On 6 May 2020, at 15:41, Daniel P. Berrangé wrote:
On Linux at least, providing passwords on the command line is
considered
a security flaw, because any user can see the command line args of any
other process on the host.
Agreed. The only reason bhyve supports this is to support VNC clients
that don’t support password-less authentication. Since it doesn’t
have any configuration file, and stdin may be used by the client, I’m
unsure what the alternative would be.
If CLI args of processes are similarly visible to other users on
FreeBSD,
then this VNC password would be a security flaw.
They are by default, however FreeBSD does have a sysctl that disallows
seeing other user’s processes. Since a few versions, users can easily
configure this sysctl in the FreeBSD installer.
Of course VNC password auth scheme itself is a security flaw since it
is
using Single-DES :-)
The bhyve(8) man page states that too:
This type of authentication is known to be cryptographically weak and
is
not intended for use on untrusted networks. Many implementations will
want
to use stronger security, such as running the session over an
encrypted
channel provided by IPsec or SSH.
(On a side note, it seems that Single-DES got even more broken recently:
https://eprint.iacr.org/2020/523)
I guess this is something that should probably also be added to that man
page.
Should we add a comment about this as well as the password being visible
to the docs on libvirt’s side?