [ "X$use_ssh" = "X1" -a "X$use_sshssl" = "X" ]; then
	if [ "X$mycert" != "X" -o "X$verify" != "X" ]; then
		echo "-mycert and -verify cannot be used in -ssh mode" 
		exit 1
	fi
fi

295 296
# direct mode Vnc:// means show no warnings.
# direct mode vnc:// will show warnings.
297 298 299 300 301 302
if echo "$orig" | grep '^V[Nn][Cc]://' > /dev/null; then
	SSVNC_NO_ENC_WARN=1
	export SSVNC_NO_ENC_WARN
	orig=`echo "$orig" | sed -e 's/^...:/vnc:/'`
fi

303
# interprest the pseudo URL proto:// strings:
runge's avatar
runge committed
304 305 306 307 308 309 310
if echo "$orig" | grep '^vnc://' > /dev/null; then
	orig=`echo "$orig" | sed -e 's,vnc://,,'`
	verify=""
	mycert=""
	use_ssh=""
	use_sshssl=""
	direct_connect=1
311 312
elif echo "$orig" | grep '^vncs://' > /dev/null; then
	orig=`echo "$orig" | sed -e 's,vncs://,,'`
runge's avatar
runge committed
313 314
elif echo "$orig" | grep '^vncssl://' > /dev/null; then
	orig=`echo "$orig" | sed -e 's,vncssl://,,'`
315 316
elif echo "$orig" | grep '^vnc+ssl://' > /dev/null; then
	orig=`echo "$orig" | sed -e 's,vnc.ssl://,,'`
runge's avatar
runge committed
317 318 319
elif echo "$orig" | grep '^vncssh://' > /dev/null; then
	orig=`echo "$orig" | sed -e 's,vncssh://,,'`
	use_ssh=1
320 321 322
elif echo "$orig" | grep '^vnc+ssh://' > /dev/null; then
	orig=`echo "$orig" | sed -e 's,vnc.ssh://,,'`
	use_ssh=1
runge's avatar
runge committed
323
fi
324 325

# (possibly) tell the vncviewer to only listen on lo: 
runge's avatar
runge committed
326 327 328
if [ "X$reverse" != "X" -a "X$direct_connect" = "X" ]; then
	VNCVIEWER_LISTEN_LOCALHOST=1
	export VNCVIEWER_LISTEN_LOCALHOST
runge's avatar
runge committed
329 330
fi

331
# rsh mode is an internal/secret thing only I use.
332 333 334 335 336 337 338 339 340 341 342
rsh=""
if echo "$orig" | grep '^rsh://' > /dev/null; then
	use_ssh=1
	rsh=1
	orig=`echo "$orig" | sed -e 's,rsh://,,'`
elif echo "$orig" | grep '^rsh:' > /dev/null; then
	use_ssh=1
	rsh=1
	orig=`echo "$orig" | sed -e 's,rsh:,,'`
fi

runge's avatar
runge committed
343 344 345 346
# play around with host:display port:
if echo "$orig" | grep ':' > /dev/null; then
	:
else
347
	# add or assume :0 if no ':'
348 349
	if [ "X$reverse" = "X" ]; then
		orig="$orig:0"
runge's avatar
runge committed
350 351
	elif [ "X$orig" = "X" ]; then
		orig=":0"
352
	fi
runge's avatar
runge committed
353 354
fi

355
# extract host and disp number:
runge's avatar
runge committed
356 357 358 359 360
host=`echo "$orig" | awk -F: '{print $1}'`
disp=`echo "$orig" | awk -F: '{print $2}'`
if [ "X$host" = "X" ]; then
	host=localhost
fi
361 362 363
if [ "X$disp" = "X" ]; then
	port=""	# probably -listen mode.
elif [ $disp -lt 0 ]; then
364
	# negative means use |n| without question:
365 366
	port=`expr 0 - $disp`
elif [ $disp -lt 200 ]; then
367
	# less than 200 means 5900+n
368 369 370 371 372
	if [ "X$reverse" = "X" ]; then
		port=`expr $disp + 5900`
	else
		port=`expr $disp + 5500`
	fi
runge's avatar
runge committed
373
else
374
	# otherwise use the number directly, e.g. 443, 2345
runge's avatar
runge committed
375 376 377 378 379 380 381 382 383
	port=$disp
fi

# try to find an open listening port via netstat(1):
inuse=""
if uname | grep Linux > /dev/null; then
	inuse=`netstat -ant | egrep 'LISTEN|WAIT|ESTABLISH|CLOSE' | awk '{print $4}' | sed 's/^.*://'`
elif uname | grep SunOS > /dev/null; then
	inuse=`netstat -an -f inet -P tcp | grep LISTEN | awk '{print $1}' | sed 's/^.*\.//'`
384 385
elif uname | grep -i bsd > /dev/null; then
	inuse=`netstat -ant -f inet | grep LISTEN | awk '{print $4}' | sed 's/^.*\.//'`
runge's avatar
runge committed
386 387 388
# add others...
fi

389
# this is a crude attempt for unique ports tags, etc.
runge's avatar
runge committed
390 391
date_sec=`date +%S`

392 393
# these are special cases of no vnc, e.g. sleep or xmessage.
# these are for using ssvnc as a general port redirector.
runge's avatar
runge committed
394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409
if echo "$VNCVIEWERCMD" | grep '^sleep[ 	][ 	]*[0-9][0-9]*' > /dev/null; then
	if [ "X$SS_VNCVIEWER_LISTEN_PORT" = "X" ]; then
		p=`echo "$VNCVIEWERCMD" | awk '{print $3}'`
		if [ "X$p" != "X" ]; then
			SS_VNCVIEWER_LISTEN_PORT=$p
		fi
	fi
	p2=`echo "$VNCVIEWERCMD" | awk '{print $2}'`
	VNCVIEWERCMD="eval sleep $p2; echo Local "
elif echo "$VNCVIEWERCMD" | grep '^xmessage[ 	][ 	]*[0-9][0-9]*' > /dev/null; then
	if [ "X$SS_VNCVIEWER_LISTEN_PORT" = "X" ]; then
		p=`echo "$VNCVIEWERCMD" | awk '{print $2}'`
		SS_VNCVIEWER_LISTEN_PORT=$p
	fi
fi

410
# utility to find a free port to listen on.
runge's avatar
runge committed
411 412 413 414 415
findfree() {
	try0=$1
	try=$try0
	use0=""

runge's avatar
runge committed
416 417 418 419
	if [ "X$SS_VNCVIEWER_LISTEN_PORT" != "X" ]; then
		echo "$SS_VNCVIEWER_LISTEN_PORT"
		return	
	fi
420 421 422 423 424
	if [ $try -ge 6000 ]; then
		fmax=`expr $try + 1000`
	else
		fmax=6000
	fi
runge's avatar
runge committed
425

426
	while [ $try -lt $fmax ]
runge's avatar
runge committed
427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445
	do
		if [ "X$inuse" = "X" ]; then
			break
		fi
		if echo "$inuse" | grep -w $try > /dev/null; then
			:
		else
			use0=$try
			break
		fi
		try=`expr $try + 1`
	done
	if [ "X$use0" = "X" ]; then
		use0=`expr $date_sec + $try0`
	fi

	echo $use0
}

446 447
# utility for exiting; kills some helper processes,
# removes files, etc.
448 449
final() {
	echo ""
450 451 452
	if [ "X$tmp_cfg" != "X" ]; then
		rm -f $tmp_cfg
	fi
453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474
	if [ "X$SS_VNCVIEWER_RM" != "X" ]; then
		rm -f $SS_VNCVIEWER_RM 2>/dev/null
	fi
	if [ "X$tcert" != "X" ]; then
		rm -f $tcert
	fi
	if [ "X$pssh" != "X" ]; then
		echo "Terminating background ssh process"
		echo kill -TERM "$pssh"
		kill -TERM "$pssh" 2>/dev/null
		sleep 1
		kill -KILL "$pssh" 2>/dev/null
		pssh=""
	fi
	if [ "X$stunnel_pid" != "X" ]; then
		echo "Terminating background stunnel process"
		echo kill -TERM "$stunnel_pid"
		kill -TERM "$stunnel_pid" 2>/dev/null
		sleep 1
		kill -KILL "$stunnel_pid" 2>/dev/null
		stunnel_pid=""
	fi
475 476 477
	if [ "X$tail_pid" != "X" ]; then
		kill -TERM $tail_pid
	fi
478
}
runge's avatar
runge committed
479

480
if [ "X$reverse" = "X" ]; then
481
	# normal connections try 5930-5999:
482 483 484 485 486 487
	use=`findfree 5930`
	if [ $use -ge 5900 ]; then
		N=`expr $use - 5900`
	else
		N=$use
	fi
runge's avatar
runge committed
488
else
489
	# reverse connections:
490 491 492 493 494 495 496
	p2=`expr $port + 30`
	use=`findfree $p2`
	if [ $use -ge 5500 ]; then
		N=`expr $use - 5500`
	else
		N=$use
	fi
runge's avatar
runge committed
497 498
fi

499
# this is for my special use of ss_vncip -> vncip viewer.
runge's avatar
runge committed
500 501 502 503
if echo "$0" | grep vncip > /dev/null; then
	VNCVIEWERCMD="$VNCIPCMD"
fi

504
rchk() {
505
	# a kludge to set $RANDOM if we are not bash:
506 507 508 509 510 511
	if [ "X$BASH_VERSION" = "X" ]; then
		RANDOM=`date +%S``sh -c 'echo $$'``ps -elf 2>&1 | sum 2>&1 | awk '{print $1}'`
	fi
}
rchk

512 513 514 515 516
dL="-L"
if uname -sr | egrep 'SunOS 5\.[5-8]' > /dev/null; then
	dL="-h"
fi

517
# a portable, but not absolutely safe, tmp file creator
518 519 520 521 522 523
mytmp() {
	tf=$1
	rm -rf "$tf" || exit 1
	if [ -d "$tf" ]; then
		echo "tmp file $tf still exists as a directory."
		exit 1
524
	elif [ $dL "$tf" ]; then
525 526 527 528 529 530 531 532 533 534 535
		echo "tmp file $tf still exists as a symlink."
		exit 1
	elif [ -f "$tf" ]; then
		echo "tmp file $tf still exists."
		exit 1
	fi
	touch "$tf" || exit 1
	chmod 600 "$tf" || exit 1
	rchk
}

536
# trick for the undocumented rsh://host:port method.
537 538 539 540 541 542 543 544 545 546 547
rsh_setup() {
	if echo "$ssh_host" | grep '@' > /dev/null; then
		ul=`echo "$ssh_host" | awk -F@ '{print $1}'`
		ul="-l $ul"
		ssh_host=`echo "$ssh_host" | awk -F@ '{print $2}'`
	else
		ul=""
	fi
	ssh_cmd=`echo "$ssh_cmd" | sed -e 's/ -localhost/ /g'`
}

548
# trick for the undocumented rsh://host:port method.
549 550 551 552 553 554 555 556 557 558 559 560 561
rsh_viewer() {
	trap "final" 0 2 15
	if [ "X$PORT" = "X" ]; then
		exit 1
	elif [ $PORT -ge 5900 ]; then
		vdpy=`expr $PORT - 5900`
	else
		vdpy=":$PORT"
	fi
	stty sane
	echo "$VNCVIEWERCMD" "$@" $ssh_host:$vdpy
	echo ""
	$VNCVIEWERCMD "$@" $ssh_host:$vdpy
562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578
	if [ $? != 0 ]; then
		sleep 2
		$VNCVIEWERCMD "$@" $ssh_host:$vdpy
	fi
}

# this is the PPROXY tool.  used only here for now... 
pcode() {
	tf=$1
	PPROXY_PROXY=$proxy; export PPROXY_PROXY
	PPROXY_DEST="$host:$port"; export PPROXY_DEST
	cod='#!/usr/bin/perl

# A hack to glue stunnel to a Web proxy or SOCKS for client connections.

use IO::Socket::INET;

579 580 581 582
if (exists $ENV{PPROXY_SLEEP}) {
	print STDERR "PPROXY_PID: $$\n";
	sleep $ENV{PPROXY_SLEEP};
}
583

584 585 586 587 588 589 590 591 592 593 594 595 596
foreach my $var (qw(PPROXY_PROXY PPROXY_SOCKS PPROXY_DEST PPROXY_LISTEN
    PPROXY_REVERSE PPROXY_REPEATER PPROXY_REMOVE PPROXY_KILLPID PPROXY_SLEEP)) {
	if (0 || $ENV{SS_DEBUG}) {
		print STDERR "$var: $ENV{$var}\n";
	}
} 

if ($ENV{PPROXY_SOCKS} ne "" && $ENV{PPROXY_PROXY} !~ m,^socks5?://,i) {
	if ($ENV{PPROXY_SOCKS} eq "5") {
		$ENV{PPROXY_PROXY} = "socks5://$ENV{PPROXY_PROXY}";
	} else {
		$ENV{PPROXY_PROXY} = "socks://$ENV{PPROXY_PROXY}";
	}
597 598
}

599 600 601 602 603
my ($first, $second, $third) = split(/,/, $ENV{PPROXY_PROXY}, 3);
my ($mode_1st, $mode_2nd, $mode_3rd) = ("", "", "");

($first, $mode_1st) = url_parse($first);

604 605 606 607
my ($proxy_host, $proxy_port) = split(/:/, $first);
my $connect = $ENV{PPROXY_DEST};

if ($second ne "") {
608
	($second, $mode_2nd) = url_parse($second);
609 610 611
}

if ($third ne "") {
612
	($third, $mode_3rd) = url_parse($third);
613 614
}

615

616 617 618 619 620 621 622
print STDERR "\n";
print STDERR "PPROXY v0.2: a tool for Web proxies and SOCKS connections.\n";
print STDERR "proxy_host:       $proxy_host\n";
print STDERR "proxy_port:       $proxy_port\n";
print STDERR "proxy_connect:    $connect\n";
print STDERR "pproxy_params:    $ENV{PPROXY_PROXY}\n";
print STDERR "pproxy_listen:    $ENV{PPROXY_LISTEN}\n";
623
print STDERR "pproxy_reverse:   $ENV{PPROXY_REVERSE}\n";
624
print STDERR "\n";
625 626 627 628 629 630
if (1) {
	print STDERR "pproxy 1st: $first\t- $mode_1st\n";
	print STDERR "pproxy 2nd: $second\t- $mode_2nd\n";
	print STDERR "pproxy 3rd: $third\t- $mode_3rd\n";
	print STDERR "\n";
}
631 632

my $listen_handle = "";
633 634 635 636 637 638 639 640 641 642 643 644 645
if ($ENV{PPROXY_REVERSE} ne "") {
	my ($rhost, $rport) = split(/:/, $ENV{PPROXY_REVERSE});
	$rport = 5900 unless $rport;
	$listen_handle = IO::Socket::INET->new(
		PeerAddr => $rhost,
		PeerPort => $rport,
		Proto => "tcp"
	);
	if (! $listen_handle) {
		die "pproxy: $! -- PPROXY_REVERSE\n";
	}
	print STDERR "PPROXY_REVERSE: connected to $rhost $rport\n";
} elsif ($ENV{PPROXY_LISTEN} ne "") {
646 647 648 649 650 651 652
	my $listen_sock = IO::Socket::INET->new(
		Listen    => 2,
		LocalAddr => "localhost",
		LocalPort => $ENV{PPROXY_LISTEN},
		Proto     => "tcp"
	);
	if (! $listen_sock) {
653
		die "pproxy: $! -- PPROXY_LISTEN\n";
654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673
	}
	my $ip;
	($listen_handle, $ip) = $listen_sock->accept();
	if (! $listen_handle) {
		die "pproxy: $!\n";
	}
}

my $sock = IO::Socket::INET->new(
	PeerAddr => $proxy_host,
	PeerPort => $proxy_port,
	Proto => "tcp"
);

if (! $sock) {
	my $err = $!;
	unlink($0) if $ENV{PPROXY_REMOVE};
	die "pproxy: $err\n";
}

674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779
unlink($0) if $ENV{PPROXY_REMOVE};

$cur_proxy = $first;
setmode($mode_1st);

if ($second ne "") {
	connection($second, 1);

	setmode($mode_2nd);
	$cur_proxy = $second;

	if ($third ne "") {
		connection($third, 2);
		setmode($mode_3rd);
		$cur_proxy = $third;
		connection($connect, 3);
	} else {
		connection($connect, 2);
	}
} else {
	connection($connect, 1);
}

$parent = $$;
$child = fork;
if (! defined $child) {
	kill "TERM", $ENV{PPROXY_KILLPID} if $ENV{PPROXY_KILLPID};
	exit 1;
}

if ($child) {
	print STDERR "pproxy parent\[$$]  STDIN -> socket\n";
	if ($listen_handle) {
		xfer($listen_handle, $sock);
	} else {
		xfer(STDIN, $sock);
	}
	select(undef, undef, undef, 0.25);
	if (kill 0, $child) {
		select(undef, undef, undef, 1.5);
		#print STDERR "pproxy\[$$]: kill TERM $child\n";
		kill "TERM", $child;
	}
} else {
	print STDERR "pproxy child \[$$]  socket -> STDOUT\n";
	if ($listen_handle) {
		xfer($sock, $listen_handle);
	} else {
		xfer($sock, STDOUT);
	}
	select(undef, undef, undef, 0.25);
	if (kill 0, $parent) {
		select(undef, undef, undef, 1.5);
		#print STDERR "pproxy\[$$]: kill TERM $parent\n";
		kill "TERM", $parent;
	}
}
if ($ENV{PPROXY_KILLPID} ne "") {
	if ($ENV{PPROXY_KILLPID} =~ /^(\+|-)/) {
		$ENV{PPROXY_KILLPID} = $$ + $ENV{PPROXY_KILLPID};
	}
	print STDERR "kill TERM, $ENV{PPROXY_KILLPID}\n";
	kill "TERM", $ENV{PPROXY_KILLPID};
}
exit;

sub url_parse {
	my $hostport = shift;
	my $mode = "http";
	if ($hostport =~ m,^socks4?://(\S*)$,i) {
		$mode = "socks4";
		$hostport = $1;
	} elsif ($hostport =~ m,^socks5://(\S*)$,i) {
		$mode = "socks5";
		$hostport = $1;
	} elsif ($hostport =~ m,^https?://(\S*)$,i) {
		$mode = "http";
		$hostport = $1;
	} elsif ($hostport =~ m,^repeater://(\S*)\+(\S*)$,i) {
		# ultravnc repeater proxy.
		$hostport = $1;
		$mode = "repeater:$2";
		if ($hostport !~ /:\d+/) {
			$hostport .= ":5900";
		}
	}
	return ($hostport, $mode);
}

sub setmode {
	my $mode = shift;
	$ENV{PPROXY_REPEATER} = "";
	if ($mode =~ /^socks/) {
		if ($mode =~ /^socks5/) {
			$ENV{PPROXY_SOCKS} = 5;
		} else {
			$ENV{PPROXY_SOCKS} = 1;
		}
	} elsif ($mode =~ /^repeater:(.*)/) {
		$ENV{PPROXY_REPEATER} = $1;
		$ENV{PPROXY_SOCKS} = "";
	} else {
		$ENV{PPROXY_SOCKS} = "";
	}
}

780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903
sub connection {
	my ($CONNECT, $w) = @_;

	my $con = "";
	my $msg = "";

	if ($ENV{PPROXY_SOCKS} eq "5") {
		# SOCKS5
		my ($h, $p) = split(/:/, $CONNECT);
		$con .= pack("C", 0x05);
		$con .= pack("C", 0x01);
		$con .= pack("C", 0x00);

		$msg = "SOCKS5 via $cur_proxy to $h:$p\n\n";
		print STDERR "proxy_request$w: $msg";

		syswrite($sock, $con, length($con));

		my ($n1, $n2, $n3, $n4, $n5, $n6);
		my ($r1, $r2, $r3, $r4, $r5, $r6);
		my ($s1, $s2, $s3, $s4, $s5, $s6);

		$n1 = sysread($sock, $r1, 1);
		$n2 = sysread($sock, $r2, 1);

		$s1 = unpack("C", $r1);
		$s2 = unpack("C", $r2);
		if ($s1 != 0x05 || $s2 != 0x00) {
			print STDERR "SOCKS5 fail s1=$s1 s2=$s2 n1=$n1 n2=$n2\n";
			close $sock;
			exit(1);
		}

		$con = "";
		$con .= pack("C", 0x05);
		$con .= pack("C", 0x01);
		$con .= pack("C", 0x00);
		$con .= pack("C", 0x03);
		$con .= pack("C", length($h));
		$con .= $h;
		$con .= pack("C", $p >> 8);
		$con .= pack("C", $p & 0xff);

		syswrite($sock, $con, length($con));

		$n1 = sysread($sock, $r1, 1);
		$n2 = sysread($sock, $r2, 1);
		$n3 = sysread($sock, $r3, 1);
		$n4 = sysread($sock, $r4, 1);
		$s1 = unpack("C", $r1);
		$s2 = unpack("C", $r2);
		$s3 = unpack("C", $r3);
		$s4 = unpack("C", $r4);

		if ($s4 == 0x1) {
			sysread($sock, $r5, 4 + 2);
		} elsif ($s4 == 0x3) {
			sysread($sock, $r5, 1);
			$s5 = unpack("C", $r5);
			sysread($sock, $r6, $s5 + 2);
		} elsif ($s4 == 0x4) {
			sysread($sock, $r5, 16 + 2);
		}

		if ($s1 != 0x5 || $s2 != 0x0 || $s3 != 0x0) {
			print STDERR "SOCKS5 failed: s1=$s1 s2=$s2 s3=$s3 s4=$s4 n1=$n1 n2=$n2 n3=$n3 n4=$n4\n";
			close $sock;
			exit(1);
		}

	} elsif ($ENV{PPROXY_SOCKS} ne "") {
		# SOCKS4 SOCKS4a
		my ($h, $p) = split(/:/, $CONNECT);
		$con .= pack("C", 0x04);
		$con .= pack("C", 0x01);
		$con .= pack("n", $p);

		my $SOCKS_4a = 0;
		if ($h eq "localhost" || $h eq "127.0.0.1") {
			$con .= pack("C", 127);
			$con .= pack("C", 0);
			$con .= pack("C", 0);
			$con .= pack("C", 1);
		} elsif ($h =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/) {
			$con .= pack("C", $1);
			$con .= pack("C", $2);
			$con .= pack("C", $3);
			$con .= pack("C", $4);
		} else {
			$con .= pack("C", 0);
			$con .= pack("C", 0);
			$con .= pack("C", 0);
			$con .= pack("C", 3);
			$SOCKS_4a = 1;
		}

		$con .= "nobody";
		$con .= pack("C", 0);

		$msg = "SOCKS4 via $cur_proxy to $h:$p\n\n";
		if ($SOCKS_4a) {
			$con .= $h;
			$con .= pack("C", 0);
			$msg =~ s/SOCKS4/SOCKS4a/;
		}
		print STDERR "proxy_request$w: $msg";
		syswrite($sock, $con, length($con));

		my $ok = 1;
		for (my $i = 0; $i < 8; $i++) {
			my $c;
			sysread($sock, $c, 1);
			my $s = unpack("C", $c);
			if ($i == 0) {
				$ok = 0 if $s != 0x0;
			} elsif ($i == 1) {
				$ok = 0 if $s != 0x5a;
			}
		}
		if (! $ok) {
			print STDERR "SOCKS4 failed.\n";
			close $sock;
			exit(1);
		}
904 905 906 907 908 909 910 911 912 913 914 915
	} elsif ($ENV{PPROXY_REPEATER} ne "") {
		my $rep = $ENV{PPROXY_REPEATER};
		print STDERR "repeater: $rep\n";
		$rep .= pack("x") x 250;
		syswrite($sock, $rep, 250);

		my $ok = 1;
		for (my $i = 0; $i < 12; $i++) {
			my $c;
			sysread($sock, $c, 1);
			print STDERR $c;
		}
916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983

	} else {
		# Web Proxy:
		$con = "CONNECT $CONNECT HTTP/1.1\r\n";
		$con   .= "Host: $CONNECT\r\n";
		$con   .= "Connection: close\r\n\r\n";
		$msg = $con;

		print STDERR "proxy_request$w: via $cur_proxy:\n$msg";
		syswrite($sock, $con, length($con));

		my $rep = "";
		my $n = 0;
		while ($rep !~ /\r\n\r\n/ && $n < 30000) {
			my $c;
			sysread($sock, $c, 1);
			print STDERR $c;
			$rep .= $c;
			$n++;
		}
		if ($rep !~ m,HTTP/.* 200,) {
			print STDERR "HTTP CONNECT failed.\n";
			close $sock;
			exit(1);
		}
	}
}

sub xfer {
	my($in, $out) = @_;
	$RIN = $WIN = $EIN = "";
	$ROUT = "";
	vec($RIN, fileno($in), 1) = 1;
	vec($WIN, fileno($in), 1) = 1;
	$EIN = $RIN | $WIN;

	while (1) {
		my $nf = 0;
		while (! $nf) {
			$nf = select($ROUT=$RIN, undef, undef, undef);
		}
		my $len = sysread($in, $buf, 8192);
		if (! defined($len)) {
			next if $! =~ /^Interrupted/;
			print STDERR "pproxy\[$$]: $!\n";
			last;
		} elsif ($len == 0) {
			print STDERR "pproxy\[$$]: Input is EOF.\n";
			last;
		}
		my $offset = 0;
		my $quit = 0;
		while ($len) {
			my $written = syswrite($out, $buf, $len, $offset);
			if (! defined $written) {
				print STDERR "pproxy\[$$]: Output is EOF. $!\n";
				$quit = 1;
				last;
			}
			$len -= $written;
			$offset += $written;
		}
		last if $quit;
	}
	close($in);
	close($out);
}
'
984 985 986 987 988
	# xpg_echo will expand \n \r, etc.
	# try to unset and then test for it.
	shopt -u xpg_echo >/dev/null 2>&1
	v='print STDOUT "abc\n";'
	echo "$v" > $tf
989
	chmod 700 $tf
990 991 992 993 994 995 996 997

	lc=`wc -l $tf | awk '{print $1}'`
	if [ "X$lc" = "X1" ]; then
		echo "$cod" > $tf
	else
		printf "%s" "$cod" > $tf
		echo "" >> $tf
	fi
998 999 1000 1001 1002 1003 1004 1005
	# prime perl
	perl -e 'use IO::Socket::INET; select(undef, undef, undef, 0.01)' >/dev/null 2>&1
}

Kecho() {
	if [ "X$USER" = "Xrunge" ]; then
		echo "dbg: $*"
	fi
1006 1007
}

runge's avatar
runge committed
1008
if [ "X$use_ssh" = "X1" ]; then
1009 1010 1011
	#
	# USING SSH
	#
runge's avatar
runge committed
1012 1013 1014
	ssh_port="22"
	ssh_host="$host"
	vnc_host="localhost"
1015
	# let user override ssh via $SSH
runge's avatar
runge committed
1016
	ssh=${SSH:-"ssh -x"}
1017

1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035
	if [ "X$SSVNC_LIM_ACCEPT_PRELOAD" != "X" ]; then
		SSVNC_LIM_ACCEPT_PRELOAD="$SSVNC_BASEDIR/$SSVNC_UNAME/$SSVNC_LIM_ACCEPT_PRELOAD"
	fi
	if [ "X$SSVNC_LIM_ACCEPT_PRELOAD" != "X" ]; then
		echo ""
		echo "SSVNC_LIM_ACCEPT_PRELOAD=$SSVNC_LIM_ACCEPT_PRELOAD"
	fi

	if [ "X$SSVNC_LIM_ACCEPT_PRELOAD" != "X" -a -f "$SSVNC_LIM_ACCEPT_PRELOAD" ]; then
		plvar=LD_PRELOAD
		if uname | grep Darwin >/dev/null; then
			plvar="DYLD_FORCE_FLAT_NAMESPACE=1 DYLD_INSERT_LIBRARIES"
		fi
		ssh="env $plvar=$SSVNC_LIM_ACCEPT_PRELOAD $ssh"
	else
		SSVNC_LIM_ACCEPT_PRELOAD=""
	fi

1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140
	if echo "$proxy" | egrep '(http|https|socks|socks4|socks5)://' > /dev/null; then
		# Handle Web or SOCKS proxy(ies) for the initial connect.
Kecho host=$host
Kecho port=$port
		pproxy=""
		sproxy1=""
		sproxy_rest=""
		for part in `echo "$proxy" | tr ',' ' '`
		do
			Kecho proxy_part=$part
			if [ "X$part" = "X" ]; then
				continue
			elif echo "$part" | egrep -i '^(http|https|socks|socks4|socks5)://' > /dev/null; then
				pproxy="$pproxy,$part"
			else
				if [ "X$sproxy1" = "X" ]; then
					sproxy1="$part"
				else
					sproxy_rest="$sproxy_rest,$part"
				fi
			fi
		done
		pproxy=`echo "$pproxy" | sed -e 's/^,,*//' -e 's/,,*/,/g'`
		sproxy_rest=`echo "$sproxy_rest" | sed -e 's/^,,*//' -e 's/,,*/,/g'`
Kecho pproxy=$pproxy
Kecho sproxy1=$sproxy1
Kecho sproxy_rest=$sproxy_rest

		sproxy1_host=""
		sproxy1_port=""
		sproxy1_user=""

		if [ "X$sproxy1" != "X" ]; then
			sproxy1_host=`echo "$sproxy1" | awk -F: '{print $1}'`
			sproxy1_user=`echo "$sproxy1_host" | awk -F@ '{print $1}'`
			sproxy1_host=`echo "$sproxy1_host" | awk -F@ '{print $2}'`
			if [ "X$sproxy1_host" = "X" ]; then
				sproxy1_host=$sproxy1_user
				sproxy1_user=""
			else
				sproxy1_user="${sproxy1_user}@"
			fi
			sproxy1_port=`echo "$sproxy1" | awk -F: '{print $2}'`
			if [ "X$sproxy1_port" = "X" ]; then
				sproxy1_port="22"
			fi
		else
			sproxy1_host=`echo "$host" | awk -F: '{print $1}'`
			sproxy1_user=`echo "$sproxy1_host" | awk -F@ '{print $1}'`
			sproxy1_host=`echo "$sproxy1_host" | awk -F@ '{print $2}'`
			if [ "X$sproxy1_host" = "X" ]; then
				sproxy1_host=$sproxy1_user
				sproxy1_user=""
			else
				sproxy1_user="${sproxy1_user}@"
			fi
			sproxy1_port=`echo "$host" | awk -F: '{print $2}'`
			if [ "X$sproxy1_port" = "X" ]; then
				sproxy1_port="22"
			fi
		fi

Kecho sproxy1_host=$sproxy1_host
Kecho sproxy1_port=$sproxy1_port
Kecho sproxy1_user=$sproxy1_user

		ptmp="/tmp/ss_vncviewer${RANDOM}.$$.pl"
		mytmp "$ptmp"
		PPROXY_REMOVE=1; export PPROXY_REMOVE
		proxy=$pproxy
		port_save=$port
		host_save=$host
		if [ "X$sproxy1_host" != "X" ]; then
			host=$sproxy1_host
		fi
		if [ "X$sproxy1_port" != "X" ]; then
			port=$sproxy1_port
		fi
		host=`echo "$host" | sed -e 's/^.*@//'`
		port=`echo "$port" | sed -e 's/^.*://'`
		pcode "$ptmp"
		port=$port_save
		host=$host_save

		nd=`findfree 6700`
		PPROXY_LISTEN=$nd; export PPROXY_LISTEN
		$ptmp &
		sleep 2
		ssh_args="$ssh_args -o NoHostAuthenticationForLocalhost=yes"
		if [ "X$sproxy1" = "X" ]; then
			u=""
			if echo "$host" | grep '@' > /dev/null; then
				u=`echo "$host" | sed -e 's/@.*$/@/'`
			fi
			
			proxy="${u}localhost:$nd"
		else
			proxy="${sproxy1_user}localhost:$nd"
		fi
		if [ "X$sproxy_rest" != "X" ]; then
			proxy="$proxy,$sproxy_rest"
		fi
Kecho proxy=$proxy
	fi

runge's avatar
runge committed
1141
	if echo "$proxy" | grep "," > /dev/null; then
1142

runge's avatar
runge committed
1143 1144
		proxy1=`echo "$proxy" | awk -F, '{print $1}'`
		proxy2=`echo "$proxy" | awk -F, '{print $2}'`
1145

runge's avatar
runge committed
1146 1147 1148
		# user1@gw1.com:port1,user2@ws2:port2
		ssh_host1=`echo "$proxy1" | awk -F: '{print $1}'`
		ssh_port1=`echo "$proxy1" | awk -F: '{print $2}'`
1149
		if [ "X$ssh_port1" != "X" ]; then
1150
			ssh_port1="-p $ssh_port1"
runge's avatar
runge committed
1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167
		fi
		ssh_host2=`echo "$proxy2" | awk -F: '{print $1}'`
		ssh_user2=`echo "$ssh_host2" | awk -F@ '{print $1}'`
		ssh_host2=`echo "$ssh_host2" | awk -F@ '{print $2}'`
		if [ "X$ssh_host2" = "X" ]; then
			ssh_host2=$ssh_user2
			ssh_user2=""
		else
			ssh_user2="${ssh_user2}@"
		fi
		ssh_port2=`echo "$proxy2" | awk -F: '{print $2}'`
		if [ "X$ssh_port2" = "X" ]; then
			ssh_port2="22"
		fi
		proxport=`findfree 3500`
		echo
		echo "Running 1st ssh proxy:"
1168 1169 1170
		echo "$ssh -f -x $ssh_port1 $targ -e none -o NoHostAuthenticationForLocalhost=yes -L $proxport:$ssh_host2:$ssh_port2 $ssh_host1 \"sleep 30\""
		echo ""
		      $ssh -f -x $ssh_port1 $targ -e none -o NoHostAuthenticationForLocalhost=yes -L $proxport:$ssh_host2:$ssh_port2 $ssh_host1 "sleep 30"
runge's avatar
runge committed
1171 1172 1173 1174 1175
		ssh_args="$ssh_args -o NoHostAuthenticationForLocalhost=yes"
		sleep 1
		stty sane
		proxy="${ssh_user2}localhost:$proxport"
	fi
1176

runge's avatar
runge committed
1177 1178 1179 1180 1181 1182 1183 1184
	if [ "X$proxy" != "X" ]; then
		ssh_port=`echo "$proxy" | awk -F: '{print $2}'`
		if [ "X$ssh_port" = "X" ]; then
			ssh_port="22"
		fi
		ssh_host=`echo "$proxy" | awk -F: '{print $1}'`
		vnc_host="$host"
	fi
1185

runge's avatar
runge committed
1186 1187 1188
	echo ""
	echo "Running ssh:"
	sz=`echo "$ssh_cmd" | wc -c`
1189
	if [ "$sz" -gt 300 ]; then
runge's avatar
runge committed
1190 1191 1192 1193 1194 1195
		info="..."
	else
		info="$ssh_cmd"
	fi

	C=""
runge's avatar
runge committed
1196
	if [ "X$SS_VNCVIEWER_USE_C" != "X" ]; then
runge's avatar
runge committed
1197 1198
		C="-C"
	fi
1199 1200

	getport=""
1201
	teeport=""
1202 1203
	if echo "$ssh_cmd" | egrep "^(PORT=|P=)" > /dev/null; then
		getport=1
1204 1205 1206 1207
		if echo "$ssh_cmd" | egrep "^P=" > /dev/null; then
			teeport=1
		fi

1208 1209 1210 1211 1212 1213 1214 1215 1216 1217
		PORT=""
		ssh_cmd=`echo "$ssh_cmd" | sed -e 's/^PORT=[ 	]*//' -e 's/^P=//'`
		SSVNC_NO_ENC_WARN=1
		if [ "X$use_sshssl" = "X" ]; then
			direct_connect=1
		fi
	fi
	if [ "X$getport" != "X" ]; then
		ssh_redir="-D ${use}"
	elif [ "X$reverse" = "X" ]; then
1218 1219 1220 1221 1222
		ssh_redir="-L ${use}:${vnc_host}:${port}"
	else
		ssh_redir="-R ${port}:${vnc_host}:${use}"
	fi
	pmark=`sh -c 'echo $$'`
1223

runge's avatar
runge committed
1224
	# the -t option actually speeds up typing response via VNC!!
1225 1226 1227 1228 1229
	if [ "X$ssh_port" = "X22" ]; then
		ssh_port=""
	else
		ssh_port="-p $ssh_port"
	fi
1230

runge's avatar
runge committed
1231
	if [ "X$SS_VNCVIEWER_SSH_ONLY" != "X" ]; then
1232
		echo "$ssh -x $ssh_port $targ $C $ssh_args $ssh_host \"$info\""
runge's avatar
runge committed
1233
		echo ""
1234
		$ssh -x $ssh_port $targ $C $ssh_args $ssh_host "$ssh_cmd"
runge's avatar
runge committed
1235
		exit $?
1236

runge's avatar
runge committed
1237
	elif [ "X$SS_VNCVIEWER_NO_F" != "X" ]; then
1238
		echo "$ssh -x $ssh_port $targ $C $ssh_redir $ssh_args $ssh_host \"$info\""
runge's avatar
runge committed
1239
		echo ""
1240
		$ssh -x $ssh_port $targ $C $ssh_redir $ssh_args $ssh_host "$ssh_cmd"
1241 1242 1243 1244 1245
		rc=$?

	elif [ "X$getport" != "X" ]; then
		tport=/tmp/tport${RANDOM}.$$
		mytmp $tport
1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272

		if [ "X$rsh" != "X1" ]; then
			if echo "$ssh_cmd" | grep -w sudo > /dev/null; then
				echo ""
				echo "Initial ssh with 'sudo id' to prime sudo so hopefully the next one"
				echo "will require no password..."
				echo ""
				targ="-t"
				$ssh -x $ssh_port $targ $ssh_args $ssh_host "sudo id; tty"
				echo ""
			fi
			echo "$ssh -x -f $ssh_port $targ $C $ssh_redir $ssh_args $ssh_host \"$info\""
			echo ""
			$ssh -x -f $ssh_port $targ $C $ssh_redir $ssh_args $ssh_host "$ssh_cmd" > $tport 
			if [ "X$teeport" = "X1" ]; then
				tail -f $tport 1>&2 &
				tail_pid=$!
			fi
			rc=$?
		else
			rsh_setup
			echo "rsh $ul $ssh_host \"$ssh_cmd\""
			echo ""
			rsh $ul $ssh_host "$ssh_cmd" > $tport &
			sleep 1
			rc=0
		fi
1273

1274
		if [ "X$SSVNC_EXTRA_SLEEP" != "X" ]; then
1275
			echo "sleep $SSVNC_EXTRA_SLEEP"
1276 1277 1278
			sleep $SSVNC_EXTRA_SLEEP
		fi

1279 1280
		stty sane
		i=0
1281 1282 1283 1284 1285 1286 1287 1288 1289 1290
		if type perl > /dev/null 2>&1; then
			imax=50
			sleepit="perl -e 'select(undef, undef, undef, 0.20)'"
		else
			imax=10
			sleepit="sleep 1"
		fi
		while [ $i -lt $imax ]; do
			#echo $sleepit
			eval $sleepit
1291
			PORT=`grep "^PORT=" $tport | head -n 1 | sed -e 's/PORT=//' -e 's/\r//g'`
1292 1293 1294
			if echo "$PORT" | grep '^[0-9][0-9]*$' > /dev/null; then
				break
			fi
1295
			vnss=`sed -e 's/\r//g' $tport | egrep -i '^(New.* desktop is|A VNC server is already running).*:[0-9[0-9]*$' | head -n 1 | awk '{print $NF}'`
1296 1297 1298 1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310
			if [ "X$vnss" != "X" ]; then
				PORT=`echo "$vnss" | awk -F: '{print $2}'`
				if echo "$PORT" | grep '^[0-9][0-9]*$' > /dev/null; then
					if [ $PORT -lt 100 ]; then
						PORT=`expr $PORT + 5900`
					fi
				fi
				if echo "$PORT" | grep '^[0-9][0-9]*$' > /dev/null; then
					break
				fi
			fi
			i=`expr $i + 1`
		done

		echo "PORT=$PORT" 1>&2
1311 1312 1313 1314 1315
		rm -f $tport
		if [ "X$rsh" = "X1" ]; then
			rsh_viewer "$@"
			exit $?
		fi
1316
		PPROXY_SOCKS=1
1317 1318 1319
		if [ "X$SSVNC_SOCKS5" != "X" ]; then
			PPROXY_SOCKS=5
		fi
1320 1321 1322 1323 1324
		export PPROXY_SOCKS
		host="localhost"
		port="$PORT"
		proxy="localhost:$use"

runge's avatar
runge committed
1325
	else
1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 1339 1340
		if [ "X$rsh" != "X1" ]; then
			echo "$ssh -x -f $ssh_port $targ $C $ssh_redir $ssh_args $ssh_host \"$info\""
			echo ""
			$ssh -x -f $ssh_port $targ $C $ssh_redir $ssh_args $ssh_host "$ssh_cmd"
			rc=$?
		else
			rsh_setup
			echo "rsh $ul $ssh_host \"$ssh_cmd\""
			echo ""
			rsh $ul $ssh_host "$ssh_cmd" &
			sleep 1
			PORT=$port
			rsh_viewer "$@"
			exit $?
		fi
runge's avatar
runge committed
1341
	fi
1342 1343

	if [ "$rc" != "0" ]; then
runge's avatar
runge committed
1344 1345 1346 1347
		echo ""
		echo "ssh to $ssh_host failed."
		exit 1
	fi
1348 1349 1350 1351
	stty sane

	c=0
	pssh=""
1352
	mssh=`echo "$ssh" | sed -e 's/^env.*ssh/ssh/'`
1353 1354 1355
	while [ $c -lt 30 ]
	do
		p=`expr $pmark + $c`
1356
		if ps -p "$p" 2>&1 | grep "$mssh" > /dev/null; then
1357 1358 1359 1360 1361
			pssh=$p
			break
		fi
		c=`expr $c + 1`
	done
1362 1363
	if [ "X$getport" != "X" ]; then
		:
1364 1365
	elif [ "X$SSVNC_LIM_ACCEPT_PRELOAD" != "X" ] ; then
		sleep 2
1366
	elif [ "X$ssh_cmd" = "Xsleep $ssh_sleep" ] ; then
1367
		#echo T sleep 1
runge's avatar
runge committed
1368
		sleep 1
1369 1370 1371
	elif echo "$ssh_cmd" | grep '^sleep ' >/dev/null; then
		#echo T sleep 2
		sleep 2
runge's avatar
runge committed
1372 1373
	else
		# let any command get started a bit.
1374
		#echo T sleep 5
runge's avatar
runge committed
1375 1376 1377
		sleep 5
	fi
	echo ""
1378 1379
	#reset
	stty sane
1380
	if [ "X$SSVNC_EXTRA_SLEEP" != "X" ]; then
1381
		echo "sleep $SSVNC_EXTRA_SLEEP"
1382 1383
		sleep $SSVNC_EXTRA_SLEEP
	fi
1384
	#echo "pssh=\"$pssh\""
1385
	if [ "X$use_sshssl" = "X" -a "X$getport" = "X" ]; then
runge's avatar
runge committed
1386
		echo "Running viewer:"
1387 1388 1389 1390 1391 1392

		trap "final" 0 2 15
		if [ "X$reverse" = "X" ]; then
			echo "$VNCVIEWERCMD" "$@" localhost:$N
			echo ""
			$VNCVIEWERCMD "$@" localhost:$N
1393 1394 1395 1396 1397 1398 1399
			if [ $? != 0 ]; then
				echo "vncviewer command failed: $?"
				if [ "X$secondtry" = "X1" ]; then
					sleep 2
					$VNCVIEWERCMD "$@" localhost:$N
				fi
			fi
1400 1401 1402 1403 1404 1405 1406 1407
		else
			echo ""
			echo "NOTE: Press Ctrl-C to terminate viewer LISTEN mode."
			echo ""
			echo "$VNCVIEWERCMD" "$@" -listen $N
			echo ""
			$VNCVIEWERCMD "$@" -listen $N
		fi
runge's avatar
runge committed
1408 1409 1410 1411 1412 1413 1414 1415 1416 1417

		exit $?
	else
		use2=`findfree 5960`
		host0=$host
		port0=$port
		host=localhost
		port=$use
		use=$use2
		N=`expr $use - 5900`
1418 1419 1420 1421 1422 1423
		if [ "X$getport" != "X" ]; then
			host="$host0"
			port="$port0"
		else
			proxy=""
		fi
runge's avatar
runge committed
1424 1425 1426 1427 1428 1429 1430 1431 1432 1433 1434 1435 1436 1437 1438 1439 1440 1441 1442
	fi
fi

# create the stunnel config file:
if [ "X$verify" != "X" ]; then
	if [ -d $verify ]; then
		verify="CApath = $verify"
	else
		verify="CAfile = $verify"
	fi
	verify="$verify
verify = 2"
fi
if [ "X$mycert" != "X" ]; then
	cert="cert = $mycert"
fi

ptmp=""
if [ "X$proxy" != "X" ]; then
runge's avatar
runge committed
1443
	ptmp="/tmp/ss_vncviewer${RANDOM}.$$.pl"
runge's avatar
runge committed
1444
	mytmp "$ptmp"
1445
	PPROXY_REMOVE=1; export PPROXY_REMOVE
runge's avatar
runge committed
1446
	pcode "$ptmp"
runge's avatar
runge committed
1447
	if [ "X$showcert" != "X1" -a "X$direct_connect" = "X" ]; then
1448
		if uname | egrep 'Darwin|SunOS' >/dev/null; then
1449 1450
			# on mac we need to listen on socket instead of stdio:
			nd=`findfree 6700`
1451 1452
			PPROXY_LISTEN=$nd
			export PPROXY_LISTEN
1453 1454 1455 1456
			if [ "X$reverse" = "X" ]; then
				#$ptmp 2>/dev/null &
				$ptmp &
			fi
1457 1458
			#sleep 3
			sleep 2
runge's avatar
runge committed
1459 1460 1461 1462
			host="localhost"
			port="$nd"
			connect="connect = localhost:$nd"
		else
1463
			# otherwise on unix we can exec it:
runge's avatar
runge committed
1464 1465 1466 1467 1468
			connect="exec = $ptmp"
		fi
	else
		connect="exec = $ptmp"
	fi
runge's avatar
runge committed
1469 1470 1471 1472
else
	connect="connect = $host:$port"
fi

runge's avatar
runge committed
1473 1474
if [ "X$showcert" = "X1" ]; then
	if [ "X$proxy" != "X" ]; then
1475 1476
		PPROXY_LISTEN=$use
		export PPROXY_LISTEN
runge's avatar
runge committed
1477
		$ptmp 2>/dev/null &
1478
		sleep 1
runge's avatar
runge committed
1479 1480 1481 1482 1483 1484 1485
		host="localhost"
		port="$use"
	fi
	openssl s_client -connect $host:$port 2>&1 < /dev/null
	exit $?
fi

