RE: VNC Security
I am wondering why expose VNC over the internet in the first place, really. It's my opinion that VNC is really only good for LAN's. Why not use VPN to secure your connection to the remote network before starting VNC sessions? It's much easier to set up on a LAN where you need VNC access to 200 computers than setting up SSH over the Internet! I can concede that VNC data should be encrypted in some way when traveling the Internet but why do people set up VNC over SSH on local networks? That really makes very little sense to me. If your network is so insecure that you're worried about your VNC traffic being hacked, you've got some pretty big problems! I connect to a network via VPN and others I connect using encrypted RDP sessions. Once I've made those connections, I can safely use VNC on the remote networks. Why waste all of this time with SSH on Windows computers all over the network when VPN and RDP is so easy to set up? Yea, William did have a better search phrase than I did. That utility does have limitations and flaws, though. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Sean Kamath Sent: Tuesday, April 19, 2005 4:45 PM To: William Hooper Cc: vnc-list@realvnc.com Subject: Re: VNC Security [In a message on Tue, 19 Apr 2005 10:53:09 EDT, "William Hooper" wrote:] >Steve Bostedor wrote: >[snip] >> I've scoured the web out of this curiosity, looking for a tool to >> put VNC packets together into something useful for a hacker. There's >> nothing. Nada. > >Fifth hit on Google for: vnc capture playback > >http://users.tpg.com.au/bdgcvb/chaosreader.html Google is your friend. Of course, knowing the right phrase or keywords makes it nice. ;-) That's a very interesting tool, which should put the fear of the Internet in everyone. . . Another reason for tunneling VNC over SSH is this: My firewall only exposes a select few protocols to the outside world. If it weren't for the fact I have to support other people, I'd likely ONLY have SSH exposed to the world. Instead I have to have POP/IMAP, SMTP, etc. . . The fewer things you expose to the outside Big Bad World, the better. Sean ___ VNC-List mailing list VNC-List@realvnc.com To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list ___ VNC-List mailing list VNC-List@realvnc.com To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list
RE: VNC Security
Your plan is pretty typical and is pretty much what I advise to my clients. Keep it off when it's not being used and change the password often. On secured local LANS, it's ok to leave it running 24/7 as long as the remote server has the desktop locked or logged off. This is the REalVNC, though. I'm not sure the UltraVNC file transfer function is still functional if the workstation is locked. I'll have to try that and see. If it is still functional, I'd suggest not usng that on any server that you want to leave VNC running 24/7 on at all. -Original Message- From: Bart Crijns [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 19, 2005 5:15 PM To: Andy Bruce - softwareAB Cc: Steve Bostedor; security-basics@securityfocus.com; vnc-list@realvnc.com Subject: Re: VNC Security Andy Bruce - softwareAB wrote: > 5. Tell them to turn off port forwarding from the router (if they > could grok it), or just have them connect their PC back to the router > and their router back to the cable/dsl modem. In either case, 5900 > isn't available to the outside world so there's no risk even if they > were running VNC in service-mode. Another (very easy) way to make these connections more secure with those users is the following: I'm using UltraVNC, so I'm not certain that everything is possible in other VNC variants. - set a very long and very difficult password for the server (it will never be used anyway in this approach) - disable the 'accept socket connections' checkbox in the server properties (may be UltraVNC only) - when the users need assistance let them start the server, and instead of connecting to their PC, you start the viewer in listen mode - tell them your IP, and have them add a client throug the system tray icon's menu, and have them enter your IP when requested. You'll need to have your router setup for port forwarding to the ports for the listening viewer... That way noone needs to know their password, and with UltraVNC the server isn't even accepting connections in the unlikely event that the password is known by someone. No password is transmitted, and the only thing that could be captured is the data sent during the VNC session, which isn't too much of a problem in most cases when helping someone out. Furthermore, no incoming ports need to be opened on their router, because most users aren't really capable of changing that themselves. Of course, when connecting to my own PC via VNC, I use a SSH tunnel. > Am I missing something here? Other than the fact that in the unlikely event of someone malignant actually taking over their PC, you'll be the one who's blamed... no :-) I think the method I described is a bit safer, and also very easy to explain to the person at the other end of the line. If I may have missed something in my plan, please correct me. Kind Regards, Bart Crijns ___ VNC-List mailing list VNC-List@realvnc.com To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list
RE: VNC Security
Joshua, Please see my reply to Alexander. It addresses some of what you said here. I disagree that VNC should be avoided completely, though. It's not THAT insecure! I will go out on a limb and say that about 90% of the pop3 users in the world use plain text passwords. Encrypted passwords aren't really that common and most ISP's don't require that home users encrypt their passwords. Do you use FTP? Maybe you tripple encrypt your FTP data or just avoid FTP completely just like VNC, but I'll go out on a limb again and guess that at least 95% of FTP users in the world send the username and password in plain text and unencrypted. I'll also guess that at least 30% of them use the same username and password for their FTP account as they do for numerous other functions. Maybe even their encrypted Pop3 account. ;) The reply to Alexander explains my question further. -Original Message- From: Joshua Berry [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 19, 2005 6:43 PM To: Andy Bruce - softwareAB; Steve Bostedor Cc: security-basics@securityfocus.com; vnc-list@realvnc.com Subject: RE: VNC Security To the original poster: It is my *opinion* that using VNC should be avoided completely. The last time that I used VNC it only support a password, and no user name. This leaves only the password to brute-force, considerably lessening the time needed to break in. Also, you are making the assumption that everyone uses plain text POP, I only use POP over SSL, IMAP over SSL or HTTPS to access my email. Also, this is not a good example because POP user accounts/passwords only give you someone's email, a VNC password will give you full access to the server/desktop it is running on. The passwords can be sniffed on your local network or they can be sniffed on the network that the server/desktop you are connecting to resides on. If this is a critical box, then now anyone that can sniff the network can also gain a login to this box to do whatever they want. I believe that VNC includes SSL or some other decent means of encryption now. To the first follow up poster: a. Somebody just needs to get the password in that 20 minute interchange, which is not too hard if they are only sniffing for X sessions. They can just dump that to a file and leave it running until it picks something up. Also, you can setup something to probe the box on that port, so the next time VNC is enabled they can login. I am curious how you would notice someone sniffing the network? I only see this as being possible if the host was running linux/unix and forwarding their syslogs to you, so that you could see when a NIC entered promiscuous mode. Lastly: I have seen several VNC exploits available over the years, so this is just a whole new service that you are exposing to risk that you often don't need to (because if it is Linux you have SSH, and if it is a windows box you have Terminal Services) -Original Message- From: Andy Bruce - softwareAB [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 19, 2005 7:55 AM To: Steve Bostedor Cc: security-basics@securityfocus.com; vnc-list@realvnc.com Subject: Re: VNC Security This is a very interesting question to me. In my own case, I do have SSH setup thru Cygwin (http://www.cygwin.com/) for my local network and I use VNC thru that connection when I need to manage my own stuff remotely. However, I have to admit that when I use VNC to aid remote clients (which happens quite frequently) I don't worry about encryption whatsoever. FWIW, here's my approach: 1. I don't even try to explain setting up an SSH daemon to them. I simply have them install the VNC server in user-mode and start it. 2. If I can't explain to them in 5 min or less how to do port forwarding, I just have them connect directly to their cable/dsl modem. 3. Get the debugging and/or support done. 4. Have them stop the VNC server. Since it isn't running as a service, it won't start up next time and so won't be a security risk. 5. Tell them to turn off port forwarding from the router (if they could grok it), or just have them connect their PC back to the router and their router back to the cable/dsl modem. In either case, 5900 isn't available to the outside world so there's no risk even if they were running VNC in service-mode. I have to agree with Steve that this is, for all practical purposes, a non-existent security risk. The only things that could go wrong: a. "Somebody" is sniffing the packet stream while the VNC passwords are being exchanged, and, during that 20 minute interchange, cracks the password and logs onto the VNC server. Of course, we would notice this problem on both ends! b. I have never captured the data shared between client and server (screen/UI deltas) and so have no idea if these pose a security risk or not. c. While the VNC server is running and they are connected to the internet (port forwarding has the same problem as direct connect) a port sniffer detects that 5
RE: VNC Security
Thank you for the reply, Alexander. I understand exactly what you're trying to say. I'm not sure if you fully understand what I was saying and its probably my fault for not making it clear enough. You seemed to concentrate on how easy it is to do things with the VNC packets once you've sniffed the packets. You say that you've sniffed the packets before but have you ever sniffed packets from a network outside of your own LAN? How about on your LAN but on another switch port? What I was trying to discuss is how real the threat is that someone outside of your network will actually get to sniff enough of and the correct sequence of your packets to do the things that you where able to do by sniffing the packets on your local segment. You're basically breaking into your own house by using your own keys in the scenario that you provided. How realistic is it for someone in India to sniff my packets going from a server in Detroit, MI to a server in Jackson, MI? How realistic is it for him to actually get usable data? It's Easy to say that if there's a way into your network, you're insecure but there's a way into your house .. is your house insecure? Is VNC really the low hanging fruit in my scenario. I know that you all are very specific and technical, so I'll spell out an exact scenario which happens to be the most common usage of VNC in companies. * John Doe is getting an error message on his computer and calls the help desk a city away for help. * Helpdesk tells John to double-click on the VNC icon on his desktop that starts the server * Helpdesk connects to Johns computer and takes about 10 minutes to resolve the problem * Helpdesk person kills the VNC server on the remote computer and the connection is terminated --- I understand that Security is very important but it's also very important to not go Barney Fife and start drawing the gun on everything that moves if you get what I mean. What are the odds that some guy in Florida is going to sniff that 10 minute session and get into the network? My answer is 1 in at least 10 million. The guy in Florida would have to have already compromised a computer on either of the networks that happened to be plugged into a HUB (Not a switch) that either of the computers are plugged into ~OR~ he would have had to hack one of the routers close to either one of them to send packets to him as a man in the middle attack of sorts. Both of these are a bit extreme for VNC data theft, don't you think? If you do all of that, isn't there a bunch of much bigger prizes at your fingertips than VNC data?! Now are you starting to see what I'm saying? The successful exploits that must be done to get someone's VNC packet stream would land you access to things far greater than just the VNC data and who would waste the time with VNC data at that point? Go for the gold, you're already in someplace pretty good at that point. The only EASY way that I know of to sniff someone's packets are to either be on a hub with the remote computers or to have a Trojan on one of the computers. Does someone know of an easy way other than that? Easier than just hacking into the company other ways that do not involve VNC? - Steve -Original Message- From: Alexander Bolante [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 19, 2005 6:25 PM To: Steve Bostedor Cc: security-basics@securityfocus.com; vnc-list@realvnc.com Subject: Re: VNC Security IMHO NOTE: For obvious reasons that VNC provides remote access to your machine, Security is key (period). I'm assuming this thread does NOT pertain to your COMPANY LAN, because if it does, the answer to your question, "Why should I secure VNC over SSH?" is clearly...SOX compliance... OTHERWISE: Bottom line is -- if you DO NOT have any sensitive data to secure, it's your prerogative to determine what lengths you want to take to protect that data. Why do I tunnel VNC over SSH? To deal with the uncertainty of potential security flaws and risks... (SB wrote) What are the real risks of not securing VNC traffic? It depends... The only caveat I see in not securing VNC traffic is...network eavesdropping We already know that all VNC traffic between client and server is unencrypted after authentication. That's a problem if you're moving sensitive data. I've used a sniffer on a VNC session before. The traffic was compressed, so it was still difficult to understand and breakdown the data from the sniffer, BUT data passed in clear text e.g. usernames, birthdate, home address, etc. could be useful ***depending on the malicious user's intentions***. And because we often do NOT know what a malicious user's intentions are, we mitigate that uncertainty by adding another layer of security/defense in depth...tunneling VNC over SSH in order to secure communication and not leave ports open for scanning; using TCP wrappers to provide access control on a per-IP address basis, etc. On 4/19/05, Steve Bosted
Re: VNC Security
