system/weston
system/weston
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/wayland/weston synced 2024-07-22 11:14:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

backend-vnc: Add user authentication

Browse source 
Let VNC clients authenticate using the local username and password of
the user weston is running as. To avoid transmitting the password in
cleartext, make TLS security mandatory.

Signed-off-by: Philipp Zabel <philipp.zabel@gmail.com>
This commit is contained in:
Philipp Zabel 2022-11-19 09:52:05 +01:00
parent 0733c8f571
commit 133417b016
2 changed files with 42 additions and 24 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

62
libweston/backend-vnc/vnc.c
View file

@ -36,6 +36,7 @@
#include <errno.h>
#include <linux/input.h>
#include <netinet/in.h>
#include <pwd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
@ -411,6 +412,19 @@ vnc_pointer_event(struct nvnc_client *client, uint16_t x, uint16_t y,
notify_pointer_frame(peer->seat);
}
static bool
vnc_handle_auth(const char *username, const char *password, void *userdata)
{
struct passwd *pw = getpwnam(username);
if (!pw || pw->pw_uid != getuid()) {
weston_log("VNC: wrong user '%s'\n", username);
return false;
}
return weston_authenticate_user(username, password);
}
static void
vnc_client_cleanup(struct nvnc_client *client)
{
@ -997,29 +1011,33 @@ vnc_backend_create(struct weston_compositor *compositor,
nvnc_set_userdata(backend->server, backend, NULL);
nvnc_set_name(backend->server, "Weston VNC backend");
if (config->server_cert || config->server_key) {
if (!nvnc_has_auth()) {
weston_log("Neat VNC built without TLS support\n");
goto err_output;
}
if (!config->server_cert) {
weston_log("Missing TLS certificate (--vnc-tls-cert)\n");
goto err_output;
}
if (!config->server_key) {
weston_log("Missing TLS key (--vnc-tls-key)\n");
goto err_output;
}
ret = nvnc_enable_auth(backend->server, config->server_key,
config->server_cert, NULL, NULL);
if (ret) {
weston_log("Failed to enable TLS support\n");
goto err_output;
}
weston_log("TLS support activated\n");
if (!nvnc_has_auth()) {
weston_log("Neat VNC built without TLS support\n");
goto err_output;
}
if (!config->server_cert && !config->server_key) {
weston_log("The VNC backend requires a key and a certificate for TLS security"
" (--vnc-tls-cert/--vnc-tls-key)\n");
goto err_output;
}
if (!config->server_cert) {
weston_log("Missing TLS certificate (--vnc-tls-cert)\n");
goto err_output;
}
if (!config->server_key) {
weston_log("Missing TLS key (--vnc-tls-key)\n");
goto err_output;
}
ret = nvnc_enable_auth(backend->server, config->server_key,
config->server_cert, vnc_handle_auth,
NULL);
if (ret) {
weston_log("Failed to enable TLS support\n");
goto err_output;
}
weston_log("TLS support activated\n");
ret = weston_plugin_api_register(compositor, WESTON_VNC_OUTPUT_API_NAME,
&api, sizeof(api));

4
man/weston-vnc.man
View file

@ -19,8 +19,8 @@ the graphical content, depending on what is supported by the VNC client.
The VNC backend is not multi-seat aware, so if a second client connects to the
backend, the first client will be disconnected.
Note that authentication is not supported yet. Anyone with access to the port
can get control of the desktop via the VNC output.
The VNC client has to authenticate as the user running weston. This requires a PAM configuration file
.BR /etc/pam.d/weston-remote-access .
.\" ***************************************************************
.SH CONFIGURATION