WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-devel

RE: [Xen-devel] Individual passwords for guest VNC servers ?

Hi,

This patch enables password authentication to VNC console.


Specification:
  - This is only for HVM domain.
  - xend-config.sxp (for system-wide) and VM configuration files (for
    VM-specific) can have a VNC password description.
  - An HVM domain bringing up VNC console needs at least one password
    description either in xend-config.sxp or its VM configuration file.
  - A VM-specific password takes effect if both system-wide and
    VM-specific passwords exist.
  - Password descriptions look like the following.  An empty string for
    vncpassword means no authentication.
        VM configuration file:  vncpasswd = 'string'
        xend-config.sxp      : (vncpasswd   'string')
  - A password has to be encoded in base64 format.  For example, you can
    obtain one by executing the next command.
        # cat ~/.vnc/passwd | uuencode -m passwd | head -2 | tail -1

Configuration examples:
  - No password authentication for all VNC consoles.
        --- xend-config.sxp ---
        (vncpasswd  '')
        -----------------------

  - Single common password for all VNC consoles.
        --- xend-config.sxp ---
        (vncpasswd 'PASSWORD')
        -----------------------

  - VM-specific password for vm1.
        --- vm1 config --------
        vncpasswd = "PASSWORD for vm1"
        -----------------------

Notes and request:
 - On log file permissions.
   Please mind logfile permissions since passwords are recorded in
   xend and qemu-dm logfiles, though they are not decoded.
 - On DES (Data Encryption Standard).
   Please check the copyright notes in d3des.h and d3des.c and the
   description that says "a portable, public domain, version of the Data
   Encryption Standard."
   I needed the DES module in standard VNC.  So I included these files
   without modification from VNC 4.1.1 source distribution for Unix
   platforms.

Other notes:
 - I tested that the following VNC clients successfully negotiated to
   the VNC console.
        VNC Viewer Free Edition 4.1.1 for X
        VNC Free Edition for Windows Version 4.1.2
        UltraVNC Win32 Viewer 1.0.2


Signed-off-by: Masami Watanabe <masami.watanabe@xxxxxxxxxxxxxx>

Best regards,
Watanabe


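As an added illustration (not part of the patch or of this post), the precedence rules in the specification above can be applied like this in Python: the regexes for the two file formats and the check that the decoded value is the 8-byte contents of ~/.vnc/passwd are assumptions of this example.

```python
import base64
import re

# Constructed sample inputs showing both formats described in the post.
XEND_CONFIG_SXP = """
(xend-port 8000)
(vncpasswd 'AAAAAAAAAAA=')
"""
VM1_CONFIG = """
name = "vm1"
vncpasswd = "AQIDBAUGBwg="
"""


def sxp_vncpasswd(text):
    """Value of (vncpasswd 'string') in xend-config.sxp, or None if absent."""
    m = re.search(r"\(vncpasswd\s+'([^']*)'\s*\)", text)
    return m.group(1) if m else None


def vmconf_vncpasswd(text):
    """Value of vncpasswd = 'string' / "string" in a VM config, or None if absent."""
    m = re.search(r"""^\s*vncpasswd\s*=\s*(['"])(.*?)\1\s*$""", text, re.M)
    return m.group(2) if m else None


def resolve_vnc_passwd(sxp_text, vm_text):
    """Apply the precedence rules: VM-specific wins over system-wide,
    an empty string means no authentication, and a missing value in both
    files means the VNC console must not be brought up at all.

    Returns ("none", b"") or ("auth", <8-byte obfuscated passwd blob>).
    """
    vm_value = vmconf_vncpasswd(vm_text)
    value = vm_value if vm_value is not None else sxp_vncpasswd(sxp_text)
    if value is None:
        raise ValueError("no vncpasswd in xend-config.sxp or VM config; refusing VNC")
    if value == "":
        return ("none", b"")
    try:
        blob = base64.b64decode(value, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("vncpasswd is not valid base64") from exc
    # Assumption: ~/.vnc/passwd holds exactly one 8-byte obfuscated block.
    if len(blob) != 8:
        raise ValueError("decoded vncpasswd must be the 8-byte ~/.vnc/passwd contents")
    return ("auth", blob)
```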

On Thu, 31 Aug 2006 11:45:37 +0100, Ian Pratt wrote:
> > I take your point about security, I'll do as follows.
> > - vnc_passwd is not omissible.
> > - The domain cannot be created if there is no vnc_passwd.
> 
> It would also be good to be able to specify a system-wide vnc password
> in the xend-config.sxp that is overridden by individual guest configs. 
> 
> Thanks,
> Ian
> 
> > > On Thu, Aug 31, 2006 at 10:23:56AM +0900, Masami Watanabe wrote:
> > > > I'm thinking of adding the following protection to VNC console.
> > > > I know it's not perfect, nonetheless, it's far better than the
> > > > current no protection situation. Please comment.
> > > >
> > > > Specification:
> > > > - The same challenge-response auth scheme as standard VNC to be
> > > >   available from VNC viewer (like RealVNC).
> > >
> > > Yeah, looking at the various clients, challenge-response is the only
> > > one we can really rely on being present - in fact it's the only one
> > > supported by Fedora VNC client (RealVNC IIRC?) at all.
> > >
> > > > - The vnc password of each VM is described in the VM configuration
> > > >   file. When the password is omitted, do not use authentication.
> > > >     ex) vnc_passwd = xxxxx
> > >
> > > I think we should be secure by default - if they omit the password
> > > then we should either generate one - and store it in xenstore, or
> > > refuse to activate VNC server. If we really really want to allow no
> > > passwords, then admin could have to explicitly request it with
> > > vnc_no_password=1 in the config file - but my preference is still
> > > that we should flat out refuse to allow an empty password - in this
> > > day & age it's just plain wrong.
> > > RealVNC server for example, refuses to allow empty password.
> > >
> > > > - Where "xxxxx" is a uuencoded encrypted password, that is,
> > > >   you can get this value by
> > > >   # cat ~/.vnc/passwd | uuencode -m passwd
> > > >     (needs uuencode command: sharutils package)
> > >
> > > Perhaps base64 would be preferable - that's a standard part of Linux
> > > coreutils toolset, rather than an addon like uuencode is.
> > >
> > > Regards,
> > > Dan.
> > > --
> > > |=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
> > > |=-           Perl modules: http://search.cpan.org/~danberr/ -=|
> > > |=-               Projects: http://freshmeat.net/~danielpb/ -=|
> > > |=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|

Attachment: vnc_auth.patch
Description: Binary data

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel