[6.10.0] [SECURITY] VNC does not allow secure passwords

    Kevinb123213
    Priority: Minor

    OP in pre-release section by me for Unraid OS 6.10.0 RC8. Since this issue has persisted into the stable release, I am reposting here. Not sure if allowed to have two posts (prerelease/stable) for the same issue. If this is not allowed, feel free to contact me or adjust as needed. :)

    I looked at the full release notes and tried to see if the VNC package that Unraid Linux uses was the cause. I could not figure out which library/package it is.


    Issue:

    When editing or creating a VM, the VNC password field in the WebGUI template does not allow any password greater than 8 characters.

    This issue was first noticed when turning on a VM just after 6.10.0-RC8 update. I was prompted that my 19 character password exceeded the 8 character limit (as shown similarly in screenshot attached).


    By today's standards passwords less than 8 characters are considered insecure.


    Reproduction steps:

    1. Inside of Unraid WebGUI, navigate to VMs tab.

    2. Select the "ADD VM" button below the list of currently installed VMs to create a new VM.

    3. Select VM template type Linux. This shouldn't matter but these are my exact steps for testing.

    4. Set primary vDisk size to "10M".

    5. Set VNC Password to anything greater than 8 characters. In this case "123456789".

    6. Select the button "Create VM".

    7. Observe the following error: "VM creation error unsupported configuration: VNC password is 9 characters long, only 8 permitted."


    everestsrvr-diagnostics-20220518-1203.zip





    Recommended Comments

    Just an FYI, the 8 character password limitation in VNC is actually a protocol limitation with VNC. Most implementations of VNC are inherently insecure. You'll find that your VNC password is also effectively transmitted in clear text. It's more common to encapsulate (tunnel) VNC through SSH, but in this application it's not practical. KVM/QEMU/LibVirt is actually the VNC host.


    Other "more secure" VNC applications (such as RealVNC) break protocol spec to implement their security and additional features. Most other common flavors of VNC (Tiger, Tight, NoVNC, Turbo, Ultra) all pretty much adhere to spec, and thusly are also insecure (outside of encryption plugins). We must rely upon what KVM/QEMU/LibVirt support.


    If security is a concern, I recommend disabling the VNC VM console across your VMs altogether until UNRAID makes it easy to operate with X.509/TLS that libvirt also supports.


    See: https://wiki.libvirt.org/page/VNCTLSSetup. A step in the right direction, but cumbersome to use.

    Edited by bitcore
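The "protocol limitation" in the comment above is RFC 6143's VNC Authentication type: the challenge is encrypted with DES using a key built from at most 8 bytes of the password, so characters beyond the 8th can never affect authentication. The following is an added illustration, not code from the report, Unraid or libvirt; it derives that key (including the per-byte bit reversal the original reference implementation applies, assumed here as the common behaviour) and shows why "123456789" and "12345678" are the same secret on the wire. It does not implement DES itself, which is not in the Python standard library.

```python
"""VNC Authentication key derivation (RFC 6143, section 7.2.2).

Added example: shows why a VNC password longer than 8 characters
buys nothing, which is why libvirt rejects it up front.
"""


def vnc_des_key(password: str) -> bytes:
    """Derive the 8-byte DES key used by the VNC Authentication type.

    The password is truncated, or zero-padded, to exactly 8 bytes.
    Classic VNC implementations then reverse the bit order of each
    byte before handing it to DES (a quirk of the original reference
    code, assumed here); the reversal does not change the conclusion.
    """
    raw = password.encode("latin-1", errors="replace")[:8].ljust(8, b"\x00")
    # Reverse the bit order inside each byte: 0b00110001 -> 0b10001100.
    return bytes(int(f"{b:08b}"[::-1], 2) for b in raw)


def effective_password_length(password: str) -> int:
    """Number of password characters that actually influence the key."""
    return min(len(password.encode("latin-1", errors="replace")), 8)


def same_vnc_secret(a: str, b: str) -> bool:
    """True when two passwords would answer a VNC challenge identically."""
    return vnc_des_key(a) == vnc_des_key(b)


if __name__ == "__main__":
    long_pw = "123456789"      # the 9-character value from the reproduction steps
    short_pw = long_pw[:8]     # what the protocol actually uses
    # True: the 9th character is discarded before the key is formed.
    print(same_vnc_secret(long_pw, short_pw))
    print(effective_password_length(long_pw))  # 8
```

Because the key space is bounded by 8 bytes regardless of what the GUI accepts, the practical mitigations are the ones already suggested in this thread: tunnel or TLS-wrap the VNC port, or do not expose the libvirt VNC console at all.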

    In my opinion, the KVM hosted VNC should not be used for anything but operations that require local console on the VM. RDP, nomachine, pretty much any remote access hosted in the VM itself is going to give you a much better experience.

