Commit 7fffc5d3 authored by runge's avatar runge

x11vnc: in -unixpw, initial Escape means no echo username.

parent cb227d4b
#!/bin/bash #!/bin/bash
VERSION="0.9.1" VERSION="0.9.2"
cd "$(dirname "$0")" cd "$(dirname "$0")"
......
2007-05-26 Karl Runge <runge@karlrunge.com>
* x11vnc: set to version 0.9.2, back to NCACHE -12 for testing.
in -unixpw, initial Escape means no echo username (see ssvnc).
2007-05-21 Karl Runge <runge@karlrunge.com> 2007-05-21 Karl Runge <runge@karlrunge.com>
* x11vnc: set things up (NCACHE = -1) to not have -ncache * x11vnc: set things up (NCACHE = -1) to not have -ncache
on by default; just give a blurb about it. on by default; just give a blurb about it.
......
This diff is collapsed.
...@@ -603,27 +603,32 @@ void print_help(int mode) { ...@@ -603,27 +603,32 @@ void print_help(int mode) {
" send one before a 25 second timeout. Existing clients\n" " send one before a 25 second timeout. Existing clients\n"
" are view-only during this period.\n" " are view-only during this period.\n"
"\n" "\n"
" If the first character received is \"Escape\" then the\n"
" unix username will not be displayed after \"login:\"\n"
" as it is typed. This could be of use for VNC viewers\n"
" that automatically type the username and password.\n"
"\n"
" Since the detailed behavior of su(1) can vary from\n" " Since the detailed behavior of su(1) can vary from\n"
" OS to OS and for local configurations, test the mode\n" " OS to OS and for local configurations, test the mode\n"
" carefully on your systems before using it in production.\n" " carefully. x11vnc will attempt to be conservative and\n"
" Test different combinations of valid/invalid usernames\n"
" and valid/invalid passwords to see if it behaves as\n"
" expected. x11vnc will attempt to be conservative and\n"
" reject a login if anything abnormal occurs.\n" " reject a login if anything abnormal occurs.\n"
"\n" "\n"
" On FreeBSD and the other BSD's by default it is\n" " One case to note: FreeBSD and the other BSD's by\n"
" impossible for the user running x11vnc to validate\n" " default it is impossible for the user running x11vnc to\n"
" his *own* password via su(1) (evidently commenting out\n" " validate his *own* password via su(1) (commenting out\n"
" the pam_self.so entry in /etc/pam.d/su eliminates this\n" " the pam_self.so entry in /etc/pam.d/su eliminates this\n"
" problem). So the x11vnc login will always *fail* for\n" " behavior). So the x11vnc login will always *FAIL* for\n"
" this case (even when the correct password is supplied).\n" " this case (even when the correct password is supplied).\n"
"\n" "\n"
" A possible workaround for this would be to start\n" " A possible workaround for this on *BSD would be to\n"
" x11vnc as root with the \"-users +nobody\" option to\n" " start x11vnc as root with the \"-users +nobody\" option\n"
" immediately switch to user nobody. Another source of\n" " to immediately switch to user nobody where the su'ing\n"
" problems are PAM modules that prompt for extra info,\n" " will proceed normally.\n"
" e.g. password aging modules. These logins will fail\n" "\n"
" as well even when the correct password is supplied.\n" " Another source of potential problems are PAM modules\n"
" that prompt for extra info, e.g. password aging modules.\n"
" These logins will fail as well even when the correct\n"
" password is supplied.\n"
"\n" "\n"
" **IMPORTANT**: to prevent the Unix password being sent\n" " **IMPORTANT**: to prevent the Unix password being sent\n"
" in *clear text* over the network, one of two schemes\n" " in *clear text* over the network, one of two schemes\n"
...@@ -676,10 +681,6 @@ void print_help(int mode) { ...@@ -676,10 +681,6 @@ void print_help(int mode) {
" (default port 5500). Please use a ssh or stunnel port\n" " (default port 5500). Please use a ssh or stunnel port\n"
" redirection to the viewer machine to tunnel the reverse\n" " redirection to the viewer machine to tunnel the reverse\n"
" connection over an encrypted channel.\n" " connection over an encrypted channel.\n"
#if 0
" Note that in -ssl\n"
" mode reverse connection are disabled (see below). XXX\n"
#endif
"\n" "\n"
" In -inetd mode the Method 1) will be enforced (not\n" " In -inetd mode the Method 1) will be enforced (not\n"
" Method 2). With -ssl in effect reverse connections\n" " Method 2). With -ssl in effect reverse connections\n"
...@@ -1707,6 +1708,9 @@ void print_help(int mode) { ...@@ -1707,6 +1708,9 @@ void print_help(int mode) {
" commands, RFB_SSL_CLIENT_CERT will be set to the\n" " commands, RFB_SSL_CLIENT_CERT will be set to the\n"
" client's x509 certificate string.\n" " client's x509 certificate string.\n"
"\n" "\n"
" The sslpeer= mode can aid finding X sessions via the\n"
" FINDDISPLAY and FINDCREATEDISPLAY mechanisms.\n"
"\n"
" To immediately switch to a user *before* connections\n" " To immediately switch to a user *before* connections\n"
" to the X display are made or any files opened use the\n" " to the X display are made or any files opened use the\n"
" \"=\" character: \"-users =bob\". That user needs to\n" " \"=\" character: \"-users =bob\". That user needs to\n"
......
...@@ -206,8 +206,8 @@ int wireframe_local = 1; ...@@ -206,8 +206,8 @@ int wireframe_local = 1;
#ifdef NO_NCACHE #ifdef NO_NCACHE
#define NCACHE 0 #define NCACHE 0
#else #else
#define xxNCACHE -12 #define NCACHE -12
#define NCACHE -1 #define xxNCACHE -1
#endif #endif
#endif #endif
......
...@@ -1126,6 +1126,7 @@ void unixpw_keystroke(rfbBool down, rfbKeySym keysym, int init) { ...@@ -1126,6 +1126,7 @@ void unixpw_keystroke(rfbBool down, rfbKeySym keysym, int init) {
int x, y, i, rc, nmax = 100; int x, y, i, rc, nmax = 100;
static char user_r[100], user[100], pass[100]; static char user_r[100], user[100], pass[100];
static int u_cnt = 0, p_cnt = 0, first = 1; static int u_cnt = 0, p_cnt = 0, first = 1;
static int echo = 1;
char keystr[100]; char keystr[100];
char *str; char *str;
...@@ -1143,6 +1144,7 @@ void unixpw_keystroke(rfbBool down, rfbKeySym keysym, int init) { ...@@ -1143,6 +1144,7 @@ void unixpw_keystroke(rfbBool down, rfbKeySym keysym, int init) {
in_login = 1; in_login = 1;
in_passwd = 0; in_passwd = 0;
unixpw_denied = 0; unixpw_denied = 0;
echo = 1;
if (init == 1) { if (init == 1) {
tries = 0; tries = 0;
} }
...@@ -1209,6 +1211,11 @@ void unixpw_keystroke(rfbBool down, rfbKeySym keysym, int init) { ...@@ -1209,6 +1211,11 @@ void unixpw_keystroke(rfbBool down, rfbKeySym keysym, int init) {
} else if (! down) { } else if (! down) {
return; return;
} }
if (in_login && keysym == XK_Escape && u_cnt == 0) {
echo = 0;
rfbLog("unixpw_keystroke: echo off.\n");
return;
}
if (in_login) { if (in_login) {
if (keysym == XK_BackSpace || keysym == XK_Delete) { if (keysym == XK_BackSpace || keysym == XK_Delete) {
...@@ -1295,8 +1302,10 @@ void unixpw_keystroke(rfbBool down, rfbKeySym keysym, int init) { ...@@ -1295,8 +1302,10 @@ void unixpw_keystroke(rfbBool down, rfbKeySym keysym, int init) {
x = text_x(); x = text_x();
y = text_y(); y = text_y();
rfbDrawString(pscreen, &default8x16Font, x, y, if (echo) {
str, white_pixel()); rfbDrawString(pscreen, &default8x16Font, x, y,
str, white_pixel());
}
mark_rect_as_modified(x, y-char_h, x+char_w, mark_rect_as_modified(x, y-char_h, x+char_w,
y, scaling); y, scaling);
char_col++; char_col++;
...@@ -1340,7 +1349,9 @@ void unixpw_keystroke(rfbBool down, rfbKeySym keysym, int init) { ...@@ -1340,7 +1349,9 @@ void unixpw_keystroke(rfbBool down, rfbKeySym keysym, int init) {
if (db && db <= 2) fprintf(stderr, "u_cnt: %d %d/%d ks: 0x%x '%s'\n", u_cnt, x, y, keysym, keystr); if (db && db <= 2) fprintf(stderr, "u_cnt: %d %d/%d ks: 0x%x '%s'\n", u_cnt, x, y, keysym, keystr);
rfbDrawString(pscreen, &default8x16Font, x, y, keystr, white_pixel()); if (echo ) {
rfbDrawString(pscreen, &default8x16Font, x, y, keystr, white_pixel());
}
mark_rect_as_modified(x, y-char_h, x+char_w, y, scaling); mark_rect_as_modified(x, y-char_h, x+char_w, y, scaling);
char_col++; char_col++;
......
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
.TH X11VNC "1" "May 2007" "x11vnc " "User Commands" .TH X11VNC "1" "May 2007" "x11vnc " "User Commands"
.SH NAME .SH NAME
x11vnc - allow VNC connections to real X11 displays x11vnc - allow VNC connections to real X11 displays
version: 0.9.1, lastmod: 2007-05-21 version: 0.9.2, lastmod: 2007-05-26
.SH SYNOPSIS .SH SYNOPSIS
.B x11vnc .B x11vnc
[OPTION]... [OPTION]...
...@@ -718,31 +718,36 @@ to supply the correct password in 3 tries or does not ...@@ -718,31 +718,36 @@ to supply the correct password in 3 tries or does not
send one before a 25 second timeout. Existing clients send one before a 25 second timeout. Existing clients
are view-only during this period. are view-only during this period.
.IP .IP
If the first character received is "Escape" then the
unix username will not be displayed after "login:"
as it is typed. This could be of use for VNC viewers
that automatically type the username and password.
.IP
Since the detailed behavior of Since the detailed behavior of
.IR su (1) .IR su (1)
can vary from can vary from
OS to OS and for local configurations, test the mode OS to OS and for local configurations, test the mode
carefully on your systems before using it in production. carefully. x11vnc will attempt to be conservative and
Test different combinations of valid/invalid usernames
and valid/invalid passwords to see if it behaves as
expected. x11vnc will attempt to be conservative and
reject a login if anything abnormal occurs. reject a login if anything abnormal occurs.
.IP .IP
On FreeBSD and the other BSD's by default it is One case to note: FreeBSD and the other BSD's by
impossible for the user running x11vnc to validate default it is impossible for the user running x11vnc to
his *own* password via validate his *own* password via
.IR su (1) .IR su (1)
(evidently commenting out (commenting out
the pam_self.so entry in /etc/pam.d/su eliminates this the pam_self.so entry in /etc/pam.d/su eliminates this
problem). So the x11vnc login will always *fail* for behavior). So the x11vnc login will always *FAIL* for
this case (even when the correct password is supplied). this case (even when the correct password is supplied).
.IP .IP
A possible workaround for this would be to start A possible workaround for this on *BSD would be to
x11vnc as root with the "\fB-users\fR \fI+nobody\fR" option to start x11vnc as root with the "\fB-users\fR \fI+nobody\fR" option
immediately switch to user nobody. Another source of to immediately switch to user nobody where the su'ing
problems are PAM modules that prompt for extra info, will proceed normally.
e.g. password aging modules. These logins will fail .IP
as well even when the correct password is supplied. Another source of potential problems are PAM modules
that prompt for extra info, e.g. password aging modules.
These logins will fail as well even when the correct
password is supplied.
.IP .IP
**IMPORTANT**: to prevent the Unix password being sent **IMPORTANT**: to prevent the Unix password being sent
in *clear text* over the network, one of two schemes in *clear text* over the network, one of two schemes
...@@ -1934,6 +1939,9 @@ env. vars. (see \fB-accept)\fR passed to external cmd= ...@@ -1934,6 +1939,9 @@ env. vars. (see \fB-accept)\fR passed to external cmd=
commands, RFB_SSL_CLIENT_CERT will be set to the commands, RFB_SSL_CLIENT_CERT will be set to the
client's x509 certificate string. client's x509 certificate string.
.IP .IP
The sslpeer= mode can aid finding X sessions via the
FINDDISPLAY and FINDCREATEDISPLAY mechanisms.
.IP
To immediately switch to a user *before* connections To immediately switch to a user *before* connections
to the X display are made or any files opened use the to the X display are made or any files opened use the
"=" character: "\fB-users\fR \fI=bob\fR". That user needs to "=" character: "\fB-users\fR \fI=bob\fR". That user needs to
......
...@@ -15,7 +15,7 @@ int xtrap_base_event_type = 0; ...@@ -15,7 +15,7 @@ int xtrap_base_event_type = 0;
int xdamage_base_event_type = 0; int xdamage_base_event_type = 0;
/* date +'lastmod: %Y-%m-%d' */ /* date +'lastmod: %Y-%m-%d' */
char lastmod[] = "0.9.1 lastmod: 2007-05-21"; char lastmod[] = "0.9.2 lastmod: 2007-05-26";
/* X display info */ /* X display info */
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment