Bug 969542 - empty vnc_password does not disable VNC but actually allow anyone
Keywords:
Status: CLOSED DUPLICATE of bug 1180092
Alias: None
Product: Virtualization Tools
Classification: Community
Component: libvirt
Version: unspecified
Hardware: All
OS: All
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Libvirt Maintainers
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-05-31 18:29 UTC by Christoph Anton Mitterer
Modified: 2016-04-14 21:26 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-04-14 21:26:12 UTC
Embargoed:



Links
System: Red Hat Bugzilla
ID: 1180092
Private: 0
Priority: medium
Status: CLOSED
Summary: When set/update graphics password to empty, log in guest with spice and vnc show different behaviour
Last Updated: 2021-02-22 00:41:40 UTC

Internal Links: 1180092

Description Christoph Anton Mitterer 2013-05-31 18:29:53 UTC
qemu.conf claims:

# The default VNC password. Only 8 letters are significant for
# VNC passwords. This parameter is only used if the per-domain
# XML config does not already provide a password. To allow
# access without passwords, leave this commented out.

# An empty
# string will still enable passwords, but be rejected by QEMU,
# effectively preventing any use of VNC.
=> This seems to be wrong, and empty string "" leads to an empty password being accepted.

For spice_password it works however as described.


# Obviously change this
# example here before you set this.


As long as VNC/SPICE cannot be used via UNIX sockets, you should really allow disabling either of both completely for security reasons.


Cheers,
Chris.
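
An added example, not part of the original report and not libvirt's own code: a small audit of qemu.conf text that flags the settings discussed above, treating an empty vnc_password as accepted and an empty spice_password as rejected, as the reporter describes. The function names, finding codes and sample config are constructed for illustration.

```python
import re

# Constructed sample qemu.conf fragment (illustrative, not from a real host).
SAMPLE_CONF = '''\
#vnc_listen = "0.0.0.0"
vnc_password = ""
spice_password = ""
'''

# Active `key = "value"` lines only; a leading '#' means the key is unset.
_SETTING = re.compile(r'^\s*(vnc_password|spice_password)\s*=\s*"([^"]*)"')

def active_passwords(conf_text):
    """Return {key: value} for uncommented password settings (last occurrence kept)."""
    found = {}
    for line in conf_text.splitlines():
        m = _SETTING.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def classify(key, value):
    """Map one setting to a finding code, following the behaviour in this report."""
    if value is None:
        # Commented out: no default password unless the domain XML sets one.
        return "NO_DEFAULT_PASSWORD"
    if value == "":
        # Reported behaviour: VNC accepts the empty password, SPICE rejects it.
        return "EMPTY_ACCEPTED" if key == "vnc_password" else "EMPTY_REJECTED"
    if key == "vnc_password" and len(value) > 8:
        # Per the quoted qemu.conf comment, only 8 letters are significant for VNC.
        return "TRUNCATED_TO_8"
    return "OK"

def audit(conf_text):
    """Return [(key, finding)] for both graphics password settings."""
    active = active_passwords(conf_text)
    return [(k, classify(k, active.get(k)))
            for k in ("vnc_password", "spice_password")]

if __name__ == "__main__":
    for key, finding in audit(SAMPLE_CONF):
        print(f"{key}: {finding}")
```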

Comment 1 Cole Robinson 2016-04-14 21:26:12 UTC

*** This bug has been marked as a duplicate of bug 1180092 ***

