May 3, 2011

hick991 hick991
Lab Rat
7 posts

Restrict client access to VNC display driver

 

Hello

I have an embedded installation running multiple drivers ‘LinuxFb’ and ‘VNC’ together, everything works well so far. Now the point is that we need to restrict access from clients (using xtightvncviewer or equivalent) to the VNC part of this target. Is there any chance of doing this for example by:

-driver ‘Multi: LinuxFb:0 VNC:password=xyz:1’

or is there another possibility using the Qt VNC display driver directly?

Due to the limitations for the project, we aren’t able to use a ‘real’ X11 vnc server.

thanks for help

6 replies

May 3, 2011

ZapB ZapB
Ant Farmer
1424 posts

As far as I am aware the VNC display option has no security capabilities at all as it is only meant for testing purposes.

You would either have to code this into the VNC display driver yourself or use some other solution – perhaps a firewalled subnet.

Another option might be to put some form of authentication into your application itself.

Can you share some more information about your app and the environment within which it is expected to operate please?

 Signature 

Nokia Certified Qt Specialist
Interested in hearing about Qt related work

May 3, 2011

hick991 hick991
Lab Rat
7 posts

The app is running on an x86 system, having a self configured/installed qt-embedded version on it. It uses an eGalax 15” touchscreen as input and display device. We use our own configured/built version of tslib, there is no x11 on the system. The purpose of the VNC connection should be that remote-support can connect to the target hardware if a user reports any problems with the application, and we can see (1:1) what the user is able to see on the screen.

The main issue is that if we can’t provide any security, all persons knowing the ip address of the target hardware can connect and – use the application on that system – without any limitations. Regarding the project’s scope, we should be able to prohibit that kind of direct access.

A possible option that we already checked is to use another vnc-server running directly on the framebuffer device, but we weren’t able to find that kind of software.

May 3, 2011

Luca Luca
Ant Farmer
637 posts

Why don’t you use Qt for X11 and then use x11vnc to share your monitor?

May 3, 2011

ZapB ZapB
Ant Farmer
1424 posts

What we usually do is to run the embedded app with only a local display then when somebody reports a problem we restart the app with both local and VNC displays enabled and ask the user to repeat the problem.

Another option might be to use a port-knocking solution such as knockd on the embedded device. That is, the device only opens up the network port after receiving a suitable sequence of port “knocks” from the potential client. There is a detailed description on the Gentoo Wiki [en.gentoo-wiki.com].

It only requires iptables to be enabled in the kernel and a small knockd daemon to be running. That way you do not need to modify Qt or your software at all. Since only devs will be connecting in this way it is not unreasonable to expect them to use a knock client before connecting.

How does that sound?

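A sketch of the knockd setup suggested in the post above, added here as an example and not taken from any poster's system. The interface name, the iptables path, the knock ports and the VNC port (5901, assuming the Qt VNC driver listens on 5900 plus display id 1) are all assumptions.

```ini
# /etc/knockd.conf (added example; every value below is an assumption)
#
# Baseline firewall, loaded once at boot before knockd starts, so the VNC
# port is closed to everyone by default:
#   iptables -A INPUT -p tcp --dport 5901 -m conntrack --ctstate ESTABLISHED -j ACCEPT
#   iptables -A INPUT -p tcp --dport 5901 -j DROP
# The ESTABLISHED rule (needs conntrack support in the kernel) keeps a running
# support session alive after stop_command removes the per-client ACCEPT rule.

[options]
    UseSyslog
    # Assumed interface name of the embedded target.
    Interface = eth0

[vncSupport]
    # Constructed knock sequence: pick your own ports. The knocks travel in
    # clear text, so anyone who can observe the traffic can replay them.
    sequence      = 7000,8000,9000
    # Seconds allowed to complete the whole sequence.
    seq_timeout   = 10
    tcpflags      = syn
    # Open the VNC port only for the address that knocked (%IP%).
    start_command = /sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 5901 -j ACCEPT
    # Seconds the support engineer has to start the viewer before the
    # per-client rule is removed again.
    cmd_timeout   = 30
    stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 5901 -j ACCEPT
```

On the support side, the `knock` client shipped with knockd sends the sequence (`knock <target> 7000 8000 9000`), after which the VNC viewer has `cmd_timeout` seconds to connect.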

May 4, 2011

hick991 hick991
Lab Rat
7 posts

That sounds great, I’d always like to give knockd a try. Thanks for support.

May 4, 2011

ZapB ZapB
Ant Farmer
1424 posts

No problem. knockd is not a security solution on its own but since you are only looking to deter access on a private network anyway it should be sufficient. Let us know how you get on with it.
