[PATCH 4/4] bhyve: add VNC password support

Fabian Freyer fabian.freyer at physik.tu-berlin.de
Wed May 6 14:02:04 UTC 2020


On 6 May 2020, at 15:41, Daniel P. Berrangé wrote:
> On Linux at least, providing passwords on the command line is considered
> a security flaw, because any user can see the command line args of any
> other process on the host.

Agreed. The only reason bhyve supports this is to support VNC clients 
that don’t support password-less authentication. Since it doesn’t 
have any configuration file, and stdin may be used by the client, I’m 
unsure what the alternative would be.

> If CLI args of processes are similarly visible to other users on FreeBSD,
> then this VNC password would be a security flaw.

They are by default, however FreeBSD does have a sysctl that disallows 
seeing other users’ processes. Since a few versions, users can easily 
configure this sysctl in the FreeBSD installer.

> Of course VNC password auth scheme itself is a security flaw since it is
> using Single-DES :-)

The bhyve(8) man page states that too:

> This type of authentication is known to be cryptographically weak and is
> not intended for use on untrusted networks.  Many implementations will want
> to use stronger security, such as running the session over an encrypted
> channel provided by IPsec or SSH.

(On a side note, it seems that Single-DES got even more broken recently: 
https://eprint.iacr.org/2020/523)

I guess this is something that should probably also be added to that man 
page.
Should we add a comment about this as well as the password being visible 
to the docs on libvirt’s side?
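
The exposure discussed in this message, as an added audit example that is not part of the original mail or of the bhyve or libvirt code: it scans process-listing output for bhyve framebuffer devices that carry a VNC password in argv and reports who can read it. The `password=` option of the `fbuf` device is taken from bhyve(8), the sysctl name `security.bsd.see_other_uids` is an assumption (the message does not name the sysctl), and the function names and `ps` sample are constructed.

```python
# Constructed `ps -axww -o pid,user,command` output; not taken from the thread.
SAMPLE_PS = """\
  PID USER  COMMAND
  812 root  bhyve -c 2 -m 2G -s 0,hostbridge -s 29,fbuf,rfb=0.0.0.0:5900,password=correcthorse -s 31,lpc vm0
  977 root  /usr/sbin/bhyve -c 1 -m 1G -s 0,hostbridge -s 29,fbuf,rfb=127.0.0.1:5901,wait vm1
 1204 alice vim password=notes.txt
"""

def exposed_vnc_passwords(ps_output):
    """Return one finding per bhyve fbuf device whose argv carries password=."""
    findings = []
    for line in ps_output.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, command = parts
        argv = command.split()                       # ps joins argv with spaces
        if argv[0].rsplit("/", 1)[-1] != "bhyve":
            continue
        for flag, value in zip(argv, argv[1:]):
            fields = value.split(",")                # slot,emulation,opt[,opt...]
            if flag != "-s" or len(fields) < 3 or fields[1] != "fbuf":
                continue
            for opt in fields[2:]:
                key, _, secret = opt.partition("=")
                if key == "password" and secret:
                    findings.append({
                        "pid": int(pid), "user": user, "slot": fields[0],
                        # Report lengths only, never the secret itself.
                        "length": len(secret),
                        # VNC authentication uses the first 8 bytes as the DES key.
                        "effective_length": min(len(secret), 8),
                    })
    return findings

def audience(see_other_uids):
    """Who can read that argv, given the security.bsd.see_other_uids value."""
    return "any local user" if int(see_other_uids) != 0 else "root and the owning user"

if __name__ == "__main__":
    for f in exposed_vnc_passwords(SAMPLE_PS):
        print(f, "readable by:", audience(1))
```
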




