if there is a vote... I vote for the added functionality... Jerry
On Thu, 2004-10-21 at 13:24, Anon Sricharoenchai wrote: > Hi, realvnc developer team, > > I would like to submit my patch for realvnc to have some features in > communicating RFB protocol via a unix socket file. Communicating this way is > useful to create VNC application with a behavior like a program called > "screen". With these features, it can be further developed to be easy to use > as the windows terminal service (or remote desktop protocol (RDP)) system. > These features also introduce a new approach to implement ssl support on RFB > (by now, only support on UNIX system) without any ssh tunneling. > > The patch is available at, > http://linux.thai.net/plone/Members/ans/release/EasyVNC/vnc-4.0-unixsrc.unix-socket-attaching.2004-10-17.patch > (Visit http://linux.thai.net/plone/Members/ans/release/EasyVNC/ for other stuff > related to the patch). > > Now, let's see how it work. > (I hope realvnc team can accept my patch after reading the following articles) > > > This patch introduces the new features in VNC on a UNIX-like system. The first > is the fundamental feature of "vncviewer" and "Xvnc", in connecting to and > listening on the unix socket file, respectively. For example, > > $ rm -f /tmp/v1.socket > $ Xvnc :1 -unixSocket=/tmp/v1.socket -securityTypes=None & > > By this command, "Xvnc" will listen on the unix socket path, "/tmp/v1.socket", > rather than on the internet socket. To connect to that unix socket path, > > $ vncviewer unix/:/tmp/v1.socket > > where "unix/" specifies the transport type. If not specified, the default > transport type will be "auto/". The "auto/" transport type will first try the > conventional "tcp/" transport type, and then other appropriate transport type > which will be described later (This transport format is setup from the idea of > the font path format in the X windows system). > > The use of this unix socket will allow the VNC client to attach (locally) to > the VNC server via unix socket path. This connection will be secure without > the need of any RFB authentication, because the security will be setup using > the owner and permissions of that unix socket path. > > By this idea, it can be further improved to have the ability to securely attach > to the VNC server (that listening on some unix socket file) on remote machine > over the network via "ssh" command. The idea is to get the RFB connection on > the remote machine via "ssh" standard input/output. So "vncviewer" is required > to have the ability to connect to the RFB via "ssh" (or any command) standard > input/output (This ability can be compared to the "--plugin" options of the > "fetchmail" program). The transport type, "stdio/", is then designed for this > requirement. > > $ vncviewer stdio/:"<command> <args>" > $ vncviewer stdio/:"ssh -x -C -T [EMAIL PROTECTED] <remote command>" > > The <remote command> will be the command on the remote_host that attach the > unix socket file (currently listened by some VNC server on that host) to the > "ssh" standard input/output, so that "vncviewer" can continue to communicate > the RFB protocol on those standard input/output. > > The next task is to implement the command that attach the unix socket file to > the standard input/output on the remote host. I've chosen the existing > "vncserver" script to do this task, by adding the option "-attach". On the > remote host, > > $ vncserver -attach -unix :1 > RFB 003.008 > > The script will attach the unix socket path, $HOME/.vnc/host:1.socket, to the > standard input/output. The "-unix" option is to tell it to attach to the unix > socket (If no "-unix" option specified, the script will first try to attach to > the conventional TCP socket on local VNC port (5901 in this case), and then try > the unix socket path, if the requested TCP port is not available). The command > to connect VNC on remote host, then, can be, > > $ vncviewer stdio/:"ssh [EMAIL PROTECTED] -x -C -T vncserver -attach -unix :1" > > VNC viewer for X version 4.0 - built Oct 13 2004 15:33:07 > Copyright (C) 2002-2004 RealVNC Ltd. > See http://www.realvnc.com for information on VNC. > > Wed Oct 13 18:35:00 2004 > CConn: connected via command 'ssh [EMAIL PROTECTED] -x -C -T vncserver > -attach -unix :1' > [EMAIL PROTECTED]'s password: <key ssh password here> > > Wed Oct 13 18:35:01 2004 > CConnection: Server supports RFB protocol version 3.8 > CConnection: Using RFB protocol version 3.8 > TXImage: Using default colormap and visual, TrueColor, depth 24. > CConn: Using pixel format depth 6 (8bpp) rgb222 > CConn: Using ZRLE encoding > > Specifying the above "vncviewer" options is too long, so another transport type > named "ssh/" was added. > > $ vncviewer ssh/[EMAIL PROTECTED]:1 > > VNC viewer for X version 4.0 - built Oct 13 2004 15:33:07 > Copyright (C) 2002-2004 RealVNC Ltd. > See http://www.realvnc.com for information on VNC. > > Wed Oct 13 18:39:43 2004 > CConn: connected to host [EMAIL PROTECTED]:1, via ssh > [EMAIL PROTECTED]'s password: <key ssh password here> > > Wed Oct 13 18:39:45 2004 > CConnection: Server supports RFB protocol version 3.8 > CConnection: Using RFB protocol version 3.8 > TXImage: Using default colormap and visual, TrueColor, depth 24. > CConn: Using pixel format depth 6 (8bpp) rgb222 > CConn: Using ZRLE encoding > CConn: Throughput 1595 kbit/s - changing to full colour > CConn: Using pixel format depth 24 (32bpp) little-endian rgb888 > CConn: Throughput 3178 kbit/s - changing to hextile encoding > CConn: Using hextile encoding > > The "ssh/" transport will do all things necessary to attach to the remote_host, > that is equivalent to the use of, > > $ vncviewer stdio/:"ssh [EMAIL PROTECTED] -x -C -T vncserver -attachonly :1" > > The option "-attachonly" to the "vncserver" script is like "-attach" except > that it will not create any new VNC session. > > Notes that the command "vncserver -attach -unix :1" will also create the new > VNC session, ":1" (listening on the unix socket path, > $HOME/.vnc/host:1.socket), before attaching to that session, if the session > doesn't exist or haven't yet been created (Notice that this is the basic task > of the original "vncserver" script). The option "-attachonly" will be used to > force the script not to create a new VNC session, eventhough the session > doesn't exist. > > Note: The "-attachonly" option implies the "-attach" option. > Note: The command "vncserver -unix :1" will create new VNC session listening on > unix socket file, without attaching it to the standard input/output. > > Applying the option "-createSession" to "vncviewer" command will tell the > remote host to auto create the new VNC session (on the first connection), by > passing the option "-attach" (rather than "-attachonly") to "vncserver" > script. Then the command, > > $ vncviewer -createSession ssh/[EMAIL PROTECTED]:1 > > is equivalent to, > > $ vncviewer stdio/:"ssh [EMAIL PROTECTED] -x -C -T vncserver -attach -unix :1" > > (Notice that it also pass the "-unix" option to force it to create session > listening on a unix socket file, rather than TCP socket. Without > "-createSession", it will pass to "vncserver" the option, "-attachonly" without > "-unix" option, for the script to auto detect the transport type that the > (existing) requested session is currently listening on). Now, let's see how > "-createSession" work, > > $ vncviewer -createSession ssh/[EMAIL PROTECTED]:1 > > VNC viewer for X version 4.0 - built Oct 14 2004 10:23:45 > Copyright (C) 2002-2004 RealVNC Ltd. > See http://www.realvnc.com for information on VNC. > > Thu Oct 14 10:48:32 2004 > CConn: connected to host [EMAIL PROTECTED]:1, via ssh > [EMAIL PROTECTED]'s password: <key ssh password here> > > New 'remote_host:1 (remote_host)' desktop is remote_host:1 > > Starting applications specified in /home/user/.vnc/xstartup > Log file is /home/user/.vnc/user:1.log > > > Thu Oct 14 10:48:38 2004 > CConnection: Server supports RFB protocol version 3.8 > CConnection: Using RFB protocol version 3.8 > TXImage: Using default colormap and visual, TrueColor, depth 24. > CConn: Using pixel format depth 6 (8bpp) rgb222 > CConn: Using ZRLE encoding > > The above command tells the remote_host to create and attach to the VNC > session, ":1". > > To be more convenient, the "auto/" transport type was introduced. This > transport will try to detect the current transport type the server are > listening to. It will first try to connect using the conventional "tcp/" > transport type. If the "tcp/" transport fail, it will do the next step. > > Note: The connection address "auto/remote_host:1" is equivalent to > "tcp/remote_host:1", if the server is listening on the appropriate VNC > port of the "tcp/" transport. > > In "auto/" transport mode, if the "tcp/" transport of the requested session is > not available, it will then connect using "ssh/" transport. > > $ vncviewer auto/remote_host:1 > > VNC viewer for X version 4.0 - built Oct 13 2004 19:26:34 > Copyright (C) 2002-2004 RealVNC Ltd. > See http://www.realvnc.com for information on VNC. > > Wed Oct 13 20:17:14 2004 > CConn: connected to host remote_host:1, via ssh > [EMAIL PROTECTED]'s password: <key ssh password here> > > Wed Oct 13 20:17:16 2004 > CConnection: Server supports RFB protocol version 3.8 > CConnection: Using RFB protocol version 3.8 > TXImage: Using default colormap and visual, TrueColor, depth 24. > CConn: Using pixel format depth 6 (8bpp) rgb222 > CConn: Using ZRLE encoding > > Note: The connection address "auto/remote_host:1" is equivalent to > "ssh/remote_host:1", if the server is not listening on the "tcp/" > transport. > > Specifying the user name is also valid in "auto/" transport mode, > > $ vncviewer auto/[EMAIL PROTECTED]:1" > > Note: The connection address "auto/[EMAIL PROTECTED]:1" is equivalent to > "ssh/[EMAIL PROTECTED]:1", if the server is not listening on the "tcp/" > transport. > > Using the "auto/" transport without specifying [EMAIL PROTECTED], for example, > > $ vncviewer auto/:1 > > or, if it is "localhost", > > $ vncviewer auto/localhost:1 > > will let "vncviewer" to attach itself, directly, via the local command, > "vncserver -attachonly :1" using "stdio/" transport, rather than via "ssh" > command in the "ssh/" transport. > > $ vncviewer auto/:1 > > VNC viewer for X version 4.0 - built Oct 13 2004 19:26:34 > Copyright (C) 2002-2004 RealVNC Ltd. > See http://www.realvnc.com for information on VNC. > > Wed Oct 13 19:33:54 2004 > CConn: attached to :1 > CConnection: Server supports RFB protocol version 3.8 > CConnection: Using RFB protocol version 3.8 > TXImage: Using default colormap and visual, TrueColor, depth 24. > CConn: Using pixel format depth 6 (8bpp) rgb222 > CConn: Using ZRLE encoding > CConn: Throughput 21111 kbit/s - changing to hextile encoding > CConn: Throughput 21111 kbit/s - changing to full colour > CConn: Using pixel format depth 24 (32bpp) little-endian rgb888 > CConn: Using hextile encoding > > Note: The connection address "auto/:1" or "auto/localhost:1" is equivalent to > stdio/:"vncserver -attachonly :1", if the server is not listening on the > "tcp/" transport. > > By default, if no transport type specified in the "vncviewer" command line, it > will assume the "auto/" transport. > > To let the remote host to search for a new free session to create, use the > magic session number ":0" with "-createSession" option like this, > > $ vncviewer auto/[EMAIL PROTECTED]:0 -createSession > > or, > > $ vncviewer [EMAIL PROTECTED]:0 -createSession > > VNC viewer for X version 4.0 - built Oct 14 2004 10:23:45 > Copyright (C) 2002-2004 RealVNC Ltd. > See http://www.realvnc.com for information on VNC. > > Thu Oct 14 11:53:59 2004 > CConn: connected to host [EMAIL PROTECTED]:?, via ssh > [EMAIL PROTECTED]'s password: <key ssh password here> > > New 'remote_host:1 (remote_host)' desktop is remote_host:1 > > Starting applications specified in /home/user/.vnc/xstartup > Log file is /home/user/.vnc/user:1.log > > > Thu Oct 14 11:54:07 2004 > CConnection: Server supports RFB protocol version 3.8 > CConnection: Using RFB protocol version 3.8 > TXImage: Using default colormap and visual, TrueColor, depth 24. > CConn: Using pixel format depth 6 (8bpp) rgb222 > CConn: Using ZRLE encoding > > Notes that when using ":0" connect to a win32 server, it will work as a usual > conventional "tcp/" transport (rather than working as a magic session), because > the "auto/" transport will detect the TCP connection first. > > > Strong point > ============ > The benefit of this connection paradigm (the connection via unix socket) are, > 1. Secure connection : All conversation will be encrypted via secure shell. > 2. Secure authentication : Authenticate using ssh password rather VNC password. > The VNC system stores in the file, the password that is decryptable, while > secure shell use the UNIX system password which is undecryptable. > 3. Centralize authentication : No need to have seperate VNC password. It use > the same authentication system (via secure shell) as the UNIX authentication > on the remote host. > 4. Trust the session owner : When the user connect to his own sesssion on the > same host, the client can connect to the unix socket file without any RFB > authentication, because the one having the right permission on the socket > file is trusted. This then can get rid of the unnecessary authentication on > his own userspace. > 5. Easy to use : Using the option "-createSession" to "vncviewer" can tell the > server to create the requested session before establishing the RFB > protocol. So, the users have no need to get some separate shells on the > remote host to create a new session himself. > 6. Future direction : This introduces the possibility to implement the session > manager (as described below in "Future work" section) or something that is > easy to use as a windows terminal service system. > > Note: The item 4, 5, and 6 have some concepts alike to the concept of the > "screen" program. > > > Weak point > ========== > 1. Only work on a UNIX-like system : Now, there's no any idea to implement VNC > server with these mentioned features on a win32 system, but it is possible > to implement a win32 client to have the "auto/" and "ssh/" connection to VNC > server on a UNIX-like system. > 2. No HTTP connection : For security reason, the HTTP