Re: [Xen-devel] [PATCH] vnclisten for HVM vnc
On Wed, Sep 27, 2006 at 09:40:57PM +0100, Ian Pratt wrote:
> > > > IMHO, we should only listen on 127.0.0.1 by default -
> > since
> > > > the Xen 3.0.3 release isn't going to have password authentication
> > the
> > > > VNC servers yet :-( It'll be all too easy for someone to turn on
> > > > in the guest config & not realize they just opened themselves up
> to any
> > > > person on the network by default. That kind of default insecure
> > behaviour
> > > > is best left in the Windows world
> > >
> > > I don't necessarily disagree, but changing the semantics like that
> > > a little bit ugly to me -- it definitely leads to a case where going
> > > from 3.0.2 -> 3.0.3 would break configurations users were actively
> > > using.
> > It is a painful problem I agree, but I think the security benefit is
> > the pain of breaking user's existing configs. Its not a difficult task
> > users to re-enable the wide-open-to-anyone config if they really do
> > it.
> I agree too: we should listen on 127.0.0.1 by default.
Ok, attached is an adaptation of Jeremy's initial patch to do this.
The logic for determining which interface to listen on goes like this:
- If 'vnclisten' is set in guest config, use that (can use 0.0.0.0 to
indicate all interfaces)
- If 'vnc-listen' is set in /etc/xen/xend-config.sxp, use that
(again can set it to 0.0.0.0 to listen on all interfaces by
- Else use 127.0.0.1
So, this makes VNC local only by default using 127.0.0.1. Anyone who wants
the old behaviour can just change xend-config.sxp setting...
...which will affect all guests without an explicit setting.
Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
Description: Text document
Xen-devel mailing list