tigervnc/unix/xserver/hw/vnc/Xvnc.man

.TH Xvnc 1 "" "TigerVNC" "Virtual Network Computing"
.SH NAME
Xvnc \- the X VNC server 
.SH SYNOPSIS
.B Xvnc
.RI [ options ] 
.RI : display#
.SH DESCRIPTION
.B Xvnc
is the X VNC (Virtual Network Computing) server.  It is based on a standard X
server, but it has a "virtual" screen rather than a physical one.  X
applications display themselves on it as if it were a normal X display, but
they can only be accessed via a VNC viewer - see \fBvncviewer\fP(1).

So Xvnc is really two servers in one. To the applications it is an X server,
and to the remote VNC users it is a VNC server. By convention we have arranged
that the VNC server display number will be the same as the X server display
number, which means you can use eg. snoopy:2 to refer to display 2 on machine
"snoopy" in both the X world and the VNC world.

The best way of starting \fBXvnc\fP is via \fBvncsession\fP.  This sets up the
environment appropriately and starts a desktop environment. See the manual
page for \fBvncsession\fP(8) for more information.

.SH OPTIONS
.B Xvnc
takes lots of options - running \fBXvnc -help\fP gives a list.  Many of these
are standard X server options, which are described in the \fBXserver\fP(1)
manual page.  In addition to options which can only be set via the
command-line, there are also "parameters" which can be set both via the
command-line and through the \fBvncconfig\fP(1) program.

.TP
.B \-geometry \fIwidth\fPx\fIheight\fP
Specify the size of the desktop to be created. Default is 1024x768.
.
.TP
.B \-depth \fIdepth\fP
Specify the pixel depth in bits of the desktop to be created. Default is 24,
other possible values are 16 and 32. Anything else is likely to cause strange
behaviour by applications and may prevent the server from starting at all.
.
.TP
.B \-pixelformat \fIformat\fP
Specify pixel format for server to use (BGRnnn or RGBnnn). The default for
depth 16 is RGB565 and for depth 24 and 32 is RGB888.
.
.TP
.B \-interface \fIIP address\fP
Listen on interface. By default Xvnc listens on all available interfaces.
.
.TP
.B \-inetd 
This significantly changes Xvnc's behaviour so that it can be launched from
inetd.  See the section below on usage with inetd.
.
.TP
.B \-help
List all the options and parameters

.SH PARAMETERS
VNC parameters can be set both via the command-line and through the
\fBvncconfig\fP(1) program, and with a VNC-enabled Xorg server via Options
entries in the xorg.conf file.

Parameters can be turned on with -\fIparam\fP or off with
-\fIparam\fP=0.  Parameters which take a value can be specified as
-\fIparam\fP \fIvalue\fP.  Other valid forms are \fIparam\fP\fB=\fP\fIvalue\fP
-\fIparam\fP=\fIvalue\fP --\fIparam\fP=\fIvalue\fP.  Parameter names are
case-insensitive.

