Bug 48106 - Only first 8 characters of VNC passwords are actually required
Only first 8 characters of VNC passwords are actually required
Product: UCS
Classification: Unclassified
Component: Virtualization - UVMM
UCS 4.3
Other Linux
: P4 normal (vote)
: UCS 4.3-2-errata
Assigned To: Johannes Keiser
Philipp Hahn
Depends on: 21227
  Show dependency treegraph
Reported: 2018-11-06 17:19 CET by Valentin Heidelberger
Modified: 2018-12-05 14:39 CET (History)
5 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.034
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
hahn: Patch_Available+


Note You need to log in before you can comment on or make changes to this bug.
Description Valentin Heidelberger univentionstaff 2018-11-06 17:19:44 CET
The VNC web password prompt in UVMM only checks the first 8 characters of a password. E.g. a VM has the VNC password "univention", it would be enough to type "univent" in the password prompt to get access.

Philipp correctly stated the following in the original bug:

> Quoting qemu-kvm/qemu-doc.texi:
>> The VNC protocol has limited support for password based authentication. Since
>> the protocol limits passwords to 8 characters it should not be considered to
>> provide high security. The password can be fairly easily brute-forced by a
>> client making repeat connections. For this reason, a VNC server using
>> password authentication should be restricted to only listen on the loopback
>> interface or UNIX domain sockets.

> QEMU supports authentication through SASL, which probably supports longer 
> passwords, but not all VNC viewers support that extension, especially noVNC
> does not.

See also: https://github.com/qemu/qemu/blob/master/qemu-doc.texi#L1077

I think the UVMM VNC viewer should be capable of longer passwords, if possible. I'd consider the possibility of breaking other VNC clients a known limitation. The user could get a warning pop-up, if they decide to use a password with more than 8 characters in the UMC.

+++ This bug was initially created as a clone of Bug #21227 +++

Berichtet an Ticket#: 2011011710013502

Im UVMM Modul der UMC kann für den Direktzugriff per VNC ein Passwort vergeben werden. Hier werden allerdings nur die ersten 8 Stellen ausgewertet. Wird ein längeres Passwort angegeben, reichen im VNC Viewer die ersten 8 Stellen zur Authentisierung aus.
Comment 2 Johannes Keiser univentionstaff 2018-11-28 16:08:52 CET
2866ac51eb Bug #48106: Move TextBoxMaxLengthChecker to univention-web
3986783803 Bug #48106: make TextBoxMaxLengthChecker usable through TextBox
fdd0b5894d Bug #48106: add max length warning for vnc_password
b9687f96b5 Bug #48106: fix missing import and wrong pagename
d69ce28120 Bug #48106: fix jshint errors
40faaa6fc0 Bug #48106: Debian changelog entries
4d3e85d6aa Bug #48106: YAML - add entries
ff6cbfcc07 Bug #48106: Merge branch 'jkeiser/4.3-2/48106' into 4.3-2
7b2a8fdccb Bug #48106: yaml wording
d750a77d39 Bug #48106: YAML - update version

Successful build
Package: univention-management-console-module-udm
Version: 8.0.5-27A~

Successful build
Package: univention-virtual-machine-manager-daemon
Version: 7.0.0-16A~

Successful build
Package: univention-web
Version: 2.0.0-30A~
Comment 3 Philipp Hahn univentionstaff 2018-11-28 17:17:19 CET
OK: UVMM VNC password
OK: UDM user add
OK: errata-announce -V --only univention-management-console-module-udm.yaml
OK: errata-announce -V --only univention-web.yaml
OK: errata-announce -V --only univention-virtual-machine-manager-daemon.yaml
OK: univention-virtual-machine-manager-daemon.yaml univention-web.yaml univention-management-console-module-udm.yaml