x11vnc: -unixpw on *bsd, hpux and tru64. -unixpw_nis mode. stunnel and gui tweaks.

configure.ac

@@ -175,6 +175,21 @@ if test "$X_CFLAGS" != "-DX_DISPLAY_MISSING"; then
 			esac
 		fi
 
+		# only x11vnc uses crypt()
+		AH_TEMPLATE(HAVE_LIBCRYPT, [libcrypt library present])
+		AC_ARG_WITH(crypt,
+		[  --without-crypt         disable support for libcrypt],,)
+		if test "x$with_crypt" != "xno"; then
+			AC_CHECK_FUNCS([crypt], HAVE_LIBC_CRYPT="true")
+			if test -z "$HAVE_LIBC_CRYPT"; then
+				AC_CHECK_LIB(crypt, crypt,
+					X_PRELIBS="$X_PRELIBS -lcrypt"
+					[AC_DEFINE(HAVE_LIBCRYPT)], ,
+					$X_LIBS $X_PRELIBS -lcrypt $X_EXTRA_LIBS)
+			fi
+		fi
+
+
 		X_LIBS="$X_LIBS $X_PRELIBS -lX11 $X_EXTRA_LIBS"
 	fi
 fi
@@ -345,7 +360,7 @@ AC_SUBST(WSOCKLIB)
 
 # Checks for header files.
 AC_HEADER_STDC
-AC_CHECK_HEADERS([arpa/inet.h fcntl.h netdb.h netinet/in.h stdlib.h string.h sys/socket.h sys/time.h sys/timeb.h syslog.h unistd.h pwd.h sys/wait.h utmpx.h termios.h sys/ioctl.h])
+AC_CHECK_HEADERS([arpa/inet.h fcntl.h netdb.h netinet/in.h stdlib.h string.h sys/socket.h sys/time.h sys/timeb.h syslog.h unistd.h pwd.h sys/wait.h utmpx.h termios.h sys/ioctl.h sys/stropts.h])
 
 # Checks for typedefs, structures, and compiler characteristics.
 AC_C_CONST

x11vnc/ChangeLog

+2006-03-04  Karl Runge <runge@karlrunge.com>
+	* x11vnc: -unixpw on *bsd, hpux and tru64.  Add -unixpw_nis for
+	  non-shadow systems. check stunnel dying.  check SSH_CONNECTION
+	  in -unixpw.  gui icon tweaks, unix username.
+
 2006-03-02  Karl Runge <runge@karlrunge.com>
 	* x11vnc: more tweaks to -unixpw mode.  Add -gone popup mode.
 	  Change filexfer via -R.  Tune SMALL_FOOTPRINT.  gui fixes.

x11vnc/connections.c

@@ -10,6 +10,7 @@
 #include "rates.h"
 #include "screen.h"
 #include "unixpw.h"
+#include "scan.h"
 
 /*
  * routines for handling incoming, outgoing, etc connections
@@ -78,7 +79,7 @@ int all_clients_initialized(void) {
 char *list_clients(void) {
 	rfbClientIteratorPtr iter;
 	rfbClientPtr cl;
-	char *list, tmp[32];
+	char *list, tmp[256];
 	int count = 0;
 
 	if (!screen) {
@@ -93,12 +94,12 @@ char *list_clients(void) {
 
 	/*
 	 * each client:
-         * <id>:<ip>:<port>:<user>:<hostname>:<input>:<loginview>,
-	 * 8+1+16+1+5+1+24+1+256+1+5+1+1+1
+         * <id>:<ip>:<port>:<user>:<unix>:<hostname>:<input>:<loginview>:<time>,
+	 * 8+1+64+1+5+1+24+1+24+1+256+1+5+1+1+1+10+1
 	 * 123.123.123.123:60000/0x11111111-rw,
-	 * so count+1 * 400 must cover it.
+	 * so count+1 * 500 must cover it.
 	 */
-	list = (char *) malloc((count+1)*400);
+	list = (char *) malloc((count+1)*500);
 	
 	list[0] = '\0';
 
@@ -114,18 +115,27 @@ char *list_clients(void) {
 		strcat(list, ":");
 		sprintf(tmp, "%d:", cd->client_port);
 		strcat(list, tmp);
-		if (*(cd->username) == '\0') {
+		if (cd->username[0] == '\0') {
 			char *s = ident_username(cl);
 			if (s) free(s);
 		}
 		strcat(list, cd->username);
 		strcat(list, ":");
+		if (cd->unixname[0] == '\0') {
+			strcat(list, "none");
+		} else {
+			strcat(list, cd->unixname);
+		}
+		strcat(list, ":");
 		strcat(list, cd->hostname);
 		strcat(list, ":");
 		strcat(list, cd->input);
 		strcat(list, ":");
 		sprintf(tmp, "%d", cd->login_viewonly);
 		strcat(list, tmp);
+		strcat(list, ":");
+		sprintf(tmp, "%d", (int) cd->login_time);
+		strcat(list, tmp);
 	}
 	rfbReleaseClientIterator(iter);
 	return list;
@@ -511,6 +521,10 @@ static void free_client_data(rfbClientPtr client) {
 				free(cd->username);
 				cd->username = NULL;
 			}
+			if (cd->unixname) {
+				free(cd->unixname);
+				cd->unixname = NULL;
+			}
 		}
 		free(client->clientData);
 		client->clientData = NULL;
@@ -828,6 +842,9 @@ static unsigned char t2x2_bits[] = {
 		sprintf(str_y, "OK");
 		sprop = "x11vnc client disconnected";
 		h = 110;
+		str1 = "";
+		str2 = "";
+		str3 = "";
 	} else if (!strcmp(mode, "mouse_only")) {
 		str1 = str1_m;
 		str2 = str2_m;
@@ -1747,6 +1764,7 @@ enum rfbNewClientAction new_client(rfbClientPtr client) {
 	cd->server_ip   = get_local_host(client->sock);
 	cd->hostname = ip2host(client->host);
 	cd->username = strdup("");
+	cd->unixname = strdup("");
 
