Vnc url and security

jdreese · November 4, 2015, 3:38pm

I noticed that the URL for the VNC sessions can be copy and pasted between user sessions, and two different users can view the same console, even if one of those users doesn’t have access to that VM. This is problematic in public computer environments where someone could look at the browser history and use that information to access a VM’s console (it’s problematic for other reasons as well). This bug seems to articulate the issue http://dev.opennebula.org/issues/3534. Is there any way to restrict access to the VNC console? Unfortunately using a VNC password doesn’t help because it’s still included in the URL.

dmolina · November 10, 2015, 11:37am

Hi,

Yes, indeed this is a problem for machines where several users are interacting with OpeNebula through Sunstone using different accounts. We will try to include an extra auth check to avoid this kind of issues in upcoming releases.

Meanwhile, if you apply the following patch I have just test it in master (it should apply in one-4.14), the password will be requested for vnc sessions in an external window. If you are using an opennebula version < 4.14 the patch will not aaply

gist.github.com

https://gist.github.com/dmamolina/0c76d5b9b6e329e44060

vnc_password.diff

diff --git a/src/sunstone/public/app/console/vnc.js b/src/sunstone/public/app/console/vnc.js
index 5e4e05d..231bb49 100644
--- a/src/sunstone/public/app/console/vnc.js
+++ b/src/sunstone/public/app/console/vnc.js
@@ -29,19 +29,31 @@ define(function(require) {
   require('vnc-keysym');

   var rfb;
+  var encrypt = WebUtil.getQueryVar('encrypt', (window.location.protocol === "https:"));
+  var repeaterID = WebUtil.getQueryVar('repeaterID', '');

This file has been truncated. show original

Note that after applying this patch you will have to recompile/minify the js files:

github.com

OpenNebula/docs/blob/master/source/integration/references/sunstone_dev.rst#modifying-js--css-files

.. _sunstone_dev:

================================================================================
Sunstone Development
================================================================================

In OpenNebula 5.0 the graphical interface code, Sunstone, was redesigned and modularized to improve the code readability and ease the task of adding new components. Now, each component (tab, panel, form...) is defined in a separate module using `requirejs <http://requirejs.org/>`__ and HTML code is now defined in separate files using `Handlebars <http://handlebarsjs.com/>`__ templates. External libraries are handled using `Bower <http://bower.io/>`__, a Javascript package manager. `Zurb Foundation <http://foundation.zurb.com/>`__ is used for the styles and layout of the web and additional CSS styles are added using `SASS <http://sass-lang.com/>`__. `Grunt <http://gruntjs.com/>`__ is used as a tasker to automate the different processes to generate the optimized files.

RequireJS
================================================================================

`requirejs <http://requirejs.org/>`__ allows you to define blocks of functionality in different modules/files and then load and reuse them in other modules.

This is an example of the images-tab files layout:

.. code::

  images-tab.js
  images-tab/
    actions.js

This file has been truncated. show original

We will try to include at least this change for the next release

jdreese · November 11, 2015, 3:27pm

Thanks so much for the patch! I noticed one issue once the patch was applied, although I confess it’s possible I missed something in patching my installation. I’m still seeing the VNC password in the URL for the window that opens. In looking at the patch, I’m guessing the commented password line in:

src/sunstone/public/app/console/vnc.js

is the relevant one. I double-checked and my corresponding file:

/usr/lib/one/sunstone/public/app/console/vnc.js

is in fact patched. Is there a minified version of this js file somewhere that I missed?

Here are some details about how I applied the patch. My installation is v4.14 on CentOS 7. I didn’t want to patch my installation directly so I cloned the opennebula git repo and switched to branch one-4.14. I then patched the files and ran “grunt sass” and “grunt requirejs”; both seemed to finish successfully. I then copied the following files onto their corresponding locations on my system and restarted the services:

src/sunstone/public/app/console/vnc.js
src/sunstone/public/dist/console/vnc.js
src/sunstone/public/dist/console/vnc.js.map
src/sunstone/public/app/utils/vnc.js

Did I miss anything? Thanks again!

dmolina · November 11, 2015, 3:34pm

The file (vnc.js) where the password is commented is in the utils directory and after minifying, it is included in the dist/main.js file, but if you are using branch one-4.14 I don’t recommend to copy these files on top of opennebula 4.14, since some changes are required in the conf files.

We will include this change in the next one-4.14.2, that we will release soon.

jdreese · November 11, 2015, 3:35pm

Sounds great. It’s much appreciated.

dmolina · November 12, 2015, 4:38pm

The code is already in the repo:
http://dev.opennebula.org/issues/4145

There will be an option (vnc_request_password) in sunstone-server.conf to enable/disable this functionality:
https://github.com/OpenNebula/docs/blob/master/source/administration/sunstone_gui/sunstone.rst#sunstone-serverconf

Topic		Replies	Views
Connect with VM's VNC without using sunstone Community Support	10	3222	September 12, 2018
Opennebula 6.2.0 @ Character in Chrome VNC session Community Support	1	576	December 10, 2021
Console integration issue General	1	271	July 31, 2023
Federation VNC issues Community Support	2	665	March 13, 2015
How to connect with my vm’s vnc from browser Development	0	432	September 12, 2018

Vnc url and security

Related Topics