[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Xen-devel] Individual passwords for guest VNC servers ?



Hi,

This patch enables password authentication to VNC console.


Specification:
  - This is only for HVM domain.
  - xend-config.sxp (for system-wide) and VM configuration files (for
    VM-specific) can have a VNC password description.
  - A HVM domain bringing up VNC console needs at least one password
    description ether in xend-config.sxp or its VM configuration file.
  - A VM-specific password takes effect if both system-wide and
    VM-specific passwords exist.
  - Password descriptions look like the following.  An empty string for
    vncpassword means no authentication.
        VM configuration file:  vncpasswd = 'string'
        xend-config.sxp      : (vncpasswd   'string')
  - A password has to be encoded in base64 format.  For example, you can
    obtain one by executing the next command.
        # cat ~/.vnc/passwd | uuencode -m passwd | head -2 | tail -1

Configuration examples:
  - No password authentication for all VNC consoles.
        --- xend-config.sxp ---
        (vncpasswd  '')
        -----------------------

  - Single common password for all VNC consoles.
        --- xend-config.sxp ---
        (vncpasswd 'PASSWORD')
        -----------------------

  - VM-specific password for vm1.
        --- vm1 config --------
        vncpasswd = "PASSWORD for vm1"
        -----------------------

Notes and request:
 - On log file permissions.
   Please mind logfile permissons since password are recorded in
   xend and qemu-dm logfiles, though they are not decoded.
 - On DES (Data Encryption Standard).
   Please check the copyright notes in d3des.h and d3des.c and the
   description that says "a portable, public domain, version of the Data
   Encryption Standard."
   I needed the DES module in standard VNC.  So I included these files
   without modification from VNC 4.1.1 source distribution for Unix
   platforms.

Other notes:
 - I tested that the following VNC clients successfully negotiated to
   the VNC console.
        VNC Viewer Free Edition 4.1.1 for X
        VNC Free Edition for Windows Version 4.1.2
        UltraVNC Win32 Viewer 1.0.2


Signed-off-by: Masami Watanabe <masami.watanabe@xxxxxxxxxxxxxx>

Best regards,
Watanabe



On Thu, 31 Aug 2006 11:45:37 +0100, Ian Pratt wrote:
> > I take your point about security, I'll do as follows.
> > - vnc_passwd is not omissible.
> > - The domain cannot be created if there is no vnc_passwd.
> 
> It would also be good to be able to specify a system-wide vnc password
> in the xend-config.sxp that is overridden by individual guest configs. 
> 
> Thanks,
> Ian
> 
> > > On Thu, Aug 31, 2006 at 10:23:56AM +0900, Masami Watanabe wrote:
> > > > I'm thinking of adding the following protection to VNC console.
> > > > I know it's not perfect, nonetheless, it's far better than the
> current
> > > > no protection situation. Please comment.
> > > >
> > > > Specification:
> > > > - The same challenge-response auth scheme as standard VNC to be
> > available
> > > >   from VNC viewer (like RealVNC).
> > >
> > > Yeah, looking at the various clients, challenge-response is the only
> one
> > > we can really rely on being present - in fact its the only one
> supported
> > > by Fedora VNC client (RealVNC IIRC?) at all.
> > >
> > > > - The vnc password of each VM is described in the VM configuration
> > file.
> > > >   When omit the password, do not use authentification.
> > > >     ex) vnc_passwd = xxxxx
> > >
> > > I think we should be secure by default - if they omit the password
> then
> > > we should either generate one - and store it in xenstore, or refuse
> to
> > > activate VNC server. If we really really want to allow no passwords,
> then
> > > admin could have to explicitly request it with vnc_no_password=1
> > > in the config file - but my prefernce is still that we should flat
> out
> > > refuse to allow an empty password - in this day & day its just plain
> > wrong.
> > > RealVNC server for example, refuses to allow empty password.
> > >
> > > > - Where "xxxxx" is an uuencoded encrypted password, that is,
> > > >   you can get this value by
> > > >   # cat ~/.vnc/passwd | uuencode -m passwd
> > > >     (needs uuencode command: sharutils package)
> > >
> > > Perhaps base64 would be preferable - that's a standard part of Linux
> > > coreutils toolset, rather than an addon like uuencode is.
> > >
> > > Regards,
> > > Dan.
> > > --
> > > |=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392
> 2496
> > -=|
> > > |=-           Perl modules: http://search.cpan.org/~danberr/
> > -=|
> > > |=-               Projects: http://freshmeat.net/~danielpb/
> > -=|
> > > |=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B
> 9505
> > -=|
> > >
> > > _______________________________________________
> > > Xen-devel mailing list
> > > Xen-devel@xxxxxxxxxxxxxxxxxxx
> > > http://lists.xensource.com/xen-devel
> > 
> > 
> > _______________________________________________
> > Xen-devel mailing list
> > Xen-devel@xxxxxxxxxxxxxxxxxxx
> > http://lists.xensource.com/xen-devel

Attachment: vnc_auth.patch
Description: Binary data

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.