
Re: [Xen-devel] ioemu: empty vnc passwd

On Wednesday 23 January 2008 17:28:11 Daniel P. Berrange wrote:
> On Wed, Jan 23, 2008 at 05:19:33PM +0100, Christoph Egger wrote:
> > If we do a debug build let us assume we are in a testing environment.
> > There an empty vnc password is ok.
> > If we don't make a debug build, let us assume we are in a production
> > environment where an empty vnc password is a security risk.
> That logic is flawed. VNC may be configured to use TLS + x509 certificates
> which provide real security. A VNC passwd is not really very credible
> security whether it's zero or 8 chars in length. It shouldn't try to
> second guess what an admin wants.

That's right. vnc-auth is nothing. TLS (vnc security type 18) and
Tight (vnc security type 16) are much better.

> VNC password authentication is turned on / off via the ',passwd' flag on
> the -vnc command line to QEMU. If password auth is on, and a zero length
> string is found as a password, then all logins are completely disabled -
> the VNC password auth code will fail all logins. If passwd auth is off on
> the command line, then any password stored in xenstore is irrelevant, no
> matter what length it is.
> Dan.

AMD Saxony, Dresden, Germany
Operating System Research Center

Legal Information:
AMD Saxony Limited Liability Company & Co. KG
Registered office (business address):
   Wilschdorfer Landstr. 101, 01109 Dresden, Germany
Register court Dresden: HRA 4896
General partner authorized to represent:
   AMD Saxony LLC (registered office Wilmington, Delaware, USA)
Managing directors of AMD Saxony LLC:
   Dr. Hans-R. Deppe, Thomas McCoy
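
Added example, not part of the original message and not QEMU or Xen code: a small Python audit that applies the rules described in the quoted reply above to a device-model command line and the password stored for the guest. The function names, result labels, command lines and passwords are constructed for illustration; the `tls`, `x509` and `x509verify` option names are upstream QEMU's, and the password flag is accepted both as `passwd` (as written in the thread) and `password` (upstream QEMU's spelling).

```python
import shlex

# The thread writes the flag as ',passwd'; upstream QEMU documents 'password'.
PASSWORD_FLAGS = {"passwd", "password"}

def vnc_options(cmdline):
    """Return the options after the display in '-vnc display,opt,...', or None."""
    argv = shlex.split(cmdline)
    if "-vnc" not in argv[:-1]:          # absent, or no argument follows it
        return None
    return argv[argv.index("-vnc") + 1].split(",")[1:]

def effective_vnc_auth(cmdline, stored_password):
    """Classify what a VNC client will face, per the rules in the thread."""
    opts = vnc_options(cmdline)
    if opts is None:
        return {"vnc": False}
    names = {o.split("=", 1)[0] for o in opts}
    if not names & PASSWORD_FLAGS:
        login = "no-password-check"      # stored password is irrelevant
    elif not stored_password:
        login = "all-logins-fail"        # password auth on, zero-length password
    else:
        login = "password-required"
    if "tls" in names and "x509verify" in names:
        transport = "tls+x509verify"     # server also validates client certs
    elif "tls" in names and "x509" in names:
        transport = "tls+x509"
    elif "tls" in names:
        transport = "tls"
    else:
        transport = "plain"
    return {"vnc": True, "login": login, "transport": transport}

# Constructed sample inputs: (command line, password stored for the guest).
SAMPLES = [
    ("qemu-dm -vnc 127.0.0.1:0,passwd", ""),
    ("qemu-dm -vnc 127.0.0.1:0,passwd", "s3cret12"),
    ("qemu-dm -vnc 127.0.0.1:0", "s3cret12"),
    ("qemu-dm -vnc 0.0.0.0:1,tls,x509verify=/etc/pki/qemu", None),
]

if __name__ == "__main__":
    for cmd, pw in SAMPLES:
        print(cmd, "->", effective_vnc_auth(cmd, pw))
```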
