x11vnc: a VNC server for real X displays
Here are all of x11vnc command line options:
% x11vnc -opts (see below for -help long descriptions)
x11vnc: allow VNC connections to real X11 displays. 0.9.4 lastmod: 2008-07-01
x11vnc options:
-display disp -auth file -N
-autoport n -reflect host:N -id windowid
-sid windowid -clip WxH+X+Y -flashcmap
-shiftcmap n -notruecolor -advertise_truecolor
-visual n -overlay -overlay_nocursor
-8to24 [opts] -24to32 -scale fraction
-scale_cursor frac -viewonly -shared
-once -forever -loop
-timeout n -sleepin n -inetd
-tightfilexfer -ultrafilexfer -http
-http_ssl -avahi -mdns
-connect string -connect_or_exit str -proxy string
-vncconnect -novncconnect -allow host1[,host2..]
-localhost -nolookup -input string
-grabkbd -grabptr -grabalways
-viewpasswd string -passwdfile filename -unixpw [list]
-unixpw_nis [list] -unixpw_cmd cmd -find
-finddpy -listdpy -create
-xdummy -xvnc -xvnc_redirect
-svc -svc_xdummy -svc_xvnc
-xdmsvc -sshxdmsvc -redirect port
-display WAIT:... -nossl -ssl [pem]
-ssltimeout n -sslnofail -ssldir [dir]
-sslverify [path] -sslGenCA [dir] -sslGenCert type name
-sslEncKey [pem] -sslCertInfo [pem] -sslDelCert [pem]
-stunnel [pem] -stunnel3 [pem] -https [port]
-httpsredir [port] -ssh user@host:disp -usepw
-storepasswd pass file -nopw -accept string
-afteraccept string -gone string -users list
-noshm -flipbyteorder -onetile
-solid [color] -blackout string -xinerama
-noxinerama -xtrap -xrandr [mode]
-rotate string -padgeom WxH -o logfile
-flag file -rc filename -norc
-env VAR=VALUE -prog /path/to/x11vnc -h, -help
-?, -opts -V, -version -license
-dbg -q, -quiet -v, -verbose
-bg -modtweak -nomodtweak
-xkb -noxkb -capslock
-skip_lockkeys -skip_keycodes string -sloppy_keys
-skip_dups -noskip_dups -add_keysyms
-noadd_keysyms -clear_mods -clear_keys
-clear_all -remap string -norepeat
-repeat -nofb -nobell
-nosel -noprimary -nosetprimary
-noclipboard -nosetclipboard -seldir string
-cursor [mode] -nocursor -cursor_drag
-arrow n -noxfixes -alphacut n
-alphafrac fraction -alpharemove -noalphablend
-nocursorshape -cursorpos -nocursorpos
-xwarppointer -noxwarppointer -buttonmap string
-nodragging -ncache n -ncache_cr
-ncache_no_moveraise -ncache_no_dtchange -ncache_no_rootpixmap
-ncache_keep_anims -ncache_old_wm -ncache_pad n
-debug_ncache -wireframe [str] -nowireframe
-nowireframelocal -wirecopyrect mode -nowirecopyrect
-debug_wireframe -scrollcopyrect mode -noscrollcopyrect
-scr_area n -scr_skip list -scr_inc list
-scr_keys list -scr_term list -scr_keyrepeat lo-hi
-scr_parms string -fixscreen string -debug_scroll
-noxrecord -grab_buster -nograb_buster
-debug_grabs -debug_sel -pointer_mode n
-input_skip n -allinput -speeds rd,bw,lat
-wmdt string -debug_pointer -debug_keyboard
-defer time -wait time -wait_ui factor
-nowait_bog -slow_fb time -xrefresh time
-nap -nonap -sb time
-readtimeout n -ping n -nofbpm
-fbpm -nodpms -dpms
-forcedpms -clientdpms -noserverdpms
-noultraext -noxdamage -xd_area A
-xd_mem f -sigpipe string -threads
-nothreads -fs f -gaps n
-grow n -fuzz n -debug_tiles
-snapfb -rawfb string -freqtab file
-pipeinput cmd -macnodim -macnosleep
-macnosaver -macnowait -macwheel n
-macnoswap -macnoresize -maciconanim n
-macmenu -gui [gui-opts] -remote command
-query variable -QD variable -sync
-noremote -yesremote -unsafe
-safer -privremote -nocmds
-allowedcmds list -deny_all
libvncserver options:
-rfbport port TCP port for RFB protocol
-rfbwait time max time in ms to wait for RFB client
-rfbauth passwd-file use authentication on RFB protocol
(use 'storepasswd' to create a password file)
-rfbversion 3.x Set the version of the RFB we choose to advertise
-permitfiletransfer permit file transfer support
-passwd plain-password use authentication
(use plain-password as password, USE AT YOUR RISK)
-deferupdate time time in ms to defer updates (default 40)
-deferptrupdate time time in ms to defer pointer updates (default none)
-desktop name VNC desktop name (default "LibVNCServer")
-alwaysshared always treat new clients as shared
-nevershared never treat new clients as shared
-dontdisconnect don't disconnect existing clients when a new non-shared
connection comes in (refuse new connection instead)
-httpdir dir-path enable http server using dir-path home
-httpport portnum use portnum for http connection
-enablehttpproxy enable http proxy support
-progressive height enable progressive updating for slow links
-listen ipaddr listen for connections only on network interface with
addr ipaddr. '-listen localhost' and hostname work too.
libvncserver-tight-extension options:
-disablefiletransfer disable file transfer
-ftproot string set ftp root
% x11vnc -help
x11vnc: allow VNC connections to real X11 displays. 0.9.4 lastmod: 2008-07-01
(type "x11vnc -opts" to just list the options.)
Typical usage is:
Run this command in a shell on the remote machine "far-host"
with X session you wish to view:
x11vnc -display :0
Then run this in another window on the machine you are sitting at:
vncviewer far-host:0
Once x11vnc establishes connections with the X11 server and starts listening
as a VNC server it will print out a string: PORT=XXXX where XXXX is typically
5900 (the default VNC server port). One would next run something like
this on the local machine: "vncviewer hostname:N" where "hostname" is
the name of the machine running x11vnc and N is XXXX - 5900, i.e. usually
"vncviewer hostname:0".
By default x11vnc will not allow the screen to be shared and it will exit
as soon as the client disconnects. See -shared and -forever below to override
these protections. See the FAQ for details how to tunnel the VNC connection
through an encrypted channel such as ssh(1). In brief:
ssh -t -L 5900:localhost:5900 far-host 'x11vnc -localhost -display :0'
vncviewer -encodings 'copyrect tight zrle hextile' localhost:0
Also, use of a VNC password (-rfbauth or -passwdfile) is strongly recommended.
For additional info see: http://www.karlrunge.com/x11vnc/
and http://www.karlrunge.com/x11vnc/#faq
Config file support: if the file $HOME/.x11vncrc exists then each line in
it is treated as a single command line option. Disable with -norc. For
each option name, the leading character "-" is not required. E.g. a line
that is either "forever" or "-forever" may be used and are equivalent.
Likewise "wait 100" or "-wait 100" are acceptable and equivalent lines.
The "#" character comments out to the end of the line in the usual way
(backslash it for a literal). Leading and trailing whitespace is trimmed off.
Lines may be continued with a "\" as the last character of a line (it
becomes a space character).
Options:
-display disp X11 server display to connect to, usually :0. The X
server process must be running on same machine and
support MIT-SHM. Equivalent to setting the DISPLAY
environment variable to "disp".
See the description below of the "-display WAIT:..."
extensions, where alias "-find" will find the user's
display automatically, and "-create" will create a
Xvfb session if no session is found.
-auth file Set the X authority file to be "file", equivalent to
setting the XAUTHORITY environment variable to "file"
before startup. Same as -xauth file. See Xsecurity(7),
xauth(1) man pages for more info.
-N If the X display is :N, try to set the VNC display
to also be :N This just sets the -rfbport option
to 5900+N. The program will exit immediately if that
port is not available.
-autoport n Automatically probe for a free VNC port starting at n.
The default is to start probing at 5900. Use this to
stay away from other VNC servers near 5900.
-reflect host:N Instead of connecting to and polling an X display,
connect to the remote VNC server host:N and be a
reflector/repeater for it. This is useful for trying
to manage the case of many simultaneous VNC viewers
(e.g. classroom broadcasting) where, e.g. you put
a repeater on each network switch, etc, to improve
performance by distributing the load and network
traffic. Implies -shared (use -noshared as a later
option to disable). See the discussion below under
-rawfb vnc:host:N for more details.
-id windowid Show the X window corresponding to "windowid" not
the entire display. New windows like popup menus,
transient toplevels, etc, may not be seen or may be
clipped. Disabling SaveUnders or BackingStore in the
X server may help show them. x11vnc may crash if the
window is initially partially obscured, changes size,
is iconified, etc. Some steps are taken to avoid this
and the -xrandr mechanism is used to track resizes. Use
xwininfo(1) to get the window id, or use "-id pick"
to have x11vnc run xwininfo(1) for you and extract
the id. The -id option is useful for exporting very
simple applications (e.g. the current view on a webcam).
-sid windowid As -id, but instead of using the window directly it
shifts a root view to it: this shows SaveUnders menus,
etc, although they will be clipped if they extend beyond
the window.
-clip WxH+X+Y Only show the sub-region of the full display that
corresponds to the rectangle geometry with size WxH and
offset +X+Y. The VNC display has size WxH (i.e. smaller
than the full display). This also works for -id/-sid
mode where the offset is relative to the upper left
corner of the selected window. An example use of this
option would be to split a large (e.g. Xinerama) display
into two parts to be accessed via separate viewers by
running a separate x11vnc on each part.
Use '-clip xinerama0' to clip to the first xinerama
sub-screen (if xinerama is active). xinerama1 for the
2nd sub-screen, etc. This way you don't need to figure
out the WxH+X+Y of the desired xinerama sub-screen.
screens are sorted in increasing distance from the
(0,0) origin (I.e. not the Xserver's order).
-flashcmap In 8bpp indexed color, let the installed colormap flash
as the pointer moves from window to window (slow).
Also try the -8to24 option to avoid flash altogether.
-shiftcmap n Rare problem, but some 8bpp displays use less than 256
colorcells (e.g. 16-color grayscale, perhaps the other
bits are used for double buffering) *and* also need to
shift the pixels values away from 0, .., ncells. "n"
indicates the shift to be applied to the pixel values.
To see the pixel values set DEBUG_CMAP=1 to print out
a colormap histogram. Example: -shiftcmap 240
-notruecolor For 8bpp displays, force indexed color (i.e. a colormap)
even if it looks like 8bpp TrueColor (rare problem).
-advertise_truecolor If the X11 display is indexed color, lie to clients
when they first connect by telling them it is truecolor.
To workaround RealVNC: inPF has colourMap but not 8bpp
Use '-advertise_truecolor reset' to reset client fb too.
-visual n This option probably does not do what you think.
It simply *forces* the visual used for the framebuffer;
this may be a bad thing... (e.g. messes up colors or
cause a crash). It is useful for testing and for some
workarounds. n may be a decimal number, or 0x hex.
Run xdpyinfo(1) for the values. One may also use
"TrueColor", etc. see <X11/X.h> for a list. If the
string ends in ":m" then for better or for worse
the visual depth is forced to be m. You may want to
use -noshm when using this option (so XGetImage may
automatically translate the pixel data).
-overlay Handle multiple depth visuals on one screen, e.g. 8+24
and 24+8 overlay visuals (the 32 bits per pixel are
packed with 8 for PseudoColor and 24 for TrueColor).
Currently -overlay only works on Solaris via
XReadScreen(3X11) and IRIX using XReadDisplay(3).
On Solaris there is a problem with image "bleeding"
around transient popup menus (but not for the menu
itself): a workaround is to disable SaveUnders
by passing the "-su" argument to Xsun (in
/etc/dt/config/Xservers).
Use -overlay as a workaround for situations like these:
Some legacy applications require the default visual to
be 8bpp (8+24), or they will use 8bpp PseudoColor even
when the default visual is depth 24 TrueColor (24+8).
In these cases colors in some windows will be incorrect
in x11vnc unless -overlay is used. Another use of
-overlay is to enable showing the exact mouse cursor
shape (details below).
Under -overlay, performance will be somewhat slower
due to the extra image transformations required.
For optimal performance do not use -overlay, but rather
configure the X server so that the default visual is
depth 24 TrueColor and try to have all apps use that
visual (e.g. some apps have -use24 or -visual options).
-overlay_nocursor Sets -overlay, but does not try to draw the exact mouse
cursor shape using the overlay mechanism.
-8to24 [opts] Try this option if -overlay is not supported on your
OS, and you have a legacy 8bpp app that you want to
view on a multi-depth display with default depth 24
(and is 32 bpp) OR have a default depth 8 display with
depth 24 overlay windows for some apps. This option
may not work on all X servers and hardware (tested
on XFree86/Xorg mga driver and Xsun). The "opts"
string is not required and is described below.
This mode enables a hack where x11vnc monitors windows
within 3 levels from the root window. If it finds
any that are 8bpp it extracts the indexed color
pixel values using XGetImage() and then applies a
transformation using the colormap(s) to create TrueColor
RGB values that it in turn inserts into bits 1-24 of
the framebuffer. This creates a depth 24 "view"
of the display that is then exported via VNC.
Conversely, for default depth 8 displays, the depth
24 regions are read by XGetImage() and everything is
transformed and inserted into a depth 24 TrueColor
framebuffer.
Note that even if there are *no* depth 24 visuals or
windows (i.e. pure 8bpp), this mode is potentially
an improvement over -flashcmap because it avoids the
flashing and shows each window in the correct color.
This method appear to work, but may still have bugs
and it does hog resources. If there are multiple 8bpp
windows using different colormaps, one may have to
iconify all but one for the colors to be correct.
There may be painting errors for clipping and switching
between windows of depths 8 and 24. Heuristics are
applied to try to minimize the painting errors. One can
also press 3 Alt_L's in a row to refresh the screen
if the error does not repair itself. Also the option
-fixscreen 8=3.0 or -fixscreen V=3.0 may be used to
periodically refresh the screen at the cost of bandwidth
(every 3 sec for this example).
The [opts] string can contain the following settings.
Multiple settings are separated by commas.
For for some X servers with default depth 24 a
speedup may be achieved via the option "nogetimage".
This enables a scheme were XGetImage() is not used
to retrieve the 8bpp data. Instead, it assumes that
the 8bpp data is in bits 25-32 of the 32bit X pixels.
There is no requirement that the X server should put
the data there for our poll requests, but some do and
so the extra steps to retrieve it can be skipped.
Tested with mga driver with XFree86/Xorg. For the
default depth 8 case this option is ignored.
To adjust how often XGetImage() is used to poll the
non-default visual regions for changes, use the option
"poll=t" where "t" is a floating point time.
(default: 0.05)
Setting the option "level2" will limit the search
for non-default visual windows to two levels from the
root window. Do this on slow machines where you know
the window manager only imposes one extra window between
the app window and the root window.
Also for very slow machines use "cachewin=t"
where t is a floating point amount of time to cache
XGetWindowAttributes results. E.g. cachewin=5.0.
This may lead to the windows being unnoticed for this
amount of time when deiconifying, painting errors, etc.
While testing on a very old SS20 these options gave
tolerable response: -8to24 poll=0.2,cachewin=5.0. For
this machine -overlay is supported and gives better
response.
Debugging for this mode can be enabled by setting
"dbg=1", "dbg=2", or "dbg=3".
-24to32 Very rare problem: if the framebuffer (X display
or -rawfb) is 24bpp instead of the usual 32bpp, then
dynamically transform the pixels to 32bpp. This will be
slower, but can be used to work around problems where
VNC viewers cannot handle 24bpp (e.g. "main: setPF:
not 8, 16 or 32 bpp?"). See the FAQ for more info.
In the case of -rawfb mode, the pixels are directly
modified by inserting a 0 byte to pad them out to 32bpp.
For X displays, a kludge is done that is equivalent to
"-noshm -visual TrueColor:32". (If better performance
is needed for the latter, feel free to ask).
-scale fraction Scale the framebuffer by factor "fraction". Values
less than 1 shrink the fb, larger ones expand it. Note:
image may not be sharp and response may be slower.
If "fraction" contains a decimal point "." it
is taken as a floating point number, alternatively
the notation "m/n" may be used to denote fractions
exactly, e.g. -scale 2/3
Scaling Options: can be added after "fraction" via
":", to supply multiple ":" options use commas.
If you just want a quick, rough scaling without
blending, append ":nb" to "fraction" (e.g. -scale
1/3:nb). No blending is the default for 8bpp indexed
color, to force blending for this case use ":fb".
To disable -scrollcopyrect and -wirecopyrect under
-scale use ":nocr". If you need to to enable them use
":cr" or specify them explicitly on the command line.
If a slow link is detected, ":nocr" may be applied
automatically. Default: :cr
More esoteric options: for compatibility with vncviewers
the scaled width is adjusted to be a multiple of 4:
to disable this use ":n4". ":in" use interpolation
scheme even when shrinking, ":pad" pad scaled width
and height to be multiples of scaling denominator
(e.g. 3 for 2/3).
-scale_cursor frac By default if -scale is supplied the cursor shape is
scaled by the same factor. Depending on your usage,
you may want to scale the cursor independently of the
screen or not at all. If you specify -scale_cursor
the cursor will be scaled by that factor. When using
-scale mode to keep the cursor at its "natural" size
use "-scale_cursor 1". Most of the ":" scaling
options apply here as well.
-viewonly All VNC clients can only watch (default off).
-shared VNC display is shared, i.e. more than one viewer can
connect at the same time (default off).
-once Exit after the first successfully connected viewer
disconnects, opposite of -forever. This is the Default.
-forever Keep listening for more connections rather than exiting
as soon as the first client(s) disconnect. Same as -many
-loop Create an outer loop restarting the x11vnc process
whenever it terminates. -bg and -inetd are ignored
in this mode (however see -loopbg below).
Useful for continuing even if the X server terminates
and restarts (at that moment the process will need
permission to reconnect to the new X server of course).
Use, e.g., -loop100 to sleep 100 millisecs between
restarts, etc. Default is 2000ms (i.e. 2 secs) Use,
e.g. -loop300,5 to sleep 300 ms and only loop 5 times.
If -loopbg (plus any numbers) is specified instead,
the "-bg" option is implied and the mode approximates
inetd(8) usage to some degree. In this case when
it goes into the background any listening sockets
(i.e. ports 5900, 5800) are closed, so the next one
in the loop can use them. This mode will only be of
use if a VNC client (the only client for that process)
is already connected before the process goes into the
background, for example, usage of -display WAIT:..,
-svc, and -connect can make use of this "poor man's"
inetd mode. The default wait time is 500ms in this
mode. This usage could use useful: -svc -bg -loopbg
-timeout n Exit unless a client connects within the first n seconds
after startup.
-sleepin n At startup sleep n seconds before proceeding (e.g. to
allow redirs and listening clients to start up)
-inetd Launched by inetd(8): stdio instead of listening socket.
Note: if you are not redirecting stderr to a log file
(via shell 2> or -o option) you MUST also specify the -q
option, otherwise the stderr goes to the viewer which
will cause it to abort. Specifying both -inetd and -q
and no -o will automatically close the stderr.
-tightfilexfer Enable the TightVNC file transfer extension. Note that
that when the -viewonly option is supplied all file
transfers are disabled. Also clients that log in
viewonly cannot transfer files. However, if the remote
control mechanism is used to change the global or
per-client viewonly state the filetransfer permissions
will NOT change.
IMPORTANT: please understand if -tightfilexfer is
specified and you run x11vnc as root for, say, inetd
or display manager (gdm, kdm, ...) access and you do
not have it switch users via the -users option, then
VNC Viewers that connect are able to do filetransfer
reads and writes as *root*.
Also, tightfilexfer is disabled in -unixpw mode.
-ultrafilexfer Note: to enable UltraVNC filetransfer and to get it to
work you probably need to supply these libvncserver
options: "-rfbversion 3.6 -permitfiletransfer"
"-ultrafilexfer" is an alias for this combination.
IMPORTANT: please understand if -ultrafilexfer is
specified and you run x11vnc as root for, say, inetd
or display manager (gdm, kdm, ...) access and you do
not have it switch users via the -users option, then
VNC Viewers that connect are able to do filetransfer
reads and writes as *root*.
Note that sadly you cannot do both -tightfilexfer and
-ultrafilexfer at the same time because the latter
requires setting the version to 3.6 and tightvnc will
not do filetransfer when it sees that version number.
-http Instead of using -httpdir (see below) to specify
where the Java vncviewer applet is, have x11vnc try
to *guess* where the directory is by looking relative
to the program location and in standard locations
(/usr/local/share/x11vnc/classes, etc). Under -ssl or
-stunnel the ssl classes subdirectory is sought.
-http_ssl As -http, but force lookup for ssl classes subdir.
-avahi Use the Avahi/mDNS ZeroConf protocol to advertise
this VNC server to the local network. (Related terms:
Rendezvous, Bonjour). Depending on your setup, you
may need to start avahi-daemon and open udp port 5353
in your firewall.
-mdns Same as -avahi.
-connect string For use with "vncviewer -listen" reverse connections.
If "string" has the form "host" or "host:port"
the connection is made once at startup.
Use commas for a list of host's and host:port's.
E.g. -connect host1,host2 or host1:0,host2:5678.
Note that to reverse connect to multiple hosts at the
same time you will likely need to also supply: -shared
Note that unlike most vnc servers, x11vnc will require a
password for reverse as well as for forward connections.
(provided password auth has been enabled, -rfbauth, etc)
If you do not want to require a password for reverse
connections set X11VNC_REVERSE_CONNECTION_NO_AUTH=1 in
your environment before starting x11vnc.
If "string" contains "/" it is instead interpreted
as a file to periodically check for new hosts.
The first line is read and then the file is truncated.
Be careful about the location of this file if x11vnc
is running as root (e.g. via gdm(1), etc).
Repeater mode: Some services provide an intermediate
"vnc repeater": http://www.uvnc.com/addons/repeater.html
(and also http://koti.mbnet.fi/jtko/ for linux port)
that acts as a proxy / gateway. Modes like these require
an initial string to be sent for the reverse connection
before the VNC protocol is started. Here are the ways
to do this:
-connect pre=some_string+host:port
-connect pre128=some_string+host:port
-connect repeater=ID:1234+host:port
-connect repeater=23.45.67.89::5501+host:port
SSVNC notation is also supported:
-connect repeater://host:port+ID:1234
As with normal -connect usage, if the repeater port is
not supplied 5500 is assumed.
The basic idea is between the special tag, e.g. "pre="
and "+" is the pre-string to be sent. Note that in
this case host:port is the repeater server, NOT the
vnc viewer. Somehow the pre-string tells the repeater
server how to find the vnc viewer and connect you to it.
In the case pre=some_string+host:port, "some_string"
is simply sent. In the case preNNN=some_string+host:port
"some_string" is sent in a null padded buffer of
length NNN. repeater= is the same as pre250=, this is
the ultravnc repeater buffer size.
Strings like "\n" and "\r", etc. are expanded to
newline and carriage return. "\c" is expanded to
"," since the connect string is comma separated.
See also the -proxy option below for additional ways
to plumb reverse connections.
-connect_or_exit str As with -connect, except if none of the reverse
connections succeed, then x11vnc shutdowns immediately.
By the way, if you do not want x11vnc to listen on
ANY interface use -rfbport 0 which is handy for the
-connect_or_exit mode.
-proxy string Use proxy in string (e.g. host:port) as a proxy for
making reverse connections (-connect or -connect_or_exit
options).
Web proxies are supported, but note by default most of
them only support destination connections to ports 443
or 563, so this might not be very useful (the viewer
would need to listen on that port or the router would
have to do a port redirection).
A web proxy may be specified by either "host:port"
or "http://host:port" (the port is required even if
it is the common choices 80 or 8080)
SOCKS4, SOCKS4a, and SOCKS5 are also supported.
SOCKS proxies normally do not have restrictions on the
destination port number.
Use a format like this: socks://host:port or
socks5://host:port. Note that ssh -D does not support
SOCKS4a, so use socks5://. For socks:// SOCKS4 is used
on a numerical IP and "localhost", otherwise SOCKS4a
is used (and so the proxy tries to do the DNS lookup).
An experimental mode is "-proxy http://host:port/..."
Note the "/" after the port that distinguishes it from
a normal web proxy. The port must be supplied even if
it is the default 80. For this mode a GET is done to
the supplied URL with the string host=H&port=P appended.
H and P will be the -connect reverse connect host
and port. Use the string "__END__" to disable the
appending. The basic idea here is that maybe some cgi
script provides the actual viewer hookup and tunnelling.
How to actually achieve this within cgi, php, etc. is
not clear... A custom web server or apache module
would be straight-forward.
Another experimental mode is "-proxy ssh://user@host"
in which case a SSH tunnel is used for the proxying.
"user@" is not needed unless your unix username is
different on "host". For a non-standard SSH port
use ssh://user@host:port. If proxies are chained (see
next paragraph) then the ssh one must be the first one.
If ssh-agent is not active, then the ssh password needs
to be entered in the terminal where x11vnc is running.
Examples:
-connect localhost:0 -proxy ssh://me@friends-pc:2222
-connect snoopy:0 -proxy ssh://ssh.company.com
Multiple proxies may be chained together in case one
needs to ricochet off of a number of hosts to finally
reach the VNC viewer. Up to 3 may be chained, separate
them by commas in the order they are to be connected to.
E.g.: http://host1:port1,socks5://host2:port2 or three
like: first,second,third
-vncconnect Monitor the VNC_CONNECT X property set by the standard
-novncconnect VNC program vncconnect(1). When the property is
set to "host" or "host:port" establish a reverse
connection. Using xprop(1) instead of vncconnect may
work (see the FAQ). The -remote control mechanism uses
X11VNC_REMOTE channel, and this option disables/enables
it as well. Default: -vncconnect
-allow host1[,host2..] Only allow client connections from hosts matching
the comma separated list of hostnames or IP addresses.
Can also be a numerical IP prefix, e.g. "192.168.100."
to match a simple subnet, for more control build
libvncserver with libwrap support (See the FAQ). If the
list contains a "/" it instead is a interpreted as a
file containing addresses or prefixes that is re-read
each time a new client connects. Lines can be commented
out with the "#" character in the usual way.
-localhost Basically the same as "-allow 127.0.0.1".
Note: if you want to restrict which network interface
x11vnc listens on, see the -listen option below.
E.g. "-listen localhost" or "-listen 192.168.3.21".
As a special case, the option "-localhost" implies
"-listen localhost".
A rare case, but for non-localhost -listen usage, if
you use the remote control mechanism (-R) to change
the -listen interface you may need to manually adjust
the -allow list (and vice versa) to avoid situations
where no connections (or too many) are allowed.
If you do not want x11vnc to listen on ANY interface
(evidently you are using -connect or -connect_or_exit,
or plan to use remote control: -R connect:host), use
-rfbport 0
-nolookup Do not use gethostbyname() or gethostbyaddr() to look up
host names or IP numbers. Use this if name resolution
is incorrectly set up and leads to long pauses as name
lookups time out, etc.
-input string Fine tuning of allowed user input. If "string" does
not contain a comma "," the tuning applies only to
normal clients. Otherwise the part before "," is
for normal clients and the part after for view-only
clients. "K" is for Keystroke input, "M" for
Mouse-motion input, "B" for Button-click input, "C"
is for Clipboard input, and "F" is for File transfer
(ultravnc only). Their presence in the string enables
that type of input. E.g. "-input M" means normal
users can only move the mouse and "-input KMBCF,M"
lets normal users do anything and enables view-only
users to move the mouse. This option is ignored when
a global -viewonly is in effect (all input is discarded
in that case).
-grabkbd When VNC viewers are connected, attempt to the grab
the keyboard so a (non-malicious) user sitting at the
physical display is not able to enter keystrokes.
This method uses XGrabKeyboard(3X11) and so it is
not secure and does not rule out the person at the
physical display injecting keystrokes by flooding the
server with them, grabbing the keyboard himself, etc.
Some degree of cooperation from the person at the
display is assumed. This is intended for remote
help-desk or educational usage modes.
-grabptr As -grabkbd, but for the mouse pointer using
XGrabPointer(3X11). Unfortunately due to the way the X
server works, the mouse can still be moved around by the
user at the physical display, but he will not be able to
change window focus with it. Also some window managers
that call XGrabServer(3X11) for resizes, etc, will
act on the local user's input. Again, some degree of
cooperation from the person at the display is assumed.
-grabalways Apply both -grabkbd and -grabptr even when no VNC
viewers are connected. If you only want one of them,
use the -R remote control to turn the other back on,
e.g. -R nograbptr.
-viewpasswd string Supply a 2nd password for view-only logins. The -passwd
(full-access) password must also be supplied.
-passwdfile filename Specify the libvncserver password via the first line
of the file "filename" (instead of via -passwd on
the command line where others might see it via ps(1)).
See the descriptions below for how to supply multiple
passwords, view-only passwords, to specify external
programs for the authentication, and other features.
If the filename is prefixed with "rm:" it will be
removed after being read. Perhaps this is useful in
limiting the readability of the file. In general, the
password file should not be readable by untrusted users
(BTW: neither should the VNC -rfbauth file: it is NOT
encrypted, only obscured with a fixed key).
If the filename is prefixed with "read:" it will
periodically be checked for changes and reread. It is
guaranteed to be reread just when a new client connects
so that the latest passwords will be used.
If "filename" is prefixed with "cmd:" then the
string after the ":" is run as an external command:
the output of the command will be interpreted as if it
were read from a password file (see below). If the
command does not exit with 0, then x11vnc terminates
immediately. To specify more than 1000 passwords this
way set X11VNC_MAX_PASSWDS before starting x11vnc.
The environment variables are set as in -accept.
Note that due to the VNC protocol only the first 8
characters of a password are used (DES key).
If "filename" is prefixed with "custom:" then a
custom password checker is supplied as an external
command following the ":". The command will be run
when a client authenticates. If the command exits with
0 the client is accepted, otherwise it is rejected.
The environment variables are set as in -accept.
The standard input to the custom command will be a
decimal digit "len" followed by a newline. "len"
specifies the challenge size and is usually 16 (the
VNC spec). Then follows len bytes which is the random
challenge string that was sent to the client. This is
then followed by len more bytes holding the client's
response (i.e. the challenge string encrypted via DES
with the user password in the standard situation).
The "custom:" scheme can be useful to implement
dynamic passwords or to implement methods where longer
passwords and/or different encryption algorithms
are used. The latter will require customizing the VNC
client as well. One could create an MD5SUM based scheme
for example.
File format for -passwdfile:
If multiple non-blank lines exist in the file they are
all taken as valid passwords. Blank lines are ignored.
Password lines may be "commented out" (ignored) if
they begin with the character "#" or the line contains
the string "__SKIP__". Lines may be annotated by use
of the "__COMM__" string: from it to the end of the
line is ignored. An empty password may be specified
via the "__EMPTY__" string on a line by itself (note
your viewer might not accept empty passwords).
If the string "__BEGIN_VIEWONLY__" appears on a
line by itself, the remaining passwords are used for
viewonly access. For compatibility, as a special case
if the file contains only two password lines the 2nd
one is automatically taken as the viewonly password.
Otherwise the "__BEGIN_VIEWONLY__" token must be
used to have viewonly passwords. (tip: make the 3rd
and last line be "__BEGIN_VIEWONLY__" to have 2
full-access passwords)
-unixpw [list] Use Unix username and password authentication. x11vnc
uses the su(1) program to verify the user's password.
[list] is an optional comma separated list of allowed
Unix usernames. If the [list] string begins with the
character "!" then the entire list is taken as an
exclude list. See below for per-user options that can
be applied.
A familiar "login:" and "Password:" dialog is
presented to the user on a black screen inside the
vncviewer. The connection is dropped if the user fails
to supply the correct password in 3 tries or does not
send one before a 25 second timeout. Existing clients
are view-only during this period.
If the first character received is "Escape" then the
unix username will not be displayed after "login:"
as it is typed. This could be of use for VNC viewers
that automatically type the username and password.
Since the detailed behavior of su(1) can vary from
OS to OS and for local configurations, test the mode
carefully. x11vnc will attempt to be conservative and
reject a login if anything abnormal occurs.
One case to note: FreeBSD and the other BSD's by
default it is impossible for the user running x11vnc to
validate his *own* password via su(1) (commenting out
the pam_self.so entry in /etc/pam.d/su eliminates this
behavior). So the x11vnc login will always *FAIL* for
this case (even when the correct password is supplied).
A possible workaround for this on *BSD would be to
start x11vnc as root with the "-users +nobody" option
to immediately switch to user nobody where the su'ing
will proceed normally.
Another source of potential problems are PAM modules
that prompt for extra info, e.g. password aging modules.
These logins will fail as well even when the correct
password is supplied.
**IMPORTANT**: to prevent the Unix password being sent
in *clear text* over the network, one of two schemes
will be enforced: 1) the -ssl builtin SSL mode, or 2)
require both -localhost and -stunnel be enabled.
Method 1) ensures the traffic is encrypted between
viewer and server. A PEM file will be required, see the
discussion under -ssl below (under some circumstances
a temporary one can be automatically generated).
Method 2) requires the viewer connection to appear
to come from the same machine x11vnc is running on
(e.g. from a ssh -L port redirection). And that the
-stunnel SSL mode be used for encryption over the
network.(see the description of -stunnel below).
Note: as a convenience, if you ssh(1) in and start
x11vnc it will check if the environment variable
SSH_CONNECTION is set and appears reasonable. If it
does, then the -ssl or -stunnel requirement will be
dropped since it is assumed you are using ssh for the
encrypted tunnelling. -localhost is still enforced.
Use -ssl or -stunnel to force SSL usage even if
SSH_CONNECTION is set.
To override the above restrictions you can set
environment variables before starting x11vnc:
Set UNIXPW_DISABLE_SSL=1 to disable requiring either
-ssl or -stunnel. Evidently you will be using a
different method to encrypt the data between the
vncviewer and x11vnc: perhaps ssh(1) or an IPSEC VPN.
Note that use of -localhost with ssh(1) is roughly
the same as requiring a Unix user login (since a Unix
password or the user's public key authentication is
used by sshd on the machine where x11vnc runs and only
local connections from that machine are accepted).
Set UNIXPW_DISABLE_LOCALHOST=1 to disable the -localhost
requirement in Method 2). One should never do this
(i.e. allow the Unix passwords to be sniffed on the
network).
Regarding reverse connections (e.g. -R connect:host
and -connect host), when the -localhost constraint is
in effect then reverse connections can only be used
to connect to the same machine x11vnc is running on
(default port 5500). Please use a ssh or stunnel port
redirection to the viewer machine to tunnel the reverse
connection over an encrypted channel.
In -inetd mode the Method 1) will be enforced (not
Method 2). With -ssl in effect reverse connections
are disabled. If you override this via env. var, be
sure to also use encryption from the viewer to inetd.
Tip: you can also have your own stunnel spawn x11vnc
in -inetd mode (thereby bypassing inetd). See the FAQ
for details.
The user names in the comma separated [list] can have
per-user options after a ":", e.g. "fred:opts"
where "opts" is a "+" separated list of
"viewonly", "fullaccess", "input=XXXX", or
"deny", e.g. "karl,wally:viewonly,boss:input=M".
For "input=" it is the K,M,B,C described under -input.
If an item in the list is "*" that means those
options apply to all users. It also means all users
are allowed to log in after supplying a valid password.
Use "deny" to explicitly deny some users if you use
"*" to set a global option. If [list] begins with
the "!" character then "*" is ignored for checking
if the user is allowed, but the any value of options
associated with it does apply as normal.
There are also some utilities for testing password
if [list] starts with the "%" character. See the
quick_pw() function in the source for details.
-unixpw_nis [list] As -unixpw above, however do not use su(1) but rather
use the traditional getpwnam(3) + crypt(3) method to
verify passwords. All of the above -unixpw options and
constraints apply.
This mode requires that the encrypted passwords be
readable. Encrypted passwords stored in /etc/shadow
will be inaccessible unless x11vnc is run as root.
This is called "NIS" mode simply because in most
NIS setups user encrypted passwords are accessible
(e.g. "ypcat passwd") by an ordinary user and so that
user can authenticate ANY user.
NIS is not required for this mode to work (only that
getpwnam(3) return the encrypted password is required),
but it is unlikely it will work for any most modern
environments unless x11vnc is run as root to be able
to access /etc/shadow (note running as root is often
done when running x11vnc from inetd and xdm/gdm/kdm).
Looked at another way, if you do not want to use the
su(1) method provided by -unixpw, you can run x11vnc
as root and use -unixpw_nis. Any users with passwords
in /etc/shadow can then be authenticated. You may want
to use -users unixpw= to switch the process user after
the user logs in.
-unixpw_cmd cmd As -unixpw above, however do not use su(1) but rather
run the externally supplied command "cmd". The first
line of its stdin will the username and the second line
the received password. If the command exits with status
0 (success) the VNC client will be accepted. It will be
rejected for any other return status.
Dynamic passwords and non-unix passwords can be
implemented this way by providing your own custom helper
program. Note that under unixpw mode the remote viewer
is given 3 tries to enter the correct password.
If a list of allowed users is needed use -unixpw [list]
in addition to this option.
-find Find the user's display using FINDDISPLAY. This is an
alias for "-display WAIT:cmd=FINDDISPLAY".
For this and the next few options see -display WAIT:...
below for all of the details.
-finddpy Run the FINDDISPLAY program, print out the found
display (if any) and exit. Output is like: DISPLAY=:0.0
DISPLAY=:0.0,XPID=12345 or DISPLAY=:0.0,VT=7. XPID is
the process ID of the found X server. VT is the Linux
virtual terminal of the X server.
-listdpy Have the FINDDISPLAY program list all of your displays
(i.e. all the X displays on the local machine that you
have access rights to).
-create First try to find the user's display using FINDDISPLAY,
if that doesn't succeed create an X session via the
FINDCREATEDISPLAY method. This is an alias for
"-display WAIT:cmd=FINDCREATEDISPLAY-Xvfb".
SSH NOTE: for both -find and -create you can (should!)
add the "-localhost" option to force SSH tunnel access.
-xdummy As in -create, except Xdummy instead of Xvfb.
-xvnc As in -create, except Xvnc instead of Xvfb.
-xvnc_redirect As in -create, except Xvnc.redirect instead of Xvfb.
-svc Terminal services mode based on SSL access. Alias for
-display WAIT:cmd=FINDCREATEDISPLAY-Xvfb -unixpw -users
unixpw= -ssl SAVE Also "-service".
-svc_xdummy As -svc except Xdummy instead of Xvfb.
-svc_xvnc As -svc except Xvnc instead of Xvfb.
-xdmsvc Display manager Terminal services mode based on SSL.
Alias for -display WAIT:cmd=FINDCREATEDISPLAY-Xvfb.xdmcp
-unixpw -users unixpw= -ssl SAVE Also "-xdm_service".
To create a session a user will have to first log in
to the -unixpw dialog and then log in again to the
XDM/GDM/KDM prompt. Subsequent re-connections will
only require the -unixpw password. See the discussion
under -display WAIT:... for more details about XDM,
etc configuration.
-sshxdmsvc Display manager Terminal services mode based on SSH.
Alias for -display WAIT:cmd=FINDCREATEDISPLAY-Xvfb.xdmcp
-localhost.
The -localhost option constrains connections to come
in via a SSH tunnel (which will require a login).
To create a session a user will also have to log into
the XDM GDM KDM prompt. Subsequent re-connections will
only only require the SSH login. See the discussion
under -display WAIT:... for more details about XDM,
etc configuration.
-redirect port As in FINDCREATEDISPLAY-Xvnc.redirect mode except
redirect immediately (i.e. without X session finding
or creation) to a VNC server listening on port. You
can also supply host:port to redirect to a different
machine.
If 0 <= port < 200 it is taken as a VNC display (5900 is
added to get the actual port), if port < 0 then -port
is used.
Probably the only reason to use the -redirect option is
in conjunction with SSL support, e.g. -ssl, -ssl SAVE.
This provides an easy way to add SSL encryption to a VNC
server that does not support SSL (e.g. Xvnc or vnc.so)
In fact, the protocol does not even need to be VNC,
and so "-ssl SAVE -redirect host:port" can act as a
replacement for stunnel(1).
This mode only allows one redirected connection.
The -forever option does not apply. Use -inetd or
-loop for persistant service.
-display_WAIT :... A special usage mode for the normal -display option.
Useful with -unixpw, but can be used independently
of it. If the display string begins with WAIT: then
x11vnc waits until a VNC client connects before opening
the X display (or -rawfb device).
This could be useful for delaying opening the display
for certain usage modes (say if x11vnc is started at
boot time and no X server is running or users logged
in yet).
If the string is, e.g. WAIT:0.0 or WAIT:1, i.e. "WAIT"
in front of a normal X display, then that indicated
display is used.
One can also insert a geometry between colons, e.g.
WAIT:1280x1024:... to set the size of the display the
VNC client first attaches to since some VNC viewers
will not automatically adjust to a new framebuffer size.
A more interesting case is like this:
WAIT:cmd=/usr/local/bin/find_display
in which case the command after "cmd=" is run to
dynamically work out the DISPLAY and optionally the
XAUTHORITY data. The first line of the command output
must be of the form DISPLAY=<xdisplay>. On Linux
if the virtual terminal is known append ",VT=n" to
this string and the chvt(1) program will also be run.
Any remaining output is taken as XAUTHORITY data.
It can be either of the form XAUTHORITY=<file> or raw
xauthority data for the display (e.g. "xauth extract -
$DISPLAY" output).
In the case of -unixpw (but not -unixpw_nis), then the
above command is run as the user who just authenticated
via the login and password prompt.
Also in the case of -unixpw, the user logging in can
place a colon at the end of her username and supply
a few options: scale=, scale_cursor= (or sc=), solid
(or so), id=, clear_mods (or cm), clear_keys (or ck),
repeat, speeds= (or sp=), readtimeout= (or rd=),
rotate= (or ro=), or noncache (or nc) separated by
commas if there is more than one. After the user logs
in successfully, these options will be applied to the
VNC screen. For example,
login: fred:scale=3/4,sc=1,repeat
Password: ...
login: runge:sp=modem,rd=120,solid
for convenience m/n implies scale= e.g. fred:3/4 If you
type and enter your password incorrectly, to retrieve
your long "login:" line press the Up arrow once
(before typing anything else).
Another option is "geom=WxH" or "geom=WxHxD" (or
ge=). This only has an effect in FINDCREATEDISPLAY
mode when a virtual X server such as Xvfb is going
to be created. It sets the width and height of
the new display, and optionally the color depth as
well. You can also supply "gnome", "kde", "twm",
"fvwm", "mwm", "dtwm", "wmaker", "xfce",
"enlightenment", "Xsession", or "failsafe"
(same as "xterm") to have the created display use
that mode for the user session.
To disable the option setting set the environment
variable X11VNC_NO_UNIXPW_OPTS=1 before starting x11vnc.
To set any other options, the user can use the gui
(x11vnc -gui connect) or the remote control method
(x11vnc -R opt:val) during his VNC session.
The combination of -display WAIT:cmd=... and -unixpw
allows automatic pairing of an unix authenticated VNC
user with his desktop. This could be very useful on
SunRays and also any system where multiple users share
a given machine. The user does not need to remember
special ports or passwords set up for his desktop
and VNC.
A nice way to use WAIT:cmd=... is out of inetd(8)
(it automatically forks a new x11vnc for each user).
You can have the x11vnc inetd spawned process run as,
say, root or nobody. When run as root (for either inetd
or display manager), you can also supply the option
"-users unixpw=" to have the x11vnc process switch to
the user as well. Note: there will be a 2nd SSL helper
process that will not switch, but it is only encoding
and decoding the encrypted stream at that point.
As a special case, WAIT:cmd=FINDDISPLAY will run a
script that works on most Unixes to determine a user's
DISPLAY variable and xauthority data (see who(1)).
To have this default script printed to stdout (e.g. for
customization) run with WAIT:cmd=FINDDISPLAY-print To
have the script run to print what display it would find
use "-finddpy" or WAIT:cmd=FINDDISPLAY-run
As another special case, WAIT:cmd=HTTPONCE will allow
x11vnc to service one http request and then exit.
This is usually done in -inetd mode to run on, say,
port 5800 and allow the Java vncviewer to be downloaded
by client web browsers. For example:
5815 stream tcp nowait root /usr/sbin/tcpd /.../x11vnc \
-inetd -q -http_ssl -prog /.../x11vnc \
-display WAIT:cmd=HTTPONCE
Where /.../x11vnc is the full path to x11vnc.
It is used in the Apache SSL-portal example (see FAQ).
In this mode you can set X11VNC_SKIP_DISPLAY to a comma
separated list of displays (e.g. ":0,:1") to ignore
in the finding process. This can also be set by the
user via "nd=" using "-" instead of ","
An interesting option is WAIT:cmd=FINDCREATEDISPLAY
that is like FINDDISPLAY in that is uses the same method
to find an existing display. However, if it does not
find one it will try to *start* up an X server session
for the user. This is the only time x11vnc tries to
actually start up an X server.
By default FINDCREATEDISPLAY will try Xdummy and then
Xvfb:
The Xdummy wrapper is part of the x11vnc source code
(x11vnc/misc/Xdummy) It should be available in PATH and
have run "Xdummy -install" once to create the shared
library. Xdummy requires root permission and only works
on Linux. (Note: specify FD_XDUMMY_NOROOT=1 to skip
a check for the root id; evidently your sudo(1) will
take care of everything. The -xdummy and -svc_xdummy
options imply FD_XDUMMY_NOROOT=1).
Xvfb is available on most platforms and does not
require root.
When x11vnc exits (i.e. user disconnects) the X
server session stays running in the background.
The FINDDISPLAY will find it directly next time.
The user must exit the X session in the usual way for
it to terminate (or kill the X server process if all
else fails).
So this is a somewhat odd mode for x11vnc in that it
will start up and poll virtual X servers! This can
be used from, say, inetd(8) to provide a means of
definitely getting a desktop (either real or virtual)
on the machine. E.g. a desktop service:
5900 stream tcp nowait root /usr/sbin/tcpd /.../x11vnc
-inetd -q -http -ssl SAVE -unixpw -users unixpw=\
-passwd secret -prog /.../x11vnc \
-display WAIT:cmd=FINDCREATEDISPLAY
Where /.../x11vnc is the full path to x11vnc.
If for some reason you do not want x11vnc to ever
try to find an existing display set the env. var
X11VNC_FINDDISPLAY_ALWAYS_FAILS=1 (also -env ...)
Use WAIT:cmd=FINDCREATEDISPLAY-print to print out the
script used.
You can specify the preferred X server order via e.g.,
WAIT:cmd=FINDCREATEDISPLAY-Xdummy,Xvfb,X and/or leave
out ones you do not want. The the case "X" means try
to start up a real, hardware X server using xinit(1)
or startx(1). If there is already an X server running
the X case may only work on Linux (see startx(1)).
"Xvnc" will start up a VNC X server (real-
or tight-vnc, e.g. use if Xvfb is not available).
"Xsrv" will start up the server program in the
variable "FD_XSRV" if it is non-empty. You can make
this be a wrapper script if you like (it must handle :N,
-geometry, and -depth and other X server options).
You can set the environment variable FD_GEOM (or
X11VNC_CREATE_GEOM) to WxH or WxHxD to set the width and
height and optionally the color depth of the created
display. You can also set FD_SESS to be the session
(short name of the windowmanager: kde, gnome, twm,
failsafe, etc.). FD_OPTS as extra options to pass to
the X server. You can also set FD_PROG to be the full
path to the session/windowmanager program.
More FD tricks: FD_CUPS=port or FD_CUPS=host:port
will set the cups printing environment. Similarly
for FD_ESD=port or FD_ESD=host:port for esddsp sound
redirection. FD_XDUMMY_NOROOT means the Xdummy server
does not need to be started as root (e.g. it will sudo
automatically)
If you want the FINDCREATEDISPLAY session to contact an
XDMCP login manager (xdm/gdm/kdm) on the same machine,
then use "Xvfb.xdmcp" instead of "Xvfb", etc.
The user will have to supply his username and password
one more time (but he gets to select his desktop type
so that can be useful). For this to work, you will
need to enable localhost XDMCP (udp port 177) for the
display manager. This seems to be:
for gdm in gdm.conf: Enable=true in section [xdmcp]
for kdm in kdmrc: Enable=true in section [Xdmcp]
for xdm in xdm-config: DisplayManager.requestPort: 177
See the shorthand options above "-svc", "-xdmsvc"
and "-sshxdmsvc" that specify the above options for
some useful cases.
If you set the env. var WAITBG=1 x11vnc will go into
the background once listening in wait mode.
Another special mode is FINDCREATEDISPLAY-Xvnc.redirect,
(or FINDDISPLAY-Xvnc.redirect). In this case it will
start up Xvnc as above if needed, but instead of
polling it in its normal way, it simply does a socket
redirection of the connected VNC viewer to the Xvnc.
So in Xvnc.redirect x11vnc does no VNC but merely
transfers the data back and forth. This should be
faster then x11vnc's polling method, but not as fast
as connecting directly to the Xvnc with the VNC Viewer.
The idea here is to take advantage of x11vnc's display
finding/creating scheme, SSL, and perhaps a few others.
Most of x11vnc's options do not apply in this mode.
Xvnc.redirect should also work for the vnc.so X server
module for the h/w display however it will work only
for finding the display and the user must already be
logged into the X console.
-nossl Disable the -ssl option (see below). Since -ssl is off
by default -nossl would only be used on the commandline
to unset any *earlier* -ssl option (or -svc...)
-ssl [pem] Use the openssl library (www.openssl.org) to provide a
built-in encrypted SSL tunnel between VNC viewers and
x11vnc. This requires libssl support to be compiled
into x11vnc at build time. If x11vnc is not built
with libssl support it will exit immediately when -ssl
is prescribed.
The VNC Viewer-side needs support SSL as well.
