Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Contribute to GitLab
Sign in
Toggle navigation
L
libvncserver
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
rasky
libvncserver
Commits
462c30db
Commit
462c30db
authored
Sep 17, 2006
by
runge
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Sync ETV.
parent
dba5e098
Changes
1
Show whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
1007 additions
and
102 deletions
+1007
-102
ssl_tightvncviewer.tcl
.../enhanced_tightvnc_viewer/bin/util/ssl_tightvncviewer.tcl
+1007
-102
No files found.
x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssl_tightvncviewer.tcl
View file @
462c30db
...
@@ -30,7 +30,7 @@ proc apply_bg {w} {
...
@@ -30,7 +30,7 @@ proc apply_bg {w} {
}
}
proc
scroll_text
{
fr
{
w 80
}
{
h 35
}}
{
proc
scroll_text
{
fr
{
w 80
}
{
h 35
}}
{
global help_font is_windows
global help_font is_windows
scroll_text_focus
catch
{
destroy
$fr
}
catch
{
destroy
$fr
}
...
@@ -45,7 +45,9 @@ proc scroll_text {fr {w 80} {h 35}} {
...
@@ -45,7 +45,9 @@ proc scroll_text {fr {w 80} {h 35}} {
pack
$fr.y
-side right -fill y
pack
$fr.y
-side right -fill y
pack
$fr.t
-side top -fill both -expand 1
pack
$fr.t
-side top -fill both -expand 1
if
{
$scroll
_text_focus
}
{
focus
$fr.t
focus
$fr.t
}
}
}
proc
scroll_text_dismiss
{
fr
{
w 80
}
{
h 35
}}
{
proc
scroll_text_dismiss
{
fr
{
w 80
}
{
h 35
}}
{
...
@@ -135,6 +137,13 @@ proc help {} {
...
@@ -135,6 +137,13 @@ proc help {} {
where it will print out its automatically generated certificate to
where it will print out its automatically generated certificate to
the screen and that can be safely copied to the viewer side.
the screen and that can be safely copied to the viewer side.
You can also use the
"Create Certificate"
feature of this program
under
"Certs ..."
. Just click on it and follow the instructions in
the dialog. Then copy the cert file to the VNC Server and specify the
other one in the
"Certs ..."
dialog. Alternatively you can use the
"Import Certificate"
action to paste in a certificate or read one in
from a file.
To set other Options, e.g. to use SSH instead of STUNNEL SSL,
To set other Options, e.g. to use SSH instead of STUNNEL SSL,
click on the
"Options ..."
button and read the Help there.
click on the
"Options ..."
button and read the Help there.
...
@@ -156,7 +165,7 @@ proc help {} {
...
@@ -156,7 +165,7 @@ proc help {} {
2) If you use
"user@hostname cmd=SHELL"
then
you get an SSH shell only:
2) If you use
"user@hostname cmd=SHELL"
then
you get an SSH shell only:
no VNC viewer will be launched. On Windows
"user@hostname cmd=PUTTY"
no VNC viewer will be launched. On Windows
"user@hostname cmd=PUTTY"
will try to use putty.exe
(
better terminal emulation than plink.exe
)
will try to use putty.exe
(
better terminal emulation than plink.exe
)
A shortcut for this is Ctrl-S.
A shortcut for this is Ctrl-S
as long as user@hostname is present
.
}
}
.h.f.t insert end
$msg
.h.f.t insert end
$msg
...
@@ -178,10 +187,22 @@ proc help_certs {} {
...
@@ -178,10 +187,22 @@ proc help_certs {} {
Only with SSL Certificate verification can Man In the Middle attacks be
Only with SSL Certificate verification can Man In the Middle attacks be
prevented. Otherwise, only passive snooping attacks are prevented with SSL.
prevented. Otherwise, only passive snooping attacks are prevented with SSL.
The SSL Certificate files described below can have been created externally
(
e.g. by x11vnc
)
, you can import it via
"Import Certificate"
if you like.
OR you can click on
"Create Certificate ..."
to use this program to generate a
Certificate + Private Key pair. In that case you will need to distribute one
of the generated files to the VNC Server.
Your Certificate + Key:
You can specify your own SSL certificate
(
PEM
)
file in
"MyCert"
in which case it
You can specify your own SSL certificate
(
PEM
)
file in
"MyCert"
in which case it
is used to authenticate you
(
the viewer
)
to the remote VNC Server. If this fails
is used to authenticate you
(
the viewer
)
to the remote VNC Server. If this fails
the remote VNC Server will drop the connection.
the remote VNC Server will drop the connection.
Server Certificates:
Server certs can be specified in one of two ways:
Server certs can be specified in one of two ways:
- A single certificate
(
PEM
)
file for a single server
- A single certificate
(
PEM
)
file for a single server
...
@@ -190,7 +211,6 @@ proc help_certs {} {
...
@@ -190,7 +211,6 @@ proc help_certs {} {
- A directory of certificate
(
PEM
)
files stored in
- A directory of certificate
(
PEM
)
files stored in
the special OpenSSL hash fashion.
the special OpenSSL hash fashion.
The former is set via
"ServerCert"
in this gui.
The former is set via
"ServerCert"
in this gui.
The latter is set via
"CertsDir"
in this gui.
The latter is set via
"CertsDir"
in this gui.
...
@@ -201,6 +221,11 @@ proc help_certs {} {
...
@@ -201,6 +221,11 @@ proc help_certs {} {
If the remote VNC Server fails to authenticate itself with respect to the specified
If the remote VNC Server fails to authenticate itself with respect to the specified
certificate
(
s
)
,
then
the VNC Viewer
(
your side
)
will drop the connection.
certificate
(
s
)
,
then
the VNC Viewer
(
your side
)
will drop the connection.
Select which file or directory by clicking on the appropriate
"Browse..."
button.
Once selected, if you click the Right Mouse button on the
"Browse..."
button
then
information about the certificate will be displayed.
If
"Use SSH instead"
has been selected
then
SSL certs are disabled.
If
"Use SSH instead"
has been selected
then
SSL certs are disabled.
See the x11vnc and STUNNEL documentation for how to create and use PEM
See the x11vnc and STUNNEL documentation for how to create and use PEM
...
@@ -209,6 +234,18 @@ proc help_certs {} {
...
@@ -209,6 +234,18 @@ proc help_certs {} {
http://www.karlrunge.com/x11vnc/#faq-ssl-tunnel-ext
http://www.karlrunge.com/x11vnc/#faq-ssl-tunnel-ext
http://www.karlrunge.com/x11vnc/ssl.html
http://www.karlrunge.com/x11vnc/ssl.html
http://www.stunnel.org
http://www.stunnel.org
A common way to create and use a VNC Server certificate is:
x11vnc -ssl SAVE ...
and
then
copy the Server certificate to the local
(
viewer-side
)
machine.
x11vnc prints out the the screen the Server certificate it generates.
You can set
"ServerCert"
to it directly or use the
"Import Certificate"
action to save it to a file.
x11vnc also has command line utilities to create server, client, and CA
(
Certificate Authority
)
certificates. See the above URLs.
}
}
.ch.f.t insert end
$msg
.ch.f.t insert end
$msg
...
@@ -261,7 +298,7 @@ set msg {
...
@@ -261,7 +298,7 @@ set msg {
Trick: If you use
"cmd=SHELL"
then
you get an SSH shell only:
Trick: If you use
"cmd=SHELL"
then
you get an SSH shell only:
no VNC viewer will be launched. On Windows
"cmd=PUTTY"
will
no VNC viewer will be launched. On Windows
"cmd=PUTTY"
will
try to use putty.exe
(
better terminal emulation than plink.exe
)
try to use putty.exe
(
better terminal emulation than plink.exe
)
Ctrl-S is a shortcut for this
.
A shortcut for this is Ctrl-S as long as user@hostname is present
.
Use SSH and SSL: Tunnel the SSL connection through a SSH tunnel. Use this
Use SSH and SSL: Tunnel the SSL connection through a SSH tunnel. Use this
if you want end-to-end SSL and must use a SSH gateway
(
e.g. to
if you want end-to-end SSL and must use a SSH gateway
(
e.g. to
...
@@ -1029,7 +1066,16 @@ proc launch_windows_ssh {hp file n} {
...
@@ -1029,7 +1066,16 @@ proc launch_windows_ssh {hp file n} {
catch
{
destroy .o
}
catch
{
destroy .o
}
catch
{
destroy .oa
}
catch
{
destroy .oa
}
do_port_knock
$ssh
_host
if
{
!
