PAM authentication


paulp....@gmail.com

Feb 20, 2017, 6:32:05 AM
to TigerVNC User Discussion/Support
Hi, I’m trying to use PAM auth with noVNC viewer. However I get an error when I try to login with my user. It only seems to work with the SecurityTypes None & VncAuth. So is my configuration below correct? Is it possible to set up PAM auth with noVNC?

NoVNC response
Unsupported security types: 19


[Service]
Type=forking
# Clean any existing files in /tmp/.X11-unix environment
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/sbin/runuser -l test03 -c "/usr/bin/vncserver %i -PlainUsers=* SecurityTypes=VeNCrypt,TLSPlain -PAM_Service=login"
PIDFile=/home/test03/.vnc/%H%i.pid
ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'




Thanks,
Paul

Pierre Ossman

Feb 20, 2017, 6:59:31 AM
to paulp....@gmail.com, TigerVNC User Discussion/Support
On 20/02/17 12:32, paulp....@gmail.com wrote:
> Hi, I’m trying to use PAM auth with noVNC viewer. However I get an error when I try to login with my user. It only seems to work with the SecurityTypes None & VncAuth. So is my configuration below correct? Is it possible to set up PAM auth with noVNC?
>
> NoVNC response
> Unsupported security types: 19
>

noVNC doesn't support the necessary security types. The closest thing it
has is xvp, which in turn TigerVNC doesn't support.

Regards
--
Pierre Ossman Software Development
Cendio AB https://cendio.com
Teknikringen 8 https://twitter.com/ThinLinc
583 30 Linköping https://facebook.com/ThinLinc
Phone: +46-13-214600 https://plus.google.com/+CendioThinLinc

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
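
Added example, not part of the thread and not noVNC's own code: a sketch of the RFB 3.8 security-type negotiation that yields the error quoted in the question when the server offers only VeNCrypt (type 19). The viewer's supported set (None, VncAuth, xvp) is an assumption taken from the messages above, and the function names are hypothetical.

```javascript
// RFB security type codes from the protocol registry (names for reporting).
const NAMES = { 1: "None", 2: "VncAuth", 19: "VeNCrypt", 22: "xvp" };
// Assumption from the thread: the viewer implements None, VncAuth and xvp.
const VIEWER_SUPPORTED = [1, 2, 22];
// These types add no encryption at the RFB layer.
const NO_RFB_ENCRYPTION = [1, 2, 22];

// Parse the RFB 3.8 security message: U8 count, then `count` U8 type codes.
// A count of 0 means the server refused; a U32 length and reason string follow.
function parseSecurityTypes(bytes) {
  if (bytes.length < 1) throw new Error("truncated security message");
  const count = bytes[0];
  if (count === 0) {
    if (bytes.length < 5) throw new Error("truncated failure reason");
    const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
    const len = view.getUint32(1); // big-endian, as everywhere in RFB
    if (bytes.length < 5 + len) throw new Error("truncated failure reason");
    const reason = new TextDecoder().decode(bytes.subarray(5, 5 + len));
    return { refused: true, reason, types: [] };
  }
  if (bytes.length < 1 + count) throw new Error("truncated security type list");
  return { refused: false, reason: "", types: Array.from(bytes.subarray(1, 1 + count)) };
}

// Pick the first offered type the viewer implements; otherwise report the
// offered list, which is the shape of the message quoted in the thread.
function negotiate(bytes, supported = VIEWER_SUPPORTED) {
  const msg = parseSecurityTypes(bytes);
  if (msg.refused) return { ok: false, error: "Security failure: " + msg.reason };
  const chosen = msg.types.find((t) => supported.includes(t));
  if (chosen === undefined) {
    return { ok: false, error: "Unsupported security types: " + msg.types.join(",") };
  }
  // With an unencrypted RFB type the session is only protected if the
  // WebSocket transport carrying it is itself TLS (wss://).
  return { ok: true, type: chosen, name: NAMES[chosen],
           needsTlsTransport: NO_RFB_ENCRYPTION.includes(chosen) };
}

// Constructed sample messages (not captured traffic).
const veNCryptOnly = Uint8Array.from([1, 19]);   // server offers VeNCrypt only
const withVncAuth = Uint8Array.from([2, 19, 2]); // server also offers VncAuth
console.log(negotiate(veNCryptOnly).error);
console.log(negotiate(withVncAuth));
```
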

paulp....@gmail.com

Feb 21, 2017, 3:22:06 AM
to TigerVNC User Discussion/Support, paulp....@gmail.com
ok, thanks for the response. Do you know of any alternative viewers that would work?

Paul

Pierre Ossman

Feb 21, 2017, 3:58:14 AM
to paulp....@gmail.com, TigerVNC User Discussion/Support
On 21/02/2017 09:22, paulp....@gmail.com wrote:
>
> ok, thanks for the response. Do you know of any alternative viewers that would work?
>

No. The other HTML based viewer I know of is guacamole. I have no idea
what features it has though.

DRC

Feb 21, 2017, 1:44:15 PM
to tigervn...@googlegroups.com
On 2/21/17 2:58 AM, Pierre Ossman wrote:
> No. The other HTML based viewer I know of is guacamole. I have no idea
> what features it has though.

Guac has similar authentication limitations to noVNC, and it's much
slower than noVNC (which is saying a lot, because noVNC is not very
swift to begin with.)

I have spent quite a bit of time with the noVNC code base. One of my
customers is very interested in the long-term prospects of optimizing
noVNC for the needs of performance-critical applications (3D
applications running with VirtualGL, mostly) and adding
TurboVNC/TigerVNC features to it, but currently that project is blocking
on two things:

(1) the inability to properly implement double buffering with the HTML 5
canvas. Basically the problem is that rendering in HTML 5 is
asynchronous. In order to properly implement a high-speed VNC viewer
with double buffering, you have to maintain a back buffer, incrementally
decode the RFB rectangles into that buffer as they arrive, then blit the
buffer to the screen at the end of the RFB framebuffer update. But that
requires the ability to block until the previous frame has finished
drawing, else you risk stomping on some of those pixels with the new
frame that you are decoding (and yes, I've tried a dual-canvas
approach-- way too slow.)

(2) performance. noVNC just doesn't decode and render fast enough (even
when using Chrome's JS acceleration) for the needs of 3D applications.
I'm hoping this will improve over time, but frankly, from a programmer's
point of view, Java applets were a way better solution, and I'm
disappointed that browser developers don't even give users and
developers that option anymore.

If I could get past the performance/double buffering hurdles, then I can
probably secure funding to add protocol features to noVNC such as
VeNCrypt, the RFB flow control extensions, etc. However, one important
caveat is that those features are implemented using GPL v2 code, so
adding them to noVNC would likely require changing the license of that
product to GPL v2 (it is currently MPL.) The GPL is such that it
extends not just to the literal code but to any "straightforward ports"
of that code to another language, so unless it was possible to implement
VeNCrypt and the other protocol extensions from first principles
(referring only to the spec and not basing the implementation on any of
the TigerVNC code), then it wouldn't be possible to maintain the current
noVNC license. That means that the noVNC developers would not likely
accept the modifications, and it would be necessary to fork the project.

DRC

Pierre Ossman

Feb 22, 2017, 2:41:30 AM
to DRC, tigervn...@googlegroups.com
On 21/02/17 19:44, DRC wrote:
>
> (1) the inability to properly implement double buffering with the HTML 5
> canvas. Basically the problem is that rendering in HTML 5 is
> asynchronous. In order to properly implement a high-speed VNC viewer
> with double buffering, you have to maintain a back buffer, incrementally
> decode the RFB rectangles into that buffer as they arrive, then blit the
> buffer to the screen at the end of the RFB framebuffer update.

https://github.com/novnc/noVNC/commit/2ba767a7fe13191c6a7e5b6d8bc43c552e2f1cba

> But that
> requires the ability to block until the previous frame has finished
> drawing, else you risk stomping on some of those pixels with the new
> frame that you are decoding (and yes, I've tried a dual-canvas
> approach-- way too slow.)
>

https://github.com/novnc/noVNC/commit/d9ca5e5b6b418bf9c9e8c6281fa2edfaa695ac02

:)

> (2) performance. noVNC just doesn't decode and render fast enough (even
> when using Chrome's JS acceleration) for the needs of 3D applications.
> I'm hoping this will improve over time, but frankly, from a programmer's
> point of view, Java applets were a way better solution, and I'm
> disappointed that browser developers don't even give users and
> developers that option anymore.

asm.js or WebAssembly might be something to explore.

Regards
--
Pierre Ossman Software Development
Cendio AB http://cendio.com
Teknikringen 8 http://twitter.com/ThinLinc
583 30 Linköping http://facebook.com/ThinLinc
Phone: +46-13-214600 http://plus.google.com/+CendioThinLinc