On Wed, Jun 05, 2013 at 03:09:54PM +0200, Ján Tomko wrote:
QEMU does accept empty VNC passwords now and allows anyone to connect with an empty password.
https://bugzilla.redhat.com/show_bug.cgi?id=969542 --- src/qemu/qemu.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index cdf1ec4..49ef75f 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf @@ -62,9 +62,9 @@ # VNC passwords. This parameter is only used if the per-domain # XML config does not already provide a password. To allow # access without passwords, leave this commented out. An empty -# string will still enable passwords, but be rejected by QEMU, -# effectively preventing any use of VNC. Obviously change this -# example here before you set this. +# string might either prevent any use of VNC or allow access +# with an empty password depending on QEMU version. Obviously +# change this example here before you set this. # #vnc_password = "XYZ12345"
NACK. This is not correct. This is a security flaw and regression in behaviour that must be fixed, if true. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|