x11vnc: kill gui_pid on exit in -connect/-connect_or_exit mode.

   -grablocal n experiment (not compiled by default).  -macuskbd
   option for macosx for orig uskdb code. keycode=N remote contol
   cmd.  Find dpy look at non-NFS cookies in /tmp.  Fix gui tray
   insertion on recent gnome dt. Fix connect_file bug. Sync SSVNC

x11vnc/8to24.c

@@ -1359,6 +1359,8 @@ static int get_cmap(int j, Colormap cmap) {
 		X_LOCK;
 		ncells = CellsOfScreen(ScreenOfDisplay(dpy, scr));
 		X_UNLOCK;
+	} else {
+		ncells = NCOLOR;
 	}
 if (db24 > 1) fprintf(stderr, "get_cmap: %d 0x%x\n", j, (unsigned int) cmap);
 

x11vnc/ChangeLog

+2008-09-06  Karl Runge <runge@karlrunge.com>
+	* x11vnc: kill gui_pid on exit in -connect/-connect_or_exit mode.
+	  -grablocal n experiment (not compiled by default).  -macuskbd
+	  option for macosx for orig uskdb code. keycode=N remote contol
+	  cmd.  Find dpy look at non-NFS cookies in /tmp.  Fix gui tray
+	  insertion on recent gnome dt. Fix connect_file bug. Sync SSVNC
+
 2008-06-07  Karl Runge <runge@karlrunge.com>
 	* x11vnc: -clip xineramaN option, -DIGNORE_GETSPNAM for HP-UX.
 	  Print info on SSH_CONNECTION override.

x11vnc/connections.c

@@ -755,6 +755,10 @@ void client_gone(rfbClientPtr client) {
 
 	if (inetd && client == inetd_client) {
 		rfbLog("inetd viewer exited.\n");
+		if (gui_pid > 0) {
+			rfbLog("killing gui_pid %d\n", gui_pid);
+			kill(gui_pid, SIGTERM);
+		}
 		clean_up_exit(0);
 	}
 	if (connect_once) {
@@ -779,6 +783,10 @@ void client_gone(rfbClientPtr client) {
 		}
 
 		rfbLog("viewer exited.\n");
+		if ((client_connect || connect_or_exit) && gui_pid > 0) {
+			rfbLog("killing gui_pid %d\n", gui_pid);
+			kill(gui_pid, SIGTERM);
+		}
 		clean_up_exit(0);
 	}
 #ifdef MACOSX
@@ -2423,6 +2431,10 @@ void reverse_connect(char *str) {
 		if (connect_or_exit) {
 			rfbLogEnable(1);
 			rfbLog("exiting under -connect_or_exit\n");
+			if (gui_pid > 0) {
+				rfbLog("killing gui_pid %d\n", gui_pid);
+				kill(gui_pid, SIGTERM);
+			}
 			clean_up_exit(0);
 		}
 		return;
@@ -2458,6 +2470,10 @@ void reverse_connect(char *str) {
 		if (client_count <= nclients0)  {
 			rfbLogEnable(1);
 			rfbLog("exiting under -connect_or_exit\n");
+			if (gui_pid > 0) {
+				rfbLog("killing gui_pid %d\n", gui_pid);
+				kill(gui_pid, SIGTERM);
+			}
 			clean_up_exit(0);
 		}
 	}
@@ -2737,6 +2753,7 @@ void check_gui_inputs(void) {
 static int turn_off_truecolor = 0;
 
 static void turn_off_truecolor_ad(rfbClientPtr client) {
+	if (client) {}
 	if (turn_off_truecolor) {
 		rfbLog("turning off truecolor advertising.\n");
 		screen->serverFormat.trueColour = FALSE;

x11vnc/gui.c

@@ -25,6 +25,7 @@ Window tray_request = None;
 Window tray_window = None;
 int tray_unembed = 0;
 pid_t run_gui_pid = 0;
+pid_t gui_pid = 0;
 
 
 char *get_gui_code(void);
@@ -50,6 +51,10 @@ static Window tweak_tk_window_id(Window win) {
 	char *name = NULL;
 	Window parent, new;
 
+	if (getenv("NO_TWEAK_TK_WINDOW_ID")) {
+		return win;
+	}
+
 	/* hack for tk, does not report outermost window */
 	new = win;
 	parent = parent_window(win, &name);
@@ -684,8 +689,10 @@ void do_gui(char *opts, int sleep) {
 					fprintf(icon_mode_fh, "none\n");
 					fflush(icon_mode_fh);
 					if (! got_connect_once) {
-						/* want -forever for tray */
-						connect_once = 0;
+						if (!client_connect && !connect_or_exit) {
+							/* want -forever for tray? */
+							connect_once = 0;
+						}
 					}
 				}
 			}
@@ -707,6 +714,7 @@ void do_gui(char *opts, int sleep) {
 		}
 		if (connect_to_x11vnc) {
 			run_gui_pid = p;
+			gui_pid = p;
 		}
 #else
 		fprintf(stderr, "system does not support fork: start "

x11vnc/gui.h

@@ -12,6 +12,7 @@ extern Window tray_request;
 extern Window tray_window;
 extern int tray_unembed;
 extern pid_t run_gui_pid;
+extern pid_t gui_pid;
 
 extern char *get_gui_code(void);
 extern int tray_embed(Window iconwin, int remove);

