Date: Mon, 19 Feb 2007 23:52:54 +0100
From: Fabrice Bellard
Subject: Re: [Qemu-devel] QEMU: VNC
In-reply-to: <20070219190929.GT31525@redhat.com>
Message-id: <45DA2A46.1080105@bellard.org>
To: qemu-devel@nongnu.org

Daniel P. Berrange wrote:
> On Mon, Feb 19, 2007 at 12:41:53PM -0500, Christopher Olsen wrote:
>> On Monday 19 February 2007 12:30, Daniel P. Berrange wrote:
>>> On Mon, Feb 19, 2007 at 03:11:15AM +0100, Johannes Schindelin wrote:
>>>> Hi,
>>>>
>>>> On Sun, 18 Feb 2007, Anthony Liguori wrote:
>>>>> Christopher Olsen wrote:
>>>>>> Sorry I'll attempt to use the preferred patching method in the
>>>>>> future..
>>>>>>
>>>>>> Secure vnc auth method the default built in method from
>>>>> We can't take a password from a command line. Supporting VNC auth is
>>>>> super easy otherwise. I really think we need to have a config file
>>>>> before we can do VNC passwords.
>>>> No, you should not do VNC passwords. The default VNC password exchange is
>>>> insecure and you should not lure users into believing in that false
>>>> security.
>>> Sure it is insecure over an unencrypted network channel, but if you are
>>> tunnelling the VNC connection over SSH, or have restricted it to only
>>> bind to 127.0.0.1 then AFAIK it is just fine. So supporting VNC password
>>> auth would allow users on a shared machine to secure the console from
>>> other unprivileged users on the same box. Definitely useful over the
>>> current situation where there's no way to secure even the local-only
>>> case. For a serious general purpose authentication I'd like to see the
>>> TLS protocol extension for VNC (as implemented in VeNCrypt) supported
>>> allowing both secure auth & wire encryption.
>>>
>>> Dan.
>> I've checked out the VeNCrypt.. Looks a little win32 oriented...
>
> Guess you missed the 'unix' directory - I have compiled both server & client
> of VeNCrypt on Linux no trouble.
>
>> I'm gathering the problem here is that VNC is spinning off in many
>> directions... So any implementation on the QEMU side will of course marry it
>> to a particular VNC branch or I had an alternative idea..
>
> I think the crux of the matter is that RealVNC sell a commercial version
> of VNC which offers real encryption. So I'm guessing that's why they've
> never merged any of the patches to do TLS encryption in the open source
> codebase. All the patches for VNC + TLS I've seen posted are iterations
> of each other - VeNCrypt is the most complete implementation of any of
> them, so the one I'd go for out of all the choices.

On the technical side, adding OpenSSL support in the current VNC
implementation in QEMU seems easy (OpenSSL has a non-blocking API which can
be used with the current callback API).

Fabrice.