LDAP + TigerVNC?


ryanl...@gmail.com

Sep 8, 2016, 8:23:23 PM
to TigerVNC User Discussion/Support
I haven't found any examples of setting up tigervnc with LDAP authentication.

I've read a bit about using PAM, but I'm not having any luck with that.

OS: CentOS 7
LDAP: OpenLDAP

I'm running 'vncserver -PAM_Service=sshd -PlainUsers=$USER', which starts up the session, but when I input the user's LDAP password, the log reports 'SConnection: AuthFailureException: Authentication failure'

Any thoughts? What am I missing?

Pierre Ossman

Sep 9, 2016, 4:51:18 AM
to ryanl...@gmail.com, TigerVNC User Discussion/Support
Plain is not enabled by default. You also need to specify
-SecurityTypes=TLSPlain or -SecurityTypes=X509Plain.

Regards
--
Pierre Ossman Software Development
Cendio AB https://cendio.com
Teknikringen 8 https://twitter.com/ThinLinc
583 30 Linköping https://facebook.com/ThinLinc
Phone: +46-13-214600 https://plus.google.com/+CendioThinLinc

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Ryan Raines

Sep 9, 2016, 10:58:03 AM
to TigerVNC User Discussion/Support, ryanl...@gmail.com
Thanks for the reply. 

-SecurityTypes=TLSPlain or -SecurityTypes=X509Plain

both result in 'No supported security types' from VNCviewer

Pierre Ossman

Sep 9, 2016, 11:25:24 AM
to Ryan Raines, TigerVNC User Discussion/Support
On 09/09/16 16:58, Ryan Raines wrote:
> Thanks for the reply.
>
> -SecurityTypes=TLSPlain or -SecurityTypes=X509Plain
>
>
> both result in 'No supported security types' from VNCviewer
>

The same thing needs to be enabled in the viewer's end.

Ryan Raines

Sep 9, 2016, 12:23:39 PM
to TigerVNC User Discussion/Support, ryanl...@gmail.com
I don't see that option in VNC Viewer 5.3.2 WINx64

Brian Hinz

Sep 9, 2016, 12:26:08 PM
to Ryan Raines, TigerVNC User Discussion/Support
Does RealVNC's client even support VeNCrypt security types?


Pierre Ossman

Sep 9, 2016, 12:34:51 PM
to Brian Hinz, Ryan Raines, TigerVNC User Discussion/Support
On 09/09/16 18:26, Brian Hinz wrote:
> Does RealVNC's client even support VeNCrypt security types?
>

It does not.

Ryan, you need to use our client.

Regards
--
Pierre Ossman Software Development
Cendio AB http://cendio.com
Teknikringen 8 http://twitter.com/ThinLinc
583 30 Linköping http://facebook.com/ThinLinc
Phone: +46-13-214600 http://plus.google.com/+CendioThinLinc

Ryan Raines

Sep 9, 2016, 4:57:56 PM
to TigerVNC User Discussion/Support, bph...@users.sourceforge.net, ryanl...@gmail.com
Ah, ok. 

On the remote CentOS server, I started vncserver with 'vncserver -PAM_Service=sshd -SecurityTypes=TLSPlain'

from tigervncviewer v1. I checked only TLS with anonymous certificate and standard vnc authentication 

log file reports: 
 SConnection: Client needs protocol version 3.8
 SConnection: No supported security types

Ryan Raines

Sep 12, 2016, 3:19:23 PM
to TigerVNC User Discussion/Support, bph...@users.sourceforge.net, ryanl...@gmail.com
vncserver keeps checking ~/.vnc/passwd. 

I've created /etc/pam.d/vnc:
#%PAM-1.0
auth        requisite    pam_ldap.so

and calling it when starting vncserver:
vncserver :1 -pam_service=/etc/pam.d/vnc

Any thoughts?

brian...@gmail.com

Sep 12, 2016, 5:02:14 PM
to TigerVNC User Discussion/Support, bph...@users.sourceforge.net, ryanl...@gmail.com
On Monday, September 12, 2016 at 3:19:23 PM UTC-4, Ryan Raines wrote:
> vncserver keeps checking ~/.vnc/passwd. 


I just enabled this not 5 minutes ago on my RHEL 6 VM. I installed TigerVNC 1.7.0 RPMs and I'm using TigerVNC 1.7.0 viewer from my Mac. On the server side, I had to run this:
vncserver -rfbauth=0 -PlainUsers=$USER pam_service=login

If I didn't specify -rfbauth=0, it would insist on the .vnc/passwd file existing (I renamed it for testing). Funny thing is that Xvnc is started with two -rfbauth arguments but the last one wins.
/usr/bin/Xvnc :1 -securitytypes tlsplain,tlsvnc,vncauth -auth /home/foo/.Xauthority -desktop host.domain:1 (foo) -fp catalogue:/etc/X11/fontpath.d -pn -rfbauth /home/foo/.vnc/passwd -rfbport 5901 -rfbwait 30000 -rfbauth=0 PlainUsers=foo pam_service=login

In my client, I have a .vnc/default.tigervnc file. It has a line like this:
SecurityTypes=TLSPlain,TLSVnc,VncAuth

When I run vncviewer, it asks for both Username and Password and authenticates on my VM. My VM is running FreeIPA client (Red Hat Identity Management) and it seems to be working fine so far.

Brian Long

Sep 13, 2016, 12:27:22 PM
to Ryan L. Raines, TigerVNC User Discussion/Support, bph...@users.sourceforge.net
This is my file:
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
-session   optional     pam_ck_connector.so


On Mon, Sep 12, 2016 at 6:26 PM, Ryan L. Raines <ryanl...@gmail.com> wrote:
Care to share your /etc/pam.d/login file?

Ryan Raines

Sep 13, 2016, 4:59:23 PM
to TigerVNC User Discussion/Support, ryanl...@gmail.com, bph...@users.sourceforge.net, brian...@gmail.com
Thanks for sharing, Brian. 

Looks the same as mine. 

Still, using the command you used, Xvnc is still looking for vncpasswd file. 

 "SVncAuth:    opening password file '0' failed"

Any ideas?

Ryan Raines

Sep 14, 2016, 2:21:10 PM
to TigerVNC User Discussion/Support, ryanl...@gmail.com, bph...@users.sourceforge.net, brian...@gmail.com
Thanks Brian, for all your help. 

Update:  I've upgraded to tigervnc 1.7, but I'm still unable to authenticate against a pam_service.  vncserver keeps authenticating against the ~/.vnc/passwd file. 

Any thoughts? 

Brian Long

Sep 16, 2016, 3:32:31 AM
to Ryan Raines, TigerVNC User Discussion/Support, bph...@users.sourceforge.net
I would look at the Xvnc process that was started to see what parameters "vncserver" passed in.  Did you overwrite your Linux distro's vncserver program with TigerVNC 1.7.0?  I'm running RHEL 6 that has a really old tigervnc RPM.



Ryan Raines

Sep 16, 2016, 10:02:57 AM
to TigerVNC User Discussion/Support, ryanl...@gmail.com, bph...@users.sourceforge.net, brian...@gmail.com
***Resolved***

Thanks to Brian, and Pierre, for their support. 

The trick was to run vncserver -SecurityTypes=TLSPlain -PlainUsers=foo -pam_service=login from root, or any user with elevated permissions. 
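
Added example, not part of any post in this thread: a POSIX shell check for the step suggested above (look at what vncserver actually passed to Xvnc). It reports the effective SecurityTypes, PlainUsers, pam_service and rfbauth values; the function names and the SAMPLE command line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report the settings an Xvnc command line
# really ends up with. SAMPLE is constructed, modelled on the one quoted above.
SAMPLE='/usr/bin/Xvnc :1 -securitytypes tlsplain,tlsvnc,vncauth -rfbauth /home/foo/.vnc/passwd -rfbport 5901 -rfbauth=0 PlainUsers=foo pam_service=login'

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# effective_param NAME CMDLINE: print the last value given for NAME.
# Names are matched case-insensitively in the forms "-name value",
# "-name=value" and "name=value"; a later occurrence overrides an earlier one.
effective_param() (
  want=$(lower "$1"); value=""; take_next=0
  set -f                                  # split on whitespace, no globbing
  for arg in $2; do
    if [ "$take_next" -eq 1 ]; then value=$arg; take_next=0; continue; fi
    key=${arg#-}; key=${key#-}
    case $key in
      *=*) if [ "$(lower "${key%%=*}")" = "$want" ]; then value=${key#*=}; fi ;;
      *)   if [ "$arg" != "$key" ] && [ "$(lower "$key")" = "$want" ]; then take_next=1; fi ;;
    esac
  done
  printf '%s\n' "$value"
)

# audit_xvnc CMDLINE: print one finding per line.
audit_xvnc() (
  types=$(lower "$(effective_param SecurityTypes "$1")")
  pam=$(effective_param PAM_Service "$1")
  users=$(effective_param PlainUsers "$1")
  pwfile=$(effective_param rfbauth "$1")
  plain=0
  [ -n "$types" ] || echo "NOTE: SecurityTypes not set, the server default applies"
  for t in $(printf '%s' "$types" | tr ',' ' '); do
    case $t in
      tlsplain|x509plain) plain=1 ;;
      plain) plain=1; echo "WARN: plain sends username and password without TLS" ;;
      none|tlsnone|x509none) echo "WARN: $t accepts clients without authentication" ;;
      vncauth|tlsvnc|x509vnc) echo "WARN: $t still uses the password file (rfbauth=$pwfile)" ;;
    esac
  done
  if [ "$plain" -eq 1 ]; then
    echo "OK: PAM login offered (pam_service=${pam:-unset}, PlainUsers=${users:-unset})"
  else
    echo "FAIL: no Plain-based security type, so PAM (LDAP) login is never offered"
  fi
)

# Live use on Linux: audit_xvnc "$(ps -o args= -p "$XVNC_PID")"
audit_xvnc "$SAMPLE"
```

On the sample, the effective rfbauth value is the literal string 0, which is consistent with the "opening password file '0' failed" log line quoted earlier in the thread.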


vjb...@gmail.com

May 16, 2019, 3:05:04 AM
to TigerVNC User Discussion/Support
Hello Brian, Pierre and Ryan,

Am running tigervnc-server-1.8.0-13.el7.x86_64 on CentOS 7.6, the trick that was suggested "vncserver -SecurityTypes=TLSPlain -PlainUsers=foo -pam_service=login" didn't help me.

Can anyone guide me out here?

Reg
V John Bennet