[In a message on Tue, 19 Apr 2005 10:53:09 EDT, "William Hooper" wrote:] >Steve Bostedor wrote: >[snip] >> I've scoured the web out of this curiosity, looking for a tool to >> put VNC packets together into something useful for a hacker. There's >> nothing. Nada. > >Fifth hit on Google for: vnc capture playback > >http://users.tpg.com.au/bdgcvb/chaosreader.html Google is your friend. Of course, knowing the right phrase or keywords makes it nice. ;-) That's a very interesting tool, which should put the fear of the Internet in everyone. . . Another reason for tunneling VNC over SSH is this: My firewall only exposes a select few protocols to the outside world. If it weren't for the fact I have to support other people, I'd likely ONLY have SSH exposed to the world. Instead I have to have POP/IMAP, SMTP, etc. . . The fewer things you expose to the outside Big Bad World, the better. Sean ___ VNC-List mailing list VNC-List@realvnc.com To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list
RE: Install vnc over telnet without password
Hi Wez, thank you for the quick response. > In order to have started the telnet daemon, you will also > have Administrator > rights and access to the machine's file system using > Windows File Sharing > and to its registry, so you can use those to install the > VNC files to the > machine. Maybe I expressed it a bit unclearly: I do have all those possibilites, and yes, I do have administrator access. Is it sufficient to just copy the unpacked files in a directory and call them from the telnet command line? How do I go about setting the password, or set the "no authentication" value in the registry? Regards, Uwe ___ VNC-List mailing list VNC-List@realvnc.com To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list
RE: Install vnc over telnet without password
Uwe, In order to have started the telnet daemon, you will also have Administrator rights and access to the machine's file system using Windows File Sharing and to its registry, so you can use those to install the VNC files to the machine. Alternatively, if you have VNC Enterprise Edition then you can use the VNC Deployment Tool to install and configure the software remotely. Regards, Wez @ RealVNC Ltd. > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Uwe E. Bilger > Sent: 19 April 2005 17:33 > To: vnc-list@realvnc.com > Subject: Install vnc over telnet without password > > Dear all, > > I would like to install VNC on a headless windows2000 professional > workstation. All access I have is telnet (which I can start with the > computer manager remotely) and browser access, i.e. I can drag and > drop programs on the other computer. > > If I see this correctly, I'd need instructions on > a) how to install vnc with only telnet access available, and > b) how to set the password over the commandline, or initially have VNC > not require authentication. > > Any help is greatly appreciated. > > Regards, > > Uwe > ___ > VNC-List mailing list > VNC-List@realvnc.com > To remove yourself from the list visit: > http://www.realvnc.com/mailman/listinfo/vnc-list ___ VNC-List mailing list VNC-List@realvnc.com To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list
Install vnc over telnet without password
Dear all, I would like to install VNC on a headless windows2000 professional workstation. All access I have is telnet (which I can start with the computer manager remotely) and browser access, i.e. I can drag and drop programs on the other computer. If I see this correctly, I'd need instructions on a) how to install vnc with only telnet access available, and b) how to set the password over the commandline, or initially have VNC not require authentication. Any help is greatly appreciated. Regards, Uwe ___ VNC-List mailing list VNC-List@realvnc.com To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list
Re: unorthodox web application
The problem with what you are doing is that vnc (on windows) only has one desktop. THat means that even though multiple ppl can connect at once they will all be controlling a single mouse, keyboard and screen. So if you just made it vnc it would work as a single user remote system. In order to make it multi-user you really need to design the app for multi-user. ANgelo On 4/18/05, Steve Feaster <[EMAIL PROTECTED]> wrote: > I am interested in placing a Windows desktop application I have made on my > server and then allowing clients to use the application by using VNC to log > into the server. The appication is for a single user, so my initial idea is > to have a specified number of threads of the application available for the > same number of users. I'm guessing this is a strange way of doing things, but > I'm looking for a quick and easy way to make the desktop application I have > designed availabe for a "web app". > > I'm new to this sort of thing, so if anyone has any ideas or suggestions I > would really appreciate it. Even just where to start would be helpful! Or if > this path is more work than redesigning the application to be a common web app > then please let me know. > ___ > VNC-List mailing list > VNC-List@realvnc.com > To remove yourself from the list visit: > http://www.realvnc.com/mailman/listinfo/vnc-list ___ VNC-List mailing list VNC-List@realvnc.com To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list
Re: VNC connection
