VNC 3.3.1: passwords and security

Charles Karney karney "at" pppl.gov
Thu, 05 Mar 1998 19:49:08 +0000


Two comments about passwords and security:

(1) Nowadays, the restriction of passwords to 8 characters seems a bit out
of date.  Why not just allow much longer (e.g., 16 character) or arbitrary
length strings?  If it would help internally, the longer passwords could be
folded down to a smaller length (8 bytes or whatever) by a simple
checksum-like algorithm.

(2) My home directory is shared between machines via NFS.  The contents of
~/.vnc/passwd is then visible to a network snooper and this can easily be
used to retrieve my VNC password.

How about a combination of the challenge-response password negotiation
currently used by VNC and the one-way encryption currently used for Unix
passwords?  The goals would be to have the unencrypted password only
present in the memory of server and client processes and NOT on the network
wires nor in files.

I could envision such a scheme using public key encryption (a la ssh).  Has
anyone thought of this?  (On the other hand, perhaps I'm fooling myself,
since .Xauthority and other sensitive files are already in my NFS exported
home directory.)

(3) How about linking vncserver with the tcp-wrapper library and allowing
users to allow or deny hosts via ~/.vnc/hosts.{allow,deny}?

-- 
Charles Karney
Plasma Physics Laboratory	  E-mail:  Karney "at" Princeton.EDU
Princeton University		  Phone:   +1 609 243 2607
Princeton, NJ 08543-0451	  FAX:	   +1 609 243 3438
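An added illustration of points (1) and (2) above; this is example code written for this page, not VNC's own code and not something the author proposed in detail. It assumes a hypothetical password file holding a random salt and an 8-byte verifier derived from an arbitrary-length passphrase (PBKDF2 stands in for the "checksum-like" fold), and a challenge-response in which the server sends the salt and a random nonce, the client re-derives the verifier in memory and answers with an HMAC over the nonce. The passphrase itself never leaves the client process and is never written to disk.

```python
import hashlib
import hmac
import os

KEY_LEN = 8  # the 8-byte key size the 1998 protocol expects (assumption)


def fold_passphrase(passphrase: str, salt: bytes) -> bytes:
    """Fold an arbitrary-length passphrase down to KEY_LEN bytes.

    PBKDF2-HMAC-SHA256 is used instead of a plain checksum so that a
    copied verifier still costs an attacker real work per guess.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, 100_000, dklen=KEY_LEN
    )


class PasswordFile:
    """Stand-in for ~/.vnc/passwd (hypothetical layout): salt plus verifier,
    never the passphrase itself."""

    def __init__(self, passphrase: str) -> None:
        self.salt = os.urandom(16)
        self.verifier = fold_passphrase(passphrase, self.salt)


def server_challenge() -> bytes:
    """Fresh random nonce per login attempt; replaying an old response fails."""
    return os.urandom(16)


def client_response(passphrase: str, salt: bytes, challenge: bytes) -> bytes:
    """Client side: derive the key in memory and MAC the challenge with it.
    Only the MAC goes on the wire, not the passphrase or the derived key."""
    key = fold_passphrase(passphrase, salt)
    return hmac.new(key, challenge, hashlib.sha256).digest()


def server_verify(pwfile: PasswordFile, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected MAC from the stored verifier and
    compare in constant time."""
    expected = hmac.new(pwfile.verifier, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def authenticate(pwfile: PasswordFile, passphrase: str) -> bool:
    """One complete exchange: server sends (salt, challenge), client answers,
    server checks. Returns True on success."""
    challenge = server_challenge()
    response = client_response(passphrase, pwfile.salt, challenge)
    return server_verify(pwfile, challenge, response)


if __name__ == "__main__":
    pf = PasswordFile("correct horse battery staple")  # constructed sample
    print("good passphrase:", authenticate(pf, "correct horse battery staple"))
    print("bad passphrase: ", authenticate(pf, "wrong"))
```

This meets the "not on the network wires" goal: a snooper sees only salt, nonce and MAC. It does not fully meet the "not in files" goal, because the stored verifier is all the server uses to check a response, so anyone who can read the file over NFS can answer the challenge without knowing the passphrase. The slow KDF limits offline guessing against the file, but closing that gap entirely needs an augmented password-authenticated key exchange or the public-key approach the post mentions.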
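An added example for point (3), written for this page rather than taken from VNC or from the tcp-wrapper library: a small matcher that applies the tcp-wrappers evaluation order (hosts.allow is consulted first and wins on a match, then hosts.deny, and a client matching neither is allowed) to constructed sample files in the ~/.vnc/hosts.{allow,deny} layout the post suggests. The supported patterns (ALL, a trailing-dot network prefix, a leading-dot domain suffix, and an exact host name or address) are a subset chosen for illustration.

```python
# Constructed sample files, not from the post.
HOSTS_ALLOW = """\
# ~/.vnc/hosts.allow (constructed sample)
vncserver: 192.168.1.
vncserver: trusted.example.org, .corp.example.org
"""
HOSTS_DENY = """\
# ~/.vnc/hosts.deny (constructed sample): deny everyone not allowed above
vncserver: ALL
"""


def parse_rules(text: str) -> list[tuple[list[str], list[str]]]:
    """Parse 'daemon_list : client_list' lines into (daemons, clients) pairs,
    ignoring comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, sep, clients = line.partition(":")
        if not sep:
            continue  # malformed line; tcp-wrappers would log and skip it
        rules.append(
            ([d.strip() for d in daemons.split(",") if d.strip()],
             [c.strip() for c in clients.split(",") if c.strip()])
        )
    return rules


def match_pattern(pattern: str, host: str, addr: str) -> bool:
    """Match one client pattern against a resolved host name and address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # domain suffix, e.g. .corp.example.org
        return host.endswith(pattern)
    if pattern.endswith("."):            # network prefix, e.g. 192.168.1.
        return addr.startswith(pattern)
    return pattern == host or pattern == addr


def rules_match(rules, daemon: str, host: str, addr: str) -> bool:
    """True if any rule names this daemon (or ALL) and matches the client."""
    for daemons, clients in rules:
        if daemon in daemons or "ALL" in daemons:
            if any(match_pattern(p, host, addr) for p in clients):
                return True
    return False


def access_allowed(daemon: str, host: str, addr: str,
                   allow_text: str = HOSTS_ALLOW,
                   deny_text: str = HOSTS_DENY) -> bool:
    """tcp-wrappers order: allow file first, then deny file, default allow.
    A deny file containing 'daemon: ALL' turns that default into deny-by-default."""
    if rules_match(parse_rules(allow_text), daemon, host, addr):
        return True
    if rules_match(parse_rules(deny_text), daemon, host, addr):
        return False
    return True


if __name__ == "__main__":
    for host, addr in [("pc1.home", "192.168.1.7"),
                       ("box.corp.example.org", "203.0.113.9"),
                       ("other.example.net", "10.0.0.5")]:
        print(host, addr, "->", "allow" if access_allowed("vncserver", host, addr) else "deny")
```

Because the deny file ends with `vncserver: ALL`, the effective policy is deny-by-default with explicit exceptions, which is the safer way to write these files; with an empty deny file every unlisted client would be accepted.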