[
do_port_knock
$ssh
_host
]}
{
catch
{
file
delete
$file
}
if
{
$file
_cmd !=
""
}
{
catch
{
file
delete
$file
_cmd
}
}
if
{
$file
_pre !=
""
}
{
catch
{
file
delete
$file
_pre
}
}
return 0
}
if
{
$is
_win9x
}
{
if
{
$is
_win9x
}
{
wm withdraw .
wm withdraw .
...
@@ -1314,7 +1360,9 @@ proc do_unix_pre {tag proxy hp pk_hp} {
...
@@ -1314,7 +1360,9 @@ proc do_unix_pre {tag proxy hp pk_hp} {
set c
"
$c
-sshargs '
$smb
_redir_0'"
set c
"
$c
-sshargs '
$smb
_redir_0'"
}
}
do_port_knock
$pk
_hp
if
{
!
[
do_port_knock
$pk
_hp
]}
{
return
}
set did_port_knock 1
set did_port_knock 1
if
{
$use
_smbmnt
}
{
if
{
$use
_smbmnt
}
{
...
@@ -1457,7 +1505,9 @@ proc launch_unix {hp} {
...
@@ -1457,7 +1505,9 @@ proc launch_unix {hp} {
set pk_hp
$hp
set pk_hp
$hp
}
}
if
{
!
$did
_port_knock
}
{
if
{
!
$did
_port_knock
}
{
do_port_knock
$pk
_hp
if
{
!
[
do_port_knock
$pk
_hp
]}
{
return
}
set did_port_knock 1
set did_port_knock 1
}
}
...
@@ -1562,7 +1612,10 @@ proc launch_unix {hp} {
...
@@ -1562,7 +1612,10 @@ proc launch_unix {hp} {
set pk_hp
$hp
set pk_hp
$hp
}
}
if
{
!
$did
_port_knock
}
{
if
{
!
$did
_port_knock
}
{
do_port_knock
$pk
_hp
if
{
!
[
do_port_knock
$pk
_hp
]}
{
wm deiconify .
return
}
set did_port_knock 1
set did_port_knock 1
}
}
...
@@ -1846,6 +1899,8 @@ proc launch {{hp ""}} {
...
@@ -1846,6 +1899,8 @@ proc launch {{hp ""}} {
after 1000
after 1000
}
}
set fail 0
set fh
[
open
$file
"w"
]
set fh
[
open
$file
"w"
]
puts
$fh
"client = yes"
puts
$fh
"client = yes"
...
@@ -1859,7 +1914,7 @@ proc launch {{hp ""}} {
...
@@ -1859,7 +1914,7 @@ proc launch {{hp ""}} {
if
{
!
[
file
exists
$mycert
]}
{
if
{
!
[
file
exists
$mycert
]}
{
mesg
"MyCert does not exist:
$mycert
"
mesg
"MyCert does not exist:
$mycert
"
bell
bell
return
set fail 1
}
}
puts
$fh
"cert =
$mycert
"
puts
$fh
"cert =
$mycert
"
}
}
...
@@ -1867,7 +1922,7 @@ proc launch {{hp ""}} {
...
@@ -1867,7 +1922,7 @@ proc launch {{hp ""}} {
if
{
!
[
file
exists
$svcert
]}
{
if
{
!
[
file
exists
$svcert
]}
{
mesg
"ServerCert does not exist:
$svcert
"
mesg
"ServerCert does not exist:
$svcert
"
bell
bell
return
set fail 1
}
}
puts
$fh
"CAfile =
$svcert
"
puts
$fh
"CAfile =
$svcert
"
puts
$fh
"verify = 2"
puts
$fh
"verify = 2"
...
@@ -1875,7 +1930,7 @@ proc launch {{hp ""}} {
...
@@ -1875,7 +1930,7 @@ proc launch {{hp ""}} {
if
{
!
[
file
exists
$crtdir
]}
{
if
{
!
[
file
exists
$crtdir
]}
{
mesg
"CertsDir does not exist:
$crtdir
"
mesg
"CertsDir does not exist:
$crtdir
"
bell
bell
return
set fail 1
}
}
puts
$fh
"CApath =
$crtdir
"
puts
$fh
"CApath =
$crtdir
"
puts
$fh
"verify = 2"
puts
$fh
"verify = 2"
...
@@ -1896,6 +1951,18 @@ proc launch {{hp ""}} {
...
@@ -1896,6 +1951,18 @@ proc launch {{hp ""}} {
puts
$fh
""
puts
$fh
""
close
$fh
close
$fh
if
{
!
$did
_port_knock
}
{
if
{
!
[
do_port_knock
$host
]}
{
set fail 1
}
set did_port_knock 1
}
if
{
$fail
}
{
catch
{
file
delete
$file
}
return
}
mesg
"Starting STUNNEL on port
$port2
..."
mesg
"Starting STUNNEL on port
$port2
..."
after 600
after 600
...
@@ -1917,11 +1984,6 @@ proc launch {{hp ""}} {
...
@@ -1917,11 +1984,6 @@ proc launch {{hp ""}} {
wm withdraw .
wm withdraw .
}
}
if
{
!
$did
_port_knock
}
{
do_port_knock
$host
set did_port_knock 1
}
do_viewer_windows
$n
do_viewer_windows
$n
del_launch_windows_ssh_files
del_launch_windows_ssh_files
...
@@ -1974,34 +2036,85 @@ proc get_idir {str} {
...
@@ -1974,34 +2036,85 @@ proc get_idir {str} {
}
}
}
}
}
}
if
{
$idir
==
""
}
{
global is_windows
if
{
$is
_windows
}
{
set idir
[
get_profiles_dir
]
}
if
{
$idir
==
""
}
{
if
{
$idir
==
""
}
{
set idir
[
pwd
]
set idir
[
pwd
]
}
}
}
return
$idir
return
$idir
}
}
proc
set_mycert
{}
{
proc
set_mycert
{}
{
global mycert
global mycert
set idir
[
get_idir
$mycert
]
set idir
[
get_idir
$mycert
]
set t
""
if
{
$idir
!=
""
}
{
if
{
$idir
!=
""
}
{
set
mycer
t
[
tk_getOpenFile -initialdir
$idir
]
set t
[
tk_getOpenFile -initialdir
$idir
]
}
else
{
}
else
{
set mycert
[
tk_getOpenFile
]
set t
[
tk_getOpenFile
]
}
if
{
$t
!=
""
}
{
set mycert
$t
}
}
catch
{
wm deiconify .c
}
catch
{
wm deiconify .c
}
update
update
}
}
proc
show_cert
{
crt
}
{
if
{
$crt
==
""
}
{
bell
return
}
if
{
!
[
file
exists
$crt
]}
{
bell
return
}
set info
""
catch
{
set
info
[
get_x509_info
$crt
]}
if
{
$info
==
""
}
{
bell
return
}
set w .show_certificate
catch
{
destroy
$w
}
toplevel
$w
scroll_text
$w.f
button
$w.b
-text Dismiss -command
"destroy
$w
"
bind
$w
<Escape>
"destroy
$w
"
$w.f.t
insert end
$info
pack
$w.b
-side bottom -fill x
pack
$w.f
-side top -fill both -expand 1
center_win
$w
catch
{
raise
$w
}
}
proc
show_mycert
{}
{
global mycert
show_cert
$mycert
}
proc
show_svcert
{}
{
global svcert
show_cert
$svcert
}
proc
set_svcert
{}
{
proc
set_svcert
{}
{
global svcert crtdir
global svcert crtdir
set idir
[
get_idir
$svcert
]
set idir
[
get_idir
$svcert
]
set t
""
if
{
$idir
!=
""
}
{
if
{
$idir
!=
""
}
{
set
svcer
t
[
tk_getOpenFile -initialdir
$idir
]
set t
[
tk_getOpenFile -initialdir
$idir
]
}
else
{
}
else
{
set
svcer
t
[
tk_getOpenFile
]
set t
[
tk_getOpenFile
]
}
}
if
{
$
svcer
t
!=
""
}
{
if
{
$t
!=
""
}
{
set crtdir
""
set crtdir
""
set svcert
$t
}
}
catch
{
wm deiconify .c
}
catch
{
wm deiconify .c
}
update
update
...
@@ -2010,18 +2123,768 @@ proc set_svcert {} {
...
