
RE: [Xen-devel] Individual passwords for guest VNC servers ?




>   - A password has to be encoded in base64 format.  For example, you can
>     obtain one by executing the next command.
>         # cat ~/.vnc/passwd | uuencode -m passwd | head -2 | tail -1

Nice work.

Didn't someone suggest that there was some better tool than uuencode for
getting the password printable? One that was in the 'base' of most
distros? (which I don't think uuencode is)

It would be nice if we had a script that invoked the 'vncpasswd' and the
above encoding to print the string to cut and paste.

Thanks,
Ian

 
> Configuration examples:
>   - No password authentication for all VNC consoles.
>         --- xend-config.sxp ---
>         (vncpasswd  '')
>         -----------------------
> 
>   - Single common password for all VNC consoles.
>         --- xend-config.sxp ---
>         (vncpasswd 'PASSWORD')
>         -----------------------
> 
>   - VM-specific password for vm1.
>         --- vm1 config --------
>         vncpasswd = "PASSWORD for vm1"
>         -----------------------
> 
> Notes and request:
>  - On log file permissions.
>    Please mind logfile permissions since passwords are recorded in
>    xend and qemu-dm logfiles, though they are not decoded.
>  - On DES (Data Encryption Standard).
>    Please check the copyright notes in d3des.h and d3des.c and the
>    description that says "a portable, public domain, version of the
>    Data Encryption Standard."
>    I needed the DES module in standard VNC.  So I included these files
>    without modification from VNC 4.1.1 source distribution for Unix
>    platforms.
> 
> Other notes:
>  - I tested that the following VNC clients successfully negotiated to
>    the VNC console.
>         VNC Viewer Free Edition 4.1.1 for X
>         VNC Free Edition for Windows Version 4.1.2
>         UltraVNC Win32 Viewer 1.0.2
> 
> 
> Signed-off-by: Masami Watanabe <masami.watanabe@xxxxxxxxxxxxxx>
> 
> Best regards,
> Watanabe
> 
> 
> 
> On Thu, 31 Aug 2006 11:45:37 +0100, Ian Pratt wrote:
> > > I take your point about security, I'll do as follows.
> > > - vnc_passwd is not omissible.
> > > - The domain cannot be created if there is no vnc_passwd.
> >
> > It would also be good to be able to specify a system-wide vnc password
> > in the xend-config.sxp that is overridden by individual guest configs.
> >
> > Thanks,
> > Ian
> >
> > > > On Thu, Aug 31, 2006 at 10:23:56AM +0900, Masami Watanabe wrote:
> > > > > I'm thinking of adding the following protection to VNC console.
> > > > > I know it's not perfect, nonetheless, it's far better than the current
> > > > > no protection situation. Please comment.
> > > > >
> > > > > Specification:
> > > > > - The same challenge-response auth scheme as standard VNC to be available
> > > > >   from VNC viewer (like RealVNC).
> > > >
> > > > Yeah, looking at the various clients, challenge-response is the only one
> > > > we can really rely on being present - in fact it's the only one supported
> > > > by Fedora VNC client (RealVNC IIRC?) at all.
> > > >
> > > > > - The vnc password of each VM is described in the VM configuration file.
> > > > >   When the password is omitted, do not use authentication.
> > > > >     ex) vnc_passwd = xxxxx
> > > >
> > > > I think we should be secure by default - if they omit the password then
> > > > we should either generate one - and store it in xenstore, or refuse to
> > > > activate VNC server. If we really really want to allow no passwords, then
> > > > admin could have to explicitly request it with vnc_no_password=1
> > > > in the config file - but my preference is still that we should flat out
> > > > refuse to allow an empty password - in this day & age it's just plain wrong.
> > > > RealVNC server for example, refuses to allow empty password.
> > > >
> > > > > - Where "xxxxx" is an uuencoded encrypted password, that is,
> > > > >   you can get this value by
> > > > >   # cat ~/.vnc/passwd | uuencode -m passwd
> > > > >     (needs uuencode command: sharutils package)
> > > >
> > > > Perhaps base64 would be preferable - that's a standard part of Linux
> > > > coreutils toolset, rather than an addon like uuencode is.
> > > >
> > > > Regards,
> > > > Dan.
> > > > --
> > > > |=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
> > > > |=-           Perl modules: http://search.cpan.org/~danberr/ -=|
> > > > |=-               Projects: http://freshmeat.net/~danielpb/ -=|
> > > > |=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
> > > >
> > > > _______________________________________________
> > > > Xen-devel mailing list
> > > > Xen-devel@xxxxxxxxxxxxxxxxxxx
> > > > http://lists.xensource.com/xen-devel

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
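
One shape the encoding half of the script requested above could take, using `base64` from coreutils as suggested in the quoted discussion. This is an added example, not part of the original messages or of Xen; it assumes an 8-byte password file as written by `vncpasswd` and GNU `stat`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: turn an existing VNC password file into the base64
# string used by the vncpasswd settings quoted in this thread.

# Print the base64 form of a VNC password file on one line.
# Assumption: the file holds the 8-byte obfuscated password that
# vncpasswd writes; anything else is rejected rather than encoded.
vnc_passwd_b64() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    size=$(wc -c < "$file" | tr -d ' ')
    # An empty file would encode to '', which the quoted config examples
    # treat as "no password authentication"; refuse it.
    [ "$size" -eq 8 ] || { echo "expected 8 bytes, got $size" >&2; return 1; }
    # The encoded string is password-equivalent (base64 is not protection),
    # so the source file must not be readable by group or others.
    mode=$(stat -c '%a' "$file")
    case $mode in
        *00) ;;
        *) echo "refusing $file: mode $mode, expected 600" >&2; return 1 ;;
    esac
    base64 < "$file" | tr -d '\n'
}

# Print the config line for scope "xend" (xend-config.sxp) or
# "guest" (per-VM config), in the syntax shown in the quoted examples.
vnc_config_line() {
    b64=$(vnc_passwd_b64 "$2") || return 1
    case $1 in
        xend)  printf "(vncpasswd '%s')\n" "$b64" ;;
        guest) printf 'vncpasswd = "%s"\n' "$b64" ;;
        *) echo "scope must be xend or guest" >&2; return 1 ;;
    esac
}
```

Run `vncpasswd` first to create `~/.vnc/passwd`, then call `vnc_config_line guest ~/.vnc/passwd`; the config file that receives the line needs the same restrictive permissions as the password file.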


 

