Hi Jan

Thank you for the report.
I have now tested this myself. I purged all installed VNC software,
installed tightvncserver, ran tightvncserver and then ran vncpasswd to set
a password.
I failed to reproduce the problem. I'm asked for a password.

So the question is what you did differently. Can it be that you have
some other vncpasswd software as an alternative and that it happens to not be
updating the same things?

Best regards

// Ola

On Mon, 31 Dec 2018 at 15:33, Jan Christoph Terasa <christ...@kohlio.de>
wrote:

> Package: tightvncserver
> Version: 1:1.3.9-9
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Dear Maintainer,
>
> I installed tightvncserver on my VPS machine via apt. This did set up
> tightvncserver as an alternative for vncserver. Using a normal user account
> and starting vncserver for the first time asks for an 8-letter password. My
> assumption is this password will be used to authenticate users when
> connecting to the vnc server.
>
> After starting the vnc server via the vncserver script, it is served on port
> 5901. On the client machine I use vinagre to connect to the server on port
> 5901. When connecting, I am not asked for a password, but rather directly
> taken to the X session. I would have expected the server to ask for the
> password I specified earlier.
>
> As a workaround, to ensure the integrity of the system, I set up iptables
> rules to not allow direct WAN connections to this port, but only allow local
> connections, and use an SSH tunnel for connecting to the vnc server.
>
>
> kind regards,
> Christoph
>
>
> -- System Information:
> Debian Release: buster/sid
>   APT prefers oldstable-updates
>   APT policy: (500, 'oldstable-updates'), (500, 'testing'), (500, 'oldstable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.14.17-xxxx-std-ipv6-64 (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages tightvncserver depends on:
> ii  libc6            2.27-8
> ii  libjpeg62-turbo  1:1.5.2-2+b1
> ii  libx11-6         2:1.6.7-1
> ii  libxext6         2:1.3.3-1+b2
> ii  perl             5.28.0-3
> ii  x11-common       1:7.7+19
> ii  x11-utils        7.7+4
> ii  xauth            1:1.0.10-1
> ii  xserver-common   2:1.20.3-1
> ii  zlib1g           1:1.2.11.dfsg-1
>
> Versions of packages tightvncserver recommends:
> ii  x11-xserver-utils  7.7+8
> ii  xfonts-base        1:1.0.4+nmu1
>
> Versions of packages tightvncserver suggests:
> pn  tightvnc-java  <none>
>
> -- no debconf information
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  o...@inguza.com                    Folkebogatan 26            \
|  o...@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
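The maintainer's hypothesis above is that the `vncserver` and `vncpasswd` alternatives on the reporter's box resolve to different implementations, so the password written by one is never read by the other; the reporter's workaround is to firewall port 5901 to loopback and reach it over an SSH tunnel. The script below is an added example written for this page, not code from either participant or from the tightvncserver package: it parses `update-alternatives --query` output to compare the two providers, and prints the loopback-only rules for a given display. The "provider" heuristic (strip a trailing `server`/`passwd` from the alternative's basename) and the sample query output are assumptions constructed for the example; the `alt_check` invocation at the bottom is what you would run on the affected host.

```shell
#!/bin/sh
# Added example, not from the bug report or the maintainer's reply.

# Port for VNC display :N is 5900+N (display :1 -> 5901, as in the report).
vnc_port() {
  echo $((5900 + $1))
}

# Reduce an alternative path to its provider: /usr/bin/tightvncserver and
# /usr/bin/tightvncpasswd both become "tightvnc". This naming heuristic is an
# assumption made for the example; update-alternatives knows nothing about it.
alt_provider() {
  basename "$1" | sed -e 's/server$//' -e 's/passwd$//'
}

# Extract the "Value:" field (the path the symlink currently points to) from
# `update-alternatives --query NAME` output supplied on stdin.
alt_value() {
  sed -n 's/^Value: //p' | head -n 1
}

# Compare the query output for vncserver and vncpasswd (passed as two strings)
# and report whether both symlinks point into the same implementation.
alt_check() {
  server=$(printf '%s\n' "$1" | alt_value)
  passwd=$(printf '%s\n' "$2" | alt_value)
  if [ "$(alt_provider "$server")" = "$(alt_provider "$passwd")" ]; then
    echo "match: $server / $passwd"
  else
    echo "mismatch: vncserver -> $server but vncpasswd -> $passwd"
  fi
}

# The reporter's workaround for display :N: accept TCP to the VNC port only on
# the loopback interface and drop it from anywhere else.
vnc_firewall_rules() {
  port=$(vnc_port "$1")
  cat <<EOF
iptables -A INPUT -i lo -p tcp --dport $port -j ACCEPT
iptables -A INPUT -p tcp --dport $port -j DROP
EOF
}

# Constructed sample output in the format of `update-alternatives --query`,
# modelling the mismatch the maintainer asks about: vncserver is tightvnc's,
# vncpasswd has been switched manually to another package's binary.
SAMPLE_SERVER='Name: vncserver
Link: /usr/bin/vncserver
Status: auto
Best: /usr/bin/tightvncserver
Value: /usr/bin/tightvncserver

Alternative: /usr/bin/tightvncserver
Priority: 50'

SAMPLE_PASSWD_OTHER='Name: vncpasswd
Link: /usr/bin/vncpasswd
Status: manual
Best: /usr/bin/tightvncpasswd
Value: /usr/bin/vnc4passwd

Alternative: /usr/bin/tightvncpasswd
Priority: 50

Alternative: /usr/bin/vnc4passwd
Priority: 40'

# On the affected Debian host, feed the real query output instead:
#   alt_check "$(update-alternatives --query vncserver)" "$(update-alternatives --query vncpasswd)"
alt_check "$SAMPLE_SERVER" "$SAMPLE_PASSWD_OTHER"
vnc_firewall_rules 1
# Client side of the workaround: forward a local port through SSH to the
# loopback-only VNC port and point the viewer at localhost.
echo "ssh -N -L 5901:127.0.0.1:5901 user@vps"
```

If the check reports a mismatch, `update-alternatives --config vncpasswd` (or `vncserver`) lets you point both links at the same implementation; if it reports a match and the server still accepts connections without a password, the alternatives are not the explanation and the next thing to inspect is the server's own password file and the options the `vncserver` wrapper passes to it.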