@@ -2010,18 +2123,768 @@ proc set_svcert {} {
proc
set_crtdir
{}
{
proc
set_crtdir
{}
{
global svcert crtdir
global svcert crtdir
set idir
[
get_idir
$crtdir
]
set idir
[
get_idir
$crtdir
]
set t
""
if
{
$idir
!=
""
}
{
if
{
$idir
!=
""
}
{
set
crtdir
[
tk_chooseDirectory -initialdir
$idir
]
set
t
[
tk_chooseDirectory -initialdir
$idir
]
}
else
{
}
else
{
set
crtdir
[
tk_chooseDirectory
]
set
t
[
tk_chooseDirectory
]
}
}
if
{
$
crtdir
!=
""
}
{
if
{
$
t
!=
""
}
{
set svcert
""
set svcert
""
set crtdir
$t
}
}
catch
{
wm deiconify .c
}
catch
{
wm deiconify .c
}
update
update
}
}
proc
set_createcert_file
{}
{
global ccert
if
{[
info
exists ccert
(
FILE
)]}
{
set idir
[
get_idir
$ccert
(
FILE
)]
}
if
{
$idir
!=
""
}
{
set t
[
tk_getSaveFile -defaultextension
".pem"
-initialdir
$idir
]
}
else
{
set t
[
tk_getSaveFile -defaultextension
".pem"
]
}
if
{
$t
!=
""
}
{
set ccert
(
FILE
)
$t
}
catch
{
raise .ccrt
}
update
}
proc
check_pp
{}
{
global ccert
if
{
$ccert
(
ENC
)}
{
catch
{
.ccrt.pf.e configure -state normal
}
catch
{
focus .ccrt.pf.e
}
catch
{
.ccrt.pf.e icursor end
}
}
else
{
catch
{
.ccrt.pf.e configure -state disabled
}
}
}
proc
get_openssl
{}
{
global is_windows
if
{
$is
_windows
}
{
set ossl
"util/openssl"
}
else
{
set ossl
"openssl"
}
}
proc
get_x509_info
{
crt
}
{
set ossl
[
get_openssl
]
set info
""
#puts
"
$ossl
x509 -text -in
\"
$crt
\"
"
set ph
[
open
"|
$ossl
x509 -text -in
\"
$crt
\"
"
"r"
]
while
{[
gets
$ph
line
]
> -1
}
{
#puts
"line:
$line
"
append info
"
$line
\n
"
}
close
$ph
return
$info
}
proc
do_oss_create
{}
{
global is_windows is_win9x
set cfg
{
[
req
]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_distinguished_name
[
req_distinguished_name
]
countryName = Country Name
(
2 letter code
)
countryName_default = %CO
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name
(
full name
)
stateOrProvinceName_default = %ST
localityName = Locality Name
(
eg, city
)
localityName_default = %LOC
0.organizationName = Organization Name
(
eg, company
)
0.organizationName_default = %ON
organizationalUnitName = Organizational Unit Name
(
eg, section
)
organizationalUnitName_default = %OUN
commonName = Common Name
(
eg, YOUR name
)
commonName_default = %CN
commonName_max = 64
emailAddress = Email Address
emailAddress_default = %EM
emailAddress_max = 64
}
global ccert
if
{
$ccert
(
FILE
)
==
""
}
{
catch
{
destroy .c
}
mesg
"No output cert file supplied"
bell
return
}
if
{
!
[
regexp
{
\.
pem$
}
$ccert
(
FILE
)]}
{
append ccert
(
FILE
)
".pem"
}
set pem
$ccert
(
FILE
)
regsub
{
\.
pem$
}
$ccert
(
FILE
)
".crt"
crt
if
{
$ccert
(
ENC
)}
{
if
{[
string
length
$ccert
(
PASS
)]
< 4
}
{
catch
{
destroy .c
}
mesg
"Passphrase must be at least 4 characters long."
bell
return
}
}
if
{[
string
length
$ccert
(
CO
)]
!= 2
}
{
catch
{
destroy .c
}
mesg
"Country Name must be at exactly 2 characters long."
bell
return
}
if
{[
string
length
$ccert
(
CN
)]
> 64
}
{
catch
{
destroy .c
}
mesg
"Common Name must be less than 65 characters long."
bell
return
}
if
{[
string
length
$ccert
(
EM
)]
> 64
}
{
catch
{
destroy .c
}
mesg
"Email Address must be less than 65 characters long."
bell
return
}
foreach t
{
EM CN OUN ON LOC ST CO
}
{
set val
$ccert
(
$t
)
if
{
$val
==
""
}
{
set val
"none"
}
regsub
"%
$t
"
$cfg
"
$val
"
cfg
}
global is_windows
if
{
$is
_windows
}
{
set tmp
"cert.cfg"
}
else
{
set tmp
"/tmp/cert.cfg."
append tmp
[
clock
clicks -milliseconds
]
catch
{
file
delete
$tmp
}
if
{[
file
exists
$tmp
]}
{
catch
{
destroy .c
}
mesg
"file still exists:
$tmp
"
bell
return
}
catch
{
set
fh
[
open
$tmp
"w"
]}
catch
{
exec
chmod 600
$tmp
}
if
{
!
[
file
exists
$tmp
]}
{
catch
{
destroy .c
}
mesg
"cannot create:
$tmp
"
bell
return
}
}
set fh
""
catch
{
set
fh
[
open
$tmp
"w"
]}
if
{
$fh
==
""
}
{
catch
{
destroy .c
}
mesg
"cannot create:
$tmp
"
bell
catch
{
file
delete
$tmp
}
return
}
puts
$fh
$cfg
close
$fh
set ossl
[
get_openssl
]
set cmd
"
$ossl
req -config
$tmp
-nodes -new -newkey rsa:2048 -x509 -batch"
if
{
$ccert
(
DAYS
)
!=
""
}
{
set cmd
"
$cmd
-days
$ccert
(DAYS)"
}
set cmd
"
$cmd
-keyout {
$pem
} -out {
$crt
}"
if
{
$is
_windows
}
{
set emess
""
if
{
$is
_win9x
}
{
catch
{
file
delete
$pem
}
catch
{
file
delete
$crt
}
eval exec
$cmd
&
catch
{
raise .
}
set sl 0
set max 100
#if
{
$ccert
(
ENC
)}
{
# set max 100
#
}
set maxms
[
expr
$max
* 1000
]
while
{
$sl
<
$maxms
}
{
set s2
[
expr
$sl
/ 1000
]
mesg
"running openssl ...
$s2
/
$max
"
if
{[
file
exists
$pem
]
&&
[
file
exists
$crt
]}
{
after 2000
break
}
after 500
set sl
[
expr
$sl
+ 500
]
}
mesg
""
}
else
{
set rc
[
catch
{
eval
exec
$cmd
}
emess
]
if
{
$rc
!= 0
}
{
tk_messageBox -type ok -icon error -message
$emess
-title
"OpenSSL req command failed"
return
}
}
}
else
{
set geometry
[
xterm_center_geometry
]
eval exec xterm -geometry
$geometry
-title Running_OpenSSL -e
$cmd
}
catch
{
file
delete
$tmp
}
set bad
""
if
{
!
[
file
exists
$pem
]}
{
set bad
"
$pem
"
}
if
{
!
[
file
exists
$crt
]}
{
set bad
"
$crt
"
}
if
{
$bad
!=
""
}
{
tk_messageBox -type ok -icon error -message
"Not created:
$bad
"
-title
"OpenSSL could not create cert"
catch
{
raise .c
}
return
}
if
{
$ccert
(
ENC
)
&&
$ccert
(
PASS
)
!=
""
}
{
set cmd
"
$ossl
rsa -in
\"
$pem
\"
-des3 -out
\"
$pem
\"
-passout stdin"
set ph
""
set emess
""
set rc
[
catch
{
set
ph
[
open
"|
$cmd
"
"w"
]}
emess
]
if
{
$rc
!= 0 ||
$ph
==
""
}
{
tk_messageBox -type ok -icon error -message
$emess
-title
"Count not encrypt private key"
catch
{
file
delete
$pem
}
catch
{
file
delete
$crt
}
return
}
puts
$ph
$ccert
(
PASS
)
set emess
""
set rc
[
catch
{
close
$ph
}
emess
]
#puts
$emess
#puts
$rc
}
set in
[
open
$crt
"r"
]
set out
[
open
$pem
"a"
]
while
{[
gets
$in
line
]
> -1
}
{
puts
$out
$line
}
close
$in
close
$out
catch
{
raise .c
}
set p .
if
[
winfo exists .c
]
{
set p .c
}
set reply
[
tk_messageBox -parent
$p
-type yesno -title
"View Cert"
-message
"View Certificate and Info?"
