[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] qemu.conf: update vnc_password docs



On Wed, Jun 05, 2013 at 03:09:54PM +0200, Ján Tomko wrote:
> QEMU does accept empty VNC passwords now and allows anyone
> to connect with an empty password.
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=969542
> ---
>  src/qemu/qemu.conf | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
> index cdf1ec4..49ef75f 100644
> --- a/src/qemu/qemu.conf
> +++ b/src/qemu/qemu.conf
> @@ -62,9 +62,9 @@
>  # VNC passwords. This parameter is only used if the per-domain
>  # XML config does not already provide a password. To allow
>  # access without passwords, leave this commented out. An empty
> -# string will still enable passwords, but be rejected by QEMU,
> -# effectively preventing any use of VNC. Obviously change this
> -# example here before you set this.
> +# string might either prevent any use of VNC or allow access
> +# with an empty password depending on QEMU version. Obviously
> +# change this example here before you set this.
>  #
>  #vnc_password = "XYZ12345"

NACK. This is not correct. This is a security flaw and regression
in behaviour that must be fixed, if true.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]