Message-ID: <46AFE609.1080601@codemonkey.ws>
Date: Tue, 31 Jul 2007 20:46:49 -0500
From: Anthony Liguori
To: "Daniel P. Berrange", qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] PATCH 3/8: VNC password authentication
References: <20070731192316.GI18730@redhat.com> <20070731192641.GL18730@redhat.com>
In-Reply-To: <20070731192641.GL18730@redhat.com>

Daniel P. Berrange wrote:
> This patch introduces support for VNC protocols up to 3.8 and with
> it, support for password based authentication. VNC's password based
> authentication is not entirely secure, but it is a standard and the
> RFB spec requires that all clients support it. The password can be
> provided by using the monitor 'change vnc :1' and it will prompt for
> a password to be entered. Passwords have up to 8 letters of context.
> Pressing 'enter' without entering any characters disables password
> auth in the server.
> NB, we need a custom copy of d3des here because
> VNC uses a 'special' modification of the algorithm. This d3des code
> is public domain & in all other VNC servers & clients.
>

I think it may be better to have a command to explicitly set the vnc password. Issuing "change vnc :1" just to change the password is a little awkward IMHO.

> - > - vnc_write_u32(vs, 1); /* None */ > - vnc_flush(vs); > - > - vnc_read_when(vs, protocol_client_init, 1); > + VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, vs->minor); > + if (vs->major != 3 || > + (vs->minor != 3 && > + vs->minor != 7 && > + vs->minor != 8)) { > + VNC_DEBUG("Unsupported client version\n"); > + vnc_write_u32(vs, VNC_AUTH_INVALID); > + vnc_flush(vs); > + vnc_client_error(vs); > + return 0; > + } >

A very popular VNC client uses 3.5 as the protocol version. I believe the specification requires that 3.5 be treated as 3.3 because of that.

Regards,

Anthony Liguori
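
Review bot: the version test `if (vs->major != 3 || (vs->minor != 3 && vs->minor != 7 && vs->minor != 8))` is a strict allow-list, so a client that announces any other 3.x minor is disconnected instead of being served at a lower protocol level. Consider normalising an unrecognised minor to 3 before this test and keeping the hard rejection for a wrong major, with a comment naming which minors select which handshake. In the rejection branch only `vnc_write_u32(vs, VNC_AUTH_INVALID)` is sent before `vnc_client_error(vs)`, with no reason text, and the value is written as a u32 whatever version the client announced; a comment stating what the client is expected to receive on this path would make it reviewable. The hunk also drops the unconditional `vnc_write_u32(vs, 1); /* None */`, so it is worth confirming in the rest of the patch that "no authentication" is only offered when no password is set.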