]
catch
{
raise .c
}
if
{
$reply
==
"yes"
}
{
set w .view_cert
catch
{
destroy
$w
}
toplevel
$w
scroll_text
$w.f
set cert
""
set fh
""
catch
{
set
fh
[
open
$crt
"r"
]}
if
{
$fh
!=
""
}
{
while
{[
gets
$fh
line
]
> -1
}
{
append cert
"
$line
\n
"
}
catch
{
close
$fh
}
}
global yegg
set yegg
""
button
$w.b
-text Dismiss -command
"destroy
$w
; set yegg 1"
pack
$w.b
-side bottom -fill x
bind
$w
<Escape>
"destroy
$w
; set yegg 1"
$w.f.t
insert end
"
\n
"
$w.f.t
insert end
"
$crt:
\n
"
$w.f.t
insert end
"
\n
"
$w.f.t
insert end
$cert
$w.f.t
insert end
"
\n
"
set info
[
get_x509_info
$crt
]
$w.f.t
insert end
$info
pack
$w.f
-side top -fill both -expand 1
center_win
$w
catch
{
raise
$w
}
vwait yegg
catch
{
raise .c
}
}
set p .
if
[
winfo exists .c
]
{
set p .c
}
set reply
[
tk_messageBox -parent
$p
-type yesno -title
"View Private Key"
-message
"View Private Key?"
]
catch
{
raise .c
}
if
{
$reply
==
"yes"
}
{
set w .view_key
catch
{
destroy
$w
}
toplevel
$w
scroll_text
$w.f
set key
""
set fh
[
open
$pem
"r"
]
while
{[
gets
$fh
line
]
> -1
}
{
append key
"
$line
\n
"
}
close
$fh
global yegg
set yegg
""
button
$w.b
-text Dismiss -command
"destroy
$w
; set yegg 1"
pack
$w.b
-side bottom -fill x
bind
$w
<Escape>
"destroy
$w
; set yegg 1"
$w.f.t
insert end
"
\n
"
$w.f.t
insert end
"
$pem:
\n
"
$w.f.t
insert end
"
\n
"
$w.f.t
insert end
$key
$w.f.t
insert end
"
\n
"
pack
$w.f
-side top -fill both -expand 1
center_win
$w
catch
{
raise
$w
}
vwait yegg
catch
{
raise .c
}
}
}
proc create_cert
{}
{
catch
{
destroy .ccrt
}
toplevel .ccrt
wm title .ccrt
"Create SSL Certificate"
scroll_text .ccrt.f 80 30
set msg
{
This dialog helps you to create a simple self-signed SSL certificate.
On Unix the openssl
(
1
)
program must be installed and in $PATH.
On Windows, a copy of the openssl program is provided for convenience.
The resulting certificate files can be used for either:
1) authenticating yourself
(
VNC Viewer
)
to a VNC Server
or 2) your verifying the identity of a remote VNC Server.
In either case you will need to safely copy one of the generated
certificate files to the remote VNC Server and have the VNC Server use
it. Or you could send it to the system administrator of the VNC Server.
We assume below that the filename selected in the
"Save to file"
entry
is
"vnccert.pem"
. That file will be generated and so will
"vnccert.crt"
.
"vnccert.pem"
contains both the Private Key and the Public Certificate.
"vnccert.crt"
only contains the Public Certificate.
For case 1) you would copy
"vnccert.crt"
to the VNC Server side and
instruct the server to use it. For x11vnc it would be for example:
x11vnc -sslverify /path/to/vnccert.crt -ssl SAVE ...
(
it is also possible to handle many client certs at once in a directory,
see the -sslverify documentation
)
. Then you would use
"vnccert.pem"
as the MyCert entry in the Set SSL Certificates dialog.
For case 2) you would copy
"vnccert.pem"
to the VNC Server side and
instruct the server to use it. For x11vnc it would be for example:
x11vnc -ssl /path/to/vnccert.pem
Then you would use
"vnccert.crt"
as the as the ServerCert entry in the
"Set SSL Certificates"
dialog.
Creating the Certificate:
Choose a output filename
(
ending in .pem
)
in the
"Save to file"
entry.
Then fill in the identification information
(
Country, State or Province,
etc
)
.
The click on
"Create"
to generate the certificate files.
Encrypting the Private Key: It is a very good idea to encrypt the
Private Key that goes in the
"vnccert.pem"
. The downside is that
whenever that key is used
(
e.g. starting up x11vnc using it
)
then
the passphrase will need to be created. If you do not encrypt it and
somebody steals a copy of the
"vnccert.pem"
file
then
they can pretend
to be you.
After you have created the certificate files, you must copy and import
either
"vnccert.pem"
or
"vnccert.pem"
to the remote VNC Server and
also select the other file in the
"Set SSL Certificates"
dialog.
See the description above.
For more information see:
http://www.karlrunge.com/x11vnc/ssl.html
http://www.karlrunge.com/x11vnc/#faq-ssl-tunnel-int
The first one describes how to use x11vnc to create Certificate
Authority
(
CA
)
certificates in addition to self-signed ones.
Tip: if you choose the
"Common Name"
to be the internet hostname
(
e.g. gateway.mydomain.com
)
that connections will be made to or
from that will avoid many dialogs when connecting mentioning that
the hostname does not match the Common Name.
}
.ccrt.f.t insert end
$msg
global ccert ccert_init tcert
if
{
!
[
info
exists ccert_init
]}
{
set ccert_init 1
set ccert
(
CO
)
"US"
set ccert
(
ST
)
"Massachusetts"
set ccert
(
LOC
)
"Boston"
set ccert
(
ON
)
"My Company"
set ccert
(
OUN
)
"Product Development"
set ccert
(
CN
)
"www.nowhere.none"
set ccert
(
EM
)
"admin@nowhere.none"
set ccert
(
DAYS
)
"365"
set ccert
(
FILE
)
""
}
set ccert
(
ENC
)
0
set ccert
(
PASS
)
""
set tcert
(
CO
)
"Country Name (2 letter code):"
set tcert
(
ST
)
"State or Province Name (full name):"
set tcert
(
LOC
)
"Locality Name (eg, city):"
set tcert
(
ON
)
"Organization Name (eg, company):"
set tcert
(
OUN
)
"Organizational Unit Name (eg, section):"
set tcert
(
CN
)
"Common Name (eg, YOUR name):"
set tcert
(
EM
)
"Email Address:"
set tcert
(
DAYS
)
"Days until expiration:"
if
{
$ccert
(
FILE
)
==
""
}
{
global is_windows
if
{
$is
_windows
}
{
set pdir
[
get_profiles_dir
]
set ccert
(
FILE
)
"
$pdir
/vnccert.pem"
}
else
{
set idir
[
get_idir
""
]
set ccert
(
FILE
)
"
$idir
/vnccert.pem"
}
}
button .ccrt.cancel -text
"Cancel"
-command
{
destroy .ccrt
;
catch
{
raise .c
}}
bind .ccrt <Escape>
{
destroy .ccrt
;
catch
{
raise .c
}}
button .ccrt.create -text
"Generate Cert"
-command
{
destroy .ccrt
;
catch
{
raise .c
};
do_oss_create
}
pack .ccrt.cancel .ccrt.create -side bottom -fill x
set ew 40
set w .ccrt.pf
frame
$w
checkbutton
$w.check
-anchor w -variable ccert
(
ENC
)
-text
\
"Encrypt Key with Passphrase"
-command
{
check_pp
}
entry
$w.e
-width
$ew
-textvariable ccert
(
PASS
)
-state disabled
\
-show *
pack
$w.e
-side right
pack
$w.check
-side left -expand 1 -fill x
pack
$w
-side bottom -fill x
set w .ccrt.fl
frame
$w
label
$w.l
-anchor w -text
"Save to file:"
entry
$w.e
-width
$ew
-textvariable ccert
(
FILE
)
button
$w.b
-text
"Browse..."
