|
From: | Fabrice Bellard |
Subject: | Re: [Qemu-devel] QEMU: VNC |
Date: | Mon, 19 Feb 2007 23:52:54 +0100 |
User-agent: | Thunderbird 1.5.0.9 (X11/20070212) |
Daniel P. Berrange wrote:
On Mon, Feb 19, 2007 at 12:41:53PM -0500, Christopher Olsen wrote:On Monday 19 February 2007 12:30, Daniel P. Berrange wrote:I've Checked out the VeNCrypt.. Looks a little win32 oriented...On Mon, Feb 19, 2007 at 03:11:15AM +0100, Johannes Schindelin wrote:Hi, On Sun, 18 Feb 2007, Anthony Liguori wrote:Christopher Olsen wrote:Sorry I'll attempt to use the preferred patching method in the future.. Secure vnc auth method the default built in method fromWe can't take a password from a command line. Supporting VNC auth is super easy otherwise. I really think we need to have a config file before we can do VNC passwords.No, you should not do VNC passwords. The default VNC password exchange is insecure and you should not lure users into believing in that false security.Sure it is insecure over an unencrypted network channel, but if you are tunnelling the VNC connection over SSH, or have restricted it to only bind to 127.0.0.1 then AFAIK it is just fine. So supporting VNC password auth would allow users on a shared machine to secure the console from other unprivileged users on the same box. Definitely useful over the current situation where there's no way to secure even the local-only case. For a serious general purpose authentication I'd like to see the TLS protocol extension for VNC (as implemented in VeNCrypt) supported allowing both secure auth & wire encryption. Dan.Guess you missed the 'unix' directory - I have compiled both server & client of VeNCrypt on Linux no trouble.I'm gathering the problem here is that VNC is spinning off in many directions... So any implementation on the QEMU side will of course marry it to a particular VNC branch or I had an alternative idea..I think the crux of the matter is that RealVNC sell a commercial version of VNC which offers real encryption. So I'm guessing that's why they've never merged any of the patches to do TLS encryption in the open source codebase. All the patches for VNC + TLS i've seen posted are iterations of each other - VeNCrypt is the most complete implenentation of any ofthem, so the one I'd go for out of the all the choices.
On the technical side, adding OpenSSL support in the current VNC implementation is QEMU seems easy (OpenSSL has a non blocking API which can be used with the current callback API).
Fabrice.
[Prev in Thread] | Current Thread | [Next in Thread] |