@@ -1493,12 +1493,14 @@ considerations depending on the deployment scenarios.
@node vnc_sec_none
@subsection Without passwords
-The simplest VNC server setup does not include any form of authentication.
-For this setup it is recommended to restrict it to listen on a UNIX domain
-socket only. For example
+Unless otherwise specified, the VNC server starts in password authentication
+mode (see the next section for details). It is possible to disable
+authentication entirely when needed however it is strongly recommended to use
+other methods of access control to ensure that only trusted persons can access
+it. For example you could restrict it to listen on a UNIX domain socket only:
@example
-qemu-system-i386 [...OPTIONS...] -vnc unix:/home/joebloggs/.qemu-myvm-vnc
+qemu-system-i386 [...OPTIONS...] -vnc unix:/home/jb/.qemu-myvm-vnc,insecure
@end example
This ensures that only users on local box with read/write access to that
@@ -1284,7 +1284,8 @@ requires encrypted client connections.
@item password
-Require that password based authentication is used for client connections.
+Require that password based authentication is used for client connections. This
+is the default if no authentiation mechanism is specified.
The password must be set separately using the @code{set_password} command in
the @ref{pcsys_monitor}. The syntax to change your password is:
@@ -1301,6 +1302,10 @@ date and time).
You can also use keywords "now" or "never" for the expiration time to
allow <protocol> password to expire immediately or never expire.
+@item insecure
+
+Run the VNC server without any authentication.
+
@item tls-creds=@var{ID}
Provides the ID of a set of TLS credentials to use to secure the
@@ -3275,6 +3275,9 @@ static QemuOptsList qemu_vnc_opts = {
.name = "password",
.type = QEMU_OPT_BOOL,
},{
+ .name = "insecure",
+ .type = QEMU_OPT_BOOL,
+ },{
.name = "reverse",
.type = QEMU_OPT_BOOL,
},{
@@ -3312,6 +3315,7 @@ static QemuOptsList qemu_vnc_opts = {
static int
vnc_display_setup_auth(VncDisplay *vs,
bool password,
+ bool insecure,
bool sasl,
bool websocket,
Error **errp)
@@ -3454,6 +3458,16 @@ vnc_display_setup_auth(VncDisplay *vs,
vs->ws_auth = VNC_AUTH_INVALID;
}
}
+
+ if (vs->auth == VNC_AUTH_NONE && !insecure) {
+ /*
+ * If authentication is not specified use password authentication.
+ */
+ VNC_DEBUG("Initializing VNC server with password auth\n");
+ vs->auth = VNC_AUTH_VNC;
+ vs->subauth = VNC_AUTH_INVALID;
+ }
+
return 0;
}
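Review bot: The default-to-password fallback added just before `return 0;` rewrites only `vs->auth`, so a websocket listener keeps whatever `vs->ws_auth` the branch above already chose; if the no-auth arm that ends at the visible `vs->ws_auth = VNC_AUTH_INVALID; }` assigns `VNC_AUTH_NONE` for websockets (the way the explicit `password` path presumably assigns `VNC_AUTH_VNC`), websocket clients would stay unauthenticated while plain RFB clients are challenged for a password. The fallback should mirror the password path: add `if (websocket) { vs->ws_auth = VNC_AUTH_VNC; }` inside the new block. A second gap to confirm: `vs->auth == VNC_AUTH_NONE` will not match a TLS-only configuration if `tls-creds` without `password`/`sasl` yields `VNC_AUTH_VENCRYPT` with a no-authentication sub-auth, in which case an encrypted-but-unauthenticated server still starts without `insecure`, contrary to the stated intent. The start of vnc_display_setup_auth, where these assignments happen, is outside this hunk.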
@@ -3511,6 +3525,7 @@ void vnc_display_open(const char *id, Error **errp)
const char *share, *device_id;
QemuConsole *con;
bool password = false;
+ bool insecure = false;
bool reverse = false;
const char *vnc;
char *h;
@@ -3622,22 +3637,7 @@ void vnc_display_open(const char *id, Error **errp)
}
password = qemu_opt_get_bool(opts, "password", false);
- if (password) {
- if (fips_get_state()) {
- error_setg(errp,
- "VNC password auth disabled due to FIPS mode, "
- "consider using the VeNCrypt or SASL authentication "
- "methods as an alternative");
- goto fail;
- }
- if (!qcrypto_cipher_supports(
- QCRYPTO_CIPHER_ALG_DES_RFB)) {
- error_setg(errp,
- "Cipher backend does not support DES RFB algorithm");
- goto fail;
- }
- }
-
+ insecure = qemu_opt_get_bool(opts, "insecure", false);
reverse = qemu_opt_get_bool(opts, "reverse", false);
lock_key_sync = qemu_opt_get_bool(opts, "lock-key-sync", true);
key_delay_ms = qemu_opt_get_number(opts, "key-delay-ms", 1);
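Review bot: `insecure` is read immediately after `password` with no check that the two are mutually exclusive, so `-vnc ...,password,insecure` is accepted and `insecure` is silently ignored (the new defaulting only triggers when no mechanism was selected), leaving the operator unable to tell from the command line which mode was actually configured. Reject the contradiction here, where both booleans are in scope: `if (insecure && password) { error_setg(errp, "'insecure' cannot be combined with 'password'"); goto fail; }`. The `sasl` option is parsed elsewhere in this function and deserves the same check. vnc_display_open continues beyond this hunk.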
@@ -3760,10 +3760,27 @@ void vnc_display_open(const char *id, Error **errp)
}
#endif
- if (vnc_display_setup_auth(vs, password, sasl, vs->ws_enabled, errp) < 0) {
+ if (vnc_display_setup_auth(
+ vs, password, insecure, sasl, vs->ws_enabled, errp) < 0) {
goto fail;
}
+ if (vs->auth == VNC_AUTH_VNC) {
+ if (fips_get_state()) {
+ error_setg(errp,
+ "VNC password auth disabled due to FIPS mode, "
+ "consider using the VeNCrypt or SASL authentication "
+ "methods as an alternative");
+ goto fail;
+ }
+ if (!qcrypto_cipher_supports(
+ QCRYPTO_CIPHER_ALG_DES_RFB)) {
+ error_setg(errp,
+ "Cipher backend does not support DES RFB algorithm");
+ goto fail;
+ }
+ }
+
#ifdef CONFIG_VNC_SASL
if ((saslErr = sasl_server_init(NULL, "qemu")) != SASL_OK) {
error_setg(errp, "Failed to initialize SASL auth: %s",
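Review bot: The relocated FIPS/DES guard is narrower than the one it replaces: the removed block ran whenever `password` was requested, whereas the new `if (vs->auth == VNC_AUTH_VNC)` fires only for plain password auth, so any configuration in which vnc_display_setup_auth maps an explicit `password` to a different `vs->auth` (for instance VeNCrypt with a VNC sub-auth when `tls-creds` is also given; whether that mapping exists is not visible here) now escapes both the FIPS refusal and the DES-RFB backend check and would only fail later at client challenge time. Keeping the old coverage while also catching the new defaulted case is a one-line change: `if (password || vs->auth == VNC_AUTH_VNC) {`. The remainder of vnc_display_open, including where `sasl` is parsed, is outside this hunk.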
To improve the security of the embedded VNC server make password based authentication the default when no authentication mechanism is specified. If you really want to use "no authentication", a new authentication option called "insecure" is introduced which needs to be explicitly specified. Note: because password authentication is not available in FIPS mode, you must explicitly set an authentication method when using VNC with QEMU compiled in FIPS mode or it won't start. Signed-off-by: Attila-Mihaly Balazs --- qemu-doc.texi | 10 ++++++---- qemu-options.hx | 7 ++++++- ui/vnc.c | 51 ++++++++++++++++++++++++++++++++++----------------- 3 files changed, 46 insertions(+), 22 deletions(-)