Lesser of 2 evils in absence of ssh
Shing-Fat Fred Ma
Mon Nov 18 19:17:01 2002
>From: David Smith <email@example.com>
>>>Without ssh, is it better to
>>>connect from a PC viewer to
>>>a solaris server over the
>>>internet, or the following:
>>>start the solaris server
>>>with -localhost, telnet into
>>>the sun box and use vncconnect
>>>to make the server connect to
>>>your remote PC viewer.
>I would say the first is more secure. Regularly changing your
>password would also be a good idea since the VNC password chat is not
>exceptionally strong, but it is much better than passing your login
>and password in the clear.
>From: Dave Dyer <firstname.lastname@example.org>
> Or you could use zVnc, which incorporates ssh-class encryption
>into the basic vnc communication stream.
It looks pretty handy. But I think I'll rely on
my SysAdmin to look after the security arrangements.
I'm not using stock VNC, I'm using TightVNC. If I
keep security as a separate layer, I can migrate with
the technology as it changes.
About relying on VNC's authentication, what's your
view on the fact that running the server without
-localhost allows repeated attempts at connection?
I know that after a number of tries, it refuses
connection, but I seem to recall that just changing
where you try to connect from will reset that. I
haven't delved into the code, but is that behaviour
embedded in the viewer? There was a posting a while
ago showing that the viewer can be modified into an
"attack" machine, but I don't recall seeing too much
discussion following up.
In the end, I realize that the secure way is through
an ssh tunnel.