.TP
.B \-desktop \fIdesktop-name\fP
Each desktop has a name which may be displayed by the viewer. It defaults to
"<user>@<hostname>".
.
.TP
.B \-rfbport \fIport\fP
Specifies the TCP port on which Xvnc listens for connections from viewers (the
protocol used in VNC is called RFB - "remote framebuffer").  The default is
5900 plus the display number. Specify \fB-1\fP to disable listening on a TCP
port.
.
.TP
.B \-UseIPv4
Use IPv4 for incoming and outgoing connections. Default is on.
.
.TP
.B \-UseIPv6
Use IPv6 for incoming and outgoing connections. Default is on.
.
.TP
.B \-rfbunixpath \fIpath\fP
Specifies the path of a Unix domain socket on which Xvnc listens for
connections from viewers.
.
.TP
.B \-rfbunixmode \fImode\fP
Specifies the mode of the Unix domain socket.  The default is 0600.
.
.TP
.B \-rfbauth \fIpasswd-file\fP, \-PasswordFile \fIpasswd-file\fP
Password file for VNC authentication.  There is no default, you should
specify the password file explicitly.  Password file should be created with
the \fBvncpasswd\fP(1) utility.  The file is accessed each time a connection
comes in, so it can be changed on the fly.
.
.TP
.B \-AcceptCutText
Accept clipboard updates from clients. Default is on.
.
.TP
.B \-MaxCutText \fIbytes\fP
The maximum size of a clipboard update that will be accepted from a client.
Default is \fB262144\fP.
.
.TP
.B \-SendCutText
Send clipboard changes to clients. Default is on.
.
.TP
.B \-SendPrimary
Send the primary selection and cut buffer to the server as well as the
clipboard selection. Default is on.
.
.TP
.B \-AcceptPointerEvents
Accept pointer press and release events from clients. Default is on.
.
.TP
.B \-AcceptKeyEvents
Accept key press and release events from clients. Default is on.
.
.TP
.B \-AcceptSetDesktopSize
Accept requests to resize the size of the desktop. Default is on.
.
.TP
.B \-DisconnectClients
Disconnect existing clients if an incoming connection is non-shared. Default is
on. If \fBDisconnectClients\fP is false, then a new non-shared connection will
be refused while there is a client active.  When combined with
\fBNeverShared\fP this means only one client is allowed at a time.
.
.TP
.B \-NeverShared
Never treat incoming connections as shared, regardless of the client-specified
setting. Default is off.
.
.TP
.B \-AlwaysShared
Always treat incoming connections as shared, regardless of the client-specified
setting. Default is off.
.
.TP
.B \-Protocol3.3
Always use protocol version 3.3 for backwards compatibility with badly-behaved
clients. Default is off.
.
.TP
.B \-FrameRate \fIfps\fP
The maximum number of updates per second sent to each client. If the screen
updates any faster then those changes will be aggregated and sent in a single
update to the client. Note that this only controls the maximum rate and a
client may get a lower rate when resources are limited. Default is \fB60\fP.
.
.TP
.B \-CompareFB \fImode\fP
Perform pixel comparison on framebuffer to reduce unnecessary updates. Can
be either \fB0\fP (off), \fB1\fP (always) or \fB2\fP (auto). Default is
\fB2\fP.
.
.TP
.B \-ZlibLevel \fIlevel\fP
Zlib compression level for ZRLE encoding (it does not affect Tight encoding).
Acceptable values are between 0 and 9.  Default is to use the standard
compression level provided by the \fBzlib\fP(3) compression library.
.
.TP
.B \-ImprovedHextile
Use improved compression algorithm for Hextile encoding which achieves better
compression ratios by the cost of using slightly more CPU time.  Default is
on.
.
.TP
.B \-SecurityTypes \fIsec-types\fP
Specify which security scheme to use for incoming connections.  Valid values
are a comma separated list of \fBNone\fP, \fBVncAuth\fP, \fBPlain\fP,
\fBTLSNone\fP, \fBTLSVnc\fP, \fBTLSPlain\fP, \fBX509None\fP, \fBX509Vnc\fP,
\fBX509Plain\fP, \fBRA2\fP, \fBRA2ne\fP, \fBRA2_256\fP and \fBRA2ne_256\fP.
Default is \fBVncAuth,RA2_256,RA2,RA2ne_256,RA2ne,TLSVnc\fP.
.
.TP
.B \-Password \fIpassword\fP
Obfuscated binary encoding of the password which clients must supply to
access the server.  Using this parameter is insecure, use \fBPasswordFile\fP
parameter instead.
.
.TP
.B \-PlainUsers \fIuser-list\fP
A comma separated list of user names that are allowed to authenticate via
any of the "Plain" security types (Plain, TLSPlain, etc.). Specify \fB*\fP
to allow any user to authenticate using this security type. Default is to
deny all users.
.
.TP
.B \-pam_service \fIname\fP, \-PAMService \fIname\fP
PAM service name to use when authentication users using any of the "Plain"
security types. Default is \fBvnc\fP.
.
.TP
.B \-X509Cert \fIpath\fP
Path to a X509 certificate in PEM format to be used for all X509 based
security types (X509None, X509Vnc, etc.).
.
.TP
.B \-X509Key \fIpath\fP
Private key counter part to the certificate given in \fBX509Cert\fP. Must
also be in PEM format.
.
.TP
.B \-GnuTLSPriority \fIpriority\fP
GnuTLS priority string that controls the TLS session’s handshake algorithms.
See the GnuTLS manual for possible values. For GnuTLS < 3.6.3 the default
value will be \fBNORMAL\fP to use upstream default. For newer versions
of GnuTLS system-wide crypto policy will be used.
.
.TP
.B \-RSAKey \fIpath\fP
Path to the RSA key for the RSA-AES security types (\fBRA2\fP, \fBRA2ne\fP,
\fBRA2_256\fP and \fBRA2ne_256\fP) in PEM format.
.
.TP
.B \-RequireUsername
Require username for the RSA-AES security types. Default is off.
.
.TP
.B \-UseBlacklist
Temporarily reject connections from a host if it repeatedly fails to
authenticate. Default is on.
.
.TP
.B \-BlacklistThreshold \fIcount\fP
The number of unauthenticated connection attempts allowed from any individual
host before that host is black-listed.  Default is 5.
.
.TP
.B \-BlacklistTimeout \fIseconds\fP
The initial timeout applied when a host is first black-listed.  The host
cannot re-attempt a connection until the timeout expires.  Default is 10.
.
.TP
.B \-IdleTimeout \fIseconds\fP
The number of seconds after which an idle VNC connection will be dropped.
Default is 0, which means that idle connections will never be dropped.
.
.TP
.B \-MaxDisconnectionTime \fIseconds\fP
Terminate when no client has been connected for \fIN\fP seconds.  Default is
0.
.
.TP
.B \-MaxConnectionTime \fIseconds\fP
Terminate when a client has been connected for \fIN\fP seconds.  Default is
0.
.
.TP
.B \-MaxIdleTime \fIseconds\fP
Terminate after \fIN\fP seconds of user inactivity.  Default is 0.
.
.TP
.B \-QueryConnect
Prompts the user of the desktop to explicitly accept or reject incoming
connections. Default is off.

The \fBvncconfig\fP(1) program must be running on the desktop in order for
QueryConnect to be supported.
.
.TP
.B \-QueryConnectTimeout \fIseconds\fP
Number of seconds to show the Accept Connection dialog before rejecting the
connection.  Default is \fB10\fP.
.
.TP
.B \-localhost
Only allow connections from the same machine. Useful if you use SSH and want to
stop non-SSH connections from any other hosts.
.
.TP
.B \-Log \fIlogname\fP:\fIdest\fP:\fIlevel\fP
Configures the debug log settings.  \fIdest\fP can currently be \fBstderr\fP,
\fBstdout\fP or \fBsyslog\fP, and \fIlevel\fP is between 0 and 100, 100 meaning
most verbose output.  \fIlogname\fP is usually \fB*\fP meaning all, but you can
target a specific source file if you know the name of its "LogWriter".  Default
is \fB*:stderr:30\fP.
.
.TP
.B \-RemapKeys \fImapping
Sets up a keyboard mapping.
.I mapping
is a comma-separated string of character mappings, each of the form
.IR char -> char ,
or
.IR char <> char ,
where
.I char
is a hexadecimal keysym. For example, to exchange the " and @ symbols you would specify the following:

.RS 10
RemapKeys=0x22<>0x40
.RE
.
.TP
.B \-AvoidShiftNumLock
Key affected by NumLock often require a fake Shift to be inserted in order
for the correct symbol to be generated. Turning on this option avoids these
extra fake Shift events but may result in a slightly different symbol
(e.g. a Return instead of a keypad Enter).
.
.TP
.B \-RawKeyboard
Send keyboard events straight through and avoid mapping them to the current
keyboard layout. This effectively makes the keyboard behave according to the
layout configured on the server instead of the layout configured on the
client. Default is off.
.
.TP
.B \-AllowOverride
Comma separated list of parameters that can be modified using VNC extension.
Parameters can be modified for example using \fBvncconfig\fP(1) program from
inside a running session.

Allowing override of parameters such as \fBPAMService\fP or \fBPasswordFile\fP
can negatively impact security if Xvnc runs under different user than the
programs allowed to override the parameters.

When \fBNoClipboard\fP parameter is set, allowing override of \fBSendCutText\fP
and \fBAcceptCutText\fP has no effect.

Default is \fBdesktop,AcceptPointerEvents,SendCutText,AcceptCutText,SendPrimary,SetPrimary\fP.

.SH USAGE WITH INETD
By configuring the \fBinetd\fP(1) service appropriately, Xvnc can be launched
on demand when a connection comes in, rather than having to be started
manually.  When given the \fB-inetd\fP option, instead of listening for TCP
connections on a given port it uses its standard input and standard output.
There are two modes controlled by the wait/nowait entry in the inetd.conf file.

In the nowait mode, Xvnc uses its standard input and output directly as the
connection to a viewer.  It never has a listening socket, so cannot accept
further connections from viewers (it can however connect out to listening
viewers by use of the vncconfig program).  Further viewer connections to the
same TCP port result in inetd spawning off a new Xvnc to deal with each
connection.  When the connection to the viewer dies, the Xvnc and any
associated X clients die.  This behaviour is most useful when combined with the
XDMCP options -query and -once.  An typical example in inetd.conf might be (all
on one line):

5950   stream   tcp nowait nobody  /usr/local/bin/Xvnc Xvnc -inetd -query
localhost -once securitytypes=none

In this example a viewer connection to :50 will result in a new Xvnc for that
connection which should display the standard XDM login screen on that machine.
Because the user needs to login via XDM, it is usually OK to accept connections
without a VNC password in this case.

In the wait mode, when the first connection comes in, inetd gives the listening
socket to Xvnc.  This means that for a given TCP port, there is only ever one
Xvnc at a time.  Further viewer connections to the same port are accepted by
the same Xvnc in the normal way.  Even when the original connection is broken,
the Xvnc will continue to run.  If this is used with the XDMCP options -query
and -once, the Xvnc and associated X clients will die when the user logs out of
the X session in the normal way.  It is important to use a VNC password in this
case.  A typical entry in inetd.conf might be:

5951   stream   tcp wait   james     /usr/local/bin/Xvnc Xvnc -inetd -query localhost -once passwordFile=/home/james/.vnc/passwd

In fact typically, you would have one entry for each user who uses VNC
regularly, each of whom has their own dedicated TCP port which they use.  In
this example, when user "james" connects to :51, he enters his VNC password,
then gets the XDM login screen where he logs in in the normal way.  However,
unlike the previous example, if he disconnects, the session remains persistent,
and when he reconnects he will get the same session back again.  When he logs
out of the X session, the Xvnc will die, but of course a new one will be
created automatically the next time he connects.

.SH SEE ALSO
.BR vncconfig (1),
.BR vncpasswd (1),
.BR vncviewer (1),
.BR vncsession (8),
.BR Xserver (1),
.BR inetd (1)
.br
https://www.tigervnc.org

.SH AUTHOR
Tristan Richardson, RealVNC Ltd. and others.

VNC was originally developed by the RealVNC team while at Olivetti
Research Ltd / AT&T Laboratories Cambridge.  TightVNC additions were
implemented by Constantin Kaplinsky. Many other people have since
participated in development, testing and support. This manual is part
of the TigerVNC software suite.