From: "Daniel P. Berrange" <berrange@redhat.com>
To: Jeremy Katz <katzj@redhat.com>
Cc: xen-devel <xen-devel@lists.xensource.com>
Subject: Re: [PATCH] vnclisten for HVM vnc
Date: Wed, 27 Sep 2006 21:02:39 +0100 [thread overview]
Message-ID: <20060927200239.GS20056@redhat.com> (raw)
In-Reply-To: <1159387052.16252.20.camel@orodruin.boston.redhat.com>
On Wed, Sep 27, 2006 at 03:57:31PM -0400, Jeremy Katz wrote:
> On Wed, 2006-09-27 at 20:42 +0100, Daniel P. Berrange wrote:
> > On Wed, Sep 27, 2006 at 03:36:16PM -0400, Jeremy Katz wrote:
> > > On Sat, 2006-09-02 at 12:55 -0400, Jeremy Katz wrote:
> > > > Implement a 'vnclisten' option to limit the interface that the VNC
> > > > server from qemu listens on. This leaves the default behavior as
> > > > listening on all interfaces.
> > > >
> > > > Signed-off-by: Jeremy Katz <katzj@redhat.com>
> > >
> > > danpb said something about this and it reminded me I never saw any
> > > feedback.... Bueller? :-)
> >
> > IMHO, we should only listen on 127.0.0.1 by default - particularly since
> > the Xen 3.0.3 release isn't going to have password authentication on the
> > VNC servers yet :-( It'll be all too easy for someone to turn on VNC
> > in the guest config & not realize they just opened themselves up to any
> > person on the network by default. That kind of default insecure behaviour
> > is best left in the Windows world
>
> I don't necessarily disagree, but changing the semantics like that felt
> a little bit ugly to me -- it definitely leads to a case where going
> from 3.0.2 -> 3.0.3 would break configurations users were actively
> using.
It is a painful problem I agree, but I think the security benefit is worth
the pain of breaking user's existing configs. Its not a difficult task for
users to re-enable the wide-open-to-anyone config if they really do need
it.
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
next prev parent reply other threads:[~2006-09-27 20:02 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-09-02 16:55 [PATCH] vnclisten for HVM vnc Jeremy Katz
2006-09-27 19:36 ` Jeremy Katz
2006-09-27 19:42 ` Daniel P. Berrange
2006-09-27 19:57 ` Jeremy Katz
2006-09-27 20:02 ` Daniel P. Berrange [this message]
2006-09-27 20:40 ` Ian Pratt
2006-09-29 17:24 ` Daniel P. Berrange
2006-09-29 18:03 ` Anthony Liguori
2006-09-29 19:02 ` Daniel P. Berrange
2006-09-29 19:43 ` Daniel P. Berrange
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060927200239.GS20056@redhat.com \
--to=berrange@redhat.com \
--cc=katzj@redhat.com \
--cc=xen-devel@lists.xensource.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.