Xen 		  
Home About Xen.org Xen Xen Summit Wiki Mailing List Bug Tracker Xen Downloads
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-devel] Individual passwords for guest VNC servers ?

from [Masami Watanabe] [Permanent Link][Original]
To: "Daniel P. Berrange" <berrange@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-devel] Individual passwords for guest VNC servers ?
From: Masami Watanabe <masami.watanabe@xxxxxxxxxxxxxx>
Date: Thu, 31 Aug 2006 10:23:56 +0900
Cc: masami.watanabe@xxxxxxxxxxxxxx
Delivery-date: Wed, 30 Aug 2006 18:22:11 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <20060825004436.GL809@xxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <20060816181153.GC25831@xxxxxxxxxx> <20060825004436.GL809@xxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx 
I'm thinking of adding the following protection to VNC console.
I know it's not perfect, nonetheless, it's far better than the current
no protection situation. Please comment.

Specification:
- The same challenge-response auth scheme as standard VNC to be available
  from VNC viewer (like RealVNC).
- The vnc password of each VM is described in the VM configuration file.
  When omit the password, do not use authentification.
    ex) vnc_passwd = xxxxx
- Where "xxxxx" is an uuencoded encrypted password, that is,
  you can get this value by
  # cat ~/.vnc/passwd | uuencode -m passwd
    (needs uuencode command: sharutils package)


Watanabe.


> On Wed, Aug 16, 2006 at 07:11:53PM +0100, Daniel P. Berrange wrote:
> > The current implementation of the VNC server in qemu-dm appears to just
> > leverage whatever password the root user has set in /root/.vnc/passwd.
> > This doesn't really have very nice semantics if one migrates the domain
> > over to a different host...which may not have same VNC password file.
> 
> Ok, so looking more closly I'm wrong here. The VNC server in qemu-dm
> does not use a password at all - it sets the VNC auth protocol to None.
> 
> At the same time it binds to 0.0.0.0 - so any HVM guest running VNC
> is completely unsecured, accessible to anyone who can route to the
> Dom0 host unless you've firewalled off all the ports >= 5900 on the
> machine. This looks like a pretty serious flaw to be fixed for 3.0.3 
> 
> > Has anyone given any thought to / written any patches to enable assignment
> > of different passwords to individual guest's VNC servers. At its simplest
> > one could just allow the crypt/md5 hash of the desired password to be
> > supplied in the xm config file, or XenD SEXPR when creating a new domain
> > and pass that hash through to qemu-dm to use instead of /root/.vnc/passwd
> 
> It appears that given the way the standard VNC challenge-response auth
> scheme works there's no choice but to store the actual password - at very 
> least using some reversible encryption - we can't simply store the hash
> as one would with passwords for /etc/shadow.  There are other newer
> auth schemes defined in VNC protocol, but its not clear whether these
> have broad support amongst VNC viewer clients.
> 
> Dan.
> -- 
> |=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
> |=-           Perl modules: http://search.cpan.org/~danberr/              -=|
> |=-               Projects: http://freshmeat.net/~danielpb/               -=|
> |=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-devel


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-devel] [PATCH] wrong accounting in direct_remap_pfn_range, Keir Fraser
Next by Date:  Re: [Xen-devel] [PATCH] wrong accounting in direct_remap_pfn_range, Steven Rostedt
Previous by Thread:  [Xen-devel] Re: Individual passwords for guest VNC servers ?, Daniel P. Berrange
Next by Thread:  Re: [Xen-devel] Individual passwords for guest VNC servers ?, Daniel P. Berrange
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , XenSource, Inc. All rights reserved. Note: the xen.org trademark policy
is changing. For information please email legalxen.org, Legal and Privacy