NAME

Xtigervnc - the X VNC server

SYNOPSIS

Xtigervnc [options] :display#

DESCRIPTION

Xtigervnc is the X VNC (Virtual Network Computing) server. It is based on a standard X server, but it has a "virtual" screen rather than a physical one. X applications display themselves on it as if it were a normal X display, but they can only be accessed via a VNC viewer - see xtigervncviewer(1).
 
So Xtigervnc is really two servers in one. To the applications it is an X server, and to the remote VNC users it is a VNC server. By convention we have arranged that the VNC server display number will be the same as the X server display number, which means you can use eg. snoopy:2 to refer to display 2 on machine "snoopy" in both the X world and the VNC world.
 
The best way of starting Xtigervnc is via tigervncsession. This sets up the environment appropriately and starts a desktop environment. See the manual page for tigervncsession(8) for more information.
 

OPTIONS

Xtigervnc takes lots of options - running Xtigervnc -help gives a list. Many of these are standard X server options, which are described in the Xserver(1) manual page. In addition to options which can only be set via the command-line, there are also "parameters" which can be set both via the command-line and through the tigervncconfig(1) program.
 
-geometry widthxheight
Specify the size of the desktop to be created. Default is 1024x768.
-depth depth
Specify the pixel depth in bits of the desktop to be created. Default is 24, other possible values are 16 and 32. Anything else is likely to cause strange behaviour by applications and may prevent the server from starting at all.
-pixelformat format
Specify pixel format for server to use (BGRnnn or RGBnnn). The default for depth 16 is RGB565 and for depth 24 and 32 is RGB888.
-interface IP address
Listen on interface. By default Xtigervnc listens on all available interfaces.
-inetd
This significantly changes Xtigervnc's behaviour so that it can be launched from inetd. See the section below on usage with inetd.
-help
List all the options and parameters

PARAMETERS

VNC parameters can be set both via the command-line and through the tigervncconfig(1) program, and with a VNC-enabled Xorg server via Options entries in the xorg.conf file.
 
Parameters can be turned on with - param or off with - param=0. Parameters which take a value can be specified as - param value. Other valid forms are param=value - param=value -- param=value. Parameter names are case-insensitive.
 
-desktop desktop-name
Each desktop has a name which may be displayed by the viewer. It defaults to "<user>@<hostname>".
-rfbport port
Specifies the TCP port on which Xtigervnc listens for connections from viewers (the protocol used in VNC is called RFB - "remote framebuffer"). The default is 5900 plus the display number. Specify -1 to disable listening on a TCP port.
-UseIPv4
Use IPv4 for incoming and outgoing connections. Default is on.
-UseIPv6
Use IPv6 for incoming and outgoing connections. Default is on.
-rfbunixpath path
Specifies the path of a Unix domain socket on which Xtigervnc listens for connections from viewers.
-rfbunixmode mode
Specifies the mode of the Unix domain socket. The default is 0600.
-rfbauth passwd-file, -PasswordFile passwd-file
Password file for VNC authentication. There is no default, you should specify the password file explicitly. Password file should be created with the tigervncpasswd(1) utility. The file is accessed each time a connection comes in, so it can be changed on the fly.
-AcceptCutText
Accept clipboard updates from clients. Default is on.
-MaxCutText bytes
The maximum size of a clipboard update that will be accepted from a client. Default is 262144.
-SendCutText
Send clipboard changes to clients. Default is on.
-SendPrimary
Send the primary selection and cut buffer to the server as well as the clipboard selection. Default is on.
-AcceptPointerEvents
Accept pointer press and release events from clients. Default is on.
-AcceptKeyEvents
Accept key press and release events from clients. Default is on.
-AcceptSetDesktopSize
Accept requests to resize the size of the desktop. Default is on.
-DisconnectClients
Disconnect existing clients if an incoming connection is non-shared. Default is on. If DisconnectClients is false, then a new non-shared connection will be refused while there is a client active. When combined with NeverShared this means only one client is allowed at a time.
-NeverShared
Never treat incoming connections as shared, regardless of the client-specified setting. Default is off.
-AlwaysShared
Always treat incoming connections as shared, regardless of the client-specified setting. Default is off.
-Protocol3.3
Always use protocol version 3.3 for backwards compatibility with badly-behaved clients. Default is off.
-FrameRate fps
The maximum number of updates per second sent to each client. If the screen updates any faster then those changes will be aggregated and sent in a single update to the client. Note that this only controls the maximum rate and a client may get a lower rate when resources are limited. Default is 60.
-CompareFB mode
Perform pixel comparison on framebuffer to reduce unnecessary updates. Can be either 0 (off), 1 (always) or 2 (auto). Default is 2.
-ZlibLevel level
Zlib compression level for ZRLE encoding (it does not affect Tight encoding). Acceptable values are between 0 and 9. Default is to use the standard compression level provided by the zlib(3) compression library.
-ImprovedHextile
Use improved compression algorithm for Hextile encoding which achieves better compression ratios by the cost of using slightly more CPU time. Default is on.
-SecurityTypes sec-types
Specify which security scheme to use for incoming connections. Valid values are a comma separated list of None, VncAuth, Plain, TLSNone, TLSVnc, TLSPlain, X509None, X509Vnc and X509Plain. Default is VncAuth,TLSVnc.
-Password password
Obfuscated binary encoding of the password which clients must supply to access the server. Using this parameter is insecure, use PasswordFile parameter instead.
-PlainUsers user-list
A comma separated list of user names that are allowed to authenticate via any of the "Plain" security types (Plain, TLSPlain, etc.). Specify * to allow any user to authenticate using this security type. Default is to deny all users.
-pam_service name, -PAMService name
PAM service name to use when authentication users using any of the "Plain" security types. Default is vnc.
-X509Cert path
Path to a X509 certificate in PEM format to be used for all X509 based security types (X509None, X509Vnc, etc.).
-X509Key path
Private key counter part to the certificate given in X509Cert. Must also be in PEM format.
-GnuTLSPriority priority
GnuTLS priority string that controls the TLS session’s handshake algorithms. See the GnuTLS manual for possible values. For GnuTLS < 3.6.3 the default value will be NORMAL to use upstream default. For newer versions of GnuTLS system-wide crypto policy will be used.
-UseBlacklist
Temporarily reject connections from a host if it repeatedly fails to authenticate. Default is on.
-BlacklistThreshold count
The number of unauthenticated connection attempts allowed from any individual host before that host is black-listed. Default is 5.
-BlacklistTimeout seconds
The initial timeout applied when a host is first black-listed. The host cannot re-attempt a connection until the timeout expires. Default is 10.
-IdleTimeout seconds
The number of seconds after which an idle VNC connection will be dropped. Default is 0, which means that idle connections will never be dropped.
-MaxDisconnectionTime seconds
Terminate when no client has been connected for N seconds. Default is 0.
-MaxConnectionTime seconds
Terminate when a client has been connected for N seconds. Default is 0.
-MaxIdleTime seconds
Terminate after N seconds of user inactivity. Default is 0.
-QueryConnect
Prompts the user of the desktop to explicitly accept or reject incoming connections. Default is off. The tigervncconfig(1) program must be running on the desktop in order for QueryConnect to be supported.
-QueryConnectTimeout seconds
Number of seconds to show the Accept Connection dialog before rejecting the connection. Default is 10.
-localhost
Only allow connections from the same machine. Useful if you use SSH and want to stop non-SSH connections from any other hosts.
-Log logname:dest:level
Configures the debug log settings. dest can currently be stderr, stdout or syslog, and level is between 0 and 100, 100 meaning most verbose output. logname is usually * meaning all, but you can target a specific source file if you know the name of its "LogWriter". Default is *:stderr:30.
-RemapKeys mapping
Sets up a keyboard mapping. mapping is a comma-separated string of character mappings, each of the form char->char, or char<>char, where char is a hexadecimal keysym. For example, to exchange the " and @ symbols you would specify the following:
RemapKeys=0x22<>0x40
-AvoidShiftNumLock
Key affected by NumLock often require a fake Shift to be inserted in order for the correct symbol to be generated. Turning on this option avoids these extra fake Shift events but may result in a slightly different symbol (e.g. a Return instead of a keypad Enter).
-RawKeyboard
Send keyboard events straight through and avoid mapping them to the current keyboard layout. This effectively makes the keyboard behave according to the layout configured on the server instead of the layout configured on the client. Default is off.
-AllowOverride
Comma separated list of parameters that can be modified using VNC extension. Parameters can be modified for example using tigervncconfig(1) program from inside a running session. Allowing override of parameters such as PAMService or PasswordFile can negatively impact security if Xtigervnc runs under different user than the programs allowed to override the parameters. When NoClipboard parameter is set, allowing override of SendCutText and AcceptCutText has no effect. Default is desktop,AcceptPointerEvents,SendCutText,AcceptCutText,SendPrimary,SetPrimary.

