On Wed, Nov 30, 2011 at 06:03:36PM +0000, Dan Garton wrote:
> I have kind of answered my own question. An option seems to be to run with
>
> "-SecurityTypes=VNCAuth,TLSVnc"
>
> This mandates a minimum of a secure authentication stage, and then the
> client can be configured (but not forced) to encrypt the session traffic.

No. The client may choose between one of them. Either the session is
unencrypted (VNCAuth) or using the VeNCrypt+TLSVnc protocol (encrypted).

> I don't think that the server is NOT forcing encryption on the session is
> significant, as in reality all instances of user sessions will implement
> encryption (this could even be "hard-configured" on the client side ie by
> passing the param in the JNLP for the Java viewer).
>
> Really my only remaining issue is how to implement password-less login ....
> either with TLSVnc and doing some kind of "hidden" password passing with
> the JNLP, or by using X509Vnc I guess .....

I'm not aware of any transparent signon. TigerVNC only allows:

* No authentication
* Classic VNC authentication
* Authentication with username/password (default authentication provider
  is the system authentication)

It would be possible to extend SSecurityTLS/CSecurityTLS to send/verify
client certificates and use this with X509None. This would result in a
passwordless login solution based on certificates - but you would have to
extend the code.

> > I'm trying to run a TigerVNC server in my project with the following
> > security:
> >
> > - encryption (to make session traffic hard to sniff)
> > - authentication (preferably via transparent key exchange, but if
> >   necessary a password submission is possible)
> >
> > According to this email from Martin K back in February (
> > http://www.mail-archive.com/tigervnc-devel@lists.sourceforge.net/msg01013.html
> > )
> > I have these options:
> >
> > - TLSVnc
> > - X509Vnc
> >
> > I am currently using TLSVnc fine with the bundled Java viewer.
> >
> > However, for non-Java-capable platforms, I need to use a different client
> > solution, and on a tip from Brian H I have landed on noVNC (
> > https://github.com/kanaka/noVNC )
> > (noVNC doesn't do SSL natively, but can use a WebSockets proxy
> > (websockify) which I have deployed)
> >
> > But I can't get it to connect to TigerVNC server running with
> > SecurityType=TLSVnc.
> >
> > The noVNC developer tells me that *"The problem is that your VNC server
> > is only configured to allow VeNCrypt and noVNC only supports standard VNC
> > auth (2)."*
> >
> > But surely TLSVnc _is_ standard authentication? (as in, VNCAuth +
> > encryption ?)

VeNCrypt is a protocol extension to raise the number of supported security
types from 2^8 to 2^32. TLSVnc is an extended security type, which first
does a TLS setup and then a normal VNC auth challenge-response protocol.

Passing VNCAuth through an SSL proxy results in different traffic than
using TLSVnc, because TLSVnc sends some bytes unencrypted, has a different
ID and some additional bytes are added to the protocol.

Regards,
Martin
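
The negotiation discussed in this mail, as an added example that is not part of the original message or of TigerVNC: it parses the RFB security-type list and the VeNCrypt 0.2 subtype list, then reports whether a client limited to type 2 can connect and whether the server leaves an unencrypted choice open. The function names and the sample byte strings are constructed for illustration; the type numbers are the registered RFB/VeNCrypt values.

```python
import struct

# Registered RFB security types and VeNCrypt subtypes.
RFB_TYPES = {1: "None", 2: "VncAuth", 19: "VeNCrypt"}
VENCRYPT_SUBTYPES = {256: "Plain", 257: "TLSNone", 258: "TLSVnc", 259: "TLSPlain",
                     260: "X509None", 261: "X509Vnc", 262: "X509Plain"}
ENCRYPTED = {257, 258, 259, 260, 261, 262}  # subtypes that start with a TLS setup


def parse_security_types(msg: bytes) -> list:
    """RFB 3.7/3.8 server message: u8 count, then `count` one-byte types."""
    if not msg or msg[0] == 0:
        raise ValueError("no security types offered (empty or refused)")
    count = msg[0]
    if len(msg) < 1 + count:
        raise ValueError("truncated security-type list")
    return list(msg[1:1 + count])


def parse_vencrypt_subtypes(msg: bytes) -> list:
    """VeNCrypt 0.2 message: u8 count, then `count` big-endian u32 subtypes."""
    if not msg or len(msg) < 1 + 4 * msg[0]:
        raise ValueError("truncated VeNCrypt subtype list")
    return list(struct.unpack(f">{msg[0]}I", msg[1:1 + 4 * msg[0]]))


def audit(types_msg: bytes, subtypes_msg: bytes = b"", client_types=frozenset({2})):
    """Summarise what the server offers, from a type-2-only client's point of view."""
    types = parse_security_types(types_msg)
    subtypes = parse_vencrypt_subtypes(subtypes_msg) if 19 in types and subtypes_msg else []
    cleartext = (any(t in (1, 2) for t in types)
                 or any(s not in ENCRYPTED for s in subtypes))
    return {
        "offered": [RFB_TYPES.get(t, str(t)) for t in types],
        "vencrypt": [VENCRYPT_SUBTYPES.get(s, str(s)) for s in subtypes],
        "client_can_connect": any(t in client_types for t in types),
        "cleartext_possible": cleartext,
    }


# Constructed samples (not captured traffic).
TLSVNC_ONLY = bytes([1, 19])              # server offers only VeNCrypt
MIXED = bytes([2, 19, 2])                 # server offers VeNCrypt and VncAuth
SUBTYPES_TLSVNC = bytes([1]) + struct.pack(">I", 258)

if __name__ == "__main__":
    print(audit(TLSVNC_ONLY, SUBTYPES_TLSVNC))
    print(audit(MIXED, SUBTYPES_TLSVNC))
```

The first sample shows why a type-2-only client cannot connect when only VeNCrypt is offered; the second shows that offering both lets the client pick the unencrypted path.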