Commit c49eee2c authored by runge's avatar runge

ssvnc: SOCKS support, PORT=, Verify all Certs and accepted certs logging....

ssvnc: SOCKS support, PORT=, Verify all Certs and accepted certs logging. x11vnc SSL debugging output.
parent 8b2bb652
2007-05-16 Karl Runge <runge@karlrunge.com>
* x11vnc: print out peer host and port for debugging SSL.
* ssvnc: rand check, SOCKS support, PORT=, Verify all Certs
and accepted certs logging.
2007-05-06 Karl Runge <runge@karlrunge.com> 2007-05-06 Karl Runge <runge@karlrunge.com>
* x11vnc: lower -wait and -defer to 20ms. Change some SSL * x11vnc: lower -wait and -defer to 20ms. Change some SSL
debug output. Drop client doing ultravnc stuff in -unixpw debug output. Drop client doing ultravnc stuff in -unixpw
......
This source diff could not be displayed because it is too large. You can view the blob instead.
...@@ -77,13 +77,19 @@ The enhanced TightVNC viewer features are: ...@@ -77,13 +77,19 @@ The enhanced TightVNC viewer features are:
- You can also use your own VNC Viewer, e.g. UltraVNC or RealVNC, - You can also use your own VNC Viewer, e.g. UltraVNC or RealVNC,
with the front-end GUI or scripts if you like. with the front-end GUI or scripts if you like.
- Sets up any additional SSH port redirections that you desire. - Sets up any additional SSH port redirections that you want.
- Support for native MacOS X usage with bundled Chicken of the - Support for native MacOS X usage with bundled Chicken of the
VNC viewer. VNC viewer.
- Reverse (viewer listening) VNC connections via SSL and SSH.
(these features only apply to the bundled Unix tightvnc viewer) - Dynamic VNC Server Port determination and redirection (using
ssh's builtin SOCKS proxy, -D) for servers like x11vnc that
print out PORT= at startup.
(the following features only apply to the bundled Unix tightvnc viewer)
- rfbNewFBSize VNC support (screen resizing) - rfbNewFBSize VNC support (screen resizing)
......
...@@ -325,6 +325,8 @@ if uname | grep Linux > /dev/null; then ...@@ -325,6 +325,8 @@ if uname | grep Linux > /dev/null; then
inuse=`netstat -ant | egrep 'LISTEN|WAIT|ESTABLISH|CLOSE' | awk '{print $4}' | sed 's/^.*://'` inuse=`netstat -ant | egrep 'LISTEN|WAIT|ESTABLISH|CLOSE' | awk '{print $4}' | sed 's/^.*://'`
elif uname | grep SunOS > /dev/null; then elif uname | grep SunOS > /dev/null; then
inuse=`netstat -an -f inet -P tcp | grep LISTEN | awk '{print $1}' | sed 's/^.*\.//'` inuse=`netstat -an -f inet -P tcp | grep LISTEN | awk '{print $1}' | sed 's/^.*\.//'`
elif uname | grep -i bsd > /dev/null; then
inuse=`netstat -ant -f inet | grep LISTEN | awk '{print $4}' | sed 's/^.*\.//'`
# add others... # add others...
fi fi
...@@ -423,6 +425,31 @@ if echo "$0" | grep vncip > /dev/null; then ...@@ -423,6 +425,31 @@ if echo "$0" | grep vncip > /dev/null; then
VNCVIEWERCMD="$VNCIPCMD" VNCVIEWERCMD="$VNCIPCMD"
fi fi
rchk() {
if [ "X$BASH_VERSION" = "X" ]; then
RANDOM=`date +%S``sh -c 'echo $$'``ps -elf 2>&1 | sum 2>&1 | awk '{print $1}'`
fi
}
rchk
mytmp() {
tf=$1
rm -rf "$tf" || exit 1
if [ -d "$tf" ]; then
echo "tmp file $tf still exists as a directory."
exit 1
elif [ -L "$tf" ]; then
echo "tmp file $tf still exists as a symlink."
exit 1
elif [ -f "$tf" ]; then
echo "tmp file $tf still exists."
exit 1
fi
touch "$tf" || exit 1
chmod 600 "$tf" || exit 1
rchk
}
if [ "X$use_ssh" = "X1" ]; then if [ "X$use_ssh" = "X1" ]; then
ssh_port="22" ssh_port="22"
ssh_host="$host" ssh_host="$host"
...@@ -483,28 +510,88 @@ if [ "X$use_ssh" = "X1" ]; then ...@@ -483,28 +510,88 @@ if [ "X$use_ssh" = "X1" ]; then
if [ "X$SS_VNCVIEWER_USE_C" != "X" ]; then if [ "X$SS_VNCVIEWER_USE_C" != "X" ]; then
C="-C" C="-C"
fi fi
if [ "X$reverse" = "X" ]; then
getport=""
if echo "$ssh_cmd" | egrep "^(PORT=|P=)" > /dev/null; then
getport=1
PORT=""
ssh_cmd=`echo "$ssh_cmd" | sed -e 's/^PORT=[ ]*//' -e 's/^P=//'`
SSVNC_NO_ENC_WARN=1
if [ "X$use_sshssl" = "X" ]; then
direct_connect=1
fi
fi
if [ "X$getport" != "X" ]; then
ssh_redir="-D ${use}"
elif [ "X$reverse" = "X" ]; then
ssh_redir="-L ${use}:${vnc_host}:${port}" ssh_redir="-L ${use}:${vnc_host}:${port}"
else else
ssh_redir="-R ${port}:${vnc_host}:${use}" ssh_redir="-R ${port}:${vnc_host}:${use}"
fi fi
pmark=`sh -c 'echo $$'` pmark=`sh -c 'echo $$'`
# the -t option actually speeds up typing response via VNC!! # the -t option actually speeds up typing response via VNC!!
if [ "X$SS_VNCVIEWER_SSH_ONLY" != "X" ]; then if [ "X$SS_VNCVIEWER_SSH_ONLY" != "X" ]; then
echo "$ssh -x -p $ssh_port $targ $C $ssh_args $ssh_host \"$info\"" echo "$ssh -x -p $ssh_port $targ $C $ssh_args $ssh_host \"$info\""
echo "" echo ""
$ssh -x -p $ssh_port $targ $C $ssh_args $ssh_host "$ssh_cmd" $ssh -x -p $ssh_port $targ $C $ssh_args $ssh_host "$ssh_cmd"
exit $? exit $?
elif [ "X$SS_VNCVIEWER_NO_F" != "X" ]; then elif [ "X$SS_VNCVIEWER_NO_F" != "X" ]; then
echo "$ssh -x -p $ssh_port $targ $C $ssh_redir $ssh_args $ssh_host \"$info\"" echo "$ssh -x -p $ssh_port $targ $C $ssh_redir $ssh_args $ssh_host \"$info\""
echo "" echo ""
$ssh -x -p $ssh_port $targ $C $ssh_redir $ssh_args $ssh_host "$ssh_cmd" $ssh -x -p $ssh_port $targ $C $ssh_redir $ssh_args $ssh_host "$ssh_cmd"
rc=$?
elif [ "X$getport" != "X" ]; then
echo "$ssh -x -f -p $ssh_port $targ $C $ssh_redir $ssh_args $ssh_host \"$info\""
echo ""
tport=/tmp/tport${RANDOM}.$$
mytmp $tport
$ssh -x -f -p $ssh_port $targ $C $ssh_redir $ssh_args $ssh_host "$ssh_cmd" > $tport
rc=$?
stty sane
i=0
while [ $i -lt 10 ]; do
sleep 1
PORT=`grep "^PORT=" $tport | head -1 | sed -e 's/PORT=//' -e 's/\r//g'`
if echo "$PORT" | grep '^[0-9][0-9]*$' > /dev/null; then
break
fi
vnss=`sed -e 's/\r//g' $tport | egrep -i '^(New.* desktop is|A VNC server is already running).*:[0-9[0-9]*$' | head -1 | awk '{print $NF}'`
if [ "X$vnss" != "X" ]; then
PORT=`echo "$vnss" | awk -F: '{print $2}'`
if echo "$PORT" | grep '^[0-9][0-9]*$' > /dev/null; then
if [ $PORT -lt 100 ]; then
PORT=`expr $PORT + 5900`
fi
fi
if echo "$PORT" | grep '^[0-9][0-9]*$' > /dev/null; then
break
fi
fi
i=`expr $i + 1`
done
echo "PORT=$PORT" 1>&2
PPROXY_SOCKS=1
export PPROXY_SOCKS
host="localhost"
port="$PORT"
proxy="localhost:$use"
rm -f $tport
else else
echo "$ssh -x -f -p $ssh_port $targ $C $ssh_redir $ssh_args $ssh_host \"$info\"" echo "$ssh -x -f -p $ssh_port $targ $C $ssh_redir $ssh_args $ssh_host \"$info\""
echo "" echo ""
$ssh -x -f -p $ssh_port $targ $C $ssh_redir $ssh_args $ssh_host "$ssh_cmd" $ssh -x -f -p $ssh_port $targ $C $ssh_redir $ssh_args $ssh_host "$ssh_cmd"
rc=$?
fi fi
if [ "$?" != "0" ]; then
if [ "$rc" != "0" ]; then
echo "" echo ""
echo "ssh to $ssh_host failed." echo "ssh to $ssh_host failed."
exit 1 exit 1
...@@ -522,7 +609,9 @@ if [ "X$use_ssh" = "X1" ]; then ...@@ -522,7 +609,9 @@ if [ "X$use_ssh" = "X1" ]; then
fi fi
c=`expr $c + 1` c=`expr $c + 1`
done done
if [ "X$ssh_cmd" = "Xsleep $ssh_sleep" ] ; then if [ "X$getport" != "X" ]; then
:
elif [ "X$ssh_cmd" = "Xsleep $ssh_sleep" ] ; then
sleep 1 sleep 1
else else
# let any command get started a bit. # let any command get started a bit.
...@@ -532,7 +621,7 @@ if [ "X$use_ssh" = "X1" ]; then ...@@ -532,7 +621,7 @@ if [ "X$use_ssh" = "X1" ]; then
#reset #reset
stty sane stty sane
#echo "pssh=\"$pssh\"" #echo "pssh=\"$pssh\""
if [ "X$use_sshssl" = "X" ]; then if [ "X$use_sshssl" = "X" -a "X$getport" = "X" ]; then
echo "Running viewer:" echo "Running viewer:"
trap "final" 0 2 15 trap "final" 0 2 15
...@@ -558,7 +647,12 @@ if [ "X$use_ssh" = "X1" ]; then ...@@ -558,7 +647,12 @@ if [ "X$use_ssh" = "X1" ]; then
port=$use port=$use
use=$use2 use=$use2
N=`expr $use - 5900` N=`expr $use - 5900`
proxy="" if [ "X$getport" != "X" ]; then
host="$host0"
port="$port0"
else
proxy=""
fi
fi fi
fi fi
...@@ -576,53 +670,33 @@ if [ "X$mycert" != "X" ]; then ...@@ -576,53 +670,33 @@ if [ "X$mycert" != "X" ]; then
cert="cert = $mycert" cert="cert = $mycert"
fi fi
mytmp() {
tf=$1
rm -rf "$tf" || exit 1
if [ -d "$tf" ]; then
echo "tmp file $tf still exists as a directory."
exit 1
elif [ -L "$tf" ]; then
echo "tmp file $tf still exists as a symlink."
exit 1
elif [ -f "$tf" ]; then
echo "tmp file $tf still exists."