USAGE WITH INETD

By configuring the inetd(1) service appropriately, Xtigervnc can be launched on demand when a connection comes in, rather than having to be started manually. When given the -inetd option, instead of listening for TCP connections on a given port it uses its standard input and standard output. There are two modes controlled by the wait/nowait entry in the inetd.conf file.
 
In the nowait mode, Xtigervnc uses its standard input and output directly as the connection to a viewer. It never has a listening socket, so cannot accept further connections from viewers (it can however connect out to listening viewers by use of the tigervncconfig program). Further viewer connections to the same TCP port result in inetd spawning off a new Xtigervnc to deal with each connection. When the connection to the viewer dies, the Xtigervnc and any associated X clients die. This behaviour is most useful when combined with the XDMCP options -query and -once. An typical example in inetd.conf might be (all on one line):
 
5950 stream tcp nowait nobody /usr/local/bin/Xtigervnc Xtigervnc -inetd -query localhost -once securitytypes=none
 
In this example a viewer connection to :50 will result in a new Xtigervnc for that connection which should display the standard XDM login screen on that machine. Because the user needs to login via XDM, it is usually OK to accept connections without a VNC password in this case.
 
In the wait mode, when the first connection comes in, inetd gives the listening socket to Xtigervnc. This means that for a given TCP port, there is only ever one Xtigervnc at a time. Further viewer connections to the same port are accepted by the same Xtigervnc in the normal way. Even when the original connection is broken, the Xtigervnc will continue to run. If this is used with the XDMCP options -query and -once, the Xtigervnc and associated X clients will die when the user logs out of the X session in the normal way. It is important to use a VNC password in this case. A typical entry in inetd.conf might be:
 
5951 stream tcp wait james /usr/local/bin/Xtigervnc Xtigervnc -inetd -query localhost -once passwordFile=/home/james/.vnc/passwd
 
In fact typically, you would have one entry for each user who uses VNC regularly, each of whom has their own dedicated TCP port which they use. In this example, when user "james" connects to :51, he enters his VNC password, then gets the XDM login screen where he logs in in the normal way. However, unlike the previous example, if he disconnects, the session remains persistent, and when he reconnects he will get the same session back again. When he logs out of the X session, the Xtigervnc will die, but of course a new one will be created automatically the next time he connects.
 

SEE ALSO

tigervncconfig(1), tigervncpasswd(1), xtigervncviewer(1), tigervncsession(8), Xserver(1), inetd(1)
 
https://www.tigervnc.org
 

AUTHOR

Tristan Richardson, RealVNC Ltd. and others.
 
VNC was originally developed by the RealVNC team while at Olivetti Research Ltd / AT&T Laboratories Cambridge. TightVNC additions were implemented by Constantin Kaplinsky. Many other people have since participated in development, testing and support. This manual is part of the TigerVNC software suite.

Recommended readings

Pages related to Xtigervnc you should read also:
Xserver(1) inetd(1) tigervncconfig(1) tigervncpasswd(1) tigervncsession(8) xtigervncviewer(1) zlib(3)

Questions & Answers

Helpful answers and articles about Xtigervnc you may found on these sites:
Stack Overflow Server Fault Super User Unix & Linux Ask Ubuntu Network Engineering DevOps Raspberry Pi Webmasters Google Search