Draft: Simple VNC Auth
Hi @any1, you already discussed this topic in https://github.com/any1/wayvnc/issues/176 and declined it. Feel free to just say no and I will close this PR immediately. In case there is a chance to get it in, I would be happy to clean it up and test it more.
For my client we want to use NeatVNC in mobile devices, where our application is providing its own encryption channel. Nettle doesn't fit due to its license.
However we still want to block local connection attempts using a random password and being standard compliant would mean coming back to simple VNC auth.
The protocol change is based upon https://github.com/thezealousfool/neatvnc/commit/7a2f040a5a10f66ee3e73d7420664bf90ea1599b and all credits belong to @thezealousfool.
I just removed the older RFB Protocol support and enabled the VNC Auth.
The embedded DES-Library is derived from https://github.com/dhuertas/DES/blob/master/des.c and MIT licensed.
I have read and understood CONTRIBUTING.md.
There does not appear to be any new argument here for adding DES auth.
I also don't see what's wrong with Nettle's license; it's LGPL, not GPL. However, nettle is wrapped in crypto.h, so it should be fairly straightforward to implement the same using OpenSSL. I went with nettle to begin with because the API is cleaner, better documented, easier to understand and more stable.
By the way, you can apply other people's patches while maintaining the original author, comment, etc. using git am.
@any1 thanks for your response, I will keep git am in mind.
Regarding the license: the LGPL requires the end user to be able to change the LGPL-Part. This is tricky on App Stores as the Applications are signed. On Wikipedia it's called Tivoization.
OpenSSL would be fine but sounds like much more work.
Libvnc also has a DES-Implementation which they claim as being public domain.
> There does not appear to be any new argument here for adding DES auth.
Not sure if it was mentioned already, but for people switching from x11vnc, it would make things easier. Also, many clients (at least xtigervnc) show a big red banner "the connection is not secure", so I think "false sense of security" is less of a concern.
For me, the last time I tried, SSH added a lot of noticeable latency. So I expose the VNC directly. However, the computer being "open" for anyone in the network to me is a far greater threat than "someone snooping with specialized software". As I understand it, currently enabling enable_auth=true would encrypt the entire connection, so I would expect a similar latency overhead as with SSH?
> As I understand it, currently enabling enable_auth=true would encrypt the entire connection, so I would expect a similar latency overhead as with SSH?
I have not experienced increased latency from encryption, and I would not expect there to be increased latency.