[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] RE: [PATCH][Take 2] VNC authentification



> > Why even bother encrypting the password?  We're using a well known
DES
> > key so there is no security here.  A user must still take
appropriate
> > precautions to protect the config files.  In fact, I think munging
the
> > password like this gives a false sense of security.
> 
> Yeah, we really need to chmod 700 the /etc/xen directory to protect
> the passwords.  Once this is done, there isn't much to be gained
> from encryption in the file itself except for obfuscating it from
> the benign casual observer. Using plain text in the config file would
> make life easier to tools too, because they won't have to carry about
> this VNC-specific DES encryption routine just to create passwds in the
> guest config

Yep, let's change the permissions and use plain text passwords. No point
giving people a false sense of security.

Ian

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.