(not only) NT Domain authorization
Ivan Popov
pin "at" math.chalmers.se
Tue, 29 Sep 1998 17:49:52 +0000
On Tue, 29 Sep 1998, Quentin Stafford-Fraser wrote:
> 1. there are some serious security problems with NT authentication. If
> we wanted to improve VNC security (and we'll get round to it one day!)
^^^^^^^^^^^^^^^^^^^^
> we wouldn't do it this way.
>
> 2. it's a rather platform-specific approach, and VNC has always tried to
> be completely cross-platform.
^^^^^^^^^^^^^^^^^^^^^^^^^
>
> 3. there are several other possible password mechanisms that people
> might like to use, and incorporating them all would probably lead to
> bloated software
^^^^^^^^^^^^^^^^
Once again, wouldn't it be nice to separate the VNC protocol and
authentication?
These are in fact independent, and authentication is
often desired to be done by very different means. Think about
PAM modules having become (well, almost) a de facto standard in the Unix world
very rapidly.
Let the connection establishment and authentication lie separately,
while the RFB protocol might use just a readily authenticated and
eventually encrypted/compressed channel. The origin of the channel does
not matter, neither for the server nor for clients. They deal with
data streams, don't they?
You don't need to include/implement all kinds of authentication in the
protocol. Just define/implement the interface.
The modules will come to life at once, according to all sorts of needs
of the users. Beginning with plain text passwords and Unix authentication,
ending with Kerberos, public keys and so on.
It would be a cleaner solution, not sacrificing simplicity and
portability.
Think also about improving security...
Am I missing something important (besides human resources)?
May I be of any help?
Regards,
--
Ivan Popov <pin "at" math.chalmers.se>
Systemman, Driftavdelningen, Matematiska institutionen, Chalmers TH
---------------------------------------------------------------------
The VNC mailing list - see http://www.orl.co.uk/vnc/intouch.html
---------------------------------------------------------------------
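As an added illustration (not code from VNC or from this post), here is a Python sketch of the separation proposed above: authentication modules run first over a raw channel, and only a channel that passed authentication is handed to the RFB handler, which never sees an auth message. The module registry, the two sample modules and the in-memory channel pair are assumptions made for the sketch.

```python
import hashlib, hmac, os, queue, threading

class Endpoint:
    """One end of an in-memory duplex channel (constructed stand-in for a socket)."""
    def __init__(self, inbox, outbox):
        self.inbox, self.outbox = inbox, outbox
    def send(self, data: bytes) -> None:
        self.outbox.put(data)
    def recv(self) -> bytes:
        return self.inbox.get(timeout=2)  # raise instead of hanging on a stuck peer

def channel_pair():
    a, b = queue.Queue(), queue.Queue()
    return Endpoint(a, b), Endpoint(b, a)

# Assumed module interface (not VNC's): a (server_side, client_side) pair that works on
# the raw channel plus a secret and never sees an RFB message. Two sample modules follow.
def plain_server(ch, secret):
    return hmac.compare_digest(ch.recv(), secret)  # constant-time comparison
def plain_client(ch, secret):
    ch.send(secret)

def hmac_server(ch, secret):
    nonce = os.urandom(16)
    ch.send(nonce)  # fresh challenge: the secret itself never crosses the channel
    return hmac.compare_digest(ch.recv(), hmac.new(secret, nonce, hashlib.sha256).digest())
def hmac_client(ch, secret):
    ch.send(hmac.new(secret, ch.recv(), hashlib.sha256).digest())

AUTH_MODULES = {"plain": (plain_server, plain_client),
                "hmac-sha256": (hmac_server, hmac_client)}

def rfb_server(ch):
    """Protocol handler: only ever handed an already authenticated stream."""
    ch.send(b"RFB 003.003\n")

def connect(module, server_secret, client_secret):
    """Run the chosen module on both ends; pass the channel to RFB only on success.
    Returns True when the client actually received the RFB version banner."""
    srv, cli = channel_pair()
    srv_auth, cli_auth = AUTH_MODULES[module]
    seen = {}
    def client():
        cli_auth(cli, client_secret)
        verdict = cli.recv()
        seen["banner"] = cli.recv() if verdict == b"OK" else None
    t = threading.Thread(target=client)
    t.start()
    ok = srv_auth(srv, server_secret)
    srv.send(b"OK" if ok else b"FAIL")
    if ok:
        rfb_server(srv)
    t.join()
    return seen.get("banner") == b"RFB 003.003\n"
```

Swapping "plain" for "hmac-sha256" changes nothing in `rfb_server`, which is the point of the proposal: the protocol code consumes a stream and the choice of authentication lives entirely in the module.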