exit 1
fi
touch "$tf" || exit 1
chmod 600 "$tf" || exit 1
}
if echo "$RANDOM" | grep '[^0-9]' > /dev/null; then
RANDOM=`date +%S`
fi
pcode() { pcode() {
tf=$1 tf=$1
SSVNC_PROXY=$proxy; export SSVNC_PROXY PPROXY_PROXY=$proxy; export PPROXY_PROXY
SSVNC_DEST="$host:$port"; export SSVNC_DEST PPROXY_DEST="$host:$port"; export PPROXY_DEST
cod='#!/usr/bin/perl cod='#!/usr/bin/perl
# A hack to glue stunnel to a Web proxy for client connections. # A hack to glue stunnel to a Web proxy or SOCKS for client connections.
use IO::Socket::INET; use IO::Socket::INET;
my ($first, $second) = split(/,/, $ENV{SSVNC_PROXY}); my ($first, $second) = split(/,/, $ENV{PPROXY_PROXY});
my ($proxy_host, $proxy_port) = split(/:/, $first); my ($proxy_host, $proxy_port) = split(/:/, $first);
my $connect = $ENV{SSVNC_DEST}; my $connect = $ENV{PPROXY_DEST};
print STDERR "\nperl script for web proxing:\n"; print STDERR "\nPPROXY v0.0: a tool for Web proxies and SOCKS connections.\n";
print STDERR "proxy_host: $proxy_host\n"; print STDERR "proxy_host: $proxy_host\n";
print STDERR "proxy_port: $proxy_port\n"; print STDERR "proxy_port: $proxy_port\n";
print STDERR "proxy_connect: $connect\n"; print STDERR "proxy_connect: $connect\n";
my $listen_handle = ""; my $listen_handle = "";
if ($ENV{SSVNC_LISTEN} != "") { if ($ENV{PPROXY_LISTEN} != "") {
my $listen_sock = IO::Socket::INET->new( my $listen_sock = IO::Socket::INET->new(
Listen => 2, Listen => 2,
LocalAddr => "localhost", LocalAddr => "localhost",
LocalPort => $ENV{SSVNC_LISTEN}, LocalPort => $ENV{PPROXY_LISTEN},
Proto => "tcp"); Proto => "tcp"
);
if (! $listen_sock) { if (! $listen_sock) {
die "perl proxy: $!\n"; die "perl proxy: $!\n";
} }
...@@ -636,7 +710,8 @@ if ($ENV{SSVNC_LISTEN} != "") { ...@@ -636,7 +710,8 @@ if ($ENV{SSVNC_LISTEN} != "") {
my $sock = IO::Socket::INET->new( my $sock = IO::Socket::INET->new(
PeerAddr => $proxy_host, PeerAddr => $proxy_host,
PeerPort => $proxy_port, PeerPort => $proxy_port,
Proto => "tcp"); Proto => "tcp"
);
if (! $sock) { if (! $sock) {
unlink($0); unlink($0);
...@@ -644,24 +719,77 @@ if (! $sock) { ...@@ -644,24 +719,77 @@ if (! $sock) {
} }
my $con = ""; my $con = "";
if ($second ne "") { my $con0 = "";
if ($ENV{PPROXY_SOCKS} ne "") {
$second = "";
my ($h, $p) = split(/:/, $connect);
$con .= pack("C", 0x04);
$con .= pack("C", 0x01);
$con .= pack("n", $p);
my $SOCKS_4a = 0;
if ($h eq "localhost" || $h eq "127.0.0.1") {
$con .= pack("C", 127);
$con .= pack("C", 0);
$con .= pack("C", 0);
$con .= pack("C", 1);
} elsif ($h =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/) {
$con .= pack("C", $1);
$con .= pack("C", $2);
$con .= pack("C", $3);
$con .= pack("C", $4);
} else {
$con .= pack("C", 0);
$con .= pack("C", 0);
$con .= pack("C", 0);
$con .= pack("C", 3);
$SOCKS_4a = 1;
}
$con .= "nobody";
$con .= pack("C", 0);
if ($SOCKS_4a) {
$con .= $h;
$con .= pack("C", 0);
}
$con0 = "SOCKS4 via $proxy_host:$proxy_port to $h:$p\n\n";
} elsif ($second ne "") {
$con = "CONNECT $second HTTP/1.1\r\n"; $con = "CONNECT $second HTTP/1.1\r\n";
$con .= "Host: $second\r\n\r\n"; $con .= "Host: $second\r\n\r\n";
$con0 = $con;
} else { } else {
$con = "CONNECT $connect HTTP/1.1\r\n"; $con = "CONNECT $connect HTTP/1.1\r\n";
$con .= "Host: $connect\r\n\r\n"; $con .= "Host: $connect\r\n\r\n";
$con0 = $con;
} }
print STDERR "proxy_request1:\n$con"; print STDERR "proxy_request1:\n$con0";
print $sock $con; print $sock $con;
unlink($0); unlink($0);
my $rep = ""; my $rep = "";
while ($rep !~ /\r\n\r\n/) { if ($ENV{PPROXY_SOCKS} ne "") {
my $c = getc($sock); $rep = "HTTP/1.0 200";
print STDERR $c; for (my $i = 0; $i < 8; $i++) {
$rep .= $c; my $c;
sysread($sock, $c, 1);
my $s = unpack("C", $c);
if ($i == 0) {
$rep = "" if $s != 0x0;
} elsif ($i == 1) {
$rep = "" if $s != 0x5a;
}
}
} else {
while ($rep !~ /\r\n\r\n/) {
my $c;
sysread($sock, $c, 1);
print STDERR $c;
$rep .= $c;
}
} }
if ($rep !~ m,HTTP/.* 200,) { if ($rep !~ m,HTTP/.* 200,) {
die "proxy error: $rep\n"; die "proxy error: $rep\n";
...@@ -676,7 +804,8 @@ if ($second ne "") { ...@@ -676,7 +804,8 @@ if ($second ne "") {
$rep = ""; $rep = "";
while ($rep !~ /\r\n\r\n/) { while ($rep !~ /\r\n\r\n/) {
my $c = getc($sock); my $c;
sysread($sock, $c, 1);
print STDERR $c; print STDERR $c;
$rep .= $c; $rep .= $c;
} }
...@@ -754,8 +883,8 @@ if [ "X$proxy" != "X" ]; then ...@@ -754,8 +883,8 @@ if [ "X$proxy" != "X" ]; then
if [ "X$showcert" != "X1" -a "X$direct_connect" = "X" ]; then if [ "X$showcert" != "X1" -a "X$direct_connect" = "X" ]; then
if uname | grep Darwin >/dev/null; then if uname | grep Darwin >/dev/null; then
nd=`expr $use + 333` nd=`expr $use + 333`
SSVNC_LISTEN=$nd PPROXY_LISTEN=$nd
export SSVNC_LISTEN export PPROXY_LISTEN
$ptmp 2>/dev/null & $ptmp 2>/dev/null &
sleep 3 sleep 3
host="localhost" host="localhost"
...@@ -773,8 +902,8 @@ fi ...@@ -773,8 +902,8 @@ fi
if [ "X$showcert" = "X1" ]; then if [ "X$showcert" = "X1" ]; then
if [ "X$proxy" != "X" ]; then if [ "X$proxy" != "X" ]; then
SSVNC_LISTEN=$use PPROXY_LISTEN=$use
export SSVNC_LISTEN export PPROXY_LISTEN
$ptmp 2>/dev/null & $ptmp 2>/dev/null &
sleep 3 sleep 3
host="localhost" host="localhost"
...@@ -785,11 +914,13 @@ if [ "X$showcert" = "X1" ]; then ...@@ -785,11 +914,13 @@ if [ "X$showcert" = "X1" ]; then
fi fi
if [ "X$direct_connect" != "X" ]; then if [ "X$direct_connect" != "X" ]; then
echo "" if [ "X$getport" = "X" ]; then
echo "Running viewer for direct connection:" echo ""
echo "" echo "Running viewer for direct connection:"
echo "** NOTE: THERE WILL BE NO SSL OR SSH ENCRYPTION **" echo ""
echo "" echo "** NOTE: THERE WILL BE NO SSL OR SSH ENCRYPTION **"
echo ""
fi
if [ "X$SSVNC_NO_ENC_WARN" != "X" ]; then if [ "X$SSVNC_NO_ENC_WARN" != "X" ]; then
sleep 1 sleep 1
elif type printf > /dev/null 2>&1; then elif type printf > /dev/null 2>&1; then
...@@ -804,8 +935,8 @@ if [ "X$direct_connect" != "X" ]; then ...@@ -804,8 +935,8 @@ if [ "X$direct_connect" != "X" ]; then
fi fi
echo "" echo ""
if [ "X$ptmp" != "X" ]; then if [ "X$ptmp" != "X" ]; then
SSVNC_LISTEN=$use PPROXY_LISTEN=$use
export SSVNC_LISTEN export PPROXY_LISTEN
$ptmp & $ptmp &
if [ "X$reverse" = "X" ]; then if [ "X$reverse" = "X" ]; then
sleep 2 sleep 2
...@@ -830,8 +961,6 @@ if [ "X$direct_connect" != "X" ]; then ...@@ -830,8 +961,6 @@ if [ "X$direct_connect" != "X" ]; then
exit $? exit $?
fi fi
##debug = 7
## debug = 6
tmp=/tmp/ss_vncviewer${RANDOM}.$$ tmp=/tmp/ss_vncviewer${RANDOM}.$$
mytmp "$tmp" mytmp "$tmp"
......
...@@ -12,6 +12,7 @@ exec wish "$0" "$@" ...@@ -12,6 +12,7 @@ exec wish "$0" "$@"
set buck_zero $argv0 set buck_zero $argv0
proc center_win {w} { proc center_win {w} {
global is_windows
update update
set W [winfo screenwidth $w] set W [winfo screenwidth $w]
set W [expr $W + 1] set W [expr $W + 1]
...@@ -19,6 +20,13 @@ proc center_win {w} { ...@@ -19,6 +20,13 @@ proc center_win {w} {
update update
set x [expr [winfo screenwidth $w]/2 - [winfo width $w]/2] set x [expr [winfo screenwidth $w]/2 - [winfo width $w]/2]
set y [expr [winfo screenheight $w]/2 - [winfo height $w]/2] set y [expr [winfo screenheight $w]/2 - [winfo height $w]/2]
if {$is_windows} {
set y [expr "$y - 30"]
if {$y <= 0} {
set y 1
}
}
wm geometry $w +$x+$y wm geometry $w +$x+$y
wm deiconify $w wm deiconify $w
update update
...@@ -91,7 +99,7 @@ proc help {} { ...@@ -91,7 +99,7 @@ proc help {} {
wm title .h "SSL/SSH VNC Viewer Help" wm title .h "SSL/SSH VNC Viewer Help"
set msg { set msg {
Hosts: Hosts and Displays:
Enter the VNC host and display in the 'VNC Host:Display' entry box. Enter the VNC host and display in the 'VNC Host:Display' entry box.
...@@ -112,6 +120,8 @@ proc help {} { ...@@ -112,6 +120,8 @@ proc help {} {
tunnel which, in turn, encrypts and redirects the connection to the tunnel which, in turn, encrypts and redirects the connection to the
remote VNC server. remote VNC server.
SSH tunnels are described below.
