Here is the SSVNC README:
       Enhanced TightVNC Viewer (SSVNC: SSL/SSH VNC viewer)

Copyright (c) 2006-2010 Karl J. Runge 
All rights reserved.

These bundles provide 1) An enhanced TightVNC Viewer on Unix, 2) Binaries
for many Operating Systems (including Windows and Mac OS X) for your
convenience, 3) Wrapper scripts and a GUI for gluing them all together.

One can straight-forwardly download all of the components and get them
to work together by oneself: this bundle is mostly for your convenience
to combine and wrap together the freely available software.

Bundled software co-shipped is copyright and licensed by others.
See these sites and related ones for more information:

Note: Some of the binaries included contain cryptographic software that
you may not be allowed to download, use, or redistribute.  Please check
your situation first before downloading any of these bundles.  See the
survey for useful

All work done by Karl J. Runge in this project is
Copyright (c) 2006-2008 Karl J. Runge and is licensed under the GPL as
described in the file COPYING in this directory.

All the files and information in this project are provided "AS IS"
without any warranty of any kind.  Use them at your own risk.


This bundle contains a convenient collection of enhanced TightVNC
viewers and stunnel binaries for different flavors of Unix and wrapper
scripts and a GUI front-end to glue them together.  Automatic SSL and
SSH encryption tunnelling is provided.

A Windows SSL wrapper for the bundled TightVNC binary and other utilities
are provided.  (Launch ssvnc.exe in the Windows subdirectory).

The short name of the project is "ssvnc" for SSL/SSH VNC Viewer.

It is a self-contained bundle, you could carry it around on, say,
a USB memory stick for secure VNC viewing from almost any machine,
Unix, Mac, or Windows.


The enhanced TightVNC viewer features are:

	- SSL support for connections using the bundled stunnel program.

	- Automatic SSH connections from the GUI (ssh must already be
	  installed on Unix; bundled plink is used on Windows)

	- Ability to Save and Load VNC profiles for different hosts.

	- You can also use your own VNC Viewer, e.g. UltraVNC or RealVNC,
	  with the front-end GUI or scripts if you like.

	- Create or Import SSL Certificates and Private Keys.

	- Reverse (viewer listening) VNC connections via SSL and SSH.

	- VeNCrypt SSL/TLS VNC encryption support (used by VeNCrypt,
	  QEMU, ggi, libvirt/virt-manager/xen, vinagre/gvncviewer/gtk-vnc)

	- ANONTLS SSL/TLS VNC encryption support (used by Vino)

	- VeNCrypt and ANONTLS are also enabled for any 3rd party VNC
	  Viewer (e.g. RealVNC, TightVNC, UltraVNC ...) on Unix, MacOSX,
	  and Windows via the provided SSVNC VeNCrypt Viewer Bridge tool
	  (use 'Change VNC Viewer' to select the one you want.)

	- Support for Web Proxies, SOCKS Proxies, and the UltraVNC
	  repeater proxy (e.g. repeater://host:port+ID:1234). Multiple
	  proxies may be chained together (3 max).

	- Support for SSH Gateway connections and non-standard SSH ports.

	- Automatic Service tunnelling via SSH for CUPS and SMB Printing,
	  ESD/ARTSD Audio, and SMB (Windows/Samba) filesystem mounting.

	- Sets up any additional SSH port redirections that you want.

	- Zeroconf (aka Bonjour) is used on Unix and Mac OS X to find
	  VNC servers on your local network if the avahi-browse or dns-sd
	  program is available and in your PATH.

        - Port Knocking for "closed port" SSH/SSL connections.  In addition
          to a simple fixed port sequence and one-time-pad implementation,
          a hook is also provided to run any port knocking client before a

	- Support for native MacOS X usage with bundled Chicken of the
	  VNC viewer (the Unix X11 viewer is also provided for MacOS X,
	  and is better IMHO).

	- Dynamic VNC Server Port determination and redirection (using
	  ssh's builtin SOCKS proxy, -D) for servers like x11vnc that
	  print out PORT= at startup.

        - Unix Username and Password entry for use with "x11vnc -unixpw"
	  type login dialogs.

