From: "Daniel P. Berrange"
Subject: Re: Individual passwords for guest VNC servers ?
Date: Thu, 31 Aug 2006 02:38:40 +0100
Message-ID: <20060831013840.GB22345@redhat.com>
References: <20060816181153.GC25831@redhat.com> <20060825004436.GL809@redhat.com>
To: Masami Watanabe
Cc: xen-devel@lists.xensource.com

On Thu, Aug 31, 2006 at 10:23:56AM +0900, Masami Watanabe wrote:
> I'm thinking of adding the following protection to VNC console.
> I know it's not perfect, nonetheless, it's far better than the current
> no protection situation. Please comment.
>
> Specification:
> - The same challenge-response auth scheme as standard VNC to be available
>   from VNC viewer (like RealVNC).

Yeah, looking at the various clients, challenge-response is the only one we
can really rely on being present - in fact it's the only one supported by
Fedora VNC client (RealVNC IIRC?) at all.

> - The vnc password of each VM is described in the VM configuration file.
>   When the password is omitted, do not use authentication.
>   ex) vnc_passwd = xxxxx

I think we should be secure by default - if they omit the password then we
should either generate one - and store it in xenstore, or refuse to activate
VNC server. If we really really want to allow no passwords, then admin could
have to explicitly request it with vnc_no_password=1 in the config file - but
my preference is still that we should flat out refuse to allow an empty
password - in this day & age it's just plain wrong. RealVNC server for
example, refuses to allow empty password.

> - Where "xxxxx" is a uuencoded encrypted password, that is,
>   you can get this value by
>   # cat ~/.vnc/passwd | uuencode -m passwd
>   (needs uuencode command: sharutils package)

Perhaps base64 would be preferable - that's a standard part of Linux coreutils
toolset, rather than an addon like uuencode is.

Regards,
Dan.

-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 
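The secure-by-default policy argued for in this reply (explicit base64 `vnc_passwd`, generate-and-store when omitted, `vnc_no_password=1` as the only opt-out, outright refusal of an empty password), written out as an added example that is not code from the thread or from Xen. The 8-byte passwd length, the xenstore key layout and the dict standing in for xenstore are assumptions.

```python
import base64
import secrets
import string

# Assumption: ~/.vnc/passwd holds exactly 8 obfuscated bytes, so a valid
# vnc_passwd value must base64-decode to that length.
VNC_PASSWD_LEN = 8
# Assumption: VNC viewers only use the first 8 characters of a password,
# so a generated password needs no more than that.
GENERATED_LEN = 8

def decide_vnc_auth(config, xenstore):
    """Apply the secure-by-default policy from the thread to one VM config.
    config: dict of VM config keys (name, vnc_passwd, vnc_no_password).
    xenstore: dict standing in for the real xenstore (assumption).
    Returns ("explicit", bytes) | ("generated", str) | ("none", None)
    | ("refused", reason)."""
    if "vnc_passwd" in config:
        encoded = config["vnc_passwd"]
        if encoded == "":
            # Dan's preference: an empty password is refused outright.
            return ("refused", "empty vnc_passwd")
        try:
            raw = base64.b64decode(encoded, validate=True)
        except ValueError:
            return ("refused", "vnc_passwd is not valid base64")
        if len(raw) != VNC_PASSWD_LEN:
            return ("refused", "vnc_passwd must decode to %d bytes" % VNC_PASSWD_LEN)
        return ("explicit", raw)
    if str(config.get("vnc_no_password", "0")) == "1":
        # Admin explicitly opted out of authentication.
        return ("none", None)
    # Omitted password without an explicit opt-out: generate one and
    # keep it in xenstore so the admin can look it up (key path assumed).
    alphabet = string.ascii_letters + string.digits
    password = "".join(secrets.choice(alphabet) for _ in range(GENERATED_LEN))
    xenstore["vm/%s/vnc-passwd" % config["name"]] = password
    return ("generated", password)

# Constructed sample: a made-up 8-byte passwd file, base64 encoded as a
# `cat ~/.vnc/passwd | base64` step would produce.
SAMPLE_OBFUSCATED = bytes(range(8))
SAMPLE_CONFIG = {"name": "vm1",
                 "vnc_passwd": base64.b64encode(SAMPLE_OBFUSCATED).decode()}

if __name__ == "__main__":
    store = {}
    print(decide_vnc_auth(SAMPLE_CONFIG, store))
    print(decide_vnc_auth({"name": "vm2"}, store), store)
```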