VNC URL and security

I noticed that the URL for the VNC sessions can be copied and pasted between user sessions, and two different users can view the same console, even if one of those users doesn’t have access to that VM. This is problematic in public computer environments where someone could look at the browser history and use that information to access a VM’s console (it’s problematic for other reasons as well). This bug seems to articulate the issue: http://dev.opennebula.org/issues/3534. Is there any way to restrict access to the VNC console? Unfortunately, using a VNC password doesn’t help because it’s still included in the URL.

Hi,

Yes, indeed this is a problem for machines where several users are interacting with OpenNebula through Sunstone using different accounts. We will try to include an extra auth check to avoid this kind of issue in upcoming releases.

Meanwhile, if you apply the following patch, which I have just tested in master (it should apply in one-4.14), the password will be requested for VNC sessions in an external window. If you are using an OpenNebula version < 4.14 the patch will not apply.

Note that after applying this patch you will have to recompile/minify the js files:

We will try to include at least this change in the next release.

Thanks so much for the patch! I noticed one issue once the patch was applied, although I confess it’s possible I missed something in patching my installation. I’m still seeing the VNC password in the URL for the window that opens. In looking at the patch, I’m guessing the commented password line in:

src/sunstone/public/app/console/vnc.js

is the relevant one. I double-checked and my corresponding file:

/usr/lib/one/sunstone/public/app/console/vnc.js

is in fact patched. Is there a minified version of this js file somewhere that I missed?

Here are some details about how I applied the patch. My installation is v4.14 on CentOS 7. I didn’t want to patch my installation directly so I cloned the opennebula git repo and switched to branch one-4.14. I then patched the files and ran “grunt sass” and “grunt requirejs”; both seemed to finish successfully. I then copied the following files onto their corresponding locations on my system and restarted the services:

src/sunstone/public/app/console/vnc.js
src/sunstone/public/dist/console/vnc.js
src/sunstone/public/dist/console/vnc.js.map
src/sunstone/public/app/utils/vnc.js

Did I miss anything? Thanks again!

The file (vnc.js) where the password is commented out is in the utils directory and, after minifying, it is included in the dist/main.js file. But if you are using branch one-4.14 I don’t recommend copying these files on top of OpenNebula 4.14, since some changes are required in the conf files.

We will include this change in the next release, one-4.14.2, which we will release soon.

Sounds great. It’s much appreciated.

The code is already in the repo:
http://dev.opennebula.org/issues/4145

There will be an option (vnc_request_password) in sunstone-server.conf to enable/disable this functionality:
https://github.com/OpenNebula/docs/blob/master/source/administration/sunstone_gui/sunstone.rst#sunstone-serverconf