On Wed, Jun 05, 2013 at 03:09:54PM +0200, Ján Tomko wrote: > QEMU does accept empty VNC passwords now and allows anyone > to connect with an empty password. > > https://bugzilla.redhat.com/show_bug.cgi?id=969542 > --- > src/qemu/qemu.conf | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf > index cdf1ec4..49ef75f 100644 > --- a/src/qemu/qemu.conf > +++ b/src/qemu/qemu.conf > @@ -62,9 +62,9 @@ > # VNC passwords. This parameter is only used if the per-domain > # XML config does not already provide a password. To allow > # access without passwords, leave this commented out. An empty > -# string will still enable passwords, but be rejected by QEMU, > -# effectively preventing any use of VNC. Obviously change this > -# example here before you set this. > +# string might either prevent any use of VNC or allow access > +# with an empty password depending on QEMU version. Obviously > +# change this example here before you set this. > # > #vnc_password = "XYZ12345" NACK. This is not correct. This is a security flaw and regression in behaviour that must be fixed, if true. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list