[PATCH 4/4] bhyve: add VNC password support
Fabian Freyer
fabian.freyer at physik.tu-berlin.de
Wed May 6 14:02:04 UTC 2020
On 6 May 2020, at 15:41, Daniel P. Berrangé wrote:
> On Linux at least, providing passwords on the command line is
> considered
> a security flaw, because any user can see the command line args of any
> other process on the host.
Agreed. The only reason bhyve supports this is to support VNC clients
that don’t support password-less authentication. Since it doesn’t
have any configuration file, and stdin may be used by the client, I’m
unsure what the alternative would be.
> If CLI args of processes are similarly visible to other users on
> FreeBSD,
> then this VNC password would be a security flaw.
They are by default, however FreeBSD does have a sysctl that disallows
seeing other user’s processes. Since a few versions, users can easily
configure this sysctl in the FreeBSD installer.
> Of course VNC password auth scheme itself is a security flaw since it
> is
> using Single-DES :-)
The bhyve(8) man page states that too:
> This type of authentication is known to be cryptographically weak and
> is
> not intended for use on untrusted networks. Many implementations will
> want
> to use stronger security, such as running the session over an
> encrypted
> channel provided by IPsec or SSH.
(On a side note, it seems that Single-DES got even more broken recently:
https://eprint.iacr.org/2020/523)
I guess this is something that should probably also be added to that man
page.
Should we add a comment about this as well as the password being visible
to the docs on libvirt’s side?
More information about the libvir-list
mailing list