Feature #10584

Fix wrong comment in /etc/lightdm/lightdm.conf

Added by Hubert Garavel 5 months ago. Updated 3 months ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 2019-03-25
Due date:
% Done: 0%
Estimated time:
Difficulty: Bite-size
Tags:

Description

In /etc/lightdm/lightdm.conf, the following comment line
    #command=Xvnc securitytypes=none

should be written
    #command=Xvnc

for two reasons:
  • first, one should write -securitytypes=... rather than securitytypes=...
  • second, -securitytypes=none is not insecure and should no longer be a recommended option

History

#1

Updated by Hubert Garavel 5 months ago

  • second, -securitytypes=none is not insecure and should no longer be a recommended option

This should read:

  • second, -securitytypes=none is insecure and should no longer be a recommended option

#2

Updated by Tim Mooney 5 months ago

Hubert Garavel wrote:

  • second, -securitytypes=none is not insecure and should no longer be a recommended option

This should read:

  • second, -securitytypes=none is insecure and should no longer be a recommended option

Hubert-

Have you tried the other option (-SecurityTypes=VncAuth) on OpenIndiana hipster, to verify that it works?

I agree that the commented config shouldn't suggest an insecure option, but before I submit a patch to remove the option, it would be nice to have some confirmation that we can get by without it.

Thanks,

Tim

#3

Updated by Tim Mooney 4 months ago

Tim Mooney wrote:

Hubert-

Have you tried the other option (-SecurityTypes=VncAuth) on OpenIndiana hipster, to verify that it works?

I agree that the commented config shouldn't suggest an insecure option, but before I submit a patch to remove the option, it would be nice to have some confirmation that we can get by without it.

Hubert responded via direct email and indicated that he has successfully used other options on OI, so there are better options available than -securitytypes=none.

I also verified that -securitytypes=none is not something we inherited from upstream; we're actually adding it in one of the local build patches (patches/17-customize-config.patch).

I'll follow up and see if this option can be dropped from our local config.

#4

Updated by Tim Mooney 4 months ago

I checked with the developer that packaged lightdm for OpenIndiana.

He indicated that the patch is working as intended. In particular, he said

1) securitytypes=none should be set, as without this Xvnc will ask for the password set in the Xvnc global password file.
We don't want this to happen, as lightdm authenticates the user, not Xvnc.

I've verified that is true. Because it's lightdm that is launching Xvnc, lightdm is also handling authentication. So, while securitytypes=none is insecure when Xvnc is launched other ways, when launched via lightdm there is still an authentication step.

Of course, if you haven't tunneled your connection over an encrypted channel, the username and password that lightdm receives will be visible on the network, but that's a separate issue from securitytypes=none.

Do you agree with this assessment?

#5

Updated by Michal Nowak 3 months ago

  • Status changed from New to Closed
  • Tags deleted (needs-triage)

I believe Tim explained the line. Thanks.
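
The two points from comment #4 can be checked mechanically against a lightdm.conf. The sketch below is an added example, not code from lightdm or OpenIndiana: it reports when Xvnc's own authentication is switched off and when the VNC listener is not bound to loopback. The finding names are made up for this example, treating a loopback `listen-address` as the sign that clients must tunnel is an assumption, and the parser accepts both spellings of the option seen in this thread plus a separate-argument form.

```python
import configparser
import shlex

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def xvnc_security_types(command):
    """Return the lower-cased SecurityTypes list from an Xvnc command line, or None."""
    args = shlex.split(command)[1:]
    for i, arg in enumerate(args):
        name, eq, value = arg.partition("=")
        if name.lstrip("-").lower() != "securitytypes":
            continue
        if not eq:  # separate-argument form, e.g. "-SecurityTypes VncAuth"
            value = args[i + 1] if i + 1 < len(args) else ""
        return [v.strip().lower() for v in value.split(",") if v.strip()]
    return None  # option absent: Xvnc falls back to its own default

def audit_vnc_section(conf_text):
    """Return findings for the [VNCServer] section of a lightdm.conf text."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read_string(conf_text)
    if not cp.has_section("VNCServer"):
        return []
    sec = cp["VNCServer"]
    if sec.get("enabled", "false").strip().lower() != "true":
        return []  # VNC server not enabled (or only commented out): nothing exposed
    findings = []
    if xvnc_security_types(sec.get("command", "Xvnc")) == ["none"]:
        # Xvnc asks for no password; the lightdm greeter is the only login step.
        findings.append("xvnc-auth-off")
    if sec.get("listen-address", "").strip() not in LOOPBACK:
        # Reachable from the network: greeter credentials travel unencrypted
        # unless the client tunnels the connection.
        findings.append("cleartext-exposure")
    return findings

# Constructed sample configuration, not taken from a real system.
SAMPLE = """\
[VNCServer]
enabled=true
command=Xvnc -securitytypes=none
port=5900
"""

if __name__ == "__main__":
    for finding in audit_vnc_section(SAMPLE):
        print(finding)
```
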