-command
{
set_createcert_file
;
catch
{
raise .ccrt
}}
pack
$w.e
-side right
pack
$w.b
-side right
pack
$w.l
-side left -expand 1 -fill x
pack
$w
-side bottom -fill x
set i 0
foreach t
{
DAYS EM CN OUN ON LOC ST CO
}
{
set w .ccrt.f$i
frame
$w
label
$w.l
-anchor w -text
"
$tcert
(
$t
)"
entry
$w.e
-width
$ew
-textvariable ccert
(
$t
)
pack
$w.e
-side right
pack
$w.l
-side left -expand 1 -fill x
pack
$w
-side bottom -fill x
incr i
}
pack .ccrt.f -side top -fill both -expand 1
center_win .ccrt
}
proc
import_check_mode
{
w
}
{
global import_mode
if
{
$import
_mode ==
"paste"
}
{
$w.mf.b
configure -state disabled
$w.mf.e
configure -state disabled
$w.plab
configure -state normal
$w.paste.t
configure -state normal
}
else
{
$w.mf.b
configure -state normal
$w.mf.e
configure -state normal
$w.plab
configure -state disabled
$w.paste.t
configure -state disabled
}
}
proc import_browse
{}
{
global import_file
set idir
""
if
{
$import
_file !=
""
}
{
set idir
[
get_idir
$import
_file
]
}
if
{
$idir
!=
""
}
{
set t
[
tk_getOpenFile -initialdir
$idir
]
}
else
{
set t
[
tk_getOpenFile
]
}
if
{
$t
!=
""
}
{
set import_file
$t
}
catch
{
raise .icrt
}
update
}
proc
import_save_browse
{}
{
global import_save_file
set idir
""
if
{
$import
_save_file !=
""
}
{
set idir
[
get_idir
$import
_save_file
]
}
if
{
$idir
==
""
}
{
global is_windows
if
{
$is
_windows
}
{
set idir
[
get_profiles_dir
]
}
else
{
set idir
[
get_idir
""
]
}
}
if
{
$idir
!=
""
}
{
set t
[
tk_getSaveFile -defaultextension
".crt"
-initialdir
$idir
]
}
else
{
set t
[
tk_getSaveFile -defaultextension
".crt"
]
}
if
{
$t
!=
""
}
{
set import_save_file
$t
}
catch
{
raise .icrt
}
update
}
proc
do_save
{}
{
global import_mode import_file import_save_file
if
{
$import
_save_file ==
""
}
{
tk_messageBox -parent .icrt -type ok -icon error
\
-message
"No Save File supplied"
-title
"Save File"
return
}
set str
""
if
{
$import
_mode ==
"paste"
}
{
set str
[
.icrt.paste.t get 1.0 end
]
}
else
{
if
{
!
[
file
exists
$import
_file
]}
{
tk_messageBox -parent .icrt -type ok -icon error
\
-message
"Input file
\"
$import
_file
\"
does not exist."
-title
"Import File"
return
}
set fh
""
set emess
""
set rc
[
catch
{
set
fh
[
open
$import
_file
"r"
]}
emess
]
if
{
$rc
!= 0 ||
$fh
==
""
}
{
tk_messageBox -parent .icrt -type ok -icon error
\
-message
$emess
-title
"Import File:
$import
_file"
return
}
while
{[
gets
$fh
line
]
> -1
}
{
append str
"
$line
\n
"
}
close
$fh
}
if
{
!
[
regexp
{
BEGIN CERTIFICATE
}
$str
]}
{
tk_messageBox -parent .icrt -type ok -icon error
\
-message
"Import Text does not contain
\"
BEGIN CERTIFICATE
\"
"
-title
"Imported Text"
return
}
if
{
!
[
regexp
{
END CERTIFICATE
}
$str
]}
{
tk_messageBox -parent .icrt -type ok -icon error
\
-message
"Import Text does not contain
\"
END CERTIFICATE
\"
"
-title
"Imported Text"
return
}
set fh
""
set emess
""
set rc
[
catch
{
set
fh
[
open
$import
_save_file
"w"
]}
emess
]
if
{
$rc
!= 0 ||
$fh
==
""
}
{
tk_messageBox -parent .icrt -type ok -icon error
\
-message
$emess
-title
"Save File:
$import
_save_file"
return
}
puts -nonewline
$fh
$str
close
$fh
catch
{
destroy .icrt
}
catch
{
raise .c
}
tk_messageBox -parent .c -type ok -icon info
\
-message
"Saved to file:
$import
_save_file"
-title
"Save File:
$import
_save_file"
}
proc
import_cert
{}
{
catch
{
destroy .icrt
}
toplevel .icrt
wm title .icrt
"Import SSL Certificate"
global scroll_text_focus
set scroll_text_focus 0
scroll_text .icrt.f 90 16
set scroll_text_focus 1
set msg
{
This dialog lets you import a SSL Certificate by either pasting one in or by
loading from another file. Choose which input mode you want to use by the toggle
"Paste / Read from File"
.
There are two types of files we use 1) Certificate only, and 2) Private Key
and Certificate.
Type 1) would be used to verify the identity of a remote VNC Server, whereas
type 2) would be used to authenticate ourselves to the remote VNC Server.
A type 1) by convention ends with file suffix
".crt"
and looks like:
-----BEGIN CERTIFICATE-----
MIID2jCCAsKgAwIBAgIJALKypfV8BItCMA0GCSqGSIb3DQEBBAUAMIGgMQswCQYD
...
TCQ+tbQ/DOiTXGKx1nlcKoPdkG+QVQVJthlQcpam
-----END CERTIFICATE-----
where
"..."
means similarly looking lines.
A type 2) by convention ends with file suffix
".pem"
and looks like:
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA4sApd7WaPKQRWnFe9T04D4pglQB0Ti0/dCVHxg8WEVQ8OdcW
...
9kBmNotUiTpvRM+e7E/zRemhvY9qraFooqMWzi9JrgYfeLfSvvFfGw==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIID2jCCAsKgAwIBAgIJALKypfV8BItCMA0GCSqGSIb3DQEBBAUAMIGgMQswCQYD
...
TCQ+tbQ/DOiTXGKx1nlcKoPdkG+QVQVJthlQcpam
-----END CERTIFICATE-----
You do not need to use the
".crt"
or
".pem"
convention if you do not want to.
First, either paste in the text or set the
"Read from File"
filename.
Next, set the
"Save to File"
name to the file where the imported certificate
will be saved.
Then, click on
"Save"
to save the imported Certificate.
After you have imported the Certificate
(
or Key + Certificate
)
, select it to
use for a connection via the
"MyCert"
or
"ServerCert"
dialog.
}
.icrt.f.t insert end
$msg
global icert import_mode
set import_mode
"paste"
set w .icrt.mf
frame
$w
radiobutton
$w.p
-pady 1 -anchor w -variable import_mode -value paste
\
-text
"Paste"
-command
"import_check_mode .icrt"
radiobutton
$w.f
-pady 1 -anchor w -variable import_mode -value file
\
-text
"Read from File:"
-command
"import_check_mode .icrt"
global import_file
set import_file
""
entry
$w.e
-width 40 -textvariable import_file
button
$w.b
-pady 1 -anchor w -text
"Browse..."
-command import_browse
pack
$w.b
-side right
pack
$w.p
$w.f
-side left
pack
$w.e
-side left -expand 1 -fill x
$w.b
configure -state disabled
$w.e
configure -state disabled
label .icrt.plab -anchor w -text
"Paste Certificate here:"
scroll_text .icrt.paste 90 25
button .icrt.cancel -text
"Cancel"
-command
{
destroy .icrt
;
catch
{
raise .c
}}
bind .icrt <Escape>
{
destroy .icrt
;
catch
{
raise .c
}}
button .icrt.save -text
"Save"
-command
{
do_save
}
set w .icrt.sf
frame
$w
label
$w.l
-text
"Save to File:"
-anchor w
global import_save_file
set import_save_file
""
entry
$w.e
-width 40 -textvariable import_save_file
button
$w.b
-pady 1 -anchor w -text
"Browse..."
-command import_save_browse
pack
$w.b
-side right
pack
$w.l
-side left
pack
$w.e
-side left -expand 1 -fill x
pack .icrt.cancel .icrt.save .icrt.sf .icrt.mf -side bottom -fill x
pack .icrt.paste .icrt.plab -side bottom -fill x
pack .icrt.f -side top -fill both -expand 1
.icrt.paste.t insert end
""
focus .icrt.paste.t
center_win .icrt
}
proc
getcerts
{}
{
proc
getcerts
{}
{
global mycert svcert crtdir
global mycert svcert crtdir
global use_ssh use_sshssl
global use_ssh use_sshssl
...
@@ -2041,6 +2904,11 @@ proc getcerts {} {
...
@@ -2041,6 +2904,11 @@ proc getcerts {} {
button .c.mycert.b -text
"Browse..."
