VNC console secure?

monster

Member
Oct 23, 2010
I just got my first Proxmox installation working (well, almost).

I noticed that the instructions on setting up Shorewall as a firewall for Proxmox leave some incoming ports open:

rules:ACCEPT net fw tcp 443,5900:5999

I understand that "5900:5999" is for the VNC consoles. Which means that they are NOT tunneled through HTTPS. Since the VNC protocol is NOT encrypted by default, have you got VNC somehow encrypted while still using the same ports, or is it "for LAN only"?

I had to fight with such issues before, and basically had to reserve a public IP just for VNC in the end (over HTTPS).
 
I understand that "5900:5999" is for the VNC consoles. Which means that they are NOT tunneled through HTTPS. Since the VNC protocol is NOT encrypted by default, have you got VNC somehow encrypted while still using the same ports, or is it "for LAN only"?

Yes, VNC is currently not encrypted.
 
Hello,

Are there any plans to implement VNC tunnelled over HTTPS? Even in my internal network I would like to prevent the root password flying in clear text through the line.

Maybe you could use the xvp code and use it in Proxmox? Although xvp is meant to be used with Xen, the VNC proxy should be usable with Proxmox, too.

I really like Proxmox, but unencrypted console access is a no go - at least for me.
 
Are there any plans to implement VNC tunnelled over HTTPS? Even in my internal network I would like to prevent the root password flying in clear text through the line.

Sorry, it seems you misunderstand something - we 'never' transfer passwords in clear text! Proxmox VE uses some kind of 'ticket' system for VNC access.
 
Sorry, it seems you misunderstand something - we 'never' transfer passwords in clear text! Proxmox VE uses some kind of 'ticket' system for VNC access.

Yes, but only for the initial VNC session creation, or am I wrong? When the session is opened, every keystroke is transferred unencrypted, and that would also be valid for ssh, ftp or other logins which are opened within the shell.
 
When the session is opened, every keystroke is transferred unencrypted, and that would also be valid for ssh, ftp or other logins which are opened within the shell.

Yes - an attacker can listen to the vnc traffic.
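
An added example, not part of the original thread and not Proxmox or Shorewall code: a small Python check that reads a Shorewall rules file and flags ACCEPT rules that open the VNC console range 5900:5999 to a whole untrusted zone, as the rule quoted in the first post does. The zone names `net`, `fw` and `loc`, the sample rules and the function names are assumptions; macros and service names are not evaluated.

```python
VNC_LOW, VNC_HIGH = 5900, 5999  # console port range from the rule quoted in the thread

def port_ranges(spec):
    """Parse a Shorewall DPORT field such as '443,5900:5999' into (low, high) pairs."""
    ranges = []
    for part in spec.split(","):
        low, sep, high = part.partition(":")
        if part in ("", "-"):
            continue
        if (low and not low.isdigit()) or (high and not high.isdigit()):
            continue  # service names (e.g. 'ssh') are not resolved in this sketch
        lo = int(low) if low else 0
        hi = int(high) if high else (65535 if sep else lo)  # '1024:' is open-ended
        ranges.append((lo, hi))
    return ranges

def exposed_vnc_rules(rules_text, untrusted_zone="net"):
    """Return (line number, rule) for ACCEPT rules exposing VNC ports to the whole zone."""
    findings = []
    for lineno, raw in enumerate(rules_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line.startswith("rules:"):        # file-name prefix as quoted in the thread
            line = line[len("rules:"):]
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith("ACCEPT"):
            continue
        source, proto, dport = fields[1], fields[3], fields[4]
        # A host-restricted source such as 'net:192.0.2.0/24' is not the bare zone.
        if source not in (untrusted_zone, "all") or proto.lower() not in ("tcp", "6"):
            continue
        if any(lo <= VNC_HIGH and hi >= VNC_LOW for lo, hi in port_ranges(dport)):
            findings.append((lineno, raw.strip()))
    return findings

# Constructed sample rules file; only the first rule is taken from the thread.
SAMPLE_RULES = """\
# constructed sample
rules:ACCEPT net fw tcp 443,5900:5999
ACCEPT net fw tcp 443
ACCEPT net:192.0.2.0/24 fw tcp 5900:5999
ACCEPT loc fw tcp 5900:5999
ACCEPT net fw tcp 22,5950
"""

if __name__ == "__main__":
    for lineno, rule in exposed_vnc_rules(SAMPLE_RULES):
        print(f"line {lineno}: unencrypted VNC reachable from untrusted zone: {rule}")
```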