In the interest of thoroughness, here is a summary of how the relevant features are supposed to work:
- If a TurboVNC session is started automatically via the Session Manager, then the Session Manager secures the session by default and enables only OTP authentication (by passing '-securitytypes otp' to /opt/TurboVNC/bin/vncserver via SSH). In that case, you can't use VNC password authentication with the session. However, you can generate new full-control and view-only OTPs for collaboration purposes by running
/opt/TurboVNC/bin/vncpasswd [-display {TurboVNC_session_X11_display}] -o [-v]
- If a TurboVNC session is started manually via an SSH shell, then all allowed [*] security types should be enabled except for None. Such sessions should work with either Session Manager-generated OTPs or VNC passwords.
[*] allowed in /etc/turbovncserver-security.conf
- If you set SessMgrAuto=0 in the TurboVNC Viewer, then any new sessions created by the TurboVNC Session Manager will have all allowed security types enabled as well. However, that doesn't change the security types of existing TurboVNC sessions.
- From the viewer's point of view, the Session Manager does the following when SessMgrAuto=1 (the default):
  * It passes '-securitytypes otp' to /opt/TurboVNC/bin/vncserver when starting new sessions.
  * It sets SecurityTypes=OTP Tunnel=1 when connecting to sessions.
  * It generates a new OTP for the session and passes it to the viewer through the SSH channel when connecting.
To use marketing buzzwords, that is a single-sign-on (SSO) secure-by-default solution. Disabling SessMgrAuto allows you to use the Session Manager but to control SSH tunneling, encryption, and authentication manually. (However, I just realized that, due to an oversight on my part, you can't use SessMgrAuto=0 with Session Manager-generated OTPs. That might be a useful enhancement.)
- It's non-intuitive, but if I understand correctly, I think you can achieve what you want by setting:
ServerArgs=-securitytypes OTP,TLSVnc,X509Vnc
in ~/.vnc/default.turbovnc on the client. (~ is c:\Users\{your_user_name} on Windows.) Any arguments specified in ServerArgs will be passed (by the Session Manager via SSH) to /opt/TurboVNC/bin/vncserver after '-securitytypes otp'. Thus, the arguments above will override '-securitytypes otp'. Effectively, any TurboVNC session started via the Session Manager from a client configured thusly will have OTP and all of the encrypted VNC password variants enabled, but the Session Manager will continue to use auto-generated OTPs and SSH tunneling per its default behavior. That will allow collaborators to connect to {TurboVNC_host}:{TurboVNC_session_display_number} using any VeNCrypt-enabled VNC viewer and to authenticate using the VNC password.
DRC
Is there a way to start new TurboVNC sessions with security types 'OTP' and 'VNC' inside Session Manager AND access the session using Session Manager's automatic OTP authentication if available OR the (non-OTP) VNC-password (if automatic OTP isn't available)?
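
The override described in the reply above can be checked before a client config is rolled out. This is an added example, not code from the thread or from the TurboVNC project: it models the stated rule that ServerArgs follow '-securitytypes otp' so the last occurrence wins, and reports overrides that drop OTP or enable None or unencrypted VNC. The function names are hypothetical, and case-insensitive matching of the option and type names is an assumption.

```python
import shlex

# From the post: the Session Manager passes this first, then ServerArgs.
SESSMGR_DEFAULT = ["-securitytypes", "otp"]

# Constructed sample of ~/.vnc/default.turbovnc (only the line from the post).
SAMPLE_CONFIG = "ServerArgs=-securitytypes OTP,TLSVnc,X509Vnc\n"


def read_server_args(config_text):
    """Return the ServerArgs value from key=value config text ('' if unset)."""
    for line in config_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "serverargs":
            return value.strip()
    return ""


def effective_security_types(server_args):
    """ServerArgs come after '-securitytypes otp', so the last occurrence wins."""
    argv = SESSMGR_DEFAULT + shlex.split(server_args)
    types = []
    # Skip the final element: an option with no value after it is ignored.
    for i, arg in enumerate(argv[:-1]):
        if arg.lower() == "-securitytypes":
            types = [t.strip().lower() for t in argv[i + 1].split(",") if t.strip()]
    return types


def review(server_args):
    """Return findings a reviewer would raise about a ServerArgs override."""
    types = effective_security_types(server_args)
    findings = []
    if "otp" not in types:
        findings.append("otp dropped: Session Manager connects with SecurityTypes=OTP")
    if "none" in types:
        findings.append("none enabled: session accepts connections without authentication")
    if "vnc" in types:
        findings.append("vnc enabled: not one of the encrypted variants (TLSVnc, X509Vnc)")
    return findings


if __name__ == "__main__":
    args = read_server_args(SAMPLE_CONFIG)
    print(effective_security_types(args), review(args))
    print(review("-securitytypes VNC,None"))
```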