From: Anthony Liguori
To: Luke -Jr, qemu-devel@nongnu.org
Reply-To: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] QEMU: VNC
Date: Thu, 22 Feb 2007 11:27:56 -0600
Message-ID: <45DDD29C.8070503@codemonkey.ws>
In-Reply-To: <200702221044.48581.luke@dashjr.org>
References: <200702220519.10448.luke-jr@utopios.org> <45DDC65A.2030001@codemonkey.ws> <200702221044.48581.luke@dashjr.org>
List-Id: qemu-devel.nongnu.org

Luke -Jr wrote:
> On Thursday 22 February 2007 10:35, you wrote:
>
>> I would be happy with a patch that allowed a password to be set from the
>> monitor. Storing a password in a file on disk is, IMHO, ugly. If no
>> one beats me to it, I'll probably write something up this weekend.
>>
>
> That doesn't make it too simple to start a qemu session without a human
> present. It also means there's a vulnerable window of time without a
> password.
In my patch queue, I have a patch that adds a null VNC target along with
another patch to allow you to change what the VNC server listens to in the
monitor. I also have a small program that lets you execute monitor commands
outside of QEMU (assuming the monitor is a unix socket). So, without human
intervention, you would do:

  qemu -vnc null ...
  connect to monitor and set password
  connect to monitor and change vnc server to listen on :3

Regards,

Anthony Liguori

>> For real security, TLS integration is most certainly the way to go. I
>> want to make sure anything we do though doesn't violate the RFB spec so
>> we have to validate the authentication ids are reserved and the
>> protocol isn't violated in any way (realizing there's no absolutely
>> secure way to do RFB and still be compatible to the spec).
>>
>
> Well, in theory I can use iptables to restrict connections only from an
> individual local user (--uid-owner) and thus require SSH authentication, but
> I'm not sure how simple that will be to do from Java...
>
>
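The three-step start-up Anthony sketches, scripted as an added example; this is not code from the thread or from QEMU itself. It assumes the `-vnc null` target and the `change vnc <display>` monitor command from the patches he describes, and that `change vnc password <pw>` is the monitor command that sets the password (the spellings in the QEMU build you run may differ: shipped QEMU uses `-vnc none` and `set_password vnc`, and may not accept a display after `change vnc`); it also assumes the monitor is a unix socket and that `socat` is installed. The point it makes is the one Luke raised: the password must be set before the server is told to listen, so there is never a window in which an unauthenticated client can connect, and the password never appears on the qemu command line where `ps` would show it to every local user.

```shell
#!/bin/sh
# Added example: unattended QEMU start with VNC password set before listening.
# Assumed spellings (from the patches described in the thread, not verified
# against any shipped QEMU): "-vnc null", "change vnc password <pw>",
# "change vnc <display>". QEMU binary name is taken from $QEMU (default "qemu").

# Monitor command sequence for one guest. Password first, listen second:
# that ordering is what closes the "vulnerable window" without a human.
# (Monitor commands are line-oriented; the password must not contain
# whitespace or it would be split into extra arguments.)
vnc_monitor_script() {
    pw=$1
    display=$2
    printf 'change vnc password %s\n' "$pw"
    printf 'change vnc %s\n' "$display"
}

# Check a monitor script read from stdin: every listen command must come
# after the password has been set, and there must be a listen command.
# Exit status 0 means safe, 1 means a client could connect unauthenticated
# (or the server would never listen at all).
vnc_script_is_safe() {
    awk '
        /^change vnc password / { pw_set = 1; next }
        /^change vnc /          { if (!pw_set) unsafe = 1; listens = 1 }
        END { exit (unsafe || !listens) ? 1 : 0 }
    '
}

# Wait up to $2 seconds for the monitor unix socket $1 to appear.
wait_for_socket() {
    sock=$1
    n=$2
    while [ "$n" -gt 0 ]; do
        [ -S "$sock" ] && return 0
        sleep 1
        n=$((n - 1))
    done
    return 1
}

# Start a guest with VNC disabled and a unix-socket monitor, then push the
# password and the listen address through the monitor. The password is read
# as one line from stdin rather than passed as an argument.
start_guest() {
    sock=$1
    display=$2
    shift 2                      # remaining arguments go to qemu (disk, memory, ...)
    IFS= read -r pw

    "${QEMU:-qemu}" -vnc null -monitor "unix:$sock,server,nowait" "$@" &

    wait_for_socket "$sock" 10 || {
        echo "monitor socket $sock never appeared" >&2
        return 1
    }

    script=$(vnc_monitor_script "$pw" "$display")
    printf '%s\n' "$script" | vnc_script_is_safe || {
        echo "refusing to send a monitor script that listens before the password is set" >&2
        return 1
    }
    printf '%s\n' "$script" | socat - "UNIX-CONNECT:$sock"
}

# Usage:  printf 'hunter2\n' | sh start-guest.sh start /tmp/qemu-mon.sock :3 -m 512 -hda guest.img
case "${1:-}" in
    start) shift; start_guest "$@" ;;
esac
```

The self-check in `vnc_script_is_safe` is there so that someone later reordering the commands, or adding a second listen address, cannot silently reintroduce the unauthenticated window; the script refuses to talk to the monitor at all if the ordering is wrong.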