On Thu, Jul 22, 2010 at 04:02:52PM -0500, DRC wrote:
> This makes the use of extended authentication types somewhat useless
> from the point of view of a SysAdmin, though.  If there is not a way for
> them to enforce, or at least strongly encourage, the use of secure
> authentication on a system-wide level, then any user can choose to use
> VncAuth or VncNone.

A SysAdmin can't prevent a user from doing this. For normal (shell) user
processes, he can only suggest defaults.

If a sysadmin wants to control VNC use, he has to:
* Install a firewall on the server preventing inbound connections
* Start vnc on some ports under a system user (eg. via inetd)

Even in that case, the user can still start his own Xvnc server, but
he needs to tunnel remote access.

> The way we do things in TurboVNC is to have a separate config file,
> /etc/turbovncserver-auth.conf, which is hard-coded into the Xvnc
> executable.  Thus, the user has no ability to override this without
> re-compiling Xvnc (which, trust me, isn't something that a user is going
> to do with TigerVNC.  It's hard enough for us to compile it!)

If the defaults are sensible, the user will not override them. If the
user is annoyed by the sysadmin setting, he will search for alternatives.

The user is not required to recompile it himself. Users are likely to
start exchanging modified, precompiled versions.

If TurboVNC has not taken extra precautions, a 1-2 line shell script
should be sufficient to prevent it from using the sysadmin defaults.

> >> If I understand correctly, then using the -securityTypes argument to
> >> vncserver and vncviewer addresses most of this, but correct me if I'm 
> >> wrong.
> > 
> > There is no config file support in Xvnc and vncviewer. 
> 
> I will need to implement an auth config file of some sort if I ever
> deign to port the PAM authentication support over to TigerVNC, so that
> would be the appropriate time to revisit having some sort of mechanism
> for the SysAdmin to specify the security types globally.

PAM support would not fit in a normal config file. It requires a file
/etc/pam.d/<service-name> specifying the list of pam modules.

The Plain security only needs another option specifying that it
should use a PAM-based password validator and maybe allows overriding
the service-name passed to PAM.

Regards,
Martin Kögler
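The distinction Martin draws above (an Xvnc started by the system under a system user versus one a user starts himself, which system-wide defaults cannot constrain) can be audited from the host side. The following is an added example, not code from this thread or from TigerVNC; it assumes the Linux /proc/net/tcp format and that uids up to 999 are system accounts.

```python
"""Audit listening VNC display ports (5900-5999) from /proc/net/tcp lines.

Flags listeners owned by ordinary (non-system) users, i.e. an Xvnc a user
started on his own, which the sysadmin's defaults do not apply to.
"""
import socket
import struct

VNC_PORT_RANGE = range(5900, 6000)
TCP_LISTEN = "0A"          # socket state code for LISTEN in /proc/net/tcp
SYSTEM_UID_MAX = 999       # assumption: uids <= 999 are system accounts


def parse_proc_net_tcp(text):
    """Yield (local_ip, local_port, uid) for every LISTEN socket."""
    for line in text.splitlines()[1:]:      # first line is the header
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue
        ip_hex, port_hex = fields[1].split(":")
        # /proc/net/tcp stores the IPv4 address as little-endian hex
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
        yield ip, int(port_hex, 16), int(fields[7])


def find_user_vnc_listeners(text, system_uid_max=SYSTEM_UID_MAX):
    """Return VNC display listeners not owned by a system account."""
    return [
        (ip, port, uid)
        for ip, port, uid in parse_proc_net_tcp(text)
        if port in VNC_PORT_RANGE and uid > system_uid_max
    ]


# Constructed sample: header, a system-run Xvnc on :1 (uid 0), a user-run
# Xvnc on :2 (uid 1000) bound to all interfaces, and sshd on 127.0.0.1:22.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:170D 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:170E 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    # On a real host: find_user_vnc_listeners(open("/proc/net/tcp").read())
    for ip, port, uid in find_user_vnc_listeners(SAMPLE):
        print(f"user-owned VNC listener {ip}:{port} (display :{port - 5900}) uid={uid}")
```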

_______________________________________________
Tigervnc-devel mailing list
Tigervnc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tigervnc-devel