Red Hat Bugzilla – Bug 969542
empty vnc_password does not disable VNC but actually allow anyone
Last modified: 2016-04-14 17:26:12 EDT
# The default VNC password. Only 8 letters are significant for
# VNC passwords. This parameter is only used if the per-domain
# XML config does not already provide a password. To allow
# access without passwords, leave this commented out.
# An empty
# string will still enable passwords, but be rejected by QEMU,
# effectively preventing any use of VNC.
=> This seems to be wrong, and empty string "" leads to an empty password being accepted.
For spice_password it works however as described.
# Obviously change this
# example here before you set this.
As long as VNC/SPICE cannot be used via UNIX sockets, you should really allow disabling either of both completely for security reasons.
*** This bug has been marked as a duplicate of bug 1180092 ***