I am so glad that you're able to confirm my findings. There are times when you doubt yourself.
It's funny that given all the security concerns that are flowing around VNC (tunnelling and handshaking and all that) that something that is so easy to do on WinVNC isn't seen as a risk.

I guess I could probably pull the source and look for myself to see...

Rob

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alex Angelopoulos
Sent: Tuesday, March 05, 2002 8:18 PM
To: [EMAIL PROTECTED]
Subject: Re: WinVNC & -nevershared

I did another run, attempting a /noshared switch on Client A, setting loglevel to 11. Client B can still connect by specifying /shared. A's client log shows no traces of anything - not even any bobbles that could be used as a *clue* that another session was attempted.

----- Original Message -----
From: "Rob Kenyon" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday/2002 March 05 20.21
Subject: RE: WinVNC & -nevershared

: I did.
:
: I can honestly state that I actually read the docs before posting.
: Notice that "ConnectPriority" states:
:
: By default, all WinVNC servers will disconnect any existing connections
: when an incoming, non-shared connection is authenticated. This
: behaviour is undesirable when the server machine is being used as a
: shared workstation by several users or when remoting a single display to
: multiple clients for viewing, as in a classroom situation.
:
: ConnectPriority indicates what WinVNC should do when a non-shared
: connection is received:
: 0 = Disconnect all existing connections.
: 1 = Don't disconnect any existing connections.
: 2 = Refuse the new connection.
:
: Note the "non-shared" throughout. Non-shared is fine and works fine
: and is rejected properly and doesn't kick the first user. The problem
: is that if the second user asked for a shared connection, it's accepted
: - even if the first client did not say that they wanted a shared
: connection (default on the java/web client is non-shared).
:
: Now you see the security issue. A second user can ALWAYS join a
: connection and see the screen (in fact, they can help type or move the
: mouse) even if the first user requested a non-shared session.
:
: The Xvnc --nevershared option looks like what I need as it states that
: it instructs the server to never accept a request for shared sessions.
:
: Any more thoughts?
:
: This isn't intended as a challenge/quiz/test - I really would like to
: know if there's an answer.
:
: Note, locking by IP does not work in this case as most clients will be
: dial up, non-static IP.
:
: Rob
:
: -----Original Message-----
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Ossmann
: Sent: Tuesday, March 05, 2002 11:20 AM
: To: [EMAIL PROTECTED]
: Subject: Re: WinVNC & -nevershared
:
:
: On Mon, Mar 04, 2002 at 06:59:11PM -0700, Rob Kenyon wrote:
: > As my message stated, ConnectPriority works fine, but it doesn't
: > prevent a second user from requesting a shared session, connecting and
: > seeing the first user's screen.
:
: Yes, but did you actually try setting it to 2, not 1?
:
: --
: Mike Ossmann, Tarantella/UNIX Engineer/Instructor
: Alternative Technology, Inc.
: http://www.alttech.com/
: ---------------------------------------------------------------------
: To unsubscribe, mail [EMAIL PROTECTED] with the line:
: 'unsubscribe vnc-list' in the message BODY
: See also: http://www.uk.research.att.com/vnc/intouch.html
: ---------------------------------------------------------------------
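
A model of the behaviour reported in this thread, added here as an example and not taken from the WinVNC or Xvnc source. The function names and the never_shared parameter are hypothetical; never_shared is modelled on the Xvnc option as Rob describes it, and the ConnectPriority values are the ones quoted from the docs above.

```python
from enum import Enum

class Action(Enum):
    ACCEPT = "accept, existing viewers stay"
    ACCEPT_DROP_OTHERS = "accept, disconnect existing viewers"
    REFUSE = "refuse new connection"

# ConnectPriority values as quoted from the WinVNC docs in this thread.
CONNECT_PRIORITY = {0: Action.ACCEPT_DROP_OTHERS, 1: Action.ACCEPT, 2: Action.REFUSE}

def wants_shared(client_init: bytes) -> bool:
    """RFB ClientInit is one byte, the shared-flag; non-zero asks to share."""
    if len(client_init) != 1:
        raise ValueError("ClientInit must be exactly one byte")
    return client_init[0] != 0

def decide(existing: int, client_init: bytes, connect_priority: int,
           never_shared: bool = False) -> Action:
    """Decision for a newly authenticated client.

    never_shared is a hypothetical server option modelled on the Xvnc
    behaviour described in the thread: the client's shared-flag is ignored.
    """
    if connect_priority not in CONNECT_PRIORITY:
        raise ValueError("ConnectPriority must be 0, 1 or 2")
    shared = wants_shared(client_init) and not never_shared
    if existing == 0:
        return Action.ACCEPT
    if shared:
        # The gap reported in the thread: ConnectPriority is only consulted
        # for non-shared connections, so the newcomer chooses the outcome.
        return Action.ACCEPT
    return CONNECT_PRIORITY[connect_priority]

def policy_table(never_shared: bool) -> dict:
    """Outcome for a second client, for every flag / ConnectPriority pair."""
    return {(flag, prio): decide(1, bytes([flag]), prio, never_shared)
            for flag in (0, 1) for prio in (0, 1, 2)}

if __name__ == "__main__":
    for never in (False, True):
        print(f"never_shared={never}")
        for (flag, prio), action in policy_table(never).items():
            print(f"  shared-flag={flag} ConnectPriority={prio}: {action.value}")
```

With never_shared off, every row with shared-flag=1 is accepted regardless of ConnectPriority; with it on, the second client's outcome is decided by the server setting alone.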