It doesn't see RFB on "telent 127.0.0.1 5900"? are the VncOptions Set to listen on port 5900? It does sound like something is blocking vnc from listening on this port. Did you try this with anti-vir disabled, windows firewall disabled, etc? --Angelo On 4/19/05, James Weatherall <[EMAIL PROTECTED]> wrote: > Scott, > > Unless I've missed a mail somewhere, Michael isn't using EchoVNC. It's most > likely that his server is either configured to only accept connections from > the local host, configured for a different port than 5900 or was unable to > listen for connections for some reason. > > Cheers, > > Wez @ RealVNC Ltd. > > > > -Original Message- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Scott C. Best > > Sent: 18 April 2005 18:54 > > To: vnc-list@realvnc.com > > Cc: [EMAIL PROTECTED] > > Subject: Re: VNC connection > > > > Michael: > > > > Heya. So what does the UI of EchoVNC report when you install > > it alongside your RealVNC Server? It will try to detect your > > VNC server > > listening on the loopback interface (127.0.0.1). If it can detect a > > VNC server, you should be able to make VNC connections with it. > > > > -Scott > > > > PS: We updated EchoVNC to 1.1 this weekend, making it more compatible > > with the RealVNC 4.x releases. http://www.echovnc.com > > > > > > > Done the port forward. > > > > > > Tried disabling Norton. > > > > > > Firewall is permanently off. > > > > > > Still no response on 5900? > > > > > > Regards > > > > > > Michael Bentley > > ___ > > VNC-List mailing list > > VNC-List@realvnc.com > > To remove yourself from the list visit: > > http://www.realvnc.com/mailman/listinfo/vnc-list > ___ > VNC-List mailing list > VNC-List@realvnc.com > To remove yourself from the list visit: > http://www.realvnc.com/mailman/listinfo/vnc-list ___ VNC-List mailing list VNC-List@realvnc.com To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list
Re: VNC Security
Steve Bostedor wrote: [snip] > I've scoured the web out of this curiosity, looking for a tool to > put VNC packets together into something useful for a hacker. There's > nothing. Nada. Fifth hit on Google for: vnc capture playback http://users.tpg.com.au/bdgcvb/chaosreader.html -- William Hooper ___ VNC-List mailing list VNC-List@realvnc.com To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list
RE: X authentication
hmmm.. It needed not be as complex as hacking the vncserver perl script. vncserver script creates the cookie file and passes it to the Xvnc server it launches as the auth parameter Also, you can use vncserver to override this behaviour by passing your own xauth file. So if you could say # vncserver -auth /home//.Xauthority The Xvnc will use the Xauthority file in the user's home directory. Now if you run from your shell # DISPLAY=:1 XAUTHORITY=/home//.Xauthority This should work for you. Also, try this without XAUTHORITY option, as that may be the default value anyway. Vamsi >>> "Robert Echlin" <[EMAIL PROTECTED]> 04/19/05 7:06 PM >>> > -Original Message- > From: Dave Love [mailto:[EMAIL PROTECTED] > Sent: Monday, April 18, 2005 1:41 PM > To: Robert Echlin > Cc: vnc-list@realvnc.com > Subject: Re: X authentication > > "Robert Echlin" <[EMAIL PROTECTED]> writes: > > > every copy of bash that I run generates a different XAUTHORITY ... > Presumably your setup is different, but normally Fedora 3 running gdm > puts xauth cookies for the console in /var/gdm/:0.Xauth, > i.e. something like this will work (as root) with VNC on 0.0: > > # DISPLAY=:0.0 XAUTHORITY=/var/gdm/:0.Xauth vncconfig -list I am not running VNC on :0, as confirmed by variations of your command: (sudo did not work - it assumed that DISPLAY was an executable) >su root -c "DISPLAY=:0 XAUTHORITY=/var/gdm/:0.Xauth vncconfig -list >Password: >No VNC extension on display :0 >DISPLAY=:0.0 XAUTHORITY=/home/builder/.XauthVG!zFg vncconfig -list >No VNC extension on display :0 -- Thanks, Vamsi, for the ps parameters "ps ax | grep Xvnc" - it showed (partial list) >Xvnc :1 ... -auth /home/builder/.Xauthority ... This confirms VNC's display and Xauth file >DISPLAY=:1 XAUTHORITY=/home/builder/.Xauthority vncconfig -list (result = long list of names, one per line, including: localhost,desktop, rfbport,rfbwait, httpPort, httpd, rfbauth, PasswordFile) There are no listings in /var/gdm that include a ":1". However, it looks like I can manually run my programs in :1 from :0 using a command line that sets DISPLAY and XAUTHORITY before the main program is run. Thank you, Dave! Since the /var/gdm stuff is only useful for root processes, I can see why a bash process might be given a copy of it with a unique name. How early are the Xauth files created in /var/gdm? Would they be available to a script run from /etc/rc.d/rc.local, or is there a race condition? I could use sudo to make a copy of the Xauth file in /var/gdm to replace /home/builder/.Xauthority before running vncserver. Would that give it the same cookie as the :0 (regular X) display? Or is it replaced by vncserver, so that I would have to hack the vncserver perl script to do this? Anyway, assigning DISPLAY and XAUTHORITY on the command line looks like it will work for me. Robert ___ VNC-List mailing list VNC-List@realvnc.com To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list ___ VNC-List mailing list VNC-List@realvnc.com To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list
