On Thu, Sep 02, 2010 at 09:18:15AM -0600, DRC wrote:
> On 9/2/10 6:37 AM, Adam Tkac wrote:
> > I would rather disable the "Plain" type by default because it is a real
> > security hazard. I've committed your patch without "Plain" in the
> > default list. The user can manually select it.
> >
> > The rest of the patch is OK, I've committed it as r4127. Thank you very
> > much.
> 
> I haven't had time to review the patches yet, but it sounds like this is 
> the functional equivalent of Unix Login Authentication?  That is, it 

I haven't checked TurboVNC's Unix Login Authentication yet, so I
cannot say whether the "Plain" method is the same.

> passes a user/password in plain text to the server to be validated with 
> PAM?  If so, then I concur that it should be disabled by default. 

You are right, vncviewer passes user+password in plaintext and the server
validates the supplied credentials via PAM. I disabled this insecure
method by default on both server and client.

> However, if someone starts the server and passes this security type as 
> the first in the list, will this cause the viewer to use the security 
> type by default?  I would think it should.

This type is, by default, disabled on the server. It must be enabled
via a command-line parameter (-SecurityTypes). The client has it disabled as
well, but if the user specifies that he wants to use it (and the server has the Plain type
enabled) then it is used. If it is the client's first sectype then it is
preferred over "stronger" mechanisms (TLS, for example).

Regards, Adam

-- 
Adam Tkac, Red Hat, Inc.

_______________________________________________
Tigervnc-devel mailing list
Tigervnc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tigervnc-devel