Your message dated Fri, 4 Jan 2019 00:13:50 +0100
with message-id <CABY6=0mHH_VvKUgL745rJozEgGun1Ofw=meeekcojnr-p2f...@mail.gmail.com>
and subject line Re: Bug#917904: tightvncserver does not ask for password set by vncpasswd
has caused the Debian Bug report #917904,
regarding tightvncserver does not ask for password set by vncpasswd
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
917904: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917904
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tightvncserver
Version: 1:1.3.9-9
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

I installed tightvncserver on my VPS machine via apt. This did set up
tightvncserver as an alternative for vncserver. Using a normal user account and
starting vncserver for the first time asks for an 8-letter password. My
assumption is this password will be used to authenticate users when connecting
to the vnc server.

After starting the vnc server via vncserver script, it is served on port 5901. 
On the client machine I use vinagre to connect to the server on port 5901. When
connecting, I am not asked for a password, but rather directly taken to the X
session. I would have expected the server to ask for the password I specified
earlier.

As a workaround, to ensure the integrity of the system, I set up iptable rules
to not allow direct WAN connections to this port, but only allow local
connections and use an SSH tunnel for connecting to the vnc server.


kind regards,
Christoph


-- System Information:
Debian Release: buster/sid
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'testing'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.17-xxxx-std-ipv6-64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages tightvncserver depends on:
ii  libc6            2.27-8
ii  libjpeg62-turbo  1:1.5.2-2+b1
ii  libx11-6         2:1.6.7-1
ii  libxext6         2:1.3.3-1+b2
ii  perl             5.28.0-3
ii  x11-common       1:7.7+19
ii  x11-utils        7.7+4
ii  xauth            1:1.0.10-1
ii  xserver-common   2:1.20.3-1
ii  zlib1g           1:1.2.11.dfsg-1

Versions of packages tightvncserver recommends:
ii  x11-xserver-utils  7.7+8
ii  xfonts-base        1:1.0.4+nmu1

Versions of packages tightvncserver suggests:
pn  tightvnc-java  <none>

-- no debconf information

--- End Message ---
--- Begin Message ---
Haha

No worry at all. I did not have the faintest clue it could be that. Thank
you. Bug closed with this email.

Cheers

/ Ola

Sent from a phone

On Thu, 3 Jan 2019 at 23:38, Jan Christoph Terasa <ter...@kohlio.de> wrote:

> Hi,
>
> I checked using another testing installation, and that asked for a
> password upon connecting. I realized the problem was that I have used the
> vinagre client in the past to connect to a VNC server on the same target
> machine, with the same password. So vinagre had the password still stored
> internally in the gnome keyring. After deleting the cached password I get
> the password prompt in vinagre.
>
> This is embarrassing. I'm very sorry for having wasted your time with this,
> this bug should be closed.
>
>
> have a nice evening,
> Christoph
>
> On 1/3/19 1:11 PM, Ola Lundqvist wrote:
>
> Hi
>
> You should have a log file in ~/.vnc
>
> I think the following configuration files are worth saving and checking:
> /etc/vnc.conf
> ~/.vncrc
> /etc/X11/xorg.conf (should only be for font stuff though)
>
> I think the $authType is of most importance. It should be
> $authType = "-rfbauth $vncUserDir/passwd";
>
> Also an output of "ps xa" can help as you will then know if -rfbauth has
> been added to the Xtightvncserver command or not run by tightvncserver
> script.
>
> // Ola
>
> On Wed, 2 Jan 2019 at 15:46, Christoph Terasa <christ...@kohlio.de> wrote:
>
>> Hi Ola,
>>
>> thank you for your answer. I checked:
>>
>> $ ls -l /etc/alternatives/vnc*
>> lrwxrwxrwx 1 root root 24 Jul 27  2017 /etc/alternatives/vncconnect ->
>> /usr/bin/tightvncconnect
>> lrwxrwxrwx 1 root root 40 Jul 27  2017 /etc/alternatives/vncconnect.1.gz
>> -> /usr/share/man/man1/tightvncconnect.1.gz
>> lrwxrwxrwx 1 root root 23 Jul 27  2017 /etc/alternatives/vncpasswd ->
>> /usr/bin/tightvncpasswd
>> lrwxrwxrwx 1 root root 39 Jul 27  2017 /etc/alternatives/vncpasswd.1.gz
>> -> /usr/share/man/man1/tightvncpasswd.1.gz
>> lrwxrwxrwx 1 root root 23 Jul 27  2017 /etc/alternatives/vncserver ->
>> /usr/bin/tightvncserver
>> lrwxrwxrwx 1 root root 39 Jul 27  2017 /etc/alternatives/vncserver.1.gz
>> -> /usr/share/man/man1/tightvncserver.1.gz
>>
>>
>> Before I will purge my configuration as well, I would try to keep my
>> system in its current state. Is there a way to get more debugging info
>> from tightvncserver, or a log file? The man page does not seem to mention
>> anything in that regard.
>>
>>
>> kind regards,
>> Christoph
>>
>>
>> On 1/2/19 1:26 AM, Ola Lundqvist wrote:
>>
>> Hi Jan
>>
>> Thank you for the report.
>> I have now tested this myself. I purged all vnc software installed,
>> installed tightvncserver, ran tightvncserver and then ran vncpasswd to set
>> a password.
>> I failed to reproduce the problem. I'm asked for a password.
>>
>> So the question is what you did differently. Can it be so that you have
>> some other vncpasswd software as an alternative and that happens to not be
>> updating the same things?
>>
>> Best regards
>>
>> // Ola
>>
>> On Mon, 31 Dec 2018 at 15:33, Jan Christoph Terasa <christ...@kohlio.de>
>> wrote:
>>
>>
>>
>> --
>>  --- Inguza Technology AB --- MSc in Information Technology ----
>> /  o...@inguza.com                    Folkebogatan 26            \
>> |  o...@debian.org                   654 68 KARLSTAD            |
>> |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
>> \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
>>  ---------------------------------------------------------------
>>
>>
>>
>

--- End Message ---
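
The thread ended with the server behaving correctly and the client replaying a cached password, which a client-side test cannot tell apart from a server started without `-rfbauth`. The added example below (not from the thread or from tightvncserver) reads the security type the server itself announces in an RFB 3.3 handshake as specified in RFC 6143; the function names, the default port taken from the report, and the sample bytes are assumptions constructed for illustration.

```python
import socket
import struct

# Security types an RFB 3.3 server can send (RFC 6143, section 7.1.2).
SECURITY_TYPES = {0: "invalid", 1: "none", 2: "vnc-auth"}


def parse_rfb33_handshake(data: bytes) -> dict:
    """Parse the server side of an RFB 3.3 handshake:
    a 12-byte version banner, then a big-endian u32 security type."""
    if len(data) < 16 or data[:4] != b"RFB " or data[11:12] != b"\n":
        raise ValueError("not an RFB server handshake")
    (sec,) = struct.unpack(">I", data[12:16])
    result = {
        "server_version": data[4:11].decode("ascii"),
        "security": SECURITY_TYPES.get(sec, f"unknown({sec})"),
        # Type 1 means the server grants the session without any password.
        "unauthenticated": sec == 1,
    }
    if sec == 0 and len(data) >= 20:  # failure: u32 length + reason text
        (n,) = struct.unpack(">I", data[16:20])
        result["reason"] = data[20:20 + n].decode("latin-1")
    return result


def probe(host: str, port: int = 5901, timeout: float = 5.0) -> dict:
    """Ask a VNC server which security type it enforces (no login attempted)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        banner = f.read(12)
        s.sendall(b"RFB 003.003\n")  # request 3.3 so the server picks the type
        tail = f.read(4)
        if tail == b"\x00\x00\x00\x00":  # rejected: read the reason string too
            length = f.read(4)
            tail += length + f.read(struct.unpack(">I", length)[0])
        return parse_rfb33_handshake(banner + tail)


# Constructed sample bytes (not captured from the reporter's machine).
SAMPLE_VNC_AUTH = b"RFB 003.008\n" + struct.pack(">I", 2)
SAMPLE_NO_AUTH = b"RFB 003.008\n" + struct.pack(">I", 1)

if __name__ == "__main__":
    for name, raw in [("vnc-auth", SAMPLE_VNC_AUTH), ("none", SAMPLE_NO_AUTH)]:
        print(name, parse_rfb33_handshake(raw))
```

Run `probe("127.0.0.1")` on the server itself or against the local end of the SSH tunnel; a result with `unauthenticated` set to `True` means the server really is handing out sessions without a password, whatever the client has cached.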