If you are using a port less than the default VNC port 5900 (usually If you are using a port less than the default VNC port 5900 (usually
the VNC display = port - 5900), use the full port number itself, e.g.: the VNC display = port - 5900), use the full port number itself, e.g.:
...@@ -127,13 +137,24 @@ proc help {} { ...@@ -127,13 +137,24 @@ proc help {} {
after it is established). "x11vnc -ssl ..." does this, and any VNC after it is established). "x11vnc -ssl ..." does this, and any VNC
server can be made to do this by using, e.g., STUNNEL on the remote side. server can be made to do this by using, e.g., STUNNEL on the remote side.
*IMPORTANT*: If you do not take the steps to verify the VNC Server's *IMPORTANT*: If you do not take the steps to verify the VNC Server's
SSL Certificate, you are vulnerable to a Man-In-The-Middle attack. SSL Certificate, you are vulnerable to a Man-In-The-Middle attack.
(Only passive sniffing attacks are prevented). You can use the "Fetch Only passive network sniffing attacks will be prevented.
Cert" button to retrieve the Cert and then after you check it is OK
(say, via comparing the MD5 or other info) you can save it and use You can use the "Fetch Cert" button to retrieve the Cert and then
it to verify connections. See the Certs... Help for information on after you check it is OK (say, via comparing the MD5 or other info)
how to do this. you can Save it and use it to verify future connections to servers.
If "Verify All Certs" is checked, this check is always enforced, and
so the first time you connect to a new server you may need to follow
a few dialogs to inspect and save the server certificate. See the
"Certs... -> Help" for information on how to manage certificates.
"Fetch Cert" and "Verify All Certs" are currently disabled in the
"SSH + SSL" mode (e.g. SSH is used to enter a firewall gateway,
and then SSL is tunneled through that to reach the workstation).
Note that on Windows when the Viewer connection is finished you may Note that on Windows when the Viewer connection is finished you may
need to terminate STUNNEL manually from the System Tray (right click need to terminate STUNNEL manually from the System Tray (right click
...@@ -142,18 +163,27 @@ proc help {} { ...@@ -142,18 +163,27 @@ proc help {} {
VNC Password: VNC Password:
On Unix or MacOSX if there is a VNC password for the server you On Unix or MacOSX if there is a VNC password for the server you
can enter it in the "VNC Password:" entry box. This is required on can enter it in the "VNC Password:" entry box.
MacOSX when Chicken of the VNC (the default) is used. On Unix if
you choose not to enter the password you will be prompted for it in This is *REQUIRED* on MacOSX when Chicken of the VNC (the default)
the terminal running TightVNC viewer. On Windows TightVNC viewer is used. On Unix if you choose not to enter the password you will
should prompt you. When you Save a VNC profile, the password is be prompted for it in the terminal window running TightVNC viewer.
not saved (you need to enter it each time). On Windows TightVNC viewer should prompt you.
NOTE: when you Save a VNC profile (Options ... -> Save Profile),
the password is not saved (you need to enter it each time).
SSH: SSH:
Click on "Use SSH" or go to "Options ..." if you want to use an *SSH* Click on "Use SSH" or go to "Options ..." if you want to use an
tunnel instead of SSL (then the VNC Server does not need to speak SSL or *SSH* tunnel instead of SSL (then the VNC Server does not need to
use STUNNEL). "Use SSH and SSL" is similar: see the Help under Options. speak SSL or use STUNNEL). You will need to be able to login to the
remote host via SSH (e.g. via password or ssh-agent).
Specify the hostname and VNC display in the VNC Host:Display entry.
Use something like "username@hostname.com:0" if the remote username
is different. "SSH + SSL" is similar but its use is more rare. See
the Help under Options for more info.
Proxies: Proxies:
...@@ -180,12 +210,15 @@ proc help {} { ...@@ -180,12 +210,15 @@ proc help {} {
http://www.karlrunge.com/x11vnc/#ss_vncviewer http://www.karlrunge.com/x11vnc/#ss_vncviewer
http://www.karlrunge.com/x11vnc/#faq-ssl-java-viewer-proxy http://www.karlrunge.com/x11vnc/#faq-ssl-java-viewer-proxy
Proxies also apply to SSH mode, it is a usually a gateway machine to
log into via SSH that is not the workstation running the VNC server.
Remote SSH Command: Remote SSH Command:
In SSH or SSH and SSL mode you can also specify a remote command to run In SSH or SSH + SSL mode you can also specify a remote command to run
on the remote ssh host in the "Remote SSH Command" entry. The default on the remote ssh host in the "Remote SSH Command" entry. The default
is just to sleep a bit (sleep 30) to make sure the port tunnels are is just to sleep a bit (e.g. sleep 30) to make sure the port tunnels are
active. Alternatively you could have the remote command start the active. Alternatively you could have the remote command start the
VNC server, e.g. x11vnc -nopw -display :0 -rfbport 5900 -localhost VNC server, e.g. x11vnc -nopw -display :0 -rfbport 5900 -localhost
...@@ -198,16 +231,28 @@ proc help {} { ...@@ -198,16 +231,28 @@ proc help {} {
you like: host:disp proxy:port cmd=... (this is the way it is you like: host:disp proxy:port cmd=... (this is the way it is
stored internally). stored internally).
When starting the VNC server this way, note that sometimes you
will need to correlate the VNC Display number with the "-rfbport"
(or similar) option of the server. E.g.:
VNC Host:Display username@somehost.com:2
Remote SSH Command: x11vnc -find -rfbport 5902
See the the Tip below (11) for using x11vnc PORT=NNNN feature (or
vncserver(1) output) to not need to specify the VNC display number
or the x11vnc -rfbport option.
SSL Certificates: SSL Certificates:
If you want to use a SSL Certificate (PEM) file to authenticate yourself If you want to use a SSL Certificate (PEM) file to authenticate
to the VNC server ("MyCert") or to verify the identity of the VNC Server yourself to the VNC server ("MyCert") or to verify the identity of
("ServerCert" or "CertsDir") select the certificate file by clicking the VNC Server ("ServerCert" or "CertsDir") select the certificate
the "Certs ..." button before connecting. file by clicking the "Certs ..." button before connecting.
Certificate verification is needed to prevent Man-In-The-Middle attacks. Certificate verification is needed to prevent Man-In-The-Middle
See the x11vnc documentation: attacks; if it is not done then only passive network sniffing attacks
are prevented. See the x11vnc documentation:
http://www.karlrunge.com/x11vnc/ssl.html http://www.karlrunge.com/x11vnc/ssl.html
...@@ -220,10 +265,23 @@ proc help {} { ...@@ -220,10 +265,23 @@ proc help {} {
You can also use the "Create Certificate" feature of this program You can also use the "Create Certificate" feature of this program
under "Certs ...". Just click on it and follow the instructions in under "Certs ...". Just click on it and follow the instructions in
the dialog. Then copy the cert file to the VNC Server and specify the the dialog. Then copy the cert file to the VNC Server and specify
other one in the "Certs ..." dialog. Alternatively you can use the the other one in the "Certs ..." dialog.
"Import Certificate" action to paste in a certificate or read one in
from a file or use the "Fetch Cert" button on the main panel. Alternatively you can use the "Import Certificate" action to paste
in a certificate or read one in from a file or use the "Fetch Cert"
button on the main panel. If "Verify All Certs" is checked, you
will be forced to check Certs of any new servers the first time
you connect.
Note that "Verify All Certs" is on by default so that users who do
not understand the SSL Man-In-The-Middle problem will not be left
completely vulnerable to it (everyone still must make the effort to
verify new certificates by an external method to be completely safe).
To have "Verify All Certs" toggled off at startup, use "ssvnc -nv"
or set SSVNC_NO_VERIFY_ALL=1 before starting. If you do not even want
to see the button, use "ssvnc -nvb" or SSVNC_NO_VERIFY_ALL_BUTTON=1.
More Options: More Options:
...@@ -232,18 +290,34 @@ proc help {} { ...@@ -232,18 +290,34 @@ proc help {} {
View-Only usage, click on the "Options ..." button and read the Help View-Only usage, click on the "Options ..." button and read the Help
there. there.
Profiles:
Use "Save Profile" under "Options ..." to save a profile (i.e. a
host:display and its specific settings) with a name.
To load in a saved Options profile, click on the "Load" button. To load in a saved Options profile, click on the "Load" button.
This is the same as the "Load Profile" button under "Options" This is the same as the "Load Profile" button under "Options"
See "Save Profile" under "Options" to save a profile.
To list your profiles use: "ssvnc -profiles"
You can launch ssvnc and have it immediately connect to the server
by invoking it something like this:
ssvnc profile1 (launches profile named "profile1")
ssvnc hostname:0 (connect to hostname VNC disp 0 via SSL)
ssvnc vnc+ssl://hostname:0 (same)
ssvnc vnc+ssh://hostname:0 (connect to hostname VNC disp 0 via SSH)
see the Tips 5 and 9 below for more about the URL-like syntax.
More Info: More Info:
See these links for more information: See these links for more information:
http://www.karlrunge.com/x11vnc/#faq-ssl-tunnel-ext http://www.karlrunge.com/x11vnc/#faq-ssl-tunnel-ext
http://www.stunnel.org http://www.stunnel.org
http://www.tightvnc.com http://www.tightvnc.com
Tips and Tricks: Tips and Tricks:
...@@ -256,15 +330,15 @@ proc help {} { ...@@ -256,15 +330,15 @@ proc help {} {
2) If you use "user@hostname cmd=SHELL" then you get an SSH shell only: 2) If you use "user@hostname cmd=SHELL" then you get an SSH shell only:
no VNC viewer will be launched. On Windows "user@hostname cmd=PUTTY" no VNC viewer will be launched. On Windows "user@hostname cmd=PUTTY"
will try to use putty.exe (better terminal emulation than will try to use putty.exe (better terminal emulation than
plink.exe). A shortcut for this is Ctrl-S as long as user@hostname plink.exe). A ShortCut for this is Ctrl-S as long as user@hostname
is present in the entry box. You can also put the string in the is present in the entry box. You can also put the string in the
"Remote SSH Command" entry. "Remote SSH Command" entry.
3) If you use "user@hostname cmd=KNOCK" then only the port-knocking 3) If you use "user@hostname cmd=KNOCK" then only the port-knocking
is performed. A shortcut for this is Ctrl-P as long as hostname is performed. A ShortCut for this is Ctrl-P as long as hostname
is present in the entry box. If it matches cmd=KNOCKF, i.e. an is present in the entry box. If it matches cmd=KNOCKF, i.e. an
extra "F", then the port-knocking "FINISH" sequence is sent, if any. extra "F", then the port-knocking "FINISH" sequence is sent, if any.
A shortcut for this Shift-Ctrl-P as long as hostname is present. A ShortCut for this Shift-Ctrl-P as long as hostname is present.
You can also put the string in the "Remote SSH Command" entry. You can also put the string in the "Remote SSH Command" entry.
4) Pressing the "Load" button or pressing Ctrl-L or Clicking the Right 4) Pressing the "Load" button or pressing Ctrl-L or Clicking the Right
...@@ -303,9 +377,9 @@ proc help {} { ...@@ -303,9 +377,9 @@ proc help {} {
9) In the VNC Host:Display entry you can also use these "URL-like" 9) In the VNC Host:Display entry you can also use these "URL-like"
prefixes: vncs://host:0, vncssl://host:0, and vnc+ssl://host:0 prefixes: vncs://host:0, vncssl://host:0, and vnc+ssl://host:0
(for SSL) and vncssh://host:0 and vnc+ssh://host:0 for SSH. There for SSL, and vncssh://host:0 and vnc+ssh://host:0 for SSH. There
is no need to toggle the SSL/SSH else. These also work from the is no need to toggle the SSL/SSH setting. These also work from
command line, e.g.: ssvnc vnc+ssh://mymachine:10 the command line, e.g.: ssvnc vnc+ssh://mymachine:10
10) Mobile USB memory stick / flash drive usage: You can unpack ssvnc 10) Mobile USB memory stick / flash drive usage: You can unpack ssvnc
to a flash drive for impromptu usage (e.g. from a friends computer) to a flash drive for impromptu usage (e.g. from a friends computer)
...@@ -319,6 +393,33 @@ proc help {} { ...@@ -319,6 +393,33 @@ proc help {} {
You can also set the SSVNC_HOME env. var. to point to any You can also set the SSVNC_HOME env. var. to point to any
directory you want. It can be set after starting ssvnc by putting directory you want. It can be set after starting ssvnc by putting
HOME=/path/to/dir in the Host:Display box and clicking "Connect". HOME=/path/to/dir in the Host:Display box and clicking "Connect".
11) Dynamic VNC Server Port determination and redirection: If you
are running SSVNC on Unix and are using SSH to start the remote
VNC server and the VNC server prints out the line "PORT=NNNN"
to indicate which dynamic port it is using (x11vnc does this),
then if you prefix the SSH command with "PORT=" SSVNC will watch
for the PORT=NNNN line and uses ssh's built in SOCKS proxy
(ssh -D ...) to connect to the dynamic VNC server port through
the SSH tunnel. For example:
VNC Host:Display user@somehost.com
Remote SSH Command: PORT= x11vnc -find
or "PORT= x11vnc -display :0 -localhost", etc. Or use "P= ..."
There is also code to detect the display of the regular Unix
vncserver(1). It extracts the display (and hence port) from
the lines "New 'X' desktop is hostname:4" and also
"VNC server is already running as :4". So you can use
something like:
PORT= vncserver; sleep 15
or: PORT= vncserver :4; sleep 15
the latter is preferred because when you reconnect with it will
find the already running one. The former one will keep creating
new X sessions if called repeatedly.
} }
.h.f.t insert end $msg .h.f.t insert end $msg
...@@ -338,9 +439,9 @@ proc help_certs {} { ...@@ -338,9 +439,9 @@ proc help_certs {} {
set msg { set msg {
Description: Description:
*IMPORTANT*: Only with SSL Certificate verification can Man-In-The-Middle *IMPORTANT*: Only with SSL Certificate verification (either manually or via
attacks be prevented. Otherwise, only passive snooping attacks are prevented Certificate Authority) can Man-In-The-Middle attacks be prevented. Otherwise,
with SSL. only passive network sniffing attacks are prevented.
The SSL Certificate files described below can have been created externally The SSL Certificate files described below can have been created externally
(e.g. by x11vnc), you can import it via "Import Certificate" if you like. (e.g. by x11vnc), you can import it via "Import Certificate" if you like.
...@@ -354,7 +455,31 @@ proc help_certs {} { ...@@ -354,7 +455,31 @@ proc help_certs {} {
"ServerCert" to verify against for the connection. To make this verification "ServerCert" to verify against for the connection. To make this verification
check permanent, you will need to save the profile via Options -> Save Profile. check permanent, you will need to save the profile via Options -> Save Profile.
Note: due to a deficiency in openssl "Fetch Cert" is very slow on Windows. If "Verify All Certs" is checked, you are forced to do this check, and so the
first time you connect to a new server you may need to follow a few dialogs to
inspect and save the server certificate. In this case certificates are saved
in the 'Accepted Certs' directory. When "Verify All Certs" is checked all
hosts or profiles with "CertsDir" set to "ACCEPTED_CERTS" (and no "ServerCert"
setting) will be check against the accepted certificates.
Note that "Verify All Certs" is on by default so that users who do not
understand the SSL Man-In-The-Middle problem will not be left completely
vulnerable to it (everyone still must make the effort to verify new certificates
by an external method to be completely safe)
To have "Verify All Certs" toggled off at startup, use "ssvnc -nv" or set
SSVNC_NO_VERIFY_ALL=1 before starting. If you do not even want to see the
button, use "ssvnc -nvb" or SSVNC_NO_VERIFY_ALL_BUTTON=1.
Note: due to a deficiency in openssl "Fetch Cert" may be slow on Windows. Also:
"Fetch Cert" and "Verify All Certs" do not currently work in "SSH + SSL" mode.
One can make SSL VNC server authentication "automatic" as it is in Web
Browsers going to HTTPS sites, by using a Certificate Authority (CA) cert
(e.g. a professional one like Verisign or Thawte, or one your company or
organization creates). This is described in detail here:
http://www.karlrunge.com/x11vnc/ssl.html You simply use the CA cert in the
entries described below.
Your Certificate + Key: Your Certificate + Key:
...@@ -384,11 +509,22 @@ proc help_certs {} { ...@@ -384,11 +509,22 @@ proc help_certs {} {
If the remote VNC Server fails to authenticate itself with respect to the specified If the remote VNC Server fails to authenticate itself with respect to the specified
certificate(s), then the VNC Viewer (your side) will drop the connection. certificate(s), then the VNC Viewer (your side) will drop the connection.
Select which file or directory by clicking on the appropriate "Browse..." button. Select which file or directory by clicking on the appropriate "Browse..." button.
Once selected, if you click Info or the Right Mouse button on "Browse..." Once selected, if you click Info or the Right Mouse button on "Browse..."
then information about the certificate will be displayed. then information about the certificate will be displayed.
If "CertsDir" is set to the token "ACCEPTED_CERTS" (and "ServerCert" is
unset) then the certificates accumulated in the special 'Accepted Certs'
directory will be used. "ACCEPTED_CERTS" is the default for every server
("Verify All Certs"). Note that if you ever need to clean this directory,
each cert is saved in two files, for example:
bf-d0-d6-9c-68-5a-fe-24-c6-60-ba-b4-14-e6-66-14=hostname-0.crt
and
9eb7c8be.0
This is because of the way OpenSSL must use hash-based filenames in Cert dirs.
Notes: Notes:
...@@ -485,7 +621,7 @@ set msg { ...@@ -485,7 +621,7 @@ set msg {
A shortcut for this is Ctrl-S as long as user@hostname is present A shortcut for this is Ctrl-S as long as user@hostname is present
in the "VNC Host:Display" box. in the "VNC Host:Display" box.
Use SSH and SSL: Tunnel the SSL connection through a SSH tunnel. Use this Use SSH + SSL: Tunnel the SSL connection through a SSH tunnel. Use this
if you want end-to-end SSL and must use a SSH gateway (e.g. to if you want end-to-end SSL and must use a SSH gateway (e.g. to
enter a firewall) or if additional SSH port redirs are required enter a firewall) or if additional SSH port redirs are required
(CUPS, Sound, SMB tunnelling: See Advanced Options). (CUPS, Sound, SMB tunnelling: See Advanced Options).
...@@ -636,7 +772,12 @@ proc help_fetch_cert {} { ...@@ -636,7 +772,12 @@ proc help_fetch_cert {} {
certificate file with the VNC server host, you MUST save the setting as certificate file with the VNC server host, you MUST save the setting as
a profile for loading later. To Save a Profile, click on Options -> Save a profile for loading later. To Save a Profile, click on Options -> Save
Profile ..., and choose a name for the profile and then click on Save. Profile ..., and choose a name for the profile and then click on Save.
If "Verify All Certs" is checked, then you are forced to check all
new certs. In this case the certs are saved in the 'Accepted Certs'
directory against which all servers will be checked unless "ServerCert"
or "CertsDir" has been set to something else.
To reload the profile at a later time, click on the "Load" button on To reload the profile at a later time, click on the "Load" button on
the main panel and then select the name and click "Open". If you want the main panel and then select the name and click "Open". If you want
to be sure the certificate is still associated with the loaded in host, to be sure the certificate is still associated with the loaded in host,
...@@ -842,7 +983,7 @@ proc set_defaults {} { ...@@ -842,7 +983,7 @@ proc set_defaults {} {
set defs(mycert) "" set defs(mycert) ""
set defs(svcert) "" set defs(svcert) ""
set defs(crtdir) "" set defs(crtdir) "ACCEPTED_CERTS"
set defs(use_cups) 0 set defs(use_cups) 0
set defs(use_sound) 0 set defs(use_sound) 0
...@@ -1839,9 +1980,6 @@ proc check_ssh_needed {} { ...@@ -1839,9 +1980,6 @@ proc check_ssh_needed {} {
set must_addl 1 set must_addl 1
} }
if {$must_cups || $must_snd || $must_smb || $must_addl} { if {$must_cups || $must_snd || $must_smb || $must_addl} {
# set use_sshssl 1
# ssl_ssh_adjust sshssl
# mesg "Enabling \"Use SSH and SSL\" mode for port redir"
mesg "Cannot do Port redirs in non-SSH mode (SSL)" mesg "Cannot do Port redirs in non-SSH mode (SSL)"
set msg "" set msg ""
if {$must_smb} { if {$must_smb} {
...@@ -2245,7 +2383,7 @@ proc direct_connect_msg {} { ...@@ -2245,7 +2383,7 @@ proc direct_connect_msg {} {
} }
} }
proc fetch_cert {} { proc fetch_cert {save} {
global vncdisplay is_windows global vncdisplay is_windows
set hp [get_vncdisplay] set hp [get_vncdisplay]
...@@ -2330,7 +2468,15 @@ proc fetch_cert {} { ...@@ -2330,7 +2468,15 @@ proc fetch_cert {} {
} }
set cert_text "SSL Certificate from $hp\n\n$cert_text" set cert_text "SSL Certificate from $hp\n\n$cert_text"
} }
if {! $save} {
return $cert_text
}
fetch_dialog $cert_text $hp $hpnew $ok $n
}
proc fetch_dialog {cert_text hp hpnew ok n} {
toplev .fetch toplev .fetch
scroll_text_dismiss .fetch.f 90 $n scroll_text_dismiss .fetch.f 90 $n
...@@ -2434,7 +2580,6 @@ proc fetch_cert_windows {hp} { ...@@ -2434,7 +2580,6 @@ proc fetch_cert_windows {hp} {
set got 0 set got 0
while {[gets $ph line] > -1} { while {[gets $ph line] > -1} {
append text "$line\n" append text "$line\n"
#mesg "line: $line"; after 10
if [regexp {END CERT} $line] { if [regexp {END CERT} $line] {
set got 1 set got 1
} }
...@@ -2481,10 +2626,8 @@ if {1} { ...@@ -2481,10 +2626,8 @@ if {1} {
set got 0 set got 0
set ph "" set ph ""
catch {set ph [open $tou "r"]} catch {set ph [open $tou "r"]}
#mesg "open: $tou"
if {$ph != ""} { if {$ph != ""} {
while {[gets $ph line] > -1} { while {[gets $ph line] > -1} {
#mesg "line: $line"; after 10
if [regexp {END CERT} $line] { if [regexp {END CERT} $line] {
set got 1 set got 1
break break
...@@ -2492,15 +2635,12 @@ if {1} { ...@@ -2492,15 +2635,12 @@ if {1} {
} }
close $ph close $ph
} }
#mesg "clse: $tou"
if {$got} { if {$got} {
break break
#mesg "GOT"; after 200
} }
} }
global is_win9x global is_win9x
foreach pid $pids { foreach pid $pids {
#mesg "kill -- $pid"
if {$pid == ""} { if {$pid == ""} {
; ;
} elseif {$is_win9x} { } elseif {$is_win9x} {
...@@ -2524,6 +2664,278 @@ if {1} { ...@@ -2524,6 +2664,278 @@ if {1} {
return $text return $text
} }
proc check_accepted_certs {} {
global cert_text always_verify_ssl
global skip_verify_accepted_certs
if {! $always_verify_ssl} {
set skip_verify_accepted_certs 1
return 1
}
set cert_text [fetch_cert 0]
set from ""
set fingerprint ""
set fingerline ""
set i 0
foreach line [split $cert_text "\n"] {
incr i
if {$i > 4} {
break
}
if [regexp {^SSL Certificate from (.*)} $line mv str] {
set from [string trim $str]
}
if [regexp -nocase {Fingerprint=(.*)} $line mv str] {
set fingerline $line
set fingerprint [string trim $str]
}
}
set fingerprint [string tolower $fingerprint]
regsub -all {:} $fingerprint "-" fingerprint
regsub -all {[\\/=]} $fingerprint "_" fingerprint
set from [string tolower $from]
regsub -all {^[+a-z]*://} $from "" from
regsub -all {:} $from "-" from
regsub -all {[\\/=]} $from "_" from
if {$from == "" || $fingerprint == ""} {
bell
catch {raise .; update}
mesg "WARNING: Error fetching Server Cert"
after 2000
return 0
}
set hp [get_vncdisplay]
set adir [get_idir_certs ""]
catch {file mkdir $adir}
set adir "$adir/accepted"
catch {file mkdir $adir}
set crt "$adir/$fingerprint=$from.crt"
if [file exists $crt] {
mesg "OK: Certificate found in ACCEPTED_CERTS"
after 550
return 1
}
set cnt 0
foreach f [glob -nocomplain -directory $adir "$fingerprint=*"] {
mesg "CERT: $f"
after 150
incr cnt
}
set oth 0
set others [list]
foreach f [glob -nocomplain -directory $adir "*=$from.crt"] {
if {$f == $crt} {
continue
}
set fb [file tail $f]
mesg "OTHER CERT: $fb"
if {$cnt > 0} {
after 400
} else {
bell
after 800
}
lappend others $f
incr oth
}
foreach f [glob -nocomplain -directory $adir "*.crt"] {
if {$f == $crt} {
continue
}
set saw 0
foreach o $others {
if {$f == $o} {
set saw 1
break
}
}
if {$saw} {
continue
}
set fh [open $f "r"]
if {$fh == ""} {
continue
}
set same 0
while {[gets $fh line] > -1} {
if [regexp {^Host-Display: (.*)$} mv hd] {
if {$hd == $hp || $hd == $from} {
set same 1
}
}
}
close $fh;
if {! $same} {
continue
}
set fb [file tail $f]
mesg "OTHER CERT: $fb"
if {$cnt > 0} {
after 400
} else {
bell
after 800
}
lappend others $f
incr oth
}
if {$cnt > 0} {
mesg "OK: Certificate found in ACCEPTED_CERTS"
after 300
return 1
}
set hp2 [get_vncdisplay]
set msg "
The SSL Certificate from host:
$hp2
with fingerprint:
$fingerprint
is not present in the 'Accepted Certs' directory:
$adir
%WARN
You will need to verify on your own that this is a certificate from a
VNC server that you trust (e.g. by checking the fingerprint with that
sent to you by the server administrator).
Should this certificate be saved in the accepted certs directory and
then used to SSL authenticate VNC servers?
By clicking 'Inspect and maybe Save Cert' you will be given the opportunity
to inspect the certificate before deciding to save it or not.
Choose 'Ignore Cert for One Connection' to connect one time to the
server and not require any certificate verification.
"
if {$oth == 0} {
regsub {%WARN} $msg "" msg
} else {
set warn ""
set wfp ""
if {$oth == 1} {
set warn "
**WARNING** The Following Cert was previously saved FOR THE SAME HOST-DISPLAY:
"
set wfp "BUT WITH A DIFFERENT FINGERPRINT."
} else {
set warn "
**WARNING** The Following Certs were previously saved FOR THE SAME HOST-DISPLAY:
"
set wfp "BUT WITH DIFFERENT FINGERPRINTS."
}
foreach o $others {
set fb [file tail $o]
set warn "$warn $fb\n"
}
set warn "$warn\n $wfp\n"
set warn "$warn\n This could be a Man-In-The-Middle attack, or simply that the Server changed"
set warn "$warn\n its Certificate. *PLEASE CHECK* before proceeding!\n"
regsub {%WARN} $msg $warn msg
bell
}
set n 0
foreach l [split $msg "\n"] {
incr n
}
toplev .acert
scroll_text .acert.f 83 $n
button .acert.inspect -text "Inspect and maybe Save Cert ..." -command "destroy .acert; set accept_cert_dialog 1"
button .acert.accept -text "Ignore Cert for One Connection " -command "destroy .acert; set accept_cert_dialog 2"
button .acert.cancel -text "Cancel" -command "destroy .acert; set accept_cert_dialog 0"
wm title .acert "Unrecognized SSL Cert!"
.acert.f.t insert end $msg
pack .acert.cancel .acert.accept .acert.inspect -side bottom -fill x
pack .acert.f -side top -fill both -expand 1
center_win .acert
global accept_cert_dialog
set accept_cert_dialog ""
jiggle_text .acert.f.t
tkwait window .acert
if {$accept_cert_dialog == 2} {
set skip_verify_accepted_certs 1
return 1
}
if {$accept_cert_dialog != 1} {
return 0
}
global accepted_cert_dialog_in_progress
set accepted_cert_dialog_in_progress 1
global fetch_cert_filename
set fetch_cert_filename $crt
fetch_dialog $cert_text $hp $hp 1 47
catch {tkwait window .fetch}
after 200
catch {tkwait window .scrt}
set fetch_cert_filename ""
if [file exists $crt] {
set ossl [get_openssl]
set hash [exec $ossl x509 -hash -noout -in $crt]
set hash [string trim $hash]
if [regexp {^([0-9a-f][0-9a-f]*)} $hash mv h] {
set hashfile "$adir/$h.0"
if [file exists $hashfile] {
set hashfile "$adir/$h.1"
}
set fh [open $crt "a"]
if {$fh != ""} {
puts $fh ""
puts $fh "SSVNC info:"
puts $fh "Host-Display: $hp"
puts $fh "$fingerline"
puts $fh "hash filename: $h.0"
puts $fh "full filename: $fingerprint=$from.crt"
close $fh
}
catch {file copy -force $crt $hashfile}
if [file exists $hashfile] {
return 1
}
}
}
return 0
}
proc launch_unix {hp} { proc launch_unix {hp} {
global smb_redir_0 smb_mounts env global smb_redir_0 smb_mounts env
global vncauth_passwd global vncauth_passwd
...@@ -2532,6 +2944,16 @@ proc launch_unix {hp} { ...@@ -2532,6 +2944,16 @@ proc launch_unix {hp} {
set cmd "" set cmd ""
if {[regexp {^vncssh://} $hp] || [regexp {^vnc\+ssh://} $hp]} {
set use_ssl 0
set use_ssh 1
sync_use_ssl_ssh
} elseif {[regexp {^vncs://} $hp] || [regexp {^vncssl://} $hp] || [regexp {^vnc\+ssl://} $hp]} {
set use_ssl 1
set use_ssh 0
sync_use_ssl_ssh
}
check_ssh_needed check_ssh_needed
set_smb_mounts set_smb_mounts
...@@ -2541,10 +2963,14 @@ proc launch_unix {hp} { ...@@ -2541,10 +2963,14 @@ proc launch_unix {hp} {
set pk_hp "" set pk_hp ""
set skip_ssh 0 set skip_ssh 0
set do_direct 0
if [regexp {vnc://} $hp] { if [regexp {vnc://} $hp] {
set skip_ssh 1 set skip_ssh 1
direct_connect_msg set do_direct 1
if {! [info exists env(SSVNC_NO_ENC_WARN)]} {
direct_connect_msg
}
} }
if {$use_ssh || $use_sshssl} { if {$use_ssh || $use_sshssl} {
...@@ -2559,7 +2985,7 @@ proc launch_unix {hp} { ...@@ -2559,7 +2985,7 @@ proc launch_unix {hp} {
} }
if {$svcert != ""} { if {$svcert != ""} {
set cmd "$cmd -verify '$svcert'" set cmd "$cmd -verify '$svcert'"
} elseif {$crtdir != ""} { } elseif {$crtdir != "" && $crtdir != "ACCEPTED_CERTS"} {
set cmd "$cmd -verify '$crtdir'" set cmd "$cmd -verify '$crtdir'"
} }
} }
...@@ -2670,13 +3096,29 @@ proc launch_unix {hp} { ...@@ -2670,13 +3096,29 @@ proc launch_unix {hp} {
set cmd "ssvnc_cmd" set cmd "ssvnc_cmd"
set hpnew [get_ssh_hp $hp] set hpnew [get_ssh_hp $hp]
set proxy [get_ssh_proxy $hp] set proxy [get_ssh_proxy $hp]
if {$mycert != ""} { if {! $do_direct && ![regexp -nocase {ssh://} $hpnew]} {
set cmd "$cmd -mycert '$mycert'" if {$mycert != ""} {
} set cmd "$cmd -mycert '$mycert'"
if {$svcert != ""} { }
set cmd "$cmd -verify '$svcert'" if {$svcert != ""} {
} elseif {$crtdir != ""} { set cmd "$cmd -verify '$svcert'"
set cmd "$cmd -verify '$crtdir'" } elseif {$crtdir != ""} {
if {$crtdir == "ACCEPTED_CERTS"} {
global skip_verify_accepted_certs
set skip_verify_accepted_certs 0
if {! [check_accepted_certs]} {
return
}
if {! $skip_verify_accepted_certs} {
set adir [get_idir_certs ""]
set adir "$adir/accepted"
catch {file mkdir $adir}
set cmd "$cmd -verify '$adir'"
}
} else {
set cmd "$cmd -verify '$crtdir'"
}
}
} }
if {$proxy != ""} { if {$proxy != ""} {
set cmd "$cmd -proxy '$proxy'" set cmd "$cmd -proxy '$proxy'"
...@@ -3046,6 +3488,7 @@ proc del_launch_windows_ssh_files {} { ...@@ -3046,6 +3488,7 @@ proc del_launch_windows_ssh_files {} {
proc launch_shell_only {} { proc launch_shell_only {} {
global is_windows global is_windows
global skip_pre global skip_pre
global use_ssl use_ssh use_sshssl
set hp [get_vncdisplay] set hp [get_vncdisplay]
regsub {cmd=.*$} $hp "" hp regsub {cmd=.*$} $hp "" hp
...@@ -3055,8 +3498,19 @@ proc launch_shell_only {} { ...@@ -3055,8 +3498,19 @@ proc launch_shell_only {} {
} else { } else {
append hp " cmd=SHELL" append hp " cmd=SHELL"
} }
set use_ssl_save $use_ssl
set use_ssh_save $use_ssh
set use_sshssl_save $use_sshssl
set skip_pre 1 set skip_pre 1
if {! $use_ssh && ! $use_sshssl} {
set use_ssh 1
set use_ssl 1
}
launch $hp launch $hp
set use_ssl $use_ssl_save
set use_ssh $use_ssh_save
set use_sshssl $use_sshssl_save
} }
proc launch {{hp ""}} { proc launch {{hp ""}} {
...@@ -3064,7 +3518,7 @@ proc launch {{hp ""}} { ...@@ -3064,7 +3518,7 @@ proc launch {{hp ""}} {
global mycert svcert crtdir global mycert svcert crtdir
global pids_before pids_after pids_new global pids_before pids_after pids_new
global env global env
global use_ssh use_sshssl use_listen global use_ssl use_ssh use_sshssl use_listen
set debug 0 set debug 0
if {$hp == ""} { if {$hp == ""} {
...@@ -3095,7 +3549,12 @@ proc launch {{hp ""}} { ...@@ -3095,7 +3549,12 @@ proc launch {{hp ""}} {
} }
if {! [regexp ":" $hp]} { if {! [regexp ":" $hp]} {
if {! [regexp {cmd=} $hp]} { if {! [regexp {cmd=} $hp]} {
append hp ":0" set s [string trim $hp]
if {! [regexp { } $s]} {
append hp ":0"
} else {
regsub { } $hp ":0 " hp
}
} }
} }
...@@ -3121,32 +3580,51 @@ proc launch {{hp ""}} { ...@@ -3121,32 +3580,51 @@ proc launch {{hp ""}} {
set env(SSVNC_NO_ENC_WARN) 1 set env(SSVNC_NO_ENC_WARN) 1
regsub {V[Nn][Cc]://} $hp "vnc://" hp regsub {V[Nn][Cc]://} $hp "vnc://" hp
} }
regsub -nocase {^vnc://} $hp "vnc://" hp
regsub -nocase {^vncs://} $hp "vncs://" hp
regsub -nocase {^vncssl://} $hp "vncssl://" hp
regsub -nocase {^vnc\+ssl://} $hp "vnc+ssl://" hp
regsub -nocase {^vncssh://} $hp "vncssh://" hp
regsub -nocase {^vnc\+ssh://} $hp "vnc+ssh://" hp
if {! $is_windows} { if {! $is_windows} {
launch_unix $hp launch_unix $hp
return return
} }
############################################################## ##############################################################
if [regexp {vnc://} $hp] { # WINDOWS BELOW:
if [regexp {^vnc://} $hp] {
direct_connect_msg direct_connect_msg
regsub {vnc://} $hp "" hp regsub {^vnc://} $hp "" hp
direct_connect_windows $hp direct_connect_windows $hp
return return
} elseif [regexp {vncs://} $hp] { } elseif [regexp {^vncs://} $hp] {
set use_ssl 1 set use_ssl 1
regsub {vncs://} $hp "" hp set use_ssh 0
} elseif [regexp {vncssl://} $hp] { regsub {^vncs://} $hp "" hp
sync_use_ssl_ssh
} elseif [regexp {^vncssl://} $hp] {
set use_ssl 1 set use_ssl 1
regsub {vncssl://} $hp "" hp set use_ssh 0
} elseif [regexp {vnc\+ssl://} $hp] { regsub {^vncssl://} $hp "" hp
sync_use_ssl_ssh
} elseif [regexp {^vnc\+ssl://} $hp] {
set use_ssl 1 set use_ssl 1
regsub {vnc\+ssl://} $hp "" hp set use_ssh 0
} elseif [regexp {vncssh://} $hp] { regsub {^vnc\+ssl://} $hp "" hp
sync_use_ssl_ssh
} elseif [regexp {^vncssh://} $hp] {
set use_ssh 1 set use_ssh 1
set use_ssl 0
regsub {vncssh://} $hp "" hp regsub {vncssh://} $hp "" hp
} elseif [regexp {vnc\+ssh://} $hp] { sync_use_ssl_ssh
} elseif [regexp {^vnc\+ssh://} $hp] {
set use_ssh 1 set use_ssh 1
regsub {vnc\+ssh://} $hp "" hp set use_ssl 0
regsub {^vnc\+ssh://} $hp "" hp
sync_use_ssl_ssh
} }
check_ssh_needed check_ssh_needed
...@@ -3166,7 +3644,7 @@ proc launch {{hp ""}} { ...@@ -3166,7 +3644,7 @@ proc launch {{hp ""}} {
return return
} }
} elseif {$crtdir != ""} { } elseif {$crtdir != ""} {
if {! [file exists $crtdir]} { if {! [file exists $crtdir] && $crtdir != "ACCEPTED_CERTS"} {
mesg "CertsDir does not exist: $crtdir" mesg "CertsDir does not exist: $crtdir"
bell bell
return return
...@@ -3314,6 +3792,7 @@ proc launch {{hp ""}} { ...@@ -3314,6 +3792,7 @@ proc launch {{hp ""}} {
puts $fh "RNDfile = bananarand.bin" puts $fh "RNDfile = bananarand.bin"
puts $fh "RNDoverwrite = yes" puts $fh "RNDoverwrite = yes"
puts $fh "debug = 6" puts $fh "debug = 6"
if {$mycert != ""} { if {$mycert != ""} {
if {! [file exists $mycert]} { if {! [file exists $mycert]} {
mesg "MyCert does not exist: $mycert" mesg "MyCert does not exist: $mycert"
...@@ -3337,13 +3816,28 @@ proc launch {{hp ""}} { ...@@ -3337,13 +3816,28 @@ proc launch {{hp ""}} {
puts $fh "CAfile = $svcert" puts $fh "CAfile = $svcert"
puts $fh "verify = 2" puts $fh "verify = 2"
} elseif {$crtdir != ""} { } elseif {$crtdir != ""} {
if {! [file exists $crtdir]} { if {$crtdir == "ACCEPTED_CERTS"} {
mesg "CertsDir does not exist: $crtdir" global skip_verify_accepted_certs
bell set skip_verify_accepted_certs 0
set fail 1 if {! [check_accepted_certs]} {
set fail 1
}
if {! $skip_verify_accepted_certs} {
set adir [get_idir_certs ""]
set adir "$adir/accepted"
catch {file mkdir $adir}
puts $fh "CApath = $adir"
puts $fh "verify = 2"
}
} else {
if {! [file exists $crtdir]} {
mesg "CertsDir does not exist: $crtdir"
bell
set fail 1
}
puts $fh "CApath = $crtdir"
puts $fh "verify = 2"
} }
puts $fh "CApath = $crtdir"
puts $fh "verify = 2"
} }
if {$n == ""} { if {$n == ""} {
...@@ -3739,7 +4233,12 @@ proc set_svcert {{parent "."}} { ...@@ -3739,7 +4233,12 @@ proc set_svcert {{parent "."}} {
proc set_crtdir {{parent "."}} { proc set_crtdir {{parent "."}} {
global svcert crtdir global svcert crtdir
set idir [get_idir_certs $crtdir] set idir ""
if {$crtdir == "ACCEPTED_CERTS"} {
set idir [get_idir_certs ""]
} else {
set idir [get_idir_certs $crtdir]
}
set t "" set t ""
if {$idir != ""} { if {$idir != ""} {
set t [tk_chooseDirectory -parent $parent -initialdir $idir] set t [tk_chooseDirectory -parent $parent -initialdir $idir]
...@@ -4397,8 +4896,11 @@ proc do_save {} { ...@@ -4397,8 +4896,11 @@ proc do_save {} {
catch {destroy .icrt} catch {destroy .icrt}
set p .c set p .c
if {![winfo exists .c]} { if {![winfo exists .c]} {
getcerts global accepted_cert_dialog_in_progress
update if {! $accepted_cert_dialog_in_progress} {
getcerts
update
}
} }
if {![winfo exists .c]} { if {![winfo exists .c]} {
set p . set p .
...@@ -4543,11 +5045,18 @@ proc save_cert {hp} { ...@@ -4543,11 +5045,18 @@ proc save_cert {hp} {
scroll_text .scrt.f 90 17 scroll_text .scrt.f 90 17
set scroll_text_focus 1 set scroll_text_focus 1
set msg { global accepted_cert_dialog_in_progress
if {$accepted_cert_dialog_in_progress} {
set mode "accepted"
} else {
set mode "normal"
}
set msg1 {
This dialog lets you import a SSL Certificate retrieved from a VNC server. This dialog lets you import a SSL Certificate retrieved from a VNC server.
Be sure to have verified its authenticity via an external means (checking Be sure to have verified its authenticity via an external means (checking
the MD5 hash value, etc) the MD5 hash value sent to you by the administrator, etc)
Set the "Save to File" name to the file where the imported certificate Set the "Save to File" name to the file where the imported certificate
will be saved. will be saved.
...@@ -4561,6 +5070,29 @@ proc save_cert {hp} { ...@@ -4561,6 +5070,29 @@ proc save_cert {hp} {
select Options -> Save Profile to save it in a profile. select Options -> Save Profile to save it in a profile.
} }
set msg2 {
This dialog lets you import a SSL Certificate retrieved from a VNC server.
Be sure to have verified its authenticity via an external means (checking
the MD5 hash value sent to you by the administrator, etc)
It will be added to the 'Accepted Certs' directory. The "Save to File"
below is already set to the correct directory and file name.
Click on "Save" to add it to the Accepted Certs.
It, and the others certs in that directory, will be used to authenticate
any VNC Server that has "ACCEPTED_CERTS" as the "CertsDir" value in the
"Certs..." dialog.
}
set msg ""
if {$mode == "normal"} {
set msg $msg1
} else {
set msg $msg2
}
regsub {%HOST} $msg "$hp" msg regsub {%HOST} $msg "$hp" msg
.scrt.f.t insert end $msg .scrt.f.t insert end $msg
...@@ -4577,7 +5109,11 @@ proc save_cert {hp} { ...@@ -4577,7 +5109,11 @@ proc save_cert {hp} {
bind .scrt <Escape> {destroy .scrt; catch {raise .c}} bind .scrt <Escape> {destroy .scrt; catch {raise .c}}
global import_save_file global import_save_file
button .scrt.save -text "Save" -command {do_save; set svcert $import_save_file} if {$mode == "normal"} {
button .scrt.save -text "Save" -command {do_save; set svcert $import_save_file}
} else {
button .scrt.save -text "Save" -command {do_save}
}
set w .scrt.sf set w .scrt.sf
frame $w frame $w
...@@ -4585,10 +5121,15 @@ proc save_cert {hp} { ...@@ -4585,10 +5121,15 @@ proc save_cert {hp} {
label $w.l -text "Save to File:" -anchor w label $w.l -text "Save to File:" -anchor w
set import_save_file "server:$hp.crt" set import_save_file "server:$hp.crt"
global is_windows global is_windows
if {$is_windows} { regsub -all {:} $import_save_file "-" import_save_file
regsub -all {:} $import_save_file "_" import_save_file
}
set import_save_file [get_idir_certs ""]/$import_save_file set import_save_file [get_idir_certs ""]/$import_save_file
global fetch_cert_filename
if {$fetch_cert_filename != ""} {
set import_save_file $fetch_cert_filename
}
entry $w.e -width 40 -textvariable import_save_file entry $w.e -width 40 -textvariable import_save_file
button $w.b -pady 1 -anchor w -text "Browse..." -command {import_save_browse .scrt} button $w.b -pady 1 -anchor w -text "Browse..." -command {import_save_browse .scrt}
...@@ -4726,6 +5267,7 @@ proc get_profiles_dir {} { ...@@ -4726,6 +5267,7 @@ proc get_profiles_dir {} {
} }
} elseif [info exists env(SSVNC_HOME)] { } elseif [info exists env(SSVNC_HOME)] {
set t "$env(SSVNC_HOME)/.vnc" set t "$env(SSVNC_HOME)/.vnc"
catch {file mkdir $t}
if [file isdirectory $t] { if [file isdirectory $t] {
set dir $t set dir $t
set s "$t/profiles" set s "$t/profiles"
...@@ -4902,13 +5444,7 @@ proc load_profile {{parent "."} {infile ""}} { ...@@ -4902,13 +5444,7 @@ proc load_profile {{parent "."} {infile ""}} {
} elseif {$use_ssh && $use_sshssl} { } elseif {$use_ssh && $use_sshssl} {
set use_ssh 0 set use_ssh 0
} }
if {$use_ssl} { sync_use_ssl_ssh
ssl_ssh_adjust ssl
} elseif {$use_ssh} {
ssl_ssh_adjust ssh
} elseif {$use_sshssl} {
ssl_ssh_adjust sshssl
}
set compresslevel_text "Compress Level: $use_compresslevel" set compresslevel_text "Compress Level: $use_compresslevel"
set quality_text "Quality: $use_quality" set quality_text "Quality: $use_quality"
...@@ -4918,6 +5454,17 @@ proc load_profile {{parent "."} {infile ""}} { ...@@ -4918,6 +5454,17 @@ proc load_profile {{parent "."} {infile ""}} {
listen_adjust listen_adjust
} }
proc sync_use_ssl_ssh {} {
global use_ssl use_ssh use_sshssl ssl_ssh_adjust
if {$use_ssl} {
ssl_ssh_adjust ssl
} elseif {$use_ssh} {
ssl_ssh_adjust ssh
} elseif {$use_sshssl} {
ssl_ssh_adjust sshssl
}
}
proc dummy_cert {} { proc dummy_cert {} {
set str { set str {
-----BEGIN RSA PRIVATE KEY----- -----BEGIN RSA PRIVATE KEY-----
...@@ -4985,13 +5532,20 @@ proc save_profile {{parent "."}} { ...@@ -4985,13 +5532,20 @@ proc save_profile {{parent "."}} {
set vncdisp [get_vncdisplay] set vncdisp [get_vncdisplay]
set disp [string trim $vncdisp] set disp [string trim $vncdisp]
if {$disp != ""} { if {$disp != ""} {
regsub {[ ].*$} $disp "" disp regsub {[ ].*$} $disp "" disp
regsub -all {/} $disp "" disp regsub -all {/} $disp "" disp
} else {
mesg "No VNC Host:Disp supplied."
bell
return
} }
if {$is_windows || $uname == "Darwin"} { if {$is_windows || $uname == "Darwin"} {
regsub -all {:} $disp "_" disp regsub -all {:} $disp "-" disp
} else {
regsub -all {:} $disp "-" disp
} }
set file [tk_getSaveFile -parent $parent -defaultextension ".vnc" \ set file [tk_getSaveFile -parent $parent -defaultextension ".vnc" \
...@@ -5731,8 +6285,8 @@ proc cups_dialog {} { ...@@ -5731,8 +6285,8 @@ proc cups_dialog {} {
set msg { set msg {
CUPS Printing requires SSH be used to set up the Print service port CUPS Printing requires SSH be used to set up the Print service port
redirection. This will be either of the "Use SSH" or "Use SSH and redirection. This will be either of the "Use SSH" or "SSH + SSL"
SSL" modes under "Options". Pure SSL tunnelling will not work. modes under "Options". Pure SSL tunnelling will not work.
This method requires working CUPS software setups on both the remote This method requires working CUPS software setups on both the remote
and local sides of the connection. and local sides of the connection.
...@@ -5889,7 +6443,7 @@ proc sound_dialog {} { ...@@ -5889,7 +6443,7 @@ proc sound_dialog {} {
set msg { set msg {
Sound tunnelling to a sound daemon requires SSH be used to set up Sound tunnelling to a sound daemon requires SSH be used to set up
the service port redirection. This will be either of the "Use SSH" the service port redirection. This will be either of the "Use SSH"
or "Use SSH and SSL" modes under "Options". Pure SSL tunnelling or "SSH + SSL" modes under "Options". Pure SSL tunnelling
will not work. will not work.
This method requires working Sound daemon (e.g. ESD or ARTSD) software This method requires working Sound daemon (e.g. ESD or ARTSD) software
...@@ -6647,7 +7201,7 @@ proc smb_dialog {} { ...@@ -6647,7 +7201,7 @@ proc smb_dialog {} {
set msg { set msg {
Windows/Samba Filesystem mounting requires SSH be used to set up the Windows/Samba Filesystem mounting requires SSH be used to set up the
SMB service port redirection. This will be either of the "Use SSH" SMB service port redirection. This will be either of the "Use SSH"
or "Use SSH and SSL" modes under "Options". Pure SSL tunnelling or "SSH + SSL" modes under "Options". Pure SSL tunnelling
will not work. will not work.
This method requires a working Samba software setup on the remote This method requires a working Samba software setup on the remote
...@@ -6781,7 +7335,7 @@ proc help_advanced_opts {} { ...@@ -6781,7 +7335,7 @@ proc help_advanced_opts {} {
The Service redirection options, CUPS, ESD/ARTSD, and SMB will The Service redirection options, CUPS, ESD/ARTSD, and SMB will
require that you use SSH for tunneling so that they can use the -R require that you use SSH for tunneling so that they can use the -R
port redirection will be enabled for each service. I.e. "Use SSH" port redirection will be enabled for each service. I.e. "Use SSH"
or "Use SSH and SSL" mode. or "SSH + SSL" mode.
These options may also require additional configuration to get them These options may also require additional configuration to get them
to work properly. Please submit bug reports if it appears it should to work properly. Please submit bug reports if it appears it should
...@@ -7778,18 +8332,21 @@ proc ssl_ssh_adjust {which} { ...@@ -7778,18 +8332,21 @@ proc ssl_ssh_adjust {which} {
set use_sshssl 0 set use_sshssl 0
set sshssl_sw "ssl" set sshssl_sw "ssl"
catch {.f4.getcert configure -state normal} catch {.f4.getcert configure -state normal}
catch {.f4.always configure -state normal}
} elseif {$which == "ssh"} { } elseif {$which == "ssh"} {
set use_ssl 0 set use_ssl 0
set use_ssh 1 set use_ssh 1
set use_sshssl 0 set use_sshssl 0
set sshssl_sw "ssh" set sshssl_sw "ssh"
catch {.f4.getcert configure -state disabled} catch {.f4.getcert configure -state disabled}
catch {.f4.always configure -state disabled}
} elseif {$which == "sshssl"} { } elseif {$which == "sshssl"} {
set use_ssl 0 set use_ssl 0
set use_ssh 0 set use_ssh 0
set use_sshssl 1 set use_sshssl 1
set sshssl_sw "sshssl" set sshssl_sw "sshssl"
catch {.f4.getcert configure -state disabled} catch {.f4.getcert configure -state disabled}
catch {.f4.always configure -state disabled}
} }
if [info exists remote_ssh_cmd_list] { if [info exists remote_ssh_cmd_list] {
...@@ -7845,7 +8402,7 @@ proc set_options {} { ...@@ -7845,7 +8402,7 @@ proc set_options {} {
incr i incr i
radiobutton .o.b$i -anchor w -variable sshssl_sw -value sshssl -text \ radiobutton .o.b$i -anchor w -variable sshssl_sw -value sshssl -text \
"Use SSH and SSL" -command {ssl_ssh_adjust sshssl} "Use SSH + SSL" -command {ssl_ssh_adjust sshssl}
set iss $i set iss $i
incr i incr i
...@@ -8050,12 +8607,13 @@ if [file exists $buck_zero] { ...@@ -8050,12 +8607,13 @@ if [file exists $buck_zero] {
lappend dirs $up lappend dirs $up
} }
if {$argc > 0} { for {set i 0} {$i < $argc} {incr i} {
set i [lindex $argv 0] set it0 [lindex $argv $i]
if {$i == "."} { if {$it0 == "."} {
if {![file isdirectory "$up/home"] && ![file isdirectory "$up/Home"]} { if {![file isdirectory "$up/home"] && ![file isdirectory "$up/Home"]} {
catch {file mkdir "$up/Home"} catch {file mkdir "$up/Home"}
} }
break
} }
} }
...@@ -8091,6 +8649,29 @@ if [file exists $buck_zero] { ...@@ -8091,6 +8649,29 @@ if [file exists $buck_zero] {
#puts "HOME: $env(SSVNC_HOME)" #puts "HOME: $env(SSVNC_HOME)"
} }
for {set i 0} {$i < $argc} {incr i} {
set item [lindex $argv $i]
regsub {^--} $item "-" item
if {$item == "-profiles"} {
set dir [get_profiles_dir]
puts stderr "VNC Profiles:"
puts stderr " "
set profs [list]
foreach prof [glob -nocomplain -directory $dir "*.vnc"] {
set s [file tail $prof]
regsub {\.vnc$} $s "" s
lappend profs [file tail $s]
}
foreach prof [lsort $profs] {
puts "$prof"
}
exit
} elseif {$item == "-nvb"} {
global env
set env(SSVNC_NO_VERIFY_ALL_BUTTON) 1
}
}
if {$is_windows} { if {$is_windows} {
check_writable check_writable
} }
...@@ -8136,6 +8717,9 @@ set vncauth_passwd "" ...@@ -8136,6 +8717,9 @@ set vncauth_passwd ""
global did_listening_message global did_listening_message
set did_listening_message 0 set did_listening_message 0
global accepted_cert_dialog_in_progress
set accepted_cert_dialog_in_progress 0
label .l -text "SSL/SSH VNC Viewer" -relief ridge label .l -text "SSL/SSH VNC Viewer" -relief ridge
set wl 21 set wl 21
...@@ -8179,10 +8763,27 @@ set remote_ssh_cmd_list {.f3.e .f3.l} ...@@ -8179,10 +8763,27 @@ set remote_ssh_cmd_list {.f3.e .f3.l}
frame .f4 frame .f4
radiobutton .f4.ssl -anchor w -variable sshssl_sw -value ssl -command {ssl_ssh_adjust ssl} -text "Use SSL" radiobutton .f4.ssl -anchor w -variable sshssl_sw -value ssl -command {ssl_ssh_adjust ssl} -text "Use SSL"
radiobutton .f4.ssh -anchor w -variable sshssl_sw -value ssh -command {ssl_ssh_adjust ssh} -text "Use SSH" radiobutton .f4.ssh -anchor w -variable sshssl_sw -value ssh -command {ssl_ssh_adjust ssh} -text "Use SSH"
radiobutton .f4.sshssl -anchor w -variable sshssl_sw -value sshssl -command {ssl_ssh_adjust sshssl} -text "Use SSH and SSL" radiobutton .f4.sshssl -anchor w -variable sshssl_sw -value sshssl -command {ssl_ssh_adjust sshssl} -text "SSH + SSL "
button .f4.getcert -command {fetch_cert} -text "Fetch Cert"
pack .f4.ssl .f4.ssh .f4.sshssl -side left -fill x pack .f4.ssl .f4.ssh .f4.sshssl -side left -fill x
global skip_verify_accepted_certs
set skip_verify_accepted_certs 0
global always_verify_ssl
set always_verify_ssl 1;
if {[info exists env(SSVNC_NO_VERIFY_ALL)]} {
set always_verify_ssl 0;
}
button .f4.getcert -command {fetch_cert 1} -text "Fetch Cert"
checkbutton .f4.always -variable always_verify_ssl -text "Verify All Certs"
pack .f4.getcert -side right -fill x pack .f4.getcert -side right -fill x
if {[info exists env(SSVNC_NO_VERIFY_ALL_BUTTON)]} {
set always_verify_ssl 0;
} else {
pack .f4.always -side right -fill x
}
ssl_ssh_adjust ssl ssl_ssh_adjust ssl
...@@ -8190,12 +8791,13 @@ frame .b ...@@ -8190,12 +8791,13 @@ frame .b
button .b.help -text "Help" -command help button .b.help -text "Help" -command help
button .b.certs -text "Certs ..." -command getcerts button .b.certs -text "Certs ..." -command getcerts
button .b.opts -text "Options ..." -command set_options button .b.opts -text "Options ..." -command set_options
button .b.load -text "Load ..." -command {load_profile} button .b.load -text "Load" -command {load_profile}
button .b.save -text "Save" -command {save_profile}
button .b.conn -text "Connect" -command launch button .b.conn -text "Connect" -command launch
button .b.exit -text "Exit" -command {destroy .; exit} button .b.exit -text "Exit" -command {destroy .; exit}
pack .b.certs .b.opts .b.load .b.conn .b.help .b.exit -side left -expand 1 -fill x pack .b.certs .b.opts .b.save .b.load .b.conn .b.help .b.exit -side left -expand 1 -fill x
if {$multientry} { if {$multientry} {
if {! $is_windows} { if {! $is_windows} {
...@@ -8210,6 +8812,7 @@ if {![info exists env(SSVNC_GUI_CHILD)] || $env(SSVNC_GUI_CHILD) == ""} { ...@@ -8210,6 +8812,7 @@ if {![info exists env(SSVNC_GUI_CHILD)] || $env(SSVNC_GUI_CHILD) == ""} {
center_win . center_win .
} }
focus .f0.e focus .f0.e
wm deiconify . wm deiconify .
global system_button_face global system_button_face
...@@ -8239,15 +8842,16 @@ bind .f0.l <ButtonPress> {set button_gui_top 1} ...@@ -8239,15 +8842,16 @@ bind .f0.l <ButtonPress> {set button_gui_top 1}
update update
if {$argc > 0} { for {set i 0} {$i < $argc} {incr i} {
set item [lindex $argv 0] set item [lindex $argv $i]
regsub {^--} $item "-" item
if {$item == "."} { if {$item == "."} {
set item "" ;
if {$argc > 1} { } elseif {$item == "-nv"} {
set item [lindex $argv 1] set always_verify_ssl 0
} } elseif {$item == "-help"} {
} help
if {$item != ""} { } elseif {$item != ""} {
if [file exists $item] { if [file exists $item] {
load_profile . $item load_profile . $item
} else { } else {
...@@ -8264,6 +8868,9 @@ if {$argc > 0} { ...@@ -8264,6 +8868,9 @@ if {$argc > 0} {
if {! $ok && [regexp {:} $item]} { if {! $ok && [regexp {:} $item]} {
global vncdisplay global vncdisplay
set vncdisplay $item set vncdisplay $item
set ok 1
}
if {$ok} {
update update
after 750 after 750
launch launch
...@@ -8271,5 +8878,3 @@ if {$argc > 0} { ...@@ -8271,5 +8878,3 @@ if {$argc > 0} {
} }
} }
} }
#mesg "$buck_zero"
...@@ -1322,6 +1322,7 @@ char *certret_str = NULL; ...@@ -1322,6 +1322,7 @@ char *certret_str = NULL;
void accept_openssl(int mode, int presock) { void accept_openssl(int mode, int presock) {
int sock = -1, listen = -1, cport, csock, vsock; int sock = -1, listen = -1, cport, csock, vsock;
int peerport = 0;
int status, n, i, db = 0; int status, n, i, db = 0;
struct sockaddr_in addr; struct sockaddr_in addr;
#ifdef __hpux #ifdef __hpux
...@@ -1441,8 +1442,10 @@ void accept_openssl(int mode, int presock) { ...@@ -1441,8 +1442,10 @@ void accept_openssl(int mode, int presock) {
if (mode != OPENSSL_INETD) { if (mode != OPENSSL_INETD) {
name = get_remote_host(sock); name = get_remote_host(sock);
peerport = get_remote_port(sock);
} else { } else {
openssl_last_ip = get_remote_host(fileno(stdin)); openssl_last_ip = get_remote_host(fileno(stdin));
peerport = get_remote_port(fileno(stdin));
if (openssl_last_ip) { if (openssl_last_ip) {
name = strdup(openssl_last_ip); name = strdup(openssl_last_ip);
} else { } else {
...@@ -1452,10 +1455,10 @@ void accept_openssl(int mode, int presock) { ...@@ -1452,10 +1455,10 @@ void accept_openssl(int mode, int presock) {
if (name) { if (name) {
if (mode == OPENSSL_INETD) { if (mode == OPENSSL_INETD) {
rfbLog("SSL: (inetd) spawning helper process " rfbLog("SSL: (inetd) spawning helper process "
"to handle: %s\n", name); "to handle: %s:%d\n", name, peerport);
} else { } else {
rfbLog("SSL: spawning helper process to handle: " rfbLog("SSL: spawning helper process to handle: "
"%s\n", name); "%s:%d\n", name, peerport);
} }
free(name); free(name);
name = NULL; name = NULL;
...@@ -1996,6 +1999,7 @@ static void ssl_timeout (int sig) { ...@@ -1996,6 +1999,7 @@ static void ssl_timeout (int sig) {
static int ssl_init(int s_in, int s_out) { static int ssl_init(int s_in, int s_out) {
unsigned char *sid = (unsigned char *) "x11vnc SID"; unsigned char *sid = (unsigned char *) "x11vnc SID";
char *name; char *name;
int peerport = 0;
int db = 0, rc, err; int db = 0, rc, err;
int ssock = s_in; int ssock = s_in;
double start = dnow(); double start = dnow();
...@@ -2041,6 +2045,7 @@ if (db > 1) fprintf(stderr, "ssl_init: 2\n"); ...@@ -2041,6 +2045,7 @@ if (db > 1) fprintf(stderr, "ssl_init: 2\n");
if (db > 1) fprintf(stderr, "ssl_init: 3\n"); if (db > 1) fprintf(stderr, "ssl_init: 3\n");
name = get_remote_host(ssock); name = get_remote_host(ssock);
peerport = get_remote_port(ssock);
if (db > 1) fprintf(stderr, "ssl_init: 4\n"); if (db > 1) fprintf(stderr, "ssl_init: 4\n");
...@@ -2066,29 +2071,29 @@ if (db > 1) fprintf(stderr, "ssl_init: 4\n"); ...@@ -2066,29 +2071,29 @@ if (db > 1) fprintf(stderr, "ssl_init: 4\n");
} else if (err == SSL_ERROR_WANT_READ) { } else if (err == SSL_ERROR_WANT_READ) {
if (db) fprintf(stderr, "got SSL_ERROR_WANT_READ\n"); if (db) fprintf(stderr, "got SSL_ERROR_WANT_READ\n");
rfbLog("SSL: ssl_helper[%d]: SSL_accept() failed for: %s\n", rfbLog("SSL: ssl_helper[%d]: SSL_accept() failed for: %s:%d\n",
getpid(), name); getpid(), name, peerport);
return 0; return 0;
} else if (err == SSL_ERROR_WANT_WRITE) { } else if (err == SSL_ERROR_WANT_WRITE) {
if (db) fprintf(stderr, "got SSL_ERROR_WANT_WRITE\n"); if (db) fprintf(stderr, "got SSL_ERROR_WANT_WRITE\n");
rfbLog("SSL: ssl_helper[%d]: SSL_accept() failed for: %s\n", rfbLog("SSL: ssl_helper[%d]: SSL_accept() failed for: %s:%d\n",
getpid(), name); getpid(), name, peerport);
return 0; return 0;
} else if (err == SSL_ERROR_SYSCALL) { } else if (err == SSL_ERROR_SYSCALL) {
if (db) fprintf(stderr, "got SSL_ERROR_SYSCALL\n"); if (db) fprintf(stderr, "got SSL_ERROR_SYSCALL\n");
rfbLog("SSL: ssl_helper[%d]: SSL_accept() failed for: %s\n", rfbLog("SSL: ssl_helper[%d]: SSL_accept() failed for: %s:%d\n",
getpid(), name); getpid(), name, peerport);
return 0; return 0;
} else if (err == SSL_ERROR_ZERO_RETURN) { } else if (err == SSL_ERROR_ZERO_RETURN) {
if (db) fprintf(stderr, "got SSL_ERROR_ZERO_RETURN\n"); if (db) fprintf(stderr, "got SSL_ERROR_ZERO_RETURN\n");
rfbLog("SSL: ssl_helper[%d]: SSL_accept() failed for: %s\n", rfbLog("SSL: ssl_helper[%d]: SSL_accept() failed for: %s:%d\n",
getpid(), name); getpid(), name, peerport);
return 0; return 0;
} else if (rc < 0) { } else if (rc < 0) {
...@@ -2118,7 +2123,7 @@ if (db > 1) fprintf(stderr, "ssl_init: 4\n"); ...@@ -2118,7 +2123,7 @@ if (db > 1) fprintf(stderr, "ssl_init: 4\n");
usleep(10 * 1000); usleep(10 * 1000);
} }
rfbLog("SSL: ssl_helper[%d]: SSL_accept() succeeded for: %s\n", getpid(), name); rfbLog("SSL: ssl_helper[%d]: SSL_accept() succeeded for: %s:%d\n", getpid(), name, peerport);
if (SSL_get_verify_result(ssl) == X509_V_OK) { if (SSL_get_verify_result(ssl) == X509_V_OK) {
X509 *x; X509 *x;
......
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
.TH X11VNC "1" "May 2007" "x11vnc " "User Commands" .TH X11VNC "1" "May 2007" "x11vnc " "User Commands"
.SH NAME .SH NAME
x11vnc - allow VNC connections to real X11 displays x11vnc - allow VNC connections to real X11 displays
version: 0.9.1, lastmod: 2007-05-06 version: 0.9.1, lastmod: 2007-05-16
.SH SYNOPSIS .SH SYNOPSIS
.B x11vnc .B x11vnc
[OPTION]... [OPTION]...
......
...@@ -3230,7 +3230,7 @@ int main(int argc, char* argv[]) { ...@@ -3230,7 +3230,7 @@ int main(int argc, char* argv[]) {
rfbLog("rfbRegisterTightVNCFileTransferExtension: 6\n"); rfbLog("rfbRegisterTightVNCFileTransferExtension: 6\n");
rfbRegisterTightVNCFileTransferExtension(); rfbRegisterTightVNCFileTransferExtension();
} else { } else {
rfbLog("rfbUnregisterTightVNCFileTransferExtension: 3\n"); if (0) rfbLog("rfbUnregisterTightVNCFileTransferExtension: 3\n");
rfbUnregisterTightVNCFileTransferExtension(); rfbUnregisterTightVNCFileTransferExtension();
} }
#endif #endif
......
...@@ -15,7 +15,7 @@ int xtrap_base_event_type = 0; ...@@ -15,7 +15,7 @@ int xtrap_base_event_type = 0;
int xdamage_base_event_type = 0; int xdamage_base_event_type = 0;
/* date +'lastmod: %Y-%m-%d' */ /* date +'lastmod: %Y-%m-%d' */
char lastmod[] = "0.9.1 lastmod: 2007-05-06"; char lastmod[] = "0.9.1 lastmod: 2007-05-16";
/* X display info */ /* X display info */
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment