-unixpw_system_greeteroption, when used in combined unixpw and XDMCP FINDCREATEDISPLAY mode (for example:
-xdmsvc), enables the user to press Escape to jump directly to the XDM/GDM/KDM login greeter screen. This way the user avoids entering his unix password twice at X session creation time. Also, the unixpw login panel now has a short help displayed if the user presses 'F1'.
-extra_fburoption allows one to fine tune the setting. Additionally, one may also dial down delays: e.g. "
-defer 5" and "
-wait 5" (or to 1 or even 0) or
-allinputto keep up with these VNC clients at the expense of increased system load.
-findauthruns the FINDDISPLAY script that applies heuristics that try to determine the XAUTHORITY file. The use of '
-auth guess' will use the XAUTHORITY that -findauth reveals. This can be handy in with the lastest GDM where the ability to store cookies in ~/.Xauthority has been removed. If x11vnc is running as root (e.g. inetd) and you add
-env FD_XDM=1to the above
-auth guesscommand lines, it will find the correct XAUTHORITY for the given display (this works for XDM/GDM/KDM if the login greeter panel is up or if someone has already logged into an X session.)
-create) now work correctly for the user-supplied login program scheme "
-unixpw_cmd ...", as long as the login program supports running commands specified in the environment variable "
RFB_UNIXPW_CMD_RUN" as the logged-in user. The mode "
-unixpw_nis ..." has also been made more consistent.
stunnelas an external helper program) now works with the
SAVE" and "
TMP" special certificate names. The
-sslCRLoptions now work correctly in
-stunnelmode. Single port HTTPS connections are also supported for this mode.
-id/-sidsingle window sharing:
x11vnc -appshare -help" for more info.) It is still very primitive and approximate, but at least it displays multiple top-level windows.
-Rcan be used to instruct x11vnc to resend its most recent copy of the Clipboard, Primary, or Cutbuffer selections: "
x11vnc -R resend_clipboard", "
x11vnc -R resend_primary", and "
x11vnc -R resend_cutbuffer".
-gui) can now by set via environment variables, e.g.
-env X11VNC_FONT_BOLD='Helvetica -16 bold'and
-env X11VNC_FONT_FIXED='Courier -14'.
-env X11VNC_WATCH_DX_DY=1" that tries to avoid problems with poorly constructed menu themes that place the initial position of the mouse cursor inside a menu item's active zone. More information can be found here.
Here are some features that appeared in the 0.9.8 release (Jul/2009):
-threadsmode. Running x11vnc this way is more reliable now. Threaded operation sometimes gives better interactive response and faster updates: try it out. The threaded mode now supports multiple VNC viewers using the same VNC encoding. The threaded mode can also yield a performance enhancement in the many client case (e.g. class-room broadcast.) We have tested with 30 to 50 simultaneous clients. See also
For simultaneous clients: the ZRLE encoding is thread safe on all platforms,
and the Tight and Zlib encodings are currently only thread safe on
Linux where thread local storage,
__thread, is used.
If your non-Linux system and compiler support
one can supply
-DTLS=__thread to enable it.
When there is only one connected client, all encodings are safe on all platforms.
Note that some features (e.g. scroll detection and
may be disabled or run with reduced functionality in
-repeatif the automatic workaround fails.
-clipmode works under
Here are some features that appeared in the 0.9.7 release (Mar/2009):
/dev/fb. The option to use is, for example, "
-rawfb vt2" for Virtual Terminal 2, etc. In this case the special file
/dev/vcsa2is used to retrieve vt2's current text. Text and colors are shown, but no graphics.
[Home]entry in the "drives" drop down menu. This menu can be configured with the
ftpDropDownapplet parameter. All of the applet parameters are documented in
-ncache_crthat allows smooth opaque window motions using the 'copyrect' encoding when using
-rmflagoption enables a way to indicate to other processes x11vnc has exited.
Here are some features that appeared in the 0.9.6 release (Dec/2008):
-sslmode. VNC Viewers like vinagre, gvncviewer/gtk-vnc, the vencrypt package, SSVNC, and others support this encryption mode. It can also be used with the
-unixpwoption to enable Unix username and password authentication (VeNCrypt's "
*Plain" modes.) A similar but older VNC security type "ANONTLS" (used by vino) is supported as well. See the
-anontlsoptions for additional control. The difference between x11vnc's normal
-sslmode and VeNCrypt is that the former wraps the entire VNC connection in SSL (like HTTPS does for HTTP, i.e. "vncs://") while VeNCrypt switches on the SSL/TLS at a certain point during the VNC handshake. Use
-sslonlyto disable both VeNCrypt and ANONTLS (vino.)
-ssl ANON" option enables Anonymous Diffie-Hellman (ADH) key exchange for x11vnc's normal SSL/TLS operation. Note that Anonymous Diffie-Hellman uses encryption for privacy, but provides no authentication and so is susceptible to Man-In-The-Middle attacks (and so we do not recommend it: we prefer you use "
-ssl SAVE", etc. and have the VNC viewer verify the cert.) The ANONTLS mode (vino) only supports ADH. VeNCrypt mode supports both ADH and regular X509 SSL certificates modes. For these ADH is enabled by default. See
-anontlsfor how to disable ADH.
-sslCRLoption. This will only be useful for wide deployments: say a company-wide x11vnc SSL access deployment using a central Certificate Authority (CA) via
-sslGenCert. This way if a user has his laptop lost or stolen, you only have to revoke his key instead of creating a new Certificate Authority and redeploying new keys to all users.
-ssl" (no pem file parameter supplied), is now the same as "
-ssl SAVE" and will save the generated self-signed cert in "
~/.vnc/certs/server.pem". Previously "
-ssl" would create a temporary self-signed cert that was discarded when x11vnc exited. The reason for the change is to at least give the chance for the VNC Viewer side (e.g. SSVNC) to remember the cert to authenticate subsequent connections to the same x11vnc server. Use "
-ssl TMP" to regain the previous behavior. Use "
-ssl SAVE_NOPROMPT" to avoid being prompted about using passphrase when the certificate is created.
-http_oneportenables single-port HTTP connections via the Java VNC Viewer. So, for example, the web browser URL "
http://myhost.org:5900" works the same as "
http://myhost.org:5800", but with the convenience of only involving one port instead of two. This works for both unencrypted connections and for SSH tunnels (see
-httpsredirif the tunnel port differs.) Note that HTTPS single-port operation in
-sslSSL encrypted mode has been available since x11vnc version 0.8.3.
-zeroconfService Advertizing mode, if x11vnc was not compiled with the avahi-client library, then an external helper program, either
avahi-publish(1)(on Unix) or
dns-sd(1)(on Mac OS X), is used instead.
-rfbport PROMPT" option will prompt the user via the GUI to select the VNC port (e.g. 5901) to listen on, and a few other basic settings. This enables a handy GUI mode for naive users:
x11vnc -gui tray=setpass -rfbport PROMPT -logfile $HOME/.x11vnc.log.%VNCDISPLAYsuitable for putting in a launcher or menu, e.g.
-logfileexpansion is new too. In the GUI, the
tray=setpassProperties panel has been improved.
-solidsolid background color option now works for the Mac OS X console.
-reopenoption instructs x11vnc to try to reopen the X display if it is prematurely closed by, say, the display manager (e.g. GDM.)
Here are some features that appeared in the 0.9.5 release (Oct/2008):
-scale 1280x1024" or "
-scale 0.8x0.75" Also, "
-geometry WxH" is an alias for "
-chatwindowoption allows a UltraVNC Text Chat window to appear on the local X11 console/display (this way the remote viewer can chat with the person at the physical display; e.g. helpdesk mode.) This also works on the Mac OS X console if the Xquartz X11 server (enabled by default on leopard) is running for the chatwindow.
Here are some features that appeared in the 0.9.4 release (Sep/2008):
-createX session finding or creating modes: new desktop types and service redirection options. Personal cupsd daemon and SSH port redirection helper for use with SSVNC's Terminal Services feature.
-connectwork in the
-proxy. Forward connections can also use:
UltraVNC repeater proxy(either normal or SSL) are supported. Use either the "
-connect repeater=ID:NNNN+host:port" or "
-connect repeater://host:port+ID:NNNN" notation. The SSVNC VNC viewer also supports the UltraVNC repeater. Also, a perl repeater implemention is here:
-advertise_truecolor" to handle some workaround in this mode.
-listdpyutilities help to debug and configure the
-xrandroption is not supplied.
-autoportoptions gives more control over the VNC port x11vnc chooses.
-ping secscan be used to help keep idle connections alive.
-ncache 10". The unix Enhanced TightVNC Viewer ssvnc has a nice -ycrop option to help hide the pixel cache area from view.
libsslavailable (or with
--without-ssl) has been fixed.
./configure --with-system-libvncserver" to use a system installed libvncserver library instead of the one bundled in the release tarball.
-unixpwmode in the username and password dialog no text will be echoed if the first character sent is "Escape". This enables a convenience feature in SSVNC to send the username and password automatically.
classes/ssl/UltraViewerSSL.jarfile (that is pointed to by
ultra.vnc.) The signed applet
SignedUltraViewerSSL.jarversion (pointed to by
ultrasigned.vnc) will be needed to access the local drive if you are using it for file transfer via a Web browser. Some other bugs in the UltraVNC Java viewer were fixed and a few improvements to the UI made.
-users sslpeer=". The
emailAddresssubject field is inspected for
username@hostnameand then acts as though "
-users +username" has been supplied. This way the Unix username is identified by (i.e. simply extracted from) the Client SSL Certificate. This could be useful with
-svcmodes if you are also have set up and use VNC Client SSL Certificate authentication.
WAIT:cmd=...) if the VNC Viewer is authenticated via a Client SSL Certificate, then that Certificate is available in the environment variable
-avahi" or "
-id), and disable (friendly) user input and viewing (monitor blank) at the VNC server.
-svc", and "
-xdmsvc" for commonly used FINDCREATEDISPLAY usage modes.
-noxdamage" if it is not working well. OpenGL applications like like beryl and MythTv have been shown to make XDAMAGE not work properly.
-httpsredirto spare the user from needing to include
&PORT=NNNin the browser URL.
Here are some features that appeared in the 0.8.4 release (Feb/2007):
-display WAIT:cmd=FINDCREATEDISPLAY -unixpw ..." that will Create a new X session (either virtual or real and with or without a display manager, e.g. kdm) for the user if it cannot find the user's X session display via the FINDDISPLAY method. See the
-reflect host:N" option. Instead of polling an X display, the remote VNC Server
host:Nis connected to and re-exported via VNC. This is intended for use in broadcasting a display to many (e.g. > 16; classroom or large demo) VNC viewers where bandwidth and other resources are conserved by spreading the load over a number of repeaters.
-N" option couples the VNC Display number to the X Display number. E.g. if your X DISPLAY is :2 then the VNC display will be :2 (i.e. using port 5902.) If that port is taken x11vnc will exit.
-nodpmsto avoid problems with programs like KDE's
kdesktop_lockthat keep restarting the screen saver every few seconds.
-xwarppointeroption is enabled by default when XINERAMA is active.
./configure --without-x", or download a binary mentioned above, (even if you don't plan on ever using it in this mode!), and let me know how it went. Thanks.
Here are some features that appeared in the 0.8.3 release (Nov/2006):
-ssloption provides SSL encryption and authentication natively via the www.openssl.org library. One can use from a simple self-signed certificate server certificate up to full CA and client certificate authentication schemes.
-stunneloption starts up a SSL tunnel server
stunnel(that must be installed separately on the system: stunnel.mirt.net ) to allow only encrypted SSL connections from the network.
-sslverifyoption allows for authenticating VNC clients via their certificates in either
-sslGenCA, and related options.
classes/ssl/VncViewer.jar. In addition to normal HTTP, the applet may be loaded into the web browser via HTTPS (HTTP over SSL.) (one can use the VNC port, e.g.
https://host:5900/, or also the separate
-httpsport option.) A wrapper shell script ss_vncviewer is also provided that sets up a stunnel client-side tunnel on Unix systems. See Enhanced TightVNC Viewer (SSVNC) for other SSL/SSH viewer possibilities. Samira Al-Ghuiyy reports that SSVNC works properly in remote helpdesk mode using UltraVNC Single-click in Windows Vista.
-unixpwoption supports Unix username and password authentication (a simpler variant is the
-unixpw_nisoption that works in environments where the encrypted passwords are readable, e.g. NIS.) The
-stunneloptions are enforced in this mode to prevent password sniffing. As a convenience, these requirements are lifted if a SSH tunnel can be deduced (but
-display WAIT:cmd=FINDDISPLAY" or "
-display WAIT:cmd=FINDCREATEDISPLAY" provides a way to allow a user to login with their UNIX password and have their display connected to automatically. See the
-passwdfile cmd:,custom:..." options to allow you to supply your own authentication and password lookup programs.
./configure --without-x" for
-rawfbonly operation (e.g. embedded linux console devices.)
-rotateoption enables you to rotate or reflect the screen before exporting via VNC. This is intended for use on handhelds and other devices where the rotation orientation is not "natural".
-ultrafilexfer" alias is provided and improved UltraVNC filetransfer rates have been achieved.
-connect_or_exit host" option x11vnc will exit immediately unless the reverse connection to
hostsucceeds. The "
-rfbport 0" option disables TCP listening for connections (useful for this mode.)
-rawfb rand" and "
-rawfb none" options are useful for testing automation scripts, etc., without requiring a full desktop.
-verbose" (also "
-v") to turn it back on for debugging or if you are going to send me a problem report.
uinputlinux device driver. This enables full interaction with non-X applications on the Linux console (e.g. Qt-embedded/Qtopia-Core apps). This will be autodetected in:
-rawfb consolemode, and can be forced on via:
-display WAIT:...option extends the normal
-displayoption by having x11vnc wait until a VNC viewer connects before attaching to an X display. A command can also be supplied that will determine the DISPLAY and XAUTHORITY data. A default one is built-in for
WAIT:cmd=FINDDISPLAY. Coupling this with "
-unixpw -users unixpw=" (available in beta version) provides a way to allow a user to login with their UNIX password and have their display connected to automatically.
-grabptroptions allow some degree of grabbing the pointer and keyboard so local users cannot perform input (e.g. remote helpdesk application).
-allowedcmdsto fine-tune which external commands may be run by x11vnc, rather than shutting them all off with
-env VAR=VALUEconvenience option to avoid the need of setting environment variables before starting x11vnc,
-allinputoption to enable libvncserver
-rawfb randfun/testing option using
/dev/urandomas a fb,
-licenseprint license, copying, warranty information.
/dev/video) with the
-rawfboption. E.g. "
-rawfb video0" will autodetect the video WxHxB (requires Video4Linux buildtime or the
v4l-infoutility). Use "
-rawfb video -pipeinput VID" for a simple keystroke utility to configure the capture device.
-rawfb consoleto connect to the linux console (
/dev/fb0) and inject keystrokes into it (
/dev/ttyX). Like LinuxVNC or
-pipeinput vcinject.pl, but now built in.
-24to32option provides automatic translation from 24bpp to 32bpp framebuffers to avoid problems with viewers, etc (often needed for webcams).
-usepwoption will try to use your existing ~/.vnc/passwd or ~/.vnc/passwdfile passwords or otherwise prompt you to create one (the server exits unless a password file is found and used). Use "
x11vnc -storepasswd" to prompt for a password without echoing and save it in
-nosetclipboardfor the previous PRIMARY-only behavior.
-skip_lockkeysto help manage CapsLocks behavior better.
-fbpmoption provides FBPM support for hardware that provides framebuffer power management (it needs to be disabled when vnc clients are connected).
-xineramaoption is now on by default. Use
-noxineramaoption to disable.
-passwdfileoption has been enhanced to handle any number of full-access and view only passwords in an easy to maintain format. Automatic rereading or file removal can be enabled.
-8to24option enables some multi-depth viewing on systems that don't support
-overlay. The 8bpp regions are transformed to depth 24 TrueColor.
-loopoption will run x11vnc in an outer loop restarting each time (useful for situations where the X server restarts often).
-afteracceptoption is like
-accepthowever it enables running a user supplied command after client authentication has taken place. The
RFB_* environment variables have been extended.
-slow_fballows for slow polling for special purpose applications (e.g. video).
-blackout noptr,WxH+X+Y,...will prevent the pointer from going into a blacked out region.
Here are some notes about features added in 0.7.2. Checking/Testing them is still useful and appreciated!
Note that the X DAMAGE feature will be on by default and so I am interested if that causes any problems. I'd also like to have the new wireframe move/resize, the wireframe copyrect translation, and the scroll detection+copyrect features all on by default as well since when they work they give a great speedup! (CopyRect is a VNC encoding and is very fast because the viewer already has the image data that needs to be copied: e.g. it just moves it to another part of its screen). The scroll copyrect is currently the least stable, you can toggle it off via "-noscr" or via the gui (all of the other new features can also be toggled by cmdline option or gui, see -help output for more info).