Hi Ola,
thank you for your answer. I checked:
$ ls -l /etc/alternatives/vnc*
lrwxrwxrwx 1 root root 24 Jul 27  2017 /etc/alternatives/vncconnect -> /usr/bin/tightvncconnect
lrwxrwxrwx 1 root root 40 Jul 27  2017 /etc/alternatives/vncconnect.1.gz -> /usr/share/man/man1/tightvncconnect.1.gz
lrwxrwxrwx 1 root root 23 Jul 27  2017 /etc/alternatives/vncpasswd -> /usr/bin/tightvncpasswd
lrwxrwxrwx 1 root root 39 Jul 27  2017 /etc/alternatives/vncpasswd.1.gz -> /usr/share/man/man1/tightvncpasswd.1.gz
lrwxrwxrwx 1 root root 23 Jul 27  2017 /etc/alternatives/vncserver -> /usr/bin/tightvncserver
lrwxrwxrwx 1 root root 39 Jul 27  2017 /etc/alternatives/vncserver.1.gz -> /usr/share/man/man1/tightvncserver.1.gz
Before I purge my configuration as well, I would like to keep my
system in its current state. Is there a way to get more debugging info
from tightvncserver, or a log file? The man page does not seem to
mention anything in that regard.
kind regards,
Christoph
On 1/2/19 1:26 AM, Ola Lundqvist wrote:
Hi Jan
Thank you for the report.
I have now tested this myself. I purged all VNC software installed,
installed tightvncserver, ran tightvncserver and then ran vncpasswd to
set a password.
I failed to reproduce the problem. I'm asked for a password.
So the question is what you did differently. Can it be that you
have some other vncpasswd software as an alternative, and that it happens
not to be updating the same things?
Best regards
// Ola
On Mon, 31 Dec 2018 at 15:33, Jan Christoph Terasa <christ...@kohlio.de> wrote:
Package: tightvncserver
Version: 1:1.3.9-9
Severity: grave
Tags: security
Justification: user security hole
Dear Maintainer,
I installed tightvncserver on my VPS machine via apt. This did set up
tightvncserver as an alternative for vncserver. Using a normal user account
and starting vncserver for the first time asks for an 8-letter password. My
assumption is that this password will be used to authenticate users when
connecting to the VNC server.
After starting the VNC server via the vncserver script, it is served on
port 5901. On the client machine I use vinagre to connect to the server on
port 5901. When connecting, I am not asked for a password, but rather
directly taken to the X session. I would have expected the server to ask
for the password I specified earlier.
As a workaround, to ensure the integrity of the system, I set up iptables
rules to not allow direct WAN connections to this port, but only allow
local connections, and use an SSH tunnel for connecting to the VNC server.
kind regards,
Christoph
-- System Information:
Debian Release: buster/sid
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'testing'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.14.17-xxxx-std-ipv6-64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
Versions of packages tightvncserver depends on:
ii libc6 2.27-8
ii libjpeg62-turbo 1:1.5.2-2+b1
ii libx11-6 2:1.6.7-1
ii libxext6 2:1.3.3-1+b2
ii perl 5.28.0-3
ii x11-common 1:7.7+19
ii x11-utils 7.7+4
ii xauth 1:1.0.10-1
ii xserver-common 2:1.20.3-1
ii zlib1g 1:1.2.11.dfsg-1
Versions of packages tightvncserver recommends:
ii x11-xserver-utils 7.7+8
ii xfonts-base 1:1.0.4+nmu1
Versions of packages tightvncserver suggests:
pn tightvnc-java <none>
-- no debconf information
--
--- Inguza Technology AB --- MSc in Information Technology ----
/ o...@inguza.com                        Folkebogatan 26        \
| o...@debian.org                        654 68 KARLSTAD        |
| http://inguza.com/            Mobile: +46 (0)70-332 1551     |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------
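The quickest way to settle what the thread is arguing about (did vncpasswd configure the server, or is the server offering no authentication at all) is to look at the RFB handshake itself rather than at a client's behaviour: right after the version exchange the server announces which security types it accepts, and a server that lists type 1 ("None") will admit vinagre without any password prompt. The probe below is an added example, not code from the bug report, from Debian or from TightVNC. It speaks only the RFB version and security-type negotiation, never sends credentials, and ships with a constructed localhost mock server so it runs offline; the host, port and mock are assumptions for illustration, and on the reporter's VPS one would point probe() at 127.0.0.1:5901.

```python
"""Probe a VNC (RFB) server and report which security types it offers.

Added example for the tightvncserver thread above, not code from the report or
from TightVNC.  A server that offers security type 1 ("None") admits clients
with no password prompt, the symptom described above.  Only the version and
security-type handshake runs; no credentials are sent.  The mock server is a
constructed stand-in so the script works offline.
"""
import socket
import struct
import threading

# Security type numbers as assigned in the RFB protocol specification.
SECURITY_TYPE_NAMES = {1: "None", 2: "VNC Authentication", 16: "Tight", 19: "VeNCrypt"}

def recv_exact(sock, n):
    """Read exactly n bytes or raise ConnectionError."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during RFB handshake")
        buf += chunk
    return buf

def read_reason(sock):
    """Read the u32-length-prefixed reason string sent with a refused connection."""
    (length,) = struct.unpack(">I", recv_exact(sock, 4))
    return recv_exact(sock, length).decode("utf-8", "replace")

def negotiate(sock):
    """Run the RFB version exchange; return {"version", "types", "reason"}."""
    server_version = recv_exact(sock, 12)
    if not server_version.startswith(b"RFB "):
        raise ValueError("not an RFB server: %r" % server_version)
    major, minor = int(server_version[4:7]), int(server_version[8:11])
    # Answer with the highest 3.x version we speak, never above the server's.
    client_minor = min(minor, 8) if major == 3 else 3
    sock.sendall(b"RFB 003.%03d\n" % client_minor)
    result = {"version": server_version.strip().decode(), "types": [], "reason": None}
    if client_minor >= 7:
        # RFB 3.7+: u8 count, then that many type bytes; a count of 0 means refused.
        count = recv_exact(sock, 1)[0]
        if count == 0:
            result["reason"] = read_reason(sock)
        else:
            result["types"] = list(recv_exact(sock, count))
    else:
        # RFB 3.3: the server dictates one type as a big-endian u32; 0 means refused.
        (single,) = struct.unpack(">I", recv_exact(sock, 4))
        if single == 0:
            result["reason"] = read_reason(sock)
        else:
            result["types"] = [single]
    return result

def assess(types):
    """Return (requires_auth, message) for an offered security-type list."""
    names = ", ".join("%d (%s)" % (t, SECURITY_TYPE_NAMES.get(t, "unknown")) for t in types)
    if not types:
        return True, "server refused the connection; no security types offered"
    if 1 in types:
        return False, "UNAUTHENTICATED: type 1 (None) is offered; all offered: " + names
    return True, "authentication required; offered: " + names

def probe(host, port, timeout=5.0):
    """Connect to host:port and return the negotiate() result."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return negotiate(sock)

def start_mock_server(types, version=b"RFB 003.008\n"):
    """Constructed stand-in VNC server: serves one handshake on localhost, returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    minor = int(version[8:11])

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(version)
            recv_exact(conn, 12)  # the client's version reply
            if minor >= 7:
                conn.sendall(bytes([len(types)]) + bytes(types))
            else:
                conn.sendall(struct.pack(">I", types[0]))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    # Offline demonstration: only "None" (the reported symptom), VNC auth only, and both.
    for offered in ([1], [2], [1, 2]):
        port = start_mock_server(offered)
        print("127.0.0.1:%d -> %s" % (port, assess(probe("127.0.0.1", port)["types"])[1]))
```

Run against the real server from the VPS itself (`probe("127.0.0.1", 5901)`) or from the client through the SSH tunnel described in the report; the tunnel protects the transport but does not change what the server offers, so the probe shows whether the reported behaviour is a server-side lack of authentication regardless of how the port is reached. A list containing type 1 is the bug the report describes; a list of only type 2 (or the Tight type 16 from a TightVNC build) means the password set by vncpasswd is in force.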