This is a discussion on How secure is VNC? within the Linux Networking forums, part of the Linux Forums category.

Firstly, I'm aware that you can run VNC through an SSH tunnel.
I'm running a vncserver session on "myserver", as listed below. I then connect to this server from a client using the following command, which indicates where the password file is located:

    vncviewer -passwd /home/fred/.vnc/passwd myserver.mydomain.com:0

What's to prevent someone else on the network from creating a "fred" account on their computer, then using the same command (Including the password file) to access the VNC server?

THIS RUNNING ON VNC SERVER-----------------------

    myserver:/home/fred> ps -ef|grep vnc
    fred 818 1 0 08:58 ? 00:00:02 Xvnc :0 -desktop myserver.mydomain.com:0 (fred) -httpd /usr/share/vnc/classes -auth /home/fred/.Xauthority -geometry 1024x768 -depth 16 -rfbwait 30000 -rfbauth /home/fred/.vnc/passwd -rfbport 5900 -pn

"somebody" <some@body.com> wrote in message
news:pan.2004.02.15.14.32.33.988070@body.com...
> Firstly, I'm aware that you can run VNC through an SSH tunnel.
> I'm running a vncserver session on "myserver", as listed
> below. I then connect to this server from a client using
> the following command, which indicates where the password
> file is located:
>
> vncviewer -passwd /home/fred/.vnc/passwd myserver.mydomain.com:0
>
> What's to prevent someone else on the network from creating
> a "fred" account on their computer,

Why would they need a fred account?

> then using the same
> command (Including the password file) to access the VNC server?

If just anyone can access your /home/fred/.vnc/passwd file you have A LOT more to worry about than how secure VNC is.

That said, there is a reason that running VNC over an SSH tunnel is suggested...

--
William Hooper

I'm out of my mind, but feel free to leave a message ...

On Sun, 15 Feb 2004 17:17:07 GMT, William Hooper wrote:
> there is a reason that running VNC over an SSH tunnel is
> suggested...

My understanding is that passwords are never sent over the network in the clear using VNC, so unless the material actually displayed is confidential, there is no need for ssh tunneling.

Bob T.

On 2004-02-15, somebody <some@body.com> wrote:
> Firstly, I'm aware that you can run VNC through an SSH tunnel.
> I'm running a vncserver session on "myserver", as listed
> below. I then connect to this server from a client using
> the following command, which indicates where the password
> file is located:
>
> vncviewer -passwd /home/fred/.vnc/passwd myserver.mydomain.com:0
>
> What's to prevent someone else on the network from creating
> a "fred" account on their computer, then using the same
> command (Including the password file) to access the VNC server?

Because when you tunnel through ssh, both ends are authenticated using a cryptographic key. It is very difficult to forge such a key.

--
-John (JohnThompson@new.rr.com)

"Bob Tennent" <BobT@cs.queensu.ca> wrote in message
news:slrnc2vb3o.fqd.BobT@linus.cs.queensu.ca...
> On Sun, 15 Feb 2004 17:17:07 GMT, William Hooper wrote:
>
> > there is a reason that running VNC over an SSH tunnel is
> > suggested...
>
> My understanding is that passwords are never sent over the network
> in the clear using VNC,

The VNC password isn't sent in clear (not that it is very encrypted, either). Every password after that is not protected.

> so unless the material actually displayed is
> confidential, there is no need for ssh tunneling.

What about any passwords you type during that VNC session?

"is suggested" means it is suggested. If you don't want to do it, that's OK, just don't complain about your info not being protected.

--
William Hooper

Access denied ... nah nah na nah nah !

On Sun, 15 Feb 2004 17:17:07 +0000, William Hooper wrote:
> "somebody" <some@body.com> wrote in message
> news:pan.2004.02.15.14.32.33.988070@body.com...
>> [quoted text muted]
>
> Why would they need a fred account?
>
>> [quoted text muted]
>
> If just anyone can access your /home/fred/.vnc/passwd file you have A LOT
> more to worry about than how secure VNC is.

My point is, the VNC server reads the password from the /home/fred/.vnc/passwd file. What's to stop someone else from connecting using vncviewer, since they would not be prompted for a password?

-Thanks

On Sun, 15 Feb 2004 17:29:28 +0000, Bob Tennent wrote:
> On Sun, 15 Feb 2004 17:17:07 GMT, William Hooper wrote:
>
> > there is a reason that running VNC over an SSH tunnel is
> > suggested...
>
> My understanding is that passwords are never sent over the network
> in the clear using VNC, so unless the material actually displayed is
> confidential, there is no need for ssh tunneling.
>
> Bob T.

My point is, the VNC server reads the password from the /home/fred/.vnc/passwd file. What's to stop someone else from connecting using vncviewer, since they would not be prompted for a password?

-Thanks

On Sun, 15 Feb 2004 19:17:01 +0000, William Hooper wrote:
> "Bob Tennent" <BobT@cs.queensu.ca> wrote in message
> news:slrnc2vb3o.fqd.BobT@linus.cs.queensu.ca...
>> [quoted text muted]
>
> The VNC password isn't sent in clear (not that it is very encrypted,
> either). Every password after that is not protected.
>

My point is, the VNC server reads the password from the /home/fred/.vnc/passwd file. What's to stop someone else from connecting using vncviewer, since they would not be prompted for a password?

-Thanks

somebody wrote:
> My point is, the VNC server reads the password from the
> /home/fred/.vnc/passwd file.  What's to stop someone else
> from connecting using vncviewer, since they would not
> be prompted for a password?

1) You are repeating yourself.
2) Why would other users NOT be prompted for a password? They only will not be prompted, if your passwd-file is world readable, which it shouldn't!

Arne

--
[--- PGP key FD05BED7 --- http://www.root42.de/ ---]

"somebody" <some@body.com> wrote in message
news:pan.2004.02.15.19.44.29.177305@body.com...
> > If just anyone can access your /home/fred/.vnc/passwd file you have A LOT
> > more to worry about than how secure VNC is.
>
> My point is, the VNC server reads the password from the
> /home/fred/.vnc/passwd file. What's to stop someone else
> from connecting using vncviewer, since they would not
> be prompted for a password?

I still don't see your point. If they can read your /home/fred/.vnc/passwd file you have bigger issues. It's not like you can just create an empty file named /home/fred/.vnc/passwd and it will magically work.

--
William Hooper

Finally, a good use for Clippy! "I see you're trying to email a program to every member of your Outlook Address book. DON'T DO THAT YOU FUCKING MORON!"
-- Seen on Slashdot.org
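
The two things the replies turn on, who can read the -rfbauth file and whether the server can be reached without the SSH tunnel, can be checked from the server side. The script below is an added example, not part of the original thread; its function names are hypothetical, and it assumes an Xvnc build that supports the `-localhost` option.

```sh
#!/bin/sh
# Added example, not from the thread: audit an Xvnc command line like the one
# in the first post. Function names are hypothetical.

# Print the word that follows option $1 in command line $2 (nothing if absent).
xvnc_opt() (
    set -f                      # split on whitespace without globbing
    prev=""
    for word in $2; do
        if [ "$prev" = "$1" ]; then printf '%s\n' "$word"; return 0; fi
        prev=$word
    done
    return 0
)

# Succeed if the bare flag $1 appears in command line $2.
xvnc_has_flag() (
    set -f
    for word in $2; do
        if [ "$word" = "$1" ]; then return 0; fi
    done
    return 1
)

# Octal permission bits: GNU stat first, BSD stat as fallback.
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Print one finding per line. $2 optionally overrides the -rfbauth path.
audit_xvnc() {
    auth=${2:-$(xvnc_opt -rfbauth "$1")}
    port=$(xvnc_opt -rfbport "$1")
    if [ -z "$auth" ]; then
        echo "NOAUTH: no -rfbauth password file configured"
    elif [ -e "$auth" ]; then
        mode=$(file_mode "$auth")
        # Any group/other bit lets another local user copy the file.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "PERMS: $auth is mode $mode, expected 600"
        fi
    fi
    xvnc_has_flag -localhost "$1" ||
        echo "EXPOSED: port ${port:-5900} listens on all interfaces (no -localhost)"
}

# Command line copied from the ps output in the first post.
SAMPLE_CMD='Xvnc :0 -desktop myserver.mydomain.com:0 (fred) -httpd /usr/share/vnc/classes -auth /home/fred/.Xauthority -geometry 1024x768 -depth 16 -rfbwait 30000 -rfbauth /home/fred/.vnc/passwd -rfbport 5900 -pn'
audit_xvnc "$SAMPLE_CMD"
```

Once the server runs with `-localhost`, the viewer connects through a forward such as `ssh -L 5901:localhost:5900 fred@myserver.mydomain.com` and is pointed at `localhost:1`.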