See this URL and also the discussion below for ideas
on how to enable SSL support for the viewer:
http://www.karlrunge.com/x11vnc/#faq-ssl-tunnel-viewers
[pem] is optional, use "-ssl /path/to/mycert.pem"
to specify a PEM certificate file to use to identify
and provide a key for this server. See openssl(1) for
more info about PEMs and the -sslGenCert option below.
The connecting VNC viewer SSL tunnel can optionally
authenticate this server if they have the public
key part of the certificate (or a common certificate
authority, CA, is a more sophisticated way to verify
this server's cert, see -sslGenCA below). This is
used to prevent man-in-the-middle attacks. Otherwise,
if the VNC viewer accepts this server's key without
verification, at least the traffic is protected
from passive sniffing on the network (but *NOT* from
man-in-the-middle attacks).
If [pem] is not supplied and the openssl(1) utility
command exists in PATH, then a temporary, self-signed
certificate will be generated for this session (this
may take 5-30 seconds on slow machines). If openssl(1)
cannot be used to generate a temporary certificate
x11vnc exits immediately.
If successful in using openssl(1) to generate a
temporary certificate, the public part of it will be
displayed to stderr (e.g. one could copy it to the
client-side to provide authentication of the server to
VNC viewers.) See following paragraphs for how to save
keys to reuse when x11vnc is restarted.
Set the env. var. X11VNC_SHOW_TMP_PEM=1 to have x11vnc
print out the entire certificate, including the PRIVATE
KEY part, to stderr. One could reuse this cert if saved
in a [pem] file. Similarly, set X11VNC_KEEP_TMP_PEM=1
to not delete the temporary PEM file: the file name
will be printed to stderr (so one could move it to
a safe place for reuse). You will be prompted for a
passphrase for the private key.
If [pem] is "SAVE" then the certificate will be saved
to the file ~/.vnc/certs/server.pem, or if that file
exists it will be used directly. Similarly, if [pem]
is "SAVE_PROMPT" the server.pem certificate will be
made based on your answers to its prompts for info such
as OrganizationalName, CommonName, etc.
We expect most users to use "-ssl SAVE".
Use "SAVE-<string>" and "SAVE_PROMPT-<string>"
to refer to the file ~/.vnc/certs/server-<string>.pem
instead. E.g. "SAVE-charlie" will store to the file
~/.vnc/certs/server-charlie.pem
See -ssldir below to use a directory besides the
default ~/.vnc/certs
Example: x11vnc -ssl SAVE -display :0 ...
Your VNC viewer will need to be able to connect
via SSL. See the discussion below under -stunnel and
http://www.karlrunge.com/x11vnc/#faq-ssl-tunnel-viewers
for how this might be achieved. E.g. on Unix it is
easy to write a shell script that starts up stunnel
and then vncviewer. Also in the x11vnc source a SSL
enabled Java VNC Viewer applet is provided in the
classes/ssl directory.
-ssltimeout n Set SSL read timeout to n seconds. In some situations
(i.e. an iconified viewer in Windows) the viewer stops
talking and the connection is dropped after the default
timeout (25s for about the first minute, 43200s later).
Set to zero to poll forever. Set to a negative value
to use the builtin setting.
-sslnofail Exit at the first SSL connection failure. Useful when
scripting SSL connections (e.g. x11vnc is started via
ssh) and you do not want x11vnc waiting around for more
connections, tying up ports, etc.
-ssldir [dir] Use [dir] as an alternate ssl certificate and key
management toplevel directory. The default is
~/.vnc/certs
This directory is used to store server and other
certificates and keys and also other materials. E.g. in
the simplest case, "-ssl SAVE" will store the x11vnc
server cert in [dir]/server.pem
Use of alternate directories via -ssldir allows you to
manage multiple VNC Certificate Authority (CA) keys.
Another use is if ~/.vnc/cert is on an NFS share you
might want your certificates and keys to be on a local
filesystem to prevent network snooping (for example
-ssldir /var/lib/x11vnc-certs).
-ssldir affects nearly all of the other -ssl* options,
e.g. -ssl SAVE, -sslGenCert, etc..
-sslverify [path] For either of the -ssl or -stunnel modes, use [path]
to provide certificates to authenticate incoming VNC
*Client* connections (normally only the server is
authenticated in SSL.) This can be used as a method
to replace standard password authentication of clients.
If [path] is a directory it contains the client (or CA)
certificates in separate files. If [path] is a file,
it contains multiple certificates. See special tokens
below. These correspond to the "CApath = dir" and
"CAfile = file" stunnel options. See the stunnel(8)
manpage for details.
Examples:
x11vnc -ssl -sslverify ~/my.crt
x11vnc -ssl -sslverify ~/my_pem_dir/
Note that if [path] is a directory, it must contain
the certs in separate files named like <HASH>.0, where
the value of <HASH> is found by running the command
"openssl x509 -hash -noout -in file.crt". Evidently
one uses <HASH>.1 if there is a collision...
The the key-management utility "-sslCertInfo HASHON"
and "-sslCertInfo HASHOFF" will create/delete these
hashes for you automatically (via symlink) in the HASH
subdirs it manages. Then you can point -sslverify to
the HASH subdir.
Special tokens: in -ssl mode, if [path] is not a file or
a directory, it is taken as a comma separated list of
tokens that are interpreted as follows:
If a token is "CA" that means load the CA/cacert.pem
file from the ssl directory. If a token is "clients"
then all the files clients/*.crt in the ssl directory
are loaded. Otherwise the file clients/token.crt
is attempted to be loaded. As a kludge, use a token
like ../server-foo to load a server cert if you find
that necessary.
Use -ssldir to use a directory different from the
~/.vnc/certs default.
Note that if the "CA" cert is loaded you do not need
to load any of the certs that have been signed by it.
You will need to load any additional self-signed certs
however.
Examples:
x11vnc -ssl -sslverify CA
x11vnc -ssl -sslverify self:fred,self:jim
x11vnc -ssl -sslverify CA,clients
Usually "-sslverify CA" is the most effective.
See the -sslGenCA and -sslGenCert options below for
how to set up and manage the CA framework.
NOTE: the following utilities, -sslGenCA, -sslGenCert,
-sslEncKey, and -sslCertInfo are provided for
completeness, but for casual usage they are overkill.
They provide VNC Certificate Authority (CA) key creation
and server / client key generation and signing. So they
provide a basic Public Key management framework for
VNC-ing with x11vnc. (note that they require openssl(1)
be installed on the system)
However, the simplest usage mode (where x11vnc
automatically generates its own, self-signed, temporary
key and the VNC viewers always accept it, e.g. accepting
via a dialog box) is probably safe enough for most
scenarios. CA management is not needed.
To protect against Man-In-The-Middle attacks the
simplest mode can be improved by using "-ssl SAVE"
to have x11vnc create a longer term self-signed
certificate, and then (safely) copy the corresponding
public key cert to the desired client machines (care
must be taken the private key part is not stolen;
you will be prompted for a passphrase).
So keep in mind no CA key creation or management
(-sslGenCA and -sslGenCert) is needed for either of
the above two common usage modes.
One might want to use -sslGenCA and -sslGenCert
if you had a large number of VNC client and server
workstations. That way the administrator could generate
a single CA key with -sslGenCA and distribute its
certificate part to all of the workstations.
Next, he could create signed VNC server keys
(-sslGenCert server ...) for each workstation or user
that then x11vnc would use to authenticate itself to
any VNC client that has the CA cert.
Optionally, the admin could also make it so the
VNC clients themselves are authenticated to x11vnc
(-sslGenCert client ...) For this -sslverify would be
pointed to the CA cert (and/or self-signed certs).
x11vnc will be able to use all of these cert and
key files. On the VNC client side, they will need to
be "imported" somehow. Web browsers have "Manage
Certificates" actions as does the Java applet plugin
Control Panel. stunnel can also use these files (see
the ss_vncviewer example script in the FAQ.)
-sslGenCA [dir] Generate your own Certificate Authority private key,
certificate, and other files in directory [dir].
If [dir] is not supplied, a -ssldir setting is used,
or otherwise ~/.vnc/certs is used.
This command also creates directories where server and
client certs and keys will be stored. The openssl(1)
program must be installed on the system and available
in PATH.
After the CA files and directories are created the
command exits; the VNC server is not run.
You will be prompted for information to put into the CA
certificate. The info does not have to be accurate just
as long as clients accept the cert for VNC connections.
You will also need to supply a passphrase of at least
4 characters for the CA private key.
Once you have generated the CA you can distribute
its certificate part, [dir]/CA/cacert.pem, to other
workstations where VNC viewers will be run. One will
need to "import" this certificate in the applications,
e.g. Web browser, Java applet plugin, stunnel, etc.
Next, you can create and sign keys using the CA with
the -sslGenCert option below.
Examples:
x11vnc -sslGenCA
x11vnc -sslGenCA ~/myCAdir
x11vnc -ssldir ~/myCAdir -sslGenCA
(the last two lines are equivalent)
-sslGenCert type name Generate a VNC server or client certificate and private
key pair signed by the CA created previously with
-sslGenCA. The openssl(1) program must be installed
on the system and available in PATH.
After the Certificate is generated the command exits;
the VNC server is not run.
The type of key to be generated is the string "type".
It is either "server" (i.e. for use by x11vnc) or
"client" (for a VNC viewer). Note that typically
only "server" is used: the VNC clients authenticate
themselves by a non-public-key method (e.g. VNC or
unix password). "type" is required.
An arbitrary default name you want to associate with
the key is supplied by the "name" string. You can
change it at the various prompts when creating the key.
"name" is optional.
If name is left blank for clients keys then "nobody"
is used. If left blank for server keys, then the
primary server key: "server.pem" is created (this
is the saved one referenced by "-ssl SAVE" when the
server is started)
If "name" begins with the string "self:" then
a self-signed certificate is created instead of one
signed by your CA key.
If "name" begins with the string "req:" then only a
key (.key) and a certificate signing *request* (.req)
are generated. You can then send the .req file to
an external CA (even a professional one, e.g. Thawte)
and then combine the .key and the received cert into
the .pem file with the same basename.
The distinction between "server" and "client" is
simply the choice of output filenames and sub-directory.
This makes it so the -ssl SAVE-name option can easily
pick up the x11vnc PEM file this option generates.
And similarly makes it easy for the -sslverify option
to pick up your client certs.
There is nothing special about the filename or directory
location of either the "server" and "client" certs.
You can rename the files or move them to wherever
you like.
Precede this option with -ssldir [dir] to use a
directory other than the default ~/.vnc/certs You will
need to run -sslGenCA on that directory first before
doing any -sslGenCert key creation.
Note you cannot recreate a cert with exactly the same
distiguished name (DN) as an existing one. To do so,
you will need to edit the [dir]/CA/index.txt file to
delete the line.
Similar to -sslGenCA, you will be prompted to fill
in some information that will be recorded in the
certificate when it is created. Tip: if you know
the fully-qualified hostname other people will be
connecting to you can use that as the CommonName "CN"
to avoid some applications (e.g. web browsers and java
plugin) complaining it does not match the hostname.
You will also need to supply the CA private key
passphrase to unlock the private key created from
-sslGenCA. This private key is used to sign the server
or client certificate.
The "server" certs can be used by x11vnc directly by
pointing to them via the -ssl [pem] option. The default
file will be ~/.vnc/certs/server.pem. This one would
be used by simply typing -ssl SAVE. The pem file
contains both the certificate and the private key.
server.crt file contains the cert only.
The "client" cert + private key file will need
to be copied and imported into the VNC viewer
side applications (Web browser, Java plugin,
stunnel, etc.) Once that is done you can delete the
"client" private key file on this machine since
it is only needed on the VNC viewer side. The,
e.g. ~/.vnc/certs/clients/<name>.pem contains both
the cert and private key. The <name>.crt contains the
certificate only.
NOTE: It is very important to know one should always
generate new keys with a passphrase. Otherwise if an
untrusted user steals the key file he could use it to
masquerade as the x11vnc server (or VNC viewer client).
You will be prompted whether to encrypt the key with
a passphrase or not. It is recommended that you do.
One inconvenience to a passphrase is that it must
be suppled every time x11vnc or the client app is
started up.
Examples:
x11vnc -sslGenCert server
x11vnc -ssl SAVE -display :0 ...
and then on viewer using ss_vncviewer stunnel wrapper
(see the FAQ):
ss_vncviewer -verify ./cacert.crt hostname:0
(this assumes the cacert.crt cert from -sslGenCA
was safely copied to the VNC viewer machine where
ss_vncviewer is run)
Example using a name:
x11vnc -sslGenCert server charlie
x11vnc -ssl SAVE-charlie -display :0 ...
Example for a client certificate (rarely used):
x11vnc -sslGenCert client roger
scp ~/.vnc/certs/clients/roger.pem somehost:.
rm ~/.vnc/certs/clients/roger.pem
x11vnc is then started with the the option -sslverify
~/.vnc/certs/clients/roger.crt (or simply -sslverify
roger), and on the viewer user on somehost could do
for example:
ss_vncviewer -mycert ./roger.pem hostname:0
If you set the env. var REQ_ARGS='...' it will be
passed to openssl req(1). A common use would be
REQ_ARGS='-days 1095' to bump up the expiration date
(3 years in this case).
-sslEncKey [pem] Utility to encrypt an existing PEM file with a
passphrase you supply when prompted. For that key to be
used (e.g. by x11vnc) the passphrase must be supplied
each time.
The "SAVE" notation described under -ssl applies as
well. (precede this option with -ssldir [dir] to refer
a directory besides the default ~/.vnc/certs)
The openssl(1) program must be installed on the system
and available in PATH. After the Key file is encrypted
the command exits; the VNC server is not run.
Examples:
x11vnc -sslEncKey /path/to/foo.pem
x11vnc -sslEncKey SAVE
x11vnc -sslEncKey SAVE-charlie
-sslCertInfo [pem] Prints out information about an existing PEM file.
In addition the public certificate is also printed.
The openssl(1) program must be in PATH. Basically the
command "openssl x509 -text" is run on the pem.
The "SAVE" notation described under -ssl applies
as well.
Using "LIST" will give a list of all certs being
managed (in the ~/.vnc/certs dir, use -ssldir to refer
to another dir). "ALL" will print out the info for
every managed key (this can be very long). Giving a
client or server cert shortname will also try a lookup
(e.g. -sslCertInfo charlie). Use "LISTL" or "LL"
for a long (ls -l style) listing.
Using "HASHON" will create subdirs [dir]/HASH and
[dir]/HASH with OpenSSL hash filenames (e.g. 0d5fbbf1.0)
symlinks pointing up to the corresponding *.crt file.
([dir] is ~/.vnc/certs or one given by -ssldir.)
This is a useful way for other OpenSSL applications
(e.g. stunnel) to access all of the certs without
having to concatenate them. x11vnc will not use them
unless you specifically reference them. "HASHOFF"
removes these HASH subdirs.
The LIST, LISTL, LL, ALL, HASHON, HASHOFF words can
also be lowercase, e.g. "list".
-sslDelCert [pem] Prompts you to delete all .crt .pem .key .req files
associated with [pem]. "SAVE" and lookups as in
-sslCertInfo apply as well.
-stunnel [pem] Use the stunnel(8) (www.stunnel.org) to provide an
encrypted SSL tunnel between viewers and x11vnc.
This external tunnel method was implemented prior to the
integrated -ssl encryption described above. It still
works well. This requires stunnel to be installed
on the system and available via PATH (n.b. stunnel is
often installed in sbin directories). Version 4.x of
stunnel is assumed (but see -stunnel3 below.)
[pem] is optional, use "-stunnel /path/to/stunnel.pem"
to specify a PEM certificate file to pass to stunnel.
Whether one is needed or not depends on your stunnel
configuration. stunnel often generates one at install
time. See the stunnel documentation for details.
stunnel is started up as a child process of x11vnc and
any SSL connections stunnel receives are decrypted and
sent to x11vnc over a local socket. The strings
"The SSL VNC desktop is ..." and "SSLPORT=..."
are printed out at startup to indicate this.
The -localhost option is enforced by default
to avoid people routing around the SSL channel.
Set STUNNEL_DISABLE_LOCALHOST=1 before starting x11vnc
to disable the requirement.
Your VNC viewer will also need to be able to connect via
SSL. Unfortunately not too many do this. UltraVNC has
an encryption plugin but it does not seem to be SSL.
Also, in the x11vnc distribution, a patched TightVNC
Java applet is provided in classes/ssl that does SSL
connections (only).
It is also not too difficult to set up an stunnel or
other SSL tunnel on the viewer side. A simple example
on Unix using stunnel 3.x is:
% stunnel -c -d localhost:5901 -r remotehost:5900
% vncviewer localhost:1
For Windows, stunnel has been ported to it and there
are probably other such tools available. See the FAQ
for more examples.
-stunnel3 [pem] Use version 3.x stunnel command line syntax instead of
version 4.x
-https [port] Choose a separate HTTPS port (-ssl mode only).
In -ssl mode, it turns out you can use the
single VNC port (e.g. 5900) for both VNC and HTTPS
connections. (HTTPS is used to retrieve a SSL-aware
VncViewer.jar applet that is provided with x11vnc).
Since both use SSL the implementation was extended to
detect if HTTP traffic (i.e. GET) is taking place and
handle it accordingly. The URL would be, e.g.:
https://mymachine.org:5900/
This is convenient for firewalls, etc, because only one
port needs to be allowed in. However, this heuristic
adds a few seconds delay to each connection and can be
unreliable (especially if the user takes much time to
ponder the Certificate dialogs in his browser, Java VM,
or VNC Viewer applet. That's right 3 separate "Are
you sure you want to connect?" dialogs!)
So use the -https option to provide a separate, more
reliable HTTPS port that x11vnc will listen on. If
[port] is not provided (or is 0), one is autoselected.
The URL to use is printed out at startup.
The SSL Java applet directory is specified via the
-httpdir option. If not supplied it will try to guess
the directory as though the -http option was supplied.
-httpsredir [port] In -ssl mode with the Java applet retrieved via HTTPS,
when the HTML file containing applet parameters
('index.vnc' or 'proxy.vnc') is sent do NOT set the
applet PORT parameter to the actual VNC port but set it
to "port" instead. If "port" is not supplied, then
the port number is guessed from the Host: HTTP header.
This is useful when an incoming TCP connection
redirection is performed by a router/gateway/firewall
from one port to an internal machine where x11vnc is
listening on a different port. The Java applet needs to
connect to the firewall/router port, not the VNC port
on the internal workstation. For example, one could
redir from mygateway.com:443 to workstation:5900.
This spares the user from having to type in
https://mygateway.com/?PORT=443 into their web
browser. Note that port 443 is the default https port;
other ports must be explicitly indicated, for example:
https://mygateway.com:8000/?PORT=8000. To avoid having
to include the PORT= in the browser URL, simply supply
"-httpsredir" to x11vnc.
-ssh user@host:disp Create a remote listening port on machine "host"
via a SSH tunnel using the -R rport:localhost:lport
method. lport will be the local x11vnc listening port,
so a connection to rport (5900+disp) on "host"
will reach x11vnc. E.g. fred@snoopy.com:0
This could be useful if a firewall/router prevents
incoming connections to the x11vnc machine, but
the ssh machine "host" can be reached by the VNC
viewer. "user@" is not needed unless the remote unix
username differs from the current one.
By default the remote sshd is usually configured to
only listen on localhost for rport, so the viewer may
need to ssh -L redir to "host" as well (See SSVNC to
automate this). The sshd setting GatewayPorts enables
listening on all interfaces for rport; viewers can
reach it more easily.
"disp" is the VNC display for the remote SSH side,
e.g. 0 corresponds to port 5900, etc. If disp is
greater than 200 the value is used as the port. Use a
negative value to force a low port, e.g. host:-80 will
use port 80.
If ssh-agent is not active, then the ssh password needs
to be entered in the terminal where x11vnc is running.
By default the remote ssh will issue a 'sleep 300' to
wait for the incoming connection for 5 mins. To modify
this use user@host:disp+secs.
If the remote SSH server is on a non-standard port
(i.e. not 22) use user@host:port:disp+secs.
Note that the ssh process MAY NOT be killed when
x11vnc exits. It tries by looking at ps(1) output.