	- Simplified mode launched by command "sshvnc" that is SSH Only.

	- Simplified mode launched by command "tsvnc" that provides a VNC
	  "Terminal Services" mode (uses x11vnc on the remote side).

	(the following features only apply to the bundled Unix tightvnc viewer
        including MacOS X)

	- rfbNewFBSize VNC support (screen resizing)

	- Client-side Scaling of the Viewer.

	- ZRLE VNC encoding support (RealVNC's encoding)

	- Support for the ZYWRLE encoding, a wavelet based extension to
	  ZRLE to improve compression of motion video and photo regions.

	- TurboVNC support (VirtualGL's modified TightVNC encoding;
	  requires TurboJPEG library)

        - Pipelined Updates of the framebuffer as in TurboVNC (asks for
          the next update before the current one has finished downloading;
          this gives some speedup on high latency connections.)

	- Cursor alphablending with x11vnc at 32bpp (-alpha option)

	- Option "-unixpw ..." for use with "x11vnc -unixpw" login dialogs.

	- Support for UltraVNC extensions: Single Window, Disable
	  Server-side Input, 1/n Server side scaling, Text Chat (shell
	  terminal UI). Both UltraVNC and x11vnc servers support these

	- UltraVNC File Transfer via an auxiliary Java helper program
	  (java must be in $PATH). Note that the x11vnc server supports
	  UltraVNC file transfer.

	- Connection support for the UltraVNC repeater proxy (-repeater

	- Support for UltraVNC Single Click operation. (both unencrypted:
	  SC I, and SSL encrypted: SC III)

        - Support for UltraVNC DSM Encryption Plugin mode. (ARC4 and
          AESV2, MSRC4, and SecureVNC)

        - Support for UltraVNC MS-Logon authentication (NOTE: the
          UltraVNC MS-Logon key exchange implementation is very weak; an
          eavesdropper on the network can recover your Windows password
          easily in a few seconds; you need to use an additional encrypted
          tunnel with MS-Logon.)

        - Support for symmetric encryption (including blowfish and 3des
          ciphers) to Non-UltraVNC Servers. Any server using the same
          encryption method will work, e.g.:  x11vnc -enc blowfish:./my.key

	- Instead of hostname:display one can also supply "exec=command
	  args..." to connect the viewer to the stdio of an external command
	  (e.g. stunnel or socat) rather than using a TCP/IP socket. Unix
	  domain sockets, e.g. /path/to/unix/socket, and a previously
	  opened file descriptor fd=0, work too.

        - Local Port Protections for STUNNEL and SSH: avoid having for
          long periods of time a listening port on the the local (VNC
          viewer) side that redirects to the remote side.

	- Reverse (viewer listening) VNC connections can show a
	  Popup dialog asking whether to accept the connection or not
	  (-acceptpopup.) The extra info provided by UltraVNC Single Click
	  reverse connections is also supported (-acceptpopupsc)

	- Extremely low color modes: 64 and 8 colors in 8bpp
	  (-use64/-bgr222, -use8/-bgr111)

	- Medium color mode: 16bpp mode even for 32bpp Viewer display

	- x11vnc's client-side caching -ncache method cropping option
	  (-ycrop n). This will "hide" the large pixel buffer cache
	  below the actual display. Set to actual height or use -1 for
	  autodetection (tall screens are autodetected by default).

        - Escape Keys: enable a set of modifier keys so when they
          are all pressed down you can invoke Popup menu actions via
          keystrokes. I.e., a set of 'Hot Keys'. One can also pan (move)
          the desktop inside the viewport via Arrow keys or a mouse drag.

	- Scrollbar width setting: -sbwidth n, the default is very thin,
	  2 pixels, for less distracting -ycrop usage.

	- Selection text sending and receiving can be fine-tuned with the
	  -sendclipboard, -sendalways, and -recvtext options.

	- TightVNC compression and quality levels are automatically set
	  based on observed network latency (n.b. not bandwidth.)