RE: VNC Enterprise Edition for Unix
Mike, compare pricing to an X server package like eXceed or Reflection/X and I'm sure you'll find the price very nice, indeed. Especially considering that tring to run a typical X package over a WAN or other slow network is damn near impossible! The free version works fine - for the Enterprise, you are paying for extra features. We consider the pricing of Enterprise to be a steal! I, too, missed any announcement of the Enterprise version for Unix, if indeed there was one... Kevin -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Miller Sent: Monday, April 18, 2005 8:57 PM To: VNC List Subject: VNC Enterprise Edition for Unix On Mon, 18 Apr 2005, Lou Kamenov wrote: > Is there such thing as VNC Enterprise Edition for FreeBSD, theres one > for Linux alright? Thanks for pointing out that the Unix Enterprise Editions (Solaris, Linux and HP/UX) are now available. If there was an announcement, I missed it. I am a little disappointed at the per-unix-desktop licensing scheme. For one desktop I would pay $50. For ten I would pay $39.00 each. For 100, I would pay $17.40 each. For 500, I would pay $5.88 each. For more than 500, I'd have to haggle, I guess. On the bright side, this applies to multiple computers. For example, I could have two servers with 50 desktops each or 10 severs with 10 desktops each and the price is the same because it's a total of 100 desktops. This leads to a fairly obvious question: How does the licence key work with Xvnc to keep a limit on the total number of desktops when the desktops are running on multiple machines? Is there an honor system, or is there a phone-home system? Just wondering how it works. I have had students who create a bunch of desktops for some foolish reason, like maybe they forgot their password. Couldn't that cause problems if we only have a license for 10 desktops and we have 10 running, but someone gets confused and makes a few more? By the way, VNC staff should note that the Solaris tar.gz file comes with a zero-byte LICENCE.txt file. Thanks in advance for any suggestions. Mike -- Michael B. Miller, Ph.D. Assistant Professor Division of Epidemiology and Community Health and Institute of Human Genetics University of Minnesota http://taxa.epi.umn.edu/~mbmiller/ ___ VNC-List mailing list VNC-List@realvnc.com To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list ___ VNC-List mailing list VNC-List@realvnc.com To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list
RE: VNC connection
Wez: Sorry for the confusion. I just meant for him to *try* EchoVNC, to see what its GUI responds with. The expriment is the equivalent of "telnet localhost 5900", of course. -Scott On Tue, 19 Apr 2005, James Weatherall wrote: Scott, Unless I've missed a mail somewhere, Michael isn't using EchoVNC. It's most likely that his server is either configured to only accept connections from the local host, configured for a different port than 5900 or was unable to listen for connections for some reason. Cheers, Wez @ RealVNC Ltd. ___ VNC-List mailing list VNC-List@realvnc.com To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list
RE: X authentication
> -Original Message- > From: Dave Love [mailto:[EMAIL PROTECTED] > Sent: Monday, April 18, 2005 1:41 PM > To: Robert Echlin > Cc: vnc-list@realvnc.com > Subject: Re: X authentication > > "Robert Echlin" <[EMAIL PROTECTED]> writes: > > > every copy of bash that I run generates a different XAUTHORITY ... > Presumably your setup is different, but normally Fedora 3 running gdm > puts xauth cookies for the console in /var/gdm/:0.Xauth, > i.e. something like this will work (as root) with VNC on 0.0: > > # DISPLAY=:0.0 XAUTHORITY=/var/gdm/:0.Xauth vncconfig -list I am not running VNC on :0, as confirmed by variations of your command: (sudo did not work - it assumed that DISPLAY was an executable) >su root -c "DISPLAY=:0 XAUTHORITY=/var/gdm/:0.Xauth vncconfig -list >Password: >No VNC extension on display :0 >DISPLAY=:0.0 XAUTHORITY=/home/builder/.XauthVG!zFg vncconfig -list >No VNC extension on display :0 -- Thanks, Vamsi, for the ps parameters "ps ax | grep Xvnc" - it showed (partial list) >Xvnc :1 ... -auth /home/builder/.Xauthority ... This confirms VNC's display and Xauth file >DISPLAY=:1 XAUTHORITY=/home/builder/.Xauthority vncconfig -list (result = long list of names, one per line, including: localhost,desktop, rfbport,rfbwait, httpPort, httpd, rfbauth, PasswordFile) There are no listings in /var/gdm that include a ":1". However, it looks like I can manually run my programs in :1 from :0 using a command line that sets DISPLAY and XAUTHORITY before the main program is run. Thank you, Dave! Since the /var/gdm stuff is only useful for root processes, I can see why a bash process might be given a copy of it with a unique name. How early are the Xauth files created in /var/gdm? Would they be available to a script run from /etc/rc.d/rc.local, or is there a race condition? I could use sudo to make a copy of the Xauth file in /var/gdm to replace /home/builder/.Xauthority before running vncserver. Would that give it the same cookie as the :0 (regular X) display? Or is it replaced by vncserver, so that I would have to hack the vncserver perl script to do this? Anyway, assigning DISPLAY and XAUTHORITY on the command line looks like it will work for me. Robert ___ VNC-List mailing list VNC-List@realvnc.com To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list