 	cd->input[0] = '-';
 	cd->login_viewonly = -1;
@@ -1947,7 +1965,6 @@ void check_new_clients(void) {
 	int run_after_accept = 0;
 
 	if (unixpw_in_progress) {
-		int present = 0;
 		if (time(0) > unixpw_last_try_time + 30) {
 			rfbLog("unixpw_deny: timed out waiting for reply.\n");
 			unixpw_deny();

x11vnc/gui.c

@@ -14,7 +14,7 @@
 #define XEMBED_VERSION 0
 #define XEMBED_MAPPED  (1 << 0)
 
-int icon_mode = 0;		/* hack for -gui tray */
+int icon_mode = 0;		/* hack for -gui tray/icon */
 char *icon_mode_file = NULL;
 FILE *icon_mode_fh = NULL;
 int icon_mode_socks[ICON_MODE_SOCKS];

x11vnc/inet.c

@@ -288,6 +288,9 @@ char *ident_username(rfbClientPtr client) {
 		}
 		user = newuser;
 	}
+	if (!strcmp(user, "unknown-user") && cd && cd->unixname[0] != '\0') {
+		user = cd->unixname;
+	}
 	newhost = ip2host(client->host);
 	len = strlen(user) + 1 + strlen(newhost) + 1;
 	str = (char *) malloc(len);
@@ -318,7 +321,20 @@ int have_ssh_env(void) {
 	char *str, *p = getenv("SSH_CONNECTION");
 	char *rhost, *rport, *lhost, *lport;
 	
-	if (! p) return 0;
+	if (! p) {
+		char *q = getenv("SSH_CLIENT");
+		if (! q) {
+			return 0;
+		}
+		if (strstr(q, "127.0.0.1") != NULL) {
+			return 0;
+		}
+		return 1;
+	}
+
+	if (strstr(p, "127.0.0.1") != NULL) {
+		return 0;
+	}
 
 	str = strdup(p);
 	
@@ -342,10 +358,10 @@ int have_ssh_env(void) {
 
 if (0) fprintf(stderr, "%d/%d - '%s' '%s'\n", atoi(rport), atoi(lport), rhost, lhost);
 
-	if (atoi(rport) < 0 || atoi(rport) > 65535) {
+	if (atoi(rport) <= 16 || atoi(rport) > 65535) {
 		goto fail;
 	}
-	if (atoi(lport) < 0 || atoi(lport) > 65535) {
+	if (atoi(lport) <= 16 || atoi(lport) > 65535) {
 		goto fail;
 	}
 
@@ -358,7 +374,6 @@ if (0) fprintf(stderr, "%d/%d - '%s' '%s'\n", atoi(rport), atoi(lport), rhost, l
 	return 1;
 	
 	fail:
-fprintf(stderr, "failed:\n");
 
 	free(str);
 

x11vnc/options.c

@@ -16,6 +16,7 @@ int logfile_append = 0;
 char *flagfile = NULL;		/* -flag */
 char *passwdfile = NULL;	/* -passwdfile */
 int unixpw = 0;			/* -unixpw */
+int unixpw_nis = 0;		/* -unixpw_nis */
 char *unixpw_list = NULL;
 int use_stunnel = 0;		/* -stunnel */
 int stunnel_port = 0;

x11vnc/options.h

@@ -16,6 +16,7 @@ extern int logfile_append;
 extern char *flagfile;
 extern char *passwdfile;
 extern int unixpw;
+extern int unixpw_nis;
 extern char *unixpw_list;
 extern int use_stunnel;
 extern int stunnel_port;

x11vnc/remote.c

@@ -3704,6 +3704,8 @@ char *process_remote_cmd(char *cmd, int stringonly) {
 			snprintf(buf, bufn, "aro=%s:%s", p, NONUL(passwdfile));
 		} else if (!strcmp(p, "unixpw")) {
 			snprintf(buf, bufn, "aro=%s:%d", p, unixpw);
+		} else if (!strcmp(p, "unixpw_nis")) {
+			snprintf(buf, bufn, "aro=%s:%d", p, unixpw_nis);
 		} else if (!strcmp(p, "unixpw_list")) {
 			snprintf(buf, bufn, "aro=%s:%s", p, NONUL(unixpw_list));
 		} else if (!strcmp(p, "stunnel")) {

x11vnc/sslcmds.c

@@ -19,6 +19,27 @@ void setup_stunnel(int rport, int *argc, char **argv);
 
 static pid_t stunnel_pid = 0;
 
+void check_stunnel(void) {
+	static time_t last_check = 0;
+	time_t now = time(0);
+
+	if (last_check + 3 >= now) {
+		return;
+	}
+	last_check = now;
+
+	if (stunnel_pid > 0) {
+		int status;
+		waitpid(stunnel_pid, &status, WNOHANG); 
+		if (kill(stunnel_pid, 0) != 0) {
+			waitpid(stunnel_pid, &status, WNOHANG); 
+			rfbLog("stunnel subprocess %d died.\n", stunnel_pid); 
+			stunnel_pid = 0;
+			clean_up_exit(1);
+		}
+	}
+}
+
 int start_stunnel(int stunnel_port, int x11vnc_port) {
 #ifdef SSLCMDS
 	char extra[] = ":/usr/sbin:/usr/local/sbin";

x11vnc/sslcmds.h

@@ -3,6 +3,7 @@
 
 /* -- sslcmds.h -- */
 
+extern void check_stunnel(void);
 extern int start_stunnel(int stunnel_port, int x11vnc_port);
 extern void stop_stunnel(void);
 extern void setup_stunnel(int rport, int *argc, char **argv);

x11vnc/tkx11vnc

@@ -258,6 +258,8 @@ Permissions
 	=F rfbauth:
 	unixpw
 	unixpw_list:
+	unixpw_nis
+	unixpw_nis_list:
 	=0 storepasswd
 	=GAL LOFF
 	=GAL Misc-Perms::
@@ -523,7 +525,11 @@ Set the -xrandr mode value.
 "
 
 	set helptext(unixpw_list) "
-Set the -unixpw_list usernames list value.
+Set the -unixpw usernames list value.
+"
+
+	set helptext(unixpw_nis_list) "
+Set the -unixpw_nis usernames list value.
 "
 
 	set helptext(stunnel_pem) "
@@ -658,10 +664,12 @@ to apply the changes, or press \"Cancel\" to skip applying them.
    remote-control commands.
 
  - \"Password\" lets you set the session password viewers may use to gain full
-   access to the display.
+   access to the display.  This will only work if x11vnc was started with 
+   the -gui icon or -gui tray mode.
    
  - \"ViewOnly Password\" lets you set the session password viewers may
-   use to gain view only access to the display.
+   use to gain view only access to the display.  This will only work if
+   x11vnc was started with the -gui icon or -gui tray mode.
 
 NOTE: These \"session\" passwords only last for the current x11vnc
 session (they are not remembered, see the -storepasswd, -passwdfile,
@@ -3217,25 +3225,36 @@ proc client_dialog {client} {
 	set ip ""
 	global menu_var text_area cleanup_window item_bool
 
-	append_text "\nClient info string:  $client\n\n"
-	if {[regexp {^(.*):(.*):(.*):(.*):(.*):(.*):(.*)$} \
-	    $client m0 m1 m2 m3 m4 m5 m6 m7]} {
-		# id:ip:port:user:hostname:input:loginvo
-		set cid $m1
-		set ip $m2
+	#<id>:<ip>:<port>:<user>:<unix>:<hostname>:<input>:<loginview>:<time>
+	append_text "\nClient info string:\n - $client\n\n"
+	if {[regexp {^(.*):(.*):(.*):(.*):(.*):(.*):(.*):(.*):(.*)$} \
+	    $client m0 m1 m2 m3 m4 m5 m6 m7 m8 m9]} {
+		set cid  $m1
+		set ip   $m2
 		set port $m3
 		set user $m4
-		set host $m5
+		set unix $m5
+		set host $m6
 		regsub {\..*$} $host "" host
-		set input $m6
-		set logvo $m7
-		append_text "Host: $host, Port: $port, User: $user, IP: $ip, Id: $cid\n"
+		set input $m7
+		set logvo $m8
+		set ltime $m9
+		append_text "Host: $host, Port: $port, User: $user"
+		if {$unix != "" && $unix != "none"} {
+			append_text ", Unix: $unix"
+		}
+		append_text ", IP: $ip, Id: $cid\n"
 		append_text " - originally logged in as: "
 		if {$logvo == "1" } {
-			append_text "View-Only Client\n"
+			append_text "View-Only Client"
 		} else {
-			append_text "Normal Client\n"
+			append_text "Normal Client"
+		}
+		if {$ltime != ""} {
+			set tim [clock format $ltime]
+			append_text ",  $tim"
 		}
+		append_text "\n"
 		append_text " - currently allowed input: "
 		set sk 0
 		set sm 0
@@ -3303,22 +3322,30 @@ proc disconnect_dialog {client} {
 	set cid ""
 	set host ""
 	set msg "\n"
-	append msg "*** Client info string: $client\n"
-	if {[regexp {^(.*):(.*):(.*):(.*):(.*):(.*)$} $client m0 m1 m2 m3 m4 m5 m6]} {
-		set cid $m1
-		set ip $m2
+	append msg "*** Client info string:\n    $client\n"
+	if {[regexp {^(.*):(.*):(.*):(.*):(.*):(.*):(.*):(.*):(.*)$} \
+	    $client m0 m1 m2 m3 m4 m5 m6 m7 m8 m9]} {
+		set cid  $m1
+		set ip   $m2
 		set port $m3
-		set host $m4
+		set user $m4
+		set unix $m5
+		set host $m6
 		regsub {\..*$} $host "" host
-		set input $m5
-		set logvo $m6
-		append_text "Host: $host, Port: $port, IP: $ip, Id: $cid\n"
+		set input $m7
+		set logvo $m8
+		set ltime $m9
+		append_text "Host: $host, Port: $port, IP: $ip, User: $user"
+		if {$unix != "" && $unix != "none"} {
+			append_text ", Unix: $unix"
+		}
+		append_text ", Id: $cid\n"
 	}
 	if {$cid == ""} {
 		append_text "Invalid client info string: $client\n"
 		return
 	}
-	append msg "*** To *DISCONNECT* this client press \"OK\", otherwise press \"Cancel\"\n"
+	append msg "*** To *DISCONNECT* this client press \"OK\" again, otherwise press \"Cancel\"\n"
 	bell
 	if {[warning_dialog $msg "current"]} {
 		push_new_value "disconnect" "disconnect" $cid 1
@@ -3389,12 +3416,19 @@ proc update_clients_menu {list} {
 		}
 		regsub -all {[{}()~!$&*|;'"`{}<>\[\]]} $client "" client
 		#'
-		if {[regexp {^(.*):(.*):(.*):(.*):(.*):(.*):(.*)$} \
-		    $client m0 m1 m2 m3 m4 m5 m6 m7]} {
-			# id:ip:port:user:hostname:input:loginvo
-			set host $m5
+		if {[regexp {^(.*):(.*):(.*):(.*):(.*):(.*):(.*):(.*):(.*)$} \
+		    $client m0 m1 m2 m3 m4 m5 m6 m7 m8 m9]} {
+			set id   $m1
+			set user $m4
+			set unix $m5
+			set host $m6
 			regsub {\..*$} $host "" host
-			set clabel "$host $m1"
+			set clabel "$host $id"
+			if {$unix != "" && $unix != "none"} {
+				set clabel "$unix@$clabel"
+			} elseif {$user != "unknown-user"} {
+				set clabel "$user@$clabel"
+			}
 		} else {
 			regsub {:.*$} $client "" clabel
 		}
@@ -3943,6 +3977,7 @@ proc do_props {{msg ""}} {
 	global menu_var unset_str
 	global have_labelframes ffont bfont
 	global props_buttons icon_noadvanced
+	global icon_mode icon_mode_at_startup
 
