1Xvnc(1) Virtual Network Computing Xvnc(1)
2
6 Xvnc - the X VNC server
7
9 Xvnc [options] :display#
10
12 Xvnc is the X VNC (Virtual Network Computing) server. It is based on a
13 standard X server, but it has a "virtual" screen rather than a physical
14 one. X applications display themselves on it as if it were a normal X
15 display, but they can only be accessed via a VNC viewer - see
16 vncviewer(1).
17 So Xvnc is really two servers in one. To the applications it is an X
19 server, and to the remote VNC users it is a VNC server. By convention
20 we have arranged that the VNC server display number will be the same as
21 the X server display number, which means you can use eg. snoopy:2 to
22 refer to display 2 on machine "snoopy" in both the X world and the VNC
23 world.
24 The best way of starting Xvnc is via the vncserver script. This sets
26 up the environment appropriately and runs some X applications to get
27 you going. See the manual page for vncserver(1) for more information.
28
31 Xvnc takes lots of options - running Xvnc -help gives a list. Many of
32 these are standard X server options, which are described in the
33 Xserver(1) manual page. In addition to options which can only be set
34 via the command-line, there are also "parameters" which can be set both
35 via the command-line and through the vncconfig(1) program.
36 -geometry widthxheight
39 Specify the size of the desktop to be created. Default is
40 1024x768.
41 -depth depth
43 Specify the pixel depth in bits of the desktop to be created.
44 Default is 24, other possible values are 8, 15, and 16 - any‐
45 thing else is likely to cause strange behaviour by applications.
46 -pixelformat format
48 Specify pixel format for server to use (BGRnnn or RGBnnn). The
49 default for depth 8 is BGR233 (meaning the most significant two
50 bits represent blue, the next three green, and the least signif‐
51 icant three represent red), the default for depth 16 is RGB565
52 and for depth 24 is RGB888.
53 -interface IP address
55 Listen on interface. By default Xvnc listens on all available
56 interfaces.
57 -inetd This significantly changes Xvnc's behaviour so that it can be
59 launched from inetd. See the section below on usage with inetd.
60 -help List all the options and parameters
62
65 VNC parameters can be set both via the command-line and through the
66 vncconfig(1) program, and with a VNC-enabled Xorg server via Options
67 entries in the xorg.conf file.
68 Parameters can be turned on with -param or off with -param=0. Parame‐
70 ters which take a value can be specified as -param value. Other valid
71 forms are param=value -param=value --param=value. Parameter names are
72 case-insensitive.
73 -desktop desktop-name
76 Each desktop has a name which may be displayed by the viewer. It
77 defaults to "x11".
78 -rfbport port
80 Specifies the TCP port on which Xvnc listens for connections
81 from viewers (the protocol used in VNC is called RFB - "remote
82 framebuffer"). The default is 5900 plus the display number.
83 -UseIPv4
85 Use IPv4 for incoming and outgoing connections. Default is on.
86 -UseIPv6
88 Use IPv6 for incoming and outgoing connections. Default is on.
89 -rfbunixpath path
91 Specifies the path of a Unix domain socket on which Xvnc listens
92 for connections from viewers, instead of listening on a TCP
93 port.
94 -rfbunixmode mode
96 Specifies the mode of the Unix domain socket. The default is
97 0600.
98 -rfbwait time, -ClientWaitTimeMillis time
100 Time in milliseconds to wait for a viewer which is blocking the
101 server. This is necessary because the server is single-threaded
102 and sometimes blocks until the viewer has finished sending or
103 receiving a message - note that this does not mean an update
104 will be aborted after this time. Default is 20000 (20 seconds).
105 -rfbauth passwd-file, -PasswordFile passwd-file
107 Password file for VNC authentication. There is no default, you
108 should specify the password file explicitly. Password file
109 should be created with the vncpasswd(1) utility. The file is
110 accessed each time a connection comes in, so it can be changed
111 on the fly.
112 -AcceptCutText
114 Accept clipboard updates from clients. Default is on.
115 -MaxCutText bytes
117 The maximum size of a clipboard update that will be accepted
118 from a client. Default is 262144.
119 -SendCutText
121 Send clipboard changes to clients. Default is on.
122 -SendPrimary
124 Send the primary selection and cut buffer to the server as well
125 as the clipboard selection. Default is on.
126 -AcceptPointerEvents
128 Accept pointer press and release events from clients. Default is
129 on.
130 -AcceptKeyEvents
132 Accept key press and release events from clients. Default is on.
133 -AcceptSetDesktopSize
135 Accept requests to resize the size of the desktop. Default is
136 on.
