1Xvnc(1) Virtual Network Computing Xvnc(1)
2
3
4
6 Xvnc - the X VNC server
7
9 Xvnc [options] :display#
10
12 Xvnc is the X VNC (Virtual Network Computing) server. It is based on a
13 standard X server, but it has a "virtual" screen rather than a physical
14 one. X applications display themselves on it as if it were a normal X
15 display, but they can only be accessed via a VNC viewer - see
16 vncviewer(1).
17
18 So Xvnc is really two servers in one. To the applications it is an X
19 server, and to the remote VNC users it is a VNC server. By convention
20 we have arranged that the VNC server display number will be the same as
21 the X server display number, which means you can use eg. snoopy:2 to
22 refer to display 2 on machine "snoopy" in both the X world and the VNC
23 world.
24
25 The best way of starting Xvnc is via vncsession. This sets up the en‐
26 vironment appropriately and starts a desktop environment. See the man‐
27 ual page for vncsession(8) for more information.
28
29
31 Xvnc takes lots of options - running Xvnc -help gives a list. Many of
32 these are standard X server options, which are described in the
33 Xserver(1) manual page. In addition to options which can only be set
34 via the command-line, there are also "parameters" which can be set both
35 via the command-line and through the vncconfig(1) program.
36
37
38 -geometry widthxheight
39 Specify the size of the desktop to be created. Default is
40 1024x768.
41
42 -depth depth
43 Specify the pixel depth in bits of the desktop to be created.
44 Default is 24, other possible values are 16 and 32. Anything
45 else is likely to cause strange behaviour by applications and
46 may prevent the server from starting at all.
47
48 -pixelformat format
49 Specify pixel format for server to use (BGRnnn or RGBnnn). The
50 default for depth 16 is RGB565 and for depth 24 and 32 is
51 RGB888.
52
53 -interface IP address
54 Listen on interface. By default Xvnc listens on all available
55 interfaces.
56
57 -inetd This significantly changes Xvnc's behaviour so that it can be
58 launched from inetd. See the section below on usage with inetd.
59
60 -help List all the options and parameters
61
62
64 VNC parameters can be set both via the command-line and through the
65 vncconfig(1) program, and with a VNC-enabled Xorg server via Options
66 entries in the xorg.conf file.
67
68 Parameters can be turned on with -param or off with -param=0. Parame‐
69 ters which take a value can be specified as -param value. Other valid
70 forms are param=value -param=value --param=value. Parameter names are
71 case-insensitive.
72
73
74 -desktop desktop-name
75 Each desktop has a name which may be displayed by the viewer. It
76 defaults to "x11".
77
78 -rfbport port
79 Specifies the TCP port on which Xvnc listens for connections
80 from viewers (the protocol used in VNC is called RFB - "remote
81 framebuffer"). The default is 5900 plus the display number.
82
83 -UseIPv4
84 Use IPv4 for incoming and outgoing connections. Default is on.
85
86 -UseIPv6
87 Use IPv6 for incoming and outgoing connections. Default is on.
88
89 -rfbunixpath path
90 Specifies the path of a Unix domain socket on which Xvnc listens
91 for connections from viewers, instead of listening on a TCP
92 port.
93
94 -rfbunixmode mode
95 Specifies the mode of the Unix domain socket. The default is
96 0600.
97
98 -rfbwait time, -ClientWaitTimeMillis time
99 Time in milliseconds to wait for a viewer which is blocking the
100 server. This is necessary because the server is single-threaded
101 and sometimes blocks until the viewer has finished sending or
102 receiving a message - note that this does not mean an update
103 will be aborted after this time. Default is 20000 (20 seconds).
104
105 -rfbauth passwd-file, -PasswordFile passwd-file
106 Password file for VNC authentication. There is no default, you
107 should specify the password file explicitly. Password file
108 should be created with the vncpasswd(1) utility. The file is
109 accessed each time a connection comes in, so it can be changed
110 on the fly.
111
112 -AcceptCutText
113 Accept clipboard updates from clients. Default is on.
114
115 -MaxCutText bytes
116 The maximum size of a clipboard update that will be accepted
117 from a client. Default is 262144.
118
119 -SendCutText
120 Send clipboard changes to clients. Default is on.
121
122 -SendPrimary
123 Send the primary selection and cut buffer to the server as well
124 as the clipboard selection. Default is on.
125
126 -AcceptPointerEvents
127 Accept pointer press and release events from clients. Default is
128 on.
129
130 -AcceptKeyEvents
131 Accept key press and release events from clients. Default is on.
132
133 -AcceptSetDesktopSize
134 Accept requests to resize the size of the desktop. Default is
135 on.
