Re: [Qemu-devel] QEMU: VNC

[Daniel P. Berrange]

On Mon, Feb 19, 2007 at 12:41:53PM -0500, Christopher Olsen wrote:
> 
> On Monday 19 February 2007 12:30, Daniel P. Berrange wrote:
> > On Mon, Feb 19, 2007 at 03:11:15AM +0100, Johannes Schindelin wrote:
> > > Hi,
> > >
> > > On Sun, 18 Feb 2007, Anthony Liguori wrote:
> > > > Christopher Olsen wrote:
> > > > > Sorry I'll attempt to use the preferred patching method in the
> > > > > future..
> > > > >
> > > > > Secure vnc auth method the default built in method from
> > > >
> > > > We can't take a password from a command line.  Supporting VNC auth is
> > > > super easy otherwise.  I really think we need to have a config file
> > > > before we can do VNC passwords.
> > >
> > > No, you should not do VNC passwords. The default VNC password exchange is
> > > insecure and you should not lure users into believing in that false
> > > security.
> >
> > Sure it is insecure over an unencrypted network channel, but if you are
> > tunnelling the VNC connection over SSH, or have restricted it to only
> > bind to 127.0.0.1  then AFAIK it is just fine. So supporting VNC password
> > auth would allow users on a shared machine to secure the console from
> > other unprivileged users on the same box. Definitely useful over the
> > current situation where there's no way to secure even the local-only
> > case. For a serious general purpose authentication I'd like to see the
> > TLS protocol extension for VNC (as implemented in VeNCrypt) supported
> > allowing both secure auth & wire encryption.
> >
> > Dan.
> 
> I've Checked out the VeNCrypt.. Looks a little win32 oriented... 

Guess you missed the 'unix' directory - I have compiled both server & client
of VeNCrypt on Linux no trouble.

> I'm gathering the problem here is that VNC is spinning off in many 
> directions...  So any implementation on the QEMU side will of course marry it 
> to a particular VNC branch or I had an alternative idea..

I think the crux of the matter is that RealVNC sell a commercial version
of VNC which offers real encryption. So I'm guessing that's why they've
never merged any of the patches to do TLS encryption in the open source
codebase. All the patches for VNC + TLS i've seen posted are iterations
of each other - VeNCrypt is the most complete implenentation of any of
them, so the one I'd go for out of the all the choices. 

Regards,
Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=|