Univention Bugzilla – Bug 48106
Only first 8 characters of VNC passwords are actually required
Last modified: 2018-12-05 14:39:26 CET
The VNC web password prompt in UVMM only checks the first 8 characters of a password. E.g. if a VM has the VNC password "univention", it would be enough to type "univent" in the password prompt to get access.

Philipp correctly stated the following in the original bug:

> Quoting qemu-kvm/qemu-doc.texi:
>> The VNC protocol has limited support for password based authentication. Since
>> the protocol limits passwords to 8 characters it should not be considered to
>> provide high security. The password can be fairly easily brute-forced by a
>> client making repeat connections. For this reason, a VNC server using
>> password authentication should be restricted to only listen on the loopback
>> interface or UNIX domain sockets.
> QEMU supports authentication through SASL, which probably supports longer
> passwords, but not all VNC viewers support that extension, especially noVNC
> does not.

See also: https://github.com/qemu/qemu/blob/master/qemu-doc.texi#L1077

I think the UVMM VNC viewer should be capable of longer passwords, if possible. I'd consider the possibility of breaking other VNC clients a known limitation. The user could get a warning pop-up, if they decide to use a password with more than 8 characters in the UMC.

+++ This bug was initially created as a clone of Bug #21227 +++

Reported at Ticket#: 2011011710013502

In the UVMM module of the UMC, a password can be set for direct access via VNC. However, only the first 8 characters are evaluated. If a longer password is specified, the first 8 characters are sufficient for authentication in the VNC viewer.
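The 8-character limit quoted from the QEMU documentation comes from how RFB "VNC Authentication" uses the password as a DES key. The sketch below is an added example, not code from UVMM, noVNC or QEMU. It shows only the key derivation (the DES encryption of the server's 16-byte challenge is omitted); the function names are hypothetical and UTF-8 encoding of the password is an assumption.

```javascript
// Added example: password-to-key step of RFB "VNC Authentication".
// Function names are hypothetical; UTF-8 password encoding is an assumption.
const VNC_KEY_LENGTH = 8; // a DES key is 8 bytes, hence the protocol limit

// Reverse the bit order of one byte. VNC implementations load each
// password byte into the DES key with its bits mirrored.
function mirrorBits(byte) {
  let out = 0;
  for (let i = 0; i < 8; i++) {
    out = (out << 1) | ((byte >> i) & 1);
  }
  return out;
}

// Build the DES key the server and viewer both derive from the password:
// keep the first 8 bytes, pad shorter passwords with NUL, mirror each byte.
function vncDesKey(password) {
  const bytes = new TextEncoder().encode(password);
  const key = new Uint8Array(VNC_KEY_LENGTH); // zero-filled, i.e. NUL padding
  key.set(bytes.subarray(0, VNC_KEY_LENGTH));
  return Array.from(key, mirrorBits);
}

function keyHex(password) {
  return vncDesKey(password)
    .map((b) => b.toString(16).padStart(2, "0"))
    .join("");
}

// Number of trailing password bytes that never reach the key. A password
// form can warn when this is non-zero.
function ignoredByteCount(password) {
  const length = new TextEncoder().encode(password).length;
  return Math.max(0, length - VNC_KEY_LENGTH);
}

// Constructed sample passwords; "univention" is the one from the report.
for (const pw of ["univention", "univenti", "univention-with-a-long-suffix", "abc"]) {
  console.log(pw.padEnd(30), keyHex(pw), "ignored bytes:", ignoredByteCount(pw));
}
```

Because every byte after the eighth is dropped before the key is formed, a viewer cannot make longer passwords count under this authentication type; the form can only report how much of the input is unused.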
<https://git.knut.univention.de/univention/ucs/tree/phahn/48106-uvmm-vnc>
2866ac51eb Bug #48106: Move TextBoxMaxLengthChecker to univention-web
3986783803 Bug #48106: make TextBoxMaxLengthChecker usable through TextBox
fdd0b5894d Bug #48106: add max length warning for vnc_password
b9687f96b5 Bug #48106: fix missing import and wrong pagename
d69ce28120 Bug #48106: fix jshint errors
40faaa6fc0 Bug #48106: Debian changelog entries
4d3e85d6aa Bug #48106: YAML - add entries
ff6cbfcc07 Bug #48106: Merge branch 'jkeiser/4.3-2/48106' into 4.3-2
7b2a8fdccb Bug #48106: yaml wording
d750a77d39 Bug #48106: YAML - update version

Successful build
Package: univention-management-console-module-udm
Version: 8.0.5-27A~4.3.0.201811281558

Successful build
Package: univention-virtual-machine-manager-daemon
Version: 7.0.0-16A~4.3.0.201811281603

Successful build
Package: univention-web
Version: 2.0.0-30A~4.3.0.201811281600
OK: UVMM VNC password
OK: UDM user add
OK: errata-announce -V --only univention-management-console-module-udm.yaml
OK: errata-announce -V --only univention-web.yaml
OK: errata-announce -V --only univention-virtual-machine-manager-daemon.yaml
OK: univention-virtual-machine-manager-daemon.yaml univention-web.yaml univention-management-console-module-udm.yaml
<http://errata.software-univention.de/ucs/4.3/346.html>
<http://errata.software-univention.de/ucs/4.3/347.html>
<http://errata.software-univention.de/ucs/4.3/351.html>