 	check_update_vars
 
@@ -4054,6 +4089,7 @@ proc do_props {{msg ""}} {
 	entry $vp.e -show "*" -textvariable props_viewpasswd -font $bfont
 	pack $vp.e -fill x -expand 1 -padx 1m -pady 1m -side top
 
+
 	lappend props_buttons $vp.e
 
 	set pw "$w.passwd"
@@ -4068,6 +4104,17 @@ proc do_props {{msg ""}} {
 	entry $pw.e -show "*" -textvariable props_passwd -font $bfont
 	pack $pw.e -fill x -expand 1 -padx 1m -pady 1m -side top
 
+	if {! $icon_mode_at_startup} {
+		$vp.e configure -state disabled
+		catch {$vp.l configure -state disabled}
+		catch {$vp configure -state disabled}
+		catch {$vp configure -foreground grey60}
+		$pw.e configure -state disabled
+		catch {$pw.l configure -state disabled}
+		catch {$pw configure -state disabled}
+		catch {$pw configure -foreground grey60}
+	}
+
 	lappend props_buttons $pw.e
 
 	set sh "$w.shared"
@@ -4188,7 +4235,8 @@ proc popup_post {m} {
 			continue
 		}
 		if {[regexp {^([^:]*):(.*)$} $client mat id lab]} {
-			$wd add command -label "$lab" \
+			set nid [expr "$id + 0"]
+			$wd add command -label "$nid $lab" \
 				-command "do_disconnect_client $id"
 		}
 	}
@@ -4213,26 +4261,38 @@ proc set_client_balloon {str} {
 	
 	set client_balloon "$vnc_display"
 	set count 0
+	regsub -all {^.*aro=clients:} $str "" str
+	regsub -all {aro=.*$} $str "" str
+	regsub -all {ans=.*$} $str "" str
 	foreach client [split $str ","] {
-		if {[regexp {^(.*):(.*):(.*):(.*):(.*):(.*):(.*)$} \
-		    $client m0 m1 m2 m3 m4 m5 m6 m7]} {
-			# id:ip:port:user:hostname:input:loginvo
+		#puts "client: $client"
+		if [regexp {^[ 	]*$} $client] {
+			continue
+		}
+		if {[regexp {^(.*):(.*):(.*):(.*):(.*):(.*):(.*):(.*):(.*)$} \
+		    $client m0 m1 m2 m3 m4 m5 m6 m7 m8 m9]} {
 			set id    $m1
+			set nid   [expr "$m1 + 0"]
 			set ip    $m2
 			set port  $m3
 			set user  $m4
+			set unix  $m5
 			if {[string length $user] >= 24} {
 				# weird identd hash...
 				set user [string range $user 0 8]
 				set user "${user}..."
 			}
-			set host  $m5
-			set input $m6
-			set vo    $m7
+			if {$unix != "" && $unix != "none"} {
+				set user $unix
+			}
+			set host  $m6
+			set input $m7
+			set vo    $m8
+			set ltime $m9
 			if [regexp {^[ 	]*$} $host] {
 				set host $ip
 			}
-			set client_balloon "${client_balloon}\n$user\@$host"
+			set client_balloon "${client_balloon}\n$nid $user\@$host"
 			if {$vo == "1"} {
 				set client_balloon "${client_balloon} - view"
 				lappend client_id_list "$id:$user\@$host - view"
@@ -5408,6 +5468,8 @@ proc get_nitem {item} {
 		set nitem "xrandr"
 	} elseif {$nitem == "unixpw_list"} {
 		set nitem "unixpw"
+	} elseif {$nitem == "unixpw_nis_list"} {
+		set nitem "unixpw_nis"
 	} elseif {$nitem == "stunnel_pem"} {
 		set nitem "stunnel"
 	} elseif {$nitem == "wireframe_mode"} {
@@ -5870,12 +5932,16 @@ proc setup_tray_embed {} {
 
