Commit d5cba7a5 authored by runge's avatar runge

x11vnc: kill gui_pid on exit in -connect/-connect_or_exit mode.

   -grablocal n experiment (not compiled by default).  -macuskbd
   option for macosx for orig uskbd code. keycode=N remote control
   cmd.  Find dpy look at non-NFS cookies in /tmp.  Fix gui tray
   insertion on recent gnome dt. Fix connect_file bug. Sync SSVNC
parent dbfa4ad1
......@@ -1359,6 +1359,8 @@ static int get_cmap(int j, Colormap cmap) {
X_LOCK;
ncells = CellsOfScreen(ScreenOfDisplay(dpy, scr));
X_UNLOCK;
} else {
ncells = NCOLOR;
}
if (db24 > 1) fprintf(stderr, "get_cmap: %d 0x%x\n", j, (unsigned int) cmap);
......
2008-09-06 Karl Runge <runge@karlrunge.com>
* x11vnc: kill gui_pid on exit in -connect/-connect_or_exit mode.
-grablocal n experiment (not compiled by default). -macuskbd
option for macosx for orig uskdb code. keycode=N remote contol
cmd. Find dpy look at non-NFS cookies in /tmp. Fix gui tray
insertion on recent gnome dt. Fix connect_file bug. Sync SSVNC
2008-06-07 Karl Runge <runge@karlrunge.com>
* x11vnc: -clip xineramaN option, -DIGNORE_GETSPNAM for HP-UX.
Print info on SSH_CONNECTION override.
......
......@@ -755,6 +755,10 @@ void client_gone(rfbClientPtr client) {
if (inetd && client == inetd_client) {
rfbLog("inetd viewer exited.\n");
if (gui_pid > 0) {
rfbLog("killing gui_pid %d\n", gui_pid);
kill(gui_pid, SIGTERM);
}
clean_up_exit(0);
}
if (connect_once) {
......@@ -779,6 +783,10 @@ void client_gone(rfbClientPtr client) {
}
rfbLog("viewer exited.\n");
if ((client_connect || connect_or_exit) && gui_pid > 0) {
rfbLog("killing gui_pid %d\n", gui_pid);
kill(gui_pid, SIGTERM);
}
clean_up_exit(0);
}
#ifdef MACOSX
......@@ -2423,6 +2431,10 @@ void reverse_connect(char *str) {
if (connect_or_exit) {
rfbLogEnable(1);
rfbLog("exiting under -connect_or_exit\n");
if (gui_pid > 0) {
rfbLog("killing gui_pid %d\n", gui_pid);
kill(gui_pid, SIGTERM);
}
clean_up_exit(0);
}
return;
......@@ -2458,6 +2470,10 @@ void reverse_connect(char *str) {
if (client_count <= nclients0) {
rfbLogEnable(1);
rfbLog("exiting under -connect_or_exit\n");
if (gui_pid > 0) {
rfbLog("killing gui_pid %d\n", gui_pid);
kill(gui_pid, SIGTERM);
}
clean_up_exit(0);
}
}
......@@ -2737,6 +2753,7 @@ void check_gui_inputs(void) {
static int turn_off_truecolor = 0;
static void turn_off_truecolor_ad(rfbClientPtr client) {
if (client) {}
if (turn_off_truecolor) {
rfbLog("turning off truecolor advertising.\n");
screen->serverFormat.trueColour = FALSE;
......
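Review bot: The `if (gui_pid > 0) { ... kill(gui_pid, SIGTERM); }` block is pasted at four exit paths (two in client_gone, two in reverse_connect), and none of them checks the result of kill() or clears gui_pid afterwards. As far as these hunks show, gui_pid is a plain global set once after fork() and never reset when the gui child exits on its own, so a stale value could deliver SIGTERM to an unrelated process that has since reused the pid; this matters most when x11vnc runs as root. A single static helper called from all four places would keep the paths consistent and give one place to report errors and reset the pid. The `viewer exited.` path would keep its `client_connect || connect_or_exit` condition at the call site, and both functions begin and end outside the hunks shown.

```c
/* Terminate the gui child started by do_gui(), if we still hold its pid. */
static void kill_gui_pid(void) {
	if (gui_pid > 0) {
		rfbLog("killing gui_pid %d\n", (int) gui_pid);
		if (kill(gui_pid, SIGTERM) != 0) {
			rfbLogPerror("kill gui_pid");
		}
		gui_pid = 0;	/* never signal the same pid twice */
	}
}

/* ... unchanged: client_gone() up to the inetd viewer exit ... */
		rfbLog("inetd viewer exited.\n");
		kill_gui_pid();
		clean_up_exit(0);
```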
......@@ -25,6 +25,7 @@ Window tray_request = None;
Window tray_window = None;
int tray_unembed = 0;
pid_t run_gui_pid = 0;
pid_t gui_pid = 0;
char *get_gui_code(void);
......@@ -50,6 +51,10 @@ static Window tweak_tk_window_id(Window win) {
char *name = NULL;
Window parent, new;
if (getenv("NO_TWEAK_TK_WINDOW_ID")) {
return win;
}
/* hack for tk, does not report outermost window */
new = win;
parent = parent_window(win, &name);
......@@ -684,12 +689,14 @@ void do_gui(char *opts, int sleep) {
fprintf(icon_mode_fh, "none\n");
fflush(icon_mode_fh);
if (! got_connect_once) {
/* want -forever for tray */
if (!client_connect && !connect_or_exit) {
/* want -forever for tray? */
connect_once = 0;
}
}
}
}
}
if ((p = fork()) > 0) {
; /* parent */
......@@ -707,6 +714,7 @@ void do_gui(char *opts, int sleep) {
}
if (connect_to_x11vnc) {
run_gui_pid = p;
gui_pid = p;
}
#else
fprintf(stderr, "system does not support fork: start "
......
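Review bot: `gui_pid` is defined next to `run_gui_pid` and assigned the same value after fork() in do_gui, but nothing says why a second variable is needed or who is responsible for clearing it. A comment on the definition would help, for example `/* pid of the forked gui; signalled on exit in -connect/-connect_or_exit mode */`, together with a sentence on how its lifetime differs from run_gui_pid (that difference is not visible in these hunks). The new `getenv("NO_TWEAK_TK_WINDOW_ID")` escape hatch in tweak_tk_window_id is likewise undocumented here. do_gui continues outside the hunks shown.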
......@@ -12,6 +12,7 @@ extern Window tray_request;
extern Window tray_window;
extern int tray_unembed;
extern pid_t run_gui_pid;
extern pid_t gui_pid;
extern char *get_gui_code(void);
extern int tray_embed(Window iconwin, int remove);
......
......@@ -484,7 +484,7 @@ void print_help(int mode) {
" to plumb reverse connections.\n"
"\n"
"-connect_or_exit str As with -connect, except if none of the reverse\n"
" connections succeed, then x11vnc shutdowns immediately.\n"
" connections succeed, then x11vnc shuts down immediately\n"
"\n"
" By the way, if you do not want x11vnc to listen on\n"
" ANY interface use -rfbport 0 which is handy for the\n"
......@@ -628,6 +628,16 @@ void print_help(int mode) {
" use the -R remote control to turn the other back on,\n"
" e.g. -R nograbptr.\n"
"\n"
#ifdef ENABLE_GRABLOCAL
"-grablocal n If it appears that a user sitting at the physical\n"
" display has injected a keystroke or mouse event ignore\n"
" any VNC client inputs for the next n seconds. The idea\n"
" is that during a demonstration, etc, the local user\n"
" will not be interrupted by viewers accidentally moving\n"
" the mouse, etc. The detection of local user input is\n"
" approximate and so at times gives unexpected results.\n"
"\n"
#endif
"-viewpasswd string Supply a 2nd password for view-only logins. The -passwd\n"
" (full-access) password must also be supplied.\n"
"\n"
......@@ -3631,25 +3641,27 @@ void print_help(int mode) {
" You can also set the env. var X11VNC_UINPUT_DEBUG=1 or\n"
" higher to get debugging output for UINPUT mode.\n"
"\n"
"-macnodim For the native Mac OS X server, disable dimming. \n"
"-macnosleep For the native Mac OS X server, disable display sleep.\n"
"-macnosaver For the native Mac OS X server, disable screensaver.\n"
"-macnowait For the native Mac OS X server, do not wait for the\n"
"-macnodim For the native MacOSX server, disable dimming. \n"
"-macnosleep For the native MacOSX server, disable display sleep.\n"
"-macnosaver For the native MacOSX server, disable screensaver.\n"
"-macnowait For the native MacOSX server, do not wait for the\n"
" user to switch back to his display.\n"
"-macwheel n For the native Mac OS X server, set the mouse wheel\n"
"-macwheel n For the native MacOSX server, set the mouse wheel\n"
" speed to n (default 5).\n"
"-macnoswap For the native Mac OS X server, do not swap mouse\n"
"-macnoswap For the native MacOSX server, do not swap mouse\n"
" buttons 2 and 3.\n"
"-macnoresize For the native Mac OS X server, do not resize or reset\n"
"-macnoresize For the native MacOSX server, do not resize or reset\n"
" the framebuffer even if it is detected that the screen\n"
" resolution or depth has changed.\n"
"-maciconanim n For the native Mac OS X server, set n to the number\n"
"-maciconanim n For the native MacOSX server, set n to the number\n"
" of milliseconds that the window iconify/deiconify\n"
" animation takes. In -ncache mode this value will be\n"
" used to skip the animation if possible. (default 400)\n"
"-macmenu For the native Mac OS X server, in -ncache client-side\n"
"-macmenu For the native MacOSX server, in -ncache client-side\n"
" caching mode, try to cache pull down menus (not perfect\n"
" because they have animated fades, etc.)\n"
"-macuskbd For the native MacOSX server, use the original\n"
" keystroke insertion code based on a US keyboard.\n"
"\n"
"-gui [gui-opts] Start up a simple tcl/tk gui based on the the remote\n"
" control options -remote/-query described below.\n"
......@@ -3707,6 +3719,14 @@ void print_help(int mode) {
" fully functional, the gui mode should be \"start\"\n"
" (the default).\n"
"\n"
" Note that tray or icon mode will imply the -forever\n"
" x11vnc option (if the x11vnc server is started along\n"
" with the gui) unless -connect or -connect_or_exit has\n"
" been specified. So x11vnc (and the tray/icon gui)\n"
" will wait for more connections after the first client\n"
" disconnects. If you want only one viewer connection\n"
" include the -once option.\n"
"\n"
" For \"icon\" the gui just a small standalone window.\n"
" For \"tray\" it will attempt to embed itself in the\n"
" \"system tray\" if possible. If \"=setpass\" is appended then\n"
......@@ -4397,12 +4417,13 @@ void xopen_display_fail_message(char *disp) {
fprintf(stderr, "\n");
fprintf(stderr, "Some tips and guidelines:\n");
fprintf(stderr, "\n");
fprintf(stderr, " * An X server (the one you wish to view) must"
fprintf(stderr, "** An X server (the one you wish to view) must"
" be running before x11vnc is\n");
fprintf(stderr, " started: x11vnc does not start the X server. (however, see the\n");
fprintf(stderr, " recent -create option if that is what you really want).\n");
fprintf(stderr, " started: x11vnc does not start the X server. "
"(however, see the -create\n");
fprintf(stderr, " option if that is what you really want).\n");
fprintf(stderr, "\n");
fprintf(stderr, " * You must use -display <disp>, -OR- set and"
fprintf(stderr, "** You must use -display <disp>, -OR- set and"
" export your $DISPLAY\n");
fprintf(stderr, " environment variable to refer to the display of"
" the desired X server.\n");
......@@ -4414,7 +4435,7 @@ void xopen_display_fail_message(char *disp) {
" or a guru if you are having\n");
fprintf(stderr, " difficulty determining what your X DISPLAY is.\n");
fprintf(stderr, "\n");
fprintf(stderr, " * Next, you need to have sufficient permissions"
fprintf(stderr, "** Next, you need to have sufficient permissions"
" (Xauthority) \n");
fprintf(stderr, " to connect to the X DISPLAY. Here are some"
" Tips:\n");
......@@ -4438,7 +4459,7 @@ void xopen_display_fail_message(char *disp) {
" -display :0\n");
fprintf(stderr, " you must have read permission for the auth file.\n");
fprintf(stderr, "\n");
fprintf(stderr, " - If NO ONE is logged into an X session yet, but"
fprintf(stderr, "** If NO ONE is logged into an X session yet, but"
" there is a greeter login\n");
fprintf(stderr, " program like \"gdm\", \"kdm\", \"xdm\", or"
" \"dtlogin\" running, you will need\n");
......@@ -4447,18 +4468,21 @@ void xopen_display_fail_message(char *disp) {
fprintf(stderr, " Some examples for various display managers:\n");
fprintf(stderr, "\n");
fprintf(stderr, " gdm: -auth /var/gdm/:0.Xauth\n");
fprintf(stderr, " -auth /var/lib/gdm/:0.Xauth\n");
fprintf(stderr, " kdm: -auth /var/lib/kdm/A:0-crWk72\n");
fprintf(stderr, " -auth /var/run/xauth/A:0-crWk72\n");
fprintf(stderr, " xdm: -auth /var/lib/xdm/authdir/authfiles/A:0-XQvaJk\n");
fprintf(stderr, " dtlogin: -auth /var/dt/A:0-UgaaXa\n");
fprintf(stderr, "\n");
fprintf(stderr, " Sometimes the command \"ps wwwwaux | grep auth\""
" can reveal the file location.\n");
fprintf(stderr, "\n");
fprintf(stderr, " Only root will have read permission for the"
" file, and so x11vnc must be run\n");
fprintf(stderr, " as root. The random characters in the filenames"
" will of course change,\n");
fprintf(stderr, " and the directory the cookie file resides in may"
" also be system dependent.\n");
fprintf(stderr, " Sometimes the command \"ps wwwaux | grep auth\""
" can reveal the file location.\n");
fprintf(stderr, " as root (or copy it). The random characters in the filenames"
" will of course\n");
fprintf(stderr, " change and the directory the cookie file resides in"
" is system dependent.\n");
fprintf(stderr, "\n");
fprintf(stderr, "See also: http://www.karlrunge.com/x11vnc/#faq\n");
}
......@@ -4474,7 +4498,7 @@ void nopassword_warning_msg(int gotloc) {
"#@ YOU ARE RUNNING X11VNC WITHOUT A PASSWORD!! @#\n"
"#@ @#\n"
"#@ This means anyone with network access to this computer @#\n"
"#@ will be able to view and control your desktop. @#\n"
"#@ may be able to view and control your desktop. @#\n"
"#@ @#\n"
"#@ >>> If you did not mean to do this Press CTRL-C now!! <<< @#\n"
"#@ @#\n"
......
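Review bot: The reworded tip in xopen_display_fail_message now says x11vnc must be run `as root (or copy it)`, which points users at copying the display manager's X authority cookie without saying how to keep the copy private. Anyone who can read that cookie can connect to the X display, so the text should say that the copy must be readable only by the user running x11vnc and removed when no longer needed, e.g. `" as root (or copy it to a file only you can read)."`. Separately, the new -connect_or_exit help line `shuts down immediately` lost its trailing period. The function bodies start outside the hunks shown.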
......@@ -3149,6 +3149,7 @@ void keyboard(rfbBool down, rfbKeySym keysym, rfbClientPtr client) {
last_rfb_down = down;
last_rfb_keysym = keysym;
last_rfb_keytime = tnow;
last_rfb_key_injected = dnow();
got_user_input++;
got_keyboard_input++;
......@@ -3176,6 +3177,7 @@ void keyboard(rfbBool down, rfbKeySym keysym, rfbClientPtr client) {
last_rfb_down = down;
last_rfb_keysym = keysym;
last_rfb_keytime = tnow;
last_rfb_key_injected = dnow();
got_user_input++;
got_keyboard_input++;
......
......@@ -31,6 +31,7 @@ int macosxCG_get_cursor_pos(int *x, int *y);
int macosxCG_get_cursor(void);
void macosxCG_init_key_table(void);
void macosxCG_key_inject(int down, unsigned int keysym);
void macosxCG_keycode_inject(int down, int keycode);
CGDirectDisplayID displayID = 0;
......@@ -595,6 +596,14 @@ void macosxCG_init_key_table(void) {
}
extern void init_key_table(void);
extern int macosx_us_kbd;
void macosxCG_keycode_inject(int down, int keycode) {
CGKeyCode keyCode = (CGKeyCode) keycode;
CGCharCode keyChar = 0;
CGPostKeyboardEvent(keyChar, keyCode, down);
}
void macosxCG_key_inject(int down, unsigned int keysym) {
CGKeyCode keyCode = keyTable[(unsigned short)keysym];
......@@ -606,7 +615,7 @@ void macosxCG_key_inject(int down, unsigned int keysym) {
init_key_table();
if (keysym < 0xFF) {
if (keysym < 0xFF && macosx_us_kbd) {
keyChar = (CGCharCode) keysym;
}
if (keyCode == 0xFFFF) {
......
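Review bot: macosxCG_keycode_inject casts the caller's `int keycode` straight to `CGKeyCode` and posts it, so a negative or oversized value is silently truncated to some other key code. The commit message says this backs a `keycode=N` remote control command, so N is supplied from outside the process; a range check before the cast, e.g. `if (keycode < 0 || keycode > 0xFFFF) return;`, would reject bad input instead of injecting an unintended key. A one-line comment stating that the value is posted as-is and bypasses keyTable would also help the next reader.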
......@@ -20,6 +20,7 @@ extern int macosxCG_get_cursor_pos(int *x, int *y);
extern int macosxCG_get_cursor(void);
extern void macosxCG_init_key_table(void);
extern void macosxCG_key_inject(int down, unsigned int keysym);
extern void macosxCG_keycode_inject(int down, int keycode);
extern void macosxCG_refresh_callback_off(void);
extern void macosxCG_refresh_callback_on(void);
......
......@@ -29,7 +29,7 @@ survey http://rechten.uvt.nl/koops/cryptolaw/index.htm for useful
information.
All work done by Karl J. Runge in this project is
Copyright (c) 2006-2007 Karl J. Runge and is licensed under the GPL as
Copyright (c) 2006-2008 Karl J. Runge and is licensed under the GPL as
described in the file COPYING in this directory.
All the files and information in this project are provided "AS IS"
......@@ -66,23 +66,30 @@ The enhanced TightVNC viewer features are:
- Create or Import SSL Certificates and Private Keys.
- Reverse (viewer listening) VNC connections via SSL and SSH.
- Support for Web Proxies, SOCKS Proxies, and the UltraVNC
repeater proxy (e.g. repeater://host:port+ID:1234). Multiple
proxies may be chained together (3 max).
- Support for SSH Gateway connections and non-standard SSH ports.
- You can also use your own VNC Viewer, e.g. UltraVNC or RealVNC,
with the front-end GUI or scripts if you like.
- Automatic Service tunnelling via SSH for CUPS and SMB Printing,
ESD/ARTSD Audio, and SMB (Windows/Samba) filesystem mounting.
- Sets up any additional SSH port redirections that you want.
- Port Knocking for "closed port" SSH/SSL connections. In addition
to a simple fixed port sequence and one-time-pad implementation,
a hook is also provided to run any port knocking client before a
connecting.
- You can also use your own VNC Viewer, e.g. UltraVNC or RealVNC,
with the front-end GUI or scripts if you like.
- Sets up any additional SSH port redirections that you want.
- Support for native MacOS X usage with bundled Chicken of the
VNC viewer.
- Reverse (viewer listening) VNC connections via SSL and SSH.
VNC viewer (the Unix X11 viewer is also provided for MacOS X,
and is better IMHO).
- Dynamic VNC Server Port determination and redirection (using
ssh's builtin SOCKS proxy, -D) for servers like x11vnc that
......@@ -116,6 +123,16 @@ The enhanced TightVNC viewer features are:
(java must be in $PATH). Note that x11vnc supports UltraVNC
file transfer.
- Connection support for the UltraVNC repeater proxy (-repeater
option).
- Support for UltraVNC Single Click operation. (both unencrypted:
SC I, and SSL encrypted: SC III)
- Instead of hostname:display one can also supply "exec=command args..."
to connect the viewer to the stdio of an external command
(e.g. stunnel or socat) rather than using a TCP/IP socket.
- Extremely low color modes: 64 and 8 colors in 8bpp
(-use64/-bgr222, -use8/-bgr111)
......@@ -391,7 +408,7 @@ If you need to Build:
If your OS/arch is not included or the provided binary has the wrong
library dependencies, etc. the script "build.unix" may be able to
successfully build on for you and deposit the binaries down in ./bin/...
using the included source code.
using the included source code. It is a hack but usually works.
You MUST run the build.unix script from this directory (that this toplevel
README is in, i.e "ssvnc") and like this:
......@@ -401,9 +418,30 @@ README is in, i.e "ssvnc") and like this:
To use custom locations for libraries see the LDFLAGS_OS and CPPFLAGS_OS
description at the top of the build.unix script.
You can set these env. vars to customize the build:
SSVNC_BUILD_NO_STATIC=1 do not try to statically link libs
SSVNC_BUILD_FORCE_OVERWRITE=1 do not prompt about existing binaries
SSVNC_BUILD_SKIP_VIEWER=1 do not build vncviewer
SSVNC_BUILD_SKIP_STUNNEL=1 do not build stunnel
SSVNC_BUILD_ULTRAFTP=1 only build the file xfer helper jar
here is an example to build only the vncviewer and with normal library
linking (and in a more or less automated way):
env SSVNC_BUILD_NO_STATIC=1 SSVNC_BUILD_FORCE_OVERWRITE=1 SSVNC_BUILD_SKIP_STUNNEL=1 ./build.unix
Feel free to ask us if you need help running ./build.unix
Convential Build:
A more conventional source tarball is provided in ssvnc-x.y.z.src.tar.gz.
It uses a more or less familiar 'make config; make all; make install'
method. It does not include stunnel, so that must be installed on the
system separately.
The programs:
------------
......@@ -519,6 +557,86 @@ as long as you install external vncviewer and stunnel packages:
ssvnc_unix_minimal-1.x.y.tar.gz
Untrusted Local Users:
---------------------
*IMPORTANT WARNING*: If you run SSVNC on a workstation or computer
that other users can log into and you DO NOT TRUST these users
(it is a shame but sometimes one has to work in an environment like
this), then please note the following warning.
By 'do not trust' we mean they might try to gain access to remote
machines you connect to via SSVNC. Note that an untrusted local
user can often obtain root access in a short amount of time; if a
user has acheived that, then all bets are off for ANYTHING that you
do on the workstation. It is best to get rid of Untrusted Local
Users as soon as possible.
Both the SSL and SSH tunnels set up by SSVNC listen on certain ports
on the 'localhost' address and redirect TCP connections to the remote
machine; usually the VNC server running there (but it could also be
another service, e.g. CUPS printing). These are the stunnel(8) SSL
redirection and the ssh(1) '-L' port redirection. Because 'localhost'
is used only users or programs on the same workstation that is
running SSVNC can connect to these ports, however this includes any
local users (not just the user running SSVNC.)
If the untrusted local user tries to connect to these ports, he may
succeed in varying degrees to gain access to the remote machine.
We now list some safeguards one can put in place to try to make this
more difficult to acheive.
It probably pays to have the VNC server require a password, even
though there has already been SSL or SSH authentication (via
certificates or passwords). In general if the VNC Server requires
SSL authentication of the viewer that helps, unless the untrusted
local user has gained access to your SSVNC certificate keys.
If the VNC server is configured to only allow one viewer connection
at a time, then the window of opportunity that the untrusted local
user can use is greatly reduced: he might only have a second or two
between the tunnel being set up and the SSVNC vncviewer connecting
to it (i.e. if the VNC server only allows a single connection, the
untrusted local user cannot connect once your session is established).
Similarly, when you disconnect the tunnel is torn down quickly and
there is little or no window of opportunity to connect (e.g. x11vnc
in its default mode exits after the first client disconnects).
Also for SSL tunnelling with stunnel(8) on Unix using one of the SSVNC
prebuilt 'bundles', a patched stunnel is provided that denies all
connections after the first one, and exits when the first one closes.
This is not true if the system installed stunnel(8) is used and is
not true when using SSVNC on Windows.
The following are two experimental features that are added to SSVNC
to improve the situation for the SSL/stunnel case. Set them via
Options -> Advanced -> "STUNNEL Local Port Protections".
1) For SSL tunnelling with stunnel(8) on Unix there is a setting
'Use stunnel EXEC mode' (experimental) that will try to exec(2)
stunnel instead of using a listening socket. This will require
using the specially modified vncviewer unix viewer provided
by SSVNC. If this mode proves stable it will become the default.
2) For SSL tunnelling with stunnel(8) on Unix there is a setting
'Use stunnel IDENT check' (experimental) to limit socket
connections to be from you (this assumes the untrusted local
user has not become root on your workstation and has modified
your local IDENT check service; if he has you have much bigger
problems to worry about...)
There is also one simple LD_PRELOAD trick for SSH to limit the number
of accepted port redirection connections. This makes the window of
time the untrusted local user can connect to the tunnel much smaller.
Enable it via Options -> Advanced -> "SSH Local Port Protections".
You will need to have the lim_accept.so file in your SSVNC package.
The main message is to 'Watch your Back' when you connect via the
SSVNC tunnels and there are users you don't trust on your workstation.
The same applies to ANY use of SSH '-L' port redirections or outgoing
stunnel SSL redirection services.
Help and Info:
-------------
......
start ssvnc.exe -ssh %1 %2 %3 %4 %5 %6 %7 %8 %9
start ssvnc.exe -ts %1 %2 %3 %4 %5 %6 %7 %8 %9
#!/bin/sh
#
# wrapper for SSH_ONLY mode
#
PATH=`dirname "$0"`:$PATH; export PATH
SSVNC_SSH_ONLY=1; export SSVNC_SSH_ONLY
exec ssvnc -ssh "$@"
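Review bot: ``PATH=`dirname "$0"`:$PATH`` leaves a relative entry (`.`) at the front of the exported PATH whenever the wrapper is started as `./sshvnc` or `sh sshvnc`, and every child (ssvnc, ssh, stunnel, the viewer) inherits it, so command lookup then depends on whatever the current directory is. Prepend the directory only when it is absolute, e.g. `case "$dir" in /*) PATH="$dir:$PATH";; esac` after assigning `dir` from dirname, or exec the sibling script by its full path. The TS_ONLY wrapper further down the page has the same line.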
......@@ -79,7 +79,11 @@ nearby=0
if [ -x "$dir/vncviewer" -a -x "$dir/stunnel" ]; then
nearby=1
fi
if [ ! -d "$dir/$name" -a $nearby = 0 ]; then
if [ "X$name" = "X." ]; then
:
#type vncviewer
#type stunnel
elif [ ! -d "$dir/$name" -a $nearby = 0 ]; then
echo
echo "Cannot find platform dir for your OS `uname -sm`:"
echo
......
#!/bin/sh
#
# Copyright (c) 2006 by Karl J. Runge <runge@karlrunge.com>
# Copyright (c) 2006-2008 by Karl J. Runge <runge@karlrunge.com>
#
# ssvnc_cmd:
#
......@@ -23,9 +23,15 @@
#
# Usage:
#
# ssvnc_cmd [ss_vncviewer-args] hostname:N [tightvncviewer-args]
# ssvnc_cmd [ss_vncviewer-args] hostname:N [vncviewer-args]
#
# "hostname:N" is the host and VNC display to connect to, e.g. snoopy:0
# if, instead, this script is named "tightvncviewer" it calls the
# vncviewer directly and must be invoked as:
#
# tightvncviewer [vncviewer-args] hostname:N
#
# In both cases, "hostname:N" is the host and VNC display to connect to,
# e.g. snoopy:0
#
# See the script util/ss_vncviewer for details about its arguments:
#
......@@ -35,6 +41,8 @@
# -alpha
# -grab
#
# N.B. if this script is named "tightvncviewer" the vncviewer is called
# directly, and there won't be any SSL or SSH encryption tunnels.
#
# If the *very first* argument is "-cotvnc" then it is assumed you are on
# Darwin and want to run the Chicken of the VNC viewer via our wrapper.
......@@ -75,9 +83,12 @@
# Option names may be abbreviated, e.g. -bgr instead of -bgr233.
# See the manual page for more information.
#
# Note: the enhanced tightvnc viewer (SSVNC) has many more options, run
# this script as "ssvnc_cmd Vnc://a:0 -help" or "tightvncviewer -help"
# to seem them.
if [ "X$1" = "X-h" -o "X$1" = "X-help" -o "X$1" = "X--help" ]; then
head -76 "$0" | grep -v bin/sh
if [ "X$1" = "X-h" -o "X$1" = "X-helpxxx" -o "X$1" = "X--help" ]; then
tail -n +2 "$0" | sed -e '/^$/ q' -e 's/^#//'
exit
fi
......@@ -145,12 +156,20 @@ do
done
dir=`dirname "$f"`
PATH="$dir:$PATH"
SSVNC_BASEDIR="$dir"
export SSVNC_BASEDIR
SSVNC_UNAME="$name"
export SSVNC_UNAME
nearby=0
if [ -x "$dir/vncviewer" -a -x "$dir/stunnel" ]; then
nearby=1
fi
if [ ! -d "$dir/$name" -a $nearby = 0 ]; then
if [ "X$name" = "X." ]; then
:
#type vncviewer
#type stunnel
elif [ ! -d "$dir/$name" -a $nearby = 0 ]; then
echo
echo "Cannot find platform dir for your OS `uname -sm`:"
echo
......@@ -223,6 +242,9 @@ fi
#
#
if [ $use_ours = 1 ]; then
# avoid system vncviewer app-defaults
#XFILESEARCHPATH="/tmp/path/nowhere"; export XFILESEARCHPATH
if [ "X$base" = "Xtightvncviewer" ]; then
$VNCVIEWERCMD -encodings 'copyrect tight zrle zlib hextile' "$@"
else
......
#!/bin/sh
#
# wrapper for TS_ONLY mode
#
PATH=`dirname "$0"`:$PATH; export PATH
SSVNC_TS_ONLY=1; export SSVNC_TS_ONLY
exec ssvnc -ts "$@"
......@@ -447,6 +447,9 @@ findfree() {
# removes files, etc.
final() {
echo ""
if [ "X$tmp_cfg" != "X" ]; then
rm -f $tmp_cfg
fi
if [ "X$SS_VNCVIEWER_RM" != "X" ]; then
rm -f $SS_VNCVIEWER_RM 2>/dev/null
fi
......@@ -1012,6 +1015,24 @@ if [ "X$use_ssh" = "X1" ]; then
# let user override ssh via $SSH
ssh=${SSH:-"ssh -x"}
if [ "X$SSVNC_LIM_ACCEPT_PRELOAD" != "X" ]; then
SSVNC_LIM_ACCEPT_PRELOAD="$SSVNC_BASEDIR/$SSVNC_UNAME/$SSVNC_LIM_ACCEPT_PRELOAD"
fi
if [ "X$SSVNC_LIM_ACCEPT_PRELOAD" != "X" ]; then
echo ""
echo "SSVNC_LIM_ACCEPT_PRELOAD=$SSVNC_LIM_ACCEPT_PRELOAD"
fi
if [ "X$SSVNC_LIM_ACCEPT_PRELOAD" != "X" -a -f "$SSVNC_LIM_ACCEPT_PRELOAD" ]; then
plvar=LD_PRELOAD
if uname | grep Darwin >/dev/null; then
plvar="DYLD_FORCE_FLAT_NAMESPACE=1 DYLD_INSERT_LIBRARIES"
fi
ssh="env $plvar=$SSVNC_LIM_ACCEPT_PRELOAD $ssh"
else
SSVNC_LIM_ACCEPT_PRELOAD=""
fi
if echo "$proxy" | egrep '(http|https|socks|socks4|socks5)://' > /dev/null; then
# Handle Web or SOCKS proxy(ies) for the initial connect.
Kecho host=$host
......@@ -1328,10 +1349,11 @@ Kecho proxy=$proxy
c=0
pssh=""
mssh=`echo "$ssh" | sed -e 's/^env.*ssh/ssh/'`
while [ $c -lt 30 ]
do
p=`expr $pmark + $c`
if ps -p "$p" 2>&1 | grep "$ssh" > /dev/null; then
if ps -p "$p" 2>&1 | grep "$mssh" > /dev/null; then
pssh=$p
break
fi
......@@ -1339,6 +1361,8 @@ Kecho proxy=$proxy
done
if [ "X$getport" != "X" ]; then
:
elif [ "X$SSVNC_LIM_ACCEPT_PRELOAD" != "X" ] ; then
sleep 2
elif [ "X$ssh_cmd" = "Xsleep $ssh_sleep" ] ; then
#echo T sleep 1
sleep 1
......@@ -1523,9 +1547,11 @@ if [ "X$direct_connect" != "X" ]; then
exit $?
fi
tmp=/tmp/ss_vncviewer${RANDOM}.$$
mytmp "$tmp"
tmp_cfg=/tmp/ss_vncviewer${RANDOM}.$$
mytmp "$tmp_cfg"
# make_tcert is no longer invoked via the ssvnc gui (Listen mode).
# make_tcert is for testing only now via -mycert BUILTIN
make_tcert() {
tcert="/tmp/tcert${RANDOM}.$$"
cat > $tcert <<END
......@@ -1584,37 +1610,50 @@ END
echo "$tcert"
}
stunnel_exec=""
if echo $STUNNEL_EXTRA_SVC_OPTS | grep '#stunnel-exec' > /dev/null; then
stunnel_exec="#"
fi
if [ "X$reverse" = "X" ]; then
if echo "$proxy" | grep repeater:// > /dev/null; then
if [ "X$cert" = "X" ]; then
if [ "X$cert" = "XBUILTIN" ]; then
ttcert=`make_tcert`
cert="cert = $ttcert"
fi
# Note for listen mode, an empty cert will cause stunnel to fail.
# The ssvnc gui will have already taken care of this.
fi
cat > "$tmp" <<END
cat > "$tmp_cfg" <<END
foreground = yes
pid =
client = yes
debug = 6
$STUNNEL_EXTRA_OPTS
$STUNNEL_EXTRA_OPTS_USER
$verify
$cert
[vnc_stunnel]
accept = localhost:$use
${stunnel_exec}[vnc_stunnel]
${stunnel_exec}accept = localhost:$use
$connect
$STUNNEL_EXTRA_SVC_OPTS
$STUNNEL_EXTRA_SVC_OPTS_USER
END
else
stunnel_exec="" # doesn't work for listening.
p2=`expr 5500 + $N`
connect="connect = localhost:$p2"
if [ "X$cert" = "X" ]; then
if [ "X$cert" = "XBUILTIN" ]; then
ttcert=`make_tcert`
cert="cert = $ttcert"
fi
# Note for listen mode, an empty cert will cause stunnel to fail.
# The ssvnc gui will have already taken care of this.
STUNNEL_EXTRA_OPTS=`echo "$STUNNEL_EXTRA_OPTS" | sed -e 's/maxconn/#maxconn/'`
......@@ -1622,18 +1661,21 @@ else
if [ "X$use_ssh" = "X1" ]; then
hloc="localhost:"
fi
cat > "$tmp" <<END
cat > "$tmp_cfg" <<END
foreground = yes
pid =
client = no
debug = 6
$STUNNEL_EXTRA_OPTS
$STUNNEL_EXTRA_OPTS_USER
$verify
$cert
[vnc_stunnel]
accept = $hloc$port
$connect
$STUNNEL_EXTRA_SVC_OPTS
$STUNNEL_EXTRA_SVC_OPTS_USER
END
fi
......@@ -1641,31 +1683,33 @@ fi
echo ""
echo "Using this stunnel configuration:"
echo ""
cat "$tmp" | uniq
cat "$tmp_cfg" | uniq
echo ""
sleep 1
echo ""
echo "Running stunnel:"
echo "$STUNNEL $tmp"
st=`echo "$STUNNEL" | awk '{print $1}'`
$st -help > /dev/null 2>&1
$STUNNEL "$tmp" < /dev/tty > /dev/tty &
stunnel_pid=$!
echo ""
if [ "X$stunnel_exec" = "X" ]; then
echo ""
echo "Running stunnel:"
echo "$STUNNEL $tmp_cfg"
st=`echo "$STUNNEL" | awk '{print $1}'`
$st -help > /dev/null 2>&1
$STUNNEL "$tmp_cfg" < /dev/tty > /dev/tty &
stunnel_pid=$!
echo ""
# pause here to let the user supply a possible passphrase for the
# mycert key:
if [ "X$mycert" != "X" ]; then
# pause here to let the user supply a possible passphrase for the
# mycert key:
if [ "X$mycert" != "X" ]; then
sleep 1
echo ""
echo "(pausing for possible certificate passphrase dialog)"
echo ""
sleep 4
fi
#echo T sleep 1
sleep 1
rm -f "$tmp_cfg"
fi
#echo T sleep 1
sleep 1
rm -f "$tmp"
echo ""
......@@ -1675,15 +1719,19 @@ if [ "X$SSVNC_EXTRA_SLEEP" != "X" ]; then
fi
echo "Running viewer:"
if [ "X$reverse" = "X" ]; then
echo "$VNCVIEWERCMD" "$@" localhost:$N
vnc_hp=localhost:$N
if [ "X$stunnel_exec" != "X" ]; then
vnc_hp="exec=$STUNNEL $tmp_cfg"
fi
echo "$VNCVIEWERCMD" "$@" "$vnc_hp"
trap "final" 0 2 15
echo ""
$VNCVIEWERCMD "$@" localhost:$N
$VNCVIEWERCMD "$@" "$vnc_hp"
if [ $? != 0 ]; then
echo "vncviewer command failed: $?"
if [ "X$secondtry" = "X1" ]; then
sleep 2
$VNCVIEWERCMD "$@" localhost:$N
$VNCVIEWERCMD "$@" "$vnc_hp"
fi
fi
else
......
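Review bot: The stunnel configuration is written to `/tmp/ss_vncviewer${RANDOM}.$$`, a guessable name in a world-writable directory, and in the new exec mode it is no longer removed right after stunnel starts: the viewer is handed `exec=$STUNNEL $tmp_cfg` and the file stays until final() runs. How mytmp creates the file is not visible in these hunks, but unless it creates it exclusively and with mode 0600, another local user could pre-create or replace it and change the `connect =` target, which is the untrusted-local-user case the README part of this commit describes. Where mktemp is available, prefer ``tmp_cfg=`mktemp /tmp/ss_vncviewer.XXXXXX` || exit 1``, and quote the path in final(): `rm -f "$tmp_cfg"`. The unquoted `$tmp_cfg` inside the `exec=` string will also break if the path ever contains whitespace.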
'\" t
.\" ** The above line should force tbl to be a preprocessor **
.\" Man page for the SSVNC vncviewer
.\"
.\" Copyright (C) 2006-2008 Karl J. Runge <runge@karlrunge.com>
.\"
.\" You may distribute under the terms of the GNU General Public
.\" License as specified in the file LICENCE.TXT that comes with the
.\" TightVNC distribution.
.\"
.TH ssvnc 1 "September 2008" "" "SSVNC"
.SH NAME
ssvnc \- a GUI wrapper for SSL and SSH VNC connections.
.SH SYNOPSIS
.B ssvnc
.br
.B ssvnc
.RI [\| host \|][\| :display \|]
.br
.B ssvnc
.RI [\| saved-profile-name \|]
.br
.B ssvnc
.RI [\| options \|][\| host-or-profile \]
.br
.B ssvnc
.IR \--help
.br
.SH DESCRIPTION
.B ssvnc
is a tcl/tk gui wrapper that runs on Unix, MacOSX, and Windows.
It sets up an SSL or SSH tunnel to the remote VNC Server and then launches
the VNC viewer (either the one provided or another one that you have
specified) to use that encrypted tunnel to connect to the VNC Server.
The use of Proxies and Gateways to make the connections is implemented.
Once you have started the SSVNC gui, you can click on the buttons
"Help", "Options -> Help", "Certs -> Help", etc. for much information
on how to use and configure the tool.
In short, you supply a VNC server "hostname:display" in the
"VNC Host:Display" entry box and then press the "Connect" button to
connect to the server via SSL (stunnel). E.g. "far-away.east:0".
Port numbers are also allowed, e.g. far-away.east:5905.
Or supply user@hostname:display and click on the "Use SSH" option, then
press the "Connect" button to connect to the server via an SSH tunnel.
E.g. "fred@far-away.east:0".
As an easter egg, we note it is also possible to disable the use of SSL/SSH
encryption tunnels by using a vnc:// or Vnc:// prefix before
host:display.
Normally you do not specify any command line options. You simply
run \fBssvnc\fR and use the GUI that starts up.
However, as shortcuts you can supply a VNC host:display (or host:port)
on the command line. to connect to immediately (the GUI is started
and the connection is initiated). For example, "\fBssvnc far-away.east:0\fR"
Instead of a host:display, you can specify the name of a saved profile to
automatically load that profile and then connect to its server.
For example "\fBssvnc far\fR", if you name the profile "far".
You can use the \fB-profiles\fR option to list the profiles you have saved.
The related commands \fBsshvnc\fR and \fBtsvnc\fR start up the GUI in
simplified modes: SSH Only Mode, and Terminal Services Mode, respectively.
See below and the application Help for more information on the modes.
There are also some command line options described as follows.
.SH OPTIONS
.TP
\fB\--help\fR
Starts up the GUI as though the 'Help' button was pressed to show the
main Help panel.
.TP
\fB\-profiles\fR
List the saved SSVNC profiles you have created. A profile
is a destination host with specific parameter settings.
.TP
\fB\-list\fR
Same as \fB\-profiles\fR
.TP
\fB\-ssh\fR
Start in "SSH Only Mode". No SSL aspects are shown.
Same as running the command \fBsshvnc\fR
.TP
\fB\-ts\fR
Start in "Terminal Services Mode". This is like "SSH Only Mode", but
simpler and assumes \fBx11vnc\fR is available on the remote side
to start and manage X and VNC sessions.
Same as running the command \fBtsvnc\fR
.TP
\fB\-tso\fR
Same as \fB-ts\fR "Terminal Services Mode", however never let the
user leave this mode (no button to switch modes is provided.)
Same as SSVNC_TS_ALWAYS=1.
.TP
\fB\-ssl\fR
Force the full GUI Mode: both SSL and SSH. This is the default.
.TP
\fB\-nv\fR
Toggle the "Verify All Certs" button to be off at startup.
.TP
\fB\-nvb\fR
Never show the "Verify All Certs" button.
Same as SSVNC_NO_VERIFY_ALL_BUTTON=1.
.TP
\fB\-bigger\fR
Make the Profile Selection Dialog window bigger.
Same as SSVNC_BIGGER_DIALOG=1.
.SH URL NOTATION
Here are all of our URL-like prefixes that you can put in front of
host:display (or host:port):
For SSL: vncs:// vncssl:// and vnc+ssl://
For SSH: vncssh:// and vnc+ssh://
For No Encryption Tunnel: vnc:// and Vnc://
Examples:
To quickly make an SSL connection: \fBssvnc vncs://snoopy.com:0\fR
To quickly make an SSH connection: \fBssvnc vnc+ssh://fred@snoopy.com:0\fR
To quickly make a direct connection: \fBssvnc Vnc://snoopy.com:0\fR
The above will also work in the "VNC Host:Display" entry box in the GUI.
Press the "Connect" button after entering them.
.SH FILES
Your SSVNC vnc profiles are stored in the \fB$HOME/.vnc/profiles\fR
directory. They end in suffix \fB.vnc\fR
Your SSVNC vnc certificates and keys are stored in the \fB$HOME/.vnc/certs\fR
directory. They typically end in \fB.pem\fR (both certificate and
private key) or \fB.crt\fR (certificate only).
You can put a few global parameters (e.g. mode=sshvnc) in your
\fB$HOME/.ssvncrc\fR file (\fBssvnc_rc\fR on Windows); see the
application Help for more information.
.SH SEE ALSO
\fBssvncviewer\fB(1), \fBvncviewer\fR(1), \fBstunnel\fR(8), \fBssh\fR(1), \fBx11vnc\fR(1), \fBvncserver\fR(1)
http://www.karlrunge.com/x11vnc http://www.karlrunge.com/x11vnc/ssvnc.html
.SH AUTHORS
Karl J. Runge <runge@karlrunge.com> wrote the SSVNC gui (tcl/tk) and
associated wrapper scripts.
......@@ -3,3 +3,7 @@
cp -p /dist/src/apps/VNC/tight_vnc_1.3dev5/tight-vncviewer*patch .
cp -p /dist/src/apps/VNC/tight_vnc_1.3dev5/vnc_unixsrc_vncviewer.patched.tar ../zips/
cp -p /dist/src/apps/VNC/etc/libvncserver_cvs/expts/java_ssl/ultra/ultraftp.tar ../zips/
cp -p /dist/src/apps/VNC/etc/libvncserver_cvs/expts/vncstorepw.tar ../zips/
cp -p /dist/src/apps/VNC/tight_vnc_1.3dev5/vnc_unixsrc/vncviewer/vncviewer.man ../../man/man1/ssvncviewer.1
......@@ -241,6 +241,7 @@ int ncache_dt_change = 1;
int ncache_keep_anims = 0;
int ncache_old_wm = 0;
int macosx_ncache_macmenu = 0;
int macosx_us_kbd = 0;
int ncache_beta_tester = 0;
int ncdb = 0;
......
......@@ -182,6 +182,7 @@ extern int ncache_xrootpmap;
extern int ncache_keep_anims;
extern int ncache_old_wm;
extern int macosx_ncache_macmenu;
extern int macosx_us_kbd;
extern int ncache_beta_tester;
extern int ncdb;
......
......@@ -690,6 +690,9 @@ void pointer(int mask, int x, int y, rfbClientPtr client) {
button_mask_prev = button_mask;
button_mask = mask;
}
if (!view_only && (input.motion || input.button)) {
last_rfb_ptr_injected = dnow();
}
return;
}
}
......@@ -714,6 +717,7 @@ void pointer(int mask, int x, int y, rfbClientPtr client) {
last_pointer_client = client;
last_pointer_time = now;
last_rfb_ptr_injected = dnow();
if (blackout_ptr && blackouts) {
int b, ok = 1;
......
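Review bot: The two new assignments to `last_rfb_ptr_injected` are guarded differently: the first is made only under `!view_only && (input.motion || input.button)`, while the one added after `last_pointer_time = now;` is unconditional in the visible lines. The body of pointer() starts and ends outside these hunks, so it is not visible whether an earlier return already filters view-only clients or clients without pointer input rights; if none does, a client that cannot inject anything would still refresh the timestamp. Either repeat the guard there, or add a comment such as `/* only reached when this client's pointer event is actually injected */` stating why it is not needed. A one-line comment at the variable's declaration naming the feature that reads it would also help the next reader.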
......@@ -630,6 +630,10 @@ int remote_control_access_ok(void) {
#endif /* NO_X11 */
}
#ifdef MACOSX
void macosxCG_keycode_inject(int down, int keycode);
#endif
/*
* Huge, ugly switch to handle all remote commands and queries
* -remote/-R and -query/-Q.
......@@ -3502,6 +3506,19 @@ char *process_remote_cmd(char *cmd, int stringonly) {
adjust_grabs(0, 0);
rfbLog("disabled grab_always\n");
} else if (strstr(p, "grablocal") == p) {
COLON_CHECK("grablocal:")
if (query) {
snprintf(buf, bufn, "ans=%s%s%d", p, co,
grab_local);
goto qry;
}
p += strlen("grablocal:");
grab_local = atoi(p);
rfbLog("remote_cmd: changed -grablocal to: %d\n",
grab_local);
} else if (strstr(p, "client_input") == p) {
NOTAPP
COLON_CHECK("client_input:")
......@@ -3578,6 +3595,28 @@ char *process_remote_cmd(char *cmd, int stringonly) {
rfbLog("remote_cmd: turning off debug_keyboard.\n");
debug_keyboard = 0;
} else if (strstr(p, "keycode") == p) {
int kc;
NOTAPP
COLON_CHECK("keycode:")
p += strlen("keycode:");
kc = atoi(p);
if (kc < 0) kc = 0;
kc = kc % 256;
rfbLog("remote_cmd: insert keycode %d\n", kc);
if (macosx_console) {
#ifdef MACOSX
macosxCG_keycode_inject(1, kc);
usleep(100*1000);
macosxCG_keycode_inject(0, kc);
#endif
} else {
XTestFakeKeyEvent_wr(dpy, kc, 1, CurrentTime);
usleep(100*1000);
XTestFakeKeyEvent_wr(dpy, kc, 0, CurrentTime);
}
} else if (strstr(p, "deferupdate") == p) {
int d;
COLON_CHECK("deferupdate:")
......@@ -4421,6 +4460,19 @@ char *process_remote_cmd(char *cmd, int stringonly) {
rfbLog("remote_cmd: disable macosx_ncache_macmenu.\n");
macosx_ncache_macmenu = 0;
} else if (!strcmp(p, "macuskbd")) {
if (query) {
snprintf(buf, bufn, "ans=%s:%d", p, macosx_us_kbd); goto qry;
}
rfbLog("remote_cmd: enable macosx_us_kbd.\n");
macosx_us_kbd = 1;
} else if (!strcmp(p, "nomacuskbd")) {
if (query) {
snprintf(buf, bufn, "ans=%s:%d", p, !macosx_us_kbd); goto qry;
}
rfbLog("remote_cmd: disable macosx_us_kbd.\n");
macosx_us_kbd = 0;
} else if (strstr(p, "hack") == p) { /* skip-cmd-list */
COLON_CHECK("hack:")
if (query) {
......
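Review bot: The new `keycode:` branch of process_remote_cmd parses its argument with `atoi` and then coerces it with `if (kc < 0) kc = 0; kc = kc % 256;`, so a non-numeric argument becomes keycode 0 and an out-of-range value is silently folded onto a different key before the press/release pair is injected. Because this command synthesises keyboard input on the controlled display, the value should be parsed strictly and a malformed or out-of-range argument rejected and logged rather than mapped to some other key. The `grablocal:` branch uses the same unchecked `atoi`. Note also that when `macosx_console` is set in a build without MACOSX, the branch logs the insert but injects nothing. process_remote_cmd starts and ends outside these hunks, so the error convention used below is only a suggestion.

```c
	} else if (strstr(p, "keycode") == p) {
		long kc;
		char *end;
		NOTAPP
		COLON_CHECK("keycode:")
		p += strlen("keycode:");
		/* strtol reports "no digits" via end == p and saturates on overflow, */
		/* so the range test below also catches values that do not fit. */
		kc = strtol(p, &end, 10);
		if (end == p || *end != '\0' || kc < 0 || kc > 255) {
			rfbLog("remote_cmd: invalid keycode: %s\n", p);
		} else {
			rfbLog("remote_cmd: insert keycode %ld\n", kc);
			/* … unchanged: macosx_console / XTestFakeKeyEvent_wr press-release pair, passing (int) kc … */
		}
```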
......@@ -2524,6 +2524,8 @@ fprintf(stderr, "\n");}
return 1;
}
void ssh_remote_tunnel(char *, int);
static XImage ximage_struct;
int wait_for_client(int *argc, char** argv, int http) {
......
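Review bot: The prototype `void ssh_remote_tunnel(char *, int);` placed just above `wait_for_client` is a file-local declaration with unnamed parameters rather than one taken from a header that the defining file also includes. Nothing then checks it against the definition, and in C a later signature change would still compile and link with mismatched arguments. Consider moving it to the header of the file that defines it, written with parameter names; the names would have to come from the definition, which is not visible here. The `macosxCG_keycode_inject` prototype added under `#ifdef MACOSX` in the remote-command file follows the same pattern.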
......@@ -7,6 +7,7 @@ extern int grab_buster;
extern int grab_kbd;
extern int grab_ptr;
extern int grab_always;
extern int grab_local;
extern int sync_tod_delay;
extern void initialize_vnc_connect_prop(void);
......
......@@ -13,5 +13,6 @@ extern void push_sleep(int n);
extern void push_black_screen(int n);
extern void refresh_screen(int push);
extern void zero_fb(int x1, int y1, int x2, int y2);
extern void check_xinerama_clip(void);
#endif /* _X11VNC_XINERAMA_H */