Commit 4af738e0 authored by runge

Changes for ETV, double SSL/SSH.

parent 6f47809a
......@@ -33,7 +33,10 @@
#
# -proxy try host:port as a Web proxy to use the CONNECT method
# to reach the VNC server (e.g. your firewall requires a proxy).
#
# For the "double proxy" case use -proxy host1:port1,host2:port2
# (the first CONNECT is done through host1:port1 to host2:port2
# and then a 2nd CONNECT to the destination VNC server.)
#
# See http://www.karlrunge.com/x11vnc/#faq-ssl-ca for details on SSL
# certificates with VNC.
......@@ -56,6 +59,14 @@
# other than the default (22). (even for the non-gateway case,
# -proxy must be used to specify a non-standard ssh port)
#
# A "double ssh" can be specified via a -proxy string with the two
# hosts separated by a comma:
#
# [user1@]host1[:port1],[user2@]host2[:port2]
#
# in which case a ssh to host1 and thru it via a -L redir a 2nd
# ssh is established to host2.
#
# Examples:
#
# ssl_vncviewer -ssh bob@bobs-home.net:0
......@@ -64,6 +75,8 @@
# ssl_vncviewer -ssh -proxy fred@mygate.com:2022 mymachine:0
# ssl_vncviewer -ssh -proxy bob@bobs-home.net:2222 localhost:0
#
# ssl_vncviewer -ssh -proxy fred@gw-host,fred@peecee localhost:0
#
# -sshcmd cmd Run "cmd" via ssh instead of the default "sleep 15"
# e.g. -sshcmd 'x11vnc -display :0 -localhost -rfbport 5900'
#
......@@ -95,7 +108,6 @@ VNCVIEWERCMD=${VNCVIEWERCMD:-vncviewer}
# Same for STUNNEL, e.g. set it to /path/to/stunnel or stunnel4, etc.
#
PATH=$PATH:/usr/sbin:/usr/local/sbin:/dist/sbin; export PATH
if [ "X$STUNNEL" = "X" ]; then
......@@ -240,6 +252,38 @@ if [ "X$use_ssh" = "X1" ]; then
ssh_host="$host"
vnc_host="localhost"
ssh=${SSH:-"ssh -x"}
if echo "$proxy" | grep "," > /dev/null; then
proxy1=`echo "$proxy" | awk -F, '{print $1}'`
proxy2=`echo "$proxy" | awk -F, '{print $2}'`
# user1@gw1.com:port1,user2@ws2:port2
ssh_host1=`echo "$proxy1" | awk -F: '{print $1}'`
ssh_port1=`echo "$proxy1" | awk -F: '{print $2}'`
if [ "X$ssh_port1" = "X" ]; then
ssh_port1="22"
fi
ssh_host2=`echo "$proxy2" | awk -F: '{print $1}'`
ssh_user2=`echo "$ssh_host2" | awk -F@ '{print $1}'`
ssh_host2=`echo "$ssh_host2" | awk -F@ '{print $2}'`
if [ "X$ssh_host2" = "X" ]; then
ssh_host2=$ssh_user2
ssh_user2=""
else
ssh_user2="${ssh_user2}@"
fi
ssh_port2=`echo "$proxy2" | awk -F: '{print $2}'`
if [ "X$ssh_port2" = "X" ]; then
ssh_port2="22"
fi
proxport=`findfree 3500`
echo
echo "Running 1st ssh proxy:"
echo "$ssh -f -p $ssh_port1 -t -e none -L $proxport:$ssh_host2:$ssh_port2 $ssh_host1 \"sleep 30\""
$ssh -f -p $ssh_port1 -t -e none -L $proxport:$ssh_host2:$ssh_port2 $ssh_host1 "sleep 30"
ssh_args="$ssh_args -o NoHostAuthenticationForLocalhost=yes"
sleep 1
stty sane
proxy="${ssh_user2}localhost:$proxport"
fi
if [ "X$proxy" != "X" ]; then
ssh_port=`echo "$proxy" | awk -F: '{print $2}'`
if [ "X$ssh_port" = "X" ]; then
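Review bot: `ssh_args="$ssh_args -o NoHostAuthenticationForLocalhost=yes"` in the double-ssh branch switches off host key verification for the second leg. The second ssh is pointed at localhost:$proxport, which is really $ssh_host2 behind the -L forward, so a compromised gateway can present any host key for that hop and the user sees no warning. Keep verification and tell ssh which known_hosts entry applies instead, e.g. `ssh_args="$ssh_args -o HostKeyAlias=$ssh_host2"`, so the key arriving through the tunnel is checked against the entry recorded for the real workstation. The `"sleep 30"` on the first hop is fine as written (ssh holds the session open while the forwarded connection is in use), but a comment saying that is what bounds the window for the second ssh to come through would help the next reader.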
......
x11vnc README file Date: Sat Sep 23 19:30:26 EDT 2006
x11vnc README file Date: Sat Oct 7 10:35:03 EDT 2006
The following information is taken from these URLs:
......@@ -35,11 +35,11 @@ x11vnc: a VNC server for real X displays
impossible to build on Solaris and had poor performance. The primary
x0rfbserver build problems centered around esoteric C++ toolkits.
x11vnc is written in plain C and uses only standard libraries and so
should work on nearly all Unixes. I also added a some enhancements to
should work on nearly all Unixes. I also added some enhancements to
improve the interactive response, add many esoteric features, etc.
This page and the [14]FAQ contain a lot of information [15][*] and
solutions to many problems and interesting applications, but
This page and the [14]FAQ contain a lot of information [15][*],
solutions to many problems, and interesting applications, but
nevertheless please feel free to [16]contact me if you have problems
or questions.
......@@ -3892,6 +3892,9 @@ ied)
* Turn off Anti-aliased fonts on your system, web browser, terminal
windows, etc. AA fonts do not compress as well as traditional
fonts (sometimes 10X less).
* On Firefox/Mozilla (and anything else) turn off "Smooth Scroll"
animations. In Firefox put in the URL "about:config" and set
general.smoothScroll to false.
* On XFree86 turn on the Shadow Framebuffer to speed up reading.
(Option "ShadowFB" "true" in the Device section of
/etc/X11/XF86Config) This disables 2D acceleration on the physical
......@@ -7358,13 +7361,17 @@ http://www.karlrunge.com/x11vnc/ssl-portal.html:
-t -L 5900:myworkstation:5900 user@gateway) to set up the encrypted
channel that VNC is then tunneled through. Next he starts up the VNC
viewer on the machine where he is sitting directed to the local tunnel
port.
The SSH scheme is nice because it is a common and well tested login
technique for users connecting to machines inside their company or
home firewall. It is a bit awkward, however, because SSH needs to be
installed on the Viewer machine and the user usually has to rig up his
own port redirection plumbing.
port (e.g. localhost:0).
The SSH scheme is nice because it is a widely used and well tested
login technique for users connecting to machines inside their company
or home firewall. For VNC access it is a bit awkward, however, because
SSH needs to be installed on the Viewer machine and the user usually
has to rig up his own port redirection plumbing. Also, some users have
restrictive work environments where SSH and similar applications are
prohibited (i.e. only outgoing connections to standard WWW ports are
allowed, perhaps mediated by a proxy server) and have used the method
described below for remote access.
With the SSL support in x11vnc and the SSL enabled Java VNC viewer
applet, a convenient and secure alternative exists that uses the
......@@ -7372,17 +7379,19 @@ http://www.karlrunge.com/x11vnc/ssl-portal.html:
connection is already running apache as a web server (either SSL or
non-SSL) and we add to it the ability to act as a gateway for SSL VNC
connections. The only thing needed on the Viewer side is a Java
enabled Web Browser. The stunnel VNC viewer wrapper script provided
enabled Web Browser: the user enters a URL that starts the VNC
connection process. The stunnel VNC viewer wrapper script provided
(ssl_vncviewer) can also take advantage of the method described here.
The apache solution may be overkill for you (e.g. home system) see
[1]below for some simpler setups.
There are numerous ways to do this. We present the simplest one here.
Important: these schemes allow incoming connections from anywhere on
the Internet to specific ports on machines inside the firewall. Care
must be taken to implement and test thoroughly. If one is paranoid one
can (and should) add extra layers of protection. (e.g. extra
passwords, packet filtering, SSL certificate verification, etc).
This apache solution may be overkill for you (e.g. home system) see
[1]below for some simpler setups that avoid using SSH.
There are numerous ways to achieve this with Apache. We present the
simplest one here. Important: these schemes allow incoming connections
from anywhere on the Internet to fixed ports on machines inside the
firewall. Care must be taken to implement and test thoroughly. If one
is paranoid one can (and should) add extra layers of protection. (e.g.
extra passwords, packet filtering, SSL certificate verification, etc).
The scheme described here sets up apache on the firewall/gateway as a
regular Web proxy into the intranet and allows connections to a fixed
......@@ -7398,9 +7407,10 @@ http://www.karlrunge.com/x11vnc/ssl-portal.html:
We choose 563 because it is the rarely used SNEWS port that is usually
allowed by Web proxies for the CONNECT method. The idea is the user
may be coming out of another firewall using a proxy (not the one we
describe here, that is, the case when two proxies are involved; the
"double proxy" problem) and using port 563 simplifies things because
CONNECT's to it are usually allowed by default.
describe here, that is, the case when two proxies are involved, e.g.
one at work and another, Apache at home redirecting into our firewall;
the "double proxy" problem) and using port 563 simplifies things
because CONNECT's to it are usually allowed by default.
We also assume all of the x11vnc servers on the internal machines are
all listening on port 5915 ("-rfbport 5915") instead of the default
......@@ -7470,10 +7480,11 @@ t:563/
into the browser:
http://www.gateway.east:563/vnc/mach2
to connect to internal workstation mach2, etc. There will be a number
of SSL certificate, etc, dialogs he will have to respond to in
addition to any passwords he is required to provide (this depends on
how you set up user authentication for x11vnc).
to connect to internal workstation mach2, etc. (Important: do not put
a trailing "/" on the URL, since that will defeat the RewriteRules.)
There will be a number of SSL certificate, etc, dialogs he will have
to respond to in addition to any passwords he is required to provide
(this depends on how you set up user authentication for x11vnc).
If a second Web proxy is involved (i.e. the user's browser is inside
another firewall that requires proxying) then use this URL:
......@@ -7499,7 +7510,8 @@ t:563/
Next, the "ProxyRequests On" and "AllowCONNECT 5915" enable the web
server to forward proxy requests to port 5915 (and only this port)
INSIDE the firewall. Test this carefully.
INSIDE the firewall. Research the implications of this thoroughly and
test it carefully.
The "ProxyPass /vnc/mach1/ ..." lines forward the initial page (e.g.
index.vnc) and Java applet JAR file (e.g. VncViewer.jar) requests to
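Review bot: "Research the implications of this thoroughly" is too vague for a security-sensitive directive; state the implication. With "ProxyRequests On", "AllowCONNECT 5915" restricts only the destination port, not the destination host, so unless the proxied destinations are also restricted (a `<ProxyMatch>` deny block like the one under "Problems" further down, or a `<Proxy *>` section with "Deny from all" plus explicit allows for the VNC hosts), any client on the Internet can CONNECT to port 5915 on every host the gateway can reach. Suggest replacing the sentence with that explanation and pointing at the ProxyMatch example.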
......@@ -7534,18 +7546,33 @@ t:563/
Web browser's acceptance of the certificate.
Unfortunately the applet currently is not able to save its own list of
Certificates (e.g. the user says trust this certificate always). As an
applet it cannot open local files, etc. Sadly, the applet cannot even
remember certificates in the same browser session because it is
completely reinitialized for each connection.
Certificates (e.g. the user says trust this VNC certificate 'always').
This is because an applet it cannot open local files, etc. Sadly, the
applet cannot even remember certificates in the same browser session
because it is completely reinitialized for each connection.
Problems:
One user reported that the ProxyRemoteMatch did not work for his
Apache setup and had to use something like this:
<ProxyMatch ^(?!(http://mach1|mach1:))>
Order deny,allow
Deny from all
</ProxyMatch>
in the global config section.
Some Ideas for adding extra authentication, etc. for the paranoid:
* VNC passwords: [6]-rfbauth, [7]-passwdfile, or [8]-usepw. Even
adding a company-wide VNC password helps block unwanted access.
adding a simple company-wide VNC password helps block unwanted
access.
* Unix passwords: [9]-unixpw
* SSL Client certificates: [10]-sslverify
* Apache AuthUserFile directive: .htaccess, etc.
* Use Port-knocking on your firewall as described in: [11]Enhanced
TightVNC Viewer.
* Add proxy password authentication (requires Viewer changes?)
* Run a separate instance of Apache that provides this VNC service
so it can be brought up and down independently of the normal web
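Review bot: the `<ProxyMatch ^(?!(http://mach1|mach1:))>` workaround under "Problems" only allows mach1, while the ProxyPass list in this same document serves mach1 through mach4; a reader who copies it verbatim locks out the other workstations. Either extend the pattern to cover the full set (e.g. `^(?!(http://mach[1-4]|mach[1-4]:))`) or add a sentence saying the alternation must list every permitted internal host.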
......@@ -7555,14 +7582,14 @@ t:563/
Using non-Java viewers with this scheme:
The [11]ssl_vncviewer stunnel wrapper script for VNC viewers has the
The [12]ssl_vncviewer stunnel wrapper script for VNC viewers has the
-proxy option that can take advantage of this method. For the case of
the "double proxy" situation (see below) supply both separated by a
comma.
ssl_vncviewer -proxy www.gateway.east:563 mach1:15
ssl_vncviewer -proxy proxy1.foobar.com:8080,www.gateway.east:563 mach1:15
For the [12]Enhanced TightVNC Viewer GUI (it uses ssl_vncviewer on
For the [13]Enhanced TightVNC Viewer GUI (it uses ssl_vncviewer on
Unix) enter these into the 'VNC Server' entry box:
mach1:15 www.gateway.east:563
mach1:15 proxy1.foobar.com:8080,www.gateway.east:563
......@@ -7573,20 +7600,21 @@ t:563/
Downloading the Java applet via HTTPS:
To have the Java applet downloaded to the user's Web Browswer via an
To have the Java applet downloaded to the user's Web Browser via an
encrypted (and evidently safer) SSL connection the Apache webserver
should be configured for SSL via [13]mod_ssl (this is probably not
should be configured for SSL via [14]mod_ssl (this is probably not
absolutely necessary; show us how you did it).
It is actually possible to use the x11vnc [14]Key Management utility
"[15]-sslGenCert" to generate your Apache/SSL .crt and .key files. (In
It is actually possible to use the x11vnc [15]Key Management utility
"[16]-sslGenCert" to generate your Apache/SSL .crt and .key files. (In
brief, run something like "x11vnc -sslGenCert server self:apache" then
copy the resulting self:apache.crt file to conf/ssl.crt/server.crt and
extract the private key part from self:apache.pem and paste it into
conf/ssl.key/server.key). Setting the env var REQ_ARGS='-days 730'
will bump up the expiration date (2 years in this case). Or you can
use the standard methods described in the Apache mod_ssl
documentation.
documentation. Then restart Apache, usually something like "apachectl
startssl".
In addition to the above sections in httpd.conf one should add the
following to ssl.conf:
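Review bot: the step that pastes the private key from self:apache.pem into conf/ssl.key/server.key should also say to restrict that file, since it now holds the Apache server's private key; a `chmod 600 conf/ssl.key/server.key` (owned by the user that starts Apache, usually root) right after the paste would do, and the same applies to the self:apache.pem file left behind by -sslGenCert.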
......@@ -7612,6 +7640,7 @@ RT=563&forceProxy=yes [R,NE]
ProxyPass /vnc/mach2/ http://mach2:5815/
ProxyPass /vnc/mach3/ http://mach3:5815/
ProxyPass /vnc/mach4/ http://mach4:5815/
# single port VNC+HTTPS:
ProxyPass /vncs/mach1/ https://mach1:5915/
ProxyPass /vncs/mach2/ https://mach2:5915/
ProxyPass /vncs/mach3/ https://mach3:5915/
......@@ -7625,7 +7654,8 @@ RT=563&forceProxy=yes [R,NE]
or
https://www.gateway.east/vnc/proxy/mach2
for the "double proxy" case.
for the "double proxy" case. (Important: do not put a trailing "/" on
the URL, since that will defeat the RewriteRules.)
Note that inside the firewall the Java applet download traffic is not
encrypted (only over the Internet is SSL used) for these cases:
......@@ -7637,19 +7667,22 @@ RT=563&forceProxy=yes [R,NE]
the Java applet download is encrypted via SSL for both legs. Note that
the two legs are two separate SSL sessions. So the data is decrypted
inside an apache process and reencrypted for the 2nd SSL session
inside the same apache process (a very small gap one might overlook).
inside an apache process and reencrypted by the apache process for the
2nd SSL session inside the same apache process (a very small gap one
might overlook).
In all of the above cases the VNC traffic from Viewer to x11vnc is
encrypted end-to-end in a single SSL session, even for the "double
proxy" case. This is the important part to have encrypted.
proxy" case because the CONNECT method is used (there are actually two
CONNECT's for the "double proxy" case). This part (the VNC traffic) is
the important part to have encrypted.
Note that the Certificate dialogs the user has in his web browser will
be for the Apache Certificate, while for the Java applet it will be
the x11vnc certificate.
Note also that you can have Apache serve up the Jar file VncViewer.jar
instead of each x11vnc if you want to.
and/or index.vnc/proxy.vnc instead of each x11vnc if you want to.
INETD automation:
......@@ -7701,7 +7734,7 @@ RT=563&forceProxy=yes [R,NE]
-inetd -oa /var/log/x11vnc-15.log -http_ssl -display WAIT:cmd=HTTPONCE
where the long inetd.conf line has been split. Note how the
[16]-http_ssl tries to automatically find the .../classes/ssl
[17]-http_ssl tries to automatically find the .../classes/ssl
subdirectory.
Also note the use of "-ssl SAVE" above. This way a saved server.pem is
......@@ -7826,7 +7859,7 @@ Certs=yes [R,NE]
the first time you connect carefully check the Certificate and then
tell your Browser and Java Virtual Machine to trust the certificate
'Always'. Then if you later get an unexpected dialog, you know
something is wrong. Nearly always it is just an changed or expired
something is wrong. Nearly always it is just a changed or expired
certificate, but better safe than sorry...
References
......@@ -7841,12 +7874,13 @@ References
8. http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-usepw
9. http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-unixpw
10. http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-sslverify
11. http://www.karlrunge.com/x11vnc/index.html#ssl_vncviewer
12. http://www.karlrunge.com/x11vnc/enhanced_tightvnc_viewer.html
13. http://httpd.apache.org/docs/2.0/mod/mod_ssl.html
14. http://www.karlrunge.com/x11vnc/ssl.html
15. http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-sslGenCert
16. http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-http_ssl
11. http://www.karlrunge.com/x11vnc/enhanced_tightvnc_viewer.html
12. http://www.karlrunge.com/x11vnc/index.html#ssl_vncviewer
13. http://www.karlrunge.com/x11vnc/enhanced_tightvnc_viewer.html
14. http://httpd.apache.org/docs/2.0/mod/mod_ssl.html
15. http://www.karlrunge.com/x11vnc/ssl.html
16. http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-sslGenCert
17. http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-http_ssl
=======================================================================
http://www.karlrunge.com/x11vnc/enhanced_tightvnc_viewer.html:
......@@ -7856,17 +7890,22 @@ http://www.karlrunge.com/x11vnc/enhanced_tightvnc_viewer.html:
Enhanced TightVNC Viewer
The Enhanced TightVNC Viewer package is a project to add some patches
to the long neglected Unix TightVNC Viewer.
The Enhanced TightVNC Viewer package started as a project to add some
patches to the long neglected Unix TightVNC Viewer.
It now also adds a front-end GUI for Windows and Unix that
automatically starts up a STUNNEL SSL tunnel for SSL connections to
[1]x11vnc (or any other VNC Server also running an SSL tunnel, such as
STUNNEL, at their end), and then launches the TightVNC Viewer. The
front-end program can also be used to set up SSH tunnelled connections
instead. And many additional features (see below for a list).
It also adds a front-end GUI for Windows and Unix that automatically
starts up a STUNNEL SSL tunnel for SSL connections to [1]x11vnc (or
any other VNC Server also running an SSL tunnel, such as STUNNEL, at
their end), and then launches the TightVNC Viewer. The front-end
program can also be used to set up SSH tunnelled connections instead.
It is a self-contained package, you could carry it around on, say, a
USB memory stick for secure VNC viewing from almost any machine, Unix
or Windows.
Patches were created for the TightVNC 1.3dev7 vnc_unixsrc tree (and
various wrappers written) to add these features:
various wrappers and a tcl/tk GUI written) to add these features:
* SSL support for connections using the co-bundled stunnel program.
* Automatic SSH connections from the GUI (system ssh is used on
Unix; co-bundled plink is used on Windows)
......@@ -7930,15 +7969,15 @@ Enhanced TightVNC Viewer
(and there should be kinks to work out).
This package can be downloaded here:
[8]enhanced_tightvnc_viewer-1.0.4.zip All Unix and Windows
binaries and source. (~6MB)
[9]enhanced_tightvnc_viewer-1.0.4.tar.gz All Unix and Windows
binaries and source. (~6MB)
[10]enhanced_tightvnc_viewer_all-1.0.4.zip All Unix and Windows
binaries and source and full archives in zip dir. (~9MB)
[11]enhanced_tightvnc_viewer_windows_only-1.0.4.zip Only the Windows bin
aries. (~4MB)
[12]enhanced_tightvnc_viewer_no_windows-1.0.4.tar.gz No Windows binaries.
[8]enhanced_tightvnc_viewer-1.0.5.zip All Unix and Windows
binaries and source. (~8MB)
[9]enhanced_tightvnc_viewer-1.0.5.tar.gz All Unix and Windows
binaries and source. (~8MB)
[10]enhanced_tightvnc_viewer_all-1.0.5.zip All Unix and Windows
binaries and source and full archives in zip dir. (~11MB)
[11]enhanced_tightvnc_viewer_windows_only-1.0.5.zip Only the Windows bin
aries. (~6MB)
[12]enhanced_tightvnc_viewer_no_windows-1.0.5.tar.gz No Windows binaries.
(~2MB)
Sorry for the inconvenience of lumping all the Unix binaries and
......@@ -7971,7 +8010,7 @@ aries. (~4MB)
[17]http://www.chiark.greenend.org.uk/~sgtatham/putty/
It is my belief (but I cannot be absolutely sure) that the bundle
enhanced_tightvnc_viewer_no_windows-1.0.4.tar.gz contains no
enhanced_tightvnc_viewer_no_windows-1.0.5.tar.gz contains no
cryptographic software (again, if your situation warrants, you will
need to check). This "no_windows" tarball only contains software (from
the above URL's and elsewhere) that will use cryptographic software
......@@ -8027,6 +8066,9 @@ Also, a Windows SSL wrapper for the co-bundled TightVNC binary and other
utilities are provided. (Launch ssl_tightvncviewer.exe in the
Windows subdirectory).
It is a self-contained package, you could carry it around on, say,
a USB memory stick for secure VNC viewing from almost any machine,
Unix or Windows.
Features:
--------
......@@ -8076,7 +8118,7 @@ If you need to Build:
--------------------
If your OS/arch is not included, the script "build.unix" may be able to
successfully build on for you and deposit the binaries down in ./bin/...
successfully build one for you and deposit the binaries down in ./bin/...
using the included source code.
You must run the build.unix script from this directory (that this toplevel
......@@ -8232,11 +8274,11 @@ References
5. http://www.karlrunge.com/x11vnc/index.html#faq-smb-shares
6. http://www.karlrunge.com/x11vnc/index.html#faq-cups
7. http://www.karlrunge.com/x11vnc/index.html#faq-sound
8. http://www.karlrunge.com/x11vnc/etv/enhanced_tightvnc_viewer-1.0.4.zip
9. http://www.karlrunge.com/x11vnc/etv/enhanced_tightvnc_viewer-1.0.4.tar.gz
10. http://www.karlrunge.com/x11vnc/etv/enhanced_tightvnc_viewer_all-1.0.4.zip
11. http://www.karlrunge.com/x11vnc/etv/enhanced_tightvnc_viewer_windows_only-1.0.4.zip
12. http://www.karlrunge.com/x11vnc/etv/enhanced_tightvnc_viewer_no_windows-1.0.4.tar.gz
8. http://www.karlrunge.com/x11vnc/etv/enhanced_tightvnc_viewer-1.0.5.zip
9. http://www.karlrunge.com/x11vnc/etv/enhanced_tightvnc_viewer-1.0.5.tar.gz
10. http://www.karlrunge.com/x11vnc/etv/enhanced_tightvnc_viewer_all-1.0.5.zip
11. http://www.karlrunge.com/x11vnc/etv/enhanced_tightvnc_viewer_windows_only-1.0.5.zip
12. http://www.karlrunge.com/x11vnc/etv/enhanced_tightvnc_viewer_no_windows-1.0.5.tar.gz
13. http://www.tightvnc.com/
14. http://www.realvnc.com/
15. http://www.stunnel.org/
......@@ -8254,7 +8296,7 @@ x11vnc: a VNC server for real X displays
Here are all of x11vnc command line options:
% x11vnc -opts (see below for -help long descriptions)
x11vnc: allow VNC connections to real X11 displays. 0.8.3 lastmod: 2006-09-23
x11vnc: allow VNC connections to real X11 displays. 0.8.3 lastmod: 2006-10-07
x11vnc options:
-display disp -auth file -id windowid
......@@ -8355,7 +8397,7 @@ libvncserver-tight-extension options:
% x11vnc -help
x11vnc: allow VNC connections to real X11 displays. 0.8.3 lastmod: 2006-09-23
x11vnc: allow VNC connections to real X11 displays. 0.8.3 lastmod: 2006-10-07
(type "x11vnc -opts" to just list the options.)
......
......@@ -17,6 +17,7 @@ by others. See these sites and related ones for more information:
http://www.tightvnc.com
http://www.realvnc.com
http://www.stunnel.org
http://stunnel.mirt.net
http://www.openssl.org
http://www.chiark.greenend.org.uk/~sgtatham/putty/
......@@ -46,6 +47,9 @@ Also, a Windows SSL wrapper for the co-bundled TightVNC binary and other
utilities are provided. (Launch ssl_tightvncviewer.exe in the
Windows subdirectory).
It is a self-contained package, you could carry it around on, say,
a USB memory stick for secure VNC viewing from almost any machine,
Unix or Windows.
Features:
--------
......@@ -215,6 +219,7 @@ See also:
x11vnc -h | more
http://www.stunnel.org
http://stunnel.mirt.net
http://www.openssl.org
http://www.tightvnc.com
http://www.realvnc.com
......
#!/usr/bin/wish
global env
set proxy1 ""
set proxy2 ""
set client_fh ""
set server_fh ""
set debug 0
if {$debug} {
if {! [info exists env(SSL_VNC_DEST)]} {
set env(SSL_VNC_DEST) "haystack:2037"
}
if {! [info exists env(SSL_VNC_PROXY)]} {
set env(SSL_VNC_PROXY) "haystack:2037"
}
if {! [info exists env(SSL_VNC_LISTEN)]} {
set env(SSL_VNC_LISTEN) "6789"
}
}
set dest $env(SSL_VNC_DEST)
if [regexp {,} $env(SSL_VNC_PROXY)] {
set s [split $env(SSL_VNC_PROXY) ","]
set proxy1 [lindex $s 0]
set proxy2 [lindex $s 1]
} else {
set proxy1 $env(SSL_VNC_PROXY)
}
set s [split $proxy1 ":"]
set proxy1_host [lindex $s 0]
set proxy1_port [lindex $s 1]
if {$proxy2 != ""} {
set s [split $proxy2 ":"]
set proxy2_host [lindex $s 0]
set proxy2_port [lindex $s 1]
}
set lport $env(SSL_VNC_LISTEN)
set got_connection 0
set lsock [socket -myaddr 127.0.0.1 -server handle_connection $lport]
if {1} {
wm withdraw .
}
button .b -text "CONNECT_BR" -command {destroy .}
pack .b
after 1000 check_callback
proc check_callback {} {
global debug
if {$debug} {
puts stderr "."
}
check_closed
after 1000 check_callback
}
proc check_closed {} {
global client_fh server_fh debug
global got_connection
if {! $got_connection} {
return
}
set delay 100
if {$client_fh != "" && [eof $client_fh]} {
if {$debug} {
puts stderr "client_fh EOF"
}
catch {flush $client_fh}
after $delay
catch {close $client_fh}
after $delay
catch {flush $server_fh}
after $delay
catch {close $server_fh}
destroy .
exit
}
if {$server_fh != "" && [eof $server_fh]} {
if {$debug} {
puts stderr "server_fh EOF"
}
catch {flush $server_fh}
after $delay
catch {close $server_fh}
after $delay
catch {flush $client_fh}
after $delay
catch {close $client_fh}
destroy .
exit
}
}
proc xfer_in_to_out {} {
global client_fh server_fh debug
if {$client_fh != "" && ![eof $client_fh]} {
set str [read $client_fh 4096]
if {$debug} {
puts stderr "xfer_in_to_out: $str"
}
if {$server_fh != ""} {
puts -nonewline $server_fh $str
flush $server_fh
}
}
check_closed
}
proc xfer_out_to_in {} {
global client_fh server_fh debug
if {$server_fh != "" && ![eof $server_fh]} {
set str [read $server_fh 4096]
if {$debug} {
puts stderr "xfer_out_to_in: $str"
}
if {$client_fh != ""} {
puts -nonewline $client_fh $str
flush $client_fh
}
}
check_closed
}
proc handle_connection {fh host port} {
global proxy1_host proxy1_port
global proxy2_host proxy2_port
global proxy1 proxy2
global dest
global debug
global got_connection
if {$got_connection} {
catch {close $fh}
return
}
set got_connection 1
if {$debug} {
puts stderr "connection from: $host $port"
puts stderr "socket $proxy1_host $proxy1_port"
}
set sock [socket $proxy1_host $proxy1_port]
global client_fh server_fh
set client_fh $fh
set server_fh $sock
fconfigure $fh -translation binary -blocking 0
fconfigure $sock -translation binary -blocking 0
set con ""
if {$proxy2 != ""} {
append con "CONNECT $proxy2 HTTP/1.1\r\n"
append con "Host: $proxy2\r\n\r\n"
} else {
append con "CONNECT $dest HTTP/1.1\r\n"
append con "Host: $dest\r\n\r\n"
}
puts -nonewline $sock $con
flush $sock
set r ""
set cnt 0
while {1} {
set c [read $sock 1]
if {$c == ""} {
check_closed
after 20
}
incr cnt
if {$debug} {
.b configure -text "A $cnt -- $c"
update
}
append r $c
if {[regexp "\r\n\r\n" $r] || [regexp "a--no--\n\n" $r]} {
break
}
if {$cnt > 3000} {
break
}
}
if {! [regexp {HTTP/.* 200} $r]} {
puts stderr "did not find HTTP 200 #1"
if {1} {
destroy .
exit 1
}
}
if {$proxy2 != ""} {
set con ""
append con "CONNECT $dest HTTP/1.1\r\n"
append con "Host: $dest\r\n\r\n"
puts -nonewline $sock $con
flush $sock
set r ""
set cnt 0
while {1} {
set c [read $sock 1]
if {$c == ""} {
check_closed
after 20
}
incr cnt
if {$debug} {
.b configure -text "B $cnt -- $c"
update
}
append r $c
if {[regexp "\r\n\r\n" $r] || [regexp "a--no--\n\n" $r]} {
break
}
if {$cnt > 3000} {
break
}
}
if {! [regexp {HTTP/.* 200} $r]} {
puts stderr "did not find HTTP 200 #2"
destroy .
exit 1
}
}
fileevent $fh readable xfer_in_to_out
fileevent $sock readable xfer_out_to_in
}
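Review bot: `regexp {HTTP/.* 200} $r` (used for both CONNECT responses) is too loose: Tcl's `.` matches newlines, so a reply such as "HTTP/1.1 407 Proxy Authentication Required" whose headers happen to contain " 200" (a Content-Length: 200 header, say) is accepted as success and the VNC handshake is then written into whatever the proxy sends next. Anchor the check to the status line, e.g. `regexp {^HTTP/[0-9.]+ 200} $r`. Two smaller points in handle_connection: `set sock [socket $proxy1_host $proxy1_port]` is not wrapped in catch, so a refused connection surfaces as a Tk background error instead of the "did not find HTTP 200" exit path, and the `[regexp "a--no--\n\n" $r]` alternative looks like a disabled check and should be removed rather than left as dead code.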
http://www.stunnel.org/download/binaries.html
http://stunnel.mirt.net/
......@@ -108,11 +108,16 @@ proc help {} {
Proxies: If an intermediate proxy is needed to make the SSL connection
(e.g. web gateway out of a firewall), supply both hosts separated
by spaces (with the proxy 2nd):
by spaces (with the proxy second):
host:number gwhost:port
E.g.: far-way.east:0 mygateway.com:8080
E.g.: far-away.east:0 mygateway.com:8080
If the "double proxy" case is required (e.g. coming out of a web
proxied firewall environment), separate them via a comma, e.g.:
far-away:0 local-proxy:8080,mygateway.com:443
See the ssl_vncviewer description and x11vnc FAQ for info on proxies:
......@@ -164,8 +169,15 @@ proc help {} {
2) If you use "user@hostname cmd=SHELL" then you get an SSH shell only:
no VNC viewer will be launched. On Windows "user@hostname cmd=PUTTY"
will try to use putty.exe (better terminal emulation than plink.exe)
A shortcut for this is Ctrl-S as long as user@hostname is present.
will try to use putty.exe (better terminal emulation than
plink.exe). A shortcut for this is Ctrl-S as long as user@hostname
is present in the entry box.
3) If you use "user@hostname cmd=KNOCK" then only the port-knocking
is performed. A shortcut for this is Ctrl-P as long as hostname
is present in the entry box. If it matches cmd=KNOCKF, i.e. an
extra "F", then the port-knocking "FINISH" sequence is sent, if any.
A shortcut for this Shift-Ctrl-P as long as hostname is present.
}
.h.f.t insert end $msg
......@@ -265,18 +277,18 @@ set msg {
tunnel. You must be able to log in via ssh to the remote host.
On Unix the cmdline ssh(1) program will be run in an xterm
for authentication, etc. On Windows the cmdline plink.exe
program will be launched in a Windows Console window.
for passphrase authentication, etc. On Windows the cmdline
plink.exe program will be launched in a Windows Console window.
You can set the "VNC Server" to "user@host:disp" to indicate
ssh should log in as "user" on "host". On Windows you must
You can set the "VNC Server" to "user@host:disp" to indicate ssh
should log in as "user" on "host". NOTE: On Windows you MUST
always supply the "user@" part (due to a plink deficiency). E.g.:
fred@far-away.east:0
If a gateway machine must be used (e.g. to enter a firewall;
the VNC Server is not running on it), put something like this
in the "VNC Server" entry box:
If an intermediate gateway machine must be used (e.g. to enter
a firewall; the VNC Server is not running on it), put something
like this in the "VNC Server" entry box:
workstation:0 user@gateway-host:port
......@@ -285,6 +297,16 @@ set msg {
":port" is optional, use it if the gateway-host SSH port is
not the default value 22.
One can also do a "double ssh", i.e. a first SSH to the
gateway login machine then a 2nd ssh to the destination machine
(presumably it is running the vnc server). Unlike the above
example, the "last leg" (gateway-host -> workstation) is also
encrypted by SSH this way. Do this by splitting the gateway
in two with a comma, the part before it is the first SSH:
:0 user@gateway-host:port,user@workstation:port
At the very end of the entry box, you can also append a
cmd=... string to indicate that command should be run via ssh
on the remote machine instead of the default "sleep 15". E.g.:
......@@ -293,6 +315,7 @@ set msg {
(if a gateway is also needed, put it just before the cmd=...)
Trick: If you use "cmd=SHELL" then you get an SSH shell only:
no VNC viewer will be launched. On Windows "cmd=PUTTY" will
try to use putty.exe (better terminal emulation than plink.exe)
......@@ -345,18 +368,14 @@ set msg {
with Load Profile. Use the Browse... button to select
the filename via the GUI.
Include: Profile template(s) to load before loading a profile
(see Load Profile above). For example if you Save
a profile called "globals" that has some settings
you use often, then just supply "Include: globals"
to have them applied.
You may supply a comma or space separated list of
templates to include. They can be full path names or
basenames relative to the profiles directory. You do
not need to supply the .vnc suffix. The non-default
settings in them will be applied first, and then any
values then in the loaded Profile will override them.
Note: On Windows since the TightVNC Viewer will save
its own settings in the registry, some unexpected
behavior is possible because the viewer is nearly
always directed to the VNC host "localhost:30". E.g. if
you specify "View Only" in this gui once but not next
time the Windows VNC Viewer may remember the setting.
Unfortunately there is not a /noreg option for the Viewer.
Clear Options: Set all options to their defaults (i.e. unset).
......@@ -880,6 +899,24 @@ proc make_plink {} {
update
}
proc ssh_split {str} {
if {! [regexp {:} $str]} {
append str ":22"
}
regsub {:.*$} $str "" ssh_host
regsub {^.*:} $str "" ssh_port
if {$ssh_port == ""} {
set ssh_port 22
}
if [regexp {@} $ssh_host] {
regsub {@.*$} $ssh_host "" ssh_user
regsub {^.*@} $ssh_host "" ssh_host
} else {
set ssh_user ""
}
return [list $ssh_user $ssh_host $ssh_port]
}
proc launch_windows_ssh {hp file n} {
global is_win9x env
global use_sshssl use_ssh putty_pw
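Review bot: `ssh_split` never checks that the port part is numeric, so a value such as `host:abc` is returned as-is and later handed straight to `plink.exe -P`; a `string is integer -strict $ssh_port` check with a `mesg`/`bell` would surface the typo before plink fails with a less helpful error. Style: `if [regexp {@} $ssh_host]` should brace the condition as `if {[regexp {@} $ssh_host]}`, as the rest of the file does.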
......@@ -918,16 +955,65 @@ proc launch_windows_ssh {hp file n} {
set ssh_host $hpnew
regsub {:.*$} $ssh_host "" ssh_host
set double_ssh ""
set p_port ""
if {$proxy != ""} {
set ssh_host $proxy
if [regexp {,} $proxy] {
if {$is_win9x} {
mesg "Double proxy does not work on Win9x"
bell
return 0
}
# user1@gateway:port1,user2@workstation:port2
set proxy1 ""
set proxy2 ""
set s [split $proxy ","]
set proxy1 [lindex $s 0]
set proxy2 [lindex $s 1]
set p_port [expr 3000 + 1000 * rand()]
set p_port [expr round($p_port)]
set s [ssh_split $proxy1]
set ssh_user1 [lindex $s 0]
set ssh_host1 [lindex $s 1]
set ssh_port1 [lindex $s 2]
set s [ssh_split $proxy2]
set ssh_user2 [lindex $s 0]
set ssh_host2 [lindex $s 1]
set ssh_port2 [lindex $s 2]
set u1 ""
if {$ssh_user1 != ""} {
set u1 "${ssh_user1}@"
}
set u2 ""
if {$ssh_user2 != ""} {
set u2 "${ssh_user2}@"
}
set double_ssh "-L $p_port:$ssh_host2:$ssh_port2 -P $ssh_port1 $u1$ssh_host1"
set proxy_use "${u2}localhost:$p_port"
} else {
# user1@gateway:port1
set proxy_use $proxy
}
set ssh_host $proxy_use
regsub {:.*$} $ssh_host "" ssh_host
set ssh_port $proxy
set ssh_port $proxy_use
regsub {^.*:} $ssh_port "" ssh_port
if {$ssh_port == ""} {
set ssh_port 22
}
set vnc_host $hpnew
regsub {:.*$} $vnc_host "" vnc_host
if {$vnc_host == ""} {
set vnc_host "localhost"
}
}
if {![regexp {^[^ ][^ ]*@} $ssh_host]} {
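Review bot: the local forwarding port `p_port` is drawn from `expr 3000 + 1000 * rand()` without checking that nothing is already listening on it; on a collision the first plink's `-L` binding fails and the netstat polling loop in the later hunk spends its full 30 s timeout before carrying on. `get_netstat` is already available here, so the candidate can be tested against it and redrawn on a hit. Also, `set ssh_host $proxy` at the top of the `if {$proxy != ""}` block is now dead, since it is overwritten unconditionally by `set ssh_host $proxy_use`.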
......@@ -974,6 +1060,8 @@ proc launch_windows_ssh {hp file n} {
set tag [contag]
set file_double ""
set file_pre ""
set file_pre_cmd ""
if {$do_pre} {
......@@ -1077,6 +1165,10 @@ proc launch_windows_ssh {hp file n} {
append extra_redirs [get_additional_redir]
}
if {$vnc_host == ""} {
set vnc_host "localhost"
}
set plink_str "plink.exe -ssh -P $ssh_port $verb -L $use:$vnc_host:$vnc_port $extra_redirs -t"
if {$extra_redirs != ""} {
regsub {exe} $plink_str "exe -C" plink_str
......@@ -1125,6 +1217,41 @@ proc launch_windows_ssh {hp file n} {
return 0
}
if {$double_ssh != ""} {
set plink_str_double_ssh "plink.exe -ssh -t $pw $double_ssh \"echo sleep 60 ...; sleep 60; echo done.\""
regsub {\.bat} $file "dob.bat" file_double
set fhdouble [open $file_double "w"]
puts $fhdouble $plink_str_double_ssh
puts $fhdouble "del $file_double"
close $fhdouble
set com "cmd.exe"
if [info exists env(COMSPEC)] {
set com $env(COMSPEC)
}
exec $com /c $file_double &
set waited 0
set gotit 0
while {$waited < 30000} {
after 500
update
set ns [get_netstat]
set re ":$p_port"
append re {[ ][ ]*[0:.][0:.]*[ ][ ]*LISTEN}
if [regexp $re $ns] {
set gotit 1
break
}
set waited [expr "$waited + 500"]
}
if {! $gotit} {
after 5000
}
}
if {$is_win9x} {
wm withdraw .
update
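Review bot: `plink_str_double_ssh` embeds `$pw` and is written verbatim into `$file_double`, so if `$pw` carries the PuTTY `-pw` password it ends up in clear text in a .bat file on disk (until the trailing `del`, or the cleanup in the later hunk) and in plink's visible command line; preferring agent authentication for the first hop, or keeping the password off the batch file, would avoid that. Separately, the wait loop only watches netstat for `:$p_port ... LISTEN`: if the first plink exits early (authentication failure), the loop still burns the full 30 s plus the extra `after 5000`; checking whether the child is still alive would shorten that, and the hardcoded `sleep 60` bounds how long the second hop has to come up.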
......@@ -1282,6 +1409,9 @@ proc launch_windows_ssh {hp file n} {
if {$file_pre_cmd != ""} {
catch {file delete $file_pre_cmd}
}
if {$file_double != ""} {
catch {file delete $file_double}
}
global sound_daemon_local_kill
if {! $is_win9x && $use_sound && $sound_daemon_local_kill && $sound_daemon_local_cmd != ""} {
......@@ -1453,6 +1583,35 @@ proc do_unix_pre {tag proxy hp pk_hp} {
}
}
proc port_knock_only {hp {mode KNOCK}} {
if {$hp == ""} {
global vncdisplay
set hp $vncdisplay
if {$hp == ""} {
mesg "No host port found"
bell
return
}
}
set hpnew [get_ssh_hp $hp]
set proxy [get_ssh_proxy $hp]
set sshcmd [get_ssh_cmd $hp]
set hp $hpnew
set pk_hp ""
if {$proxy != ""} {
set pk_hp $proxy
}
if {$pk_hp == ""} {
set pk_hp $hp
}
if {$mode == "KNOCK"} {
do_port_knock $pk_hp start
} elseif {$mode == "FINISH"} {
do_port_knock $pk_hp finish
}
}
proc launch_unix {hp} {
global smb_redir_0 smb_mounts env
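Review bot: `sshcmd` is assigned from `get_ssh_cmd $hp` in `port_knock_only` but never used; drop it. Also, when `proxy` is a double-ssh pair `host1,host2`, `pk_hp` becomes the whole comma-separated string and relies on the `regsub {,.*$}` added to `do_port_knock` to pick the gateway; a one-line comment here would make that dependency explicit.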
......@@ -1823,6 +1982,7 @@ proc launch {{hp ""}} {
global vncdisplay tcl_platform is_windows
global mycert svcert crtdir
global pids_before pids_after pids_new
global env
global use_ssh use_sshssl
set debug 0
......@@ -1844,6 +2004,16 @@ proc launch {{hp ""}} {
mesg "Using: $hp"
after 600
set sc [get_ssh_cmd $hp]
if {[regexp {^KNOCK} $sc]} {
if [regexp {^KNOCKF} $sc] {
port_knock_only $hp "FINISH"
} else {
port_knock_only $hp "KNOCK"
}
return
}
if {$debug} {
mesg "\"$tcl_platform(os)\" | \"$tcl_platform(osVersion)\""
after 1000
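Review bot: `regexp {^KNOCK} $sc` matches any cmd= value that merely begins with KNOCK (e.g. `cmd=KNOCKER`), which would then silently skip launching the viewer; anchor the match as `{^KNOCKF?$}` after trimming so only the two documented values short-circuit. The unbraced `if [regexp {^KNOCKF} $sc]` should also be `if {[regexp {^KNOCKF} $sc]}` to match the surrounding style.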
......@@ -1896,6 +2066,11 @@ proc launch {{hp ""}} {
set n2 ""
set now [clock seconds]
set proxy [get_ssh_proxy $hp]
if {$use_sshssl} {
set proxy ""
}
for {set i 30} {$i < 90} {incr i} {
set try "$prefix-$i.$suffix"
if {[file exists $try]} {
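Review bot: `set proxy ""` when `use_sshssl` is set silently discards a proxy the user typed into the entry box; a `mesg` saying the proxy is ignored in SSH+SSL mode (or a line in the help text) would save users from debugging an unexpected direct connection.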
......@@ -1907,7 +2082,7 @@ proc launch {{hp ""}} {
}
}
if {! [file exists $try]} {
if {$use_sshssl} {
if {$use_sshssl || $proxy != ""} {
if {$file != ""} {
set file2 $try
set n2 $i
......@@ -1916,7 +2091,7 @@ proc launch {{hp ""}} {
}
set file $try
set n $i
if {! $use_sshssl} {
if {! $use_sshssl && $proxy == ""} {
break
}
}
......@@ -1947,23 +2122,13 @@ proc launch {{hp ""}} {
return
}
if [regexp {[ ]} $hp] {
# proxy or cmd case (should not happen? yet?)
regsub {[ ].*$} $hp "" hp2
} else {
set list [split $hp ":"]
set host [lindex $list 0]
set disp [lindex $list 1]
set disp [string trim $disp]
regsub { .*$} $disp "" disp
if {$disp == ""} {
set disp 0
}
set port [expr "$disp + 5900"]
}
set list [split $hp ":"]
set host [lindex $list 0]
if {$host == ""} {
set host "localhost"
}
set disp [lindex $list 1]
set disp [string trim $disp]
regsub { .*$} $disp "" disp
......@@ -1972,6 +2137,12 @@ proc launch {{hp ""}} {
}
set port [expr "$disp + 5900"]
if {$proxy != ""} {
set env(SSL_VNC_PROXY) $proxy
set env(SSL_VNC_LISTEN) [expr "$n2 + 5900"]
set env(SSL_VNC_DEST) "$host:$port"
}
if {$debug} {
mesg "file: $file"
after 1000
......@@ -2024,7 +2195,7 @@ proc launch {{hp ""}} {
set port2 [expr "$n + 5900"]
puts $fh "accept = localhost:$port2"
if {$use_sshssl} {
if {$use_sshssl || $proxy != ""} {
set port [expr "$n2 + 5900"]
puts $fh "connect = localhost:$port"
} else {
......@@ -2047,6 +2218,16 @@ proc launch {{hp ""}} {
return
}
set proxy_pid ""
if {$proxy != ""} {
mesg "Starting TCP helper on port $port ..."
after 600
set proxy_pid [exec "connect_br.exe" &]
unset -nocomplain env(SSL_VNC_PROXY)
unset -nocomplain env(SSL_VNC_LISTEN)
unset -nocomplain env(SSL_VNC_DEST)
}
mesg "Starting STUNNEL on port $port2 ..."
after 600
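Review bot: `exec "connect_br.exe" &` is not wrapped in `catch`; if the helper is missing from the bundle the proc dies with a Tcl error after the stunnel config has already been written, and `SSL_VNC_PROXY`, `SSL_VNC_LISTEN` and `SSL_VNC_DEST` stay set in the GUI's environment because they are only unset on the success path. Suggest `catch {set proxy_pid [exec "connect_br.exe" &]} emess`, a `mesg` on failure, and moving the three `unset -nocomplain` lines so they run either way.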
......@@ -2158,6 +2339,7 @@ proc set_mycert {} {
set mycert $t
}
catch {wm deiconify .c}
v_mycert
update
}
......@@ -2192,6 +2374,26 @@ proc show_cert {crt} {
catch {raise $w}
}
proc v_svcert {} {
global svcert
if {$svcert == "" || ! [file exists $svcert]} {
catch {.c.svcert.i configure -state disabled}
} else {
catch {.c.svcert.i configure -state normal}
}
return 1
}
proc v_mycert {} {
global mycert
if {$mycert == "" || ! [file exists $mycert]} {
catch {.c.mycert.i configure -state disabled}
} else {
catch {.c.mycert.i configure -state normal}
}
return 1
}
proc show_mycert {} {
global mycert
show_cert $mycert
......@@ -2216,6 +2418,7 @@ proc set_svcert {} {
set svcert $t
}
catch {wm deiconify .c}
v_svcert
update
}
......@@ -2452,6 +2655,8 @@ emailAddress_max = 64
set geometry [xterm_center_geometry]
update
eval exec xterm -geometry $geometry -title Running_OpenSSL -e $cmd
catch {file attributes $pem -permissions go-rw}
catch {file attributes $crt -permissions go-w}
}
catch {file delete $tmp}
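Review bot: `$pem` is only tightened to `go-rw` after the openssl command in the xterm has already written the private key, so between creation and the chmod the file carries the umask default (commonly world-readable). Prepending a restrictive `umask 077` to `$cmd`, or pre-creating the file with 0600, closes that window. The `catch` also swallows a failed chmod silently; reporting it via `mesg` would let the user know the key is still readable by others.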
......@@ -2851,6 +3056,13 @@ proc do_save {} {
-message $emess -title "Save File: $import_save_file"
return
}
global is_windows
if {! $is_windows} {
catch {file attributes $import_save_file -permissions go-w}
if {[regexp {PRIVATE} $str] || [regexp {\.pem$} $import_save_file]} {
catch {file attributes $import_save_file -permissions go-rw}
}
}
puts -nonewline $fh $str
close $fh
catch {destroy .icrt}
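Review bot: the permissions are tightened after `$fh` has been opened (the file already exists with umask permissions, though still empty) and before `puts`, which closes most of the window; it could be avoided entirely by opening with an explicit mode, e.g. `open $import_save_file {WRONLY CREAT TRUNC} 0600` for the private-key case. `regexp {PRIVATE} $str` is a fine heuristic for PEM private keys and only errs toward tighter permissions, but since the check happens after the open it should be noted that a failing `file attributes` is again hidden by `catch`.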
......@@ -2988,12 +3200,22 @@ proc getcerts {} {
label .c.svcert.l -anchor w -width 12 -text "ServerCert:"
label .c.crtdir.l -anchor w -width 12 -text "CertsDir:"
entry .c.mycert.e -width 32 -textvariable mycert
entry .c.svcert.e -width 32 -textvariable svcert
entry .c.mycert.e -width 32 -textvariable mycert -vcmd v_mycert
entry .c.svcert.e -width 32 -textvariable svcert -vcmd v_svcert
bind .c.mycert.e <Enter> {.c.mycert.e validate}
bind .c.mycert.e <Leave> {.c.mycert.e validate}
bind .c.svcert.e <Enter> {.c.svcert.e validate}
bind .c.svcert.e <Leave> {.c.svcert.e validate}
entry .c.crtdir.e -width 32 -textvariable crtdir
button .c.mycert.b -text "Browse..." -command {set_mycert; catch {raise .c}}
button .c.svcert.b -text "Browse..." -command {set_svcert; catch {raise .c}}
button .c.crtdir.b -text "Browse..." -command {set_crtdir; catch {raise .c}}
button .c.mycert.i -text "Info" -command {show_mycert}
button .c.svcert.i -text "Info" -command {show_svcert}
button .c.crtdir.i -text "Info" -command {}
.c.mycert.i configure -state disabled
.c.svcert.i configure -state disabled
.c.crtdir.i configure -state disabled
bind .c.mycert.b <B3-ButtonRelease> "show_mycert"
bind .c.svcert.b <B3-ButtonRelease> "show_svcert"
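Review bot: `-vcmd v_mycert` / `-vcmd v_svcert` without a `-validate` option leaves the entry's validate mode at its default of `none`, so the callbacks only run through the explicit `validate` bindings on `<Enter>` and `<Leave>`; the Info button state will not follow typing until the pointer leaves the entry. Adding `-validate all` (or `key`) keeps it in sync. `.c.crtdir.i` with an empty `-command` and permanently disabled state is a placeholder; a short comment saying so would help the next reader.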
......@@ -3010,6 +3232,7 @@ proc getcerts {} {
pack .c.$w.l -side left
pack .c.$w.e -side left -expand 1 -fill x
pack .c.$w.b -side left
pack .c.$w.i -side left
bind .c.$w.e <Return> ".c.$w.b invoke"
if {$use_ssh} {
.c.$w.l configure -state disabled
......@@ -3722,19 +3945,21 @@ set cmd(5) {
if [ "$rc" = 0 ]; then
if [ "X$have_perl_done" = "X1" -o 1 = 1 ] ; then
echo
echo "Your SMB shares will be be unmounted when the VNC connection"
echo "closes. If that fails follow these instructions:"
echo "Your SMB shares will be unmounted when the VNC connection closes,"
echo "*As Long As* No Applications have any of the share files opened or are"
echo "cd-ed into any of the share directories."
echo
echo "Try to make sure nothing is accessing the SMB shares before disconnecting"
echo "the VNC session. If you fail to do that follow these instructions:"
fi
echo
echo "To unmount your SMB shares make sure no applications are still using"
echo "any of the files and no shells are still cd-ed into the share area,"
echo "then type:"
echo "To unmount your SMB shares make sure no applications are still using any of"
echo "the files and no shells are still cd-ed into the share area, then type:"
echo
echo " rm -f $smb_script"
echo
echo "(to avoid a 2nd ssh, try to do this before terminating the VNC Viewer)"
echo
echo "In the worst case run: smbumount /path/to/mount/point for each mount."
echo "In the worst case run: smbumount /path/to/mount/point for each mount as root"
echo "Even with the remote redirection gone the kernel should umount after a timeout."
else
echo
if [ "$DO_SMB_SU" = "1" ]; then
......@@ -3819,7 +4044,6 @@ set cmd(6) {
fi
echo
#FINMSG
echo
echo "--vnc-helper-exiting--"
......@@ -4927,7 +5151,7 @@ proc smb_dialog {} {
VERY IMPORTANT: Before terminating the VNC Connection, make sure no
applications are using any of the SMB shares (or shells are cd-ed
into the share). This way the shares will be automatically umounted.
into the share). This way the shares will be automatically unmounted.
Otherwise you will need to log in again, stop processes from using
the share, become root and umount the shares manually ("smbumount
/path/to/share", etc.)
......@@ -5022,7 +5246,18 @@ proc help_advanced_opts {} {
firewall ports in a certain way to open the door for SSH or SSL.
The port can also be closed when the encrypted VNC connection
finishes.
Include: Profile template(s) to load before loading a profile
(see Load Profile under "Options"). For example if you Save a
profile called "globals" that has some settings you use often,
then just supply "Include: globals" to have them applied.
You may supply a comma or space separated list of templates
to include. They can be full path names or basenames relative
to the profiles directory. You do not need to supply the .vnc
suffix. The non-default settings in them will be applied first,
and then any values in the loaded Profile will override them.
About the CheckButtons:
Ahem, Well...., yes quite a klunky UI: you have to toggle the
......@@ -5268,6 +5503,7 @@ proc do_port_knock {hp mode} {
if {$mode == "finish"} {
if {! [regexp {FINISH} $list]} {
mesg "PortKnock(finish): done"
return 1
} else {
regsub {^.*FINISH} $list "" list
......@@ -5407,6 +5643,7 @@ proc do_port_knock {hp mode} {
mesg $m
return 0
}
regsub {,.*$} $host "" host
if {[regexp {[ \t]} $host]} {
bell
set m "PortKnock: Invalid host: \"$host\""
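Review bot: `regsub {,.*$} $host "" host` means that for a double-ssh proxy `host1,host2` the knock sequence is sent only to the first (gateway) host; that is the right target for opening the gateway's port, but the port-knocking help text should state it so users do not expect the knock to reach host2.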
......@@ -5520,7 +5757,11 @@ proc do_port_knock {hp mode} {
if {$m != ""} {
set m "$m,"
}
mesg "PortKnock: done"
if {$mode == "finish"} {
mesg "PortKnock(finish): done"
} else {
mesg "PortKnock: done"
}
return 1
}
......@@ -5699,6 +5940,16 @@ proc port_knocking_dialog {} {
delay 1000
PAD=C:\My Pads\work-pad1.txt
sleep 4000
Port knock only:
If, in the 'VNC Server' entry box, you use "user@hostname cmd=KNOCK"
then only the port-knocking is performed. A shortcut for this is
Ctrl-P as long as hostname is present in the entry box. If it
matches cmd=KNOCKF, i.e. an extra "F", then the port-knocking
"FINISH" sequence is sent, if any. A shortcut for this Shift-Ctrl-P
as long as hostname is present.
}
.pk.f.t insert end $msg
......@@ -5761,6 +6012,15 @@ proc set_advanced_options {} {
-command {if {$use_port_knocking} {port_knocking_dialog}}
incr i
global include_list
frame .oa.b$i
label .oa.b$i.l -text "Include:"
entry .oa.b$i.e -width 10 -textvariable include_list
pack .oa.b$i.l -side left
pack .oa.b$i.e -side right -expand 1 -fill x
incr i
for {set j 1} {$j < $i} {incr j} {
pack .oa.b$j -side top -fill x
}
......@@ -5995,20 +6255,13 @@ proc set_options {} {
pack .o.sa -side top -fill x
}
global include_list
frame .o.inc
label .o.inc.l -text "Include:"
entry .o.inc.e -width 10 -textvariable include_list
pack .o.inc.l -side left
pack .o.inc.e -side right -expand 1 -fill x
button .o.s_prof -text "Save Profile ..." -command {save_profile; raise .o}
button .o.l_prof -text " Load Profile ..." -command {load_profile; raise .o}
button .o.advanced -text "Advanced ..." -command set_advanced_options
button .o.clear -text "Clear Options" -command set_defaults
pack .o.s_prof -side top -fill x
pack .o.l_prof -side top -fill x
pack .o.inc -side top -fill x
#pack .o.inc -side top -fill x
pack .o.clear -side top -fill x
pack .o.advanced -side top -fill x
......@@ -6091,6 +6344,8 @@ if {[info exists env(SSL_VNC_GUI_CMD)]} {
bind . <Control-q> "destroy .; exit"
bind . <Shift-Escape> "destroy .; exit"
bind . <Control-s> "launch_shell_only"
bind . <Control-p> {port_knock_only "" "KNOCK"}
bind . <Control-P> {port_knock_only "" "FINISH"}
global entered_gui_top button_gui_top
set entered_gui_top 0
......
......@@ -33,7 +33,10 @@
#
# -proxy try host:port as a Web proxy to use the CONNECT method
# to reach the VNC server (e.g. your firewall requires a proxy).
#
# For the "double proxy" case use -proxy host1:port1,host2:port2
# (the first CONNECT is done through host1:port1 to host2:port2
# and then a 2nd CONNECT to the destination VNC server.)
#
# See http://www.karlrunge.com/x11vnc/#faq-ssl-ca for details on SSL
# certificates with VNC.
......@@ -56,6 +59,14 @@
# other than the default (22). (even for the non-gateway case,
# -proxy must be used to specify a non-standard ssh port)
#
# A "double ssh" can be specified via a -proxy string with the two
# hosts separated by a comma:
#
# [user1@]host1[:port1],[user2@]host2[:port2]
#
# in which case a ssh to host1 and thru it via a -L redir a 2nd
# ssh is established to host2.
#
# Examples:
#
# ssl_vncviewer -ssh bob@bobs-home.net:0
......@@ -64,6 +75,8 @@
# ssl_vncviewer -ssh -proxy fred@mygate.com:2022 mymachine:0
# ssl_vncviewer -ssh -proxy bob@bobs-home.net:2222 localhost:0
#
# ssl_vncviewer -ssh -proxy fred@gw-host,fred@peecee localhost:0
#
# -sshcmd cmd Run "cmd" via ssh instead of the default "sleep 15"
# e.g. -sshcmd 'x11vnc -display :0 -localhost -rfbport 5900'
#
......@@ -239,6 +252,38 @@ if [ "X$use_ssh" = "X1" ]; then
ssh_host="$host"
vnc_host="localhost"
ssh=${SSH:-"ssh -x"}
if echo "$proxy" | grep "," > /dev/null; then
proxy1=`echo "$proxy" | awk -F, '{print $1}'`
proxy2=`echo "$proxy" | awk -F, '{print $2}'`
# user1@gw1.com:port1,user2@ws2:port2
ssh_host1=`echo "$proxy1" | awk -F: '{print $1}'`
ssh_port1=`echo "$proxy1" | awk -F: '{print $2}'`
if [ "X$ssh_port1" = "X" ]; then
ssh_port1="22"
fi
ssh_host2=`echo "$proxy2" | awk -F: '{print $1}'`
ssh_user2=`echo "$ssh_host2" | awk -F@ '{print $1}'`
ssh_host2=`echo "$ssh_host2" | awk -F@ '{print $2}'`
if [ "X$ssh_host2" = "X" ]; then
ssh_host2=$ssh_user2
ssh_user2=""
else
ssh_user2="${ssh_user2}@"
fi
ssh_port2=`echo "$proxy2" | awk -F: '{print $2}'`
if [ "X$ssh_port2" = "X" ]; then
ssh_port2="22"
fi
proxport=`findfree 3500`
echo
echo "Running 1st ssh proxy:"
echo "$ssh -f -p $ssh_port1 -t -e none -L $proxport:$ssh_host2:$ssh_port2 $ssh_host1 \"sleep 30\""
$ssh -f -p $ssh_port1 -t -e none -L $proxport:$ssh_host2:$ssh_port2 $ssh_host1 "sleep 30"
ssh_args="$ssh_args -o NoHostAuthenticationForLocalhost=yes"
sleep 1
stty sane
proxy="${ssh_user2}localhost:$proxport"
fi
if [ "X$proxy" != "X" ]; then
ssh_port=`echo "$proxy" | awk -F: '{print $2}'`
if [ "X$ssh_port" = "X" ]; then
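Review bot: `-o NoHostAuthenticationForLocalhost=yes` switches off host-key verification for the second hop, because host2 is reached as `localhost:$proxport`, so the "last leg" that this change advertises as SSH-encrypted is not protected against a substituted host key on the gateway side. Prefer `-o HostKeyAlias=$ssh_host2` on the second ssh so the known_hosts entry for host2 is checked as usual. Also `proxport=\`findfree 3500\`` is used without checking for an empty result, and the hardcoded `"sleep 30"` on the first hop bounds how long the user has to get through the second hop's authentication.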
......
#!/bin/sh
rm -rf ./src/tmp/* || exit 1
vers=1.0.4
vers=1.0.5
cd .. || exit 1
......
......@@ -2,6 +2,7 @@ This is where we keep the 3rd party source zip and tar.gz files used
to build this package.
www.stunnel.org source 488512 Jul 25 15:09 stunnel-4.14.tar.gz
http://stunnel.mirt.net
www.tightvnc.com source 2182134 Jul 25 15:11 tightvnc-1.3dev7_unixsrc.tar.gz
www.tightvnc.com windows
standalone viewer binary: 209149 Jul 25 15:10 tightvnc-1.3dev7_x86_viewer.zip
......
.\" This file was automatically generated from x11vnc -help output.
.TH X11VNC "1" "September 2006" "x11vnc " "User Commands"
.TH X11VNC "1" "October 2006" "x11vnc " "User Commands"
.SH NAME
x11vnc - allow VNC connections to real X11 displays
version: 0.8.3, lastmod: 2006-09-23
version: 0.8.3, lastmod: 2006-10-07
.SH SYNOPSIS
.B x11vnc
[OPTION]...
......
......@@ -15,7 +15,7 @@ int xtrap_base_event_type = 0;
int xdamage_base_event_type = 0;
/* date +'lastmod: %Y-%m-%d' */
char lastmod[] = "0.8.3 lastmod: 2006-09-23";
char lastmod[] = "0.8.3 lastmod: 2006-10-07";
/* X display info */
......