runge's avatar
runge committed
1486
if [ "X$direct_connect" != "X" ]; then
1487 1488 1489 1490 1491 1492 1493
	if [ "X$getport" = "X" ]; then
		echo ""
		echo "Running viewer for direct connection:"
		echo ""
		echo "** NOTE: THERE WILL BE NO SSL OR SSH ENCRYPTION **"
		echo ""
	fi
1494
	x=""
1495
	if [ "X$SSVNC_NO_ENC_WARN" != "X" ]; then
1496 1497 1498
		if [ "X$getport" = "X" ]; then
			sleep 1
		fi
1499
	elif type printf > /dev/null 2>&1; then
runge's avatar
runge committed
1500
		printf  "Are you sure you want to continue? [y]/n "
1501
		read x
runge's avatar
runge committed
1502 1503
	else
		echo -n "Are you sure you want to continue? [y]/n "
1504
		read x
runge's avatar
runge committed
1505 1506 1507 1508 1509 1510
	fi
	if [ "X$x" = "Xn" ]; then
		exit 1
	fi
	echo ""
	if [ "X$ptmp" != "X" ]; then
1511 1512
		PPROXY_LISTEN=$use
		export PPROXY_LISTEN
runge's avatar
runge committed
1513
		$ptmp &
1514
		if [ "X$reverse" = "X" ]; then
1515 1516 1517
			#sleep 2
			#echo T sleep 1
			sleep 1
1518
		fi
runge's avatar
runge committed
1519 1520 1521
		host="localhost"
		disp="$N"
	fi
1522
	if [ "X$SSVNC_EXTRA_SLEEP" != "X" ]; then
1523
		echo "T sleep $SSVNC_EXTRA_SLEEP"
1524 1525
		sleep $SSVNC_EXTRA_SLEEP
	fi
1526 1527 1528 1529 1530
	if [ "X$reverse" = "X" ]; then
		echo "$VNCVIEWERCMD" "$@" $host:$disp
		trap "final" 0 2 15
		echo ""
		$VNCVIEWERCMD "$@" $host:$disp
1531 1532 1533 1534 1535 1536 1537
		if [ $? != 0 ]; then
			echo "vncviewer command failed: $?"
			if [ "X$secondtry" = "X1" ]; then
				sleep 2
				$VNCVIEWERCMD "$@" $host:$disp
			fi
		fi
1538 1539 1540 1541
	else
		echo ""
		echo "NOTE: Press Ctrl-C to terminate viewer LISTEN mode."
		echo ""
runge's avatar
runge committed
1542
		echo "$VNCVIEWERCMD" "$@" -listen $disp
1543 1544
		trap "final" 0 2 15
		echo ""
runge's avatar
runge committed
1545
		$VNCVIEWERCMD "$@" -listen $disp
1546
	fi
runge's avatar
runge committed
1547 1548 1549
	exit $?
fi

1550 1551
tmp_cfg=/tmp/ss_vncviewer${RANDOM}.$$
mytmp "$tmp_cfg"
runge's avatar
runge committed
1552

1553 1554
# make_tcert is no longer invoked via the ssvnc gui (Listen mode).
# make_tcert is for testing only now via -mycert BUILTIN
1555 1556 1557
make_tcert() {
	tcert="/tmp/tcert${RANDOM}.$$"
	cat > $tcert <<END
1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594 1595 1596 1597 1598 1599 1600 1601 1602 1603 1604 1605 1606 1607 1608
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAvkfXxb0wcxgrjV2ziFikjII+ze8iKcTBt47L0GM/c21efelN
+zZpJUUXLu4zz8Ryq8Q+sQgfNy7uTOpN9bUUaOk1TnD7gaDQnQWiNHmqbW2kL+DS
OKngJVPo9dETAS8hf7+D1e1DBZxjTc1a4RQqWJixwpYj99ixWzu8VC2m/xXsjvOs
jp4+DLBB490nbkwvstmhmiWm1CmI5O5xOkgioVNQqHvQMdVKOSz9PpbjvZiRX1Uo
qoMrk+2NOqwP90TB35yPASXb9zXKpO7DLhkube+yYGf+yk46aD707L07Eb7cosFP
S84vNZ9gX7rQ0UOwm5rYA/oZTBskgaqhtIzkLwIDAQABAoIBAD4ot/sXt5kRn0Ca
CIkU9AQWlC+v28grR2EQW9JiaZrqcoDNUzUqbCTJsi4ZkIFh2lf0TsqELbZYNW6Y
6AjJM7al4E0UqYSKJTv2WCuuRxdiRs2BMwthqyBmjeanev7bB6V0ybt7u3Y8xU/o
MrTuYnr4vrEjXPKdLirwk7AoDbKsRXHSIiHEIBOq1+dUQ32t36ukdnnza4wKDLZc
PKHiCdCk/wOGhuDlxD6RspqUAlRnJ8/aEhrgWxadFXw1hRhRsf/v1shtB0T3DmTe
Jchjwyiw9mryb9JZAcKxW+fUc4EVvj6VdQGqYInQJY5Yxm5JAlVQUJicuuJEvn6A
rj5osQECgYEA552CaHpUiFlB4HGkjaH00kL+f0+gRF4PANCPk6X3UPDVYzKnzmuu
yDvIdEETGFWBwoztUrOOKqVvPEQ+kBa2+DWWYaERZLtg2cI5byfDJxQ3ldzilS3J
1S3WgCojqcsG/hlxoQJ1dZFanUy/QhUZ0B+wlC+Zp1Q8AyuGQvhHp68CgYEA0lBI
eqq2GGCdJuNHMPFbi8Q0BnX55LW5C1hWjhuYiEkb3hOaIJuJrqvayBlhcQa2cGqp
uP34e9UCfoeLgmoCQ0b4KpL2NGov/mL4i8bMgog4hcoYuIi3qxN18vVR14VKEh4U
RLk0igAYPU+IK2QByaQlBo9OSaKkcfm7U1/pK4ECgYAxr6VpGk0GDvfF2Tsusv6d
GIgV8ZP09qSLTTJvvxvF/lQYeqZq7sjI5aJD5i3de4JhpO/IXQJzfZfWOuGc8XKA
3qYK/Y2IqXXGYRcHFGWV/Y1LFd55mCADHlk0l1WdOBOg8P5iRu/Br9PbiLpCx9oI
vrOXpnp03eod1/luZmqguwKBgQCWFRSj9Q7ddpSvG6HCG3ro0qsNsUMTI1tZ7UBX
SPogx4tLf1GN03D9ZUZLZVFUByZKMtPLX/Hi7K9K/A9ikaPrvsl6GEX6QYzeTGJx
3Pw0amFrmDzr8ySewNR6/PXahxPEuhJcuI31rPufRRI3ZLah3rFNbRbBFX+klkJH
zTnoAQKBgDbUK/aQFGduSy7WUT7LlM3UlGxJ2sA90TQh4JRQwzur0ACN5GdYZkqM
YBts4sBJVwwJoxD9OpbvKu3uKCt41BSj0/KyoBzjT44S2io2tj1syujtlVUsyyBy
/ca0A7WBB8lD1D7QMIhYUm2O9kYtSCLlUTHt5leqGaRG38DqlX36
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDzDCCArQCCQDSzxzxqhyqLzANBgkqhkiG9w0BAQQFADCBpzELMAkGA1UEBhMC
VVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxDzANBgNVBAcTBkJvc3RvbjETMBEG
A1UEChMKTXkgQ29tcGFueTEcMBoGA1UECxMTUHJvZHVjdCBEZXZlbG9wbWVudDEZ
MBcGA1UEAxMQd3d3Lm5vd2hlcmUubm9uZTEhMB8GCSqGSIb3DQEJARYSYWRtaW5A
bm93aGVyZS5ub25lMB4XDTA3MDMyMzE4MDc0NVoXDTI2MDUyMjE4MDc0NVowgacx
CzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMQ8wDQYDVQQHEwZC
b3N0b24xEzARBgNVBAoTCk15IENvbXBhbnkxHDAaBgNVBAsTE1Byb2R1Y3QgRGV2
ZWxvcG1lbnQxGTAXBgNVBAMTEHd3dy5ub3doZXJlLm5vbmUxITAfBgkqhkiG9w0B
CQEWEmFkbWluQG5vd2hlcmUubm9uZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAL5H18W9MHMYK41ds4hYpIyCPs3vIinEwbeOy9BjP3NtXn3pTfs2aSVF
Fy7uM8/EcqvEPrEIHzcu7kzqTfW1FGjpNU5w+4Gg0J0FojR5qm1tpC/g0jip4CVT
6PXREwEvIX+/g9XtQwWcY03NWuEUKliYscKWI/fYsVs7vFQtpv8V7I7zrI6ePgyw
QePdJ25ML7LZoZolptQpiOTucTpIIqFTUKh70DHVSjks/T6W472YkV9VKKqDK5Pt
jTqsD/dEwd+cjwEl2/c1yqTuwy4ZLm3vsmBn/spOOmg+9Oy9OxG+3KLBT0vOLzWf
YF+60NFDsJua2AP6GUwbJIGqobSM5C8CAwEAATANBgkqhkiG9w0BAQQFAAOCAQEA
vGomHEp6TVU83X2EBUgnbOhzKJ9u3fOI/Uf5L7p//Vxqow7OR1cguzh/YEzmXOIL
ilMVnzX9nj/bvcLAuqEP7MR1A8f4+E807p/L/Sf49BiCcwQq5I966sGKYXjkve+T
2GTBNwMSq+5kLSf6QY8VZI+qnrAudEQMeJByQhTZZ0dH8Njeq8EGl9KUio+VWaiW
CQK6xJuAvAHqa06OjLmwu1fYD4GLGSrOIiRVkSXV8qLIUmzxdJaIRznkFWsrCEKR
wAH966SAOvd2s6yOHMvyDRIL7WHxfESB6rDHsdIW/yny1fBePjv473KrxyXtbz7I
dMw1yW09l+eEo4A7GzwOdw==
-----END CERTIFICATE-----
END
1609 1610 1611 1612
	chmod 600 $tcert
	echo "$tcert"
}

1613 1614 1615 1616 1617
stunnel_exec=""
if echo $STUNNEL_EXTRA_SVC_OPTS | grep '#stunnel-exec' > /dev/null; then
	stunnel_exec="#"
fi

1618 1619 1620
if [ "X$reverse" = "X" ]; then

	if echo "$proxy" | grep repeater:// > /dev/null; then
1621
		if [ "X$cert" = "XBUILTIN" ]; then
1622 1623 1624
			ttcert=`make_tcert`
			cert="cert = $ttcert"
		fi
1625 1626
		# Note for listen mode, an empty cert will cause stunnel to fail.
		# The ssvnc gui will have already taken care of this.
1627 1628
	fi

1629
	cat > "$tmp_cfg" <<END
1630 1631 1632 1633 1634
foreground = yes
pid =
client = yes
debug = 6
$STUNNEL_EXTRA_OPTS
1635
$STUNNEL_EXTRA_OPTS_USER
1636 1637 1638
$verify
$cert

1639 1640
${stunnel_exec}[vnc_stunnel]
${stunnel_exec}accept = localhost:$use
1641
$connect
1642 1643
$STUNNEL_EXTRA_SVC_OPTS
$STUNNEL_EXTRA_SVC_OPTS_USER
1644 1645 1646

END
else
1647
	stunnel_exec=""	# doesn't work for listening.
1648 1649 1650

	p2=`expr 5500 + $N`
	connect="connect = localhost:$p2"
1651
	if [ "X$cert" = "XBUILTIN" ]; then
1652 1653
		ttcert=`make_tcert`
		cert="cert = $ttcert"
1654
	fi
1655 1656
	# Note for listen mode, an empty cert will cause stunnel to fail.
	# The ssvnc gui will have already taken care of this.
1657 1658 1659 1660 1661 1662 1663

	STUNNEL_EXTRA_OPTS=`echo "$STUNNEL_EXTRA_OPTS" | sed -e 's/maxconn/#maxconn/'`

	hloc=""
	if [ "X$use_ssh" = "X1" ]; then
		hloc="localhost:"
	fi
1664
	cat > "$tmp_cfg" <<END
1665 1666 1667 1668 1669
foreground = yes
pid =
client = no
debug = 6
$STUNNEL_EXTRA_OPTS
1670
$STUNNEL_EXTRA_OPTS_USER
1671 1672 1673 1674 1675 1676
$verify
$cert

[vnc_stunnel]
accept = $hloc$port
$connect
1677 1678
$STUNNEL_EXTRA_SVC_OPTS
$STUNNEL_EXTRA_SVC_OPTS_USER
1679

runge's avatar
runge committed
1680
END
1681 1682
fi

runge's avatar
runge committed
1683 1684 1685
echo ""
echo "Using this stunnel configuration:"
echo ""
1686
cat "$tmp_cfg" | uniq
runge's avatar
runge committed
1687 1688 1689
echo ""
sleep 1

1690
if [ "X$stunnel_exec" = "X" ]; then
1691
	echo ""
1692 1693 1694 1695 1696 1697
	echo "Running stunnel:"
	echo "$STUNNEL $tmp_cfg"
	st=`echo "$STUNNEL" | awk '{print $1}'`
	$st -help > /dev/null 2>&1
	$STUNNEL "$tmp_cfg" < /dev/tty > /dev/tty &
	stunnel_pid=$!
1698
	echo ""
1699 1700 1701 1702 1703 1704 1705 1706 1707 1708 1709 1710 1711

	# pause here to let the user supply a possible passphrase for the
	# mycert key:
	if [ "X$mycert" != "X" ]; then
		sleep 1
		echo ""
		echo "(pausing for possible certificate passphrase dialog)"
		echo ""
		sleep 4
	fi
	#echo T sleep 1
	sleep 1
	rm -f "$tmp_cfg"
runge's avatar
runge committed
1712 1713
fi

1714

runge's avatar
runge committed
1715
echo ""
1716
if [ "X$SSVNC_EXTRA_SLEEP" != "X" ]; then
1717
	echo "sleep $SSVNC_EXTRA_SLEEP"
1718 1719
	sleep $SSVNC_EXTRA_SLEEP
fi
runge's avatar
runge committed
1720
echo "Running viewer:"
1721
if [ "X$reverse" = "X" ]; then
1722 1723 1724 1725 1726
	vnc_hp=localhost:$N
	if [ "X$stunnel_exec" != "X" ]; then
		vnc_hp="exec=$STUNNEL $tmp_cfg"
	fi
	echo "$VNCVIEWERCMD" "$@" "$vnc_hp"
1727 1728
	trap "final" 0 2 15
	echo ""
1729
	$VNCVIEWERCMD "$@" "$vnc_hp"
1730 1731 1732 1733
	if [ $? != 0 ]; then
		echo "vncviewer command failed: $?"
		if [ "X$secondtry" = "X1" ]; then
			sleep 2
1734
			$VNCVIEWERCMD "$@" "$vnc_hp"
1735 1736
		fi
	fi
1737 1738 1739 1740 1741 1742 1743
else
	echo ""
	echo "NOTE: Press Ctrl-C to terminate viewer LISTEN mode."
	echo ""
	echo "$VNCVIEWERCMD" "$@" -listen $N
	trap "final" 0 2 15
	echo ""
1744 1745 1746 1747 1748 1749
	if [ "X$proxy" != "X" ]; then
		PPROXY_REVERSE="localhost:$port"; export PPROXY_REVERSE
		PPROXY_SLEEP=1; export PPROXY_SLEEP;
		PPROXY_KILLPID=+1; export PPROXY_KILLPID;
		$ptmp &
	fi
1750 1751
	$VNCVIEWERCMD "$@" -listen $N
fi
runge's avatar
runge committed
1752 1753

sleep 1