severity 335439 wishlist
tags 335439 + security
thanks

On Mon, Oct 24, 2005 at 02:11:21AM +0100, Steve Kemp wrote:
> On Sun, Oct 23, 2005 at 08:19:35PM -0400, Collin E Borrlewyn wrote:
>
> > vncserver lets me in without supplying the full password.
> >
> > To reproduce this:
> > start vncserver: vncserver :1
> > when prompted enter a password of eight or more characters
> > start xvncviewer and connect to :1
> > when prompted enter the first eight characters of the password and hit enter
> > You have been authenticated.
>
> This appears to be a known weakness in VNC, for which I can find
> references going back to 1999.
Yes, it is very well known and will not be fixed by upstream, as they sell another product (for money) with enhanced security.

> e.g.
>
> http://www.realvnc.com/pipermail/vnc-list/1999-November/010853.html
>
> The source documents this:
>
> vnc-3.3.7/vncpasswd/vncpasswd.c
>
> "Always ignore anything after 8 characters, since this is what Solaris
> getpass() does anyway."
>
> As does "man vncpasswd":
>
> "The password must be at least six characters long, and only the first eight
> characters are significant"
>
> Perhaps a more prominent warning is required, but I consider it unlikely
> that this will be fixed if upstream is content with the current state....

Maybe. Or that someone provides me a patch with this fixed. On the other hand, it will not be fixed upstream and we will deviate (once more) from it.

Thanks for your prompt answer.

Regards,

// Ola

> Steve
> --

-- 
 --------------------- Ola Lundqvist ---------------------------
/  [EMAIL PROTECTED]                    Annebergsslingan 37       \
|  [EMAIL PROTECTED]                    654 65 KARLSTAD           |
|  +46 (0)54-10 14 30                 +46 (0)70-332 1551         |
|  http://www.opal.dhs.org            UIN/icq: 4912500           |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------
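The eight-character truncation the thread describes, modelled as an added example (this is not code from vncpasswd or the Debian package). It shows why the reproduction above works (the password is cut to eight characters both when stored and when checked) and adds a pre-set check an administrator could use to flag passwords whose extra characters would be silently discarded. SHA-256 is an assumption standing in for the tool's real obfuscation; only the truncation is taken from the page.

```python
import hashlib
import hmac
from typing import Optional

# vnc-3.3.7/vncpasswd/vncpasswd.c: "Always ignore anything after 8 characters"
VNC_SIGNIFICANT_CHARS = 8
# "man vncpasswd": the password must be at least six characters long
VNC_MIN_CHARS = 6


def vnc_significant(password: str) -> str:
    """The part of the password that VNC actually uses."""
    return password[:VNC_SIGNIFICANT_CHARS]


def store_password(password: str) -> bytes:
    """Model of what vncpasswd writes to ~/.vnc/passwd.

    Assumption: a SHA-256 digest stands in for the real obfuscation;
    the point is that the input is truncated before anything is stored.
    """
    return hashlib.sha256(vnc_significant(password).encode()).digest()


def server_accepts(stored: bytes, attempt: str) -> bool:
    """Model of the server-side check: truncate the attempt, then compare."""
    candidate = hashlib.sha256(vnc_significant(attempt).encode()).digest()
    return hmac.compare_digest(stored, candidate)


def truncation_warning(password: str) -> Optional[str]:
    """Pre-set check: warn when characters would be ignored or when the
    password is shorter than the documented minimum. Returns None if OK."""
    if len(password) < VNC_MIN_CHARS:
        return f"password has {len(password)} characters, minimum is {VNC_MIN_CHARS}"
    if len(password) > VNC_SIGNIFICANT_CHARS:
        ignored = len(password) - VNC_SIGNIFICANT_CHARS
        return (f"only the first {VNC_SIGNIFICANT_CHARS} of {len(password)} "
                f"characters are significant; {ignored} will be ignored")
    return None


if __name__ == "__main__":
    # Constructed sample: a 19-character password set with vncserver.
    stored = store_password("correcthorsebattery")
    # Reproduction from the report: the first eight characters suffice.
    print(server_accepts(stored, "correcth"))            # True
    print(truncation_warning("correcthorsebattery"))
```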