As you put that, I would have to agree. The flaw we're dealing with here is a mix of *usage* and hacks to make it work on Windows.
Most applications rely on their environment for critical services - security being one of those. When you look at the role that VNC plays, the primary issues come down to (1) single-key authentication - a user is a user is a user if they have a password. (2) multiple people are likely to have access to the same system in typical support environments, which is a security issue itself. The real issue is that allowing multiple people access to the same account invalidates many security checks and balances - two people having a password to the same Windows VNC server is analogous to allowing two users to share the same computer account. The problem is that there are very few *cues* that parallel access may be occurring, there is more potential for direct spying, the risks of breached password security are greater due to distributed storage (and related staleness) of passwords, and so on. It's difficult to do anything about the underlying problem, which is mating a product designed for true multi-user computing systems with an essentially single-user system. I think it is possible to mitigate, and one thing which needs to be done is probably yet *another* level for the ConnectPriority, a denied-sharing level. There are other things in there also; one of the risk factors is that the "native" configuration of WinVNC has weak security "cues", and administrators need a tool to help with that.. Which means I will probably be volunteering for something on that end, even though I don't have the time... Once again we see that "free software" is *not* semantically equal to "free beer". ----- Original Message ----- From: "Rob Kenyon" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday/2002 March 05 23.04 Subject: RE: WinVNC & -nevershared : I am so glad that you're able to confirm my findings. There are times : when you doubt yourself. : : It's funny that given all the security concerns that are flowing around : VNC (tunnelling and handshaking and all that) that something that is so : easy to do on WinVNC isn't seen as a risk. : : I guess I could probably pull the source and look for myself to see... : : Rob : : -----Original Message----- : From: [EMAIL PROTECTED] : [mailto:[EMAIL PROTECTED]] On Behalf Of Alex : Angelopoulos : Sent: Tuesday, March 05, 2002 8:18 PM : To: [EMAIL PROTECTED] : Subject: Re: WinVNC & -nevershared : : : I did another run, attempting a /noshared switch on Client A, setting : loglevel to 11. : : Client B can still connect by specifying /shared. A's client log shows : no traces of anything - not even any bobbles that could be used as a : *clue* that another session was attempted. : : ----- Original Message ----- : From: "Rob Kenyon" <[EMAIL PROTECTED]> : To: <[EMAIL PROTECTED]> : Sent: Tuesday/2002 March 05 20.21 : Subject: RE: WinVNC & -nevershared : : : : I did. : : : : I can honestly state that I actually read the docs before posting. : : Notice that "ConnectPriority" states: : : : : By default, all WinVNC servers will disconnect any existing : connections : : when an incoming, non-shared connection is authenticated. This : : behaviour is undesirable when the server machine is being used as a : : shared workstation by several users or when remoting a single display : to : : multiple clients for vewing, as in a classroom situation. : : : : ConnectPriority indicates what WinVNC should do when a non-shared : : connection is received: : : 0 = Disconnect all existing connections. : : 1 = Don't disconnect any existing connections. : : 2 = Refuse the new connection. : : : : Note the "non-shared" throughout. Non-shared is fine and works fine : : and is rejected properly and doesn't kick the first user. The problem : : is that if the second user asked for a shared connection, it's : accepted : : - even if the first client did not say that they wanted a shared : : connection (default on the java/web client is non-shared). : : : : Now you see the security issue. A second user can ALWAYS join a : : connection and see the screen (in fact, they can help type or move the : : mouse) even if the first user requested a non-shared session. : : : : The Xvnc --nevershared option looks like what I need as it states that : : it instructs the server to never accept a request for shared sessions. : : : : Any more thoughts? : : : : This isn't intended as a challenge/quiz/test - I really would like to : : know if there's an answer. : : : : Note, locking by IP does not work in this case as most clients will be : : dial up, non-static IP. : : : : Rob : : : : -----Original Message----- : : From: [EMAIL PROTECTED] : : [mailto:[EMAIL PROTECTED]] On Behalf Of Michael : Ossmann : : Sent: Tuesday, March 05, 2002 11:20 AM : : To: [EMAIL PROTECTED] : : Subject: Re: WinVNC & -nevershared : : : : : : On Mon, Mar 04, 2002 at 06:59:11PM -0700, Rob Kenyon wrote: : : > As my message stated, ConnectPriorty works fine, but it doesn't : : > prevent a second user from requesting a shared session, connecting : and : : : : > seeing the first user's screen. : : : : Yes, but did you actually try setting it to 2, not 1? : : : : -- : : Mike Ossmann, Tarantella/UNIX Engineer/Instructor : : Alternative Technology, Inc. http://www.alttech.com/ : : --------------------------------------------------------------------- : : To unsubscribe, mail [EMAIL PROTECTED] with the line: : : 'unsubscribe vnc-list' in the message BODY See also: : : http://www.uk.research.att.com/vnc/intouch.html : : --------------------------------------------------------------------- : : --------------------------------------------------------------------- : : To unsubscribe, mail [EMAIL PROTECTED] with the line: : : 'unsubscribe vnc-list' in the message BODY : : See also: http://www.uk.research.att.com/vnc/intouch.html : : --------------------------------------------------------------------- : --------------------------------------------------------------------- : To unsubscribe, mail [EMAIL PROTECTED] with the line: : 'unsubscribe vnc-list' in the message BODY See also: : http://www.uk.research.att.com/vnc/intouch.html : --------------------------------------------------------------------- : --------------------------------------------------------------------- : To unsubscribe, mail [EMAIL PROTECTED] with the line: : 'unsubscribe vnc-list' in the message BODY : See also: http://www.uk.research.att.com/vnc/intouch.html : --------------------------------------------------------------------- --------------------------------------------------------------------- To unsubscribe, mail [EMAIL PROTECTED] with the line: 'unsubscribe vnc-list' in the message BODY See also: http://www.uk.research.att.com/vnc/intouch.html ---------------------------------------------------------------------
