Re: [Qemu-devel] [PATCH] Make password based authentication the default for VNC
Tue, 7 Jun 2016 20:46:56 +0300
On Tue, Jun 7, 2016 at 12:24 PM, Daniel P. Berrange <address@hidden> wrote:
> On Tue, Jun 07, 2016 at 12:13:06PM +0300, Attila-Mihaly Balazs wrote:
>> To improve the security of the embedded VNC server make password
>> based authentication the default when no authentication mechanism
>> is specified.
> VNC password authentication offers no meaningful level of security,
> so this is really just going to change long standing default behaviour
> of QEMU VNC configuration without any real world benefit IMHO.
While VNC password auth is quite limited (literally - to 8 characters
:-)) it's still much better than just having an open VNC server. For
example considering uppercase + lowercase + numbers (not even symbols)
we would get a ~48 bit key which should hold up casual bruteforcers.
> Anyone who actually wants credible real world security should be using
> the TLS and/or SASL options to VNC, never the awful legacy passwd based
Agreed. The target of this patch is however not people who know that
they want security, but rather people who don't know it :-). I.e.
people who just run things with their default settings and stop as
soon as it seems to work, without consideration for security.
> |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org -o- http://virt-manager.org :|
> |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|