WinVNC & -nevershared

Alex Angelopoulos alex "at" bittnet.com
Wed, 06 Mar 2002 04:34:21 +0000


As you put that, I would have to agree.  The flaw we're dealing with here is a
mix of *usage* and hacks to make it work on Windows.

Most applications rely on their environment for critical services - security
being one of those.  When you look at the role that VNC plays, the primary
issues come down to
(1) single-key authentication - a user is a user is a user if they have a
password.
(2) multiple people are likely to have access to the same system in typical
support environments, which is a security issue itself.

The real issue is that allowing multiple people access to the same account
invalidates many security checks and balances - two people having a password
to the same Windows VNC server is analogous to allowing two users to share the
same computer account.  The problem is that there are very few *cues* that
parallel access may be occurring, there is more potential for direct spying,
the risks of breached password security are greater due to distributed storage
(and related staleness) of passwords, and so on.

It's difficult to do anything about the underlying problem, which is mating a
product designed for true multi-user computing systems with an essentially
single-user system.


I think it is possible to mitigate, and one thing which needs to be done is
probably yet *another* level for the ConnectPriority, a denied-sharing level.

There are other things in there also; one of the risk factors is that the
"native" configuration of WinVNC has weak security "cues", and administrators
need a tool to help with that.

Which means I will probably be volunteering for something on that end, even
though I don't have the time... Once again we see that "free software" is
*not* semantically equal to "free beer".


----- Original Message -----
From: "Rob Kenyon" <robdkenyon "at" attbi.com>
To: <vnc-list "at" uk.research.att.com>
Sent: Tuesday/2002 March 05 23.04
Subject: RE: WinVNC & -nevershared


: I am so glad that you're able to confirm my findings.  There are times
: when you doubt yourself.
:
: It's funny that given all the security concerns that are flowing around
: VNC (tunnelling and handshaking and all that) that something that is so
: easy to do on WinVNC isn't seen as a risk.
:
: I guess I could probably pull the source and look for myself to see...
:
: Rob
:
: -----Original Message-----
: From: owner-vnc-list "at" uk.research.att.com
: [mailto:owner-vnc-list "at" uk.research.att.com] On Behalf Of Alex
: Angelopoulos
: Sent: Tuesday, March 05, 2002 8:18 PM
: To: vnc-list "at" uk.research.att.com
: Subject: Re: WinVNC & -nevershared
:
:
: I did another run, attempting a /noshared switch on Client A, setting
: loglevel to 11.
:
: Client B can still connect by specifying /shared. A's client log shows
: no traces of anything - not even any bobbles that could be used as a
: *clue* that another session was attempted.
:
: ----- Original Message -----
: From: "Rob Kenyon" <robdkenyon "at" attbi.com>
: To: <vnc-list "at" uk.research.att.com>
: Sent: Tuesday/2002 March 05 20.21
: Subject: RE: WinVNC & -nevershared
:
:
: : I did.
: :
: : I can honestly state that I actually read the docs before posting.
: : Notice that "ConnectPriority" states:
: :
: : By default, all WinVNC servers will disconnect any existing connections
: : when an incoming, non-shared connection is authenticated.  This
: : behaviour is undesirable when the server machine is being used as a
: : shared workstation by several users or when remoting a single display to
: : multiple clients for viewing, as in a classroom situation.
: :
: : ConnectPriority indicates what WinVNC should do when a non-shared
: : connection is received:
: : 0 = Disconnect all existing connections.
: : 1 = Don't disconnect any existing connections.
: : 2 = Refuse the new connection.
: :
: : Note the "non-shared" throughout.   Non-shared is fine and works fine
: : and is rejected properly and doesn't kick the first user.  The problem
: : is that if the second user asked for a shared connection, it's accepted
: : - even if the first client did not say that they wanted a shared
: : connection (default on the java/web client is non-shared).
: :
: : Now you see the security issue.  A second user can ALWAYS join a
: : connection and see the screen (in fact, they can help type or move the
: : mouse) even if the first user requested a non-shared session.
: :
: : The Xvnc --nevershared option looks like what I need as it states that
: : it instructs the server to never accept a request for shared sessions.
: :
: : Any more thoughts?
: :
: : This isn't intended as a challenge/quiz/test - I really would like to
: : know if there's an answer.
: :
: : Note, locking by IP does not work in this case as most clients will be
: : dial up, non-static IP.
: :
: : Rob
: :
: : -----Original Message-----
: : From: owner-vnc-list "at" uk.research.att.com
: : [mailto:owner-vnc-list "at" uk.research.att.com] On Behalf Of Michael Ossmann
: : Sent: Tuesday, March 05, 2002 11:20 AM
: : To: vnc-list "at" uk.research.att.com
: : Subject: Re: WinVNC & -nevershared
: :
: :
: : On Mon, Mar 04, 2002 at 06:59:11PM -0700, Rob Kenyon wrote:
: : > As my message stated, ConnectPriority works fine, but it doesn't
: : > prevent a second user from requesting a shared session, connecting and
: : > seeing the first user's screen.
: :
: : Yes, but did you actually try setting it to 2, not 1?
: :
: : --
: : Mike Ossmann, Tarantella/UNIX Engineer/Instructor
: : Alternative Technology, Inc.  http://www.alttech.com/
: : ---------------------------------------------------------------------
: : To unsubscribe, mail majordomo "at" uk.research.att.com with the line:
: : 'unsubscribe vnc-list' in the message BODY
: : See also: http://www.uk.research.att.com/vnc/intouch.html
: : ---------------------------------------------------------------------
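Editor's note: the admission behaviour the thread describes (ConnectPriority governs only non-shared requests, so a viewer that sets the RFB shared flag is let in regardless) can be modelled in a few lines. The following is an added example, not WinVNC source or documentation. It assumes the server keeps a list of live viewer sessions, that ConnectPriority is consulted only when a non-shared request arrives while other viewers are present, and it adds a hypothetical never_shared switch (named after Xvnc's -nevershared) that discards the client's shared flag so every request is judged as non-shared. The one protocol fact relied on is that the RFB ClientInit message is a single byte whose non-zero value means "shared".

```python
"""
Model of the WinVNC connection-admission behaviour described in this thread.

Added illustration, not WinVNC's code. Assumptions:
  * the server tracks its live viewer sessions in a list;
  * ConnectPriority (0/1/2) is consulted only for NON-shared requests that
    arrive while other viewers are present, as the quoted documentation says;
  * never_shared is a hypothetical switch (after Xvnc's -nevershared) that
    discards the client's shared flag so every request is judged non-shared.
"""
from dataclasses import dataclass, field
from typing import List


def parse_client_init(msg: bytes) -> bool:
    """RFB ClientInit is one byte: non-zero means the viewer asked to share."""
    if len(msg) != 1:
        raise ValueError("ClientInit is exactly one byte")
    return msg[0] != 0


@dataclass
class Session:
    name: str
    shared: bool


@dataclass
class Server:
    connect_priority: int = 0
    never_shared: bool = False          # assumption: models Xvnc -nevershared
    sessions: List[Session] = field(default_factory=list)
    log: List[str] = field(default_factory=list)   # server-side cue for admins

    def viewers(self) -> List[str]:
        return [s.name for s in self.sessions]

    def admit(self, name: str, client_init: bytes) -> bool:
        """Decide whether an already-authenticated viewer gets a session."""
        shared = parse_client_init(client_init)
        if self.never_shared:
            shared = False              # server policy overrides the client

        if shared:
            # The behaviour Rob reports: a shared request is accepted and
            # ConnectPriority is never consulted, whatever viewer A asked for.
            self.sessions.append(Session(name, True))
            self.log.append(f"{name}: shared request accepted alongside {self.viewers()[:-1]}")
            return True

        if not self.sessions:
            self.sessions.append(Session(name, False))
            self.log.append(f"{name}: first viewer, accepted")
            return True

        if self.connect_priority == 0:
            self.log.append(f"{name}: non-shared, disconnecting {self.viewers()}")
            self.sessions = [Session(name, False)]
            return True
        if self.connect_priority == 1:
            self.sessions.append(Session(name, False))
            self.log.append(f"{name}: non-shared, existing viewers kept")
            return True
        if self.connect_priority == 2:
            self.log.append(f"{name}: non-shared, refused (viewers present)")
            return False
        raise ValueError(f"unknown ConnectPriority {self.connect_priority}")


def scenario(connect_priority: int, never_shared: bool, second_init: bytes) -> List[str]:
    """Viewer A connects non-shared, then B sends second_init; return who is left."""
    srv = Server(connect_priority=connect_priority, never_shared=never_shared)
    srv.admit("A", b"\x00")
    srv.admit("B", second_init)
    return srv.viewers()


if __name__ == "__main__":
    print("ConnectPriority=2, B non-shared:", scenario(2, False, b"\x00"))  # ['A']
    print("ConnectPriority=2, B shared:    ", scenario(2, False, b"\x01"))  # ['A', 'B']
    print("never_shared, B shared:         ", scenario(2, True, b"\x01"))   # ['A']
```

The second scenario is the gap Rob and Alex observed: ConnectPriority=2 refuses a non-shared B but admits a shared B next to A. The third shows why a server-side "denied-sharing" level closes it: once the client's flag is ignored, B's request falls through to ConnectPriority and is refused. The log list stands in for the cue Alex notes WinVNC lacks, since in the model the admission decision is recorded on the server even when the first viewer sees nothing.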