-command
{
set_mycert
;
catch
{
raise .c
}}
button .c.mycert.b -text
"Browse..."
-command
{
set_mycert
;
catch
{
raise .c
}}
button .c.svcert.b -text
"Browse..."
-command
{
set_svcert
;
catch
{
raise .c
}}
button .c.svcert.b -text
"Browse..."
-command
{
set_svcert
;
catch
{
raise .c
}}
button .c.crtdir.b -text
"Browse..."
-command
{
set_crtdir
;
catch
{
raise .c
}}
button .c.crtdir.b -text
"Browse..."
-command
{
set_crtdir
;
catch
{
raise .c
}}
bind .c.mycert.b <B3-ButtonRelease>
"show_mycert"
bind .c.svcert.b <B3-ButtonRelease>
"show_svcert"
button .c.create -text
"Create Certificate ..."
-command
{
create_cert
}
button .c.import -text
"Import Certificate ..."
-command
{
import_cert
}
frame .c.b
frame .c.b
button .c.b.done -text
"Done"
-command
{
catch
{
destroy .c
}}
button .c.b.done -text
"Done"
-command
{
catch
{
destroy .c
}}
...
@@ -2060,7 +2928,7 @@ proc getcerts {} {
...
@@ -2060,7 +2928,7 @@ proc getcerts {} {
}
}
}
}
pack .c.mycert .c.svcert .c.crtdir .c.b -side top -fill x
pack .c.mycert .c.svcert .c.crtdir .c.
create .c.import .c.
b -side top -fill x
center_win .c
center_win .c
wm resizable .c 1 0
wm resizable .c 1 0
...
@@ -2980,8 +3848,8 @@ proc cups_dialog {} {
...
@@ -2980,8 +3848,8 @@ proc cups_dialog {} {
This method requires working CUPS software setups on both the remote
This method requires working CUPS software setups on both the remote
and local sides of the connection.
and local sides of the connection.
(
See Method #1 below for perhaps the easiest way to get applications
(
See Method #1 below for perhaps the easiest way to get applications
to
to print through the tunnel
;
it requires
admin privileges however
)
.
print through the tunnel
;
it requires printing
admin privileges however
)
.
You choose an actual remote CUPS port below under
"Use Remote CUPS
You choose an actual remote CUPS port below under
"Use Remote CUPS
Port:"
(
6631 is just our default and used in the examples below
)
.
Port:"
(
6631 is just our default and used in the examples below
)
.
...
@@ -3029,7 +3897,8 @@ proc cups_dialog {} {
...
@@ -3029,7 +3897,8 @@ proc cups_dialog {} {
Method #2: Restarting individual applications with the IPP_PORT
Method #2: Restarting individual applications with the IPP_PORT
set will enable redirected printing for them, e.g.:
set will enable redirected printing for them, e.g.:
"env IPP_PORT=6631 firefox"
env IPP_PORT=6631 firefox
Windows/SMB Printers: Under
"Local SMB Print Server"
you can set
Windows/SMB Printers: Under
"Local SMB Print Server"
you can set
a port redirection for a Windows
(
non-CUPS
)
SMB printer. E.g. port
a port redirection for a Windows
(
non-CUPS
)
SMB printer. E.g. port
...
@@ -3069,28 +3938,28 @@ proc cups_dialog {} {
...
@@ -3069,28 +3938,28 @@ proc cups_dialog {} {
}
}
frame .cups.serv
frame .cups.serv
label .cups.serv.l -text
"Local CUPS Server: "
label .cups.serv.l -
anchor w -
text
"Local CUPS Server: "
entry .cups.serv.e -width 40 -textvariable cups_local_server
entry .cups.serv.e -width 40 -textvariable cups_local_server
pack .cups.serv.
l -side lef
t
pack .cups.serv.
e -side righ
t
pack .cups.serv.
e
-side left -expand 1 -fill x
pack .cups.serv.
l
-side left -expand 1 -fill x
frame .cups.port
frame .cups.port
label .cups.port.l -text
"Use Remote CUPS Port:"
label .cups.port.l -
anchor w -
text
"Use Remote CUPS Port:"
entry .cups.port.e -width 40 -textvariable cups_remote_port
entry .cups.port.e -width 40 -textvariable cups_remote_port
pack .cups.port.
l -side lef
t
pack .cups.port.
e -side righ
t
pack .cups.port.
e
-side left -expand 1 -fill x
pack .cups.port.
l
-side left -expand 1 -fill x
frame .cups.smbs
frame .cups.smbs
label .cups.smbs.l -text
"Local SMB Print Server: "
label .cups.smbs.l -
anchor w -
text
"Local SMB Print Server: "
entry .cups.smbs.e -width 40 -textvariable cups_local_smb_server
entry .cups.smbs.e -width 40 -textvariable cups_local_smb_server
pack .cups.smbs.
l -side lef
t
pack .cups.smbs.
e -side righ
t
pack .cups.smbs.
e
-side left -expand 1 -fill x
pack .cups.smbs.
l
-side left -expand 1 -fill x
frame .cups.smbp
frame .cups.smbp
label .cups.smbp.l -text
"Use Remote SMB Print Port:"
label .cups.smbp.l -
anchor w -
text
"Use Remote SMB Print Port:"
entry .cups.smbp.e -width 40 -textvariable cups_remote_smb_port
entry .cups.smbp.e -width 40 -textvariable cups_remote_smb_port
pack .cups.smbp.
l -side lef
t
pack .cups.smbp.
e -side righ
t
pack .cups.smbp.
e
-side left -expand 1 -fill x
pack .cups.smbp.
l
-side left -expand 1 -fill x
checkbutton .cups.cupsrc -anchor w -variable cups_manage_rcfile -text
\
checkbutton .cups.cupsrc -anchor w -variable cups_manage_rcfile -text
\
"Manage ServerName in the remote
\$
HOME/.cups/client.conf file for me"
"Manage ServerName in the remote
\$
HOME/.cups/client.conf file for me"
...
@@ -3118,14 +3987,15 @@ proc sound_dialog {} {
...
@@ -3118,14 +3987,15 @@ proc sound_dialog {} {
scroll_text .snd.f 80 30
scroll_text .snd.f 80 30
set msg
{
set msg
{
Sound daemon tunnelling requires SSH be used to set up the service
Sound tunnelling to a sound daemon requires SSH be used to set up the
port redirection. This will be either of the
"Use SSH instead"
or
"Use
service port redirection. This will be either of the
"Use SSH instead"
SSH and SSL"
modes under
"Options"
. Pure SSL tunnelling will not work.
or
"Use SSH and SSL"
modes under
"Options"
. Pure SSL tunnelling will
not work.
This method requires working Sound daemon
(
e.g. ESD or ARTSD
)
software
This method requires working Sound daemon
(
e.g. ESD or ARTSD
)
software
setups on both the remote and local sides of the connection.
setups on both the remote and local sides of the connection.
Often this means you want to run your ENTIRE remote desktop with
all
Often this means you want to run your ENTIRE remote desktop with
ALL
applications instructed to use the sound daemon's network port. E.g.
applications instructed to use the sound daemon's network port. E.g.
esddsp -s localhost:16001 startkde
esddsp -s localhost:16001 startkde
...
@@ -3163,14 +4033,13 @@ proc sound_dialog {} {
...
@@ -3163,14 +4033,13 @@ proc sound_dialog {} {
So you may need to supply TWO SSH PASSWORDS, unless you are using
So you may need to supply TWO SSH PASSWORDS, unless you are using
something like ssh-agent
(
1
)
, the Putty PW setting, etc.
something like ssh-agent
(
1
)
, the Putty PW setting, etc.
You will also need to supply the remote and local sound ports for the
You will also need to supply the remote and local sound ports for
SSH redirs
(
even though in principle the could be guessed from the
the SSH redirs. For esd the default port is 16001, but you can choose
daemon commands...
)
For esd the default port is 16001, but you can
another one if you prefer.
choose another one if you prefer.
For
"Local Sound Port"
you can also supply
"host:port"
instead of just
For
"Local Sound Port"
you can also supply
"host:port"
instead of just
a numerical port to specify non-localhost connections, e.g. to another
a numerical port to specify non-localhost connections, e.g. to another
machine.
nearby
machine.
For more info see: http://www.karlrunge.com/x11vnc/#faq-sound
For more info see: http://www.karlrunge.com/x11vnc/#faq-sound
}
}
...
@@ -3196,28 +4065,28 @@ proc sound_dialog {} {
...
