Restrict client access to VNC display driver
I have an embedded installation running multiple drivers ‘LinuxFb’ and ‘VNC’ together, everything works well so far. Now the point is that we need to restrict access from clients (using xtightvncviewer or equivalent) to the VNC part of this target. Is there any chance of doing this for example by:
-driver ‘Multi: LinuxFb:0 VNC:password=xyz:1’
or are there other possibilities using the Qt VNC display driver directly?
Due to the limitations for the project, we aren’t able to use a ‘real’ X11 vnc server.
Thanks for your help.
As far as I am aware the VNC display option has no security capabilities at all as it is only meant for testing purposes.
You would either have to code this into the VNC display driver yourself or use some other solution – perhaps a firewalled subnet.
Another option might be to put some form of authentication into your application itself.
Can you share some more information about your app and the environment within which it is expected to operate please?
The app is running on an x86 system, having a self configured/installed qt-embedded version on it. It uses an eGalax 15” touchscreen as input and display device. We use our own configured/built version of tslib, there is no x11 on the system. The purpose of the VNC connection should be that remote-support can connect to the target hardware if a user reports any problems with the application, and we can see (1:1) what the user is able to see on the screen.
The main issue is that if we can’t provide any security, all persons knowing the IP address of the target hardware can connect and – use the application on that system – without any limitations. Regarding the project’s scope, we should be able to prohibit that kind of direct access.
A possible option that we already checked is to use another vnc-server running directly on the framebuffer device, but we weren’t able to find that kind of software.
What we usually do is to run the embedded app with only a local display then when somebody reports a problem we restart the app with both local and VNC displays enabled and ask the user to repeat the problem.
Another option might be to use a port-knocking solution such as knockd on the embedded device. That is, the device only opens up the network port after receiving a suitable sequence of port “knocks” from the potential client. There is a detailed description on the Gentoo Wiki [en.gentoo-wiki.com].
It only requires iptables to be enabled in the kernel and a small knockd daemon to be running. That way you do not need to modify Qt or your software at all. Since only devs will be connecting in this way it is not unreasonable to expect them to use a knock client before connecting.
How does that sound?
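As an added example of the knockd setup suggested above (this is not configuration from the thread or from the Qt project), here is a knockd.conf that opens the VNC port only for the knocking host and closes it again after a timeout. It assumes the Qt VNC display is started as display :1, so the QWS VNC server listens on TCP 5901 (5900 plus the display number), that the network interface is eth0, that the kernel has iptables and connection tracking enabled, and that the firewall already has a baseline of `iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` followed by `iptables -A INPUT -p tcp --dport 5901 -j DROP`, so that the port is closed by default and an already-established support session survives when the temporary ACCEPT rule is removed. The knock sequence is a placeholder to be chosen per device.

```ini
# /etc/knockd.conf  (example, assumed paths and values; see lead-in)
[options]
    UseSyslog                 # log knocks via syslog for later review
    Interface = eth0          # assumption: interface the support client reaches

[openVNC]
    # Knocker must hit these TCP ports, in order, within seq_timeout seconds.
    # Placeholder sequence: pick your own, keep it private to the support team.
    sequence      = 7000,8000,9000
    seq_timeout   = 10
    tcpflags      = syn       # only count real connection attempts (SYN packets)

    # Insert an ACCEPT rule ahead of the baseline DROP for the knocking host
    # only (%IP% is expanded by knockd), then remove it after cmd_timeout
    # seconds. A VNC session opened inside that window stays up because the
    # baseline ESTABLISHED,RELATED rule keeps matching its packets.
    start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 5901 -j ACCEPT
    cmd_timeout   = 30
    stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 5901 -j ACCEPT
```

With this in place the VNC display can be left enabled permanently while anyone scanning the device sees port 5901 closed; a support engineer knocks with a knock client, connects with xtightvncviewer within the 30-second window, and the port closes again behind them. Note that knockd hides the port but does not add encryption or user authentication to the Qt VNC driver, so it pairs well with the restart-on-demand practice described in the reply above rather than replacing it.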