[geeks] Back to Windowmaker on Solaris

jodys at helluin.org jodys at helluin.org
Fri Jul 19 15:32:03 CDT 2002


On Wed, Jul 17, 2002 at 11:09:32PM -0400, Michael Schiller wrote:
> 
> Ok, I know this is probably a silly question, but here goes:
> 
> My U30 is currently headless (and has been for a while), but has my
> SunPCi card in it. I've been using VNC to run the sunpci software (as
> per a suggestion by one of the list members, thanks), but was wondering,
> if I was to start Xvnc by adding a line in /etc/dt/config/Xservers like
> this:
>  :1 Local local_uid@none nobody /usr/local/bin/Xvnc :1 -geometry 1024x768 -depth 24
> 
> Are there any security issues I should be aware of? I know that this
> goes around vnc's passwd mechanism, but as it runs dtlogin the system
> isn't insecure, or is it? Also, as this machine is headless, can I
> comment out the :0 entry, or is this not really needed?

Well, dtlogin only authenticates the X session, not the VNC session.
So once the vnc server is started, any client can access it (unless
you have the vnc auth stuff set up). So, IIRC, once you're logged in, 
anyone could "steal" your session just by pointing a client at it.
I think that vnc has several options to deal with this, and I think
you can get Xvnc to use vnc passwords (which would mean two passwords
to log in). 

	Pulling up docs... boy it's not terribly clear. You can
tell Xvnc to use the rfb auth stuff (-rfbauth), I think you would 
use vncpasswd as root to set a passwd for the VNC session (as the
session is started by root). You would point a client at it, then
authenticate yourself to VNC. Then you would authenticate yourself
to X (via dtlogin). Some other options to look at, -nevershared and
-dontdisconnect. And yeah, you can remove the :0 entry if it is
headless, save some memory.

Another option is to,
	a) set up dtlogin to accept xdmcp (or whatever sun calls it)
	 queries (used for xterminals). Not sure how this is done.
	b) set up Xvnc to launch from inetd, and to -query the host 
	 name of the U30. 

This would set it up so that anyone trying to access the VNC server
port would get a dtlogin screen, instead of getting your session. 
Additionally you can use tcpd, or whatever you want to restrict
connections by ip address.

see http://www.dei.isep.ipp.pt/~andre/extern/ixvnc.htm for more info.

Personally I would lean towards the second option as it would allow
you to log in multiple times as different users, or if you're feeling
sinister, providing X sessions on your machine to people around
the world (Go VNC!).

Jody
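
An added example, not part of the original message: a small Python check that reads an Xservers or inetd.conf line and flags the Xvnc setups discussed in this thread (a persistent session without -rfbauth or -nevershared, or an inetd entry not wrapped by tcpd). The sample lines are constructed; the password file path /etc/vnc/passwd, the tcpd path and the service name "vnc" are placeholders.

```python
import shlex

# Constructed sample lines (not from a real host). The first is the entry from
# the question; /etc/vnc/passwd and the service name "vnc" are placeholders.
SAMPLES = {
    "xservers_plain": ":1 Local local_uid@none nobody /usr/local/bin/Xvnc :1 -geometry 1024x768 -depth 24",
    "xservers_auth": ":1 Local local_uid@none root /usr/local/bin/Xvnc :1 -rfbauth /etc/vnc/passwd -nevershared",
    "inetd_bare": "vnc stream tcp nowait nobody /usr/local/bin/Xvnc Xvnc -inetd -query localhost -once",
    "inetd_tcpd": "vnc stream tcp nowait nobody /usr/sbin/tcpd /usr/local/bin/Xvnc -inetd -query localhost -once",
}


def basename(tok):
    return tok.rsplit("/", 1)[-1]


def audit(line):
    """Return findings for one Xservers or inetd.conf line; [] if clean or no Xvnc."""
    tokens = shlex.split(line, comments=True)  # drops '#' comments
    names = [basename(t) for t in tokens]
    if "Xvnc" not in names:
        return []
    args = tokens[names.index("Xvnc") + 1:]
    findings = []
    if "-inetd" in args and "-query" in args:
        # Each connection gets its own dtlogin greeter, so there is no running
        # session to take over; what remains is who may reach the port at all.
        if "tcpd" not in names:
            findings.append("inetd entry not wrapped by tcpd: no restriction by client address")
        return findings
    if "-rfbauth" not in args:
        findings.append("no -rfbauth: any client can attach to the logged-in session")
    else:
        nxt = args[args.index("-rfbauth") + 1:][:1]
        if not nxt or nxt[0].startswith("-"):
            findings.append("-rfbauth has no password file argument")
    if "-nevershared" not in args:
        findings.append("no -nevershared: a client asking for a shared connection joins the session")
    return findings


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, audit(line) or "ok")
```
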


