On Sun, Oct 23, 2005 at 08:19:35PM -0400, Collin E Borrlewyn wrote:
> vncserver lets me in without supplying the full password.
>
> To reproduce this:
> start vncserver: vncserver :1
> when prompted enter a password of eight or more characters
> start xvncviewer and connect to :1
> when prompted enter the first eight characters of the password and hit enter
> You have been authenticated.

This appears to be a known weakness in VNC, for which I can find
references going back to 1999, e.g.
http://www.realvnc.com/pipermail/vnc-list/1999-November/010853.html

The source documents this:

vnc-3.3.7/vncpasswd/vncpasswd.c
"Always ignore anything after 8 characters, since this is what Solaris
getpass() does anyway."

As does "man vncpasswd":

"The password must be at least six characters long, and only the first eight
characters are significant"

Perhaps a more prominent warning is required, but I consider it unlikely
that this will be fixed if upstream is content with the current state....

Steve
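
One shape the "more prominent warning" mentioned above could take, as an added example that is not code from VNC or from anyone in this thread: a check that reports truncation when a password is set instead of applying it silently. The limits of six and eight come from the man page text quoted in the message; every macro and function name here is hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Limits as quoted from "man vncpasswd" in the thread; names are hypothetical. */
#define PW_MIN_LEN     6
#define PW_SIGNIFICANT 8

enum pw_status { PW_OK, PW_TOO_SHORT, PW_TRUNCATED };

/* Copy the part of the typed password that is actually significant. */
void pw_effective(const char *typed, char out[PW_SIGNIFICANT + 1])
{
    snprintf(out, PW_SIGNIFICANT + 1, "%.*s", PW_SIGNIFICANT, typed);
}

/* Classify a candidate password and report how many characters are ignored. */
enum pw_status pw_check(const char *typed, size_t *ignored)
{
    size_t n = strlen(typed);
    *ignored = n > PW_SIGNIFICANT ? n - PW_SIGNIFICANT : 0;
    if (n < PW_MIN_LEN)
        return PW_TOO_SHORT;
    return *ignored ? PW_TRUNCATED : PW_OK;
}

/* Non-zero when two passwords authenticate identically (same first eight). */
int pw_equivalent(const char *a, const char *b)
{
    return strncmp(a, b, PW_SIGNIFICANT) == 0;
}

int main(void)
{
    /* Constructed sample passwords, not taken from the thread. */
    const char *samples[] = { "abc", "s3cret!", "correcthorse" };
    static const char *label[] = { "ok", "too short", "TRUNCATED" };
    char eff[PW_SIGNIFICANT + 1];
    size_t ignored;

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum pw_status st = pw_check(samples[i], &ignored);
        pw_effective(samples[i], eff);
        printf("%-14s %-10s effective=\"%s\" ignored=%zu\n",
               samples[i], label[st], eff, ignored);
    }
    printf("\"correcthorse\" == \"correcthXYZ\"? %s\n",
           pw_equivalent("correcthorse", "correcthXYZ") ? "yes" : "no");
    return 0;
}
```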