Security Feature Suggestion: "Delete Password" on exit?

[Corné Beerse]

Alex K. Angelopoulos wrote:

> I've been looking at VNC in remote assistance roles recently, and it has 
> occurred to me that for that specific role, it might be helpful if VNC 
> could be set to either delete the registry keys for passwords on exit or 
> to never save the password at all.
> 
> I find myself taken with the idea, but I can also see how this could be 
> a pain in the rear for a standard install even if done carefully - if 
> it's possible to wade through the issues of multiple keys where the 
> password may be specified, it could still be very confusing to people if 
> this "setting" were configured and they weren't aware of it.
> 
> Any general reactions to the idea, though? 

afaik, VNC installs 2 registry hives: one for the current user and one for the 
system. Both have a password entry. As long as no-one is logged-in, the 
system-hive and hence the password in there rules. ONce the user is logged-in, 
the users hive prevails and its password works.

My idea with this is that you can do one of the next:
1: fill the password in the system-hive with some text (like 'no-password') and 
no-one will be able to vnc as long as no-one is logged in.

2: fill the password in the user-hive with some text (like 'no-password') and 
no-one will be able to vnc as long as that user is logged in.

3: Remove the password in the system-hive will remove the password question and 
give direct access. (removing the password on the user level is no security at 
all...)

With only 1:, you roughly have what you want if the user is logged-out at the 
console.

I might be off at some point, like if the user has no password, it can fall-back 
to the system-password. Try and test with this and off you go.

NOte: VNC 4 has different security than vnc 3. My knowledge is based on vnc3 
(and might be off at some points too).


CBee