Bug 165334

Summary: VNC -localhost should be default

Product: Fedora
Component: vnc
Version: 4
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Keywords: Security
Reporter: Jonathan S. Shapiro <shap>
Assignee: Tim Waugh <twaugh>
QA Contact: David Lawrence <dkl>
CC: markmc
Fixed In Version: 4.1.1-16
Doc Type: Bug Fix
Last Closed: 2005-08-11 11:30:31 UTC
Bug Blocks: 150221

Description Jonathan S. Shapiro 2005-08-08 03:26:51 UTC
In the absence of a firewall, the default VNC execution mode is insecure. It
encourages transmission of passwords in the clear over the local net. Therefore,
the -localhost option should be the default.

In the presence of a firewall, either the customer punches an insecure hole for
VNC leading to disclosed passwords, or they use ssh tunneling, in which case
having the -localhost default suffices.

In either case, -localhost should be the default mode of operation.

On another note, would RedHat integrate an OpenSSL/StartTLS patch if I could dig
one up?

Comment 1 Tim Waugh 2005-08-08 10:08:06 UTC
I tend to agree, although it seems to be hard enough already for people to get
VNC working what with one thing and another.  I certainly think it should be
mentioned in the example in /etc/sysconfig/vncservers.

Not sure about OpenSSL -- if you file the patch in a separate bug report I'll
take a look.

It would be great if vino could support secure connections out of the box: I
think that's probably what most new users use first.

Comment 2 Jonathan S. Shapiro 2005-08-11 15:10:31 UTC
Pardon a silly question, but just in case...

I do not *recall* any command line option to vncserver that would be equivalent
to -remotehost. If -localhost becomes the default, then we may need to add a new
option to allow remote connections to be enabled.

And if we do *that*, we need a global configuration file option to prohibit its use.

No urgency, and I think this can wait to see if there is pushback, but I wanted
to have it in the record...

Comment 3 Tim Waugh 2005-08-11 15:14:19 UTC
As I hinted in comment #1 (but perhaps did not make explicit), we will add the
'-localhost' option to the example in the sysconfig file, but the default
behaviour of Xvnc will be unchanged.

Comment 4 Jonathan S. Shapiro 2005-08-11 15:16:58 UTC
I understand why this is the right fix from your perspective, but can you tell
me if there is a way to push the RFE upstream? Does RealVNC have a method for
accepting bug requests?

Comment 5 Tim Waugh 2005-08-11 15:29:46 UTC
The best thing to do is send email to the vnc-list mailing list I think.
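An added example, not code from this bug report or the Fedora vnc package: a POSIX shell script that (a) rewrites VNCSERVERARGS[N] lines in an /etc/sysconfig/vncservers-style file so each display carries '-localhost', as comments 1 and 3 propose for the example in that file, and (b) flags VNC display sockets (TCP 5900+N) that listen on a non-loopback address, which is what Xvnc does without '-localhost'. The VNCSERVERARGS[N] convention is assumed, and both the sysconfig snippet and the socket listing are constructed samples, not captures.

```shell
#!/bin/sh
# Constructed sample of an /etc/sysconfig/vncservers file (VNCSERVERARGS[N] convention assumed).
SAMPLE_SYSCONFIG='VNCSERVERS="1:alice 2:bob"
VNCSERVERARGS[1]="-geometry 800x600"
VNCSERVERARGS[2]="-geometry 1024x768 -localhost"'

# Constructed sample of ss/netstat-style listener output (not a real capture).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      5      0.0.0.0:5901        0.0.0.0:*
LISTEN 0      5      127.0.0.1:5902      0.0.0.0:*
LISTEN 0      5      [::1]:5903          [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

# Rewrite VNCSERVERARGS[N]="..." lines on stdin so every display gets -localhost;
# lines that already carry it, and all other lines, pass through unchanged.
add_localhost_arg() {
    awk '/^VNCSERVERARGS\[[0-9]+\]=/ && !/-localhost/ {
             sub(/="/, "=\"-localhost ")   # prepend the option inside the quotes
             sub(/ "$/, "\"")              # tidy an originally empty argument list
         }
         { print }'
}

# Report VNC display sockets (TCP 5900..5999) that accept connections from
# any address other than loopback. One line per exposed socket:
# "<local addr>:<port> display :<N>"
exposed_vnc_listeners() {
    awk '$1 == "LISTEN" {
             n = split($4, parts, ":"); port = parts[n] + 0
             addr = substr($4, 1, length($4) - length(parts[n]) - 1)
             if (port < 5900 || port > 5999) next              # not a VNC display port
             if (addr == "127.0.0.1" || addr == "[::1]") next  # loopback only: fine
             printf "%s display :%d\n", $4, port - 5900
         }'
}

printf '%s\n' "$SAMPLE_SYSCONFIG" | add_localhost_arg
printf '%s\n' "$SAMPLE_SS" | exposed_vnc_listeners
```

To audit a live host, feed real `ss -ltn` or `netstat -ltn` output to exposed_vnc_listeners instead of the sample.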