On 8/6/12 3:04 AM, James Wettenhall wrote:
> 1. The Mac OS X Java VNC viewer
>
> I tried the Java VNC viewer app on my Mac (OS X 10.7.4), running Java
> runtime environment v1.6.0_33. Everything worked really well, except
> that when I connected to a non-TurboVNC VNC server (*), most of the VNC
> screen was black initially, until I clicked the screen in a few places,
> which caused it to refresh, then everything worked fine.
>
> (*) Mac OS X 10.6.8's
> /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/MacOS/AppleVNCServer

Repro'd and fixed. The Java viewer was sending an incremental framebuffer request on initial connection instead of a full framebuffer request.

> One thing my users have requested is the ability to set the server-side
> display geometry from the client-side GUI, which I accomplish by using a
> Python SSH module to run a "sed" command on the (Linux) server to ensure
> that the desired geometry settings are set in ~/.vnc/turbovncserver.conf.

I have secured funding to proceed with the desktop resize feature, so that will hopefully address this limitation.

> Another thing my wxPython GUI does is allow a choice of SSH ciphers for
> the tunnel (e.g. 3des, blowfish, arcfour), because they can affect
> performance.

It should be possible to do this by exposing a new command line or GUI option that sets the JSch config to use the chosen cipher.

> 2. The "built-in SSH tunnelling support".
>
> I assume that despite the "built-in" description, you are still calling
> an external SSH binary, rather than an SSH API?

No, the Java viewer is fully-encapsulated. It uses JSch, a pure Java implementation of an SSH2 client. No external SSH binaries required.

> I notice that you
> include "putty.exe" with the Windows distribution of TurboVNC. I prefer
> the Cygwin OpenSSH, e.g. this build:
> http://sshwindows.webheat.co.uk/display/sshwindows/OpenSSH+for+Windows for
> the following reasons:
> - Neither PuTTY.exe, nor its command-line alternative PLink.exe
> understands OpenSSH keys, e.g. a key pair generated on the (Linux)
> server side, using ssh-keygen
> - Although PuTTYgen.exe is capable of importing OpenSSH keys, it doesn't
> have a command-line interface (or API), only a GUI, so it is not scriptable.

If you prefer to use that version of SSH with the TurboVNC native client, then godspeed. :) I include PuTTY with the native Windows viewer primarily so I can provide a documented process for using SSH tunneling that doesn't require installing any other software.
The issue with SSHWindows is that it can't co-exist peacefully with Cygwin, which is a large reason why I don't use it myself. In the long term, it would be nice to have the Windows native viewer integrate with libssh so that I can provide a similar sort of -via feature as the Java viewer provides, and that would eliminate the need to distribute PuTTY. Personally, I don't see a reason to do the same thing with the Unix viewer, since it is only ever used on platforms for which an SSH binary is readily available.

> My wxPython GUI currently requires a username (saved in local settings
> for re-use next time the application launches), and a password, even if
> the user has set up an SSH key pair with an empty passphrase (to avoid
> having to enter a password for SSH login). As far as I know, I can't
> use an SSH private key to bypass TurboVNC 1.1's Unix/PAM authentication.

SSH authentication and TurboVNC authentication are two separate levels of security. You authenticate through SSH to set up the secure tunnel, but then you authenticate with the VNC server in order to establish your permission to connect to it. Imagine that you were connecting to the same VNC server using a local connection (if you were logged into the server machine.) Then you'd still authenticate with the VNC server, but you'd no longer be using SSH.

Unless I miss my guess, what you're proposing is possible, but it would require a new authentication extension that either:

(a) passes the SSH key over the wire from client to server using an as-yet-unspecified extension to the RFB protocol. Then the server could use the same PAM modules that SSHD uses. I don't relish the thought of getting such an RFB extension approved.

or

(b) somehow communicates the credentials from the SSH server to the TurboVNC server. Don't know if this is possible, and I'm pretty sure that if it was, it would represent a security hole.

> (I know it is possible to use the "passwd" option if using standard
> VNC authentication, but our server only allows Unix/PAM authentication).
> It is not clear to me from the command-line help for the Java VNC
> Viewer (java -jar VncViewer.jar -?) whether it will be possible to use
> an SSH key-pair instead of entering a password for TurboVNC servers
> requiring Unix/PAM authentication. If it is possible, it would be nice
> to see a simple list of steps somewhere in the documentation, e.g. 1.
> Run ssh-keygen on the server, 2. Download the private key and delete it
> from the server, etc. etc.

Yes, the use of SSH key pairs is theoretically in the code, but it isn't working yet, or at least, I haven't managed to make it work. This is where we need additional funding, which would go toward fixing this and could also cover the afore-mentioned cipher selection option and, optionally, GUI integration with all of the above (I envision SSH being selectable as a separate option on the "Security" tab, with an additional field for the "via" host or a check-box to use the VNC host (equivalent of -tunnel.)

> On 05/08/2012, at 10:41 AM, DRC wrote:
>
>> http://www.virtualgl.org/DeveloperInfo/PreReleases
>
> …
>
>> Major new changes:
> …
>
>> -- All-new Java viewer code base, which contains most if not all of the
>> existing TurboVNC features, as well as:
> …
>
>> * Built-in SSH tunneling support (currently has to be used from the
>> command line. Looking for funding to expand this into the GUI and add
>> SSH key, i.e. password-less login, support)
> ...
>> * Packaged as a stand-alone app on Mac (fully self-contained, with
>> the Java code as well as the libjpeg-turbo JNI code included in the
>> app), so the app can be used as a user-friendly alternative to the X11
>> TurboVNC Viewer.

_______________________________________________
VirtualGL-Devel mailing list
VirtualGL-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/virtualgl-devel
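
The fix described in the reply above (a full rather than an incremental framebuffer request on initial connection), sketched here as an added example that is not part of the original message or of TurboVNC's code. The `UpdateRequester` class, the helper names and the 1024x768 sample traffic are assumptions made for illustration.

```python
import struct

FRAMEBUFFER_UPDATE_REQUEST = 3  # RFB client-to-server message type


def build_update_request(incremental, x, y, width, height):
    """Encode the 10-byte request: type, incremental flag, x, y, w, h."""
    return struct.pack(">BBHHHH", FRAMEBUFFER_UPDATE_REQUEST,
                       1 if incremental else 0, x, y, width, height)


def parse_update_request(data):
    """Decode a request, rejecting wrong lengths and message types."""
    if len(data) != 10:
        raise ValueError("FramebufferUpdateRequest must be 10 bytes")
    msg_type, inc, x, y, w, h = struct.unpack(">BBHHHH", data)
    if msg_type != FRAMEBUFFER_UPDATE_REQUEST:
        raise ValueError("not a FramebufferUpdateRequest")
    return {"incremental": inc != 0, "x": x, "y": y, "width": w, "height": h}


class UpdateRequester:
    """Hypothetical viewer-side helper (name is an assumption)."""

    def __init__(self, fb_width, fb_height):
        self.fb_width, self.fb_height = fb_width, fb_height
        self.have_full_frame = False  # no pixels received yet

    def next_request(self):
        # Incremental asks only for changes, so it is safe only after
        # the viewer already holds a complete copy of the framebuffer.
        return build_update_request(self.have_full_frame, 0, 0,
                                    self.fb_width, self.fb_height)

    def on_update_received(self):
        self.have_full_frame = True


def first_request_is_full(client_messages):
    """Regression check: the first request on a connection is non-incremental."""
    return not parse_update_request(client_messages[0])["incremental"]


# Constructed sample traffic for a 1024x768 desktop (not a real capture).
BUGGY_SESSION = [build_update_request(True, 0, 0, 1024, 768)]
viewer = UpdateRequester(1024, 768)
FIXED_SESSION = [viewer.next_request()]
viewer.on_update_received()
FIXED_SESSION.append(viewer.next_request())
```
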