On Wednesday 23 January 2008 17:28:11 Daniel P. Berrange wrote:
> On Wed, Jan 23, 2008 at 05:19:33PM +0100, Christoph Egger wrote:
> > If we do a debug build let us assume we are in a testing environment.
> > There an empty vnc password is ok.
> > If we don't make a debug build, let us assume we are in a production
> > environment where an empty vnc password is a security risk.
>
> That logic is flawed. VNC may be configured to use TLS +x509 certificates
> which provide real security. A VNC passwd is not really very credible
> security whether it's zero or 8 chars in length. It shouldn't try to
> second guess what an admin wants.

That's right. vnc-auth is nothing. TLS (vnc security type 18) and
Tight (vnc security type 16) are much better.

> VNC password authentication is turned on / off via the ',passwd' flag on
> the -vnc command line to QEMU. If password auth is on, and a zero length
> string is found as a password, then all logins are completely disabled -
> the VNC password auth code will fail all logins. If passwd auth is off on
> the command line, then any password stored in xenstore is irrelevant, no
> matter what length it is.
>
> Dan.
--
AMD Saxony, Dresden, Germany
Operating System Research Center
Legal Information:
AMD Saxony Limited Liability Company & Co. KG
Registered office (business address):
Wilschdorfer Landstr. 101, 01109 Dresden, Germany
Register court Dresden: HRA 4896
General partner authorized to represent:
AMD Saxony LLC (registered office Wilmington, Delaware, USA)
Managing directors of AMD Saxony LLC:
Dr. Hans-R. Deppe, Thomas McCoy