xen-users

Re: RE : Re: [Xen-users] XEN domUs and X11 (maybe not Xen-related)

To: Frédérique Da Luene <frederique_daluene@xxxxxxxx>
Subject: Re: RE : Re: [Xen-users] XEN domUs and X11 (maybe not Xen-related)
From: Nico Kadel-Garcia <nkadel@xxxxxxxxx>
Date: Thu, 17 Jan 2008 22:47:59 +0000
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Frédérique Da Luene wrote:
> Hi Nico,
>
> --- Nico Kadel-Garcia <nkadel@xxxxxxxxx> wrote:
>
> > Or, if you feel the need, you can use the vncviewer built into Xen itself, but this presents other
> > management and security issues.
>
> And what are those security issues (you can point me
> to some reference docs on the 'net, of course).
>
> Tia,
>
> FdL

No need: I wrote the SunOS port for VNC years ago.

1: VNC sessions do not necessarily close the X session running on the VNC server when they disconnect. In fact, configured appropriately, multiple people can share the same session, and it'll stay open and active until the last person disconnects, even if it's set to auto-logout.

2: Since that session is still open, anyone who gets the VNC access or VNC password now potentially has access to any open consoles on the VNC server.

This is a serious security issue with lots of VNC-based tools, such as most remote KVMs. It mandates that you use a good screenlock on the VNC server's X session, in case you walk away and come back. Xen default setups attempt to deal with this somewhat by restricting those VNC clients to access from the Dom0 itself. But woe betide the admin who opens it up for remote management and fails to protect their X session!
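Editor's added example, not part of the original message or of Xen itself: a small audit of an xm-style domU config file for the situation described above, a VNC console opened beyond Dom0. It assumes the `vnc`, `vnclisten`, `vncpasswd` and `vfb` options of Xen's xm config format (which is Python syntax), and treats an unset `vnclisten` as inheriting xend's own listen setting; the sample configs are constructed.

```python
import ast
import ipaddress

def _settings(config_text):
    """Collect literal top-level assignments from an xm-style domU config."""
    out = {}
    for node in ast.parse(config_text).body:
        if isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
            try:
                out[node.targets[0].id] = ast.literal_eval(node.value)
            except (ValueError, TypeError):
                pass  # non-literal expression: ignore rather than execute it
    return out

def _vnc_consoles(cfg):
    """Yield (source, listen, password) for each VNC console the config enables."""
    if cfg.get("vnc"):  # HVM style: vnc=1, vnclisten=..., vncpasswd=...
        yield "vnc", cfg.get("vnclisten"), cfg.get("vncpasswd")
    for spec in cfg.get("vfb", []):  # PV style: vfb=['type=vnc,vnclisten=...']
        opts = dict(kv.split("=", 1) for kv in spec.split(",") if "=" in kv)
        if opts.get("type") == "vnc":
            yield "vfb", opts.get("vnclisten"), opts.get("vncpasswd")

def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr == "localhost"

def audit_domu_vnc(config_text):
    """Return findings for VNC consoles reachable from outside Dom0."""
    findings = []
    for source, listen, password in _vnc_consoles(_settings(config_text)):
        if listen is None or _is_loopback(listen):
            continue  # unset: assumed to inherit xend's vnc-listen setting
        findings.append(f"{source}: VNC console listens on {listen}, not only Dom0")
        if not password:
            findings.append(f"{source}: no vncpasswd set on exposed console")
    return findings

# Constructed sample configs (not from the thread).
EXPOSED = 'name = "web01"\nvnc = 1\nvnclisten = "0.0.0.0"\nvncpasswd = ""\n'
LOCAL_ONLY = 'name = "db01"\nvfb = ["type=vnc,vnclisten=127.0.0.1,vncunused=1"]\n'

if __name__ == "__main__":
    for name, text in (("EXPOSED", EXPOSED), ("LOCAL_ONLY", LOCAL_ONLY)):
        print(name, audit_domu_vnc(text) or "ok")
```

A clean result only covers the listen address and password; the X session behind the console still needs the screen lock the message calls for.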