	- Improvements to the Popup menu, all of these can now be changed
	  dynamically via the menu: ViewOnly, Toggle Bell, CursorShape
	  updates, X11 Cursor, Cursor Alphablending, Toggle Tight/ZRLE,
	  Toggle JPEG, FullColor/16bpp/8bpp (256/64/8 colors), Greyscale
	  for low color modes, Scaling the Viewer resolution, Escape Keys,
	  Pipeline Updates, and others, including UltraVNC extensions.

	- Maintains its own BackingStore if the X server does not

	- The default for localhost:0 connections is not raw encoding
	  (local machine). Default assumes you are using SSH tunnel. Use
	  -rawlocal to revert.

	- XGrabServer support for fullscreen mode, for old window managers
	  (-grab/-graball option).

	- Fix for Popup menu positioning for old window managers
	  (-popupfix option).

	- Run vncviewer -help for all options.

The list of software bundled in the archive files:

        TightVNC Viewer           (windows, unix, macosx)
        Chicken of the VNC Viewer (macosx)
        Stunnel                   (windows, unix, macosx)
        Putty/Plink/Pageant       (windows)
        OpenSSL                   (windows)
        esound                    (windows)

These are all self-contained in the bundle directory: they will not be
installed on your system.  Just un-zip or un-tar the file you downloaded
and run it straight from its directory.

Quick Start:

Unix and Mac OS X:

    Inside a Terminal do something like the following.

    Unpack the archive:

        % gzip -dc ssvnc-1.0.29.tar.gz | tar xvf -

    Run the GUI:

        % ./ssvnc/Unix/ssvnc               (for Unix)

        % ./ssvnc/MacOSX/ssvnc             (for Mac OS X)

    The smaller file "ssvnc_no_windows-1.0.29.tar.gz"
    could have been used as well.

    On MacOSX you could also click on the SSVNC app icon in the Finder.

    On MacOSX if you don't like the Chicken of the VNC (e.g. no local
    cursors, no screen size rescaling, and no password prompting), and you
    have the XDarwin X server installed, you can set DISPLAY before starting
    ssvnc (or type DISPLAY=... in Host:Disp and hit Return).  Then our
    enhanced TightVNC viewer will be used instead of COTVNC.
    Update: there is now a 'Use X11 vncviewer on MacOSX' under Options ...

    If you want a SSH-only tool (without the distractions of SSL) run
    the command:


    instead of "ssvnc".  Or click "SSH-Only Mode" under Options.
    Control-h will toggle between the two modes.

    If you want a simple VNC Terminal Services only mode (requires x11vnc
    on the remote server) run the command:


    instead of "ssvnc".  Or click "Terminal Services" under Options.
    Control-t will toggle between the two modes.

    "tsvnc profile-name" and "tsvnc user@hostname" work too.

Unix/MacOSX Install:

    There is no standard install for the bundles, but you can make
    symlinks like so:

	cd /a/directory/in/PATH
	ln -s /path/to/ssvnc/bin/{s,t}* .

    Or put /path/to/ssvnc/bin, /path/to/ssvnc/Unix, or /path/to/ssvnc/MacOSX
    in your PATH.

    For the conventional source tarball it will compile and install, e.g.:

       gzip -dc ssvnc-1.0.29.src.tar.gz | tar xvf -
       cd ssvnc-1.0.29
       make config
       make all
       make PREFIX=/my/install/dir install

    then have /my/install/dir/bin in your PATH.


    Unzip, using WinZip or a similar utility, the zip file:

    Run the GUI, e.g.:

	Start -> Run -> Browse

    and then navigate to


    select Open, and then OK to launch it.

    The smaller file ""
    could have been used as well.

    You can make a Windows shortcut to this program if you want to.

    See the Windows/README.txt for more info.

    If you want a SSH-only tool (without the distractions of SSL) run
    the command:


    Or click "SSH-Only Mode" under Options.

    If you want a simple VNC Terminal Services only mode (requires x11vnc
    on the remote server) run the command:


    Or click "Terminal Services" under Options.  Control-t will toggle
    between the two modes.  "tsvnc profile-name" and "tsvnc user@hostname"
    work too.

Important Note for Windows Vista: One user reports that on Windows Vista
if you move or extract the "ssvnc" folder down to the "Program Files"
folder you will be prompted to do this as the Administrator. But then
when you start up ssvnc, as a regular user, it cannot create files in
that folder and so it fails to run properly. We recommend to not copy
or extract the "ssvnc" folder into "Program Files". Rather, extract
it to somewhere you have write permission (e.g. C:\ or your User dir)
and create a Shortcut to ssvnc.exe on the desktop.  A user reports that
SSVNC works properly in remote helpdesk mode using UltraVNC Single-click
in Windows Vista.

If you must put a launcher file down in "Program Files", perhaps an
"ssvnc.bat" that looks like this:

cd \ssvnc\Windows


If you don't care for SSL and the distractions it provides in the GUI,
run "sshvnc" (unix/macosx) or "sshvnc.bat" (windows) to run an SSH only
version of the GUI.

Terminal Services Mode

There is an even simpler mode that uses x11vnc on the remote side for the
session finding and management.  Run "tsvnc" (unix/macosx) or "tsvnc.bat"
(windows) to run the Terminal Services version of the GUI.

Bundle Info:

The bundle files unpack a directory/folder named: ssvnc

It contains these programs to launch the GUI:

        Windows/ssvnc.exe        for Windows
        MacOSX/ssvnc             for Mac OS X
        Unix/ssvnc               for Unix

(the Mac OS X and Unix launchers are simply links to the bin directory).

Your bundle file should have included binaries for many OS's: Linux,
Solaris, FreeBSD, etc.  Unpack your archive and see the subdirectories of


for the ones that were shipped in this project, e.g. ./bin/Linux.i686
Run "uname -sm" to see your OS+arch combination (n.b. all Linux x86 are
mapped to Linux.i686).   (See the ./bin/ssvnc_cmd -h output for how to
override platform autodection via the UNAME env. var).

Memory Stick Usage:

If you create a directory named "Home" in that toplevel ssvnc directory
then that will be used as the base for storing VNC profiles and
certificates.  Also, for convenience, if you first run the command with
"." as an argument (e.g. "ssvnc .") it will automatically create that
"Home" directory for you.  This is handy if you want to place SSVNC
on a USB flash drive that you carry around for mobile use and you want
the profiles you create to stay with the drive (otherwise you'd have to
browse to the drive directory each time you load or save).

One user on Windows created a BAT file to launch SSVNC and needed to
do this to get the Home directory correct:

cd \ssvnc\Windows
start \ssvnc\Windows\ssvnc.exe

(an optional profile name can be supplied to the ssvnc.exe line)

WARNING: if you use ssvnc from an "Internet Cafe", i.e.  an untrusted
computer, an intruder may be capturing keystrokes etc.

External Dependencies:

On Windows everything is included.  Let us know if you find otherwise.

On Unix depending on what you do you need these programs installed:
	- basic unix utilities (sh, ls, cat, awk, sed, etc..)
	- tcl/tk (wish interpreter)
	- xterm
	- perl
	- ssh
	- openssl

    Lesser used ones: netcat, esd/artsd, smbclient, smbmount, cups
On Mac OS X depending on what you do you need these programs installed:
	- basic unix utilities (sh, ls, cat, awk, sed, etc..)
	- tcl/tk (wish interpreter)
	- Terminal
	- perl
	- ssh
	- openssl

    Lesser used ones: netcat, smbclient, cups

Most Mac OS X and Unix OS come with the main components installed. 
See the README.src for a more detailed description of dependencies.

TurboVNC Support:

TurboVNC is supported in an experimental way.  To it build via the
build.unix script described in the next section, do something like:

	env TURBOVNC='-L/DIR -Xlinker --rpath=/DIR -lturbojpeg' ./build.unix

where you replace /DIR with the directory where the
is installed.

You may not need to set rpath if is installed in a
standard location or you use LD_LIBRARY_PATH to point to it.

See the turbovnc/README in the vnc_unixsrc/vncviewer directory for
more info.  You can find it in the ssvnc source tarball and also


More TurboVNC features will be enabled in the future.

If you need to Build:

If your OS/arch is not included or the provided binary has the wrong
library dependencies, etc. the script "build.unix" may be able to
successfully build on for you and deposit the binaries down in ./bin/...
using the included source code.  It is a hack but usually works.

You MUST run the build.unix script from this directory (that this toplevel
README is in, i.e "ssvnc") and like this:


To use custom locations for libraries see the LDFLAGS_OS and CPPFLAGS_OS
description at the top of the build.unix script.

You can set these env. vars to customize the build:

	SSVNC_BUILD_NO_STATIC=1        do not try to statically link libs
	SSVNC_BUILD_FORCE_OVERWRITE=1  do not prompt about existing binaries
	SSVNC_BUILD_SKIP_VIEWER=1      do not build vncviewer
	SSVNC_BUILD_SKIP_STUNNEL=1     do not build stunnel
	SSVNC_BUILD_ULTRAFTP=1         only build the file xfer helper jar

here is an example to build only the vncviewer and with normal library
linking (and in a more or less automated way):


Feel free to ask us if you need help running ./build.unix

Convential Build:

A more conventional source tarball is provided in ssvnc-x.y.z.src.tar.gz.
It uses a more or less familiar 'make config; make all; make PREFIX=path install'
method.  It does not include stunnel, so that must be installed on the
system separately.

The programs:

Unpack your archive, and you will see "bin", "Windows", "src" directories
and other files.  The command line wrapper scripts: 


are the main programs that are run and will try to autodetect your OS+arch
combination and if binaries are present for it automatically use them.
(if not found try the running the build.unix script).

If you prefer a GUI to prompt for parameters and then start ssvnc_cmd
you can run this instead:


this is the same GUI that is run on Windows (the ssvnc.exe).
There are also:

	./bin/sshvnc	(SSH-Only)
	./bin/tsvnc	(Terminal Services Mode)

For convenience, you can make symlinks from a directory in your PATH to
any of the 3 programs above you wish to run.  That is all you usually
need to do for it to pick up all of the binaries, utils, etc. E.g.
assuming $HOME/bin is in your $PATH:

	cd $HOME/bin
	ln -s /path/to/ssvnc/bin/{s,t}* .

(note the "." at the end). The above commands is basically the way to
"install" this on Unix or MacOS X.

Also links to the GUI launcher script are provided in:


and sshvnc and tsvnc.  You could also put the Unix or MacOSX directory
in your PATH.

On Windows unpack your archive and run:



The following assume you are in the toplevel directory of the
archive you unpacked.

Use enhanced TightVNC unix viewer to connect to x11vnc via SSL:

	./bin/ssvnc_cmd   far-away.east:0

	./bin/tightvncviewer -ssl  far-away.east:0   (same)

	./bin/ssvnc                                  (start GUI launcher)

Use enhanced TightVNC unix viewer without SSL:

	./bin/tightvncviewer far-away.east:0

Use SSL to connect to a x11vnc server, and also verify the server's
identity using the SSL Certificate in the file ./x11vnc.pem:

	./bin/ssvnc_cmd -alpha -verify ./x11vnc.pem far-away.east:0

(also turns on the viewer-side cursor alphablending hack). 

Brief description of the subdirectories:

	./bin/util		some utility scripts, e.g. ss_vncviewer
				and ssvnc.tcl

	./src			source code and patches.
	./src/zips		zip files of source code and binaries.

	./src/vnc_unixsrc	unpacked tightvnc source code tree.
	./src/stunnel-4.14	unpacked stunnel source code tree.
	./src/patches		patches to TightVNC viewer for the new
				features on Unix (used by build.unix).
	./src/tmp		temporary build dir for build.unix
				(the last four are used by build.unix)

	./man			man pages for TightVNC viewer and stunnel.

	./Windows		Stock TightVNC viewer and Stunnel, Openssl
				etc Windows binaries. ssvnc.exe is the
				program to run.

	./MacOSX		contains an unpacked Chicken of the VNC
				viewer and a symlink to ssvnc.

	./Unix			contains a symlink to ssvnc.

Depending on which bundle you use not all of the above may be present.
The smallest bundles with binaries are:   Windows
	ssvnc_no_windows-1.x.y.tar.gz  Unix and MacOSX

however, the tiny scripts only one (only 60KB) will run properly on Unix
as long as you install external vncviewer and stunnel packages:


Untrusted Local Users:

    *IMPORTANT WARNING*:  If you run SSVNC on a workstation or computer
    that other users can log into and you DO NOT TRUST these users
    (it is a shame but sometimes one has to work in an environment like
    this), then please note the following warning.

    By 'do not trust' we mean they might try to gain access to remote
    machines you connect to via SSVNC.  Note that an untrusted local
    user can often obtain root access in a short amount of time; if a
    user has achieved that, then all bets are off for ANYTHING that you
    do on the workstation.  It is best to get rid of Untrusted Local
    Users as soon as possible.

    Both the SSL and SSH tunnels set up by SSVNC listen on certain ports
    on the 'localhost' address and redirect TCP connections to the remote
    machine; usually the VNC server running there (but it could also be
    another service, e.g. CUPS printing).  These are the stunnel(8) SSL
    redirection and the ssh(1) '-L' port redirection.  Because 'localhost'
    is used only users or programs on the same workstation that is
    running SSVNC can connect to these ports, however this includes any
    local users (not just the user running SSVNC.)

    If the untrusted local user tries to connect to these ports, he may
    succeed in varying degrees to gain access to the remote machine.
    We now list some safeguards one can put in place to try to make this
    more difficult to achieve.

    It probably pays to have the VNC server require a password, even
    though there has already been SSL or SSH authentication (via
    certificates or passwords).  In general if the VNC Server requires
    SSL authentication of the viewer that helps, unless the untrusted
    local user has gained access to your SSVNC certificate keys.

    If the VNC server is configured to only allow one viewer connection
    at a time, then the window of opportunity that the untrusted local
    user can use is greatly reduced: he might only have a second or two
    between the tunnel being set up and the SSVNC vncviewer connecting
    to it (i.e. if the VNC server only allows a single connection, the
    untrusted local user cannot connect once your session is established).
    Similarly, when you disconnect the tunnel is torn down quickly and
    there is little or no window of opportunity to connect (e.g. x11vnc
    in its default mode exits after the first client disconnects).

    Also for SSL tunnelling with stunnel(8) on Unix using one of the SSVNC
    prebuilt 'bundles', a patched stunnel is provided that denies all
    connections after the first one, and exits when the first one closes.
    This is not true if the system installed stunnel(8) is used and is
    not true when using SSVNC on Windows.

    The following are two experimental features that are added to SSVNC
    to improve the situation for the SSL/stunnel case.  Set them via
    Options -> Advanced -> "STUNNEL Local Port Protections".

    1) For SSL tunnelling with stunnel(8) on Unix there is a setting
       'Use stunnel EXEC mode' (experimental) that will try to exec(2)
       stunnel instead of using a listening socket.  This will require
       using the specially modified vncviewer unix viewer provided
       by SSVNC.  If this mode proves stable it will become the default.

    2) For SSL tunnelling with stunnel(8) on Unix there is a setting
       'Use stunnel IDENT check' (experimental) to limit socket
       connections to be from you (this assumes the untrusted local
       user has not become root on your workstation and has modified
       your local IDENT check service; if he has you have much bigger
       problems to worry about...)

    There is also one simple LD_PRELOAD trick for SSH to limit the number
    of accepted port redirection connections.  This makes the window of
    time the untrusted local user can connect to the tunnel much smaller.
    Enable it via Options -> Advanced -> "SSH Local Port Protections".
    You will need to have the file in your SSVNC package.

    The main message is to 'Watch your Back' when you connect via the
    SSVNC tunnels and there are users you don't trust on your workstation.
    The same applies to ANY use of SSH '-L' port redirections or outgoing
    stunnel SSL redirection services.

Help and Info:

For more help on other options and usage patterns run these:

	./bin/ssvnc_cmd -h
	./bin/util/ss_vncviewer -h

See also:
	x11vnc -h | more