We plan to use noVNC / websockify to give customers (remote) access to a control panel, used for home energy storage and related products. This control panel is an embedded Linux device, not using X11, and the VNC server we have (easily) available is the one that ships with Qt 4.8:
This VNC server works directly on the frame buffer, and is rather limited:
- It currently has no authentication methods implemented, though implementing vncauth doesn't seem too difficult.
- One connection at a time only: good enough for our application.
The control panels are (mostly) installed behind a firewall, and the current plan is to make the control panels open a reverse ssh tunnel to a central, internet-connected proxy server. This proxy server will run websockify using the token-based target selection.
To encrypt all the connections is easy:
- connection between control panel and proxy server is ssh. From client (smartphone/tablet/pc) to proxy server will be wss.
- for the occasional control panel that is connected directly to the internet instead of behind a firewall, we will also install websockify locally and force the use of wss as well.
- connection from public interface to (unencrypted) vnc port could be shielded if necessary
But authentication is more difficult. We could only enable the targets on the proxy server dynamically: first make the user authenticate himself, and then dynamically create and remove his token configuration file. Perhaps even limiting on remote IP address. But that is more applying a quite good band-aid than real airtight security.
The most straightforward method I see is to use authentication at the two end points:
1) in the qt/vnc/qws service
2) in the noVNC javascript client.
So the question is, which authentication method to use. noVNC currently only supports vncauth? Or is there more and did I not read the code correctly? vncauth seems to be regarded as not good enough, quote "This type of authentication is known to be cryptographically weak and is not intended for use on untrusted networks." from:
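The dynamic per-session token scheme sketched above (grant a token only after the user has authenticated to the proxy, then remove it again), as an added example that is not code from the original post or from websockify itself. It writes entries in the `token: host:port` line format read by websockify's TokenFile plugin (`--token-plugin TokenFile --token-source FILE`); the class and method names are this example's own, and the TTL bookkeeping is an assumption about how one would bound a session.

```python
import secrets
import time
from pathlib import Path


class SessionTokens:
    """Per-session entries for websockify's TokenFile plugin (hypothetical helper).

    Each line in the token file is 'token: host:port'; websockify resolves the
    token from the wss URL to that target, so an absent line means no target.
    """

    def __init__(self, token_file):
        self.path = Path(token_file)
        self.expiry = {}  # token -> unix time after which it is revoked

    def grant(self, host, port, ttl, now=None):
        """Call only after the user has authenticated; returns the one-time token."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(24)  # 192 bits of randomness, not guessable
        with self.path.open("a") as f:
            f.write(f"{token}: {host}:{port}\n")
        self.expiry[token] = now + ttl
        return token

    def revoke(self, token):
        """Drop the token's line so websockify no longer resolves it; True if present."""
        lines = self.path.read_text().splitlines() if self.path.exists() else []
        kept = [l for l in lines if not l.startswith(token + ": ")]
        self.path.write_text("".join(l + "\n" for l in kept))
        self.expiry.pop(token, None)
        return len(kept) != len(lines)

    def expire(self, now=None):
        """Revoke every token past its TTL (run periodically); returns those removed."""
        now = time.time() if now is None else now
        stale = [t for t, exp in self.expiry.items() if exp <= now]
        for t in stale:
            self.revoke(t)
        return stale

    def active(self):
        """Parse the file back into {token: (host, port)} for auditing."""
        out = {}
        if self.path.exists():
            for line in self.path.read_text().splitlines():
                token, _, target = line.partition(": ")
                host, _, port = target.rpartition(":")
                out[token] = (host, int(port))
        return out
```

Restricting the granted target to the one panel the authenticated user owns, and revoking on logout as well as on TTL, is what keeps a leaked token from being reused later.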