 proc restart_everything {gui_mode} {
 	global env gui_argv0 x11vnc_prog full_win
+	global icon_mode_at_startup
+	global tray_embed tray_running
 	if {$gui_mode == "full"} {
 		set env(X11VNC_ICON_MODE) 0
 	} elseif {$gui_mode == "icon"} {
 		set env(X11VNC_ICON_MODE) 1
 	} elseif {$gui_mode == "tray"} {
-		if {![regexp -nocase {TRAY} $env(X11VNC_ICON_MODE)]} 	{
+		if {$tray_running} {
+			set env(X11VNC_ICON_MODE) "RUNNING"
+		} else {
 			set env(X11VNC_ICON_MODE) "TRAY"
 		}
 	}
@@ -5957,7 +6023,8 @@ global connected_to_x11vnc
 global delay_sleep extra_sleep extra_sleep_split
 global cache_all_query_vars
 global last_query_all_time query_all_freq client_tail client_sock client_info_read
-global icon_mode tray_embed tray_running icon_setpasswd icon_embed_id
+global icon_mode icon_mode_at_startup
+global tray_embed tray_running icon_setpasswd icon_embed_id
 global icon_noadvanced icon_minimal
 global make_gui_count text_area_str
 global gui_argv0 gui_start_mode
@@ -6144,6 +6211,20 @@ if {[info exists env(X11VNC_SIMPLE_GUI)]} {
 set icon_mode 0
 set tray_embed 0
 set tray_running 0
+
+if {![info exists env(X11VNC_ICON_MODE_AT_STARTUP)]} {
+	if {[info exists env(X11VNC_ICON_MODE)]} {
+		if {$env(X11VNC_ICON_MODE) != 0} {
+			set env(X11VNC_ICON_MODE_AT_STARTUP) 1
+		} else {
+			set env(X11VNC_ICON_MODE_AT_STARTUP) 0
+		}
+	} else {
+		set env(X11VNC_ICON_MODE_AT_STARTUP) 0
+	}
+}
+set icon_mode_at_startup $env(X11VNC_ICON_MODE_AT_STARTUP)
+
 if {![info exists env(X11VNC_ICON_MODE)]} {
 	set icon_mode 0
 } elseif {$env(X11VNC_ICON_MODE) == "" || $env(X11VNC_ICON_MODE) == "0"} {
@@ -6158,6 +6239,7 @@ if {![info exists env(X11VNC_ICON_MODE)]} {
 		set tray_running 1
 	}
 }
+
 set icon_setpasswd 0
 if {[info exists env(X11VNC_ICON_SETPASS)]} {
 	if {$env(X11VNC_ICON_SETPASS) != ""} {

x11vnc/unixpw.h

@@ -8,6 +8,7 @@ extern void unixpw_keystroke(rfbBool down, rfbKeySym keysym, int init);
 extern void unixpw_accept(char *user);
 extern void unixpw_deny(void);
 extern int su_verify(char *user, char *pass);
+extern int crypt_verify(char *user, char *pass);
 
 extern int unixpw_in_progress;
 extern time_t unixpw_last_try_time;