-usepw If no other password method was supplied on the command
line, first look for ~/.vnc/passwd and if found use it
with -rfbauth; next, look for ~/.vnc/passwdfile and
use it with -passwdfile; otherwise, prompt the user
for a password to create ~/.vnc/passwd and use it with
the -rfbauth option. If none of these succeed x11vnc
exits immediately.
-storepasswd pass file Store password "pass" as the VNC password in the
file "file". Once the password is stored the
program exits. Use the password via "-rfbauth file"
If called with no arguments, "x11vnc -storepasswd",
the user is prompted for a password and it is stored
in the file ~/.vnc/passwd. Called with one argument,
that will be the file to store the prompted password in.
-nopw Disable the big warning message when you use x11vnc
without some sort of password.
-accept string Run a command (possibly to prompt the user at the
X11 display) to decide whether an incoming client
should be allowed to connect or not. "string" is
an external command run via system(3) or some special
cases described below. Be sure to quote "string"
if it contains spaces, shell characters, etc. If the
external command returns 0 the client is accepted,
otherwise the client is rejected. See below for an
extension to accept a client view-only.
If x11vnc is running as root (say from inetd(8) or from
display managers xdm(1), gdm(1), etc), think about the
security implications carefully before supplying this
option (likewise for the -gone option).
Environment: The RFB_CLIENT_IP environment variable will
be set to the incoming client IP number and the port
in RFB_CLIENT_PORT (or -1 if unavailable). Similarly,
RFB_SERVER_IP and RFB_SERVER_PORT (the x11vnc side
of the connection), are set to allow identification
of the tcp virtual circuit. The x11vnc process
id will be in RFB_X11VNC_PID, a client id number in
RFB_CLIENT_ID, and the number of other connected clients
in RFB_CLIENT_COUNT. RFB_MODE will be "accept".
RFB_STATE will be PROTOCOL_VERSION, SECURITY_TYPE,
AUTHENTICATION, INITIALISATION, NORMAL, or UNKNOWN
indicating up to which state the client has achieved.
RFB_LOGIN_VIEWONLY will be 0, 1, or -1 (unknown).
RFB_USERNAME, RFB_LOGIN_TIME, and RFB_CURRENT_TIME may
also be set.
If "string" is "popup" then a builtin popup window
is used. The popup will time out after 120 seconds,
use "popup:N" to modify the timeout to N seconds
(use 0 for no timeout).
In the case of "popup" and when the -unixpw option
is specified, then a *second* window will be popped
up after the user successfully logs in via his UNIX
password. This time the user will be identified as
UNIX:username@hostname, the "UNIX:" prefix indicates
which user the viewer logged as via -unixpw. The first
popup is only for whether to allow him to even *try*
to login via unix password.
If "string" is "xmessage" then an xmessage(1)
invocation is used for the command. xmessage must be
installed on the machine for this to work.
Both "popup" and "xmessage" will present an option
for accepting the client "View-Only" (the client
can only watch). This option will not be presented if
-viewonly has been specified, in which case the entire
display is view only.
If the user supplied command is prefixed with something
like "yes:0,no:*,view:3 mycommand ..." then this
associates the numerical command return code with
the actions: accept, reject, and accept-view-only,
respectively. Use "*" instead of a number to indicate
the default action (in case the command returns an
unexpected value). E.g. "no:*" is a good choice.
Note that x11vnc blocks while the external command
or popup is running (other clients may see no updates
during this period). So a person sitting a the physical
display is needed to respond to an popup prompt. (use
a 2nd x11vnc if you lock yourself out).
More -accept tricks: use "popupmouse" to only allow
mouse clicks in the builtin popup to be recognized.
Similarly use "popupkey" to only recognize
keystroke responses. These are to help avoid the
user accidentally accepting a client by typing or
clicking. All 3 of the popup keywords can be followed
by +N+M to supply a position for the popup window.
The default is to center the popup window.
-afteraccept string As -accept, except to run a user supplied command after
a client has been accepted and authenticated. RFB_MODE
will be set to "afteraccept" and the other RFB_*
variables are as in -accept. Unlike -accept, the
command return code is not interpreted by x11vnc.
Example: -afteraccept 'killall xlock &'
-gone string As -accept, except to run a user supplied command when
a client goes away (disconnects). RFB_MODE will be
set to "gone" and the other RFB_* variables are as
in -accept. The "popup" actions apply as well.
Unlike -accept, the command return code is not
interpreted by x11vnc. Example: -gone 'xlock &'
-users list If x11vnc is started as root (say from inetd(8) or from
display managers xdm(1), gdm(1), etc), then as soon
as possible after connections to the X display are
established try to switch to one of the users in the
comma separated "list". If x11vnc is not running as
root this option is ignored.
Why use this option? In general it is not needed since
x11vnc is already connected to the X display and can
perform its primary functions. The option was added
to make some of the *external* utility commands x11vnc
occasionally runs work properly. In particular under
GNOME and KDE to implement the "-solid color" feature
external commands (gconftool-2 and dcop) unfortunately
must be run as the user owning the desktop session.
Since this option switches userid it also affects the
userid used to run the processes for the -accept and
-gone options. It also affects the ability to read
files for options such as -connect, -allow, and -remap
and also the ultra and tight filetransfer feature if
enabled. Note that the -connect file is also sometimes
written to.
So be careful with this option since in some situations
its use can decrease security.
In general the switch to a user will only take place
if the display can still be successfully opened as that
user (this is primarily to try to guess the actual owner
of the session). Example: "-users fred,wilma,betty".
Note that a malicious local user "barney" by
quickly using "xhost +" when logging in may possibly
get the x11vnc process to switch to user "fred".
What happens next?
Under display managers it may be a long time before
the switch succeeds (i.e. a user logs in). To instead
make it switch immediately regardless if the display
can be reopened prefix the username with the "+"
character. E.g. "-users +bob" or "-users +nobody".
The latter (i.e. switching immediately to user
"nobody") is the only obvious use of the -users option
that increases security.
Use the following notation to associate a group with
a user: user1.group1,user2.group2,... Note that
initgroups(2) will still be called first to try to
switch to ALL of a user's groups (primary and additional
groups). Only if that fails or it is not available
then the single group specified as above (or the user's
primary group if not specified) is switched to with
setgid(2). Use -env X11VNC_SINGLE_GROUP=1 to prevent
trying initgroups(2) and only switch to the single
group. This sort of setting is only really needed to
make the ultra or tight filetransfer permissions work
properly. This format applies to any comma separated list
of users, even the special "=" modes described below.
In -unixpw mode, if "-users unixpw=" is supplied
then after a user authenticates himself via the
-unixpw mechanism, x11vnc will try to switch to that
user as though "-users +username" had been supplied.
If you want to limit which users this will be done for,
provide them as a comma separated list after "unixpw="
Groups can also be specified as described above.
Similarly, in -ssl mode, if "-users sslpeer=" is
supplied then after an SSL client authenticates with his
cert (the -sslverify option is required for this) x11vnc
will extract a UNIX username from the "emailAddress"
field (username@hostname.com) of the "Subject" of the
x509 SSL cert and then try to switch to that user as
though "-users +username" had been supplied. If you
want to limit which users this will be done for, provide
them as a comma separated list after "sslpeer=".
Set the env. var X11VNC_SSLPEER_CN to use the Common
Name (normally a hostname) instead of the Email field.
NOTE: for sslpeer= mode the x11vnc administrator must
take care that any client certs he adds to -sslverify
have the intended UNIX username in the "emailAddress"
field of the cert. Otherwise a user may be able to
log in as another. This command can be of use in
checking: "openssl x509 -text -in file.crt", see the
"Subject:" line. Also, along with the normal RFB_*
env. vars. (see -accept) passed to external cmd=
commands, RFB_SSL_CLIENT_CERT will be set to the
client's x509 certificate string.
The sslpeer= mode can aid finding X sessions via the
FINDDISPLAY and FINDCREATEDISPLAY mechanisms.
To immediately switch to a user *before* connections
to the X display are made or any files opened use the
"=" character: "-users =bob". That user needs to
be able to open the X display and any files of course.
The special user "guess=" means to examine the utmpx
database (see who(1)) looking for a user attached to
the display number (from DISPLAY or -display option)
and try him/her. To limit the list of guesses, use:
"-users guess=bob,betty".
Even more sinister is the special user "lurk="
that means to try to guess the DISPLAY from the utmpx
login database as well. So it "lurks" waiting for
anyone to log into an X session and then connects to it.
Specify a list of users after the = to limit which users
will be tried. To enable a different searching mode, if
the first user in the list is something like ":0" or
":0-2" that indicates a range of DISPLAY numbers that
will be tried (regardless of whether they are in the
utmpx database) for all users that are logged in. Also
see the "-display WAIT:..." functionality. Examples:
"-users lurk=" and also "-users lurk=:0-1,bob,mary"
Be especially careful using the "guess=" and "lurk="
modes. They are not recommended for use on machines
with untrustworthy local users.
-noshm Do not use the MIT-SHM extension for the polling.
Remote displays can be polled this way: be careful this
can use large amounts of network bandwidth. This is
also of use if the local machine has a limited number
of shm segments and -onetile is not sufficient.
-flipbyteorder Sometimes needed if remotely polled host has different
endianness. Ignored unless -noshm is set.
-onetile Do not use the new copy_tiles() framebuffer mechanism,
just use 1 shm tile for polling. Limits shm segments
used to 3.
-solid [color] To improve performance, when VNC clients are connected
try to change the desktop background to a solid color.
The [color] is optional: the default color is "cyan4".
For a different one specify the X color (rgb.txt name,
e.g. "darkblue" or numerical "#RRGGBB").
Currently this option only works on GNOME, KDE, CDE,
and classic X (i.e. with the background image on the
root window). The "gconftool-2" and "dcop" external
commands are run for GNOME and KDE respectively.
Other desktops won't work, e.g. Xfce (send us the
corresponding commands if you find them). If x11vnc is
running as root (inetd(8) or gdm(1)), the -users option
may be needed for GNOME and KDE. If x11vnc guesses
your desktop incorrectly, you can force it by prefixing
color with "gnome:", "kde:", "cde:" or "root:".
-blackout string Black out rectangles on the screen. "string" is a
comma separated list of WxH+X+Y type geometries for