#!/bin/sh
n=11
tmp=`mktemp -d "/tmp/ssvnc.XXXXXX"` || exit 1     # private scratch dir, unpredictable name
if [ "X$tmp" = "X" -o ! -d "$tmp" ]; then exit 1; fi
trap "cd /tmp; rm -rf $tmp" 0 2 15                 # always clean up, also on INT/TERM
tail -n +$n "$0" | (cd $tmp; tar xf -) || exit 1   # the tar payload starts at line $n of this file
$tmp/bin/ssvnc "$@"
exit 0
data__() {

============================== README ==============================

Enhanced TightVNC Viewer (SSVNC: SSL/SSH VNC viewer)

Copyright (c) 2006-2008 Karl J. Runge
All rights reserved.

These bundles provide

  1) An enhanced TightVNC Viewer on Unix,
  2) Binaries for many Operating Systems (including Windows and Mac OS X)
     for your convenience,
  3) Wrapper scripts and a GUI for gluing them all together.

One can straightforwardly download all of the components and get them to
work together by oneself: this bundle is mostly for your convenience to
combine and wrap together the freely available software.

Bundled software co-shipped is copyright and licensed by others. See these
sites and related ones for more information:

    http://www.tightvnc.com
    http://www.realvnc.com
    http://www.stunnel.org
    http://stunnel.mirt.net
    http://www.openssl.org
    http://www.chiark.greenend.org.uk/~sgtatham/putty/
    http://sourceforge.net/projects/cotvnc/

Note: Some of the binaries included contain cryptographic software that
you may not be allowed to download, use, or redistribute. Please check
your situation first before downloading any of these bundles. See the
survey http://rechten.uvt.nl/koops/cryptolaw/index.htm for useful
information.

All work done by Karl J. Runge in this project is Copyright (c) 2006-2007
Karl J. Runge and is licensed under the GPL as described in the file
COPYING in this directory.

All the files and information in this project are provided "AS IS"
without any warranty of any kind. Use them at your own risk.
=============================================================================

This bundle contains a convenient collection of enhanced TightVNC viewers
and stunnel binaries for different flavors of Unix, plus wrapper scripts
and a GUI front-end to glue them together. Automatic SSL and SSH
encryption tunnelling is provided.

A Windows SSL wrapper for the bundled TightVNC binary and other utilities
are provided. (Launch ssvnc.exe in the Windows subdirectory).

The short name of the project is "ssvnc" for SSL/SSH VNC Viewer.

It is a self-contained bundle: you could carry it around on, say, a USB
memory stick for secure VNC viewing from almost any machine, Unix, Mac,
or Windows.


Features:
--------

The enhanced TightVNC viewer features are:

  - SSL support for connections using the bundled stunnel program.

  - Automatic SSH connections from the GUI (ssh must already be installed
    on Unix; bundled plink is used on Windows)

  - Ability to Save and Load VNC profiles for different hosts.

  - Create or Import SSL Certificates and Private Keys.

  - Automatic Service tunnelling via SSH for CUPS and SMB Printing,
    ESD/ARTSD Audio, and SMB (Windows/Samba) filesystem mounting.

  - Port Knocking for "closed port" SSH/SSL connections. In addition to
    a simple fixed port sequence and one-time-pad implementation, a hook
    is also provided to run any port knocking client before connecting.

  - You can also use your own VNC Viewer, e.g. UltraVNC or RealVNC, with
    the front-end GUI or scripts if you like.

  - Sets up any additional SSH port redirections that you want.

  - Support for native MacOS X usage with bundled Chicken of the VNC
    viewer.

  - Reverse (viewer listening) VNC connections via SSL and SSH.

  - Dynamic VNC Server Port determination and redirection (using ssh's
    builtin SOCKS proxy, -D) for servers like x11vnc that print out
    PORT= at startup.

  - Unix Username and Password entry for use with "x11vnc -unixpw" type
    login dialogs.

  - Simplified mode launched by command "sshvnc" that is SSH Only.
  - Simplified mode launched by command "tsvnc" that provides a VNC
    "Terminal Services" mode (uses x11vnc on the remote side).

  (the following features only apply to the bundled Unix tightvnc viewer)

  - rfbNewFBSize VNC support (screen resizing)

  - ZRLE VNC encoding support (RealVNC's encoding)

  - Cursor alphablending with x11vnc at 32bpp (-alpha option)

  - Option "-unixpw ..." for use with "x11vnc -unixpw" login dialogs.

  - Support for UltraVNC extensions: Single Window, Disable Server-side
    Input, 1/n Server side scaling, Text Chat (shell terminal UI).
    Both UltraVNC and x11vnc servers support these extensions.

  - UltraVNC File Transfer via an auxiliary Java helper program (java
    must be in $PATH). Note that x11vnc supports UltraVNC file transfer.

  - Extremely low color modes: 64 and 8 colors in 8bpp
    (-use64/-bgr222, -use8/-bgr111)

  - Medium color mode: 16bpp mode even for 32bpp Viewer display
    (-16bpp/-bgr565)

  - x11vnc's client-side caching -ncache method cropping option
    (-ycrop n). This will "hide" the large pixel buffer cache below the
    actual display. Set to actual height or use -1 for autodetection
    (tall screens are autodetected by default).

  - Scrollbar width setting: -sbwidth n, the default is very thin,
    2 pixels, for less distracting -ycrop usage.

  - Improvements to the Popup menu, all of these can now be changed
    dynamically via the menu: ViewOnly, Toggle Bell, CursorShape
    updates, X11 Cursor, Cursor Alphablending, Toggle Tight/ZRLE,
    Toggle JPEG, FullColor/16bpp/8bpp (256/64/8 colors), Greyscale for
    low color modes.

  - Maintains its own BackingStore if the X server does not.

  - The default for localhost:0 connections is not raw encoding (local
    machine). The default assumes you are using an SSH tunnel. Use
    -rawlocal to revert.

  - Support for the ZYWRLE encoding, a wavelet based extension to ZRLE
    to improve compression of motion video and photo regions.

  - XGrabServer support for fullscreen mode, for old window managers
    (-grab/-graball option).
  - Fix for Popup menu positioning for old window managers (-popupfix
    option).

  - Run vncviewer -help for all options.

The list of software bundled in the archive files:

    TightVNC Viewer             (windows, unix, macosx)
    Chicken of the VNC Viewer   (macosx)
    Stunnel                     (windows, unix, macosx)
    Putty/Plink/Pageant         (windows)
    OpenSSL                     (windows)
    esound                      (windows)

These are all self-contained in the bundle directory: they will not be
installed on your system. Just un-zip or un-tar the file you downloaded
and run it straight from its directory.


Quick Start:
-----------

Unix and Mac OS X:

    Inside a Terminal do something like the following.

    Unpack the archive:

        % gzip -dc ssvnc-1.0.19.tar.gz | tar xvf -

    Run the GUI:

        % ./ssvnc/Unix/ssvnc            (for Unix)

        % ./ssvnc/MacOSX/ssvnc          (for Mac OS X)

    The smaller file "ssvnc_no_windows-1.0.19.tar.gz" could have been
    used as well.

    On MacOSX you could also click on the SSVNC app icon in the Finder.

    On MacOSX if you don't like the Chicken of the VNC (e.g. no local
    cursors, no screen size rescaling, and no password prompting), and
    you have the XDarwin X server installed, you can set DISPLAY before
    starting ssvnc (or type DISPLAY=... in Host:Disp and hit Return).
    Then our enhanced TightVNC viewer will be used instead of COTVNC.
    Update: there is now a 'Use X11 vncviewer on MacOSX' under Options ...

    If you want an SSH-only tool (without the distractions of SSL) run
    the command:

        sshvnc

    instead of "ssvnc". Or click "SSH-Only Mode" under Options.
    Control-h will toggle between the two modes.

    If you want a simple VNC Terminal Services only mode (requires
    x11vnc on the remote server) run the command:

        tsvnc

    instead of "ssvnc". Or click "Terminal Services" under Options.
    Control-t will toggle between the two modes.

    "tsvnc profile-name" and "tsvnc user@hostname" work too.

    Unix/MacOSX Install:

    There is no standard install, but you can make symlinks like so:

        cd /a/directory/in/PATH
        ln -s /path/to/ssvnc/bin/{s,t}* .
    Or put /path/to/ssvnc/bin, /path/to/ssvnc/Unix, or
    /path/to/ssvnc/MacOSX in your PATH.

Windows:

    Unzip, using WinZip or a similar utility, the zip file:

        ssvnc-1.0.19.zip

    Run the GUI, e.g.:

        Start -> Run -> Browse

    and then navigate to

        .../ssvnc/Windows/ssvnc.exe

    select Open, and then OK to launch it.

    The smaller file "ssvnc_windows_only-1.0.19.zip" could have been
    used as well.

    You can make a Windows shortcut to this program if you want to.

    See the Windows/README.txt for more info.

    If you want an SSH-only tool (without the distractions of SSL) run
    the command:

        sshvnc.bat

    Or click "SSH-Only Mode" under Options.

    If you want a simple VNC Terminal Services only mode (requires
    x11vnc on the remote server) run the command:

        tsvnc.bat

    Or click "Terminal Services" under Options. Control-t will toggle
    between the two modes.

    "tsvnc profile-name" and "tsvnc user@hostname" work too.

    Important Note for Windows Vista:

    One user reports that on Windows Vista if you move or extract the
    "ssvnc" folder down to the "Program Files" folder you will be
    prompted to do this as the Administrator. But then when you start
    up ssvnc, as a regular user, it cannot create files in that folder
    and so it fails to run properly.

    We recommend that you do not copy or extract the "ssvnc" folder into
    "Program Files". Rather, extract it to somewhere you have write
    permission (e.g. C:\ or your User dir) and create a Shortcut to
    ssvnc.exe on the desktop. If you must put a launcher file down in
    "Program Files", perhaps an "ssvnc.bat" that looks like this:

        C:
        cd \ssvnc\Windows
        ssvnc.exe


SSH-ONLY Mode:
--------------

If you don't care for SSL and the distractions it provides in the GUI,
run "sshvnc" (unix/macosx) or "sshvnc.bat" (windows) to run an SSH-only
version of the GUI.


Terminal Services Mode
----------------------

There is an even simpler mode that uses x11vnc on the remote side for
the session finding and management. Run "tsvnc" (unix/macosx) or
"tsvnc.bat" (windows) to run the Terminal Services version of the GUI.
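As an added illustration (written for this page; it is not one of the
SSVNC bundle's own scripts), the shell script below shows the ssh port
forward that the SSH-only mode sets up underneath the GUI: a VNC display
number is turned into the 5900+N TCP port (the usual VNC convention,
assumed here), an "ssh -L" forward from a loopback-only local port is
built, and the viewer is then pointed at localhost. The host names, the
local port, the ExitOnForwardFailure option, the -D variant for servers
that only announce their port at startup, and the --run flag are all this
example's own choices.

```sh
#!/bin/sh
# Added example for this page, not code from the SSVNC bundle.
# Build the ssh port forward behind an "SSH only" VNC session:
#   local 127.0.0.1:LPORT  --ssh-->  remote localhost:5900+N
# Assumptions: the VNC server listens on 5900+N on the remote host (the
# usual convention); a value of 200 or more is taken to be a TCP port already.

# vnc_port DISPLAY -> TCP port on stdout, non-zero status on bad input.
vnc_port() {
    disp=$1
    case "$disp" in
        ''|*[!0-9]*) echo "vnc_port: bad display '$disp'" >&2; return 1 ;;
    esac
    if [ "$disp" -lt 200 ]; then
        echo $((5900 + disp))
    else
        echo "$disp"
    fi
}

# ssh_tunnel_cmd LPORT [user@]host[:N] -> the ssh command line on stdout.
# -N: no remote shell; -f: go to the background once authenticated;
# ExitOnForwardFailure: fail loudly if LPORT is already taken instead of
# leaving the viewer to connect to whatever else listens on that port.
# The forward is bound to 127.0.0.1 so other hosts cannot reach it.
ssh_tunnel_cmd() {
    lport=$1
    case "$2" in
        *:*) host=${2%:*}; disp=${2##*:} ;;
        *)   host=$2;      disp=0 ;;       # no ":N" given: display 0
    esac
    rport=$(vnc_port "$disp") || return 1
    printf 'ssh -f -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:localhost:%s %s\n' \
        "$lport" "$rport" "$host"
}

# ssh_socks_cmd LPORT [user@]host -> SOCKS proxy variant (ssh -D) for the
# case where the VNC port is only known once the server prints PORT=...;
# the viewer is then told to use 127.0.0.1:LPORT as its SOCKS proxy.
ssh_socks_cmd() {
    printf 'ssh -f -N -o ExitOnForwardFailure=yes -D 127.0.0.1:%s %s\n' "$1" "$2"
}

# Usage: sshvnc_tunnel.sh [--run] LPORT [user@]host[:N]
# Without --run the ssh command is only printed (dry run).
if [ "${1:-}" = "--run" ]; then
    shift
    cmd=$(ssh_tunnel_cmd "$1" "$2") || exit 1
    $cmd && exec vncviewer "localhost::$1"   # TightVNC "host::port" syntax
elif [ $# -eq 2 ]; then
    ssh_tunnel_cmd "$1" "$2"
fi
```

Run it as "sh sshvnc_tunnel.sh 5910 user@far-away.east:0" to see the
command, or with --run in front to open the forward and start the viewer.
Note that a loopback-bound forward keeps other hosts out, but any other
local user on the viewer machine can still connect to 127.0.0.1:5910,
which is one reason the VNC password (or x11vnc -unixpw) still matters on
top of the tunnel.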
Bundle Info:
------------

The bundle files unpack a directory/folder named: ssvnc

It contains these programs to launch the GUI:

    Windows/ssvnc.exe   for Windows
    MacOSX/ssvnc        for Mac OS X
    Unix/ssvnc          for Unix

(the Mac OS X and Unix launchers are simply links to the bin directory).

Your bundle file should have included binaries for many OS's: Linux,
Solaris, FreeBSD, etc. Unpack your archive and see the subdirectories of
./bin for the ones that were shipped in this project, e.g.
./bin/Linux.i686

Run "uname -sm" to see your OS+arch combination (n.b. all Linux x86 are
mapped to Linux.i686). (See the ./bin/ssvnc_cmd -h output for how to
override platform autodetection via the UNAME env. var).


Memory Stick Usage:
-------------------

If you create a directory named "Home" in that toplevel ssvnc directory
then that will be used as the base for storing VNC profiles and
certificates. Also, for convenience, if you first run the command with
"." as an argument (e.g. "ssvnc .") it will automatically create that
"Home" directory for you.

This is handy if you want to place SSVNC on a USB flash drive that you
carry around for mobile use and you want the profiles you create to stay
with the drive (otherwise you'd have to browse to the drive directory
each time you load or save).

One user on Windows created a BAT file to launch SSVNC and needed to do
this to get the Home directory correct:

    cd \ssvnc\Windows
    start \ssvnc\Windows\ssvnc.exe

(an optional profile name can be supplied to the ssvnc.exe line)

WARNING: if you use ssvnc from an "Internet Cafe", i.e. an untrusted
computer, an intruder may be capturing keystrokes etc., and any saved
profiles, certificates or private keys kept in "Home" on the stick are
readable by that machine while it is plugged in.


External Dependencies:
----------------------

On Windows everything is included. Let us know if you find otherwise.

On Unix depending on what you do you need these programs installed:

    - basic unix utilities (sh, ls, cat, awk, sed, etc..)
    - tcl/tk (wish interpreter)
    - xterm
    - perl
    - ssh
    - openssl

    Lesser used ones: netcat, esd/artsd, smbclient, smbmount, cups

On Mac OS X depending on what you do you need these programs installed:

    - basic unix utilities (sh, ls, cat, awk, sed, etc..)
    - tcl/tk (wish interpreter)
    - Terminal
    - perl
    - ssh
    - openssl

    Lesser used ones: netcat, smbclient, cups

Most Mac OS X and Unix OSes come with the main components installed.


If you need to Build:
--------------------

If your OS/arch is not included or the provided binary has the wrong
library dependencies, etc., the script "build.unix" may be able to
successfully build for you and deposit the binaries down in ./bin/...
using the included source code.

You MUST run the build.unix script from this directory (that this
toplevel README is in, i.e. "ssvnc") and like this:

    ./build.unix

To use custom locations for libraries see the LDFLAGS_OS and CPPFLAGS_OS
description at the top of the build.unix script.

Feel free to ask us if you need help running ./build.unix


The programs:
------------

Unpack your archive, and you will see "bin", "Windows", "src"
directories and other files.

The command line wrapper scripts:

    ./bin/ssvnc_cmd
    ./bin/tightvncviewer

are the main programs that are run and will try to autodetect your
OS+arch combination and if binaries are present for it automatically
use them. (if not found try running the build.unix script).

If you prefer a GUI to prompt for parameters and then start ssvnc_cmd
you can run this instead:

    ./bin/ssvnc

this is the same GUI that is run on Windows (the ssvnc.exe).

There are also:

    ./bin/sshvnc        (SSH-Only)
    ./bin/tsvnc         (Terminal Services Mode)

For convenience, you can make symlinks from a directory in your PATH to
any of the 3 programs above you wish to run. That is all you usually
need to do for it to pick up all of the binaries, utils, etc.

E.g. assuming $HOME/bin is in your $PATH:

    cd $HOME/bin
    ln -s /path/to/ssvnc/bin/{s,t}* .

(note the "." at the end).
The above commands are basically the way to "install" this on Unix or
MacOS X.

Also links to the GUI launcher script are provided in:

    MacOSX/ssvnc
    Unix/ssvnc

and sshvnc and tsvnc. You could also put the Unix or MacOSX directory in
your PATH.

On Windows unpack your archive and run:

    Windows/ssvnc.exe


Examples:
--------

The following assume you are in the toplevel directory of the archive
you unpacked.

Use enhanced TightVNC unix viewer to connect to x11vnc via SSL:

    ./bin/ssvnc_cmd far-away.east:0

    ./bin/tightvncviewer -ssl far-away.east:0     (same)

    ./bin/ssvnc                  (start GUI launcher)

Use enhanced TightVNC unix viewer without SSL:

    ./bin/tightvncviewer far-away.east:0

Use SSL to connect to a x11vnc server, and also verify the server's
identity using the SSL Certificate in the file ./x11vnc.pem:

    ./bin/ssvnc_cmd -alpha -verify ./x11vnc.pem far-away.east:0

(also turns on the viewer-side cursor alphablending hack). Without
-verify the connection is still encrypted, but the server's identity is
not verified.


Brief description of the subdirectories:
---------------------------------------

    ./bin/util          some utility scripts, e.g. ss_vncviewer and
                        ssvnc.tcl

    ./src               source code and patches.

    ./src/zips          zip files of source code and binaries.

    ./src/vnc_unixsrc   unpacked tightvnc source code tree.

    ./src/stunnel-4.14  unpacked stunnel source code tree.

    ./src/patches       patches to TightVNC viewer for the new features
                        on Unix (used by build.unix).

    ./src/tmp           temporary build dir for build.unix

                        (the last four are used by build.unix)

    ./man               man pages for TightVNC viewer and stunnel.

    ./Windows           Stock TightVNC viewer and Stunnel, Openssl etc
                        Windows binaries. ssvnc.exe is the program to run.

    ./MacOSX            contains an unpacked Chicken of the VNC viewer
                        and a symlink to ssvnc.

    ./Unix              contains a symlink to ssvnc.

Depending on which bundle you use not all of the above may be present.
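The SSL examples above differ in one detail worth seeing in the
configuration itself: with SSL alone the viewer talks to a local stunnel
that accepts whatever certificate the far end presents, while -verify
pins the server's certificate. The script below is an added example
written for this page, not code from the SSVNC bundle (SSVNC's own
wrapper scripts produce the real stunnel configuration for you). It emits
an stunnel client configuration for a VNC display in both forms, the
encryption-only one and the one that pins the server's self-signed
x11vnc.pem via CAfile with verify = 2, plus a small check that tells the
two apart before stunnel is started. Option names follow stunnel 4/5
syntax; the host names, ports and paths are illustrative.

```sh
#!/bin/sh
# Added example for this page, not code from the SSVNC bundle.
# Emit the stunnel client configuration behind an SSL VNC connection, in
# the unverified form (encryption only) and the verified form (CAfile
# pinned to the server's own self-signed x11vnc.pem).
# Assumptions: stunnel 4/5 option names; illustrative hosts, ports, paths.

# stunnel_vnc_conf LPORT RHOST RPORT [CAFILE] -> config text on stdout.
# Without CAFILE any certificate is accepted, so a man-in-the-middle that
# terminates the SSL session is not detected; the VNC password then goes
# to whoever answered.
stunnel_vnc_conf() {
    lport=$1; rhost=$2; rport=$3; cafile=${4:-}
    printf 'client = yes\nforeground = yes\npid =\n'
    printf '[vnc]\naccept = 127.0.0.1:%s\nconnect = %s:%s\n' "$lport" "$rhost" "$rport"
    if [ -n "$cafile" ]; then
        # verify = 2: check the peer's chain against CAfile. A self-signed
        # server certificate is its own issuer, so listing only it here
        # means exactly that server (and nobody else) is accepted.
        printf 'CAfile = %s\nverify = 2\n' "$cafile"
    else
        printf '; WARNING: no CAfile/verify: the server identity is not checked\n'
    fi
}

# conf_verifies CONF -> status 0 if CONF both names a CAfile and sets
# verify to 2 or 3, status 1 otherwise. Run it before starting stunnel.
conf_verifies() {
    printf '%s\n' "$1" | grep -q '^verify *= *[23]$' &&
        printf '%s\n' "$1" | grep -q '^CAfile *= *[^ ]'
}

# pem_fingerprint PEMFILE -> SHA-256 fingerprint of the certificate in
# PEMFILE, to compare with the value obtained out of band from the server
# before trusting a copied x11vnc.pem.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Usage: stunnel_vnc_conf.sh LPORT RHOST RPORT [CAFILE] > vnc.conf
#        stunnel vnc.conf &  then  vncviewer localhost::LPORT
if [ $# -ge 3 ]; then
    conf=$(stunnel_vnc_conf "$@")
    conf_verifies "$conf" || echo "note: this config does not verify the server" >&2
    printf '%s\n' "$conf"
fi
```

The check is deliberately strict about both halves: "verify = 2" without a
CAfile makes stunnel fail to start rather than silently accept everything,
and a CAfile without "verify" is never consulted, so only the pair counts
as a pinned configuration.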
The smallest bundles with binaries are:

    ssvnc_windows_only-1.x.y.zip        Windows
    ssvnc_no_windows-1.x.y.tar.gz       Unix and MacOSX

however, the tiny scripts-only one (only 60KB) will run properly on Unix
as long as you install external vncviewer and stunnel packages:

    ssvnc_unix_minimal-1.x.y.tar.gz


Help and Info:
-------------

For more help on other options and usage patterns run these:

    ./bin/ssvnc_cmd -h
    ./bin/util/ss_vncviewer -h

See also:

    http://www.karlrunge.com/x11vnc
    http://www.karlrunge.com/x11vnc/#faq
    x11vnc -h | more
    http://www.stunnel.org
    http://stunnel.mirt.net
    http://www.openssl.org
    http://www.tightvnc.com
    http://www.realvnc.com
    http://www.chiark.greenend.org.uk/~sgtatham/putty/
    http://sourceforge.net/projects/cotvnc/

============================== COPYING ==============================

                    GNU GENERAL PUBLIC LICENSE
                       Version 2, June 1991

 Copyright (C) 1989, 1991 Free Software Foundation, Inc.
 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.

                            Preamble

  The licenses for most software are designed to take away your
freedom to share and change it.  By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users.  This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it.  (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.)  You can apply it to
your programs, too.

  When we speak of free software, we are referring to freedom, not
price.
Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. 
This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. 
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. 
You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. 
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. 
If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. 
The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

Appendix: How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.

    Copyright (C) 19yy

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this when it starts in an interactive mode:

    Gnomovision version 69, Copyright (C) 19yy name of author
    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
    This is free software, and you are welcome to redistribute it
    under certain conditions; type `show c' for details.

The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program.

You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names:

    Yoyodyne, Inc., hereby disclaims all copyright interest in the program
    `Gnomovision' (which makes passes at compilers) written by James Hacker.

    , 1 April 1989
    Ty Coon, President of Vice

This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.


bin/sshvnc

#!/bin/sh
#
# wrapper for SSH_ONLY mode
#
PATH=`dirname "$0"`:$PATH; export PATH
SSVNC_SSH_ONLY=1; export SSVNC_SSH_ONLY
exec ssvnc -ssh "$@"


bin/ssvnc

#!/bin/sh
#
# Copyright (c) 2006 by Karl J. Runge
#
# sslvnc:
#
# A wrapper for ssvnc_cmd using a tcl/tk gui.
#
# See ssvnc_cmd for details.
#
if [ "X$XTERM_PRINT" != "X" ]; then
	XTERM_PRINT=""
	cat > /dev/null
fi

if [ "X$1" = "X-bg" ]; then
	shift
	$0 "$@" &
	exit 0
fi

PATH=$PATH:/usr/bin:/bin:/usr/bin/X11:/usr/X11R6/bin:/usr/openwin/bin:/usr/sfw/bin:/usr/local/bin
export PATH

if [ "X$FULLNAME" = "XKarl J. Runge" ]; then
	VNCVIEWER_POPUP_FIX=1
	export VNCVIEWER_POPUP_FIX
	PATH=`echo "$PATH" | sed -e 's,runge/bin/override,-------------,'`
fi

if [ "X$WISH" = "X" ]; then
	WISH=wish
	for try in wish wish8.3 wish8.4 wish8.5 wish8.6
	do
		if type $try > /dev/null; then
			WISH=$try
			break
		fi
	done
fi

SSVNC_GUI_CMD="$0 $*"
export SSVNC_GUI_CMD
SSVNC_LAUNCH=$SSVNC_GUI_CMD
export SSVNC_LAUNCH

# work out os.arch platform string and check for binaries:
#
name=$UNAME
if [ "X$name" = "X" ]; then
	name=`uname -sm | sed -e 's/ /./g' -e 's,/.*,,' -e 's/Linux\.i.86/Linux.i686/'`
fi

dL="-L"
if uname -sr | egrep 'SunOS 5\.[5-8]' > /dev/null; then
	dL="-h"
fi

# follow symlinks (at most 5 levels) to find where we really live:
f="$0"
for t in 1 2 3 4 5
do
	if [ $dL "$f" ]; then
		f0="$f"
		f=`ls -l "$f" | sed -e 's/^.* -> //'`
		if echo "$f" | grep '^/' > /dev/null; then
			:
		else
			f="`dirname "$f0"`/$f"
		fi
	else
		break
	fi
done
dir=`dirname "$f"`
PATH="$dir:$PATH"

nearby=0
if [ -x "$dir/vncviewer" -a -x "$dir/stunnel" ]; then
	nearby=1
fi

if [ ! -d "$dir/$name" -a $nearby = 0 ]; then
	echo
	echo "Cannot find platform dir for your OS `uname -sm`:"
	echo
	echo "    $dir/$name"
	echo
	PATH=$PATH:/usr/sbin:/usr/local/sbin:/dist/sbin
	quit=0
	if type vncviewer >/dev/null 2>/dev/null; then
		:
	else
		echo "vncviewer not found in PATH."
		quit=1
	fi
	if type stunnel >/dev/null 2>/dev/null; then
		:
	else
		echo "stunnel not found in PATH."
		quit=1
	fi
	echo
	if [ "X$quit" = "X1" ]; then
		echo "You can set the \$UNAME env. var. to override the OS setting."
		echo "Or, if available, run the ./build.unix script to build it."
		echo "Or install external \"vncviewer\" and \"stunnel\" packages."
		exit 1
	fi
	echo "Using external \"vncviewer\" and \"stunnel\" found in PATH."
else
	STUNNEL=stunnel
	STUNNEL_EXTRA_OPTS=${STUNNEL_EXTRA_OPTS:-"maxconn = 1"}
	export STUNNEL STUNNEL_EXTRA_OPTS
	SSVNC_VIEWER_INTERNAL=1
	export SSVNC_VIEWER_INTERNAL
fi

# Put our os.arch and other utils dirs at head of PATH to be sure to
# pick them up:
#
PATH="$dir:$dir/$name:$dir/util:$PATH"
if echo "$dir" | grep '^/' > /dev/null; then
	:
else
	dir=`pwd`/$dir
	PATH="$dir:$dir/$name:$dir/util:$PATH"
fi

SSVNC_BASEDIR="$dir"
export SSVNC_BASEDIR

if [ -f "$dir/util/ultraftp.jar" ]; then
	SSVNC_ULTRA_FTP_JAR="$dir/util/ultraftp.jar"
	export SSVNC_ULTRA_FTP_JAR
fi

if [ "X$WISH" = "Xwish" ]; then
	exec ssvnc.tcl "$@"
else
	exec $WISH $dir/util/ssvnc.tcl "$@"
fi


bin/ssvnc_cmd

#!/bin/sh
#
# Copyright (c) 2006 by Karl J. Runge
#
# ssvnc_cmd:
#
# A wrapper that calls ss_vncviewer to use the enhanced TightVNC viewer.
#
# The enhanced TightVNC viewer features are:
#
#  - SSL support for connections using the co-bundled stunnel program.
#  - rfbNewFBSize VNC support (screen resizing)
#  - cursor alphablending with x11vnc at 32bpp
#  - xgrabserver support for fullscreen mode (for old window mgrs)
#
#
# Your platform (e.g. Linux.i686) is autodetected and enhanced
# vncviewer and stunnel binaries for it are used (see the ./bin directory).
#
# See the build.unix script if your platform is not in this package.
# You can also set the env. var. UNAME=os.arch to any "os.arch" you want
# to override the autodetection.
#
# Usage:
#
#   ssvnc_cmd [ss_vncviewer-args] hostname:N [tightvncviewer-args]
#
# "hostname:N" is the host and VNC display to connect to, e.g. snoopy:0
#
# See the script util/ss_vncviewer for details about its arguments:
#
#   -verify pemfile
#   -mycert pemfile
#   -proxy phost:pport
#   -alpha
#   -grab
#
#
# If the *very first* argument is "-cotvnc" then it is assumed you are on
# Darwin and want to run the Chicken of the VNC viewer via our wrapper.
#
#
# See the TightVNC viewer documentation for its cmdline arguments.
#
# For convenience, here is the current (7/2006) TightVNC viewer -help output:
#
# TightVNC viewer version 1.3dev5
#
# Usage: vncviewer [] [][:]
#        vncviewer [] [][::]
#        vncviewer [] -listen []
#        vncviewer -help
#
# are standard Xt options, or:
#         -via
#         -shared (set by default)
#         -noshared
#         -viewonly
#         -fullscreen
#         -noraiseonbeep
#         -passwd (standard VNC authentication)
#         -user (Unix login authentication)
#         -encodings (e.g. "tight copyrect")
#         -bgr233
#         -owncmap
#         -truecolour
#         -depth
#         -compresslevel (0..9: 0-fast, 9-best)
#         -quality (0..9: 0-low, 9-high)
#         -nojpeg
#         -nocursorshape
#         -x11cursor
#         -autopass
#
# Option names may be abbreviated, e.g. -bgr instead of -bgr233.
# See the manual page for more information.
#

if [ "X$1" = "X-h" -o "X$1" = "X-help" -o "X$1" = "X--help" ]; then
	head -76 "$0" | grep -v bin/sh
	exit
fi

# Include /usr/bin... to be sure to get regular utilities:
#
PATH=$PATH:/usr/bin:/bin
export PATH

if [ "X$FULLNAME" = "XKarl J. Runge" ]; then
	VNCVIEWER_POPUP_FIX=1
	export VNCVIEWER_POPUP_FIX
	PATH=`echo "$PATH" | sed -e 's,runge/bin/override,-------------,'`
fi

# Set this for ss_vncviewer to pick up:
#
if [ "X$1" = "X-cotvnc" ]; then
	shift
	DARWIN_COTVNC=1
	export DARWIN_COTVNC
elif [ "X$DARWIN_COTVNC" = "X" -a "X$DISPLAY" = "X" ]; then
	uname=`uname`
	if [ "X$uname" = "XDarwin" ]; then
		DARWIN_COTVNC=1
		export DARWIN_COTVNC
	fi
fi

use_ours=0
if [ "X$VNCVIEWERCMD" = "X" ]; then
	VNCVIEWERCMD="vncviewer"
	export VNCVIEWERCMD
	if [ "X$DARWIN_COTVNC" != "X1" ]; then
		use_ours=1
	fi
fi

# work out os.arch platform string and check for binaries:
#
name=$UNAME
if [ "X$name" = "X" ]; then
	name=`uname -sm | sed -e 's/ /./g' -e 's,/.*,,' -e 's/Linux\.i.86/Linux.i686/'`
fi

dL="-L"
if uname -sr | egrep 'SunOS 5\.[5-8]' > /dev/null; then
	dL="-h"
fi

# follow symlinks (at most 6 levels) to find where we really live:
f="$0"
for t in 1 2 3 4 5 6
do
	if [ $dL "$f" ]; then
		f0="$f"
		f=`ls -l "$f" | sed -e 's/^.* -> //'`
		if echo "$f" | grep '^/' > /dev/null; then
			:
		else
			f="`dirname "$f0"`/$f"
		fi
	else
		break
	fi
done
dir=`dirname "$f"`
PATH="$dir:$PATH"

nearby=0
if [ -x "$dir/vncviewer" -a -x "$dir/stunnel" ]; then
	nearby=1
fi

if [ ! -d "$dir/$name" -a $nearby = 0 ]; then
	echo
	echo "Cannot find platform dir for your OS `uname -sm`:"
	echo
	echo "    $dir/$name"
	echo
	PATH=$PATH:/usr/sbin:/usr/local/sbin:/dist/sbin
	quit=0
	if type vncviewer >/dev/null 2>/dev/null; then
		:
	else
		echo "vncviewer not found in PATH."
		quit=1
	fi
	if type stunnel >/dev/null 2>/dev/null; then
		:
	else
		echo "stunnel not found in PATH."
		quit=1
	fi
	echo
	if [ "X$quit" = "X1" ]; then
		echo "You can set the \$UNAME env. var. to override the OS setting."
		echo "Or, if available, run the ./build.unix script to build it."
		echo "Or install external \"vncviewer\" and \"stunnel\" packages."
		exit 1
	fi
	echo "Using external \"vncviewer\" and \"stunnel\" found in PATH."
else
	STUNNEL=stunnel
	STUNNEL_EXTRA_OPTS=${STUNNEL_EXTRA_OPTS:-"maxconn = 1"}
	export STUNNEL STUNNEL_EXTRA_OPTS
	SSVNC_VIEWER_INTERNAL=1
	export SSVNC_VIEWER_INTERNAL
fi

if [ "X$DARWIN_COTVNC" != "X1" -a "X$VNCVIEWERCMD" = "Xvncviewer" ]; then
	hstr=`$VNCVIEWERCMD -h 2>&1 | head -5`
	if echo "$hstr" | grep '^TightVNC.*version 1\.[23]' > /dev/null; then
		# we need to avoid raw encoding
		use_ours=1
	fi
fi

# Put our os.arch and other utils dirs at head of PATH to be sure to
# pick them up:
#
PATH="$dir:$dir/$name:$dir/util:$PATH"
if echo "$dir" | grep '^/' > /dev/null; then
	:
else
	dir=`pwd`/$dir
	PATH="$dir:$dir/$name:$dir/util:$PATH"
fi

if [ -f "$dir/util/ultraftp.jar" ]; then
	SSVNC_ULTRA_FTP_JAR="$dir/util/ultraftp.jar"
	export SSVNC_ULTRA_FTP_JAR
fi

base=`basename "$0"`
if [ "X$1" = "X-ssl" ]; then
	shift
	base="ssvnc_cmd"
fi

# If ours (and not cotvnc), force the use of tight encoding for localhost
# redir connection:
#
#
if [ $use_ours = 1 ]; then
	# avoid system vncviewer app-defaults
	XFILESEARCHPATH="/tmp/path/nowhere"
	export XFILESEARCHPATH
	if [ "X$base" = "Xtightvncviewer" ]; then
		$VNCVIEWERCMD -encodings 'copyrect tight zrle zlib hextile' "$@"
	else
		ss_vncviewer "$@" -encodings 'copyrect tight zrle zlib hextile'
	fi
else
	if [ "X$base" = "Xtightvncviewer" ]; then
		$VNCVIEWERCMD "$@"
	else
		ss_vncviewer "$@"
	fi
fi


bin/util/ss_vncviewer

#!/bin/sh
#
# ss_vncviewer:  wrapper for vncviewer to use an stunnel SSL tunnel
#                or an SSH tunnel.
#
# Copyright (c) 2006-2008 by Karl J. Runge
#
# You must have stunnel(8) installed on the system and in your PATH
# (however, see the -ssh option below, in which case you will need ssh(1)
# installed)  Note: stunnel is usually installed in an "sbin" subdirectory.
#
# You should have "x11vnc -ssl ..." or "x11vnc -stunnel ..."
# already running as the VNC server on the remote machine.
# (or use stunnel on the server side for any other VNC server)
#
#
# Usage: ss_vncviewer [cert-args] host:display
#
# e.g.: ss_vncviewer snoopy:0
#       ss_vncviewer snoopy:0 -encodings "copyrect tight zrle hextile"
#
# [cert-args] can be:
#
#	-verify /path/to/cacert.pem
#	-mycert /path/to/mycert.pem
#	-proxy  host:port
#
# -verify specifies a CA cert PEM file (or a self-signed one) for
#         authenticating the VNC server.
#
# -mycert specifies this client's cert+key PEM file for the VNC server to
#         authenticate this client.
#
# -proxy  try host:port as a Web proxy to use the CONNECT method
#         to reach the VNC server (e.g. your firewall requires a proxy).
#
#         For the "double proxy" case use -proxy host1:port1,host2:port2
#         (the first CONNECT is done through host1:port1 to host2:port2
#         and then a 2nd CONNECT to the destination VNC server.)
#
#         Use socks://host:port, socks4://host:port, or socks5://host:port
#         to force usage of a SOCKS proxy.  Also repeater://host:port.
#
# -showcert  Only fetch the certificate using the 'openssl s_client'
#            command (openssl(1) must be installed).
#
# See http://www.karlrunge.com/x11vnc/#faq-ssl-ca for details on SSL
# certificates with VNC.
#
# A few other args (not related to SSL and certs):
#
# -2nd  Run the vncviewer a 2nd time if the first connection fails.
#
# -ssh  Use ssh instead of stunnel SSL.  ssh(1) must be installed and you
#       must be able to log into the remote machine via ssh.
#
#       In this case "host:display" may be of the form "user@host:display"
#       where "user@host" is used for the ssh login (see ssh(1) manpage).
#
#       If -proxy is supplied it can be of the forms: "gwhost" "gwhost:port"
#       "user@gwhost" or "user@gwhost:port".  "gwhost" is an incoming ssh
#       gateway machine (the VNC server is not running there), an ssh -L
#       redir is used to "host" in "host:display" from "gwhost".  Any "user@"
#       part must be in the -proxy string (not in "host:display").
#
#       Under -proxy use "gwhost:port" if connecting to any ssh port
#       other than the default (22).  (even for the non-gateway case,
#       -proxy must be used to specify a non-standard ssh port)
#
#       A "double ssh" can be specified via a -proxy string with the two
#       hosts separated by a comma:
#
#         [user1@]host1[:port1],[user2@]host2[:port2]
#
#       in which case a ssh to host1 and thru it via a -L redir a 2nd
#       ssh is established to host2.
#
#       Examples:
#
#       ss_vncviewer -ssh bob@bobs-home.net:0
#       ss_vncviewer -ssh -sshcmd 'x11vnc -localhost' bob@bobs-home.net:0
#
#       ss_vncviewer -ssh -proxy fred@mygate.com:2022 mymachine:0
#       ss_vncviewer -ssh -proxy bob@bobs-home.net:2222 localhost:0
#
#       ss_vncviewer -ssh -proxy fred@gw-host,fred@peecee localhost:0
#
# -sshcmd cmd  Run "cmd" via ssh instead of the default "sleep 15"
#              e.g. -sshcmd 'x11vnc -display :0 -localhost -rfbport 5900'
#
# -sshargs "args"  pass "args" to the ssh process, e.g. -L/-R port redirs.
#
# -sshssl  Tunnel the SSL connection thru a SSH connection.  The tunnel as
#          under -ssh is set up and the SSL connection goes thru it.  Use
#          this if you want to have an end-to-end SSL connection but must
#          go thru a SSH gateway host (e.g. not the vnc server).  Or use
#          this if you need to tunnel additional services via -R and -L
#          (see -sshargs above).
#
#          ss_vncviewer -sshssl -proxy fred@mygate.com mymachine:0
#
# -listen  (or -reverse) set up a reverse connection.
#
# -alpha   turn on cursor alphablending hack if you are using the
#          enhanced tightvnc vncviewer.
#
# -grab    turn on XGrabServer hack if you are using the enhanced tightvnc
#          vncviewer (e.g. for fullscreen mode in some windowmanagers like
#          fvwm that do not otherwise work in fullscreen mode)
#
#
# set VNCVIEWERCMD to whatever vncviewer command you want to use.
#
VNCIPCMD=${VNCVIEWERCMD:-vncip}
VNCVIEWERCMD=${VNCVIEWERCMD:-vncviewer}
#
# Same for STUNNEL, e.g. set it to /path/to/stunnel or stunnel4, etc.
#
# turn on verbose debugging output
if [ "X$SS_DEBUG" != "X" ]; then
	set -xv
fi

PATH=$PATH:/usr/sbin:/usr/local/sbin:/dist/sbin; export PATH

# work out which stunnel to use (debian installs as stunnel4)
if [ "X$STUNNEL" = "X" ]; then
	type stunnel4 > /dev/null 2>&1
	if [ $? = 0 ]; then
		STUNNEL=stunnel4
	else
		STUNNEL=stunnel
	fi
fi

help() {
	tail -n +2 "$0" | sed -e '/^$/ q'
}

secondtry=""
gotalpha=""
use_ssh=""
use_sshssl=""
direct_connect=""
ssh_sleep=15
# sleep longer in -listen mode:
if echo "$*" | grep '.*-listen' > /dev/null; then
	ssh_sleep=1800
fi
ssh_cmd=""
# env override of ssh_cmd:
if [ "X$SS_VNCVIEWER_SSH_CMD" != "X" ]; then
	ssh_cmd="$SS_VNCVIEWER_SSH_CMD"
fi
ssh_args=""
showcert=""
reverse=""

if [ "X$1" = "X-viewerflavor" ]; then
	# special case, try to guess which viewer:
	#
	if echo "$VNCVIEWERCMD" | egrep -i '^(xmessage|sleep )' > /dev/null; then
		echo "unknown"
		exit 0
	fi
	if echo "$VNCVIEWERCMD" | grep -i chicken.of > /dev/null; then
		echo "cotvnc"
		exit 0
	fi
	if echo "$VNCVIEWERCMD" | grep -i ultra > /dev/null; then
		echo "ultravnc"
		exit 0
	fi
	# OK, run it for help output...
	str=`$VNCVIEWERCMD -h 2>&1 | head -n 5`
	if echo "$str" | grep -i 'TightVNC.viewer' > /dev/null; then
		echo "tightvnc"
	elif echo "$str" | grep -i 'RealVNC.Ltd' > /dev/null; then
		echo "realvnc4"
	elif echo "$str" | grep -i 'VNC viewer version 3' > /dev/null; then
		echo "realvnc3"
	else
		echo "unknown"
	fi
	exit 0
fi

# maxconn is something we added to stunnel, this disables it:
if [ "X$SS_VNCVIEWER_NO_MAXCONN" != "X" ]; then
	STUNNEL_EXTRA_OPTS=`echo "$STUNNEL_EXTRA_OPTS" | sed -e 's/maxconn/#maxconn/'`
elif echo "$VNCVIEWERCMD" | egrep -i '^(xmessage|sleep )' > /dev/null; then
	STUNNEL_EXTRA_OPTS=`echo "$STUNNEL_EXTRA_OPTS" | sed -e 's/maxconn/#maxconn/'`
fi

# grab our cmdline options:
while [ "X$1" != "X" ]
do
	case $1 in
	"-verify")	shift; verify="$1"
	;;
	"-mycert")	shift; mycert="$1"
	;;
	"-proxy")	shift; proxy="$1"
	;;
	"-ssh")		use_ssh=1
	;;
	"-sshssl")	use_ssh=1
			use_sshssl=1
	;;
	"-sshcmd")	shift; ssh_cmd="$1"
	;;
	"-sshargs")	shift; ssh_args="$1"
	;;
	"-alpha")	gotalpha=1
	;;
	"-showcert")	showcert=1
	;;
	"-listen")	reverse=1
	;;
	"-reverse")	reverse=1
	;;
	"-2nd")		secondtry=1
	;;
	"-grab")	VNCVIEWER_GRAB_SERVER=1; export VNCVIEWER_GRAB_SERVER
	;;
	"-h"*)		help; exit 0
	;;
	"--h"*)		help; exit 0
	;;
	*)		break
	;;
	esac
	shift
done

# this is the -t ssh option (gives better keyboard response thru SSH tunnel)
targ="-t"
if [ "X$SS_VNCVIEWER_NO_T" != "X" ]; then
	targ=""
fi

# set the alpha blending env. hack:
if [ "X$gotalpha" = "X1" ]; then
	VNCVIEWER_ALPHABLEND=1
	export VNCVIEWER_ALPHABLEND
else
	NO_ALPHABLEND=1
	export NO_ALPHABLEND
fi

if [ "X$reverse" != "X" ]; then
	ssh_sleep=1800
	if [ "X$proxy" != "X" ]; then
		# check proxy usage under reverse connection:
		if [ "X$use_ssh" = "X" -a "X$use_sshssl" = "X" ]; then
			echo ""
			if echo "$proxy" | egrep "repeater://" > /dev/null; then
				:
			else
				echo "*Warning*: SSL -listen and a Web proxy does not make sense."
				sleep 3
			fi
		elif echo "$proxy" | grep "," > /dev/null; then
			:
		else
			echo ""
			echo "*Warning*: -listen and a single proxy/gateway does not make sense."
			sleep 3
		fi
	fi
fi

if [ "X$ssh_cmd" = "X" ]; then
	# if no remote ssh cmd, sleep a bit:
	ssh_cmd="sleep $ssh_sleep"
fi

# this should be a host:display:
#
orig="$1"
shift

# check -ssh and -mycert/-verify conflict:
if [ "X$use_ssh" = "X1" -a "X$use_sshssl" = "X" ]; then
	if [ "X$mycert" != "X" -o "X$verify" != "X" ]; then
		echo "-mycert and -verify cannot be used in -ssh mode"
		exit 1
	fi
fi

# direct mode Vnc:// means show no warnings.
# direct mode vnc:// will show warnings.
if echo "$orig" | grep '^V[Nn][Cc]://' > /dev/null; then
	SSVNC_NO_ENC_WARN=1
	export SSVNC_NO_ENC_WARN
	orig=`echo "$orig" | sed -e 's/^...:/vnc:/'`
fi

# interpret the pseudo URL proto:// strings:
if echo "$orig" | grep '^vnc://' > /dev/null; then
	orig=`echo "$orig" | sed -e 's,vnc://,,'`
	verify=""
	mycert=""
	use_ssh=""
	use_sshssl=""
	direct_connect=1
elif echo "$orig" | grep '^vncs://' > /dev/null; then
	orig=`echo "$orig" | sed -e 's,vncs://,,'`
elif echo "$orig" | grep '^vncssl://' > /dev/null; then
	orig=`echo "$orig" | sed -e 's,vncssl://,,'`
elif echo "$orig" | grep '^vnc+ssl://' > /dev/null; then
	orig=`echo "$orig" | sed -e 's,vnc.ssl://,,'`
elif echo "$orig" | grep '^vncssh://' > /dev/null; then
	orig=`echo "$orig" | sed -e 's,vncssh://,,'`
	use_ssh=1
elif echo "$orig" | grep '^vnc+ssh://' > /dev/null; then
	orig=`echo "$orig" | sed -e 's,vnc.ssh://,,'`
	use_ssh=1
fi

# (possibly) tell the vncviewer to only listen on lo:
if [ "X$reverse" != "X" -a "X$direct_connect" = "X" ]; then
	VNCVIEWER_LISTEN_LOCALHOST=1
	export VNCVIEWER_LISTEN_LOCALHOST
fi

# rsh mode is an internal/secret thing only I use.
rsh=""
if echo "$orig" | grep '^rsh://' > /dev/null; then
	use_ssh=1
	rsh=1
	orig=`echo "$orig" | sed -e 's,rsh://,,'`
elif echo "$orig" | grep '^rsh:' > /dev/null; then
	use_ssh=1
	rsh=1
	orig=`echo "$orig" | sed -e 's,rsh:,,'`
fi

# play around with host:display port:
if echo "$orig" | grep ':' > /dev/null; then
	:
else
	# add or assume :0 if no ':'
	if [ "X$reverse" = "X" ]; then
		orig="$orig:0"
	elif [ "X$orig" = "X" ]; then
		orig=":0"
	fi
fi

# extract host and disp number:
host=`echo "$orig" | awk -F: '{print $1}'`
disp=`echo "$orig" | awk -F: '{print $2}'`
if [ "X$host" = "X" ]; then
	host=localhost
fi

if [ "X$disp" = "X" ]; then
	port=""		# probably -listen mode.
elif [ $disp -lt 0 ]; then
	# negative means use |n| without question:
	port=`expr 0 - $disp`
elif [ $disp -lt 200 ]; then
	# less than 200 means 5900+n
	if [ "X$reverse" = "X" ]; then
		port=`expr $disp + 5900`
	else
		port=`expr $disp + 5500`
	fi
else
	# otherwise use the number directly, e.g. 443, 2345
	port=$disp
fi

# try to find an open listening port via netstat(1):
inuse=""
if uname | grep Linux > /dev/null; then
	inuse=`netstat -ant | egrep 'LISTEN|WAIT|ESTABLISH|CLOSE' | awk '{print $4}' | sed 's/^.*://'`
elif uname | grep SunOS > /dev/null; then
	inuse=`netstat -an -f inet -P tcp | grep LISTEN | awk '{print $1}' | sed 's/^.*\.//'`
elif uname | grep -i bsd > /dev/null; then
	inuse=`netstat -ant -f inet | grep LISTEN | awk '{print $4}' | sed 's/^.*\.//'`
# add others...
fi

# this is a crude attempt for unique ports tags, etc.
date_sec=`date +%S`

# these are special cases of no vnc, e.g. sleep or xmessage.
# these are for using ssvnc as a general port redirector.
if echo "$VNCVIEWERCMD" | grep '^sleep[ ][ ]*[0-9][0-9]*' > /dev/null; then
	if [ "X$SS_VNCVIEWER_LISTEN_PORT" = "X" ]; then
		p=`echo "$VNCVIEWERCMD" | awk '{print $3}'`
		if [ "X$p" != "X" ]; then
			SS_VNCVIEWER_LISTEN_PORT=$p
		fi
	fi
	p2=`echo "$VNCVIEWERCMD" | awk '{print $2}'`
	VNCVIEWERCMD="eval sleep $p2; echo Local "
elif echo "$VNCVIEWERCMD" | grep '^xmessage[ ][ ]*[0-9][0-9]*' > /dev/null; then
	if [ "X$SS_VNCVIEWER_LISTEN_PORT" = "X" ]; then
		p=`echo "$VNCVIEWERCMD" | awk '{print $2}'`
		SS_VNCVIEWER_LISTEN_PORT=$p
	fi
fi

# utility to find a free port to listen on.
findfree() {
	try0=$1
	try=$try0
	use0=""

	if [ "X$SS_VNCVIEWER_LISTEN_PORT" != "X" ]; then
		echo "$SS_VNCVIEWER_LISTEN_PORT"
		return
	fi

	if [ $try -ge 6000 ]; then
		fmax=`expr $try + 1000`
	else
		fmax=6000
	fi

	while [ $try -lt $fmax ]
	do
		if [ "X$inuse" = "X" ]; then
			break
		fi
		if echo "$inuse" | grep -w $try > /dev/null; then
			:
		else
			use0=$try
			break
		fi
		try=`expr $try + 1`
	done
	if [ "X$use0" = "X" ]; then
		use0=`expr $date_sec + $try0`
	fi
	echo $use0
}

# utility for exiting; kills some helper processes,
# removes files, etc.
final() {
	echo ""
	if [ "X$SS_VNCVIEWER_RM" != "X" ]; then
		rm -f $SS_VNCVIEWER_RM 2>/dev/null
	fi
	if [ "X$tcert" != "X" ]; then
		rm -f $tcert
	fi
	if [ "X$pssh" != "X" ]; then
		echo "Terminating background ssh process"
		echo kill -TERM "$pssh"
		kill -TERM "$pssh" 2>/dev/null
		sleep 1
		kill -KILL "$pssh" 2>/dev/null
		pssh=""
	fi
	if [ "X$stunnel_pid" != "X" ]; then
		echo "Terminating background stunnel process"
		echo kill -TERM "$stunnel_pid"
		kill -TERM "$stunnel_pid" 2>/dev/null
		sleep 1
		kill -KILL "$stunnel_pid" 2>/dev/null
		stunnel_pid=""
	fi
	if [ "X$tail_pid" != "X" ]; then
		kill -TERM $tail_pid
	fi
}

if [ "X$reverse" = "X" ]; then
	# normal connections try 5930-5999:
	use=`findfree 5930`
	if [ $use -ge 5900 ]; then
		N=`expr $use - 5900`
	else
		N=$use
	fi
else
	# reverse connections:
	p2=`expr $port + 30`
	use=`findfree $p2`
	if [ $use -ge 5500 ]; then
		N=`expr $use - 5500`
	else
		N=$use
	fi
fi

# this is for my special use of ss_vncip -> vncip viewer.
if echo "$0" | grep vncip > /dev/null; then
	VNCVIEWERCMD="$VNCIPCMD"
fi

rchk() {
	# a kludge to set $RANDOM if we are not bash:
	if [ "X$BASH_VERSION" = "X" ]; then
		RANDOM=`date +%S``sh -c 'echo $$'``ps -elf 2>&1 | sum 2>&1 | awk '{print $1}'`
	fi
}
rchk

dL="-L"
if uname -sr | egrep 'SunOS 5\.[5-8]' > /dev/null; then
	dL="-h"
fi

# a portable, but not absolutely safe, tmp file creator
mytmp() {
	tf=$1
	rm -rf "$tf" || exit 1
	if [ -d "$tf" ]; then
		echo "tmp file $tf still exists as a directory."
		exit 1
	elif [ $dL "$tf" ]; then
		echo "tmp file $tf still exists as a symlink."
		exit 1
	elif [ -f "$tf" ]; then
		echo "tmp file $tf still exists."
		exit 1
	fi
	touch "$tf" || exit 1
	chmod 600 "$tf" || exit 1
	rchk
}

# trick for the undocumented rsh://host:port method.
rsh_setup() {
	if echo "$ssh_host" | grep '@' > /dev/null; then
		ul=`echo "$ssh_host" | awk -F@ '{print $1}'`
		ul="-l $ul"
		ssh_host=`echo "$ssh_host" | awk -F@ '{print $2}'`
	else
		ul=""
	fi
	ssh_cmd=`echo "$ssh_cmd" | sed -e 's/ -localhost/ /g'`
}

# trick for the undocumented rsh://host:port method.
rsh_viewer() {
	trap "final" 0 2 15
	if [ "X$PORT" = "X" ]; then
		exit 1
	elif [ $PORT -ge 5900 ]; then
		vdpy=`expr $PORT - 5900`
	else
		vdpy=":$PORT"
	fi
	stty sane
	echo "$VNCVIEWERCMD" "$@" $ssh_host:$vdpy
	echo ""
	$VNCVIEWERCMD "$@" $ssh_host:$vdpy
	if [ $? != 0 ]; then
		sleep 2
		$VNCVIEWERCMD "$@" $ssh_host:$vdpy
	fi
}

# this is the PPROXY tool.  used only here for now...
pcode() {
	tf=$1
	PPROXY_PROXY=$proxy; export PPROXY_PROXY
	PPROXY_DEST="$host:$port"; export PPROXY_DEST
	cod='#!/usr/bin/perl

# A hack to glue stunnel to a Web proxy or SOCKS for client connections.

use IO::Socket::INET;

if (exists $ENV{PPROXY_SLEEP}) {
	print STDERR "PPROXY_PID: $$\n";
	sleep $ENV{PPROXY_SLEEP};
}

foreach my $var (qw(PPROXY_PROXY PPROXY_SOCKS PPROXY_DEST PPROXY_LISTEN PPROXY_REVERSE PPROXY_REPEATER PPROXY_REMOVE PPROXY_KILLPID PPROXY_SLEEP)) {
	if (0 || $ENV{SS_DEBUG}) {
		print STDERR "$var: $ENV{$var}\n";
	}
}

if ($ENV{PPROXY_SOCKS} ne "" && $ENV{PPROXY_PROXY} !~ m,^socks5?://,i) {
	if ($ENV{PPROXY_SOCKS} eq "5") {
		$ENV{PPROXY_PROXY} = "socks5://$ENV{PPROXY_PROXY}";
	} else {
		$ENV{PPROXY_PROXY} = "socks://$ENV{PPROXY_PROXY}";
	}
}

# up to three comma-separated proxies are chained, each with its own mode:
my ($first, $second, $third) = split(/,/, $ENV{PPROXY_PROXY}, 3);
my ($mode_1st, $mode_2nd, $mode_3rd) = ("", "", "");

($first, $mode_1st) = url_parse($first);
my ($proxy_host, $proxy_port) = split(/:/, $first);
my $connect = $ENV{PPROXY_DEST};

if ($second ne "") {
	($second, $mode_2nd) = url_parse($second);
}
if ($third ne "") {
	($third, $mode_3rd) = url_parse($third);
}

print STDERR "\n";
print STDERR "PPROXY v0.2: a tool for Web proxies and SOCKS connections.\n";
print STDERR "proxy_host:     $proxy_host\n";
print STDERR "proxy_port:     $proxy_port\n";
print STDERR "proxy_connect:  $connect\n";
print STDERR "pproxy_params:  $ENV{PPROXY_PROXY}\n";
print STDERR "pproxy_listen:  $ENV{PPROXY_LISTEN}\n";
print STDERR "pproxy_reverse: $ENV{PPROXY_REVERSE}\n";
print STDERR "\n";
if (1) {
	print STDERR "pproxy 1st: $first\t- $mode_1st\n";
	print STDERR "pproxy 2nd: $second\t- $mode_2nd\n";
	print STDERR "pproxy 3rd: $third\t- $mode_3rd\n";
	print STDERR "\n";
}

my $listen_handle = "";
if ($ENV{PPROXY_REVERSE} ne "") {
	my ($rhost, $rport) = split(/:/, $ENV{PPROXY_REVERSE});
	$rport = 5900 unless $rport;
	$listen_handle = IO::Socket::INET->new(
		PeerAddr => $rhost,
		PeerPort => $rport,
		Proto    => "tcp"
	);
	if (! $listen_handle) {
		die "pproxy: $! -- PPROXY_REVERSE\n";
	}
	print STDERR "PPROXY_REVERSE: connected to $rhost $rport\n";
} elsif ($ENV{PPROXY_LISTEN} ne "") {
	my $listen_sock = IO::Socket::INET->new(
		Listen    => 2,
		LocalAddr => "localhost",
		LocalPort => $ENV{PPROXY_LISTEN},
		Proto     => "tcp"
	);
	if (! $listen_sock) {
		die "pproxy: $! -- PPROXY_LISTEN\n";
	}
	my $ip;
	($listen_handle, $ip) = $listen_sock->accept();
	if (! $listen_handle) {
		die "pproxy: $!\n";
	}
}

my $sock = IO::Socket::INET->new(
	PeerAddr => $proxy_host,
	PeerPort => $proxy_port,
	Proto    => "tcp"
);

if (! $sock) {
	my $err = $!;
	unlink($0) if $ENV{PPROXY_REMOVE};
	die "pproxy: $err\n";
}

unlink($0) if $ENV{PPROXY_REMOVE};

$cur_proxy = $first;
setmode($mode_1st);

if ($second ne "") {
	connection($second, 1);

	setmode($mode_2nd);
	$cur_proxy = $second;

	if ($third ne "") {
		connection($third, 2);

		setmode($mode_3rd);
		$cur_proxy = $third;

		connection($connect, 3);
	} else {
		connection($connect, 2);
	}
} else {
	connection($connect, 1);
}

$parent = $$;
$child = fork;

if (! defined $child) {
	kill "TERM", $ENV{PPROXY_KILLPID} if $ENV{PPROXY_KILLPID};
	exit 1;
}

if ($child) {
	print STDERR "pproxy parent\[$$]  STDIN -> socket\n";
	if ($listen_handle) {
		xfer($listen_handle, $sock);
	} else {
		xfer(STDIN, $sock);
	}
	select(undef, undef, undef, 0.25);
	if (kill 0, $child) {
		select(undef, undef, undef, 1.5);
		#print STDERR "pproxy\[$$]: kill TERM $child\n";
		kill "TERM", $child;
	}
} else {
	print STDERR "pproxy child \[$$]  socket -> STDOUT\n";
	if ($listen_handle) {
		xfer($sock, $listen_handle);
	} else {
		xfer($sock, STDOUT);
	}
	select(undef, undef, undef, 0.25);
	if (kill 0, $parent) {
		select(undef, undef, undef, 1.5);
		#print STDERR "pproxy\[$$]: kill TERM $parent\n";
		kill "TERM", $parent;
	}
}

if ($ENV{PPROXY_KILLPID} ne "") {
	if ($ENV{PPROXY_KILLPID} =~ /^(\+|-)/) {
		$ENV{PPROXY_KILLPID} = $$ + $ENV{PPROXY_KILLPID};
	}
	print STDERR "kill TERM, $ENV{PPROXY_KILLPID}\n";
	kill "TERM", $ENV{PPROXY_KILLPID};
}

exit;

sub url_parse {
	my $hostport = shift;
	my $mode = "http";
	if ($hostport =~ m,^socks4?://(\S*)$,i) {
		$mode = "socks4";
		$hostport = $1;
	} elsif ($hostport =~ m,^socks5://(\S*)$,i) {
		$mode = "socks5";
		$hostport = $1;
	} elsif ($hostport =~ m,^https?://(\S*)$,i) {
		$mode = "http";
		$hostport = $1;
	} elsif ($hostport =~ m,^repeater://(\S*)\+(\S*)$,i) {
		# ultravnc repeater proxy.
		$hostport = $1;
		$mode = "repeater:$2";
		if ($hostport !~ /:\d+/) {
			# repeater given without a port: default to 5900
			$hostport .= ":5900";
		}
	}
	return ($hostport, $mode);
}

# Set the PPROXY_SOCKS / PPROXY_REPEATER env vars that connection() keys on.
sub setmode {
	my $mode = shift;
	$ENV{PPROXY_REPEATER} = "";
	if ($mode =~ /^socks/) {
		if ($mode =~ /^socks5/) {
			$ENV{PPROXY_SOCKS} = 5;
		} else {
			$ENV{PPROXY_SOCKS} = 1;
		}
	} elsif ($mode =~ /^repeater:(.*)/) {
		$ENV{PPROXY_REPEATER} = $1;
		$ENV{PPROXY_SOCKS} = "";
	} else {
		$ENV{PPROXY_SOCKS} = "";
	}
}

# Ask the proxy we are already connected to ($sock) to open a tunnel to
# $CONNECT (host:port).  Exits with status 1 if the proxy refuses.
sub connection {
	my ($CONNECT, $w) = @_;
	my $con = "";
	my $msg = "";

	if ($ENV{PPROXY_SOCKS} eq "5") {
		# SOCKS5: greeting is version 5, one method offered, 0x00 = no auth.
		my ($h, $p) = split(/:/, $CONNECT);
		$con .= pack("C", 0x05);
		$con .= pack("C", 0x01);
		$con .= pack("C", 0x00);
		$msg = "SOCKS5 via $cur_proxy to $h:$p\n\n";
		print STDERR "proxy_request$w: $msg";
		syswrite($sock, $con, length($con));

		my ($n1, $n2, $n3, $n4, $n5, $n6);
		my ($r1, $r2, $r3, $r4, $r5, $r6);
		my ($s1, $s2, $s3, $s4, $s5, $s6);

		# the method selection reply must be 05 00
		$n1 = sysread($sock, $r1, 1);
		$n2 = sysread($sock, $r2, 1);
		$s1 = unpack("C", $r1);
		$s2 = unpack("C", $r2);
		if ($s1 != 0x05 || $s2 != 0x00) {
			print STDERR "SOCKS5 fail s1=$s1 s2=$s2 n1=$n1 n2=$n2\n";
			close $sock;
			exit(1);
		}

		# CONNECT request: ATYP 3 (domain name), port in network byte order
		$con = "";
		$con .= pack("C", 0x05);
		$con .= pack("C", 0x01);
		$con .= pack("C", 0x00);
		$con .= pack("C", 0x03);
		$con .= pack("C", length($h));
		$con .= $h;
		$con .= pack("C", $p >> 8);
		$con .= pack("C", $p & 0xff);
		syswrite($sock, $con, length($con));

		# reply: VER REP RSV ATYP, then a bound address whose size depends on ATYP
		$n1 = sysread($sock, $r1, 1);
		$n2 = sysread($sock, $r2, 1);
		$n3 = sysread($sock, $r3, 1);
		$n4 = sysread($sock, $r4, 1);
		$s1 = unpack("C", $r1);
		$s2 = unpack("C", $r2);
		$s3 = unpack("C", $r3);
		$s4 = unpack("C", $r4);

		if ($s4 == 0x1) {
			sysread($sock, $r5, 4 + 2);
		} elsif ($s4 == 0x3) {
			sysread($sock, $r5, 1);
			$s5 = unpack("C", $r5);
			sysread($sock, $r6, $s5 + 2);
		} elsif ($s4 == 0x4) {
			sysread($sock, $r5, 16 + 2);
		}
		if ($s1 != 0x5 || $s2 != 0x0 || $s3 != 0x0) {
			print STDERR "SOCKS5 failed: s1=$s1 s2=$s2 s3=$s3 s4=$s4 n1=$n1 n2=$n2 n3=$n3 n4=$n4\n";
			close $sock;
			exit(1);
		}

	} elsif ($ENV{PPROXY_SOCKS} ne "") {
		# SOCKS4 SOCKS4a
		my ($h, $p) = split(/:/, $CONNECT);
		$con .= pack("C", 0x04);
		$con .= pack("C", 0x01);
		$con .= pack("n", $p);
		my $SOCKS_4a = 0;
		if ($h eq "localhost" || $h eq "127.0.0.1") {
			$con .= pack("C", 127);
			$con .= pack("C", 0);
			$con .= pack("C", 0);
			$con .= pack("C", 1);
		} elsif ($h =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/) {
			$con .= pack("C", $1);
			$con .= pack("C", $2);
			$con .= pack("C", $3);
			$con .= pack("C", $4);
		} else {
			# SOCKS4a: bogus address 0.0.0.3, hostname appended after the user id
			$con .= pack("C", 0);
			$con .= pack("C", 0);
			$con .= pack("C", 0);
			$con .= pack("C", 3);
			$SOCKS_4a = 1;
		}
		$con .= "nobody";
		$con .= pack("C", 0);
		$msg = "SOCKS4 via $cur_proxy to $h:$p\n\n";
		if ($SOCKS_4a) {
			$con .= $h;
			$con .= pack("C", 0);
			$msg =~ s/SOCKS4/SOCKS4a/;
		}
		print STDERR "proxy_request$w: $msg";
		syswrite($sock, $con, length($con));

		# 8 byte reply: VN must be 0 and CD must be 0x5a (request granted)
		my $ok = 1;
		for (my $i = 0; $i < 8; $i++) {
			my $c;
			sysread($sock, $c, 1);
			my $s = unpack("C", $c);
			if ($i == 0) {
				$ok = 0 if $s != 0x0;
			} elsif ($i == 1) {
				$ok = 0 if $s != 0x5a;
			}
		}
		if (! $ok) {
			print STDERR "SOCKS4 failed.\n";
			close $sock;
			exit(1);
		}

	} elsif ($ENV{PPROXY_REPEATER} ne "") {
		# UltraVNC repeater: the target string, NUL padded to exactly 250 bytes
		my $rep = $ENV{PPROXY_REPEATER};
		print STDERR "repeater: $rep\n";
		$rep .= pack("x") x 250;
		syswrite($sock, $rep, 250);
		for (my $i = 0; $i < 12; $i++) {
			my $c;
			sysread($sock, $c, 1);
			print STDERR $c;
		}

	} else {
		# Web Proxy:
		$con = "CONNECT $CONNECT HTTP/1.1\r\n";
		$con .= "Host: $CONNECT\r\n";
		$con .= "Connection: close\r\n\r\n";
		$msg = $con;
		print STDERR "proxy_request$w: via $cur_proxy:\n$msg";
		syswrite($sock, $con, length($con));

		# read the response headers a byte at a time up to the blank line
		my $rep = "";
		my $n = 0;
		while ($rep !~ /\r\n\r\n/ && $n < 30000) {
			my $c;
			sysread($sock, $c, 1);
			print STDERR $c;
			$rep .= $c;
			$n++;
		}
		if ($rep !~ m,HTTP/.* 200,) {
			print STDERR "HTTP CONNECT failed.\n";
			close $sock;
			exit(1);
		}
	}
}

# Copy bytes from $in to $out until either side reaches EOF.
sub xfer {
	my($in, $out) = @_;
	$RIN = $WIN = $EIN = "";
	$ROUT = "";
	vec($RIN, fileno($in), 1) = 1;
	vec($WIN, fileno($in), 1) = 1;
	$EIN = $RIN | $WIN;
	while (1) {
		my $nf = 0;
		while (! $nf) {
			$nf = select($ROUT=$RIN, undef, undef, undef);
		}
		my $len = sysread($in, $buf, 8192);
		if (! defined($len)) {
			next if $! =~ /^Interrupted/;
			print STDERR "pproxy\[$$]: $!\n";
			last;
		} elsif ($len == 0) {
			print STDERR "pproxy\[$$]: Input is EOF.\n";
			last;
		}
		my $offset = 0;
		my $quit = 0;
		while ($len) {
			my $written = syswrite($out, $buf, $len, $offset);
			if (! defined $written) {
				print STDERR "pproxy\[$$]: Output is EOF. $!\n";
				$quit = 1;
				last;
			}
			$len -= $written;
			$offset += $written;
		}
		last if $quit;
	}
	close($in);
	close($out);
}
'
	# xpg_echo will expand \n \r, etc.
	# try to unset and then test for it.
	shopt -u xpg_echo >/dev/null 2>&1

	v='print STDOUT "abc\n";'
	echo "$v" > $tf
	chmod 700 $tf
	lc=`wc -l $tf | awk '{print $1}'`
	if [ "X$lc" = "X1" ]; then
		# echo left the \n alone, so it is safe for writing the perl code
		echo "$cod" > $tf
	else
		printf "%s" "$cod" > $tf
		echo "" >> $tf
	fi
	# prime perl
	perl -e 'use IO::Socket::INET; select(undef, undef, undef, 0.01)' >/dev/null 2>&1
}

Kecho() {
	if [ "X$USER" = "Xrunge" ]; then
		echo "dbg: $*"
	fi
}

if [ "X$use_ssh" = "X1" ]; then
	#
	# USING SSH
	#
	ssh_port="22"
	ssh_host="$host"
	vnc_host="localhost"

	# let user override ssh via $SSH
	ssh=${SSH:-"ssh -x"}

	if echo "$proxy" | egrep '(http|https|socks|socks4|socks5)://' > /dev/null; then
		# Handle Web or SOCKS proxy(ies) for the initial connect.
		Kecho host=$host
		Kecho port=$port

		# split the comma list into web/socks proxies (pproxy) and ssh gateways
		pproxy=""
		sproxy1=""
		sproxy_rest=""

		for part in `echo "$proxy" | tr ',' ' '`
		do
			Kecho proxy_part=$part
			if [ "X$part" = "X" ]; then
				continue
			elif echo "$part" | egrep -i '^(http|https|socks|socks4|socks5)://' > /dev/null; then
				pproxy="$pproxy,$part"
			else
				if [ "X$sproxy1" = "X" ]; then
					sproxy1="$part"
				else
					sproxy_rest="$sproxy_rest,$part"
				fi
			fi
		done

		pproxy=`echo "$pproxy" | sed -e 's/^,,*//' -e 's/,,*/,/g'`
		sproxy_rest=`echo "$sproxy_rest" | sed -e 's/^,,*//' -e 's/,,*/,/g'`

		Kecho pproxy=$pproxy
		Kecho sproxy1=$sproxy1
		Kecho sproxy_rest=$sproxy_rest

		sproxy1_host=""
		sproxy1_port=""
		sproxy1_user=""

		if [ "X$sproxy1" != "X" ]; then
			sproxy1_host=`echo "$sproxy1" | awk -F: '{print $1}'`
			sproxy1_user=`echo "$sproxy1_host" | awk -F@ '{print $1}'`
			sproxy1_host=`echo "$sproxy1_host" | awk -F@ '{print $2}'`
			if [ "X$sproxy1_host" = "X" ]; then
				sproxy1_host=$sproxy1_user
				sproxy1_user=""
			else
				sproxy1_user="${sproxy1_user}@"
			fi
			sproxy1_port=`echo "$sproxy1" | awk -F: '{print $2}'`
			if [ "X$sproxy1_port" = "X" ]; then
				sproxy1_port="22"
			fi
		else
			sproxy1_host=`echo "$host" | awk -F: '{print $1}'`
			sproxy1_user=`echo "$sproxy1_host" | awk -F@ '{print $1}'`
			sproxy1_host=`echo "$sproxy1_host" | awk -F@ '{print $2}'`
			if [ "X$sproxy1_host" = "X" ]; then
				sproxy1_host=$sproxy1_user
				sproxy1_user=""
			else
				sproxy1_user="${sproxy1_user}@"
			fi
			sproxy1_port=`echo "$host" | awk -F: '{print $2}'`
			if [ "X$sproxy1_port" = "X" ]; then
				sproxy1_port="22"
			fi
		fi

		Kecho sproxy1_host=$sproxy1_host
		Kecho sproxy1_port=$sproxy1_port
		Kecho sproxy1_user=$sproxy1_user

		ptmp="/tmp/ss_vncviewer${RANDOM}.$$.pl"
		mytmp "$ptmp"
		PPROXY_REMOVE=1; export PPROXY_REMOVE

		# pcode() writes the perl helper for host:port (the first ssh hop)
		proxy=$pproxy
		port_save=$port
		host_save=$host
		if [ "X$sproxy1_host" != "X" ]; then
			host=$sproxy1_host
		fi
		if [ "X$sproxy1_port" != "X" ]; then
			port=$sproxy1_port
		fi
		host=`echo "$host" | sed -e 's/^.*@//'`
		port=`echo "$port" | sed -e 's/^.*://'`
		pcode "$ptmp"
		port=$port_save
		host=$host_save

		nd=`findfree 6700`
		PPROXY_LISTEN=$nd; export PPROXY_LISTEN
		$ptmp &
		sleep 2
		# ssh now talks to a local forwarded port, so skip the localhost host key check
		ssh_args="$ssh_args -o NoHostAuthenticationForLocalhost=yes"

		if [ "X$sproxy1" = "X" ]; then
			u=""
			if echo "$host" | grep '@' > /dev/null; then
				u=`echo "$host" | sed -e 's/@.*$/@/'`
			fi
			proxy="${u}localhost:$nd"
		else
			proxy="${sproxy1_user}localhost:$nd"
		fi
		if [ "X$sproxy_rest" != "X" ]; then
			proxy="$proxy,$sproxy_rest"
		fi
		Kecho proxy=$proxy
	fi

	if echo "$proxy" | grep "," > /dev/null; then
		proxy1=`echo "$proxy" | awk -F, '{print $1}'`
		proxy2=`echo "$proxy" | awk -F, '{print $2}'`
		# user1@gw1.com:port1,user2@ws2:port2
		ssh_host1=`echo "$proxy1" | awk -F: '{print $1}'`
		ssh_port1=`echo "$proxy1" | awk -F: '{print $2}'`
		if [ "X$ssh_port1" != "X" ]; then
			ssh_port1="-p $ssh_port1"
		fi
		ssh_host2=`echo "$proxy2" | awk -F: '{print $1}'`
		ssh_user2=`echo "$ssh_host2" | awk -F@ '{print $1}'`
		ssh_host2=`echo "$ssh_host2" | awk -F@ '{print $2}'`
		if [ "X$ssh_host2" = "X" ]; then
			ssh_host2=$ssh_user2
			ssh_user2=""
		else
			ssh_user2="${ssh_user2}@"
		fi
		ssh_port2=`echo "$proxy2" | awk -F: '{print $2}'`
		if [ "X$ssh_port2" = "X" ]; then
			ssh_port2="22"
		fi

		proxport=`findfree 3500`
		echo
		echo "Running 1st ssh proxy:"
		echo "$ssh -f -x $ssh_port1 $targ -e none -o NoHostAuthenticationForLocalhost=yes -L $proxport:$ssh_host2:$ssh_port2 $ssh_host1 \"sleep 30\""
		echo ""
		$ssh -f -x $ssh_port1 $targ -e none -o NoHostAuthenticationForLocalhost=yes -L $proxport:$ssh_host2:$ssh_port2 $ssh_host1 "sleep 30"
		ssh_args="$ssh_args -o NoHostAuthenticationForLocalhost=yes"
		sleep 1
		stty sane
		proxy="${ssh_user2}localhost:$proxport"
	fi

	if [ "X$proxy" != "X" ]; then
		ssh_port=`echo "$proxy" | awk -F: '{print $2}'`
		if [ "X$ssh_port" = "X" ]; then
			ssh_port="22"
		fi
		ssh_host=`echo "$proxy" | awk -F: '{print $1}'`
		vnc_host="$host"
	fi

	echo ""
	echo "Running ssh:"
	sz=`echo "$ssh_cmd" | wc -c`
	if [ "$sz" -gt 300 ]; then
		info="..."
	else
		info="$ssh_cmd"
	fi

	C=""
	if [ "X$SS_VNCVIEWER_USE_C" != "X" ]; then
		C="-C"
	fi
	getport=""
	teeport=""
	if echo "$ssh_cmd" | egrep "^(PORT=|P=)" > /dev/null; then
		# remote command prints PORT=NNNN; learn the VNC port from its output
		getport=1
		if echo "$ssh_cmd" | egrep "^P=" > /dev/null; then
			teeport=1
		fi
		PORT=""
		ssh_cmd=`echo "$ssh_cmd" | sed -e 's/^PORT=[ ]*//' -e 's/^P=//'`
		SSVNC_NO_ENC_WARN=1
		if [ "X$use_sshssl" = "X" ]; then
			direct_connect=1
		fi
	fi
	if [ "X$getport" != "X" ]; then
		ssh_redir="-D ${use}"
	elif [ "X$reverse" = "X" ]; then
		ssh_redir="-L ${use}:${vnc_host}:${port}"
	else
		ssh_redir="-R ${port}:${vnc_host}:${use}"
	fi
	pmark=`sh -c 'echo $$'`
	# the -t option actually speeds up typing response via VNC!!
	if [ "X$ssh_port" = "X22" ]; then
		ssh_port=""
	else
		ssh_port="-p $ssh_port"
	fi
	if [ "X$SS_VNCVIEWER_SSH_ONLY" != "X" ]; then
		echo "$ssh -x $ssh_port $targ $C $ssh_args $ssh_host \"$info\""
		echo ""
		$ssh -x $ssh_port $targ $C $ssh_args $ssh_host "$ssh_cmd"
		exit $?
	elif [ "X$SS_VNCVIEWER_NO_F" != "X" ]; then
		echo "$ssh -x $ssh_port $targ $C $ssh_redir $ssh_args $ssh_host \"$info\""
		echo ""
		$ssh -x $ssh_port $targ $C $ssh_redir $ssh_args $ssh_host "$ssh_cmd"
		rc=$?
	elif [ "X$getport" != "X" ]; then
		tport=/tmp/tport${RANDOM}.$$
		mytmp $tport
		if [ "X$rsh" != "X1" ]; then
			if echo "$ssh_cmd" | grep -w sudo > /dev/null; then
				echo ""
				echo "Initial ssh with 'sudo id' to prime sudo so hopefully the next one"
				echo "will require no password..."
				echo ""
				targ="-t"
				$ssh -x $ssh_port $targ $ssh_args $ssh_host "sudo id; tty"
				echo ""
			fi
			echo "$ssh -x -f $ssh_port $targ $C $ssh_redir $ssh_args $ssh_host \"$info\""
			echo ""
			$ssh -x -f $ssh_port $targ $C $ssh_redir $ssh_args $ssh_host "$ssh_cmd" > $tport
			rc=$?
			if [ "X$teeport" = "X1" ]; then
				tail -f $tport 1>&2 &
				tail_pid=$!
			fi
		else
			rsh_setup
			echo "rsh $ul $ssh_host \"$ssh_cmd\""
			echo ""
			rsh $ul $ssh_host "$ssh_cmd" > $tport &
			sleep 1
			rc=0
		fi
		if [ "X$SSVNC_EXTRA_SLEEP" != "X" ]; then
			echo "sleep $SSVNC_EXTRA_SLEEP"
			sleep $SSVNC_EXTRA_SLEEP
		fi
		stty sane
		i=0
		if type perl > /dev/null 2>&1; then
			imax=50
			sleepit="perl -e 'select(undef, undef, undef, 0.20)'"
		else
			imax=10
			sleepit="sleep 1"
		fi
		# poll the remote command output for PORT=NNNN or a vncserver(1) style line
		while [ $i -lt $imax ]; do
			#echo $sleepit
			eval $sleepit
			PORT=`grep "^PORT=" $tport | head -n 1 | sed -e 's/PORT=//' -e 's/\r//g'`
			if echo "$PORT" | grep '^[0-9][0-9]*$' > /dev/null; then
				break
			fi
			vnss=`sed -e 's/\r//g' $tport | egrep -i '^(New.* desktop is|A VNC server is already running).*:[0-9][0-9]*$' | head -n 1 | awk '{print $NF}'`
			if [ "X$vnss" != "X" ]; then
				PORT=`echo "$vnss" | awk -F: '{print $2}'`
				if echo "$PORT" | grep '^[0-9][0-9]*$' > /dev/null; then
					if [ $PORT -lt 100 ]; then
						PORT=`expr $PORT + 5900`
					fi
				fi
				if echo "$PORT" | grep '^[0-9][0-9]*$' > /dev/null; then
					break
				fi
			fi
			i=`expr $i + 1`
		done
		echo "PORT=$PORT" 1>&2
		rm -f $tport
		if [ "X$rsh" = "X1" ]; then
			rsh_viewer "$@"
			exit $?
		fi
		# reach the discovered port through the SOCKS proxy that ssh -D provides
		PPROXY_SOCKS=1
		if [ "X$SSVNC_SOCKS5" != "X" ]; then
			PPROXY_SOCKS=5
		fi
		export PPROXY_SOCKS
		host="localhost"
		port="$PORT"
		proxy="localhost:$use"
	else
		if [ "X$rsh" != "X1" ]; then
			echo "$ssh -x -f $ssh_port $targ $C $ssh_redir $ssh_args $ssh_host \"$info\""
			echo ""
			$ssh -x -f $ssh_port $targ $C $ssh_redir $ssh_args $ssh_host "$ssh_cmd"
			rc=$?
		else
			rsh_setup
			echo "rsh $ul $ssh_host \"$ssh_cmd\""
			echo ""
			rsh $ul $ssh_host "$ssh_cmd" &
			sleep 1
			PORT=$port
			rsh_viewer "$@"
			exit $?
		fi
	fi
	if [ "$rc" != "0" ]; then
		echo ""
		echo "ssh to $ssh_host failed."
		exit 1
	fi
	stty sane

	# find the pid of the backgrounded ssh (forked shortly after $pmark)
	c=0
	pssh=""
	while [ $c -lt 30 ]
	do
		p=`expr $pmark + $c`
		if ps -p "$p" 2>&1 | grep "$ssh" > /dev/null; then
			pssh=$p
			break
		fi
		c=`expr $c + 1`
	done
	if [ "X$getport" != "X" ]; then
		:
	elif [ "X$ssh_cmd" = "Xsleep $ssh_sleep" ] ; then
		#echo T sleep 1
		sleep 1
	elif echo "$ssh_cmd" | grep '^sleep ' >/dev/null; then
		#echo T sleep 2
		sleep 2
	else
		# let any command get started a bit.
		#echo T sleep 5
		sleep 5
	fi
	echo ""
	#reset
	stty sane
	if [ "X$SSVNC_EXTRA_SLEEP" != "X" ]; then
		echo "sleep $SSVNC_EXTRA_SLEEP"
		sleep $SSVNC_EXTRA_SLEEP
	fi
	#echo "pssh=\"$pssh\""

	if [ "X$use_sshssl" = "X" -a "X$getport" = "X" ]; then
		echo "Running viewer:"
		trap "final" 0 2 15
		if [ "X$reverse" = "X" ]; then
			echo "$VNCVIEWERCMD" "$@" localhost:$N
			echo ""
			$VNCVIEWERCMD "$@" localhost:$N
			rc=$?
			if [ $rc != 0 ]; then
				echo "vncviewer command failed: $rc"
				if [ "X$secondtry" = "X1" ]; then
					sleep 2
					$VNCVIEWERCMD "$@" localhost:$N
				fi
			fi
		else
			echo ""
			echo "NOTE: Press Ctrl-C to terminate viewer LISTEN mode."
			echo ""
			echo "$VNCVIEWERCMD" "$@" -listen $N
			echo ""
			$VNCVIEWERCMD "$@" -listen $N
		fi
		exit $?
	else
		# SSH + SSL: the local end of the ssh tunnel is now what stunnel connects to
		use2=`findfree 5960`
		host0=$host
		port0=$port
		host=localhost
		port=$use
		use=$use2
		N=`expr $use - 5900`
		if [ "X$getport" != "X" ]; then
			host="$host0"
			port="$port0"
		else
			proxy=""
		fi
	fi
fi

# create the stunnel config file:
if [ "X$verify" != "X" ]; then
	if [ -d $verify ]; then
		verify="CApath = $verify"
	else
		verify="CAfile = $verify"
	fi
	# verify = 2 makes stunnel require and check the server certificate
	verify="$verify
verify = 2"
fi
if [ "X$mycert" != "X" ]; then
	cert="cert = $mycert"
fi

ptmp=""
if [ "X$proxy" != "X" ]; then
	ptmp="/tmp/ss_vncviewer${RANDOM}.$$.pl"
	mytmp "$ptmp"
	PPROXY_REMOVE=1; export PPROXY_REMOVE
	pcode "$ptmp"
	if [ "X$showcert" != "X1" -a "X$direct_connect" = "X" ]; then
		if uname | egrep 'Darwin|SunOS' >/dev/null; then
			# on mac we need to listen on socket instead of stdio:
			nd=`findfree 6700`
			PPROXY_LISTEN=$nd
			export PPROXY_LISTEN
			if [ "X$reverse" = "X" ]; then
				#$ptmp 2>/dev/null &
				$ptmp &
			fi
			#sleep 3
			sleep 2
			host="localhost"
			port="$nd"
			connect="connect = localhost:$nd"
		else
			# otherwise on unix we can exec it:
			connect="exec = $ptmp"
		fi
	else
		connect="exec = $ptmp"
	fi
else
	connect="connect = $host:$port"
fi

if [ "X$showcert" = "X1" ]; then
	if [ "X$proxy" != "X" ]; then
		PPROXY_LISTEN=$use
		export PPROXY_LISTEN
		$ptmp 2>/dev/null &
		sleep 1
		host="localhost"
		port="$use"
	fi
	openssl s_client -connect $host:$port 2>&1 < /dev/null
	exit $?
fi

if [ "X$direct_connect" != "X" ]; then
	if [ "X$getport" = "X" ]; then
		echo ""
		echo "Running viewer for direct connection:"
		echo ""
		echo "** NOTE: THERE WILL BE NO SSL OR SSH ENCRYPTION **"
		echo ""
	fi
	x=""
	if [ "X$SSVNC_NO_ENC_WARN" != "X" ]; then
		if [ "X$getport" = "X" ]; then
			sleep 1
		fi
	elif type printf > /dev/null 2>&1; then
		printf "Are you sure you want to continue? [y]/n "
		read x
	else
		echo -n "Are you sure you want to continue? [y]/n "
		read x
	fi
	if [ "X$x" = "Xn" ]; then
		exit 1
	fi
	echo ""
	if [ "X$ptmp" != "X" ]; then
		PPROXY_LISTEN=$use
		export PPROXY_LISTEN
		$ptmp &
		if [ "X$reverse" = "X" ]; then
			#sleep 2
			#echo T sleep 1
			sleep 1
		fi
		host="localhost"
		disp="$N"
	fi
	if [ "X$SSVNC_EXTRA_SLEEP" != "X" ]; then
		echo "T sleep $SSVNC_EXTRA_SLEEP"
		sleep $SSVNC_EXTRA_SLEEP
	fi
	if [ "X$reverse" = "X" ]; then
		echo "$VNCVIEWERCMD" "$@" $host:$disp
		trap "final" 0 2 15
		echo ""
		$VNCVIEWERCMD "$@" $host:$disp
		rc=$?
		if [ $rc != 0 ]; then
			echo "vncviewer command failed: $rc"
			if [ "X$secondtry" = "X1" ]; then
				sleep 2
				$VNCVIEWERCMD "$@" $host:$disp
			fi
		fi
	else
		echo ""
		echo "NOTE: Press Ctrl-C to terminate viewer LISTEN mode."
		echo ""
		echo "$VNCVIEWERCMD" "$@" -listen $disp
		trap "final" 0 2 15
		echo ""
		$VNCVIEWERCMD "$@" -listen $disp
	fi
	exit $?
fi

tmp=/tmp/ss_vncviewer${RANDOM}.$$
mytmp "$tmp"

make_tcert() {
	tcert="/tmp/tcert${RANDOM}.$$"
	cat > $tcert < /dev/null; then
	if [ "X$cert" = "X" ]; then
		ttcert=`make_tcert`
		cert="cert = $ttcert"
	fi
fi

cat > "$tmp" < "$tmp" < /dev/null 2>&1
$STUNNEL "$tmp" < /dev/tty > /dev/tty &
stunnel_pid=$!
echo ""

# pause here to let the user supply a possible passphrase for the
# mycert key:
if [ "X$mycert" != "X" ]; then
	sleep 1
	echo ""
	echo "(pausing for possible certificate passphrase dialog)"
	echo ""
	sleep 4
fi
#echo T sleep 1
sleep 1
rm -f "$tmp"
echo ""
if [ "X$SSVNC_EXTRA_SLEEP" != "X" ]; then
	echo "sleep $SSVNC_EXTRA_SLEEP"
	sleep $SSVNC_EXTRA_SLEEP
fi

echo "Running viewer:"
if [ "X$reverse" = "X" ]; then
	echo "$VNCVIEWERCMD" "$@" localhost:$N
	trap "final" 0 2 15
	echo ""
	$VNCVIEWERCMD "$@" localhost:$N
	rc=$?
	if [ $rc != 0 ]; then
		echo "vncviewer command failed: $rc"
		if [ "X$secondtry" = "X1" ]; then
			sleep 2
			$VNCVIEWERCMD "$@" localhost:$N
		fi
	fi
else
	echo ""
	echo "NOTE: Press Ctrl-C to terminate viewer LISTEN mode."
	echo ""
	echo "$VNCVIEWERCMD" "$@" -listen $N
	trap "final" 0 2 15
	echo ""
	if [ "X$proxy" != "X" ]; then
		# reverse connection: the helper connects back out to the listening viewer
		PPROXY_REVERSE="localhost:$port"; export PPROXY_REVERSE
		PPROXY_SLEEP=1; export PPROXY_SLEEP;
		PPROXY_KILLPID=+1; export PPROXY_KILLPID;
		$ptmp &
	fi
	$VNCVIEWERCMD "$@" -listen $N
fi
sleep 1

bin/util/ssvnc.tcl

#!/bin/sh
# the next line restarts using wish \
exec wish "$0" "$@"

#
# Copyright (c) 2006-2007 by Karl J. Runge
#
# ssvnc.tcl: gui wrapper to the programs in this
# package.  Also sets up service port forwarding.
#
set version 1.0.20

set buck_zero $argv0

proc center_win {w} {
	global is_windows
	update
	set W [winfo screenwidth $w]
	set W [expr $W + 1]
	wm geometry $w +$W+0
	update
	set x [expr [winfo screenwidth $w]/2 - [winfo width $w]/2]
	set y [expr [winfo screenheight $w]/2 - [winfo height $w]/2]

	if {$is_windows} {
		set y [expr "$y - 30"]
		if {$y <= 0} {
			set y 1
		}
	}
	wm geometry $w +$x+$y
	wm deiconify $w
	update
}

proc mac_raise {} {
	global uname
	if {$uname == "Darwin"} {
		catch {exec /bin/sh -c {osascript -e 'tell application "Wish Shell" to activate' >/dev/null 2>&1 &}}
		after 150
		update
		update idletasks
	}
}

proc toplev {w} {
	catch {destroy $w}
	toplevel $w
	catch {wm withdraw $w}
}

proc apply_bg {w} {
	global is_windows system_button_face
	if {$is_windows && $system_button_face != ""} {
		catch {$w configure -bg "$system_button_face"}
	}
}

proc scroll_text {fr {w 80} {h 35}} {
	global help_font is_windows scroll_text_focus

	catch {destroy $fr}

	frame $fr -bd 0

	eval text $fr.t -width $w -height $h $help_font \
		-setgrid 1 -bd 2 -yscrollcommand {"$fr.y set"} -relief ridge

	apply_bg $fr.t

	scrollbar $fr.y -orient v -relief sunken -command "$fr.t yview"
	pack $fr.y -side right -fill y
	pack $fr.t -side top -fill both -expand 1

	if {$scroll_text_focus} {
		focus $fr.t
	}
}

proc scroll_text_dismiss {fr {w 80} {h 35}} {
	global help_font

	scroll_text $fr $w $h

	set up $fr
	regsub {\.[^.]*$} $up "" up

	button $up.d -text "Dismiss" -command "destroy $up"
	bind $up <Escape> "destroy $up"
	pack $up.d -side bottom -fill x
	pack $fr -side top -fill both -expand 1
}

proc jiggle_text {w} {
	global uname
	if {$uname == "Darwin"} {
		$w yview scroll 1 pages
		update idletasks
		$w yview scroll -1 pages
		update idletasks
	}
}

proc ts_help {} {
	toplev .h

	scroll_text_dismiss .h.f

	center_win .h
	wm title .h "Terminal Services VNC Viewer Help"

	set msg {
 Terminal Services:

    The Terminal Services VNC Viewer uses SSH to establish an encrypted
    and authenticated connection to the remote server.

    Through the SSH channel, it automatically starts x11vnc in terminal
    services mode on the remote server to find or create your desktop
    session.  x11vnc is used for both the session management and the
    VNC transport.

    You MUST be able to log in via SSH to the remote terminal server.
    Ask your administrator to set this up for you if it isn't already.
    x11vnc must also be installed on the remote server machine.
    See "Requirements" below.

    This mode is started by the commands 'tsvnc' or 'ssvnc -ts' or
    toggled by pressing Ctrl-t.  "SSVNC Mode" under Options -> Advanced
    will also return to the full SSVNC.

    Or in your ~/.ssvncrc (or ~/ssvnc_rc on Windows) put "mode=tsvnc"
    to have the tool always start up in that mode.

    To constrain the UI, run with -tso or SSVNC_TS_ALWAYS set to prevent
    leaving the Terminal Services mode.


 Hosts and Displays:

    Enter the remote VNC Terminal Services hostname in the
    'VNC Terminal Server' entry.

    Examples:

           24.67.132.27
           far-away.east
           fred@someplace.no

    Then click on "Connect".

    Once the SSH is running (you may need to type a password in the
    terminal window that pops up), the TightVNC Viewer (Or Chicken-of-the-VNC
    on Mac OS X) will be automatically started directed to the local
    port of the SSH tunnel which, in turn, encrypts and redirects the
    connection to the remote VNC server.

    x11vnc is run remotely to find or create your terminal services
    desktop session.
    Enter "user@hostname.com" in 'VNC Terminal Server' if the remote
    username is different from yours on this machine.  On Windows you
    *MUST* supply the remote username.

    This entry is passed to SSH; it could also be an SSH alias you have
    created (in ~/.ssh/config).

    If the remote SSH server is run on a non-standard port, e.g. 2222,
    use something like this:

           far-away.east:2222
           fred@someplace.no:2222

    (unlike SSVNC mode, the number is the SSH port, not the VNC display)


 Proxies/Gateways:

    Proxy/Gateway is usually a gateway machine to log into via SSH that
    is not the machine running the VNC terminal services.  However, Web
    and SOCKS proxies can also be used (see below).

    For example if a company had a central login server: "ssh.company.com"
    (accessible from the internet) and the internal server name was
    "ts-server", one could put in

           VNC Terminal Server:   ts-server
           Proxy/Gateway:         ssh.company.com

    It is OK if the hostname "ts-server" only resolves inside the firewall.

    The 2nd host, ts-server in this example, MUST also be running an SSH
    server and you must be able to log into it.  You may need to supply
    a 2nd password to it to login.

    Use username@host (e.g. joe@ts-server or jsmith@ssh.company.com)
    if the user name differs between machines.

    To use a non-standard ssh port (i.e. a port other than 22) in
    Proxy/Gateways use something like this for port 2222:

           VNC Terminal Server:   ts-server
           Proxy/Gateway:         jsmith@ssh.company.com:2222

    The username@ is not needed if it is the same as on this machine.

    A Web or SOCKS proxy can also be used.  Use this if you are inside
    a firewall that prohibits direct connections to remote SSH servers.

           VNC Terminal Server:   fred@someplace.no
           Proxy/Gateway:         http://myproxy.west:8080

    or for SOCKS:

           VNC Terminal Server:   fred@someplace.no
           Proxy/Gateway:         socks://mysocks.west:1080

    use socks5://... to force the SOCKS5 version.

    For a non-standard port the above would be, e.g., fred@someplace.no:2222

    One can also chain proxies and other things.  See the section
    "SSH Proxies/Gateways" in the Main SSVNC Help for full details.


 Options:

    Click on Options to get to dialog boxes to:

           - Desktop Type (kde, gnome, failsafe, twm...)
           - Desktop Size (Geometry WxH and pixel depth)
           - X Server Type (Xvfb, Xdummy, Xvnc)
           - Enable Printing (CUPS and/or SMB/Windows)
           - Enable Sound (TBD, ESD partially working)
           - File Transfer (Ultra or TightVNC filexfer)
           - View Only (View only client)
           - Change VNC Viewer (Realvnc, ultra, etc...)
           - X11 viewer MacOSX (use bundled X11 vncviewer)
           - Delete Profile... (Delete a saved profile)
           - Advanced Options:
             - VNC Shared (optional traditional VNC sharing)
             - Multiple Sessions (more than 1 session per server)
             - X Login (Connect to Login/Greeter Display)
             - Other VNC Server (redirect to 3rd party VNC Server)
             - Use unixpw (optional x11vnc login mode)
             - Client 8bit Color (VNC Viewer requests low color mode)
             - Client-Side Caching (experimental x11vnc speedup)
             - X11VNC Options (set any extra x11vnc options)
             - SSVNC Mode (Return to full SSVNC mode)


 Profiles:

    Use "Save" to save a profile (i.e. a host:display and its specific
    settings) with a name.  The "TS-" prefix will be suggested to help
    you distinguish between Terminal Services and regular profiles.

    To load in a saved Options profile, click on the "Load" button,
    and choose which one you want.

    To list your profiles from the command line use:

           tsvnc -profiles     (or -list)

    To launch profile1 directly from the command-line, or to a server
    use things like:

           tsvnc profile1
           tsvnc hostname
           tsvnc user@hostname


 Requirements:

    When running this application on Unix/MacOSX the ssh(1) program must
    be installed locally.  On Windows a plink/putty binary is included.

    On the remote VNC Terminal Services host, x11vnc must be installed
    (0.9.3 or higher), and at least one virtual X server: Xvfb, Xdummy,
    or Xvnc must be available.  Xvfb is the most often used one.

    All of these programs must be available in $PATH on the remote server
    when logged in via SSH.

    The VNC terminal services administrator can make "x11vnc" be a
    wrapper script that sets everything up correctly and then runs the
    real x11vnc.


 Real X servers:

    As a *BONUS*, if on the remote host, say a workstation, you have a
    regular X session running on the physical hardware that you are
    ALREADY logged into you can access that display as well (x11vnc
    will find it).

    So this tool can be used as a simple way to launch x11vnc to find
    your real X display on your workstation and connect to it.

    The Printing and Sound redirection won't work for this mode however.
    You will need to use the full SSVNC application to attempt that.

    If you (mistakenly) have not logged into an X session on the real
    X server on the workstation, a VIRTUAL (Xvfb, etc.) server will be
    created for you (that may or may not be what you want).

    The X Login Advanced setting can be used to connect to a X Display
    Manager Greeter login panel (no one is logged in yet).  This requires
    sudo(1) privileges on the remote machine.


 More Info:

    See these links for more information:

           http://www.karlrunge.com/x11vnc/#tunnelling
}

	global version
	set msg "                             SSVNC version: $version\n$msg"
	.h.f.t insert end $msg
	jiggle_text .h.f.t
}

proc help {} {
	global ts_only
	if {$ts_only} {
		ts_help
		return
	}
	toplev .h

	scroll_text_dismiss .h.f

	center_win .h
	wm title .h "SSL/SSH VNC Viewer Help"

	set msg {
 Hosts and Displays:

    Enter the VNC host and display in the 'VNC Host:Display' entry box.

    It is of the form "host:number", where "host" is the hostname of the
    machine running the VNC Server and "number" is the VNC display number;
    it is often "0".  Some Examples:

           snoopy:0
           far-away.east:0
           sunray-srv1.west:17
           24.67.132.27:0

    Then click on "Connect".  When you do the STUNNEL program will be
    started locally to provide you with an outgoing SSL tunnel.
    Once the STUNNEL is running, the TightVNC Viewer (Or Chicken of the
    VNC on Mac OS X, or one you set under Options) will be automatically
    started directed to the local port of the SSL tunnel which, in turn,
    encrypts and redirects the connection to the remote VNC server.

    The remote VNC server MUST support an initial SSL handshake before
    using the VNC protocol (i.e. VNC is tunnelled through the SSL channel
    after it is established).  "x11vnc -ssl ..." does this, and any VNC
    server can be made to do this by using, e.g., STUNNEL on the remote
    side.  Automatic SSH tunnels are described below.

    See tip 5) below for how to disable encryption.


 Port numbers:

    If you are using a port less than the default VNC port 5900 (usually
    the VNC display = port - 5900), use the full port number itself, e.g.:

           24.67.132.27:443

    Note, however, if the number n after the colon is < 200, then a
    port number 5900 + n is assumed; i.e. n is the VNC display number.
    If you must use a TCP port less than 200, specify a negative value,
    e.g.:

           24.67.132.27:-80


 SSL Certificate Verification:

    *IMPORTANT*: If you do not take the steps to VERIFY the VNC Server's
    SSL Certificate, you are theoretically vulnerable to a Man-In-The-Middle
    attack.  Without SSL Certificate verification, only passive network
    sniffing attacks will be guaranteed to be prevented.

    You can use the "Fetch Cert" button to retrieve the Cert and then
    after you check it is OK (say, via comparing the MD5 or other info)
    you can "Save" it and use it to verify future connections to servers.

    When "Verify All Certs" is checked, this check is always enforced,
    and so the first time you connect to a new server you may need to
    follow a few dialogs to inspect and save the server certificate.
    See the "Certs... -> Help" for information on how to manage certificates.

    "Verify All Certs" is on by default.

    However, "Fetch Cert" and "Verify All Certs" are currently disabled
    in the rare "SSH + SSL" usage mode (e.g. SSH is used to enter a
    firewall gateway, and then SSL is tunneled through that to reach
    the workstation).


 Windows STUNNEL:

    Note that on Windows when the Viewer connection is finished you
    will be prompted if you want SSVNC to try to kill the STUNNEL process
    for you.  Usually you will say Yes, however if there are problems
    connecting you may want to look at the STUNNEL Log first.

    Double clicking the STUNNEL tray icon (dark green) will show you its
    Log file (useful for debugging connections).

    SSVNC will kill the STUNNEL process for you, but you may still need
    to move the mouse over the icon to make it go away.  In some cases
    you may need to terminate STUNNEL manually from the System Tray
    (right click on dark green icon) and selecting "Exit".


 VNC Password:

    On Unix or MacOSX if there is a VNC password for the server you can
    enter it in the "VNC Password:" entry box.  This is *REQUIRED* on
    MacOSX when Chicken of the VNC is used.  On Unix if you choose not
    to enter the password you will be prompted for it in the terminal
    window running TightVNC viewer if one is required.  On Windows
    TightVNC viewer should prompt you when a password is required.

    NOTE: when you Save a VNC profile, the password is NOT saved (you
    need to enter it each time).


 SSH:

    Click on "Use SSH" if you want to use an *SSH* tunnel instead of SSL
    (then the VNC Server does not need to speak SSL or use STUNNEL).
    You will need to be able to login to your account on the remote
    host via SSH (e.g. via password or ssh-agent).

    Specify the SSH hostname and VNC display in the VNC Host:Display
    entry.  Use something like:

           username@far-away.east:0

    if your remote username is different from the one on the local
    viewer machine.  On Windows you MUST supply the "username@" part.

    "SSH + SSL" is similar but its use is more rare because it requires
    2 encrypted tunnels to reach the VNC server.  See the Help under
    Options for more info.

    To connect to a non-standard SSH port, see SSH Proxies/Gateways below.

    See Tip 13) below for how to make this application be SSH-only with
    the -ssh command line option or "sshvnc".


 Remote SSH Command:

    In SSH or SSH + SSL mode you can also specify a remote command to run
    on the remote ssh host in the "Remote SSH Command" entry.  The default
    is just to sleep a bit (e.g. sleep 30) to make sure the port tunnels
    are established.  Alternatively you could have the remote command
    start the VNC server, e.g.

           x11vnc -display :0 -rfbport 5900 -localhost -nopw

    When starting the VNC server this way, note that sometimes you will
    need to correlate the VNC Display number with the "-rfbport" (or
    similar) option of the server.  E.g.:

           VNC Host:Display       username@somehost.com:2
           Remote SSH Command:    x11vnc -find -rfbport 5902 -nopw

    See Tip 11) below for using the x11vnc PORT=NNNN feature (or
    vncserver(1) output) to not need to specify the VNC display number
    or the x11vnc -rfbport option.


 Profiles:

    Use "Save" to save a profile (i.e. a host:display and its specific
    settings) with a name.

    To load in a saved Options profile, click on the "Load" button.

    To list your profiles from the command line use:

           ssvnc -profiles     (or -list)

    You can launch ssvnc and have it immediately connect to the server
    by invoking it something like this:

           ssvnc profile1                  (launches profile named "profile1")
           ssvnc hostname:0                (connect to hostname VNC disp 0 via SSL)
           ssvnc vnc+ssl://hostname:0      (same)
           ssvnc vnc+ssh://hostname:0      (connect to hostname VNC disp 0 via SSH)

    see the Tips 5 and 9 below for more about the URL-like syntax.


 Proxies/Gateways:

    If an intermediate proxy is needed to make the SSL connection
    (e.g. web gateway out of a firewall) enter it in the "Proxy/Gateway"
    entry box:

           VNC Host-Display:   host:number
           Proxy/Gateway:      proxy-host:port
    e.g.:
           VNC Host-Display:   far-away.east:0
           Proxy/Gateway:      myproxy.west:8080

    If the "double proxy" case is required (e.g. coming out of a web
    proxied firewall environment and then INTO a 2nd proxy to ultimately
    reach the VNC server), separate them via a comma, e.g.:

           VNC Host-Display:   far-away:0
           Proxy/Gateway:      myproxy.west:8080,myhome.net:443

    So it goes: viewer -> myproxy.west -> myhome.net -> far-away (VNC)

    The proxies are assumed to be Web proxies.  To use SOCKS proxies:

           VNC Host-Display:   far-away.east:0
           Proxy/Gateway:      socks://mysocks.west:1080

    Use socks5:// to force the SOCKS5 proxy protocol (e.g. for ssh -D).
    You can prefix web proxies with http:// but it doesn't matter since
    that is the default.

    Note that Web proxies are often configured to ONLY allow outgoing
    connections to ports 443 (HTTPS) and 563 (SNEWS), so you might have
    to run the VNC server (or router port redirector) on those ports.
    SOCKS proxies usually have no restrictions on port number.

    You can chain up to 3 proxies (any combination of http:// and socks://)
    by separating them with commas (i.e. first,second,third).

    See the ss_vncviewer description and x11vnc FAQ for info on proxies:

           http://www.karlrunge.com/x11vnc/#ss_vncviewer
           http://www.karlrunge.com/x11vnc/#faq-ssl-java-viewer-proxy


 SSH Proxies/Gateways:

    Proxy/Gateway also applies to SSH mode; it is usually a gateway SSH
    machine to log into via ssh that is not the workstation running the
    VNC server.  However, Web and SOCKS proxies can also be used (see below).

    For example if a company had a central login server: "ssh.company.com"
    (accessible from the internet) and the internal workstation name was
    "joes-pc", one could put in for the

           VNC Host:Display:   joes-pc:0
           Proxy/Gateway:      ssh.company.com

    It is OK if the hostname "joes-pc" only resolves inside the firewall.

    The 2nd leg, from ssh.company.com -> joes-pc is done by a ssh -L
    redir and is not encrypted (but viewer -> ssh.company.com is encrypted).
To SSH encrypt BOTH legs, try the "double SSH gateway" method using the "comma" notation: VNC Host:Display: localhost:0 Proxy/Gateway: ssh.company.com,joes-pc this requires an SSH server running on joes-pc. So an initial SSH login is done to ssh.company.com, then a 2nd SSH is performed (through port a redirection of the first) to login straight to joes-pc where the VNC server is running. Use username@host (e.g. joe@joes-pc jsmith@ssh.company.com) if the user names differ between the various machines. On Windows you MUST supply the usernames. To use a non-standard ssh port (i.e. a port other than 22) you need to use the Proxy/Gateways as well. E.g. something like this for port 2222: VNC Host:Display: localhost:0 Proxy/Gateway: joe@far-away.east:2222 The username@ is not needed if it is the same as on the client. This will also work going to a different internal machine, e.g. "joes-pc:0" instead of "localhost:0", as in the first example. A Web or SOCKS proxy can also be used with SSH. Use this if you are inside a firewall that prohibits direct connections to remote SSH servers. VNC Host:Display: joe@far-away.east:0 Proxy/Gateway: http://myproxy.west:8080 or for SOCKS: VNC Host:Display: joe@far-away.east:0 Proxy/Gateway: socks://mysocks.west:1080 use socks5://... to force the SOCKS5 version. You can chain up to 3 proxies (any combination of http:// and socks://) by separating them with commas (i.e. first,second,third). For a non-standard SSH port and a Web or SOCKS proxy try: VNC Host:Display: localhost:0 Proxy/Gateway: http://myproxy.west:8080,joe@far-away.east:2222 Even the "double SSH gateway" method (2 SSH encrypted legs) described above works with an initial Web or SOCKS proxy, e.g.: VNC Host:Display: localhost:0 Proxy/Gateway: http://mysocks.west:1080,ssh.company.com,joes-pc UltraVNC Proxies/Gateways: UltraVNC has a "repeater" tool (http://www.uvnc.com/addons/repeater.html and http://koti.mbnet.fi/jtko/) that acts as an VNC proxy. 
SSVNC can work with both mode I and mode II schemes of this repeater.

Note: only SSL (or unencrypted) SSVNC connections make sense with the
UltraVNC repeater. SSH connections (previous section) do not seem to
(let us know if you find a way to use it).

For mode I repeater the viewer initiates the connection and passes a
string that is the internal VNC server's IP address (or hostname) and
port or display:

    VNC Host:Display:   :0
    Proxy/Gateway:      repeater://myproxy.west:5900+joes-pc:1

Note here that the VNC Host:Display can be anything; we use :0.

The Proxy/Gateway format is repeater://proxy:port+vncserver:display.
The string after the "+" sign is passed to the repeater server for it
to interpret. For this example, instead of joes-pc:1 it could be
joes-pc:5901 or 192.168.1.4:1, 192.168.1.4:5901, etc.

If you do not supply a proxy port, then the default 5900 is assumed,
e.g. repeater://myproxy.west+joes-pc:1

For mode II repeater both the VNC viewer and VNC server initiate
connections to the repeater proxy. In this case they pass a string that
identifies their mutual connection via "ID:NNNN":

    VNC Host:Display:   :0
    Proxy/Gateway:      repeater://myproxy.west:5900+ID:1234

again, the default proxy port is 5900 if not supplied.

In this case, mode II, you MUST set Options -> Reverse VNC Connection.
That is to say a "Listening Connection". The reason for this is that
the VNC server acts as a SSL *client* and so requires the Viewer end
to have an SSL cert, etc. Set REPEATER_FORCE=1 in the Host:Display
(hit Enter, and then clear it) to force SSVNC to try a forward
connection in this situation.

We have also found that usually the Listening viewer must be started
BEFORE the VNC Server connects to the proxy. This is a likely bug in
the repeater tool.

For mode II, you probably should also disable "Verify All Certs"
unless you have taken the steps beforehand to save the VNC server's
certificate, or have previously accepted it using another method.
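The Proxy/Gateway notation used in the last three sections (comma-separated chain of up to 3 legs, http://, socks://, socks5://, repeater://proxy:port+target, and bare [user@]host:port gateways) is small enough to parse by hand. The following is an added example, not SSVNC's own parser, that classifies each leg and applies the defaults the text states (22 for an SSH gateway, 5900 for the repeater); the "ssl"/"ssh" mode argument and the `TYPE HOST PORT [TARGET]` output format are this example's own conventions.

```shell
#!/bin/sh
# Added example (not ssvnc's own code): classify each leg of a
# "Proxy/Gateway" entry written in the notation described above:
#   http://host:port, socks://host:port, socks5://host:port,
#   repeater://proxy[:port]+target, [user@]host[:port] (ssh gateway)
# Defaults follow the text: ssh gateways 22, repeater 5900; web and
# SOCKS proxies must carry an explicit port.
#
# parse_proxy_chain ssl|ssh CHAIN
#   In "ssl" mode an unprefixed leg is a web proxy, in "ssh" mode it is
#   an SSH gateway. At most 3 legs, comma separated, first to last.
# Prints "TYPE HOST PORT [TARGET]" per leg; returns 1 on a bad chain.
parse_proxy_chain() {
    pc_mode=$1
    pc_chain=$2
    pc_ifs=$IFS
    IFS=,
    set -- $pc_chain
    IFS=$pc_ifs
    if [ $# -lt 1 ] || [ $# -gt 3 ]; then
        echo "error: need 1 to 3 comma-separated proxies" >&2
        return 1
    fi
    for pc_leg in "$@"; do
        pc_target=
        case $pc_leg in
            http://*)   pc_type=http;   pc_leg=${pc_leg#http://} ;;
            socks5://*) pc_type=socks5; pc_leg=${pc_leg#socks5://} ;;
            socks://*)  pc_type=socks;  pc_leg=${pc_leg#socks://} ;;
            repeater://*)
                pc_type=repeater
                pc_leg=${pc_leg#repeater://}
                # everything after "+" is handed to the repeater as-is
                # (mode I "vncserver:display" or mode II "ID:NNNN")
                case $pc_leg in
                    *+*) pc_target=${pc_leg#*+}; pc_leg=${pc_leg%%+*} ;;
                    *)   echo "error: repeater:// needs '+target'" >&2; return 1 ;;
                esac ;;
            *)  if [ "$pc_mode" = ssh ]; then pc_type=ssh; else pc_type=http; fi ;;
        esac
        case $pc_leg in
            *:*) pc_host=${pc_leg%:*}; pc_port=${pc_leg##*:} ;;
            *)   pc_host=$pc_leg;      pc_port= ;;
        esac
        if [ -z "$pc_host" ]; then
            echo "error: empty proxy host in '$pc_chain'" >&2
            return 1
        fi
        if [ -z "$pc_port" ]; then
            case $pc_type in
                ssh)      pc_port=22 ;;
                repeater) pc_port=5900 ;;
                *)  echo "error: $pc_type proxy '$pc_host' needs a port" >&2
                    return 1 ;;
            esac
        fi
        printf '%s %s %s%s\n' "$pc_type" "$pc_host" "$pc_port" "${pc_target:+ $pc_target}"
    done
}

# The entries used as examples in the text above:
parse_proxy_chain ssl "myproxy.west:8080,myhome.net:443"
parse_proxy_chain ssh "http://myproxy.west:8080,joe@far-away.east:2222"
parse_proxy_chain ssl "repeater://myproxy.west+joes-pc:1"
```

Note that the same unprefixed leg means different things in the two modes: `myhome.net:443` is a web proxy when SSL is selected but an SSH gateway on port 443 when SSH is selected, which is exactly why the text needs the http:// and socks:// prefixes once SSH mode and proxies are mixed.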
Also, after the connection you MUST terminate the listening VNC Viewer
(Ctrl-C) and connect again (the proxy only runs once.) In Windows, go
to the System Tray and terminate the Listening VNC Viewer.

BTW, the x11vnc VNC server command for the mode II case would be
something like:

    x11vnc -ssl SAVE -connect repeater=ID:1234+myproxy.west:5500 ...

It also supports -connect repeater://myproxy.west:5500+ID:1234 notation.
For mode I operation x11vnc simply runs as a normal SSL/VNC server

    x11vnc -ssl SAVE


SSL Certificates:

If you want to use a SSL Certificate (PEM) file to authenticate
yourself to the VNC server ("MyCert") or to verify the identity of the
VNC Server ("ServerCert" or "CertsDir") select the certificate file by
clicking the "Certs ..." button before connecting.

Certificate verification is needed to prevent Man-In-The-Middle
attacks; if it is not done then only passive network sniffing attacks
are prevented. See the x11vnc documentation:

    http://www.karlrunge.com/x11vnc/ssl.html

for how to create and use PEM SSL certificate files. An easy way is:

    x11vnc -ssl SAVE ...

where it will print out its automatically generated certificate to the
screen and that can be safely copied to the viewer side.

You can also use the "Create Certificate" feature of this program under
"Certs ...". Just click on it and follow the instructions in the
dialog. Then copy the cert file to the VNC Server and specify the other
one in the "Certs ..." dialog.

Alternatively you can use the "Import Certificate" action to paste in
a certificate or read one in from a file. Or you can use the "Fetch
Cert" button on the main panel.

If "Verify All Certs" is checked, you will be forced to check Certs of
any new servers the first time you connect.
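What "Fetch Cert", the out-of-band check and "Verify All Certs" amount to can be done by hand with the openssl command line. The block below is an added example, not SSVNC's or x11vnc's own code: it fetches a server certificate over SSL, fingerprints it, and keeps a directory of accepted certificates that plays the role of SSVNC's 'Accepted Certs' pool. The function names, the `.crt` naming and the use of SHA-256 (the text mentions comparing an MD5 hash; SHA-256 is chosen here as the stronger fingerprint) are this example's own.

```shell
#!/bin/sh
# Added example (not ssvnc's own code): the "Fetch Cert" / verify /
# "Verify All Certs" flow done with the openssl command line.
#   fetch_server_cert  HOST:PORT OUTFILE  grab the VNC server's cert over SSL
#   cert_fingerprint   PEMFILE            SHA-256 fingerprint, colon separated
#   check_server_cert  PEMFILE DIR        0 if its fingerprint is in the pool
#   accept_server_cert PEMFILE DIR        add it to the pool after checking it
# DIR stands in for SSVNC's 'Accepted Certs' directory.

fetch_server_cert() {
    # </dev/null closes the session once the handshake has shown the chain;
    # the first x509 block printed is the server's own certificate.
    openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$2"
}

cert_fingerprint() {
    # openssl prints "SHA256 Fingerprint=AB:CD:..." (lower-case "sha256" in
    # OpenSSL 3); keep only the hex part so callers can compare it directly
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

check_server_cert() {
    csc_fp=$(cert_fingerprint "$1") || return 1
    for csc_f in "$2"/*.crt; do
        [ -f "$csc_f" ] || continue
        if [ "$(cert_fingerprint "$csc_f")" = "$csc_fp" ]; then
            return 0    # already accepted: connect without a dialog
        fi
    done
    return 1            # unknown server: compare the fingerprint out of band first
}

accept_server_cert() {
    mkdir -p "$2"
    # name the pool entry by its fingerprint so duplicates are obvious
    asc_name=$(cert_fingerprint "$1" | tr -d ':' | tr 'A-F' 'a-f')
    cp "$1" "$2/$asc_name.crt"
}

# Usage with a constructed self-signed cert standing in for a VNC server's
# (the paths are placeholders chosen for this example):
#   openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=x11vnc-demo \
#       -keyout /tmp/demo.key -out /tmp/demo.crt
#   check_server_cert /tmp/demo.crt "$HOME/.vnc/certs/accepted" \
#       || echo "new cert: verify its fingerprint against the server's before accepting"
#   accept_server_cert /tmp/demo.crt "$HOME/.vnc/certs/accepted"
# Against a live server: fetch_server_cert far-away.east:5900 /tmp/server.crt
```

The check step is the whole point: a certificate that fetch_server_cert returns has only proven that some endpoint answered, so its fingerprint still has to be compared with the one the server side printed (for x11vnc, `x11vnc -ssl SAVE` prints it) before accept_server_cert is run.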
Note that "Verify All Certs" is on by default so that users who do not
understand the SSL Man-In-The-Middle problem will not be left
completely vulnerable to it (everyone still must make the effort to
verify new certificates by an external method to be completely safe).

To have "Verify All Certs" toggled off at startup, use "ssvnc -nv" or
set SSVNC_NO_VERIFY_ALL=1 before starting. If you do not even want to
see the button, use "ssvnc -nvb" or SSVNC_NO_VERIFY_ALL_BUTTON=1.


More Options:

To set other Options, e.g. for View-Only usage or to limit the number
of colors used, click on the "Options ..." button and read the Help
there.


More Info:

See these links for more information:

    http://www.karlrunge.com/x11vnc/#faq-ssl-tunnel-ext
    http://www.stunnel.org
    http://www.tightvnc.com


Tips and Tricks:

 1) On Unix to get a 2nd GUI (e.g. for a 2nd connection) press Ctrl-N
    on the GUI. If only the xterm window is visible you can press
    Ctrl-N or try Ctrl-LeftButton -> New SSVNC_GUI. On Windows you will
    have to manually Start a new one: Start -> Run ..., etc.

 2) If you use "SHELL" for the "Remote SSH Command" (or in the display
    line: "user@hostname cmd=SHELL") then you get an SSH shell only: no
    VNC viewer will be launched. On Windows "PUTTY" will try to use
    putty.exe (better terminal emulation than plink.exe). A ShortCut
    for this is Ctrl-S as long as user@hostname is present in the
    entry box.

 3) If you use "KNOCK" for the "Remote SSH Command" (or in the display
    line "user@hostname cmd=KNOCK") then only the port-knocking is
    performed. A ShortCut for this is Ctrl-P as long as hostname is
    present in the entry box.

    If it is KNOCKF, i.e. an extra "F", then the port-knocking "FINISH"
    sequence is sent, if any. A ShortCut for this is Shift-Ctrl-P as
    long as hostname is present.

 4) Pressing the "Load" button or pressing Ctrl-L or Clicking the Right
    mouse button on the main GUI will invoke the Load dialog.
 5) If you want to do a Direct VNC connection, WITH **NO** SSL OR SSH
    ENCRYPTION, use the "vnc://" prefix, e.g. vnc://far-away.east:0
    This also works for reverse connections (see below).

    Sorry we do not make this easy to figure out how to do (e.g. a
    button on the main panel), but the goal of SSVNC is secure
    connections! Set the env var SSVNC_NO_ENC_WARN=1 (or use Vnc://)
    to skip the warning prompts.

 6) Reverse VNC connections are possible as well. Go to Options and
    select "Reverse VNC connection". In the 'VNC Host:Display' entry
    box put in the number (e.g. "0" or ":0") that corresponds to the
    Listening display (0 -> port 5500). See the Options Help for more
    info.

 7) On Unix to have SSVNC act as a general STUNNEL redirector (i.e. no
    VNC), put the desired host:port in VNC Host:Display (use a negative
    port value if it is to be less than 200), then go to Options ->
    Advanced -> Change VNC Viewer. Change the "viewer" command to be
    "xmessage OK" or "xmessage <port>" (or sleep) where port is the
    desired local listening port. Then click Connect. If you didn't
    set the local port look for it in the terminal output.

    On Windows set it to "NOTEPAD" or similar; you can't control the
    port though. It is usually 5930, 5931, ... Watch the messages.

 8) On Unix if you are going to an older SSH server (e.g. Solaris 10),
    you will probably need to set the env. var. SS_VNCVIEWER_NO_T=1 to
    disable the ssh "-t" option being used (that can prevent the
    command from being run).

 9) In the VNC Host:Display entry you can also use these "URL-like"
    prefixes:

        vncs://host:0, vncssl://host:0, vnc+ssl://host:0  for SSL
    and
        vncssh://host:0, vnc+ssh://host:0                 for SSH

    There is no need to toggle the SSL/SSH setting. These also work
    from the command line, e.g.:

        ssvnc vnc+ssh://mymachine:10

10) Mobile USB memory stick / flash drive usage: You can unpack ssvnc
    to a flash drive for impromptu usage (e.g. from a friend's
    computer).
    If you create a directory "Home" in the toplevel ssvnc directory,
    then that will be the default location for your VNC profiles and
    certs. So they follow the drive this way. If you run like this:
    "ssvnc ." or "ssvnc.exe ." the "Home" directory will be created
    for you.

    WARNING: if you use ssvnc from an "Internet Cafe", i.e. an
    untrusted computer, an unscrupulous person may be capturing
    keystrokes, etc.!

    You can also set the SSVNC_HOME env. var. to point to any directory
    you want. It can be set after starting ssvnc by putting
    HOME=/path/to/dir in the Host:Display box and clicking "Connect".

    For a Windows BAT file to get the "Home" directory correct
    something like this might be needed:

        cd \ssvnc\Windows
        start \ssvnc\Windows\ssvnc.exe

11) Dynamic VNC Server Port determination and redirection:

    If you are running SSVNC on Unix and are using SSH to start the
    remote VNC server and the VNC server prints out the line
    "PORT=NNNN" to indicate which dynamic port it is using (x11vnc does
    this), then if you prefix the SSH command with "PORT=" SSVNC will
    watch for the PORT=NNNN line and use ssh's built in SOCKS proxy
    (ssh -D ...) to connect to the dynamic VNC server port through the
    SSH tunnel. For example:

        VNC Host:Display     user@somehost.com
        Remote SSH Command:  PORT= x11vnc -find -nopw

    or "PORT= x11vnc -display :0 -localhost", etc. Or use "P= ..."

    There is also code to detect the display of the regular Unix
    vncserver(1). It extracts the display (and hence port) from the
    lines "New 'X' desktop is hostname:4" and also "VNC server is
    already running as :4". So you can use something like:

        PORT= vncserver; sleep 15
    or:
        PORT= vncserver :4; sleep 15

    the latter is preferred because when you reconnect it will find
    the already running one. The former one will keep creating new X
    sessions if called repeatedly.

    On Windows if PORT= is supplied SOCKS proxying is not used, but
    rather a high, random value of the VNC port is chosen (e.g.
    8453) and assumed to be free, and is passed to x11vnc's -rfbport
    option. This only works with x11vnc (not vncserver).

12) You can change the X DISPLAY variable by typing DISPLAY=... into
    VNC Host:Display and hitting Return or clicking Connect. Same for
    HOME=. Setting SLEEP=n increases the amount of time waited before
    starting the viewer. The env. var. SSVNC_EXTRA_SLEEP also does this
    (and also the Sleep: Option setting). On Mac, you can set
    DYLD_LIBRARY_PATH=... too. It should propagate down to the viewer.

13) If you want this application to be SSH only, then supply the
    command line option "-ssh" or set the env. var SSVNC_SSH_ONLY=1.
    Then no GUI elements specific to SSL will appear (the documentation
    will refer to the SSL mode, however). To convert a running app to
    ssh-only select "Mode: SSH-Only" in Options.

    The wrapper scripts "sshvnc" and "sshvnc.bat" will start it up
    automatically this way.

    Or in your ~/.ssvncrc (or ~/ssvnc_rc on Windows) put "mode=sshvnc"
    to have the tool always start up in that mode.

14) For an even simpler "Terminal Services" mode use "tsvnc" or
    "tsvnc.bat" (or "-ts" option). This mode automatically launches
    x11vnc on the remote side to find or create your Desktop session
    (usually the Xvfb X server).

    From a full ssvnc you can press Ctrl-h to go into ssh-only mode and
    Ctrl-t to toggle between "tsvnc" and "ssvnc" modes. The Options
    Mode menu also lets you switch.

    Or in your ~/.ssvncrc (or ~/ssvnc_rc on Windows) put "mode=tsvnc"
    to have the tool always start up in that mode.

15) You can put global options in your ~/.ssvncrc file (ssvnc_rc on
    Windows). Currently they are:

    Put "mode=tsvnc" or "mode=sshvnc" in the ~/.ssvncrc file to have
    the application start up in the given mode.

    desktop_type=wmaker    (e.g.) to switch the default Desktop Type.
    desktop_size=1280x1024 (e.g.) to switch the default Desktop Size.
    desktop_depth=24       (e.g.) to switch the default Desktop Color Depth.
    xserver_type=Xdummy    (e.g.) to switch the default X Server Type.
    (The above 4 settings apply only to the Terminal Services Mode.)

16) On Unix you can make the "Open File" and "Save File" dialogs bigger
    by setting the env. var. SSVNC_BIGGER_DIALOG=1 or supplying the
    -bigger option. If you set it to a Width x Height, e.g.
    SSVNC_BIGGER_DIALOG=500x200, that size will be used.
}
	global version
	set msg " SSVNC version: $version\n$msg"
	.h.f.t insert end $msg
	jiggle_text .h.f.t
}

# Or Alternatively one can supply both hosts separated by
# spaces (with the proxy second) in the VNC Host:Display box:
#
#    VNC Host-Display:   far-away.east:0 theproxy.net:8080
#
# This looks a little strange, but it is actually how SSVNC stores the
# host info internally.

# You can also specify the remote SSH command by putting a string like
#
#    cmd=x11vnc -nopw -display :0 -rfbport 5900 -localhost
#
# (use any command you wish to run) at the END of the VNC Host:Display
# entry. In general, you can cram it all in the VNC Host:Display if
# you like:  host:disp proxy:port cmd=...  (this is the way it is
# stored internally).

proc help_certs {} {
	toplev .ch
	scroll_text_dismiss .ch.f 90 33
	center_win .ch
	wm resizable .ch 1 0
	wm title .ch "SSL Certificates Help"

	set msg {
 Description:

    *IMPORTANT*: Only with SSL Certificate verification (either manually
    or via a Certificate Authority certificate) can Man-In-The-Middle
    attacks be prevented. Otherwise, only passive network sniffing
    attacks are prevented.

    The SSL Certificate files described below may have been created
    externally (e.g. by x11vnc or openssl): you can import them via
    "Import Certificate". OR you can click on "Create Certificate ..."
    to use THIS program to generate a Certificate + Private Key pair
    for you (in this case you will need to distribute one of the
    generated files to the VNC Server).

    Then you associate the Saved cert with the VNC server, see the
    panel entry box description below, and then Connect. You will
    usually want to Save this association in a VNC Server profile for
    the next time you connect.
 Fetch Cert:

    You can also retrieve and view the VNC Server's Cert via the "Fetch
    Cert" button on the main panel. After you check that it is the
    correct Cert (e.g. by comparing MD5 hash or other info), you can
    save it. The file it was saved as will be set as the "ServerCert"
    to verify against for the next connection. To make this
    verification check permanent, you will need to save the profile via
    'Save'.

 Verify All Certs:

    If "Verify All Certs" is checked on the main panel, you are always
    forced to check unrecognized server certs, and so the first time
    you connect to a new server you may need to follow a few dialogs to
    inspect and save the server certificate.

    Under "Verify All Certs", new certificates are saved in the
    'Accepted Certs' directory. When the checkbox is set all host
    profiles with "CertsDir" set to "ACCEPTED_CERTS" (and an empty
    "ServerCert" setting) will be checked against the pool of accepted
    certificates in the 'Accepted Certs' directory.

    Note that we have "Verify All Certs" on by default so that users
    who do not understand the SSL Man-In-The-Middle problem will not be
    left completely vulnerable to it. Everyone still must make the
    effort to verify new certificates by an external method to be
    completely safe.

    To have "Verify All Certs" toggled off at startup, use "ssvnc -nv"
    or set SSVNC_NO_VERIFY_ALL=1 before starting. If you do not even
    want to see the button, use "ssvnc -nvb" or
    SSVNC_NO_VERIFY_ALL_BUTTON=1.

    Note: "Fetch Cert" and "Verify All Certs" do not currently work in
    "SSH + SSL" mode. In this case to have server authentication
    "ServerCert" must be set explicitly to a file (or "CertDir" to a
    directory).

 CA:

    One can make SSL VNC server authentication more "automatic" as it
    is in Web Browsers going to HTTPS sites, by using a Certificate
    Authority (CA) cert (e.g. a professional one like Verisign or
    Thawte, or one your company or organization creates) for the
    "ServerCert".
    This is described in detail here:

        http://www.karlrunge.com/x11vnc/ssl.html

    CA's are not often used, but if the number of VNC Servers scales up
    it can be very convenient because the viewers (i.e. SSVNC) only
    need the CA cert, not all of the Server certs.

    Now what goes into the panel's entry boxes is described.

 Your Certificate + Key:

    You can specify YOUR own SSL certificate (PEM) file in "MyCert" in
    which case it is used to authenticate YOU (the viewer) to the
    remote VNC Server. If this fails the remote VNC Server will drop
    the connection. So the Server could use this method to authenticate
    Viewers instead of the more common practice of using a VNC password
    or x11vnc's -unixpw mode.

 Server Certificates:

    Server certs can be specified in one of two ways:

    - A single certificate (PEM) file for a single server or a single C