[Bug 54312] Re: vino listen on all addresses

Oren Laadan orenl at cs.columbia.edu
Wed Sep 13 19:28:53 UTC 2006


Here is the motivation:  we had a machine broken into because of a
vulnerability in vncserver. This, plus the issue of unencrypted channel,
brought me to tighten up security by requiring that users will be
obliged to use SSH tunnels.

The problem is that as long as the server (either vnc, vino) listens on
INADDR_ANY one cannot force such policy (note that with SSH tunnels the
server need not listen on anything other than localhost).

Therefore even if I had set the SSH channel for that instance of the
server (through which someone got in), it wouldn't have helped in the
event of a server vulnerability. Forcing localhost only prevents any
sort of remote exploit of the service (assuming, of course, SSH is safe
...)

(note that it is possible to tell vncserver to listen localhost only,
but only by a command line switch, thus depending on the good will of
the user; I wish there was - in vnc and vino - a way to set that option
system wide - e.g. via /etc/vnc.conf).

-- 
vino listen on all addresses
https://launchpad.net/bugs/54312
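The policy described in this message (VNC may only be reached through an SSH tunnel, so the server must bind to loopback rather than INADDR_ANY) is easy to state but only enforceable if an administrator can verify it. The following audit script is an added example written for this page; it is not code from the vino or vnc projects and not from the message's author. It assumes `ss -ltn`-style output (the sample below is constructed, not captured from a real host) and treats TCP ports 5900-5999 as VNC display ports. It reports every VNC listener that is bound to anything other than a loopback address, which is exactly the condition that makes an SSH-tunnel-only policy unenforceable.

```python
"""Audit listening TCP sockets for VNC servers exposed beyond loopback.

Added example for this bug thread (not vino/vnc project code). Assumes
`ss -ltn` output and the conventional VNC port range 5900-5999.
"""
import ipaddress
import socket

# Constructed sample of `ss -ltn` output; not captured from a real machine.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:5901       0.0.0.0:*
LISTEN  0       128     0.0.0.0:5900         0.0.0.0:*
LISTEN  0       128     [::1]:5902           [::]:*
LISTEN  0       128     *:5903               *:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
"""

# Assumption: VNC displays :0 .. :99 map to TCP 5900 .. 5999.
VNC_PORTS = range(5900, 6000)


def split_host_port(local):
    """Split an ss 'Local Address:Port' field; handles [v6]:port and *:port."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host):
    """True only if the bind address is a loopback address (127/8 or ::1)."""
    if host in ("*", ""):          # ss prints '*' for INADDR_ANY / in6addr_any
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def exposed_vnc_listeners(ss_output):
    """Return (host, port) for every VNC listener not bound to loopback."""
    findings = []
    for line in ss_output.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_host_port(fields[3])
        if port in VNC_PORTS and not is_loopback(host):
            findings.append((host, port))
    return findings


def bind_demo():
    """Show the difference at the socket level: bind one listener to
    127.0.0.1 and one to 0.0.0.0 (INADDR_ANY) on kernel-chosen ports and
    return the local address the kernel reports for each."""
    results = {}
    for label, addr in (("loopback", "127.0.0.1"), ("any", "0.0.0.0")):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind((addr, 0))          # port 0: let the kernel pick a free port
        s.listen(1)
        results[label] = s.getsockname()[0]
        s.close()
    return results


if __name__ == "__main__":
    for host, port in exposed_vnc_listeners(SAMPLE_SS_OUTPUT):
        print(f"VNC listener on {host}:{port} is reachable beyond loopback")
    print(bind_demo())
```

On a real host, feed the script the live output (`ss -ltn`) instead of the constructed sample; any finding means a VNC server could still be attacked directly even if every legitimate user goes through `ssh -L`, which is the gap the message above describes.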