x11vnc/help.c

@@ -484,7 +484,7 @@ void print_help(int mode) {
 "                       to plumb reverse connections.\n"
 "\n"
 "-connect_or_exit str   As with -connect, except if none of the reverse\n"
-"                       connections succeed, then x11vnc shutdowns immediately.\n"
+"                       connections succeed, then x11vnc shuts down immediately\n"
 "\n"
 "                       By the way, if you do not want x11vnc to listen on\n"
 "                       ANY interface use -rfbport 0  which is handy for the\n"
@@ -628,6 +628,16 @@ void print_help(int mode) {
 "                       use the -R remote control to turn the other back on,\n"
 "                       e.g. -R nograbptr.\n"
 "\n"
+#ifdef ENABLE_GRABLOCAL
+"-grablocal n           If it appears that a user sitting at the physical\n"
+"                       display has injected a keystroke or mouse event ignore\n"
+"                       any VNC client inputs for the next n seconds.  The idea\n"
+"                       is that during a demonstration, etc, the local user\n"
+"                       will not be interrupted by viewers accidentally moving\n"
+"                       the mouse, etc.  The detection of local user input is\n"
+"                       approximate and so at times gives unexpected results.\n"
+"\n"
+#endif
 "-viewpasswd string     Supply a 2nd password for view-only logins.  The -passwd\n"
 "                       (full-access) password must also be supplied.\n"
 "\n"
@@ -3631,25 +3641,27 @@ void print_help(int mode) {
 "                       You can also set the env. var X11VNC_UINPUT_DEBUG=1 or\n"
 "                       higher to get debugging output for UINPUT mode.\n"
 "\n"
-"-macnodim              For the native Mac OS X server, disable dimming. \n"
-"-macnosleep            For the native Mac OS X server, disable display sleep.\n"
-"-macnosaver            For the native Mac OS X server, disable screensaver.\n"
-"-macnowait             For the native Mac OS X server, do not wait for the\n"
+"-macnodim              For the native MacOSX server, disable dimming. \n"
+"-macnosleep            For the native MacOSX server, disable display sleep.\n"
+"-macnosaver            For the native MacOSX server, disable screensaver.\n"
+"-macnowait             For the native MacOSX server, do not wait for the\n"
 "                       user to switch back to his display.\n"
-"-macwheel n            For the native Mac OS X server, set the mouse wheel\n"
+"-macwheel n            For the native MacOSX server, set the mouse wheel\n"
 "                       speed to n (default 5).\n"
-"-macnoswap             For the native Mac OS X server, do not swap mouse\n"
+"-macnoswap             For the native MacOSX server, do not swap mouse\n"
 "                       buttons 2 and 3.\n"
-"-macnoresize           For the native Mac OS X server, do not resize or reset\n"
+"-macnoresize           For the native MacOSX server, do not resize or reset\n"
 "                       the framebuffer even if it is detected that the screen\n"
 "                       resolution or depth has changed.\n"
-"-maciconanim n         For the native Mac OS X server, set n to the number\n"
+"-maciconanim n         For the native MacOSX server, set n to the number\n"
 "                       of milliseconds that the window iconify/deiconify\n"
 "                       animation takes.  In -ncache mode this value will be\n"
 "                       used to skip the animation if possible. (default 400)\n"
-"-macmenu               For the native Mac OS X server, in -ncache client-side\n"
+"-macmenu               For the native MacOSX server, in -ncache client-side\n"
 "                       caching mode, try to cache pull down menus (not perfect\n"
 "                       because they have animated fades, etc.)\n"
+"-macuskbd              For the native MacOSX server, use the original\n"
+"                       keystroke insertion code based on a US keyboard.\n"
 "\n"
 "-gui [gui-opts]        Start up a simple tcl/tk gui based on the the remote\n"
 "                       control options -remote/-query described below.\n"
@@ -3707,6 +3719,14 @@ void print_help(int mode) {
 "                       fully functional, the gui mode should be \"start\"\n"
 "                       (the default).\n"
 "\n"
+"                       Note that tray or icon mode will imply the -forever\n"
+"                       x11vnc option (if the x11vnc server is started along\n"
+"                       with the gui) unless -connect or -connect_or_exit has\n"
+"                       been specified.  So x11vnc (and the tray/icon gui)\n"
+"                       will wait for more connections after the first client\n"
+"                       disconnects.  If you want only one viewer connection\n"
+"                       include the -once option.\n"
+"\n"
 "                       For \"icon\" the gui just a small standalone window.\n"
 "                       For \"tray\" it will attempt to embed itself in the\n"
 "                       \"system tray\" if possible. If \"=setpass\" is appended then\n"
@@ -4397,12 +4417,13 @@ void xopen_display_fail_message(char *disp) {
 	fprintf(stderr, "\n");
 	fprintf(stderr, "Some tips and guidelines:\n");
 	fprintf(stderr, "\n");
-	fprintf(stderr, " * An X server (the one you wish to view) must"
+	fprintf(stderr, "** An X server (the one you wish to view) must"
 	    " be running before x11vnc is\n");
-	fprintf(stderr, "   started: x11vnc does not start the X server.  (however, see the\n");
-	fprintf(stderr, "   recent -create option if that is what you really want).\n");
+	fprintf(stderr, "   started: x11vnc does not start the X server.  "
+	    "(however, see the -create\n");
+	fprintf(stderr, "   option if that is what you really want).\n");
 	fprintf(stderr, "\n");
-	fprintf(stderr, " * You must use -display <disp>, -OR- set and"
+	fprintf(stderr, "** You must use -display <disp>, -OR- set and"
 	    " export your $DISPLAY\n");
 	fprintf(stderr, "   environment variable to refer to the display of"
 	    " the desired X server.\n");
@@ -4414,7 +4435,7 @@ void xopen_display_fail_message(char *disp) {
 	    " or a guru if you are having\n");
 	fprintf(stderr, "   difficulty determining what your X DISPLAY is.\n");
 	fprintf(stderr, "\n");
-	fprintf(stderr, " * Next, you need to have sufficient permissions"
+	fprintf(stderr, "** Next, you need to have sufficient permissions"
 	    " (Xauthority) \n");
 	fprintf(stderr, "   to connect to the X DISPLAY.   Here are some"
 	    " Tips:\n");
@@ -4438,7 +4459,7 @@ void xopen_display_fail_message(char *disp) {
 	    " -display :0\n");
 	fprintf(stderr, "   you must have read permission for the auth file.\n");
 	fprintf(stderr, "\n");
-	fprintf(stderr, " - If NO ONE is logged into an X session yet, but"
+	fprintf(stderr, "** If NO ONE is logged into an X session yet, but"
 	    " there is a greeter login\n");
 	fprintf(stderr, "   program like \"gdm\", \"kdm\", \"xdm\", or"
 	    " \"dtlogin\" running, you will need\n");
@@ -4447,18 +4468,21 @@ void xopen_display_fail_message(char *disp) {
 	fprintf(stderr, "   Some examples for various display managers:\n");
 	fprintf(stderr, "\n");
 	fprintf(stderr, "     gdm:     -auth /var/gdm/:0.Xauth\n");
+	fprintf(stderr, "              -auth /var/lib/gdm/:0.Xauth\n");
 	fprintf(stderr, "     kdm:     -auth /var/lib/kdm/A:0-crWk72\n");
+	fprintf(stderr, "              -auth /var/run/xauth/A:0-crWk72\n");
 	fprintf(stderr, "     xdm:     -auth /var/lib/xdm/authdir/authfiles/A:0-XQvaJk\n");
 	fprintf(stderr, "     dtlogin: -auth /var/dt/A:0-UgaaXa\n");
 	fprintf(stderr, "\n");
+	fprintf(stderr, "   Sometimes the command \"ps wwwwaux | grep auth\""
+	    " can reveal the file location.\n");
+	fprintf(stderr, "\n");
 	fprintf(stderr, "   Only root will have read permission for the"
 	    " file, and so x11vnc must be run\n");
-	fprintf(stderr, "   as root.  The random characters in the filenames"
-	    " will of course change,\n");
-	fprintf(stderr, "   and the directory the cookie file resides in may"
-	    " also be system dependent.\n");
-	fprintf(stderr, "   Sometimes the command \"ps wwwaux | grep auth\""
-	    " can reveal the file location.\n");
+	fprintf(stderr, "   as root (or copy it).  The random characters in the filenames"
+	    " will of course\n");
+	fprintf(stderr, "   change and the directory the cookie file resides in"
+	    " is system dependent.\n");
 	fprintf(stderr, "\n");
 	fprintf(stderr, "See also: http://www.karlrunge.com/x11vnc/#faq\n");
 }
@@ -4474,7 +4498,7 @@ void nopassword_warning_msg(int gotloc) {
 "#@        YOU ARE RUNNING X11VNC WITHOUT A PASSWORD!!        @#\n"
 "#@                                                           @#\n"
 "#@  This means anyone with network access to this computer   @#\n"
-"#@  will be able to view and control your desktop.           @#\n"
+"#@  may be able to view and control your desktop.            @#\n"
 "#@                                                           @#\n"
 "#@ >>> If you did not mean to do this Press CTRL-C now!! <<< @#\n"
 "#@                                                           @#\n"

x11vnc/keyboard.c

@@ -3149,6 +3149,7 @@ void keyboard(rfbBool down, rfbKeySym keysym, rfbClientPtr client) {
 				last_rfb_down = down;
 				last_rfb_keysym = keysym;
 				last_rfb_keytime = tnow;
+				last_rfb_key_injected = dnow();
 
 				got_user_input++;
 				got_keyboard_input++;
@@ -3176,6 +3177,7 @@ void keyboard(rfbBool down, rfbKeySym keysym, rfbClientPtr client) {
 	last_rfb_down = down;
 	last_rfb_keysym = keysym;
 	last_rfb_keytime = tnow;
+	last_rfb_key_injected = dnow();
 
 	got_user_input++;
 	got_keyboard_input++;

x11vnc/macosxCG.c

@@ -31,6 +31,7 @@ int macosxCG_get_cursor_pos(int *x, int *y);
 int macosxCG_get_cursor(void);
 void macosxCG_init_key_table(void);
 void macosxCG_key_inject(int down, unsigned int keysym);
+void macosxCG_keycode_inject(int down, int keycode);
 
 CGDirectDisplayID displayID = 0;
 
@@ -595,6 +596,14 @@ void macosxCG_init_key_table(void) {
 }
 
 extern void init_key_table(void);
+extern int macosx_us_kbd;
+
+void macosxCG_keycode_inject(int down, int keycode) {
+	CGKeyCode keyCode = (CGKeyCode) keycode;
+	CGCharCode keyChar = 0;
+
+	CGPostKeyboardEvent(keyChar, keyCode, down);
+}
 
 void macosxCG_key_inject(int down, unsigned int keysym) {
 	CGKeyCode keyCode = keyTable[(unsigned short)keysym];
@@ -606,7 +615,7 @@ void macosxCG_key_inject(int down, unsigned int keysym) {
 
 	init_key_table();
 
-	if (keysym < 0xFF) {
+	if (keysym < 0xFF && macosx_us_kbd) {
 		keyChar = (CGCharCode) keysym;
 	}
 	if (keyCode == 0xFFFF) {

x11vnc/macosxCG.h

@@ -20,6 +20,7 @@ extern int macosxCG_get_cursor_pos(int *x, int *y);
 extern int macosxCG_get_cursor(void);
 extern void macosxCG_init_key_table(void);
 extern void macosxCG_key_inject(int down, unsigned int keysym);
+extern void macosxCG_keycode_inject(int down, int keycode);
 
 extern void macosxCG_refresh_callback_off(void);
 extern void macosxCG_refresh_callback_on(void);

x11vnc/misc/enhanced_tightvnc_viewer/README

@@ -29,7 +29,7 @@ survey http://rechten.uvt.nl/koops/cryptolaw/index.htm for useful
 information.
 
 All work done by Karl J. Runge in this project is
-Copyright (c) 2006-2007 Karl J. Runge and is licensed under the GPL as
+Copyright (c) 2006-2008 Karl J. Runge and is licensed under the GPL as
 described in the file COPYING in this directory.
 
 All the files and information in this project are provided "AS IS"
@@ -66,23 +66,30 @@ The enhanced TightVNC viewer features are:
 
 	- Create or Import SSL Certificates and Private Keys.
 
+	- Reverse (viewer listening) VNC connections via SSL and SSH.
+
+	- Support for Web Proxies, SOCKS Proxies, and the UltraVNC
+	  repeater proxy (e.g. repeater://host:port+ID:1234). Multiple
+	  proxies may be chained together (3 max).
+
+	- Support for SSH Gateway connections and non-standard SSH ports.
+
+	- You can also use your own VNC Viewer, e.g. UltraVNC or RealVNC,
+	  with the front-end GUI or scripts if you like.
+
 	- Automatic Service tunnelling via SSH for CUPS and SMB Printing,
 	  ESD/ARTSD Audio, and SMB (Windows/Samba) filesystem mounting.
 
+	- Sets up any additional SSH port redirections that you want.
+
         - Port Knocking for "closed port" SSH/SSL connections.  In addition
           to a simple fixed port sequence and one-time-pad implementation,
           a hook is also provided to run any port knocking client before a
           connecting.
 
-	- You can also use your own VNC Viewer, e.g. UltraVNC or RealVNC,
-	  with the front-end GUI or scripts if you like.
-
-	- Sets up any additional SSH port redirections that you want.
-
 	- Support for native MacOS X usage with bundled Chicken of the
-	  VNC viewer.
-
-	- Reverse (viewer listening) VNC connections via SSL and SSH.
+	  VNC viewer (the Unix X11 viewer is also provided for MacOS X,
+	  and is better IMHO).
 
 	- Dynamic VNC Server Port determination and redirection (using
 	  ssh's builtin SOCKS proxy, -D) for servers like x11vnc that
@@ -116,6 +123,16 @@ The enhanced TightVNC viewer features are:
 	  (java must be in $PATH). Note that x11vnc supports UltraVNC
 	  file transfer.
 
+	- Connection support for the UltraVNC repeater proxy (-repeater
+	  option).
+
+	- Support for UltraVNC Single Click operation. (both unencrypted:
+	  SC I, and SSL encrypted: SC III)
+
+	- Instead of hostname:display one can also supply "exec=command args..."
+	  to connect the viewer to the stdio of an external command
+	  (e.g. stunnel or socat) rather than using a TCP/IP socket.
+
 	- Extremely low color modes: 64 and 8 colors in 8bpp
 	  (-use64/-bgr222, -use8/-bgr111)
 
@@ -391,7 +408,7 @@ If you need to Build:
 If your OS/arch is not included or the provided binary has the wrong
 library dependencies, etc. the script "build.unix" may be able to
 successfully build on for you and deposit the binaries down in ./bin/...
-using the included source code.
+using the included source code.  It is a hack but usually works.
 
 You MUST run the build.unix script from this directory (that this toplevel
 README is in, i.e "ssvnc") and like this:
@@ -401,9 +418,30 @@ README is in, i.e "ssvnc") and like this:
 To use custom locations for libraries see the LDFLAGS_OS and CPPFLAGS_OS
 description at the top of the build.unix script.
 
+You can set these env. vars to customize the build:
+
+	SSVNC_BUILD_NO_STATIC=1        do not try to statically link libs
+	SSVNC_BUILD_FORCE_OVERWRITE=1  do not prompt about existing binaries
+	SSVNC_BUILD_SKIP_VIEWER=1      do not build vncviewer
+	SSVNC_BUILD_SKIP_STUNNEL=1     do not build stunnel
+	SSVNC_BUILD_ULTRAFTP=1         only build the file xfer helper jar
+
+here is an example to build only the vncviewer and with normal library
+linking (and in a more or less automated way):
+
+ env SSVNC_BUILD_NO_STATIC=1 SSVNC_BUILD_FORCE_OVERWRITE=1 SSVNC_BUILD_SKIP_STUNNEL=1 ./build.unix
+
 Feel free to ask us if you need help running ./build.unix
 
 
+Convential Build:
+
+A more conventional source tarball is provided in ssvnc-x.y.z.src.tar.gz.
+It uses a more or less familiar 'make config; make all; make install'
+method.  It does not include stunnel, so that must be installed on the
+system separately.
+
+
 The programs:
 ------------
 
@@ -519,6 +557,86 @@ as long as you install external vncviewer and stunnel packages:
 	ssvnc_unix_minimal-1.x.y.tar.gz
 
 
+Untrusted Local Users:
+---------------------
+
+    *IMPORTANT WARNING*:  If you run SSVNC on a workstation or computer
+    that other users can log into and you DO NOT TRUST these users
+    (it is a shame but sometimes one has to work in an environment like
+    this), then please note the following warning.
+
+    By 'do not trust' we mean they might try to gain access to remote
+    machines you connect to via SSVNC.  Note that an untrusted local
+    user can often obtain root access in a short amount of time; if a
+    user has acheived that, then all bets are off for ANYTHING that you
+    do on the workstation.  It is best to get rid of Untrusted Local
+    Users as soon as possible.
+
+    Both the SSL and SSH tunnels set up by SSVNC listen on certain ports
+    on the 'localhost' address and redirect TCP connections to the remote
+    machine; usually the VNC server running there (but it could also be
+    another service, e.g. CUPS printing).  These are the stunnel(8) SSL
+    redirection and the ssh(1) '-L' port redirection.  Because 'localhost'
+    is used only users or programs on the same workstation that is
+    running SSVNC can connect to these ports, however this includes any
+    local users (not just the user running SSVNC.)
+
+    If the untrusted local user tries to connect to these ports, he may
+    succeed in varying degrees to gain access to the remote machine.
+    We now list some safeguards one can put in place to try to make this
+    more difficult to acheive.
+
+    It probably pays to have the VNC server require a password, even
+    though there has already been SSL or SSH authentication (via
+    certificates or passwords).  In general if the VNC Server requires
+    SSL authentication of the viewer that helps, unless the untrusted
+    local user has gained access to your SSVNC certificate keys.
+
+    If the VNC server is configured to only allow one viewer connection
+    at a time, then the window of opportunity that the untrusted local
+    user can use is greatly reduced: he might only have a second or two
+    between the tunnel being set up and the SSVNC vncviewer connecting
+    to it (i.e. if the VNC server only allows a single connection, the
+    untrusted local user cannot connect once your session is established).
+    Similarly, when you disconnect the tunnel is torn down quickly and
+    there is little or no window of opportunity to connect (e.g. x11vnc
+    in its default mode exits after the first client disconnects).
+
+    Also for SSL tunnelling with stunnel(8) on Unix using one of the SSVNC
+    prebuilt 'bundles', a patched stunnel is provided that denies all
+    connections after the first one, and exits when the first one closes.
+    This is not true if the system installed stunnel(8) is used and is
+    not true when using SSVNC on Windows.
+
+    The following are two experimental features that are added to SSVNC
+    to improve the situation for the SSL/stunnel case.  Set them via
+    Options -> Advanced -> "STUNNEL Local Port Protections".
+
+    1) For SSL tunnelling with stunnel(8) on Unix there is a setting
+       'Use stunnel EXEC mode' (experimental) that will try to exec(2)
+       stunnel instead of using a listening socket.  This will require
+       using the specially modified vncviewer unix viewer provided
+       by SSVNC.  If this mode proves stable it will become the default.
+
+    2) For SSL tunnelling with stunnel(8) on Unix there is a setting
+       'Use stunnel IDENT check' (experimental) to limit socket
+       connections to be from you (this assumes the untrusted local
+       user has not become root on your workstation and has modified
+       your local IDENT check service; if he has you have much bigger
+       problems to worry about...)
+
+    There is also one simple LD_PRELOAD trick for SSH to limit the number
+    of accepted port redirection connections.  This makes the window of
+    time the untrusted local user can connect to the tunnel much smaller.
+    Enable it via Options -> Advanced -> "SSH Local Port Protections".
+    You will need to have the lim_accept.so file in your SSVNC package.
+
+    The main message is to 'Watch your Back' when you connect via the
+    SSVNC tunnels and there are users you don't trust on your workstation.
+    The same applies to ANY use of SSH '-L' port redirections or outgoing
+    stunnel SSL redirection services.
+
+
 Help and Info:
 -------------
 

x11vnc/misc/enhanced_tightvnc_viewer/Windows/sshvnc.bat

+start ssvnc.exe -ssh %1 %2 %3 %4 %5 %6 %7 %8 %9

x11vnc/misc/enhanced_tightvnc_viewer/Windows/tsvnc.bat

+start ssvnc.exe -ts %1 %2 %3 %4 %5 %6 %7 %8 %9

x11vnc/misc/enhanced_tightvnc_viewer/bin/sshvnc

+#!/bin/sh
+# 
+# wrapper for SSH_ONLY mode 
+# 
+PATH=`dirname "$0"`:$PATH; export PATH
+SSVNC_SSH_ONLY=1; export SSVNC_SSH_ONLY
+exec ssvnc -ssh "$@"

x11vnc/misc/enhanced_tightvnc_viewer/bin/ssvnc

@@ -79,7 +79,11 @@ nearby=0
 if [ -x "$dir/vncviewer" -a -x "$dir/stunnel" ]; then
 	nearby=1
 fi
-if [ ! -d "$dir/$name" -a $nearby = 0 ]; then
+if [ "X$name" = "X." ]; then
+	:
+	#type vncviewer
+	#type stunnel
+elif [ ! -d "$dir/$name" -a $nearby = 0 ]; then
 	echo
 	echo "Cannot find platform dir for your OS `uname -sm`:"
 	echo

x11vnc/misc/enhanced_tightvnc_viewer/bin/ssvnc_cmd

 #!/bin/sh
 #
-# Copyright (c) 2006 by Karl J. Runge <runge@karlrunge.com>
+# Copyright (c) 2006-2008 by Karl J. Runge <runge@karlrunge.com>
 #
 # ssvnc_cmd:
 #
@@ -23,9 +23,15 @@
 #
 # Usage:
 #
-#     ssvnc_cmd [ss_vncviewer-args] hostname:N [tightvncviewer-args]
+#     ssvnc_cmd [ss_vncviewer-args] hostname:N [vncviewer-args]
 #
-# "hostname:N" is the host and VNC display to connect to, e.g. snoopy:0
+#  if, instead, this script is named "tightvncviewer" it calls the
+#  vncviewer directly and must be invoked as:
+#
+#     tightvncviewer [vncviewer-args] hostname:N
+#
+# In both cases, "hostname:N" is the host and VNC display to connect to,
+# e.g. snoopy:0
 #
 # See the script util/ss_vncviewer for details about its arguments:
 #
@@ -35,6 +41,8 @@
 #	-alpha
 #	-grab
 #
+# N.B. if this script is named "tightvncviewer" the vncviewer is called
+# directly, and there won't be any SSL or SSH encryption tunnels.
 #
 # If the *very first* argument is "-cotvnc" then it is assumed you are on
 # Darwin and want to run the Chicken of the VNC viewer via our wrapper.
@@ -75,9 +83,12 @@
 #       Option names may be abbreviated, e.g. -bgr instead of -bgr233.
 #       See the manual page for more information.
 #  
+# Note: the enhanced tightvnc viewer (SSVNC) has many more options, run
+# this script as "ssvnc_cmd Vnc://a:0 -help" or "tightvncviewer -help"
+# to seem them.
 
-if [ "X$1" = "X-h" -o "X$1" = "X-help" -o "X$1" = "X--help" ]; then
-	head -76 "$0" | grep -v bin/sh
+if [ "X$1" = "X-h" -o "X$1" = "X-helpxxx" -o "X$1" = "X--help" ]; then
+	tail -n +2 "$0" | sed -e '/^$/ q' -e 's/^#//' 
 	exit
 fi
 
@@ -145,12 +156,20 @@ do
 done
 dir=`dirname "$f"`
 PATH="$dir:$PATH"
+SSVNC_BASEDIR="$dir"
+export SSVNC_BASEDIR
+SSVNC_UNAME="$name"
+export SSVNC_UNAME
 
 nearby=0
 if [ -x "$dir/vncviewer" -a -x "$dir/stunnel" ]; then
 	nearby=1
 fi
-if [ ! -d "$dir/$name" -a $nearby = 0 ]; then
+if [ "X$name" = "X." ]; then
+	:
+	#type vncviewer
+	#type stunnel
+elif [ ! -d "$dir/$name" -a $nearby = 0 ]; then
 	echo
 	echo "Cannot find platform dir for your OS `uname -sm`:"
 	echo
@@ -223,6 +242,9 @@ fi
 #
 #
 if [ $use_ours = 1 ]; then
+	# avoid system vncviewer app-defaults
+	#XFILESEARCHPATH="/tmp/path/nowhere"; export XFILESEARCHPATH
+
 	if [ "X$base" = "Xtightvncviewer" ]; then
 		$VNCVIEWERCMD -encodings 'copyrect tight zrle zlib hextile' "$@"
 	else

x11vnc/misc/enhanced_tightvnc_viewer/bin/tsvnc

+#!/bin/sh
+# 
+# wrapper for TS_ONLY mode 
+# 
+PATH=`dirname "$0"`:$PATH; export PATH
+SSVNC_TS_ONLY=1; export SSVNC_TS_ONLY
+exec ssvnc -ts "$@"

x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ss_vncviewer

@@ -447,6 +447,9 @@ findfree() {
 # removes files, etc.
 final() {
 	echo ""
+	if [ "X$tmp_cfg" != "X" ]; then
+		rm -f $tmp_cfg
+	fi
 	if [ "X$SS_VNCVIEWER_RM" != "X" ]; then
 		rm -f $SS_VNCVIEWER_RM 2>/dev/null
 	fi
@@ -1012,6 +1015,24 @@ if [ "X$use_ssh" = "X1" ]; then
 	# let user override ssh via $SSH
 	ssh=${SSH:-"ssh -x"}
 
+	if [ "X$SSVNC_LIM_ACCEPT_PRELOAD" != "X" ]; then
+		SSVNC_LIM_ACCEPT_PRELOAD="$SSVNC_BASEDIR/$SSVNC_UNAME/$SSVNC_LIM_ACCEPT_PRELOAD"
+	fi
+	if [ "X$SSVNC_LIM_ACCEPT_PRELOAD" != "X" ]; then
+		echo ""
+		echo "SSVNC_LIM_ACCEPT_PRELOAD=$SSVNC_LIM_ACCEPT_PRELOAD"
+	fi
+
+	if [ "X$SSVNC_LIM_ACCEPT_PRELOAD" != "X" -a -f "$SSVNC_LIM_ACCEPT_PRELOAD" ]; then
+		plvar=LD_PRELOAD
+		if uname | grep Darwin >/dev/null; then
+			plvar="DYLD_FORCE_FLAT_NAMESPACE=1 DYLD_INSERT_LIBRARIES"
+		fi
+		ssh="env $plvar=$SSVNC_LIM_ACCEPT_PRELOAD $ssh"
+	else
+		SSVNC_LIM_ACCEPT_PRELOAD=""
+	fi
+
 	if echo "$proxy" | egrep '(http|https|socks|socks4|socks5)://' > /dev/null; then
 		# Handle Web or SOCKS proxy(ies) for the initial connect.
 Kecho host=$host
@@ -1328,10 +1349,11 @@ Kecho proxy=$proxy
 
 	c=0
 	pssh=""
+	mssh=`echo "$ssh" | sed -e 's/^env.*ssh/ssh/'`
 	while [ $c -lt 30 ]
 	do
 		p=`expr $pmark + $c`
-		if ps -p "$p" 2>&1 | grep "$ssh" > /dev/null; then
+		if ps -p "$p" 2>&1 | grep "$mssh" > /dev/null; then
 			pssh=$p
 			break
 		fi
@@ -1339,6 +1361,8 @@ Kecho proxy=$proxy
 	done
 	if [ "X$getport" != "X" ]; then
 		:
+	elif [ "X$SSVNC_LIM_ACCEPT_PRELOAD" != "X" ] ; then
+		sleep 2
 	elif [ "X$ssh_cmd" = "Xsleep $ssh_sleep" ] ; then
 		#echo T sleep 1
 		sleep 1
@@ -1523,9 +1547,11 @@ if [ "X$direct_connect" != "X" ]; then
 	exit $?
 fi
 
-tmp=/tmp/ss_vncviewer${RANDOM}.$$
-mytmp "$tmp"
+tmp_cfg=/tmp/ss_vncviewer${RANDOM}.$$
+mytmp "$tmp_cfg"
 
+# make_tcert is no longer invoked via the ssvnc gui (Listen mode).
+# make_tcert is for testing only now via -mycert BUILTIN
 make_tcert() {
 	tcert="/tmp/tcert${RANDOM}.$$"
 	cat > $tcert <<END
@@ -1584,37 +1610,50 @@ END
 	echo "$tcert"
 }
 
+stunnel_exec=""
+if echo $STUNNEL_EXTRA_SVC_OPTS | grep '#stunnel-exec' > /dev/null; then
+	stunnel_exec="#"
+fi
+
 if [ "X$reverse" = "X" ]; then
 
 	if echo "$proxy" | grep repeater:// > /dev/null; then
-		if [ "X$cert" = "X" ]; then
+		if [ "X$cert" = "XBUILTIN" ]; then
 			ttcert=`make_tcert`
 			cert="cert = $ttcert"
 		fi
+		# Note for listen mode, an empty cert will cause stunnel to fail.
+		# The ssvnc gui will have already taken care of this.
 	fi
 
-	cat > "$tmp" <<END
+	cat > "$tmp_cfg" <<END
 foreground = yes
 pid =
 client = yes
 debug = 6
 $STUNNEL_EXTRA_OPTS
+$STUNNEL_EXTRA_OPTS_USER
 $verify
 $cert
 
-[vnc_stunnel]
-accept = localhost:$use
+${stunnel_exec}[vnc_stunnel]
+${stunnel_exec}accept = localhost:$use
 $connect
+$STUNNEL_EXTRA_SVC_OPTS
+$STUNNEL_EXTRA_SVC_OPTS_USER
 
 END
 else
+	stunnel_exec=""	# doesn't work for listening.
 
 	p2=`expr 5500 + $N`
 	connect="connect = localhost:$p2"
-	if [ "X$cert" = "X" ]; then
+	if [ "X$cert" = "XBUILTIN" ]; then
 		ttcert=`make_tcert`
 		cert="cert = $ttcert"
 	fi
+	# Note for listen mode, an empty cert will cause stunnel to fail.
+	# The ssvnc gui will have already taken care of this.
 
 	STUNNEL_EXTRA_OPTS=`echo "$STUNNEL_EXTRA_OPTS" | sed -e 's/maxconn/#maxconn/'`
 
@@ -1622,18 +1661,21 @@ else
 	if [ "X$use_ssh" = "X1" ]; then
 		hloc="localhost:"
 	fi
-	cat > "$tmp" <<END
+	cat > "$tmp_cfg" <<END
 foreground = yes
 pid =
 client = no
 debug = 6
 $STUNNEL_EXTRA_OPTS
+$STUNNEL_EXTRA_OPTS_USER
 $verify
 $cert
 
 [vnc_stunnel]
 accept = $hloc$port
 $connect
+$STUNNEL_EXTRA_SVC_OPTS
+$STUNNEL_EXTRA_SVC_OPTS_USER
 
 END
 fi
@@ -1641,31 +1683,33 @@ fi
 echo ""
 echo "Using this stunnel configuration:"
 echo ""
-cat "$tmp" | uniq
+cat "$tmp_cfg" | uniq
 echo ""
 sleep 1
 
-echo ""
-echo "Running stunnel:"
-echo "$STUNNEL $tmp"
-st=`echo "$STUNNEL" | awk '{print $1}'`
-$st -help > /dev/null 2>&1
-$STUNNEL "$tmp" < /dev/tty > /dev/tty &
-stunnel_pid=$!
-echo ""
-
-# pause here to let the user supply a possible passphrase for the
-# mycert key:
-if [ "X$mycert" != "X" ]; then
-	sleep 1
+if [ "X$stunnel_exec" = "X" ]; then
 	echo ""
-	echo "(pausing for possible certificate passphrase dialog)"
+	echo "Running stunnel:"
+	echo "$STUNNEL $tmp_cfg"
+	st=`echo "$STUNNEL" | awk '{print $1}'`
+	$st -help > /dev/null 2>&1
+	$STUNNEL "$tmp_cfg" < /dev/tty > /dev/tty &
+	stunnel_pid=$!
 	echo ""
-	sleep 4
+
+	# pause here to let the user supply a possible passphrase for the
+	# mycert key:
+	if [ "X$mycert" != "X" ]; then
+		sleep 1
+		echo ""
+		echo "(pausing for possible certificate passphrase dialog)"
+		echo ""
+		sleep 4
+	fi
+	#echo T sleep 1
+	sleep 1
+	rm -f "$tmp_cfg"
 fi
-#echo T sleep 1
-sleep 1
-rm -f "$tmp"
 
 
 echo ""
@@ -1675,15 +1719,19 @@ if [ "X$SSVNC_EXTRA_SLEEP" != "X" ]; then
 fi
 echo "Running viewer:"
 if [ "X$reverse" = "X" ]; then
-	echo "$VNCVIEWERCMD" "$@" localhost:$N
+	vnc_hp=localhost:$N
+	if [ "X$stunnel_exec" != "X" ]; then
+		vnc_hp="exec=$STUNNEL $tmp_cfg"
+	fi
+	echo "$VNCVIEWERCMD" "$@" "$vnc_hp"
 	trap "final" 0 2 15
 	echo ""
-	$VNCVIEWERCMD "$@" localhost:$N
+	$VNCVIEWERCMD "$@" "$vnc_hp"
 	if [ $? != 0 ]; then
 		echo "vncviewer command failed: $?"
 		if [ "X$secondtry" = "X1" ]; then
 			sleep 2
-			$VNCVIEWERCMD "$@" localhost:$N
+			$VNCVIEWERCMD "$@" "$vnc_hp"
 		fi
 	fi
 else

x11vnc/misc/enhanced_tightvnc_viewer/man/man1/ssvnc.1

+'\" t
+.\" ** The above line should force tbl to be a preprocessor **
+.\" Man page for the SSVNC vncviewer
+.\"
+.\" Copyright (C) 2006-2008 Karl J. Runge <runge@karlrunge.com>
+.\"
+.\" You may distribute under the terms of the GNU General Public
+.\" License as specified in the file LICENCE.TXT that comes with the
+.\" TightVNC distribution.
+.\"
+.TH ssvnc 1 "September 2008" "" "SSVNC"
+.SH NAME
+ssvnc \- a GUI wrapper for SSL and SSH VNC connections.
+.SH SYNOPSIS
+.B ssvnc
+.br
+.B ssvnc
+.RI [\| host \|][\| :display \|]
+.br
+.B ssvnc
+.RI [\| saved-profile-name \|]
+.br
+.B ssvnc
+.RI [\| options \|][\| host-or-profile \]
+.br
+.B ssvnc
+.IR \--help
+.br
+.SH DESCRIPTION
+.B ssvnc
+is a tcl/tk gui wrapper that runs on Unix, MacOSX, and Windows.
+It sets up an SSL or SSH tunnel to the remote VNC Server and then launches
+the VNC viewer (either the one provided or another one that you have
+specified) to use that encrypted tunnel to connect to the VNC Server.
+The use of Proxies and Gateways to make the connections is implemented. 
+
+Once you have started the SSVNC gui, you can click on the buttons
+"Help", "Options -> Help", "Certs -> Help", etc. for much information
+on how to use and configure the tool.
+
+In short, you supply a VNC server "hostname:display" in the
+"VNC Host:Display" entry box and then press the "Connect" button to
+connect to the server via SSL (stunnel).  E.g. "far-away.east:0".
+Port numbers are also allowed, e.g. far-away.east:5905.
+
+Or supply user@hostname:display and click on the "Use SSH" option, then
+press the "Connect" button to connect to the server via an SSH tunnel.
+E.g. "fred@far-away.east:0".
+
+As an easter egg, we note it is also possible to disable the use of SSL/SSH 
+encryption tunnels by using a vnc:// or Vnc:// prefix before
+host:display.
+
+Normally you do not specify any command line options.  You simply
+run \fBssvnc\fR and use the GUI that starts up.
+
+However, as shortcuts you can supply a VNC host:display (or host:port)
+on the command line.  to connect to immediately (the GUI is started
+and the connection is initiated).  For example, "\fBssvnc far-away.east:0\fR"
+Instead of a  host:display, you can specify the name of a saved profile to
+automatically load that profile and then connect to its server.  
+For example "\fBssvnc far\fR", if you name the profile "far".
+You can use the \fB-profiles\fR option to list the profiles you have saved.
+
+The related commands \fBsshvnc\fR and \fBtsvnc\fR start up the GUI in
+simplified modes: SSH Only Mode, and Terminal Services Mode, respectively.
+See below and the application Help for more information on the modes.
+
+There are also some command line options described as follows.
+.SH OPTIONS
+.TP
+\fB\--help\fR
+Starts up the GUI as though the 'Help' button was pressed to show the
+main Help panel.
+.TP
+\fB\-profiles\fR
+List the saved SSVNC profiles you have created.  A profile
+is a destination host with specific parameter settings.
+.TP
+\fB\-list\fR
+Same as \fB\-profiles\fR
+.TP
+\fB\-ssh\fR
+Start in "SSH Only Mode".  No SSL aspects are shown.
+Same as running the command \fBsshvnc\fR
+.TP
+\fB\-ts\fR
+Start in "Terminal Services Mode".  This is like "SSH Only Mode", but
+simpler and assumes \fBx11vnc\fR is available on the remote side
+to start and manage X and VNC sessions.
+Same as running the command \fBtsvnc\fR
+.TP
+\fB\-tso\fR
+Same as \fB-ts\fR "Terminal Services Mode", however never let the
+user leave this mode (no button to switch modes is provided.)
+Same as SSVNC_TS_ALWAYS=1.
+.TP
+\fB\-ssl\fR
+Force the full GUI Mode: both SSL and SSH.  This is the default.
+.TP
+\fB\-nv\fR
+Toggle the "Verify All Certs" button to be off at startup.
+.TP
+\fB\-nvb\fR
+Never show the "Verify All Certs" button.
+Same as SSVNC_NO_VERIFY_ALL_BUTTON=1.
+.TP
+\fB\-bigger\fR
+Make the Profile Selection Dialog window bigger.
+Same as SSVNC_BIGGER_DIALOG=1.
+.SH URL NOTATION
+Here are all of our URL-like prefixes that you can put in front of
+host:display (or host:port): 
+
+For SSL:  vncs:// vncssl:// and vnc+ssl://
+
+For SSH:  vncssh:// and vnc+ssh://
+
+For No Encryption Tunnel:  vnc:// and Vnc://
+
+Examples:
+
+To quickly make an SSL connection: \fBssvnc vncs://snoopy.com:0\fR
+
+To quickly make an SSH connection: \fBssvnc vnc+ssh://fred@snoopy.com:0\fR
+
+To quickly make a direct connection: \fBssvnc Vnc://snoopy.com:0\fR
+
+The above will also work in the "VNC Host:Display" entry box in the GUI.
+Press the "Connect" button after entering them.
+.SH FILES
+Your SSVNC vnc profiles are stored in the \fB$HOME/.vnc/profiles\fR
+directory.  They end in suffix \fB.vnc\fR
+
+Your SSVNC vnc certificates and keys are stored in the \fB$HOME/.vnc/certs\fR
+directory.  They typically end in \fB.pem\fR (both certificate and
+private key) or \fB.crt\fR (certificate only).
+
+You can put a few global parameters (e.g. mode=sshvnc) in your
+\fB$HOME/.ssvncrc\fR file (\fBssvnc_rc\fR on Windows); see the
+application Help for more information.
+
+.SH SEE ALSO
+\fBssvncviewer\fB(1), \fBvncviewer\fR(1), \fBstunnel\fR(8), \fBssh\fR(1), \fBx11vnc\fR(1), \fBvncserver\fR(1) 
+http://www.karlrunge.com/x11vnc http://www.karlrunge.com/x11vnc/ssvnc.html
+.SH AUTHORS
+Karl J. Runge <runge@karlrunge.com> wrote the SSVNC gui (tcl/tk) and
+associated wrapper scripts.

x11vnc/misc/enhanced_tightvnc_viewer/src/patches/_getpatches

@@ -3,3 +3,7 @@
 cp -p /dist/src/apps/VNC/tight_vnc_1.3dev5/tight-vncviewer*patch .
 cp -p /dist/src/apps/VNC/tight_vnc_1.3dev5/vnc_unixsrc_vncviewer.patched.tar ../zips/
 
+cp -p /dist/src/apps/VNC/etc/libvncserver_cvs/expts/java_ssl/ultra/ultraftp.tar ../zips/
+cp -p /dist/src/apps/VNC/etc/libvncserver_cvs/expts/vncstorepw.tar ../zips/
+
+cp -p /dist/src/apps/VNC/tight_vnc_1.3dev5/vnc_unixsrc/vncviewer/vncviewer.man ../../man/man1/ssvncviewer.1

x11vnc/options.c

@@ -241,6 +241,7 @@ int ncache_dt_change = 1;
 int ncache_keep_anims = 0;
 int ncache_old_wm = 0;
 int macosx_ncache_macmenu = 0;
+int macosx_us_kbd = 0;
 int ncache_beta_tester = 0;
 int ncdb = 0;
 

x11vnc/options.h

@@ -182,6 +182,7 @@ extern int ncache_xrootpmap;
 extern int ncache_keep_anims;
 extern int ncache_old_wm;
 extern int macosx_ncache_macmenu;
+extern int macosx_us_kbd;
 extern int ncache_beta_tester;
 extern int ncdb;
 

x11vnc/pointer.c

@@ -690,6 +690,9 @@ void pointer(int mask, int x, int y, rfbClientPtr client) {
 				button_mask_prev = button_mask;
 				button_mask = mask;
 			}
+			if (!view_only && (input.motion || input.button)) {
+				last_rfb_ptr_injected = dnow();
+			}
 			return;
 		}
 	}
@@ -714,6 +717,7 @@ void pointer(int mask, int x, int y, rfbClientPtr client) {
 		last_pointer_client = client;
 
 		last_pointer_time = now;
+		last_rfb_ptr_injected = dnow();
 
 		if (blackout_ptr && blackouts) {
 			int b, ok = 1;

x11vnc/remote.c

@@ -630,6 +630,10 @@ int remote_control_access_ok(void) {
 #endif	/* NO_X11 */
 }
 
+#ifdef MACOSX
+void macosxCG_keycode_inject(int down, int keycode);
+#endif
+
 /*
  * Huge, ugly switch to handle all remote commands and queries
  * -remote/-R and -query/-Q.
@@ -3502,6 +3506,19 @@ char *process_remote_cmd(char *cmd, int stringonly) {
 		adjust_grabs(0, 0);
 		rfbLog("disabled grab_always\n");
 
+	} else if (strstr(p, "grablocal") == p) {
+		COLON_CHECK("grablocal:")
+		if (query) {
+			snprintf(buf, bufn, "ans=%s%s%d", p, co,
+			    grab_local);
+			goto qry;
+		}
+		p += strlen("grablocal:");
+
+		grab_local = atoi(p);
+		rfbLog("remote_cmd: changed -grablocal to: %d\n",
+		    grab_local);
+
 	} else if (strstr(p, "client_input") == p) {
 		NOTAPP
 		COLON_CHECK("client_input:")
@@ -3578,6 +3595,28 @@ char *process_remote_cmd(char *cmd, int stringonly) {
 		rfbLog("remote_cmd: turning off debug_keyboard.\n");
 		debug_keyboard = 0;
 
+	} else if (strstr(p, "keycode") == p) {
+		int kc;
+		NOTAPP
+		COLON_CHECK("keycode:")
+		p += strlen("keycode:");
+		kc = atoi(p);
+		if (kc < 0) kc = 0;
+		kc = kc % 256;
+		rfbLog("remote_cmd: insert keycode %d\n", kc);
+
+		if (macosx_console) {
+#ifdef MACOSX
+			macosxCG_keycode_inject(1, kc);
+			usleep(100*1000);
+			macosxCG_keycode_inject(0, kc);
+#endif
+		} else {
+			XTestFakeKeyEvent_wr(dpy, kc, 1, CurrentTime);
+			usleep(100*1000);
+			XTestFakeKeyEvent_wr(dpy, kc, 0, CurrentTime);
+		}
+		
 	} else if (strstr(p, "deferupdate") == p) {
 		int d;
 		COLON_CHECK("deferupdate:")
@@ -4421,6 +4460,19 @@ char *process_remote_cmd(char *cmd, int stringonly) {
 		rfbLog("remote_cmd: disable macosx_ncache_macmenu.\n");
 		macosx_ncache_macmenu = 0;
 
+	} else if (!strcmp(p, "macuskbd")) {
+		if (query) {
+			snprintf(buf, bufn, "ans=%s:%d", p, macosx_us_kbd); goto qry;
+		}
+		rfbLog("remote_cmd: enable macosx_us_kbd.\n");
+		macosx_us_kbd = 1;
+	} else if (!strcmp(p, "nomacuskbd")) {
+		if (query) {
+			snprintf(buf, bufn, "ans=%s:%d", p, !macosx_us_kbd); goto qry;
+		}
+		rfbLog("remote_cmd: disable macosx_us_kbd.\n");
+		macosx_us_kbd = 0;
+
 	} else if (strstr(p, "hack") == p) { /* skip-cmd-list */
 		COLON_CHECK("hack:")
 		if (query) {