WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-devel

RE: [Xen-devel] Individual passwords for guest VNC servers ?

To: "Masami Watanabe" <masami.watanabe@xxxxxxxxxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxx>
Subject: RE: [Xen-devel] Individual passwords for guest VNC servers ?
From: "Ian Pratt" <m+Ian.Pratt@xxxxxxxxxxxx>
Date: Fri, 22 Sep 2006 13:49:41 +0100
Delivery-date: Fri, 22 Sep 2006 05:50:16 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <A95E2296287EAD4EB592B5DEEFCE0E9D572606@xxxxxxxxxxxxxxxxxxxxxxxxxxx> <JB2006092221043832.34149296@xxxxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: AcbePxNnJtPGPxHqSMi/inxMkFzgPgABJqnw
Thread-topic: [Xen-devel] Individual passwords for guest VNC servers ?

>   - A password has to be encoded in base64 format.  For example, you can
>     obtain one by executing the next command.
>         # cat ~/.vnc/passwd | uuencode -m passwd | head -2 | tail -1

Nice work.

Didn't someone suggest that there was some better tool than uuencode for
getting the password printable? One that was in the 'base' of most
distros? (which I don't think uuencode is)

It would be nice if we had a script that invoked the 'vncpasswd' and the
above encoding to print the string to cut and paste.

Thanks,
Ian

 
> Configuration examples:
>   - No password authentication for all VNC consoles.
>         --- xend-config.sxp ---
>         (vncpasswd  '')
>         -----------------------
> 
>   - Single common password for all VNC consoles.
>         --- xend-config.sxp ---
>         (vncpasswd 'PASSWORD')
>         -----------------------
> 
>   - VM-specific password for vm1.
>         --- vm1 config --------
>         vncpasswd = "PASSWORD for vm1"
>         -----------------------
> 
> Notes and request:
>  - On log file permissions.
>    Please mind logfile permissions since passwords are recorded in
>    xend and qemu-dm logfiles, though they are not decoded.
>  - On DES (Data Encryption Standard).
>    Please check the copyright notes in d3des.h and d3des.c and the
>    description that says "a portable, public domain, version of the Data
>    Encryption Standard."
>    I needed the DES module in standard VNC.  So I included these files
>    without modification from VNC 4.1.1 source distribution for Unix
>    platforms.
> 
> Other notes:
>  - I tested that the following VNC clients successfully negotiated to
>    the VNC console.
>         VNC Viewer Free Edition 4.1.1 for X
>         VNC Free Edition for Windows Version 4.1.2
>         UltraVNC Win32 Viewer 1.0.2
> 
> 
> Signed-off-by: Masami Watanabe <masami.watanabe@xxxxxxxxxxxxxx>
> 
> Best regards,
> Watanabe
> 
> 
> 
> On Thu, 31 Aug 2006 11:45:37 +0100, Ian Pratt wrote:
> > > I take your point about security, I'll do as follows.
> > > - vnc_passwd is not omissible.
> > > - The domain cannot be created if there is no vnc_passwd.
> >
> > It would also be good to be able to specify a system-wide vnc password
> > in the xend-config.sxp that is overridden by individual guest configs.
> >
> > Thanks,
> > Ian
> >
> > > > On Thu, Aug 31, 2006 at 10:23:56AM +0900, Masami Watanabe wrote:
> > > > > I'm thinking of adding the following protection to VNC console.
> > > > > I know it's not perfect, nonetheless, it's far better than the current
> > > > > no protection situation. Please comment.
> > > > >
> > > > > Specification:
> > > > > - The same challenge-response auth scheme as standard VNC to be available
> > > > >   from VNC viewer (like RealVNC).
> > > >
> > > > Yeah, looking at the various clients, challenge-response is the only one
> > > > we can really rely on being present - in fact it's the only one supported
> > > > by Fedora VNC client (RealVNC IIRC?) at all.
> > > >
> > > > > - The vnc password of each VM is described in the VM configuration file.
> > > > >   When the password is omitted, do not use authentication.
> > > > >     ex) vnc_passwd = xxxxx
> > > >
> > > > I think we should be secure by default - if they omit the password then
> > > > we should either generate one - and store it in xenstore, or refuse to
> > > > activate VNC server. If we really really want to allow no passwords, then
> > > > admin could have to explicitly request it with vnc_no_password=1
> > > > in the config file - but my preference is still that we should flat out
> > > > refuse to allow an empty password - in this day & age it's just plain wrong.
> > > > RealVNC server for example, refuses to allow empty password.
> > > >
> > > > > - Where "xxxxx" is a uuencoded encrypted password, that is,
> > > > >   you can get this value by
> > > > >   # cat ~/.vnc/passwd | uuencode -m passwd
> > > > >     (needs uuencode command: sharutils package)
> > > >
> > > > Perhaps base64 would be preferable - that's a standard part of Linux
> > > > coreutils toolset, rather than an addon like uuencode is.
> > > >
> > > > Regards,
> > > > Dan.
> > > > --
> > > > |=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
> > > > |=-           Perl modules: http://search.cpan.org/~danberr/              -=|
> > > > |=-               Projects: http://freshmeat.net/~danielpb/               -=|
> > > > |=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=|
> > > >
> > > > _______________________________________________
> > > > Xen-devel mailing list
> > > > Xen-devel@xxxxxxxxxxxxxxxxxxx
> > > > http://lists.xensource.com/xen-devel
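The cut-and-paste helper Ian asks for above, as an added example that is not part of the thread or of the Xen tree: it base64-encodes an existing VNC passwd file with coreutils' base64 (Dan's suggestion), falls back to the uuencode pipeline from the patch description, and prints both config forms (system-wide xend-config.sxp and per-VM). It assumes the file is the 8-byte DES-obfuscated ~/.vnc/passwd that RealVNC's vncpasswd writes; the sample bytes it constructs for testing are not a real obfuscated password.

```sh
#!/bin/sh
# Added example (not code from the thread): print the encoded vncpasswd value
# for xend-config.sxp / a VM config from an existing ~/.vnc/passwd file.
# Assumption: the file is the 8-byte passwd file written by RealVNC's vncpasswd.
set -eu

# Encode one passwd file as the single base64 line the proposed config expects.
encode_vnc_passwd() {
    file="$1"
    [ -f "$file" ] || { echo "encode_vnc_passwd: no such file: $file" >&2; return 1; }
    # vncpasswd always writes exactly 8 bytes; anything else is not a passwd file.
    size=$(wc -c < "$file" | tr -d ' ')
    [ "$size" -eq 8 ] || { echo "encode_vnc_passwd: $file is $size bytes, expected 8" >&2; return 1; }
    if command -v base64 >/dev/null 2>&1; then
        base64 < "$file" | tr -d '\n'                    # coreutils, in the base of most distros
    else
        uuencode -m passwd < "$file" | head -2 | tail -1 # sharutils fallback, as in the patch
    fi
    echo
}

# Print the system-wide (xend-config.sxp) and per-VM config lines for an encoded value.
vnc_config_lines() {
    enc="$1"
    printf "(vncpasswd '%s')\n" "$enc"   # xend-config.sxp: default for every VNC console
    printf 'vncpasswd = "%s"\n' "$enc"   # VM config file: overrides the system-wide value
}

# Write a constructed 8-byte sample (bytes 0x00..0x07, NOT a real obfuscated
# password) so the functions above can be exercised without running vncpasswd.
write_sample_passwd() {
    printf '\000\001\002\003\004\005\006\007' > "$1"
}

main() {
    passwd="${1:-$HOME/.vnc/passwd}"
    # vncpasswd prompts for the password itself and writes the file given as its argument.
    [ -f "$passwd" ] || vncpasswd "$passwd"
    vnc_config_lines "$(encode_vnc_passwd "$passwd")"
}

# Run only when invoked with an explicit path, so sourcing the file has no side effects.
if [ $# -gt 0 ]; then main "$@"; fi
```

Usage: `sh vnc-passwd-b64.sh ~/.vnc/passwd`; the printed value is the password file, not the password, so the logfile caveat from the patch description still applies to anywhere the value is recorded.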