VNC strong authentication, fixing the registry permissions

Andrew van der Stock ajv "at" greebo.net
Mon, 27 Nov 2000 02:09:52 +0000


The problem is that until IPsec becomes near-universal transport encryptor
(it'll be a few years yet), protocols that have security implications*
should take steps to provide confidentiality (encryption), availability
(good garbage in detection and prevention, automatic restart in case of
failure, etc), and serviceability (by allowing secure remote upgrades of in
place components, secure remote and online changes of configuration, etc).
Strong authentication is just the tip of the iceberg.

We do look at sshd services and their ilk, but realistically if the server
is Win2K, we're more likely to use IPsec than an sshd or workalike
implementation. IPsec provides a great deal of robustness and
interoperability, replay prevention and even at its lowest form of ESP
encryption, header authentication.

Where we trust the network (our own 4 - 8 port switch for example), we do
use a Unix sshd as the end point. This works very well, and in the days of
sub-$200 switches, this should be the default, but... :-)

Andrew

* such as remote administrative control of production servers :-)

-----Original Message-----
From: owner-vnc-list "at" uk.research.att.com
[mailto:owner-vnc-list "at" uk.research.att.com]On Behalf Of David
Starks-Browning
Sent: Friday, 24 November 2000 10:56 PM
To: vnc-list "at" uk.research.att.com
Subject: Re: VNC strong authentication, fixing the registry permissions


On Friday 24 Nov 00, Tim Waugh writes:
> > Unless you can find a stable native sshd port for Win32 (there are
> > various non-native cygwin-derived sshd ports, but these are all
> > flawed as they are not true NT services), sshd is port forwarding
> > the VNC traffic over potentially insecure network segments
> > (typically true in a colocation scenario).
>
> But sshd is encrypting it, surely?

I think his point was that vnc would have to go unencrypted over a
network segment *if* there were no ssh running on the Windows host.

Andrew, did you look at Zebedee?  You did not mention it.  I find it
to be a convenient substitute for a Windows sshd implementation.  (But
security-wise, I don't know how it compares.)

Cheers,
David
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to majordomo "at" uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------
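The thread's working assumption is that VNC on the Windows host accepts connections only on loopback, so every remote session has to pass through the encrypted path (an sshd port forward, Zebedee, or IPsec). The following script is an added example and is not code from the list or from the VNC project: it parses Windows `netstat -an` style output (assumed format, sample lines constructed here) and reports any VNC listener bound to a non-loopback address, which is exactly the misconfiguration that would put RFB traffic onto an untrusted segment in the clear.

```python
"""Flag VNC listeners reachable from the network (added example).

Assumes the Windows `netstat -an` output layout:
    TCP    <local addr>:<port>    <foreign addr>:<port>    LISTENING
Run it on a host that should only be reachable through a tunnel; any
'exposed' finding means the tunnel is not the only path to the server.
"""
import re
import sys
from dataclasses import dataclass

# RFB display ports are 5900+N; the Java viewer's HTTP ports are 5800+N.
VNC_PORT_RANGES = ((5900, 5999), (5800, 5899))

# Only LISTENING sockets matter; established sessions are a separate question.
_LISTEN_RE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    address: str
    port: int
    exposed: bool  # True when bound to something other than loopback


def split_endpoint(endpoint):
    """Split 'addr:port' (IPv4) or '[addr]:port' (IPv6) into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    if addr.startswith("[") and addr.endswith("]"):
        addr = addr[1:-1]
    return addr, int(port)


def is_vnc_port(port):
    return any(lo <= port <= hi for lo, hi in VNC_PORT_RANGES)


def is_loopback(addr):
    return addr.startswith("127.") or addr == "::1"


def audit_netstat(text):
    """Return a Finding for every VNC-range TCP listener in the output."""
    findings = []
    for line in text.splitlines():
        m = _LISTEN_RE.match(line)
        if not m:
            continue
        addr, port = split_endpoint(m.group("local"))
        if not is_vnc_port(port):
            continue
        findings.append(Finding(addr, port, exposed=not is_loopback(addr)))
    return findings


def exposed_listeners(text):
    """Only the findings that a remote host could reach directly."""
    return [f for f in audit_netstat(text) if f.exposed]


# Constructed sample: two listeners wide open, two correctly on loopback.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5800           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5901         0.0.0.0:0              LISTENING
  TCP    [::1]:5902             [::]:0                 LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:5900      10.0.0.5:4321          ESTABLISHED
"""


if __name__ == "__main__":
    # Pipe real output in (`netstat -an | python vnc_bind_check.py`),
    # otherwise the constructed sample above is audited.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for f in audit_netstat(text):
        state = "EXPOSED" if f.exposed else "loopback only"
        print(f"{f.address}:{f.port}  {state}")
    sys.exit(1 if exposed_listeners(text) else 0)
```

The non-zero exit status makes the check usable from a scheduled job, so a server whose VNC binding gets reset to all interfaces (for example after a reinstall) is noticed rather than silently relied on.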