This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 969542 - empty vnc_password does not disable VNC but actually allow anyone
empty vnc_password does not disable VNC but actually allow anyone
Status: CLOSED DUPLICATE of bug 1180092
Product: Virtualization Tools
Classification: Community
Component: libvirt (Show other bugs)
unspecified
All All
unspecified Severity high
: ---
: ---
Assigned To: Libvirt Maintainers
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-05-31 14:29 EDT by Christoph Anton Mitterer
Modified: 2016-04-14 17:26 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-04-14 17:26:12 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Christoph Anton Mitterer 2013-05-31 14:29:53 EDT
qemu.conf claims:

# The default VNC password. Only 8 letters are significant for
# VNC passwords. This parameter is only used if the per-domain
# XML config does not already provide a password. To allow
# access without passwords, leave this commented out.

# An empty
# string will still enable passwords, but be rejected by QEMU,
# effectively preventing any use of VNC.
=> This seems to be wrong, and empty string "" leads to an empty password being accepted.

For spice_password it works however as described.


# Obviously change this
# example here before you set this.


As long as VNC/SPICE cannot be used via UNIX sockets, you should really allow disabling either of both completely for security reasons.


Cheers,
Chris.
Comment 1 Cole Robinson 2016-04-14 17:26:12 EDT

*** This bug has been marked as a duplicate of bug 1180092 ***

Note You need to log in before you can comment on or make changes to this bug.