Dear everyone, I've managed to move a little further and am kind of satisfied with the limited success. This is my current set of options for the VNC-only video output, protected by a simple password (not even a login):

    -vga std -object secret,id=secvnc1,file=/etc/qemu/my-vnc-passwd.txt -vnc :1,password-secret=secvnc1

Good enough for an internal LAN, I guess.

The minimal password protection can actually be achieved this way:

    -vga std -vnc :1,password=on -monitor stdio

...but you need to define the password at the standard input of the qemu-system-* binary, after its startup! This is where you have asked the monitor commandline to live, and the command is:

    change vnc password

Good enough for basic testing, but not plausible for production operation.

Both these examples result in the QEMU VNC server proposing an auth mechanism called simply "VNC", i.e. just a single password. Which is supported by all the three VNC clients that I've tried: UltraVNC, TightVNC and TigerVNC. The mechanism does not transport the password in clear text, it uses a simple challenge-handshake exchange. Only a random challenge and an encrypted response are sent over the network.

It took me a bit of investigation to figure out. I did recompile with TLS support, but that alone did not help. Then I took a look inside ui/vnc.c, where I found some interesting options such as "sasl-authz" and "password-secret". I tried googling those, and found the following links:

https://qemu-project.gitlab.io/qemu/system/vnc-security.html
https://www.qemu.org/docs/master/system/secrets.html#passing-secrets-as-clear-text-via-a-file
https://www.qemu.org/docs/master/system/authz.html

It still took some trial and error, giving me a couple helpful hints about the mapping of an "-object" to the "-vnc" via password-secret.

I probably should've tried the TLS route long ago... :-)

Frank
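
An added example, not part of the original post and not QEMU project code: a POSIX shell sketch that writes and sanity-checks the file behind `password-secret` before the options above are used. The function names and the checks chosen are assumptions of this example; the option string is the one from the post.

```sh
#!/bin/sh
# Added example (hypothetical helper names): prepare and check the file used by
#   -object secret,id=secvnc1,file=... -vnc :1,password-secret=secvnc1

# write_vnc_secret FILE PASSWORD: create FILE owner-only, with no trailing newline.
write_vnc_secret() {
    ( umask 077 && printf '%s' "$2" > "$1" ) && chmod 600 -- "$1"
}

# check_vnc_secret FILE: print one finding per problem; return 0 only if clean.
check_vnc_secret() {
    f=$1; rc=0
    [ -f "$f" ] || { echo "missing: $f"; return 2; }
    # Characters 5-10 of the ls mode string are the group/other permission bits.
    if [ "$(ls -ld -- "$f" | cut -c5-10)" != "------" ]; then
        echo "group/other can access $f"; rc=1
    fi
    len=$(wc -c < "$f" | tr -d ' ')
    if [ "$len" -eq 0 ]; then
        echo "empty password"; rc=1
    fi
    # Assumption: QEMU takes the file bytes verbatim, so a newline left by an
    # editor or by `echo` becomes part of the password.
    if [ "$(tail -c 1 -- "$f" | od -An -tx1 | tr -d ' \n')" = "0a" ]; then
        echo "trailing newline in secret"; rc=1
    fi
    # The single-password "VNC" mechanism uses only the first 8 bytes.
    if [ "$len" -gt 8 ]; then
        echo "only the first 8 bytes are significant for VNC auth"; rc=1
    fi
    return "$rc"
}

# vnc_args FILE [DISPLAY]: emit the option string only when the file is clean.
vnc_args() {
    check_vnc_secret "$1" >&2 || return 1
    printf '%s' "-vga std -object secret,id=secvnc1,file=$1 -vnc :${2:-1},password-secret=secvnc1"
}
```

Typical use would be `qemu-system-x86_64 $(vnc_args /etc/qemu/my-vnc-passwd.txt) ...`, which refuses to start the guest when the secret file is readable by others or malformed.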