Re: VNC Security
This is a very interesting question to me. In my own case, I do have SSH setup thru Cygwin (http://www.cygwin.com/) for my local network and I use VNC thru that connection when I need to manage my own stuff remotely. However, I have to admit that when I use VNC to aid remote clients (which happens quite frequently) I don't worry about encryption whatsoever. FWIW, here's my approach: 1. I don't even try to explain setting up an SSH daemon to them. I simply have them install the VNC server in user-mode and start it. 2. If I can't explain to them in 5 min or less how to do port forwarding, I just have them connect directly to their cable/dsl modem. 3. Get the debugging and/or support done. 4. Have them stop the VNC server. Since it isn't running as a service, it won't start up next time and so won't be a security risk. 5. Tell them to turn off port forwarding from the router (if they could grok it), or just have them connect their PC back to the router and their router back to the cable/dsl modem. In either case, 5900 isn't available to the outside world so there's no risk even if they were running VNC in service-mode. I have to agree with Steve that this is, for all practical purposes, a non-existent security risk. The only things that could go wrong: a. "Somebody" is sniffing the packet stream while the VNC passwords are being exchanged, and, during that 20 minute interchange, cracks the password and logs onto the VNC server. Of course, we would notice this problem on both ends! b. I have never captured the data shared between client and server (screen/UI deltas) and so have no idea if these pose a security risk or not. c. While the VNC server is running and they are connected to the internet (port forwarding has the same problem as direct connect) a port sniffer detects that 5900 is available and immediately zooms in thru some VNC security hole. Wez would know a lot more about this possibility than me, though! Am I missing something here? Steve Bostedor wrote: I'd like to know if anyone has any working examples of why an unencrypted VNC session over the Internet is seen as such a horrible security risk. I understand that unencrypted ANYTHING over the Internet lends the chance for someone to decode the packets (assuming that they capture every one of them) but in reality, what are the real risks here and has anyone successfully captured a VNC session from more than 2 router hops away and actually gotten any meaningful information from it? I've captured a big chunk of a LOCAL session using Ethereal and the only thing that I can see that is usable is the password exchange. Agreed that this could be a problem if someone just happened to be sniffing your local LAN segment at that exact moment and happened to capture your encrypted VNC password, he could crack the password and log in himself. But how paranoid is it to go through all of the trouble of setting up SSH to avoid that when you could just change your VNC password often and make sure that your local LAN is reasonably secure from prying eyes? How about once it gets out on the Internet? Packets bounce all over the place on the Internet. What are the odds that someone out there will pick your VNC packets out of all of the millions of packets running through the back bone routers without being noticed, capture enough of them to possibly replay a session, and actually have the patience or the tools to do so. I've scoured the web out of this curiosity, looking for a tool to put VNC packets together into something useful for a hacker. There's nothing. Nada. So, I guess that what I'm asking is; what all of the fuss is about? Your POP3 password likely gets passed unencrypted but we're being asked to be paranoid about an encrypted VNC password? This is all coming from a discussion that I had with someone over the merits of using SSH with VNC over the internet for a 10 minute VNC session. Does anyone have anything that's not hypothetical? Is there a tool that I'm missing out there that does more than just crack a VNC password? Does anyone know of any reported security breaches where VNC was a weakness? ___ VNC-List mailing list VNC-List@realvnc.com To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list ___ VNC-List mailing list VNC-List@realvnc.com To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list
VNC Security
I'd like to know if anyone has any working examples of why an unencrypted VNC session over the Internet is seen as such a horrible security risk. I understand that unencrypted ANYTHING over the Internet lends the chance for someone to decode the packets (assuming that they capture every one of them) but in reality, what are the real risks here and has anyone successfully captured a VNC session from more than 2 router hops away and actually gotten any meaningful information from it? I've captured a big chunk of a LOCAL session using Ethereal and the only thing that I can see that is usable is the password exchange. Agreed that this could be a problem if someone just happened to be sniffing your local LAN segment at that exact moment and happened to capture your encrypted VNC password, he could crack the password and log in himself. But how paranoid is it to go through all of the trouble of setting up SSH to avoid that when you could just change your VNC password often and make sure that your local LAN is reasonably secure from prying eyes? How about once it gets out on the Internet? Packets bounce all over the place on the Internet. What are the odds that someone out there will pick your VNC packets out of all of the millions of packets running through the back bone routers without being noticed, capture enough of them to possibly replay a session, and actually have the patience or the tools to do so. I've scoured the web out of this curiosity, looking for a tool to put VNC packets together into something useful for a hacker. There's nothing. Nada. So, I guess that what I'm asking is; what all of the fuss is about? Your POP3 password likely gets passed unencrypted but we're being asked to be paranoid about an encrypted VNC password? This is all coming from a discussion that I had with someone over the merits of using SSH with VNC over the internet for a 10 minute VNC session. Does anyone have anything that's not hypothetical? Is there a tool that I'm missing out there that does more than just crack a VNC password? Does anyone know of any reported security breaches where VNC was a weakness? ___ VNC-List mailing list VNC-List@realvnc.com To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list
Re: vnc problem with linux firewall
Em Terga, 19 de Abril de 2005 06:54, o QUINN MCKINSEY escreveu: > I'm not sure if you guys could help because I am using tightvnc on linux > mandrake 10.1. Anyway the problem is that when I turned on the firewall > and opened the ports vnc server uses, namely 5900 and 5800, I couldn't > connect. Keep in mind I was able to connect before. So, then I turned off > the firewall, but now it still doesn't work. I'm thinking that tightvnc > changed the port number that it use when it saw the firewall was on and > didn't change back when I turned it off or that this is a major bug. I'm > not sure which. Any suggestions would be greatly appreciated. Try to open port 5901 and 5801 assuming you are using vncserver in desktop 1. port desktop 59000 5901 1 5902 2 . . . . and so on. Best Reagads. Paulo Martins ___ VNC-List mailing list VNC-List@realvnc.com To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list
RE: VNC connection
Scott, Unless I've missed a mail somewhere, Michael isn't using EchoVNC. It's most likely that his server is either configured to only accept connections from the local host, configured for a different port than 5900 or was unable to listen for connections for some reason. Cheers, Wez @ RealVNC Ltd. > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Scott C. Best > Sent: 18 April 2005 18:54 > To: vnc-list@realvnc.com > Cc: [EMAIL PROTECTED] > Subject: Re: VNC connection > > Michael: > > Heya. So what does the UI of EchoVNC report when you install > it alongside your RealVNC Server? It will try to detect your > VNC server > listening on the loopback interface (127.0.0.1). If it can detect a > VNC server, you should be able to make VNC connections with it. > > -Scott > > PS: We updated EchoVNC to 1.1 this weekend, making it more compatible > with the RealVNC 4.x releases. http://www.echovnc.com > > > > Done the port forward. > > > > Tried disabling Norton. > > > > Firewall is permanently off. > > > > Still no response on 5900? > > > > Regards > > > > Michael Bentley > ___ > VNC-List mailing list > VNC-List@realvnc.com > To remove yourself from the list visit: > http://www.realvnc.com/mailman/listinfo/vnc-list ___ VNC-List mailing list VNC-List@realvnc.com To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list
Re: X authentication
Adding on Robert's suggestion, > >> This seems to be required for the shell to start stuff in the :0.0 >> display. >> At least, when I changed XAUTHORITY to point at ~/.Xauthority, I found I > >could then run stuff in :1, but not in :0. >Presumably your setup is different, but normally Fedora 3 running gdm >puts xauth cookies for the console in /var/gdm/:0.Xauth, >i.e. something like this will work (as root) with VNC on 0.0: ># DISPLAY=:0.0 XAUTHORITY=/var/gdm/:0.Xauth vncconfig -list If your setup is different, probably you can use # ps ax | grep Xvnc and then see what is specified as auth arguement to the XVNC server. You can use the same authority file as your XAUTHORITY in the above command. This should help. - Vamsi ___ VNC-List mailing list VNC-List@realvnc.com To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list
