[Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in lib

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in lib

From:	Bug Watch Updater
Subject:	[Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
Date:	Fri, 27 Oct 2017 16:28:02 -0000

Launchpad has imported 3 comments from the remote bug at
https://bugzilla.redhat.com/show_bug.cgi?id=667097.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2011-01-04T12:30:55+00:00 Neil wrote:

Description of problem:

The help for 'vnc_password' in qemu.conf states "An empty string will
still enable passwords, but be rejected by QEMU effectively preventing
any use of VNC.".

Yet if you set vnc_password="" then you can access the VNC console
without any password prompt at all - just as you can if the entry is
hashed out.

Version-Release number of selected component (if applicable):

libvirtd (libvirt) 0.8.3


How reproducible:

Every time by configuration

Steps to Reproduce:
1. Create a VNC console without a password.
2. Set vnc_password="" in /etc/libvirt/qemu.conf
3. Start up a guest and access the VNC console with a client. 
  
Actual results:

You get straight into the console with no prompts.


Expected results:

Should have come up with a prompt and rejected the access. Or the
instructions in the qemu.conf file need changing to take account of the
current behaviour.

Additional info:

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/697197/comments/2

------------------------------------------------------------------------
On 2011-01-04T12:48:32+00:00 Neil wrote:

Similarly if you set the passwd attribute to '' in the vnc graphics XML
stanza.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/697197/comments/3

------------------------------------------------------------------------
On 2011-01-07T14:45:34+00:00 Daniel wrote:

This is not a libvirt bug. This is caused by a flaw in particular QEMU
version you are using, which silently disables auth when the password is
set to "". This bug was introduced in QEMU in this bogus commit

commit 52c18be9e99dabe295321153fda7fce9f76647ac
Author: Zachary Amsden <address@hidden>
Date:   Thu Jul 30 00:15:01 2009 -1000

    When using stdio monitor and VNC display, one can set or clear a VNC
password; this should set or turn off VNC authentication as well.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/697197/comments/5


** Changed in: libvirt
       Status: Unknown => Invalid

** Changed in: libvirt
   Importance: Unknown => Medium

** Changed in: qemu-kvm
       Status: Unknown => Fix Released

** Changed in: qemu-kvm
   Importance: Unknown => Medium

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/697197

Title:
  Empty password allows access to VNC in libvirt

Status in libvirt:
  Invalid
Status in QEMU:
  Fix Released
Status in qemu-kvm:
  Fix Released
Status in libvirt package in Ubuntu:
  Invalid
Status in qemu-kvm package in Ubuntu:
  Fix Released
Status in libvirt source package in Lucid:
  Invalid
Status in qemu-kvm source package in Lucid:
  Fix Released
Status in libvirt source package in Maverick:
  Invalid
Status in qemu-kvm source package in Maverick:
  Fix Released
Status in libvirt source package in Natty:
  Invalid
Status in qemu-kvm source package in Natty:
  Fix Released
Status in libvirt source package in Karmic:
  Invalid
Status in qemu-kvm source package in Karmic:
  Fix Released
Status in qemu-kvm package in Debian:
  Fix Released

Bug description:
  The help in the /etc/libvirt/qemu.conf states

  "To allow access without passwords, leave this commented out. An empty
  string will still enable passwords, but be rejected by QEMU
  effectively preventing any use of VNC."

  yet setting:

  vnc_password=""

  allows access to the vnc console without any password prompt just as
  if it is hashed out completely.

  ProblemType: Bug
  DistroRelease: Ubuntu 10.10
  Package: libvirt-bin 0.8.3-1ubuntu14
  ProcVersionSignature: Ubuntu 2.6.35-24.42-server 2.6.35.8
  Uname: Linux 2.6.35-24-server x86_64
  Architecture: amd64
  Date: Tue Jan  4 12:18:35 2011
  InstallationMedia: Ubuntu-Server 10.04.1 LTS "Lucid Lynx" - Release amd64 
(20100816.2)
  ProcEnviron:
   LANG=en_GB.UTF-8
   SHELL=/bin/bash
  SourcePackage: libvirt

To manage notifications about this bug go to:
https://bugs.launchpad.net/libvirt/+bug/697197/+subscriptions

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt, Bug Watch Updater <=
- [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt, Bug Watch Updater, 2017/10/27

Prev by Date: Re: [Qemu-devel] [PATCHv4 00/13] sun4m: sparc32_dma tidy-ups
Next by Date: [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
Previous by thread: [Qemu-devel] [PATCH v7 0/5] arm: kinetis_mk64fn1m0 machine
Next by thread: [Qemu-devel] [Bug 697197] Re: Empty password allows access to VNC in libvirt
Index(es):
- Date
- Thread