On 9/2/10 9:50 AM, Adam Tkac wrote:
> This type is, by default, disabled on the server. It must be enabled
> via commandline parameter (-SecurityTypes). Client has it disabled as
> well but if the user specifies he wants to use it (and server has Plain type
> enabled) then it is used. If it is client's first sectype then it is
> preferred over more "strong" mechanisms (TLS, for example).

IMHO, the correct behavior should be that if the server enables this security type before other security types, then the client should use it unless the user specifically passes the -SecurityTypes parameter to the client to disable the type. IOW, I think the Plain type should be enabled by default on the client but not given priority. I agree that it should not be enabled on the server without an explicit override.

Here's why-- let's say a SysAdmin wants all users to use Unix login, so he/she has configured the server such that it only supports the Plain type, and presumably he/she has taken other security measures to ensure that only SSH-tunneled VNC connections can be made. Under this scenario, if someone tries to connect using the viewer, it will fail to authenticate unless they explicitly enable the Plain type.

I am thinking in terms of how to implement the same types of authentication scenarios that TurboVNC customers are currently using.

_______________________________________________
Tigervnc-devel mailing list
Tigervnc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tigervnc-devel
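
The two selection rules discussed in this message, as an added example that is not part of the original thread and is not TigerVNC code: a simplified Python model that compares client-order and server-order selection and flags the case where Plain is chosen although another mutually enabled type existed. The type names other than Plain, the default lists and all function names are assumptions made for illustration.

```python
# Simplified model of VNC security-type selection; not TigerVNC source.
# "TLSVnc"/"VncAuth" and the default lists below are illustrative assumptions.

CLIENT_CURRENT = ["TLSVnc", "VncAuth"]            # Plain disabled by default (quoted message)
CLIENT_PROPOSED = ["TLSVnc", "VncAuth", "Plain"]  # Plain enabled but listed last (reply)


def pick_client_order(server_types, client_types):
    """Client takes the first of its own enabled types that the server offers."""
    for sectype in client_types:
        if sectype in server_types:
            return sectype
    return None  # no common type: the connection cannot authenticate


def pick_server_order(server_types, client_types):
    """Client takes the first server-listed type that it has enabled."""
    for sectype in server_types:
        if sectype in client_types:
            return sectype
    return None


def plain_chosen_over_alternative(server_types, client_types, chosen):
    """True when Plain was selected even though both sides shared another type."""
    shared = [t for t in server_types if t in client_types and t != "Plain"]
    return chosen == "Plain" and bool(shared)


def describe(server_types, client_types, picker):
    """Return (chosen type, warning flag) for one server/client configuration."""
    chosen = picker(server_types, client_types)
    return chosen, plain_chosen_over_alternative(server_types, client_types, chosen)


if __name__ == "__main__":
    cases = [
        ("Plain-only server, current client", ["Plain"], CLIENT_CURRENT, pick_server_order),
        ("Plain-only server, proposed client", ["Plain"], CLIENT_PROPOSED, pick_server_order),
        ("server prefers TLS, proposed client", ["TLSVnc", "Plain"], CLIENT_PROPOSED, pick_server_order),
        ("server prefers Plain, proposed client", ["Plain", "TLSVnc"], CLIENT_PROPOSED, pick_server_order),
        ("user put Plain first, client order", ["TLSVnc", "Plain"], ["Plain", "TLSVnc"], pick_client_order),
    ]
    for label, server, client, picker in cases:
        chosen, warn = describe(server, client, picker)
        print(f"{label}: chosen={chosen} plain_over_alternative={warn}")
```

The flag is only raised when a non-Plain type was available to both sides, so a server restricted to Plain behind an SSH tunnel does not trigger it.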