Re: [Qemu-devel] Possible security enhancement for QEMU

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] Possible security enhancement for QEMU

From:	Peter Maydell
Subject:	Re: [Qemu-devel] Possible security enhancement for QEMU
Date:	Mon, 29 Dec 2014 21:26:45 +0000

On 29 December 2014 at 19:09, Attila-Mihaly Balazs <address@hidden> wrote:
> My suggestion for improvement would be:
> - change the behaviour of "-vnc :port" such that it listens on "127.0.0.1"
> when the IP isn't specified
> - if host is "0.0.0.0" (perhaps also include any routable IPv4 addresses -
> and non-link-local IPv6 addresses) and no authentication method is specified
> error out with a message like "It is recommended that you DO NOT expose the
> VNC server directly to the public internet. If you are sure of what you are
> doing, please specify an authentication method for the VNC server. See the
> documentation for more details"

Seems reasonable to me. Some questions:
 * do we need an option for "yes, I know what I'm doing and do not
   want any authentication" ?
 * how many of these VMs are configured for wide-open VNC by libvirt or
   similar management tool rather than by the user directly running QEMU?

thanks
-- PMM

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] Possible security enhancement for QEMU, Attila-Mihaly Balazs, 2014/12/29
- Re: [Qemu-devel] Possible security enhancement for QEMU, Peter Maydell <=

Prev by Date: [Qemu-devel] Possible security enhancement for QEMU
Next by Date: Re: [Qemu-devel] [Qemu-trivial] [PATCH 1/1] Do not hang on full PTY
Previous by thread: [Qemu-devel] Possible security enhancement for QEMU
Next by thread: [Qemu-devel] [PATCH] Fixes fullscreen aspect ratio and leaving fullscreen mode problem on Mac OS X
Index(es):
- Date
- Thread