x11vnc/x11vnc.1

@@ -2,7 +2,7 @@
 .TH X11VNC "1" "March 2006" "x11vnc " "User Commands"
 .SH NAME
 x11vnc - allow VNC connections to real X11 displays
-         version: 0.8.1, lastmod: 2006-03-02
+         version: 0.8.1, lastmod: 2006-03-04
 .SH SYNOPSIS
 .B x11vnc
 [OPTION]...
@@ -32,10 +32,10 @@ these protections.  See the FAQ for details how to tunnel the VNC connection
 through an encrypted channel such as 
 .IR ssh (1).
 In brief:
-.IP
-ssh -L 5900:localhost:5900 far-host 'x11vnc -localhost -display :0'
-.IP
-vncviewer -encodings 'copyrect tight zrle hextile' localhost:0
+.PP
+% ssh -L 5900:localhost:5900 far-host 'x11vnc -localhost -display :0'
+.PP
+% vncviewer -encodings 'copyrect tight zrle hextile' localhost:0
 .PP
 Also, use of a VNC password (-rfbauth or \fB-passwdfile)\fR is strongly recommend.
 .PP
@@ -494,19 +494,19 @@ full-access passwords)
 .PP
 \fB-unixpw\fR \fI[list]\fR
 .IP
-Experimental option: use Unix username and password
-authentication.  x11vnc uses the 
+Use Unix username and password authentication.  x11vnc
+uses the 
 .IR su (1)
-program to verify
-the user's password.  [list] is an optional comma
-separated list of allowed Unix usernames.  See below
-for per-user options that can be applied.
+program to verify the user's password.
+[list] is an optional comma separated list of allowed
+Unix usernames.  See below for per-user options that
+can be applied.
 .IP
 A familiar "login:" and "Password:" dialog is
 presented to the user on a black screen inside the
 vncviewer.  The connection is dropped if the user fails
 to supply the correct password in 3 tries or does not
-send one before a 20 second timeout.  Existing clients
+send one before a 25 second timeout.  Existing clients
 are view-only during this period.
 .IP
 Since the detailed behavior of 
@@ -514,19 +514,24 @@ Since the detailed behavior of
 can vary from
 OS to OS and for local configurations, please test
 the mode carefully on your systems before using it.
-Try different combinations of valid/invalid usernames
-and passwords.
-.IP
-For example, on FreeBSD and the other BSD's and Tru64
-it does not appear to be possible for the user running
-x11vnc to validate his *own* password via 
-.IR su (1).
-The x11vnc login will always fail in this case.
-A possible workaround would be to start x11vnc as
-root with the "\fB-users\fR \fI+nobody\fR" option to immediately
-switch to user nobody.  Another source of problems are
-PAM modules that prompt for extra info, e.g. password
-aging modules.  These logins will always fail as well.
+E.g. try different combinations of valid/invalid
+usernames and valid/invalid passwords to see if it
+behaves correctly.  x11vnc will be conservative and
+reject a user if anything abnormal occurs.
+.IP
+For example, on FreeBSD and the other BSD's by default
+it is impossible for the user running x11vnc to validate
+his *own* password via 
+.IR su (1)
+(evidently commenting
+out the pam_self.so entry in /etc/pam.d/su eliminates
+the problem).  So the x11vnc login will always fail for
+this case.  A possible workaround would be to start
+x11vnc as root with the "\fB-users\fR \fI+nobody\fR" option to
+immediately switch to user nobody.  Another source of
+problems are PAM modules that prompt for extra info,
+e.g. password aging modules.  These logins will always
+fail as well.
 .IP
 *IMPORTANT*: to prevent the Unix password being sent in
 *clear text* over the network, two x11vnc options are
@@ -544,21 +549,22 @@ Evidently you will be using a different method to
 encrypt the data between the vncviewer and x11vnc:
 e.g. 
 .IR ssh (1)
-or a VPN.  Note that use of 
+or a VPN.  Note that use of \fB-localhost\fR
+with 
 .IR ssh (1)
-with
-\fB-localhost\fR is roughly the same as requiring a Unix
-user login (since Unix password or the user's public
-key authentication is used by ssh)
+is roughly the same as requiring a Unix
+user login (since a Unix password or the user's public
+key authentication is used by ssh on the machine where
+x11vnc runs and only local connections are accepted)
 .IP
 As a convenience, if you 
 .IR ssh (1)
-in and start x11vnc
-it will look to see if the environment variable
-SSH_CONNECTION is set and appears reasonable.  If it
-does, then the stunnel requirement is dropped since
-it is assumed you are using ssh for the encrypted
-tunnelling.  Use \fB-stunnel\fR to force stunnel usage.
+in and start x11vnc it
+will check if the environment variable SSH_CONNECTION
+is set and appears reasonable.  If it does, then the
+stunnel requirement is dropped since it is assumed
+you are using ssh for the encrypted tunnelling.
+Use \fB-stunnel\fR to force stunnel usage.
 .IP
 Set UNIXPW_DISABLE_LOCALHOST=1 to disable the \fB-localhost\fR
