On Fri, Dec 02, 2011 at 02:45:45PM +0000, Dan Garton wrote:
> > I'm not aware of any transparent signon. TigerVNC only allows:
> > * No authentification
> > * Classic VNC authentification
> > * Authentification with username/password (default authentification
> > provider
> > is the system authentification)
> >
> > It would be possible to extend SSecurityTLS/CSecurityTLS to send/verify
> > client
> > certificates and use this with X509None. This would result in a
> > passwordless
> > login solution based on certificates - but you would have to extend the
> > code.
> Ok, I must admit this has confused me a bit.
> Your email at
> http://www.mail-archive.com/tigervnc-devel@lists.sourceforge.net/msg01013.html
> suggested
> to me that X509None *already* allows for a passwordless login based on
> certificates, and you also listed the options used on both server and
> client sides for this.

No. x509cert  and x509key of the server are the crendentials, with which the 
will prove its identity.

x509ca + x509crl on the client are used to check the server identity.

This is the same procedure, as any normal https website works.

For passwordless logins, you need client certificates. The client needs
a certificate and it's key and the server needs the ca + crl to verify it.
gnutls has the support for this, but some glue code is missing.

If you don't know the whole client certificates thing, I suggest to start
reading the apache httpd mod_ssl documentation (especially 


All the data continuously generated in your IT infrastructure 
contains a definitive record of customers, application performance, 
security threats, fraudulent activity, and more. Splunk takes this 
data and makes sense of it. IT sense. And common sense.
Tigervnc-devel mailing list

Reply via email to