Bug 969542

Summary: empty vnc_password does not disable VNC but actually allows anyone
Product: [Community] Virtualization Tools
Reporter: Christoph Anton Mitterer <calestyo>
Component: libvirt
Assignee: Libvirt Maintainers <libvirt-maint>
Status: CLOSED DUPLICATE
Severity: high
Priority: unspecified
Version: unspecified
CC: crobinso, rbalakri
Hardware: All   
OS: All   
Doc Type: Bug Fix
Last Closed: 2016-04-14 21:26:12 UTC
Type: Bug

Description Christoph Anton Mitterer 2013-05-31 18:29:53 UTC
qemu.conf claims:

# The default VNC password. Only 8 letters are significant for
# VNC passwords. This parameter is only used if the per-domain
# XML config does not already provide a password. To allow
# access without passwords, leave this commented out.

# An empty
# string will still enable passwords, but be rejected by QEMU,
# effectively preventing any use of VNC.
=> This seems to be wrong, and an empty string "" leads to an empty password being accepted.

For spice_password it works however as described.


# Obviously change this
# example here before you set this.


As long as VNC/SPICE cannot be used via UNIX sockets, you should really allow disabling either or both completely for security reasons.


Cheers,
Chris.
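
A configuration check for the behaviour reported above, as an added example that is not part of the original report or of libvirt's code. It scans qemu.conf text for active vnc_password / spice_password lines and labels each one according to what the report describes; the finding labels, the sample file and the "last assignment wins" rule are assumptions of this example.

```python
import re

# Active (uncommented) assignment, e.g.  vnc_password = "XYZ12345"
ASSIGN = re.compile(
    r'^\s*(vnc_password|spice_password)\s*=\s*"([^"]*)"\s*(?:#.*)?$'
)


def classify(key, value):
    """Map one setting to a finding label (labels are this example's own)."""
    if value is None:
        return "UNSET"  # commented out: no default password at all
    if value == "":
        # Per the report: an empty VNC password is accepted by the server,
        # while an empty SPICE password behaves as qemu.conf documents.
        if key == "vnc_password":
            return "EMPTY_ACCEPTED"
        return "EMPTY_BLOCKS_ACCESS"
    if key == "vnc_password" and len(value) > 8:
        return "SET_TRUNCATED"  # qemu.conf: only 8 letters are significant
    return "SET"


def audit_qemu_conf(text):
    """Return {setting: finding} for the default graphics passwords."""
    values = {"vnc_password": None, "spice_password": None}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if m:
            values[m.group(1)] = m.group(2)  # assumption: last assignment wins
    return {key: classify(key, value) for key, value in values.items()}


# Constructed sample input, not taken from a real host.
SAMPLE = '''\
# To allow access without passwords, leave this commented out.
#vnc_password = "XYZ12345"
vnc_password = ""
spice_password = ""
'''

if __name__ == "__main__":
    for key, finding in audit_qemu_conf(SAMPLE).items():
        print(f"{key}: {finding}")
```

The per-domain XML can also provide a password, which this check does not read.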

Comment 1 Cole Robinson 2016-04-14 21:26:12 UTC

*** This bug has been marked as a duplicate of bug 1180092 ***