Re: [Xen-devel] [PATCH] vnclisten for HVM vnc



On Wed, Sep 27, 2006 at 09:40:57PM +0100, Ian Pratt wrote:
> > > > IMHO, we should only listen on 127.0.0.1 by default - particularly
> > > > since the Xen 3.0.3 release isn't going to have password
> > > > authentication on the VNC servers yet :-(  It'll be all too easy for
> > > > someone to turn on VNC in the guest config & not realize they just
> > > > opened themselves up to any person on the network by default. That
> > > > kind of default insecure behaviour is best left in the Windows world
> > >
> > > I don't necessarily disagree, but changing the semantics like that
> > > felt a little bit ugly to me -- it definitely leads to a case where
> > > going from 3.0.2 -> 3.0.3 would break configurations users were
> > > actively using.
> > 
> > It is a painful problem I agree, but I think the security benefit is
> > worth the pain of breaking users' existing configs. It's not a difficult
> > task for users to re-enable the wide-open-to-anyone config if they
> > really do need it.
> 
> I agree too: we should listen on 127.0.0.1 by default.

Ok, attached is an adaptation of Jeremy's initial patch to do this. 

The logic for determining which interface to listen on goes like this:

 - If 'vnclisten' is set in guest config, use that (can use 0.0.0.0 to
   indicate all interfaces)
 - If 'vnc-listen' is set in /etc/xen/xend-config.sxp, use that
   (again can set it to 0.0.0.0 to listen on all interfaces by
    default)
 - Else  use 127.0.0.1  

So, this makes VNC local only by default using 127.0.0.1. Anyone who wants
the old behaviour can just change the xend-config.sxp setting...

   (vnc-listen '0.0.0.0')

...which will affect all guests without an explicit setting. 

  Signed-off-by:  Daniel P. Berrange <berrange@xxxxxxxxxx>

Regards,
Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 

Attachment: xen-vnclisten-2.patch
Description: Text document
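The three-level precedence described in the message (guest 'vnclisten', then 'vnc-listen' in xend-config.sxp, then 127.0.0.1), as an added example that is not the patch's or xend's own code. It assumes the guest config has already been parsed into a dict with 'vnc' and 'vnclisten' keys, only handles flat one-line (key 'value') sxp settings, and adds an exposure check so an administrator can spot guests whose console ends up reachable beyond the host; the xend-config.sxp excerpt and the guest list are constructed for the example.

```python
import ipaddress
import re

# Fallback described in the message when neither config names an address.
DEFAULT_VNC_LISTEN = "127.0.0.1"

# Constructed xend-config.sxp excerpt (not a real file from the thread).
SAMPLE_XEND_CONFIG = """\
# Example xend-config.sxp excerpt, constructed for this example
(xend-http-server no)
#(vnc-listen '0.0.0.0')
(vnc-listen '127.0.0.1')
"""

# Constructed guest configs, already parsed into dicts (assumption: the
# guest-config parser exposes 'vnc' and 'vnclisten' under these names).
SAMPLE_GUESTS = {
    "web01": {"vnc": 1},                                # inherits xend setting
    "db01": {"vnc": 1, "vnclisten": "0.0.0.0"},         # explicitly wide open
    "build01": {"vnc": 1, "vnclisten": "192.0.2.10"},   # one specific NIC
    "batch01": {"vnc": 0},                              # no VNC at all
}

# Matches flat settings such as (vnc-listen '127.0.0.1') or (xend-http-server no).
_SXP_RE = re.compile(r"^\(\s*(?P<key>[\w-]+)\s+'?(?P<val>[^')\s]+)'?\s*\)")


def parse_sxp_settings(text):
    """Parse one-line (key 'value') entries, skipping blank and '#' comment lines."""
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _SXP_RE.match(stripped)
        if m:
            settings[m.group("key")] = m.group("val")
    return settings


def resolve_vnc_listen(guest_cfg, xend_cfg):
    """Guest 'vnclisten' wins, then xend 'vnc-listen', else loopback."""
    addr = guest_cfg.get("vnclisten")
    if addr:
        return addr
    addr = xend_cfg.get("vnc-listen")
    if addr:
        return addr
    return DEFAULT_VNC_LISTEN


def is_network_reachable(addr):
    """True when binding to addr exposes the console beyond the local host."""
    ip = ipaddress.ip_address(addr)
    # Loopback stays local; the wildcard (0.0.0.0) or any interface address
    # is reachable by whoever can route to that interface.
    return not ip.is_loopback


def audit_guests(guests, xend_cfg):
    """Map each VNC-enabled guest to (listen address, exposed beyond host?)."""
    report = {}
    for name, cfg in guests.items():
        if not cfg.get("vnc"):
            continue
        addr = resolve_vnc_listen(cfg, xend_cfg)
        report[name] = (addr, is_network_reachable(addr))
    return report


if __name__ == "__main__":
    xend_cfg = parse_sxp_settings(SAMPLE_XEND_CONFIG)
    for guest, (addr, exposed) in sorted(audit_guests(SAMPLE_GUESTS, xend_cfg).items()):
        flag = "EXPOSED (no VNC password in 3.0.3)" if exposed else "local only"
        print(f"{guest:8s} vnc listens on {addr:12s} {flag}")
```

Flipping the commented-out line in the sample to (vnc-listen '0.0.0.0') is exactly the "old behaviour" switch the message describes: every guest without its own vnclisten then reports as exposed, while guests that set vnclisten explicitly are unaffected.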

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel