WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xen-devel

RE: [Xen-devel] [PATCH] vnclisten for HVM vnc

To: "Daniel P. Berrange" <berrange@xxxxxxxxxx>, "Jeremy Katz" <katzj@xxxxxxxxxx>
Subject: RE: [Xen-devel] [PATCH] vnclisten for HVM vnc
From: "Ian Pratt" <m+Ian.Pratt@xxxxxxxxxxxx>
Date: Wed, 27 Sep 2006 21:40:57 +0100
Cc: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxx>
Delivery-date: Wed, 27 Sep 2006 13:41:42 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <1157216132.2805.4.camel@xxxxxxxxxxxxxx><1159385776.16252.17.camel@xxxxxxxxxxxxxxxxxxxxxxxxxx><20060927194202.GP20056@xxxxxxxxxx><1159387052.16252.20.camel@xxxxxxxxxxxxxxxxxxxxxxxxxx> <20060927200239.GS20056@xxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: AcbicCDYj6q2BjO9Q+SJJrWkv9OzQwABQGmA
Thread-topic: [Xen-devel] [PATCH] vnclisten for HVM vnc

> > > IMHO, we should only listen on 127.0.0.1 by default - particularly since
> > > the Xen 3.0.3 release isn't going to have password authentication on the
> > > VNC servers yet :-(   It'll be all too easy for someone to turn on VNC
> > > in the guest config & not realize they just opened themselves up to any
> > > person on the network by default. That kind of default insecure behaviour
> > > is best left in the Windows world
> >
> > I don't necessarily disagree, but changing the semantics like that felt
> > a little bit ugly to me -- it definitely leads to a case where going
> > from 3.0.2 -> 3.0.3 would break configurations users were actively
> > using.
>
> It is a painful problem I agree, but I think the security benefit is worth
> the pain of breaking users' existing configs. It's not a difficult task for
> users to re-enable the wide-open-to-anyone config if they really do need
> it.

I agree too: we should listen on 127.0.0.1 by default.

Ian





_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
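
Added example, not part of the original thread or of the Xen code base: a Python check that classifies a guest config's VNC exposure under either of the two defaults debated above, which shows which existing configs change behaviour when the default moves to 127.0.0.1. It assumes xm-style `name = value` guest config files with a `vnc` switch and the `vnclisten` option named in the patch subject; the function names and the sample configs are constructed for illustration.

```python
import ast
import ipaddress


def read_settings(text):
    """Collect top-level `name = literal` assignments without executing the file."""
    settings = {}
    for node in ast.parse(text).body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            try:
                settings[node.targets[0].id] = ast.literal_eval(node.value)
            except (ValueError, TypeError):
                pass  # computed value, not a plain literal: ignore it
    return settings


def vnc_exposure(text, default_listen):
    """Return 'off', 'loopback' or 'network' for one guest config.

    default_listen is the address assumed when vnclisten is absent; it is a
    parameter because that default is exactly what the thread is deciding.
    """
    cfg = read_settings(text)
    if str(cfg.get("vnc", 0)).strip() in ("0", "", "False"):
        return "off"
    addr = str(cfg.get("vnclisten") or default_listen)
    try:
        loopback = ipaddress.ip_address(addr).is_loopback
    except ValueError:
        # Not an IP literal: only trust the conventional loopback name.
        loopback = addr == "localhost"
    return "loopback" if loopback else "network"


# Constructed sample guest configs (assumed key names: vnc, vnclisten).
LEGACY = 'name = "hvm1"\nbuilder = "hvm"\nvnc = 1\n'          # relies on the default
PINNED = 'name = "hvm2"\nvnc = 1\nvnclisten = "127.0.0.1"\n'  # explicit loopback
OPEN = 'name = "hvm3"\nvnc = 1\nvnclisten = "0.0.0.0"\n'      # explicit opt-in

if __name__ == "__main__":
    for label, text in (("legacy", LEGACY), ("pinned", PINNED), ("open", OPEN)):
        print(label,
              "| default 0.0.0.0 ->", vnc_exposure(text, "0.0.0.0"),
              "| default 127.0.0.1 ->", vnc_exposure(text, "127.0.0.1"))
```

Only the config that omits `vnclisten` changes classification between the two defaults; a config that sets the address explicitly keeps whatever exposure its owner chose.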