On 02/11/2011 02:47 PM, DRC wrote:
> On 2/11/11 3:22 PM, Robert Goley wrote:
>> It does have some complications. Most software seems to use a GPL
>> disclaimer/exception when using it. The libssh library is released LGPL
>> though. If it can be used with GNUTLS, that should solve that issue.
>
> Not really, because as mentioned previously, GnuTLS is about 1/3 as fast
> as OpenSSL. Also, I don't understand the advantage of using
> libssh/GnuTLS vs. just using GnuTLS like we're already doing. The only
> advantage I could see to that would be in cases where there is a
> restrictive firewall and only the SSH port is open.
>
I see GnuTLS and libssh as providing fundamentally different capabilities. GnuTLS provides transport-level encryption of application data, which in TigerVNC's case provides encrypted RFB protocol over a direct socket connection. libssh provides an authenticated login session with a secure channel (tunnel) riding on top of it. The application-level protocol does not change.

My users use the SSH tunneling option of vncviewer out of necessity, because many of the systems we support and use are configured to require a user-specific operating system login (SSH) to connect, and the VNC desktops are only available for local connection. The tunneling and OS-level authentication are the important features, not the encryption. In fact, I'm contemplating turning on "None" encryption support in the SSH server...

Like you say below, a manual ssh session with local port forwarding would work, followed by a vncviewer pointed at "localhost::<port>". However, using libssh within vncviewer would improve the performance by eliminating the extra process and extra socket transfer (and would keep my users from having to understand all the relevant port numbers in great detail!!).

> I would get on board with using libssh if and only if:
>
> (1) It replaces GnuTLS as a way to do session encryption, not
> supplements it.
>
> (2) It offers a fundamentally more user-friendly approach to SSH session
> encryption (such as providing a single sign-on to both the SSH server
> and the VNC server.)
>
> and
>
> (3) It performs as well as using the external SSH client.
>
>
> Really, I see the -via option as a convenience feature, nothing more.
> It's a way for Unix users to avoid typing the SSH forwarding command
> line by hand. It's not part of a comprehensive session encryption function.
_______________________________________________
Tigervnc-devel mailing list
Tigervnc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tigervnc-devel
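The manual procedure the message above describes (an ssh session with local port forwarding, then vncviewer pointed at "localhost::<port>"), scripted as an added example so the user never has to track the port numbers by hand. This is not TigerVNC's code and not its -via implementation; it assumes OpenSSH's ssh(1) and a vncviewer binary on PATH, and the gateway name, the 6900+N local port choice and the control-socket path are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not TigerVNC code): wrap "ssh -L ... ; vncviewer localhost::port".
# Assumes OpenSSH ssh(1) and vncviewer on PATH; host names are placeholders.

# A VNC display :N listens on TCP port 5900+N (RFB convention).
display_to_port() {
    echo $((5900 + $1))
}

# Local side of the tunnel: 6900+N, chosen here (assumption) so it cannot
# collide with an Xvnc that may already own 5900+N on the client machine.
local_port_for() {
    echo $((6900 + $1))
}

# Build the ssh command line.
#  -f -N                         background only once the forward is established
#  -o ExitOnForwardFailure=yes   fail loudly if the server refuses the -L forward,
#                                instead of logging in with no tunnel at all
#  -M -S <socket>                control socket so the tunnel can be torn down later
#  -L 127.0.0.1:...              bind the listener to loopback only, so other hosts
#                                on the client's network cannot ride the tunnel
build_tunnel_cmd() {
    gateway=$1; display=$2; ctl=$3
    rport=$(display_to_port "$display")
    lport=$(local_port_for "$display")
    echo "ssh -f -N -M -S $ctl -o ExitOnForwardFailure=yes -L 127.0.0.1:$lport:127.0.0.1:$rport $gateway"
}

# Establish the tunnel, run the viewer, then close the tunnel when the viewer exits.
run_via() {
    gateway=$1; display=$2
    ctl=${TMPDIR:-/tmp}/vnc-via-$$.sock
    cmd=$(build_tunnel_cmd "$gateway" "$display" "$ctl")
    $cmd || { echo "tunnel setup failed: $cmd" >&2; return 1; }
    vncviewer "localhost::$(local_port_for "$display")"
    rc=$?
    ssh -S "$ctl" -O exit "$gateway"
    return $rc
}

# Usage: sh vnc-via.sh user@gateway.example <display-number>
case "${2:-}" in
    "") ;;                      # no arguments: only define the functions
    *)  run_via "$1" "$2" ;;
esac
```

Running `sh vnc-via.sh user@gateway.example 1` authenticates the user to the gateway with their own OS login, forwards loopback port 6901 to display :1 on the far side, starts the viewer against that port, and uses the control socket to shut the tunnel down once the viewer exits, so no stray ssh processes are left listening.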