On 2/16/11 2:25 AM, Martin Koegler wrote:
> Both approaches use different security models:
> 
> * sshing as user on the server and then executing the rest (session
> listing, ...) as user too fits in the unix permission schema: The
> client only does automatically, what the user could have done
> manually - so no extra permissions are necessary.
> 
> * In the web portal case, the webserver needs additional privileges to
> act on behalf of the user (e.g. list/start sessions).
> And: If there is a need for an additional web application based on
> the same technology as the VNC portal, how many users are deploying it
> on the same webserver, so that the second application runs with the
> additional permissions too?

I'm not claiming to be an expert on web portals.  I'm just saying that a
lot of people are using them successfully.  The portals I've seen
require you to authenticate with your Unix login/password before you can
start/list VNC sessions, so obviously they are doing something with
respect to user impersonation.  These are all inside-the-firewall sorts
of things, also, so not necessarily hardened from a security point of view.

The problem with SSH is that it requires authentication every time a
command is issued, so you'd have to figure out a way to query the
running VNC sessions, send that data to the client, then wait for input
as to whether to connect to an existing session or start a new one.
Otherwise, minimally the user would have to enter their SSH password
twice.  We have that problem with VirtualGL, and our solution is to make
the user enter their password twice.  :)

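The list-then-connect flow described above can run over a single authenticated SSH connection by keeping an OpenSSH control socket open and reusing it for the session listing, the optional server start, and the port forward. The script below is an added example, not code from the thread or from TigerVNC; it assumes an OpenSSH client with ControlMaster support, a remote `vncserver` whose `-list` output has one ":N<TAB>PID" row per session (format assumed, not taken from the page), and `testhost` as a placeholder hostname. `SSH_CMD` is overridable only so the parsing and choice logic can be exercised without a real server.

```shell
#!/bin/sh
# Added example: one password prompt (ssh_open), then list / choose / connect
# over the same master connection. Assumes OpenSSH ControlMaster and a
# TigerVNC-style `vncserver -list` output (assumed format, see lead-in).

CONTROL_PATH="${CONTROL_PATH:-$HOME/.ssh/vncctl-%r@%h:%p}"
SSH_CMD="${SSH_CMD:-ssh}"   # overridable so the helpers can be tested with a stub

# Authenticate once; the master stays in the background for 10 minutes so
# later commands and forwards reuse it instead of prompting again.
ssh_open() {
    "$SSH_CMD" -o ControlMaster=auto -o "ControlPath=$CONTROL_PATH" \
        -o ControlPersist=600 -fN "$1"
}

# Run a command on the host over the existing master (no new authentication).
remote() {
    host="$1"; shift
    "$SSH_CMD" -o "ControlPath=$CONTROL_PATH" "$host" "$@"
}

# Turn `vncserver -list` output into display numbers, one per line.
# Only ":N<whitespace>PID" rows are kept; header and blank lines are skipped.
parse_vnc_list() {
    sed -n 's/^:\([0-9][0-9]*\)[[:space:]][[:space:]]*[0-9][0-9]*$/\1/p'
}

# Resolve the user's answer to a display number: an existing number is used
# as-is; "new" starts a server and returns the highest display now listed.
choose_display() {
    host="$1"; choice="$2"
    if [ "$choice" = "new" ]; then
        remote "$host" vncserver >/dev/null 2>&1
        remote "$host" vncserver -list | parse_vnc_list | sort -n | tail -n 1
    else
        echo "$choice"
    fi
}

# Interactive flow: authenticate once, show sessions, ask, then tunnel the
# chosen display's port (5900+N) through the same master and start the viewer,
# so the VNC traffic itself never leaves the SSH tunnel.
vnc_connect_flow() {
    host="$1"
    ssh_open "$host" || return 1
    sessions=$(remote "$host" vncserver -list | parse_vnc_list | tr '\n' ' ')
    echo "Existing sessions on $host: ${sessions:-none}"
    printf 'Display number to attach, or "new": '
    read -r choice
    display=$(choose_display "$host" "$choice")
    port=$((5900 + display))
    "$SSH_CMD" -o "ControlPath=$CONTROL_PATH" -fN \
        -L "$port:localhost:$port" "$host"
    vncviewer "localhost:$display"
}

# Usage (placeholder hostname): VNC_FLOW_RUN=1 sh thisscript.sh testhost
if [ "${VNC_FLOW_RUN:-0}" = 1 ]; then
    vnc_connect_flow "${1:-testhost}"
fi
```

The user types a password once, at `ssh_open`; every later `remote` call and the port forward attach to the control socket, which is the piece of OpenSSH that removes the "enter your password twice" problem mentioned above.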
_______________________________________________
Tigervnc-devel mailing list
Tigervnc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tigervnc-devel