@@ -3196,28 +4065,28 @@ proc sound_dialog {} {
frame .snd.remote
frame .snd.remote
label .snd.remote.l -text
"Remote Sound daemon cmd: "
label .snd.remote.l -
anchor w -
text
"Remote Sound daemon cmd: "
entry .snd.remote.e -width 4
0
-textvariable sound_daemon_remote_cmd
entry .snd.remote.e -width 4
5
-textvariable sound_daemon_remote_cmd
pack .snd.remote.
l -side lef
t
pack .snd.remote.
e -side righ
t
pack .snd.remote.
e
-side left -expand 1 -fill x
pack .snd.remote.
l
-side left -expand 1 -fill x
frame .snd.local
frame .snd.local
label .snd.local.l -text
"Local Sound daemon cmd: "
label .snd.local.l -
anchor w -
text
"Local Sound daemon cmd: "
entry .snd.local.e -width 4
0
-textvariable sound_daemon_local_cmd
entry .snd.local.e -width 4
5
-textvariable sound_daemon_local_cmd
pack .snd.local.
l -side lef
t
pack .snd.local.
e -side righ
t
pack .snd.local.
e
-side left -expand 1 -fill x
pack .snd.local.
l
-side left -expand 1 -fill x
frame .snd.rport
frame .snd.rport
label .snd.rport.l -text
"Remote Sound Port: "
label .snd.rport.l -
anchor w -
text
"Remote Sound Port: "
entry .snd.rport.e -width 4
0
-textvariable sound_daemon_remote_port
entry .snd.rport.e -width 4
5
-textvariable sound_daemon_remote_port
pack .snd.rport.
l -side lef
t
pack .snd.rport.
e -side righ
t
pack .snd.rport.
e
-side left -expand 1 -fill x
pack .snd.rport.
l
-side left -expand 1 -fill x
frame .snd.lport
frame .snd.lport
label .snd.lport.l -text
"Local Sound Port: "
label .snd.lport.l -
anchor w -
text
"Local Sound Port: "
entry .snd.lport.e -width 4
0
-textvariable sound_daemon_local_port
entry .snd.lport.e -width 4
5
-textvariable sound_daemon_local_port
pack .snd.lport.
l -side lef
t
pack .snd.lport.
e -side righ
t
pack .snd.lport.
e
-side left -expand 1 -fill x
pack .snd.lport.
l
-side left -expand 1 -fill x
checkbutton .snd.sdk -anchor w -variable sound_daemon_kill -text
\
checkbutton .snd.sdk -anchor w -variable sound_daemon_kill -text
\
...
@@ -3879,10 +4748,11 @@ proc smb_dialog {} {
...
@@ -3879,10 +4748,11 @@ proc smb_dialog {} {
side of the connection
(
VNC server
)
and existing Samba or Windows file
side of the connection
(
VNC server
)
and existing Samba or Windows file
server
(
s
)
on the local side
(
VNC viewer
)
.
server
(
s
)
on the local side
(
VNC viewer
)
.
The smbmount
(
8
)
program MUST be installed on the remote side.
The smbmount
(
8
)
program MUST be installed on the remote side. This
This evidently limits the mounting to Linux systems. Let us know
evidently limits the mounting to Linux systems. Let us know of similar
of similar utilities on other Unixes. Mounting onto remote Windows
utilities on other Unixes. Mounting onto remote Windows machines is
machines is currently not supported
(
our SSH mode only works to Unix
)
.
currently not supported
(
our SSH mode with services setup only works
to Unix
)
.
Depending on how smbmount is configured you may be able to run it
Depending on how smbmount is configured you may be able to run it
as a regular user, or it may require running under su
(
1
)
or sudo
(
8
)
as a regular user, or it may require running under su
(
1
)
or sudo
(
8
)
...
@@ -3902,7 +4772,7 @@ proc smb_dialog {} {
...
@@ -3902,7 +4772,7 @@ proc smb_dialog {} {
%WIN
%WIN
To indicate the Windows/Samba shares to mount enter them one per line
To indicate the Windows/Samba shares to mount enter them one per line
in
either
one of the forms:
in one of the forms:
//machine1/share ~/Desktop/my-mount1
//machine1/share ~/Desktop/my-mount1
//machine2/fubar /var/tmp/my-foobar2 192.168.100.53:3456
//machine2/fubar /var/tmp/my-foobar2 192.168.100.53:3456
...
@@ -3928,7 +4798,8 @@ proc smb_dialog {} {
...
@@ -3928,7 +4798,8 @@ proc smb_dialog {} {
server:port combination
)
. A fixed one is preferred: choose a free
server:port combination
)
. A fixed one is preferred: choose a free
remote port.
remote port.
The standard SMB ports are 445 and 139. 139 is used by this application.
The standard SMB service ports
(
local side
)
are 445 and 139. 139 is
used by this application.
Sometimes
"localhost"
will not work on Windows machines for a share
Sometimes
"localhost"
will not work on Windows machines for a share
hostname, and you will have to specify a different network interface
hostname, and you will have to specify a different network interface
...
@@ -4022,7 +4893,7 @@ proc help_advanced_opts {} {
...
@@ -4022,7 +4893,7 @@ proc help_advanced_opts {} {
SMB mount tunnelling: redirect localhost:1139
(
say
)
on the VNC
SMB mount tunnelling: redirect localhost:1139
(
say
)
on the VNC
server and through that mount SMB file shares from your local
server and through that mount SMB file shares from your local
server. The remote machine must be Linux.
server. The remote machine must be Linux
with smbmount installed
.
Change vncviewer: specify a non-bundled VNC Viewer
(
e.g.
Change vncviewer: specify a non-bundled VNC Viewer
(
e.g.
UltraVNC or RealVNC
)
to run instead of the bundled TightVNC Viewer.
UltraVNC or RealVNC
)
to run instead of the bundled TightVNC Viewer.
...
@@ -4071,7 +4942,7 @@ proc change_vncviewer_dialog {} {
...
@@ -4071,7 +4942,7 @@ proc change_vncviewer_dialog {} {
Note that due to incompatibilities with respect to command line options
Note that due to incompatibilities with respect to command line options
there may be issues, especially if many command line options are supplied.
there may be issues, especially if many command line options are supplied.
You can specify your own command line options below if you like
(
and try to
You can specify your own command line options below if you like
(
and try to
avoid setting any others in this GUI
)
.
avoid setting any others in this GUI
under
"Options"
)
.
If the path to the program name has any spaces it in, please surround it with
If the path to the program name has any spaces it in, please surround it with
double quotes, e.g.
"C:
\P
rogram Files
\M
y Vnc Viewer
\V
NCVIEWER.EXE"
double quotes, e.g.
"C:
\P
rogram Files
\M
y Vnc Viewer
\V
NCVIEWER.EXE"
...
@@ -4269,10 +5140,10 @@ proc do_port_knock {hp} {
...
@@ -4269,10 +5140,10 @@ proc do_port_knock {hp} {
global is_windows
global is_windows
if
{
!
$use
_port_knocking
}
{
if
{
!
$use
_port_knocking
}
{
return
return
1
}
}
if
{
$port
_knocking_list ==
""
}
{
if
{
$port
_knocking_list ==
""
}
{
return
return
1
}
}
set default_delay 0
set default_delay 0
...
@@ -4285,7 +5156,7 @@ proc do_port_knock {hp} {
...
@@ -4285,7 +5156,7 @@ proc do_port_knock {hp} {
if
{
$host0
==
""
}
{
if
{
$host0
==
""
}
{
bell
bell
mesg
"No host:
$hp
"
mesg
"No host:
$hp
"
return
return
0
}
}
if
[
regexp
{
PAD=
([
^
\n
]
+
)}
$port
_knocking_list mv padfile
]
{
if
[
regexp
{
PAD=
([
^
\n
]
+
)}
$port
_knocking_list mv padfile
]
{
set tlist
[
read_from_pad
$padfile
]
set tlist
[
read_from_pad
$padfile
]
...
@@ -4294,7 +5165,7 @@ proc do_port_knock {hp} {
...
@@ -4294,7 +5165,7 @@ proc do_port_knock {hp} {
tk_messageBox -type ok -icon error
\
tk_messageBox -type ok -icon error
\
-message
"Failed to read entry from
$padfile
"
\
-message
"Failed to read entry from
$padfile
"
\
-title
"Error: Padfile
$padfile
"
-title
"Error: Padfile
$padfile
"
return
return
0
}
}
regsub -all
{
PAD=
([
^
\n
]
+
)}
$port
_knocking_list
$tlist
list
regsub -all
{
PAD=
([
^
\n
]
+
)}
$port
_knocking_list
$tlist
list
}
else
{
}
else
{
...
@@ -4362,10 +5233,10 @@ proc do_port_knock {hp} {
...
@@ -4362,10 +5233,10 @@ proc do_port_knock {hp} {
set udp 0
set udp 0
if
[
regexp
-nocase
{
/udp
}
$line
]
{
if
[
regexp
-nocase
{
/udp
}
$line
]
{
set udp 1
set udp 1
regsub -all -nocase
{
/udp
}
$line
""
line
regsub -all -nocase
{
/udp
}
$line
"
"
line
set line
[
string
trim
$line
]
set line
[
string
trim
$line
]
}
}
regsub -all -nocase
{
/tcp
}
$line
""
line
regsub -all -nocase
{
/tcp
}
$line
"
"
line
set line
[
string
trim
$line
]
set line
[
string
trim
$line
]
set delay 0
set delay 0
...
@@ -4388,8 +5259,23 @@ proc do_port_knock {hp} {
...
@@ -4388,8 +5259,23 @@ proc do_port_knock {hp} {
if
{
$port
==
""
}
{
if
{
$port
==
""
}
{
bell
bell
mesg
"No port:
$line0
"
mesg
"No port found:
\"
$line0
\"
"
continue
return 0
}
if
{
!
[
regexp
{
^
[
0-9
][
0-9
]
*$
}
$port
]}
{
bell
mesg
"Invalid port:
\"
$port
\"
"
return 0
}
if
{[
regexp
{[
\t
]}
$host
]}
{
bell
mesg
"Invalid host:
\"
$host
\"
"
return 0
}
if
{
!
[
regexp
{
^
[
-A-z0-9_.
][
-A-z0-9_.
]
*$
}
$host
]}
{
bell
mesg
"Invalid host:
\"
$host
\"
"
return 0
}
}
set nc
""
set nc
""
...
@@ -4485,6 +5371,7 @@ proc do_port_knock {hp} {
...
@@ -4485,6 +5371,7 @@ proc do_port_knock {hp} {
if
{
$is
_windows
}
{
if
{
$is
_windows
}
{
catch
{
file
delete
"nc_in.txt"
}
catch
{
file
delete
"nc_in.txt"
}
}
}
return 1
}
}
proc
port_knocking_dialog
{}
{
proc
port_knocking_dialog
{}
{
...
@@ -4528,49 +5415,65 @@ proc port_knocking_dialog {} {
...
@@ -4528,49 +5415,65 @@ proc port_knocking_dialog {} {
for a VNC tunnel,
then
specify something like
"user@hostname cmd=SHELL"
for a VNC tunnel,
then
specify something like
"user@hostname cmd=SHELL"
(
or
"user@hostname cmd=PUTTY"
on Windows
)
in the VNC Server entry box
(
or
"user@hostname cmd=PUTTY"
on Windows
)
in the VNC Server entry box
on the main panel. This will do everything short of starting the viewer.
on the main panel. This will do everything short of starting the viewer.
A shortcut for this is Ctrl-S.
A shortcut for this is Ctrl-S
as long as user@hostname is present
.
In the text area below put in the pattern of
"knocks"
needed for this
connection. You can separate the knocks by commas or put them one per line.
Specifying the Knocks:
Whitespace is trimmed.
In the text area below
"Supply port knocking pattern"
you put in the pattern
of
"knocks"
needed for this connection. You can separate the knocks by
commas or put them one per line.
Each
"knock"
is of this form:
Each
"knock"
is of this form:
[
host:
]
port
[
/udp
]
[
delay
]
[
host:
]
port
[
/udp
]
[
delay
]
In the simplest form just a numerical port, e.g. 5433, is supplied.
In the simplest form just a numerical port, e.g. 5433, is supplied.
Items inside
[
...
]
are optional and described below.
The packet is sent to the same host that the VNC
(
or SSH
)
connection will
The packet is sent to the same host that the VNC
(
or SSH
)
connection will
be made to. If you want it to go to a different host or IP use the
[
host:
]
be made to. If you want it to go to a different host or IP use the
[
host:
]
prefix. It can be either a hostname or numerical IP.
prefix. It can be either a hostname or numerical IP.
TCP is assumed
by default.
A TCP packet is sent
by default.
If you need to send a UDP packet, the netcat
(
aka
"nc"
)
program must be
If you need to send a UDP packet, the netcat
(
aka
"nc"
)
program must be
installed on Unix
(
tcl/tk does not support udp connections
)
. Indicate this
installed on Unix
(
tcl/tk does not support udp connections
)
. Indicate this
with
"/udp"
following the port number
(
you can also use
"/tcp"
, but since
with
"/udp"
following the port number
(
you can also use
"/tcp"
, but since
it
i
t is the default it is not necessary
)
. For convenience a Windows netcat
i
s the default it is not necessary
)
. See the example below. For convenience
binary is supplied.
a Windows netcat
binary is supplied.
Because an external program must be launched for each packet udp knocking will
The last field,
[
delay
]
, is an optional number of milliseconds to delay
be
somewhat slower and less reliable. ICMP
(
ping
)
is currently not supported
.
be
fore continuing on to the next knock
.
The last field is the number of milliseconds to delay before continuing.
Examples:
Examples:
5433,
12321,
1661
5433,
12321,
1661
fw.example.com:5433, 12321/udp 3000,1661 2000
fw.example.com:5433, 12321/udp 3000,
1661 2000
fw.example.com:5433
fw.example.com:5433
12321/udp 3000
12321/udp 3000
1661 2000
1661 2000
Note how the first two examples separate their knocks via commas
","
.
The 3rd example is equivalent to the 2nd and splits them up by new lines.
Note for each knock any second number
(
e.g. the
"2000"
in
"1661 2000"
)
is
a DELAY in milliseconds, not a port number. If you had a comma separating
them:
"1661, 2000"
that would mean two separate knocks: one to port 1661
followed by one to 2000
(
with basically no delay between them
)
.
In examples 2 and 3,
"fw.example.com"
represents some machine other than
the VNC/SSH host. By default, the VNC/SSH host is the one the packet is
sent to.
Advanced port knock actions:
Alternate actions: If the string in the text field contains anywhere the
If the string in the text field contains anywhere the strings
"CMD="
,
"CMDX="
,
strings
"CMD="
,
"CMDX="
, or
"SEND="
,
then
splitting on commas is not done:
or
"SEND="
,
then
splitting on commas is not done: it is only split on lines.
it is only split on lines.
Then, if a line begins CMD=... the string after the = is run as an
Then, if a line begins CMD=... the string after the = is run as an
external command. The command could be anything you want, e.g. it could
external command. The command could be anything you want, e.g. it could
...
@@ -4602,8 +5505,8 @@ proc port_knocking_dialog {} {
...
@@ -4602,8 +5505,8 @@ proc port_knocking_dialog {} {
Examples:
Examples:
CMD=port_knock_client -pass wombat33
CMD=port_knock_client -pass
word
wombat33
CMDX=port_knock_client -pass wombat33 -host %HOST -src %NAT
CMDX=port_knock_client -pass
word
wombat33 -host %HOST -src %NAT
fw.example.com:5433/udp SEND=ASDLFKSJDF
fw.example.com:5433/udp SEND=ASDLFKSJDF
...
@@ -4615,7 +5518,7 @@ proc port_knocking_dialog {} {
...
@@ -4615,7 +5518,7 @@ proc port_knocking_dialog {} {
CMD=... items or at the very end of the knocks to wait
)
.
CMD=... items or at the very end of the knocks to wait
)
.
If a knock entry matches
"delay N"
the default delay is set to
If a knock entry matches
"delay N"
the default delay is set to
N milliseconds.
N milliseconds
(
it is 0 initially
)
.
One Time Pads:
One Time Pads:
...
@@ -4973,6 +5876,8 @@ if {[regexp -nocase {Windows.9} $tcl_platform(os)]} {
...
@@ -4973,6 +5876,8 @@ if {[regexp -nocase {Windows.9} $tcl_platform(os)]} {
set
putty_pw
""
set
putty_pw
""
global
scroll_text_focus
set
scroll_text_focus 1
wm title .
"SSL VNC Viewer"
wm title .
"SSL VNC Viewer"
wm resizable . 1 0
wm resizable . 1 0
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment