WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-devel] ioemu: empty vnc passwd

from [John Levon] [Permanent Link][Original]
To: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
Subject: Re: [Xen-devel] ioemu: empty vnc passwd
From: John Levon <levon@xxxxxxxxxxxxxxxxx>
Date: Wed, 23 Jan 2008 17:56:18 +0000
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx, Samuel Thibault <samuel.thibault@xxxxxxxxxxxxx>
Delivery-date: Wed, 23 Jan 2008 09:57:10 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <20080123174338.GE17258@xxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <20080123161130.GD5188@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <20080123163555.GF24352@xxxxxxxxxx> <20080123172614.GD18326@xxxxxxxxxxxxxxxxxxxxxxx> <20080123173341.GD17258@xxxxxxxxxx> <20080123173820.GE18326@xxxxxxxxxxxxxxxxxxxxxxx> <20080123174338.GE17258@xxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.5.9i 
On Wed, Jan 23, 2008 at 05:43:38PM +0000, Daniel P. Berrange wrote:

> > Except on Solaris we don't have such a default - the user's forced to
> > set something (there doesn't seem to be even a vaguely secure default?)
> 
> There's no sane default for VNC passwords - whether you have on or not
> its still basically insecure due to design of the VNC auth, hence the
> config just defaults to '' & 127.0.0.1 which is as good as you'll get 
> for VNC over TCP. 

So the only sane default is "don't let it work at all", right? Which is
what we're doing.

> If we wanted a real secure out of the box setup, we'd need to make XenD 
> only expose the VNC server as a UNIX domain socket, so that access can
> be restricted to root.

Yep, like you mentioned on IRC.

> Of course no VNC client knows how to connect to a VNC 

But of course :) sigh.

> server over a UNIX domain socket directly. You can use netcat + ssh to
> tunnel to/from a remote host. I could also extend GTK-VNC & virt-manager
> and/or virt-viewer to support it pretty easily.

Both of those support the encryption extension already though, if I
understand it right - and that seems sane enough.

regards
john

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-devel] [PATCH] ioemu: directly project all memory on x86_64, Keir Fraser
Next by Date:  Re: [Xen-devel] ioemu: empty vnc passwd, Daniel P. Berrange
Previous by Thread:  Re: [Xen-devel] ioemu: empty vnc passwd, Daniel P. Berrange
Next by Thread:  Re: [Xen-devel] ioemu: empty vnc passwd, Daniel P. Berrange
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy