WinVNC & -nevershared

Rob Kenyon robdkenyon "at" attbi.com
Wed, 06 Mar 2002 04:08:02 +0000


I am so glad that you're able to confirm my findings.  There are times
when you doubt yourself.

It's funny that given all the security concerns that are flowing around
VNC (tunnelling and handshaking and all that) that something that is so
easy to do on WinVNC isn't seen as a risk.

I guess I could probably pull the source and look for myself to see...

Rob

-----Original Message-----
From: owner-vnc-list "at" uk.research.att.com
[mailto:owner-vnc-list "at" uk.research.att.com] On Behalf Of Alex Angelopoulos
Sent: Tuesday, March 05, 2002 8:18 PM
To: vnc-list "at" uk.research.att.com
Subject: Re: WinVNC & -nevershared


I did another run, attempting a /noshared switch on Client A, setting
loglevel to 11.

Client B can still connect by specifying /shared. A's client log shows
no traces of anything - not even any bobbles that could be used as a
*clue* that another session was attempted.

----- Original Message -----
From: "Rob Kenyon" <robdkenyon "at" attbi.com>
To: <vnc-list "at" uk.research.att.com>
Sent: Tuesday/2002 March 05 20.21
Subject: RE: WinVNC & -nevershared


: I did.
:
: I can honestly state that I actually read the docs before posting.
: Notice that "ConnectPriority" states:
:
: By default, all WinVNC servers will disconnect any existing connections
: when an incoming, non-shared connection is authenticated.  This
: behaviour is undesirable when the server machine is being used as a
: shared workstation by several users or when remoting a single display to
: multiple clients for viewing, as in a classroom situation.
:
: ConnectPriority indicates what WinVNC should do when a non-shared
: connection is received:
: 0 = Disconnect all existing connections.
: 1 = Don't disconnect any existing connections.
: 2 = Refuse the new connection.
:
: Note the "non-shared" throughout.   Non-shared is fine and works fine
: and is rejected properly and doesn't kick the first user.  The problem
: is that if the second user asked for a shared connection, it's accepted
: - even if the first client did not say that they wanted a shared
: connection (default on the java/web client is non-shared).
:
: Now you see the security issue.  A second user can ALWAYS join a
: connection and see the screen (in fact, they can help type or move the
: mouse) even if the first user requested a non-shared session.
:
: The Xvnc --nevershared option looks like what I need as it states that
: it instructs the server to never accept a request for shared sessions.
:
: Any more thoughts?
:
: This isn't intended as a challenge/quiz/test - I really would like to
: know if there's an answer.
:
: Note, locking by IP does not work in this case as most clients will be
: dial up, non-static IP.
:
: Rob
:
: -----Original Message-----
: From: owner-vnc-list "at" uk.research.att.com
: [mailto:owner-vnc-list "at" uk.research.att.com] On Behalf Of Michael Ossmann
: Sent: Tuesday, March 05, 2002 11:20 AM
: To: vnc-list "at" uk.research.att.com
: Subject: Re: WinVNC & -nevershared
:
:
: On Mon, Mar 04, 2002 at 06:59:11PM -0700, Rob Kenyon wrote:
: > As my message stated, ConnectPriority works fine, but it doesn't
: > prevent a second user from requesting a shared session, connecting and
: > seeing the first user's screen.
:
: Yes, but did you actually try setting it to 2, not 1?
:
: --
: Mike Ossmann, Tarantella/UNIX Engineer/Instructor
: Alternative Technology, Inc.  http://www.alttech.com/
: ---------------------------------------------------------------------
: To unsubscribe, mail majordomo "at" uk.research.att.com with the line:
: 'unsubscribe vnc-list' in the message BODY See also:
: http://www.uk.research.att.com/vnc/intouch.html
: ---------------------------------------------------------------------
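
Added example, not part of the original thread and not WinVNC or Xvnc source: a small Python model of the behaviour the messages describe, where ConnectPriority is consulted only for non-shared requests, next to a never-shared policy that ignores the client's shared flag. The names `Server`, `never_shared`, `client_init` and `run` are hypothetical, and the never-shared handling is an assumption based on the thread's description of the Xvnc option.

```python
from dataclasses import dataclass, field

# ConnectPriority values as quoted from the WinVNC docs in the thread
DISCONNECT_EXISTING = 0
KEEP_EXISTING = 1
REFUSE_NEW = 2


@dataclass
class Server:
    connect_priority: int = REFUSE_NEW
    never_shared: bool = False          # hypothetical server-side switch
    clients: list = field(default_factory=list)

    def client_init(self, name: str, msg: bytes) -> str:
        """Handle the one-byte RFB ClientInit message (non-zero = shared)."""
        if len(msg) != 1:
            return "refused: malformed ClientInit"
        shared = msg[0] != 0
        if self.never_shared:
            shared = False              # server policy overrides the client
        if shared or not self.clients:
            # A shared request never reaches the ConnectPriority check.
            self.clients.append(name)
            return "accepted"
        # Non-shared request while someone is connected: ConnectPriority applies.
        if self.connect_priority == REFUSE_NEW:
            return "refused: server in use"
        if self.connect_priority == DISCONNECT_EXISTING:
            self.clients.clear()
        self.clients.append(name)
        return "accepted"


# Constructed scenario from the thread: A asks for non-shared, B asks for shared.
SESSIONS = [("A", b"\x00"), ("B", b"\x01")]


def run(server: Server, sessions=SESSIONS) -> list:
    """Feed each (name, ClientInit) pair to the server and collect the results."""
    return [server.client_init(name, msg) for name, msg in sessions]


if __name__ == "__main__":
    for policy in (False, True):
        srv = Server(connect_priority=REFUSE_NEW, never_shared=policy)
        print(f"never_shared={policy}: {run(srv)} connected={srv.clients}")
```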