WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-devel

Re: [Xen-devel] ioemu: empty vnc passwd

On Wed, Jan 23, 2008 at 05:43:38PM +0000, Daniel P. Berrange wrote:

> > Except on Solaris we don't have such a default - the user's forced to
> > set something (there doesn't seem to be even a vaguely secure default?)
> 
> There's no sane default for VNC passwords - whether you have on or not
> its still basically insecure due to design of the VNC auth, hence the
> config just defaults to '' & 127.0.0.1 which is as good as you'll get 
> for VNC over TCP. 

So the only sane default is "don't let it work at all", right? Which is
what we're doing.

> If we wanted a real secure out of the box setup, we'd need to make XenD 
> only expose the VNC server as a UNIX domain socket, so that access can
> be restricted to root.

Yep, like you mentioned on IRC.

> Of course no VNC client knows how to connect to a VNC 

But of course :) sigh.

> server over a UNIX domain socket directly. You can use netcat + ssh to
> tunnel to/from a remote host. I could also extend GTK-VNC & virt-manager
> and/or virt-viewer to support it pretty easily.

Both of those support the encryption extension already though, if I
understand it right - and that seems sane enough.

regards
john

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel