On Wed, Mar 04, 2009 at 06:38:01AM -0500, Adam Tkac wrote:
On Wed, Mar 04, 2009 at 12:10:13PM +0000, Daniel P. Berrange wrote:
> Do you have any plans to implement the VeNCrypt extension in the
> server side? This is the TLS/SSL + x509 certificate extension we
> have standardized on for QEMU, Xen, KVM and GTK-VNC (used by
> virt-viewer, virt-manager and vinagre clients). I would also like
> to add it to the GNOME VINO, since VINO's own TLS extension is flawed
> by not using x509 credentials. That leaves TigerVNC without a good
> interoperable TLS extension, so it'd be desirable to implement VeNCrypt
> there so we have a consistent TLS extension that's interoperable
> across all the VNC clients & servers in Fedora.
Yes, we are interested in VeNCrypt extension and we think that this
is the best approach for encrypted sessions. There are some patches
based on gnutls so we can probably use them. Main reason why they are
still not in upstream is that we would like to use libnss instead of
gnutls. But we will use gnutls based patches before libnss based
support will be ready.
Btw could you point me if there is any documentation of VeNCrypt
instead of source code, please? ;)
Stewart Becker (who wrote VeNCrypt) sent a mail to qemu-devel outlining
the spec for it:
The only change since that time is that he allocated two more
sub-auth codes for layering the new SASL auth over VeNCrypt.
> Following on from that I also recently defined & implemented a
> VNC auth extension based on SASL. This provides for a good extendable
> authentication capability, most importantly including GSSAPI Kerberos
> for single sign on. I've got it implemented for QEMU, KVM, GTK-VNC and
> VINO already, so again it'd be good to plan for adding it to TigerVNC
> too so we have a widely interoperable strong authentication system.
I know about SASL authentication (I'm subscribed to vnc-list ;)).
But we haven't discussed it, yet.
Ok, I'm happy to help out and/or advise with this when the time comes.
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|