137 -DisconnectClients
139 Disconnect existing clients if an incoming connection is non-
140 shared. Default is on. If DisconnectClients is false, then a new
141 non-shared connection will be refused while there is a client
142 active. When combined with NeverShared this means only one
143 client is allowed at a time.
144 -NeverShared
146 Never treat incoming connections as shared, regardless of the
147 client-specified setting. Default is off.
148 -AlwaysShared
150 Always treat incoming connections as shared, regardless of the
151 client-specified setting. Default is off.
152 -Protocol3.3
154 Always use protocol version 3.3 for backwards compatibility with
155 badly-behaved clients. Default is off.
156 -FrameRate fps
158 The maximum number of updates per second sent to each client. If
159 the screen updates any faster then those changes will be aggre‐
160 gated and sent in a single update to the client. Note that this
161 only controls the maximum rate and a client may get a lower rate
162 when resources are limited. Default is 60.
163 -CompareFB mode
165 Perform pixel comparison on framebuffer to reduce unnecessary
166 updates. Can be either 0 (off), 1 (always) or 2 (auto). Default
167 is 2.
168 -ZlibLevel level
170 Zlib compression level for ZRLE encoding (it does not affect
171 Tight encoding). Acceptable values are between 0 and 9.
172 Default is to use the standard compression level provided by the
173 zlib(3) compression library.
174 -ImprovedHextile
176 Use improved compression algorithm for Hextile encoding which
177 achieves better compression ratios by the cost of using slightly
178 more CPU time. Default is on.
179 -SecurityTypes sec-types
181 Specify which security scheme to use for incoming connections.
182 Valid values are a comma separated list of None, VncAuth, Plain,
183 TLSNone, TLSVnc, TLSPlain, X509None, X509Vnc and X509Plain.
184 Default is VncAuth,TLSVnc.
185 -Password password
187 Obfuscated binary encoding of the password which clients must
188 supply to access the server. Using this parameter is insecure,
189 use PasswordFile parameter instead.
190 -PlainUsers user-list
192 A comma separated list of user names that are allowed to authen‐
193 ticate via any of the "Plain" security types (Plain, TLSPlain,
194 etc.). Specify * to allow any user to authenticate using this
195 security type. Default is to deny all users.
196 -pam_service name, -PAMService name
198 PAM service name to use when authentication users using any of
199 the "Plain" security types. Default is vnc.
200 -X509Cert path
202 Path to a X509 certificate in PEM format to be used for all X509
203 based security types (X509None, X509Vnc, etc.).
204 -X509Key path
206 Private key counter part to the certificate given in X509Cert.
207 Must also be in PEM format.
208 -GnuTLSPriority priority
210 GnuTLS priority string that controls the TLS session’s handshake
211 algorithms. See the GnuTLS manual for possible values. Default
212 is NORMAL.
213 -UseBlacklist
215 Temporarily reject connections from a host if it repeatedly
216 fails to authenticate. Default is on.
217 -BlacklistThreshold count
219 The number of unauthenticated connection attempts allowed from
220 any individual host before that host is black-listed. Default
221 is 5.
222 -BlacklistTimeout seconds
224 The initial timeout applied when a host is first black-listed.
225 The host cannot re-attempt a connection until the timeout
226 expires. Default is 10.
227 -IdleTimeout seconds
229 The number of seconds after which an idle VNC connection will be
230 dropped. Default is 0, which means that idle connections will
231 never be dropped.
232 -MaxDisconnectionTime seconds
234 Terminate when no client has been connected for N seconds.
235 Default is 0.
236 -MaxConnectionTime seconds
238 Terminate when a client has been connected for N seconds.
239 Default is 0.
240 -MaxIdleTime seconds
242 Terminate after N seconds of user inactivity. Default is 0.
243 -QueryConnect
245 Prompts the user of the desktop to explicitly accept or reject
246 incoming connections. Default is off.
247 The vncconfig(1) program must be running on the desktop in order
249 for QueryConnect to be supported.
250 -QueryConnectTimeout seconds
252 Number of seconds to show the Accept Connection dialog before
253 rejecting the connection. Default is 10.
254 -localhost
256 Only allow connections from the same machine. Useful if you use
257 SSH and want to stop non-SSH connections from any other hosts.
258 -Log logname:dest:level
260 Configures the debug log settings. dest can currently be
261 stderr, stdout or syslog, and level is between 0 and 100, 100
262 meaning most verbose output. logname is usually * meaning all,
263 but you can target a specific source file if you know the name
264 of its "LogWriter". Default is *:stderr:30.
265 -RemapKeys mapping
267 Sets up a keyboard mapping. mapping is a comma-separated string
268 of character mappings, each of the form char->char, or
269 char<>char, where char is a hexadecimal keysym. For example, to
270 exchange the " and @ symbols you would specify the following:
271 RemapKeys=0x22<>0x40
273 -AvoidShiftNumLock
275 Key affected by NumLock often require a fake Shift to be
276 inserted in order for the correct symbol to be generated. Turn‐
277 ing on this option avoids these extra fake Shift events but may
278 result in a slightly different symbol (e.g. a Return instead of
279 a keypad Enter).
280 -RawKeyboard
282 Send keyboard events straight through and avoid mapping them to
283 the current keyboard layout. This effectively makes the keyboard
284 behave according to the layout configured on the server instead
285 of the layout configured on the client. Default is off.
286 -AllowOverride
288 Comma separated list of parameters that can be modified using
289 VNC extension. Parameters can be modified for example using
290 vncconfig(1) program from inside a running session.
291 Allowing override of parameters such as PAMService or Password‐
293 File can negatively impact security if Xvnc runs under different
294 user than the programs allowed to override the parameters.
295 When NoClipboard parameter is set, allowing override of SendCut‐
297 Text and AcceptCutText has no effect.
298 Default is desktop,AcceptPointerEvents,SendCutText,AcceptCut‐
300 Text,SendPrimary,SetPrimary.
301
304 By configuring the inetd(1) service appropriately, Xvnc can be launched
305 on demand when a connection comes in, rather than having to be started
306 manually. When given the -inetd option, instead of listening for TCP
307 connections on a given port it uses its standard input and standard
308 output. There are two modes controlled by the wait/nowait entry in the
309 inetd.conf file.
310 In the nowait mode, Xvnc uses its standard input and output directly as
312 the connection to a viewer. It never has a listening socket, so cannot
313 accept further connections from viewers (it can however connect out to
314 listening viewers by use of the vncconfig program). Further viewer
315 connections to the same TCP port result in inetd spawning off a new
316 Xvnc to deal with each connection. When the connection to the viewer
317 dies, the Xvnc and any associated X clients die. This behaviour is
318 most useful when combined with the XDMCP options -query and -once. An
319 typical example in inetd.conf might be (all on one line):
320 5950 stream tcp nowait nobody /usr/local/bin/Xvnc Xvnc -inetd
322 -query localhost -once securitytypes=none
323 In this example a viewer connection to :50 will result in a new Xvnc
325 for that connection which should display the standard XDM login screen
326 on that machine. Because the user needs to login via XDM, it is usu‐
327 ally OK to accept connections without a VNC password in this case.
328 In the wait mode, when the first connection comes in, inetd gives the
330 listening socket to Xvnc. This means that for a given TCP port, there
331 is only ever one Xvnc at a time. Further viewer connections to the
332 same port are accepted by the same Xvnc in the normal way. Even when
333 the original connection is broken, the Xvnc will continue to run. If
334 this is used with the XDMCP options -query and -once, the Xvnc and
335 associated X clients will die when the user logs out of the X session
336 in the normal way. It is important to use a VNC password in this case.
337 A typical entry in inetd.conf might be:
338 5951 stream tcp wait james /usr/local/bin/Xvnc Xvnc -inetd
340 -query localhost -once passwordFile=/home/james/.vnc/passwd
341 In fact typically, you would have one entry for each user who uses VNC
343 regularly, each of whom has their own dedicated TCP port which they
344 use. In this example, when user "james" connects to :51, he enters his
345 VNC password, then gets the XDM login screen where he logs in in the
346 normal way. However, unlike the previous example, if he disconnects,
347 the session remains persistent, and when he reconnects he will get the
348 same session back again. When he logs out of the X session, the Xvnc
349 will die, but of course a new one will be created automatically the
350 next time he connects.
351
354 vncconfig(1), vncpasswd(1), vncserver(1), vncviewer(1), Xserver(1),
355 inetd(1)
356 https://www.tigervnc.org
357
360 Tristan Richardson, RealVNC Ltd. and others.
361 VNC was originally developed by the RealVNC team while at Olivetti
363 Research Ltd / AT&T Laboratories Cambridge. TightVNC additions were
364 implemented by Constantin Kaplinsky. Many other people have since par‐
365 ticipated in development, testing and support. This manual is part of
366 the TigerVNC software suite.
367TigerVNC Xvnc(1)