Re: [Tigervnc-devel] [PATCH] vncserver checks ~/.vnc/passwd when not needed and -TermOnLogout option
My understanding is that they were going to change the auth code so that it defaulted to using VeNCrypt so that you would no longer have to specify it on the command line. You would however have to set the method priority. The method priority would default to VncAuth for compatibility. I do not know if that was completed or is in the current binaries that DRC built. I am running the same binaries and I am still specifying in the old manner. I have not tested the short form using them. I was not sure if that work was completed yet. Again this is my understanding from following that thread. If anything in my 2 cents above is incorrect, please jump in and let me know.

Robert

On 03/01/2011 08:10 AM, Sebastiaan Breedveld wrote:
> On 03/01/2011 12:13 PM, DRC wrote:
>> As far as checking for the VNC password, we're no longer requiring "VeNCrypt" to be specified in the -SecurityTypes parameter, so checking for that won't work. The correct approach is to check whether -SecurityTypes is not specified -- or -- whether -SecurityTypes is specified and contains (case insensitive) "VncAuth". If either of those conditions is true, then and only then should vncserver check for the existence of the VNC password.
>
> Looking at it again, the vncserver script adds --rfbauth automatically, so a more structural change is necessary:
> - if no options are given, force VeNCrypt, and do not use --rfbauth anymore
> - force VeNCrypt by specifying SecurityTypes, and do not use --rfbauth in that case
>
> Or am I misunderstanding something?
>
> Greetings,
> Sebastiaan

--
Robert Goley
FOSS Implementation Specialist
Toll Free: (800) 338-4984 Local: (770) 479-7933 Fax: (770) 479-4076
www.openrda.com
America's only Free Open Source fund accounting software company.

___
Tigervnc-devel mailing list
Tigervnc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tigervnc-devel
Re: [Tigervnc-devel] [PATCH] vncserver checks ~/.vnc/passwd when not needed and -TermOnLogout option
Hi,

On 03/01/2011 06:48 PM, Robert Goley wrote:
> My understanding is that they were going to change the auth code so that it defaulted to using VeNCrypt so that you would no longer have to specify it on the command line. You would however have to set the method priority. The method priority would default to VncAuth for compatibility. I do not know if that was completed or is in the current binaries that DRC built. I am running the same binaries and I am still specifying in the old manner. I have not tested the short form using them. I was not sure if that work was completed yet. Again this is my understanding from following that thread. If anything in my 2 cents above is incorrect, please jump in and let me know.

Working on understanding too: if VeNCrypt would be the default, the authentication is always done using PAM. However, a 'vnc' pam file is not present by default. It is also not trivial to make one since each distribution has its own way of configuring pam. I would suggest to default to /etc/pam.d/vnc if present, otherwise use /etc/pam.d/login (which is present on all systems).

Sebastiaan

> Robert
>
> On 03/01/2011 08:10 AM, Sebastiaan Breedveld wrote:
>> On 03/01/2011 12:13 PM, DRC wrote:
>>> As far as checking for the VNC password, we're no longer requiring VeNCrypt to be specified in the -SecurityTypes parameter, so checking for that won't work. The correct approach is to check whether -SecurityTypes is not specified -- or -- whether -SecurityTypes is specified and contains (case insensitive) VncAuth. If either of those conditions is true, then and only then should vncserver check for the existence of the VNC password.
>>
>> Looking at it again, the vncserver script adds --rfbauth automatically, so a more structural change is necessary:
>> - if no options are given, force VeNCrypt, and do not use --rfbauth anymore
>> - force VeNCrypt by specifying SecurityTypes, and do not use --rfbauth in that case
>>
>> Or am I misunderstanding something?
>>
>> Greetings,
>> Sebastiaan
Re: [Tigervnc-devel] [PATCH] vncserver checks ~/.vnc/passwd when not needed and -TermOnLogout option
The current binaries have all of the modifications you describe (VeNCrypt no longer needs to be specified, the server's security type order is preferred, and VncAuth is at the top of the server's security type list.)

On 3/1/11 11:48 AM, Robert Goley wrote:
> My understanding is that they were going to change the auth code so that it defaulted to using VeNCrypt so that you would no longer have to specify it on the command line. You would however have to set the method priority. The method priority would default to VncAuth for compatibility. I do not know if that was completed or is in the current binaries that DRC built. I am running the same binaries and I am still specifying in the old manner. I have not tested the short form using them. I was not sure if that work was completed yet. Again this is my understanding from following that thread. If anything in my 2 cents above is incorrect, please jump in and let me know.
>
> Robert
[Tigervnc-devel] Security types on server
Is there a good reason why only VncAuth and TLSVnc are enabled on the server by default? Would it be reasonable to enable the other secure types as well?

DRC
Re: [Tigervnc-devel] [PATCH] vncserver checks ~/.vnc/passwd when not needed and -TermOnLogout option
On 3/1/11 3:10 PM, Martin Koegler wrote:
> I had the same problem long ago, I modified the vncserver script this way:
>
> system(($vncStartup ; $0 -kill :$displayNumber ) . quotedString($desktopLog) . 21 ) if ($vncStartup);
>
> The change is minimal and it does not change the function/parameters of vncserver [except, that Xvnc is killed, after the session/window manager exits].

I believe that both approaches are beneficial. The -fg switch is, as previously mentioned, necessary in a grid environment. The combined patch which I've personally tested is attached.

Index: unix/vncserver === --- unix/vncserver (revision 4305) +++ unix/vncserver (working copy) @@ -122,7 +122,7 @@ # Check command line options ParseOptions(-geometry,1,-depth,1,-pixelformat,1,-name,1,-kill,1, - -help,0,-h,0,--help,0,-fp,1,-list,0); + -help,0,-h,0,--help,0,-fp,1,-list,0,-fg,0); Usage() if ($opt{'-help'} || $opt{'-h'} || $opt{'--help'}); @@ -306,7 +306,15 @@ } $ENV{VNCDESKTOP}= $desktopName; -system($vncUserDir/xstartup . quotedString($desktopLog) . 21 ); +if ($opt{'-fg'}) { +system($vncUserDir/xstartup . quotedString($desktopLog) . 21); +if (kill 0, `cat $pidFile`) { +$opt{'-kill'} = ':'.$displayNumber; +Kill(); +} +} else { +system(($vncUserDir/xstartup; $0 -kill :$displayNumber) . quotedString($desktopLog) . 21 ); +} exit;
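Review bot: the new -fg flag in the ParseOptions hunk (@@ -122,7) is registered as a no-argument option, but no hunk in this patch touches the text printed by Usage() for -help/-h/--help, so the switch ships undocumented. Add a usage line (and a man page entry) saying that with -fg vncserver waits for xstartup to finish and then kills the Xvnc session.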
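Review bot: in the -fg branch of the second hunk (@@ -306,7), the liveness test kill 0, `cat $pidFile` takes the PID from a shell-out with $pidFile interpolated unquoted and uses the output without validation. If the pid file is missing or empty the argument is an empty string, which Perl treats as PID 0, and signal 0 to PID 0 addresses the caller's own process group, so the test passes and Kill() runs anyway. Read the file with open() in Perl, chomp the value, and require /^\d+$/ before calling kill 0. The else branch also interpolates $0 unquoted into the shell command, which breaks when vncserver is started through a path containing spaces or shell metacharacters; quote it the same way $desktopLog is quoted.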
Re: [Tigervnc-devel] [PATCH] vncserver checks ~/.vnc/passwd when not needed and -TermOnLogout option
On 3/2/11 3:00 AM, Sebastiaan Breedveld wrote:
> Working on understanding too: if VeNCrypt would be the default, the authentication is always done using PAM. However, a 'vnc' pam file is not present by default. It is also not trivial to make one since each distribution has its own way of configuring pam. I would suggest to default to /etc/pam.d/vnc if present, otherwise use /etc/pam.d/login (which is present on all systems).

No, you're misunderstanding. PAM is not used unless the Plain or TLSPlain security type is enabled, which is definitely not done by default.
Re: [Tigervnc-devel] Security types on server
On Tue, Mar 01, 2011 at 08:53:27PM -0600, DRC wrote:
> Is there a good reason why only VncAuth and TLSVnc are enabled on the server by default? Would it be reasonable to enable the other secure types as well?

X509* make no sense without specifying certificates.
*None and Plain should not be enabled by default because of security issues.
*Plain require some additional configuration, as most users probably only want to authenticate as themselves.

Regards,
Martin Kögler
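
The rules stated in this thread (DRC's condition for checking the VNC password, and the remarks on the *Plain, X509* and *None types) collected into one Perl helper, as an added example. It is not code from the vncserver script or the TigerVNC project; the function name, the result keys and the sample values are made up for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not in vncserver). $types is the -SecurityTypes
# value, or undef when the option was not given on the command line.
sub classify_security_types {
    my ($types) = @_;
    my %r = (check_passwd => 0, plain_auth      => 0,
             needs_cert   => 0, unauthenticated => 0);

    # DRC's rule, first half: option absent, so check for the VNC password.
    if (!defined $types) {
        $r{check_passwd} = 1;
        return \%r;
    }

    $types =~ s/^\s+|\s+$//g;                  # trim the copy, not the caller's value
    for my $t (split /\s*,\s*/, lc $types) {   # lc: comparison is case insensitive
        next unless length $t;
        # DRC's rule, second half: the list contains VncAuth.
        $r{check_passwd}    = 1 if $t eq 'vncauth';
        # *Plain: needs additional configuration; Plain/TLSPlain go through PAM.
        $r{plain_auth}      = 1 if $t =~ /plain$/;
        # X509*: makes no sense without certificates.
        $r{needs_cert}      = 1 if $t =~ /^x509/;
        # *None: no authentication, not something to enable by default.
        $r{unauthenticated} = 1 if $t =~ /none$/;
    }
    return \%r;
}

# Constructed sample values, not taken from any real configuration.
for my $sample (undef, 'TLSVnc', 'tlsvnc,VNCAUTH', 'X509Plain, None') {
    my $r     = classify_security_types($sample);
    my $label = defined($sample) ? $sample : '(not specified)';
    my @parts;
    push @parts, "$_=$r->{$_}" for sort keys %$r;
    printf "%-18s %s\n", $label, join(' ', @parts);
}
```

A startup script would only look for ~/.vnc/passwd when check_passwd is set, and could warn or refuse to start when unauthenticated is set without an explicit opt-in.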
Re: [Tigervnc-devel] Security types on server
OK, that makes sense. Thanks.

On 3/2/11 4:41 PM, Martin Koegler wrote:
> On Tue, Mar 01, 2011 at 08:53:27PM -0600, DRC wrote:
>> Is there a good reason why only VncAuth and TLSVnc are enabled on the server by default? Would it be reasonable to enable the other secure types as well?
>
> X509* make no sense without specifying certificates.
> *None and Plain should not be enabled by default because of security issues.
> *Plain require some additional configuration, as most users probably only want to authenticate as themselves.