Secure authentication with TigerVNC


valh...@tutanota.com

Jun 27, 2017, 10:00:55 AM
to tigervn...@googlegroups.com
I am wanting to have a way to remotely access multiple computers; VNC seems like the only open-source choice. And TigerVNC seems to be the best choice due to being cross-platform.

The issue, though, is that VNC by default is horrid on security, with only short passwords and no encryption. Seems like in VNC, security is really a very small afterthought.

On TigerVNC project website it states "TigerVNC also provides extensions for advanced authentication methods and TLS encryption."

Where can I find these extensions and details on them?

Ben Hildred

Jun 27, 2017, 10:04:44 PM
to valh...@tutanota.com, TigerVNC User Discussion/Support
On Tue, Jun 27, 2017 at 8:00 AM, <valh...@tutanota.com> wrote:
> I am wanting to have a way to remotely access multiple computers; VNC seems like the only open-source choice. And TigerVNC seems to be the best choice due to being cross-platform.
>
> The issue, though, is that VNC by default is horrid on security, with only short passwords and no encryption. Seems like in VNC, security is really a very small afterthought.

Yup, I always thought the vncpassword protocol was the perfect example of how not to do it. Unfortunately, if you want to guarantee compatibility you have either it or none, and I think none is slightly more secure because you know it is insecure instead of thinking you have some security and being wrong.

> On TigerVNC project website it states "TigerVNC also provides extensions for advanced authentication methods and TLS encryption."
>
> Where can I find these extensions and details on them?

Yes, and on the client side nothing special is needed other than a compatible viewer, which of course TigerVNC's viewer is. The man pages should get you started. Server side is a touch more complicated in that you have to configure the security, and of course it does not work with other viewers or servers that do not have the same features. TigerVNC does not have a plugin architecture. The only plugins are the standard PAM modules for use with the password authentication types. For information on them, any PAM tutorial will get you started. Suggested search strings are "Pluggable authentication modules", "Linux PAM", and "Configuring PAM in <your favorite distro>". The last is particularly useful, as many distros have simplified PAM configuration you might want to take advantage of.

--
Ben Hildred
Automation Support Services

valh...@tutanota.com

Jun 30, 2017, 12:29:17 PM
to Ben Hildred, Tigervnc Users


 
>> On TigerVNC project website it states "TigerVNC also provides extensions for advanced authentication methods and TLS encryption."
>>
>> Where can I find these extensions and details on them?
>
> Yes, and on the client side nothing special is needed other than a compatible viewer, which of course TigerVNC's viewer is. The man pages should get you started. Server side is a touch more complicated in that you have to configure the security, and of course it does not work with other viewers or servers that do not have the same features. TigerVNC does not have a plugin architecture. The only plugins are the standard PAM modules for use with the password authentication types. For information on them, any PAM tutorial will get you started. Suggested search strings are "Pluggable authentication modules", "Linux PAM", and "Configuring PAM in <your favorite distro>". The last is particularly useful, as many distros have simplified PAM configuration you might want to take advantage of



So TigerVNC supports PAM?
I am not sure if there is PAM support in Windows though?
Even then, PAM would only cover authentication, not VNC session encryption, right?


I believe there is a version of OpenSSH available for Windows.
https://github.com/PowerShell/Win32-OpenSSH
I am thinking about using OpenSSH for its great authentication and encryption, then just simply binding VNC to the local OpenSSH service so I can have both public key authentication and encryption for cross-platform support. Thoughts on this?
I know I have a lot of questions, but any questions answered and previously answered are much appreciated.

Ben Hildred

Jun 30, 2017, 6:08:50 PM
to valh...@tutanota.com, Tigervnc Users
On Fri, Jun 30, 2017 at 10:29 AM, <valh...@tutanota.com> wrote:


 
>>> On TigerVNC project website it states "TigerVNC also provides extensions for advanced authentication methods and TLS encryption."
>>>
>>> Where can I find these extensions and details on them?
>>
>> Yes, and on the client side nothing special is needed other than a compatible viewer, which of course TigerVNC's viewer is. The man pages should get you started. Server side is a touch more complicated in that you have to configure the security, and of course it does not work with other viewers or servers that do not have the same features. TigerVNC does not have a plugin architecture. The only plugins are the standard PAM modules for use with the password authentication types. For information on them, any PAM tutorial will get you started. Suggested search strings are "Pluggable authentication modules", "Linux PAM", and "Configuring PAM in <your favorite distro>". The last is particularly useful, as many distros have simplified PAM configuration you might want to take advantage of



> So TigerVNC supports PAM?

The Linux/Unix server does. The client does not, but who cares.

> I am not sure if there is PAM support in Windows though?

Mostly no (although there was a GINA module that supported PAM, but that is an entirely different kettle of fish); however, it is theoretically possible for the Windows server to support plain authentication, but that has not been written yet (AFAIK).

> Even then, PAM would only cover authentication, not VNC session encryption, right?

Righto! That is why there is TLS. To use, there are several TLS variants, including tlsplain, which normally uses PAM. There are also tlsnone and tlsvnc, which use no password and the VNC password respectively; there are also variants that require signed server certificates.

> I believe there is a version of OpenSSH available for Windows.
> https://github.com/PowerShell/Win32-OpenSSH

This version is a mite touchy to install on some versions of Windows. If you hit problems, the Cygwin version is also available.

> I am thinking about using OpenSSH for its great authentication and encryption, then just simply binding VNC to the local OpenSSH service so I can have both public key authentication and encryption for cross-platform support. Thoughts on this?

This is a common solution and there are gobs of tutorials on how to do this using SSH port forwarding. Mind you that port forwarding is more complicated than some users can handle. It is theoretically possible to do without port forwarding, but when you try to explain that, it confuses people.

> I know I have a lot of questions, but any questions answered and previously answered are much appreciated.

jerry...@gmail.com

Jul 17, 2017, 4:34:59 AM
to TigerVNC User Discussion/Support, valh...@tutanota.com
On Tuesday, June 27, 2017 at 10:00:55 PM UTC+8, valh...@tutanota.com wrote:
You can check the "-SecurityTypes" parameter of Xvnc, http://tigervnc.org/doc/Xvnc.html .

And check the man page of Xvnc to use "VeNCrypt" in SecurityTypes to enable TLS.
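The following is an added example, not part of any post in this thread and not TigerVNC project code. It reads an Xvnc command line and grades each offered `SecurityTypes` value, treating `-localhost` as the SSH port-forwarding setup discussed above. The type names and `-localhost` are Xvnc parameters; the verdict wording, the choice to fail an unset `SecurityTypes`, and the sample command lines are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not TigerVNC project code; verdicts and samples are constructed.

# Print "<transport> <auth>" for one SecurityTypes name (case-insensitive).
sectype_props() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        none)      echo "clear none" ;;
        vncauth)   echo "clear vncpasswd" ;;
        plain)     echo "clear userpass" ;;
        tlsnone)   echo "anontls none" ;;
        tlsvnc)    echo "anontls vncpasswd" ;;
        tlsplain)  echo "anontls userpass" ;;
        x509none)  echo "x509 none" ;;
        x509vnc)   echo "x509 vncpasswd" ;;
        x509plain) echo "x509 userpass" ;;
        *)         echo "unknown unknown" ;;
    esac
}

# audit_xvnc ARG...: print one verdict per offered type; return 1 on any FAIL.
audit_xvnc() {
    types="" localhost=no prev="" rc=0
    for arg in "$@"; do
        key=$(printf '%s' "$arg" | tr '[:upper:]' '[:lower:]' | sed 's/^-*//')
        case "$key" in
            securitytypes=*)       types=${arg#*=} ;;
            localhost|localhost=1) localhost=yes ;;
        esac
        if [ "$prev" = securitytypes ]; then types=$arg; fi
        prev=$key
    done
    [ -n "$types" ] || { echo "SecurityTypes: FAIL not set, server default applies"; return 1; }
    for t in $(printf '%s' "$types" | tr ',' ' '); do
        props=$(sectype_props "$t"); enc=${props% *}; auth=${props#* }
        if   [ "$enc" = unknown ];   then v="FAIL unrecognised type"
        elif [ "$localhost" = yes ] && [ "$auth" = none ]; then v="WARN any local user can connect"
        elif [ "$localhost" = yes ]; then v="OK loopback only, reach it over an SSH forward"
        elif [ "$auth" = none ];     then v="FAIL no authentication"
        elif [ "$enc" = clear ];     then v="FAIL session crosses the network unencrypted"
        elif [ "$enc" = anontls ];   then v="WARN encrypted, server identity not verified"
        else                              v="OK TLS with a server certificate"
        fi
        case "$v" in FAIL*) rc=1 ;; esac
        echo "$t: $v"
    done
    return "$rc"
}

audit_xvnc Xvnc :1 -SecurityTypes TLSVnc,VncAuth || echo "=> weak configuration"
audit_xvnc Xvnc :1 -localhost -SecurityTypes VncAuth
```

The `TLS*` types are graded WARN because they encrypt without a server certificate, while the `X509*` types are the certificate-based variants mentioned in the thread.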