From mboxrd@z Thu Jan  1 00:00:00 1970
From: "Daniel P. Berrange" <berrange@redhat.com>
Subject: Re: Individual passwords for guest VNC servers ?
Date: Fri, 25 Aug 2006 01:44:36 +0100
Message-ID: <20060825004436.GL809@redhat.com>
References: <20060816181153.GC25831@redhat.com>
Reply-To: "Daniel P. Berrange" <berrange@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path: <xen-devel-bounces@lists.xensource.com>
Content-Disposition: inline
In-Reply-To: <20060816181153.GC25831@redhat.com>
List-Unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xensource.com>
List-Help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-Subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
Sender: xen-devel-bounces@lists.xensource.com
Errors-To: xen-devel-bounces@lists.xensource.com
To: xen-devel@lists.xensource.com
List-Id: xen-devel@lists.xenproject.org

On Wed, Aug 16, 2006 at 07:11:53PM +0100, Daniel P. Berrange wrote:
> The current implementation of the VNC server in qemu-dm appears to just
> leverage whatever password the root user has set in /root/.vnc/passwd.
> This doesn't really have very nice semantics if one migrates the domain
> over to a different host...which may not have same VNC password file.

Ok, so looking more closly I'm wrong here. The VNC server in qemu-dm
does not use a password at all - it sets the VNC auth protocol to None.

At the same time it binds to 0.0.0.0 - so any HVM guest running VNC
is completely unsecured, accessible to anyone who can route to the
Dom0 host unless you've firewalled off all the ports >= 5900 on the
machine. This looks like a pretty serious flaw to be fixed for 3.0.3 

> Has anyone given any thought to / written any patches to enable assignment
> of different passwords to individual guest's VNC servers. At its simplest
> one could just allow the crypt/md5 hash of the desired password to be
> supplied in the xm config file, or XenD SEXPR when creating a new domain
> and pass that hash through to qemu-dm to use instead of /root/.vnc/passwd

It appears that given the way the standard VNC challenge-response auth
scheme works there's no choice but to store the actual password - at very 
least using some reversible encryption - we can't simply store the hash
as one would with passwords for /etc/shadow.  There are other newer
auth schemes defined in VNC protocol, but its not clear whether these
have broad support amongst VNC viewer clients.

Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=|