136
137 -DisconnectClients
138 Disconnect existing clients if an incoming connection is non-
139 shared. Default is on. If DisconnectClients is false, then a new
140 non-shared connection will be refused while there is a client
141 active. When combined with NeverShared this means only one
142 client is allowed at a time.
143
144 -NeverShared
145 Never treat incoming connections as shared, regardless of the
146 client-specified setting. Default is off.
147
148 -AlwaysShared
149 Always treat incoming connections as shared, regardless of the
150 client-specified setting. Default is off.
151
152 -Protocol3.3
153 Always use protocol version 3.3 for backwards compatibility with
154 badly-behaved clients. Default is off.
155
156 -FrameRate fps
157 The maximum number of updates per second sent to each client. If
158 the screen updates any faster then those changes will be aggre‐
159 gated and sent in a single update to the client. Note that this
160 only controls the maximum rate and a client may get a lower rate
161 when resources are limited. Default is 60.
162
163 -CompareFB mode
164 Perform pixel comparison on framebuffer to reduce unnecessary
165 updates. Can be either 0 (off), 1 (always) or 2 (auto). Default
166 is 2.
167
168 -ZlibLevel level
169 Zlib compression level for ZRLE encoding (it does not affect
170 Tight encoding). Acceptable values are between 0 and 9. De‐
171 fault is to use the standard compression level provided by the
172 zlib(3) compression library.
173
174 -ImprovedHextile
175 Use improved compression algorithm for Hextile encoding which
176 achieves better compression ratios by the cost of using slightly
177 more CPU time. Default is on.
178
179 -SecurityTypes sec-types
180 Specify which security scheme to use for incoming connections.
181 Valid values are a comma separated list of None, VncAuth, Plain,
182 TLSNone, TLSVnc, TLSPlain, X509None, X509Vnc and X509Plain. De‐
183 fault is VncAuth,TLSVnc.
184
185 -Password password
186 Obfuscated binary encoding of the password which clients must
187 supply to access the server. Using this parameter is insecure,
188 use PasswordFile parameter instead.
189
190 -PlainUsers user-list
191 A comma separated list of user names that are allowed to authen‐
192 ticate via any of the "Plain" security types (Plain, TLSPlain,
193 etc.). Specify * to allow any user to authenticate using this
194 security type. Default is to deny all users.
195
196 -pam_service name, -PAMService name
197 PAM service name to use when authentication users using any of
198 the "Plain" security types. Default is vnc.
199
200 -X509Cert path
201 Path to a X509 certificate in PEM format to be used for all X509
202 based security types (X509None, X509Vnc, etc.).
203
204 -X509Key path
205 Private key counter part to the certificate given in X509Cert.
206 Must also be in PEM format.
207
208 -GnuTLSPriority priority
209 GnuTLS priority string that controls the TLS session’s handshake
210 algorithms. See the GnuTLS manual for possible values. For
211 GnuTLS < 3.6.3 the default value will be NORMAL to use upstream
212 default. For newer versions of GnuTLS system-wide crypto policy
213 will be used.
214
215 -UseBlacklist
216 Temporarily reject connections from a host if it repeatedly
217 fails to authenticate. Default is on.
218
219 -BlacklistThreshold count
220 The number of unauthenticated connection attempts allowed from
221 any individual host before that host is black-listed. Default
222 is 5.
223
224 -BlacklistTimeout seconds
225 The initial timeout applied when a host is first black-listed.
226 The host cannot re-attempt a connection until the timeout ex‐
227 pires. Default is 10.
228
229 -IdleTimeout seconds
230 The number of seconds after which an idle VNC connection will be
231 dropped. Default is 0, which means that idle connections will
232 never be dropped.
233
234 -MaxDisconnectionTime seconds
235 Terminate when no client has been connected for N seconds. De‐
236 fault is 0.
237
238 -MaxConnectionTime seconds
239 Terminate when a client has been connected for N seconds. De‐
240 fault is 0.
241
242 -MaxIdleTime seconds
243 Terminate after N seconds of user inactivity. Default is 0.
244
245 -QueryConnect
246 Prompts the user of the desktop to explicitly accept or reject
247 incoming connections. Default is off.
248
249 The vncconfig(1) program must be running on the desktop in order
250 for QueryConnect to be supported.
251
252 -QueryConnectTimeout seconds
253 Number of seconds to show the Accept Connection dialog before
254 rejecting the connection. Default is 10.
255
256 -localhost
257 Only allow connections from the same machine. Useful if you use
258 SSH and want to stop non-SSH connections from any other hosts.
259
260 -Log logname:dest:level
261 Configures the debug log settings. dest can currently be
262 stderr, stdout or syslog, and level is between 0 and 100, 100
263 meaning most verbose output. logname is usually * meaning all,
264 but you can target a specific source file if you know the name
265 of its "LogWriter". Default is *:stderr:30.
266
267 -RemapKeys mapping
268 Sets up a keyboard mapping. mapping is a comma-separated string
269 of character mappings, each of the form char->char, or
270 char<>char, where char is a hexadecimal keysym. For example, to
271 exchange the " and @ symbols you would specify the following:
272
273 RemapKeys=0x22<>0x40
274
275 -AvoidShiftNumLock
276 Key affected by NumLock often require a fake Shift to be in‐
277 serted in order for the correct symbol to be generated. Turning
278 on this option avoids these extra fake Shift events but may re‐
279 sult in a slightly different symbol (e.g. a Return instead of a
280 keypad Enter).
281
282 -RawKeyboard
283 Send keyboard events straight through and avoid mapping them to
284 the current keyboard layout. This effectively makes the keyboard
285 behave according to the layout configured on the server instead
286 of the layout configured on the client. Default is off.
287
288 -AllowOverride
289 Comma separated list of parameters that can be modified using
290 VNC extension. Parameters can be modified for example using
291 vncconfig(1) program from inside a running session.
292
293 Allowing override of parameters such as PAMService or Password‐
294 File can negatively impact security if Xvnc runs under different
295 user than the programs allowed to override the parameters.
296
297 When NoClipboard parameter is set, allowing override of SendCut‐
298 Text and AcceptCutText has no effect.
299
300 Default is desktop,AcceptPointerEvents,SendCutText,AcceptCut‐
301 Text,SendPrimary,SetPrimary.
302
303
305 By configuring the inetd(1) service appropriately, Xvnc can be launched
306 on demand when a connection comes in, rather than having to be started
307 manually. When given the -inetd option, instead of listening for TCP
308 connections on a given port it uses its standard input and standard
309 output. There are two modes controlled by the wait/nowait entry in the
310 inetd.conf file.
311
312 In the nowait mode, Xvnc uses its standard input and output directly as
313 the connection to a viewer. It never has a listening socket, so cannot
314 accept further connections from viewers (it can however connect out to
315 listening viewers by use of the vncconfig program). Further viewer
316 connections to the same TCP port result in inetd spawning off a new
317 Xvnc to deal with each connection. When the connection to the viewer
318 dies, the Xvnc and any associated X clients die. This behaviour is
319 most useful when combined with the XDMCP options -query and -once. An
320 typical example in inetd.conf might be (all on one line):
321
322 5950 stream tcp nowait nobody /usr/local/bin/Xvnc Xvnc -inetd
323 -query localhost -once securitytypes=none
324
325 In this example a viewer connection to :50 will result in a new Xvnc
326 for that connection which should display the standard XDM login screen
327 on that machine. Because the user needs to login via XDM, it is usu‐
328 ally OK to accept connections without a VNC password in this case.
329
330 In the wait mode, when the first connection comes in, inetd gives the
331 listening socket to Xvnc. This means that for a given TCP port, there
332 is only ever one Xvnc at a time. Further viewer connections to the
333 same port are accepted by the same Xvnc in the normal way. Even when
334 the original connection is broken, the Xvnc will continue to run. If
335 this is used with the XDMCP options -query and -once, the Xvnc and as‐
336 sociated X clients will die when the user logs out of the X session in
337 the normal way. It is important to use a VNC password in this case. A
338 typical entry in inetd.conf might be:
339
340 5951 stream tcp wait james /usr/local/bin/Xvnc Xvnc -inetd
341 -query localhost -once passwordFile=/home/james/.vnc/passwd
342
343 In fact typically, you would have one entry for each user who uses VNC
344 regularly, each of whom has their own dedicated TCP port which they
345 use. In this example, when user "james" connects to :51, he enters his
346 VNC password, then gets the XDM login screen where he logs in in the
347 normal way. However, unlike the previous example, if he disconnects,
348 the session remains persistent, and when he reconnects he will get the
349 same session back again. When he logs out of the X session, the Xvnc
350 will die, but of course a new one will be created automatically the
351 next time he connects.
352
353
355 vncconfig(1), vncpasswd(1), vncviewer(1), vncsession(8), Xserver(1),
356 inetd(1)
357 https://www.tigervnc.org
358
359
361 Tristan Richardson, RealVNC Ltd. and others.
362
363 VNC was originally developed by the RealVNC team while at Olivetti Re‐
364 search Ltd / AT&T Laboratories Cambridge. TightVNC additions were im‐
365 plemented by Constantin Kaplinsky. Many other people have since partic‐
366 ipated in development, testing and support. This manual is part of the
367 TigerVNC software suite.
368
369
370
371TigerVNC Xvnc(1)