>> Thanks for posting to the list.  Question:  Until we can implement vnc
>> tunnelling via ssh for our user base (we just started using winvnc here)
>> will using the AuthHost registry hack, as we currently do,
>> (example: "-:+www.xxx.yyy") prevent 'M' from being able to 'wait for a
>> connection from a legit client'?  TIA.
>
>Not really (IP addresses can easily be spoofed).

How about a combination of timeout and logging?  This would require M to
continuously reconnect if it were to wait for a legit C, and the logs would
detect the presence of the intruder (if not its identity).  If IP
addresses are easy to spoof, how easy is it to spoof them continuously?
OTOH, if M initiates its connection only when it detects a connection from
C, and is capable of blocking C's messages from ever reaching S, the logs
would show nothing and the timeout would have no effect.  Then again, if M
has the ability to intercept AND modify C's TCP stream (what is it, a
router?), it could presumably cause the connection to "come from" C in the
first place, assuming static routes.

Also note that a system capable of 'sniffing' for VNC connections but not
modifying them can still pick up the challenge/response pair and "crack"
them like /etc/passwd.  Note that personal computers capable of cracking
RC5 keys at a rate of 10 million keys per second are now widely available
(SMP PowerMac G4, anyone?) - I don't know how DES compares with this, but
the cracking speeds are probably faster.  The only true defences against
this attack are SSH (as for the above problem) and support for longer
passwords (which is overdue).

As for the randomosity argument, this may be fixable on UNIX systems but
not on conventional desktop systems (Mac, Windows).  Any ideas on how to
deal with the problem on systems without any true entropy gathering?  If
there is a sensible way, I propose it should be incorporated into the RFB
protocol spec in the very near future, as part of an authentication update
including long password support as well.

--------------------------------------------------------------
from:     Jonathan "Chromatix" Morton
mail:     [EMAIL PROTECTED]  (not for attachments)
big-mail: [EMAIL PROTECTED]
uni-mail: [EMAIL PROTECTED]

The key to knowledge is not to rely on people to teach you it.

Get VNC Server for Macintosh from http://www.chromatix.uklinux.net/vnc/

-----BEGIN GEEK CODE BLOCK-----
Version 3.12
GCS$/E/S dpu(!) s:- a20 C+++ UL++ P L+++ E W+ N- o? K? w--- O-- M++$ V? PS
PE- Y+ PGP++ t- 5- X- R !tv b++ DI+++ D G e+ h+ r- y+
-----END GEEK CODE BLOCK-----
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to [EMAIL PROTECTED]
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------
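As an added illustration of the timeout-plus-logging idea in the message above (this is example code, not part of the original post and not WinVNC's own logging): a Python scan over constructed server log lines that flags any source which keeps reopening connections that the idle timeout drops before authentication. The log format, hosts and timestamps are invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample server log (invented format, not real WinVNC output).
# Each connection either authenticates or is dropped by the idle timeout.
SAMPLE_LOG = """\
2001-03-14 09:00:01 connection from 10.0.0.5
2001-03-14 09:00:02 10.0.0.5 authenticated
2001-03-14 09:05:00 connection from 192.168.7.9
2001-03-14 09:05:30 192.168.7.9 timed out before authentication
2001-03-14 09:05:31 connection from 192.168.7.9
2001-03-14 09:06:01 192.168.7.9 timed out before authentication
2001-03-14 09:06:02 connection from 192.168.7.9
2001-03-14 09:06:32 192.168.7.9 timed out before authentication
2001-03-14 09:30:00 connection from 10.0.0.7
2001-03-14 09:30:30 10.0.0.7 timed out before authentication
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?:connection from (?P<conn>\S+)"
    r"|(?P<src>\S+) (?P<event>authenticated|timed out before authentication))$"
)

def parse_timeouts(log_text):
    """Return {source: [timestamps]} for connections the idle timeout dropped."""
    timeouts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("event") != "timed out before authentication":
            continue
        stamp = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        timeouts[m.group("src")].append(stamp)
    return timeouts

def find_persistent_waiters(log_text, threshold=3, window=timedelta(minutes=5)):
    """Sources with >= threshold timed-out connections inside any `window`.
    A host that sits on a connection waiting for a legitimate client must
    reconnect after every timeout, so it accumulates entries here; a single
    stray or aborted connection does not reach the threshold."""
    flagged = {}
    for src, stamps in parse_timeouts(log_text).items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:   # slide window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged

if __name__ == "__main__":
    print(find_persistent_waiters(SAMPLE_LOG))
```

As the post itself notes, this only catches an intruder that connects proactively; one that merely sniffs, or that waits for a legitimate client and suppresses its traffic, leaves nothing in the log for this check to find.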