 requirement.  One should never do this (i.e. allow the
@@ -575,20 +581,36 @@ per-user options after a ":", e.g. "fred:opts"
 where "opts" is a "+" separated list of
 "viewonly", "fullaccess", "input=XXXX", or
 "deny", e.g. "karl,fred:viewonly,boss:input=M".
-For "input=" it is the K,M,B,C describe under \fB-input.\fR
+For "input=" it is the K,M,B,C described under \fB-input.\fR
 .IP
-If a user in the list is "*" that means those options
-apply to all users.  It also means all users are allowed
-to log in.  Use "deny" to explicitly deny some users
-if you use "*" to set a global option.
+If a user in the list is "*" that means those
+options apply to all users.  It also means all users
+are allowed to log in after supplying a valid password.
+Use "deny" to explicitly deny some users if you use
+"*" to set a global option.
+.PP
+\fB-unixpw_nis\fR \fI[list]\fR
+.IP
+As \fB-unixpw\fR above, however do not run 
+.IR su (1)
+but rather
+use the traditional getpwnam() + crypt() method instead.
+This requires that the encrpyted passwords be readable.
+Passwords stored in /etc/shadow will be inaccessible
+unless run as root.  This is called "NIS" mode
+simply because in most NIS setups the user encrypted
+passwords are accessible (e.g. "ypcat passwd").
+NIS is not required for this mode to work, but it
+is unlikely it will work for any other environment.
+All of the \fB-unixpw\fR options and contraints apply.
 .PP
 \fB-stunnel\fR \fI[pem]\fR
 .IP
 Use the 
 .IR stunnel (1)
-(www.stunnel.org) to provide an
-encrypted SSL tunnel between viewers and x11vnc.
-This requires stunnel be installed on the system and
+(www.stunnel.org) to provide
+an encrypted SSL tunnel between viewers and x11vnc.
+This requires stunnel to be installed on the system and
 available via PATH (n.b. stunnel is often installed in
 sbin directories).  Version 4.x of stunnel is assumed;
 see \fB-stunnel3\fR below.
@@ -600,9 +622,9 @@ configuration.
 .IP
 stunnel is started up as a child process of x11vnc and
 any SSL connections stunnel receives are decrypted and
-sent to x11vnc over a local socket.  The strings "The
-SSL VNC desktop is ..." and SSLPORT=... are printed
-out at startup.
+sent to x11vnc over a local socket.  The strings
+"The SSL VNC desktop is ..." and "SSLPORT=..."
+are printed out at startup.
 .IP
 The \fB-localhost\fR option is enforced by default to
 avoid people routing around the SSL channel.  Set
@@ -610,7 +632,7 @@ STUNNEL_DISABLE_LOCALHOST=1 to disable the requirement.
 .IP
 Your VNC viewer will need to be able to connect via SSL.
 Unfortunately not too many do this.  UltraVNC seems to
-have a SSL plugin.   It is not too difficult to set up
+have a SSL plugin.  It is not too difficult to set up
 an stunnel or other SSL tunnel on the viewer side.
 .IP
 A simple example on Unix using stunnel 3.x is:
@@ -2694,16 +2716,16 @@ aro=  noop display vncdisplay desktopname guess_desktop
 http_url auth xauth users rootshift clipshift
 scale_str scaled_x scaled_y scale_numer scale_denom
 scale_fac scaling_blend scaling_nomult4 scaling_pad
-scaling_interpolate inetd privremote unsafe safer nocmds
-passwdfile unixpw unixpw_list stunnel stunnel_pem
-using_shm logfile o flag rc norc h help V version
-lastmod bg sigpipe threads readrate netrate netlatency
-pipeinput clients client_count pid ext_xtest ext_xtrap
-ext_xrecord ext_xkb ext_xshm ext_xinerama ext_overlay
-ext_xfixes ext_xdamage ext_xrandr rootwin num_buttons
-button_mask mouse_x mouse_y bpp depth indexed_color
-dpy_x dpy_y wdpy_x wdpy_y off_x off_y cdpy_x cdpy_y
-coff_x coff_y rfbauth passwd viewpasswd
+scaling_interpolate inetd privremote unsafe safer
+nocmds passwdfile unixpw unixpw_nis unixpw_list stunnel
+stunnel_pem using_shm logfile o flag rc norc h help
+V version lastmod bg sigpipe threads readrate netrate
+netlatency pipeinput clients client_count pid ext_xtest
+ext_xtrap ext_xrecord ext_xkb ext_xshm ext_xinerama
+ext_overlay ext_xfixes ext_xdamage ext_xrandr rootwin
+num_buttons button_mask mouse_x mouse_y bpp depth
+indexed_color dpy_x dpy_y wdpy_x wdpy_y off_x off_y
+cdpy_x cdpy_y coff_x coff_y rfbauth passwd viewpasswd
 .PP
 \fB-QD\fR \fIvariable\fR
 .IP
@@ -2896,15 +2918,26 @@ run by \fB-accept\fR and \fB-gone\fR:
 .IR vncconnect (1),
 .IR vncserver (1),
 .IR Xvnc (1),
-.IR inetd (1),
 .IR xev (1),
+.IR xdpyinfo (1),
+.IR xwininfo (1),
+.IR xprop (1),
 .IR xmodmap (1),
+.IR xrandr (1),
 .IR Xserver (1),
 .IR xauth (1),
 .IR xhost (1),
 .IR Xsecurity (7),
 .IR xmessage (1),
+.IR XGetImage (3X11),
 .IR ipcrm (1),
+.IR inetd (1),
+.IR xdm (1),
+.IR gdm (1),
+.IR kdm (1),
+.IR ssh (1),
+.IR stunnel (8),
+.IR su (1),
 .IR http://www.tightvnc.com ,
 .IR http://www.realvnc.com ,
 .IR http://www.karlrunge.com/x11vnc/ ,

x11vnc/x11vnc.c

@@ -138,6 +138,7 @@
 #include "connections.h"
 #include "rates.h"
 #include "unixpw.h"
+#include "inet.h"
 
 /*
  * main routine for the x11vnc program
@@ -467,6 +468,7 @@ if (debug_scroll) fprintf(stderr, "watch_loop: LOOP-BACK: %d\n", ret);
 			check_keycode_state();
 			check_connect_inputs();		
 			check_gui_inputs();		
+			check_stunnel();		
 			record_last_fb_update();
 			check_padded_fb();		
 			check_fixscreen();		
@@ -898,6 +900,82 @@ static void immediate_switch_user(int argc, char* argv[]) {
 	}
 }
 
+static void quick_pw(char *str) {
+	char *p, *q;
+	char tmp[1024];
+	int db = 0;
+
+	if (db) fprintf(stderr, "quick_pw: %s\n", str);
+
+	if (! str || str[0] == '\0') {
+		exit(1);
+	}
+	if (str[0] != '%') {
+		exit(1);
+	}
+	/*
+	 * "%-" or "%stdin" means read one line from stdin.
+	 *
+	 * "%env" means it is in $UNIXPW env var.
+	 *
+	 * starting "%/" or "%." means read the first line from that file.
+	 *
+	 * otherwise: %user:pass
+	 */
+	if (!strcmp(str, "%-") || !strcmp(str, "%stdin")) {
+		if(fgets(tmp, 1024, stdin) == NULL) {
+			exit(1);
+		}
+		q = strdup(tmp);
+	} else if (!strcmp(str, "%env")) {
+		if (getenv("UNIXPW") == NULL) {
+			exit(1);
+		}
+		q = strdup(getenv("UNIXPW"));
+	} else if (str[1] == '/' || str[1] == '.') {
+		FILE *in = fopen(str+1, "r");
+		if (in == NULL) {
+			exit(1);
+		}
+		if(fgets(tmp, 1024, in) == NULL) {
+			exit(1);
+		}
+		q = strdup(tmp);
+	} else {
+		q = strdup(str+1);
+	}
+	p = (char *) malloc(strlen(q) + 10);
+	strcpy(p, q);
+	if (strchr(p, '\n') == NULL) {
+		strcat(p, "\n");
+	}
+
+	if ((q = strchr(p, ':')) == NULL) {
+		exit(1);
+	}
+	*q = '\0';
+	if (db) fprintf(stderr, "'%s' '%s'\n", p, q+1);
+	if (unixpw_nis) {
+		if (crypt_verify(p, q+1)) {
+			fprintf(stdout, "Y %s\n", p);
+			exit(0);
+		} else {
+			fprintf(stdout, "N %s\n", p);
+			exit(1);
+		}
+	} else {
+		if (su_verify(p, q+1)) {
+			fprintf(stdout, "Y %s\n", p);
+			exit(0);
+		} else {
+			fprintf(stdout, "N %s\n", p);
+			exit(1);
+		}
+	}
+	/* NOTREACHED */
+	exit(1);
+}
+
 static void print_settings(int try_http, int bg, char *gui_str) {
 
 	fprintf(stderr, "\n");
@@ -1364,9 +1442,11 @@ int main(int argc, char* argv[]) {
 			CHECK_ARGC
 			passwdfile = strdup(argv[++i]);
 			got_passwdfile = 1;
-		} else if (!strcmp(arg, "-unixpw")
-		    || !strcmp(arg, "-unixpw_unsafe")) {
+		} else if (strstr(arg, "-unixpw") == arg) {
 			unixpw = 1;
+			if (strstr(arg, "-unixpw_nis")) {
+				unixpw_nis = 1;
+			}
 			if (i < argc-1) {
 				char *p, *q, *s = argv[i+1];
 				if (s[0] != '-') {
@@ -1374,23 +1454,12 @@ int main(int argc, char* argv[]) {
 					i++;
 				}
 				if (s[0] == '%') {
-					p = unixpw_list;
 					unixpw_list = NULL;
-					strcpy(p, s+1);
-					strcat(p, "\n");	/* just fits */
-					if ((q = strchr(p, ':')) == NULL) {
-						exit(1);
-					}
-					*q = '\0';
-					if (su_verify(p, q+1)) {
-						fprintf(stderr, "\nY\n");
-					} else {
-						fprintf(stderr, "\nN\n");
-					}
-					exit(0);
+					quick_pw(s);
+					exit(1);
 				}
 			}
-			if (!strcmp(arg, "-unixpw_unsafe")) {
+			if (strstr(arg, "_unsafe")) {
 				/* hidden option for testing. */
 				set_env("UNIXPW_DISABLE_STUNNEL", "1");
 				set_env("UNIXPW_DISABLE_LOCALHOST", "1");
@@ -2114,6 +2183,17 @@ int main(int argc, char* argv[]) {
 					    "mode.\n");
 				}
 				use_stunnel = 1;
+			} else if (! getenv("UNIXPW_DISABLE_STUNNEL")) {
+				char *s = getenv("SSH_CONNECTION");
+				if (! s) s = getenv("SSH_CLIENT");
+				if (! s) s = "SSH_CONNECTION";
+				fprintf(stderr, "\n");
+				rfbLog("Skipping -stunnel contraint in -unixpw mode,\n");
+				rfbLog("assuming your SSH encryption is: %s\n", s);
+				fprintf(stderr, "\n");
+				if (! nopw) {
+					usleep(2000*1000);
+				}
 			}
 		}
 	    } else if (use_stunnel) {

x11vnc/x11vnc.h

@@ -247,6 +247,19 @@ extern int h_errno;
 # endif
 #endif
 
+/*
+ * For reference, the OS header defines:
+ __SVR4 && __sun   is solaris
+ __sgi
+ __hpux
+ __osf__
+ __OpenBSD__
+ __FreeBSD__
+ __NetBSD__
+ __linux__
+ _AIX
+ */
+
 #ifdef IRIX_OVERLAY
 #include <X11/extensions/readdisplay.h>
 #endif
@@ -422,6 +435,7 @@ typedef struct _ClientData {
 	int uid;
 	char *hostname;
 	char *username;
+	char *unixname;
 	int client_port;
 	int server_port;
 	char *server_ip;

x11vnc/x11vnc_defs.c

@@ -15,7 +15,7 @@ int xtrap_base_event_type = 0;
 int xdamage_base_event_type = 0;
 
 /*               date +'lastmod: %Y-%m-%d' */
-char lastmod[] = "0.8.1 lastmod: 2006-03-02";
+char lastmod[] = "0.8.1 lastmod: 2006-03-04";
 
 /* X display info */