connection will be > disabled in unix socket listening mode, because the server side will be > configured to have no RFB password. > > > Future work > =========== > 1. Implement the win32 client to support "auto/" and "ssh/" transport. The > "ssh/" transport may be implemented on win32 by merging the ssh client code > (may be the code from "putty"). > 2. Implement VNC session manager to list all existing session upon connect. > The session manager may be an X client program and the magic session ":0" > may be used to display this program. After the user have selected an > session (available in the list), the session manager will then connect to > that selected session (may be via another vncviewer program on the remote > host. Another approach is to tell the current display to attach itself to > the requested session, alike to the concept in "screen" program in attaching > the tty session). Something that has the basic user-oriented behavior like > the windows terminal service may be implemented. > 3. Add to "vncviewer", the ability to pass some "Xvnc" specific options such > as, "-geometry", "-depth", etc. > > > Appendix > ======== > The following is the summary of "vncviewer" transport type. > > $ vncviewer -h > > VNC viewer for X version 4.0 - built Oct 13 2004 19:26:34 > Copyright (C) 2002-2004 RealVNC Ltd. > See http://www.realvnc.com for information on VNC. > > usage: vncviewer [parameters] [transport/][host:displayNum] [parameters] > vncviewer [parameters] -listen [port] [parameters] > > The transport can be one of tcp, unix, stdio, ssh, or auto (default=auto) > > tcp/[host:displayNum] - The conventional transport type > unix/:unixSocketPath - The path to unix socket to connect and establish > the RFB protocol > stdio/:commandLine - Connect to the RFB protocol via the standard > input/output of this command line > ssh/[EMAIL PROTECTED]:displayNum] - Something like > stdio/:"ssh [EMAIL PROTECTED] vncserver -attach > :displayNum" > auto/[EMAIL PROTECTED]:displayNum] - Auto detect > > Parameters can be turned on with -<param> or off with -<param>=0 > Parameters which take a value can be specified as -<param> <value> > Other valid forms are <param>=<value> -<param>=<value> --<param>=<value> > Parameter names are case-insensitive. The parameters are: > > name - The X window name (default=) > MenuKey - The key which brings up the popup menu (default=F8) > DebugDelay - Milliseconds to display inverted pixel data - a debugging > feature (default=0) > CreateSession - Create new VNC session, if the requested session does not > exist (default=0) > display - The X display (default=) > geometry - X geometry specification (default=) > listen - Listen for connections from VNC servers (default=0) > SendPrimary - Send the primary selection and cut buffer to the server as > well as the clipboard selection (default=1) > SendClipboard - Send clipboard changes to the server (default=1) > AcceptClipboard - Accept clipboard changes from the server (default=1) > Shared - Don't disconnect other viewers upon connection - share the > desktop instead (default=0) > ViewOnly - Don't send any mouse or keyboard events to the server > (default=0) > FullScreen - Full screen mode (default=0) > PreferredEncoding - Preferred encoding to use (ZRLE, hextile or raw) - > implies AutoSelect=0 (default=) > LowColourLevel - Colour level to use on slow connections. 0 = Very Low (8 > colours), 1 = Low (64 colours), 2 = Medium (256 colours) > (default=1) > FullColor - Alias for FullColour > FullColour - Use full colour - otherwise low colour level is used until > AutoSelect decides the link is fast enough (default=0) > AutoSelect - Auto select pixel format and encoding (default=1) > DotWhenNoCursor - Show the dot cursor when the server sends an invisible > cursor (default=1) > UseLocalCursor - Render the mouse cursor locally (default=1) > passwd - Alias for PasswordFile > PasswordFile - Password file for VNC authentication (default=) > WMDecorationHeight - Height of window manager decoration around a window > (default=24) > WMDecorationWidth - Width of window manager decoration around a window > (default=6) > PointerEventInterval - Time in milliseconds to rate-limit successive pointer > events (default=0) > Log - Specifies which log output should be directed to which > target logger, and the level of output to log. Format is > <log>:<target>:<level>[, ...]. (default=) > ZlibLevel - Zlib compression level (default=-1) > _______________________________________________ > VNC-List mailing list > [EMAIL PROTECTED] > To remove yourself from the list visit: > http://www.realvnc.com/mailman/listinfo/vnc-list _______________________________________________ VNC-List mailing list [EMAIL PROTECTED] To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list
