Bug 206669

Summary: VNC Remote Access via X11: spaces in password don't work but no hint given by YaST
Product: [openSUSE] SUSE Linux 10.1 Reporter: Forgotten User Drfk9mafMw <forgotten_Drfk9mafMw>
Component: YaST2 Assignee: Marcus Schaefer <ms>
Status: RESOLVED FIXED QA Contact: Jiri Srain <jsrain>
Severity: Minor    
Priority: P5 - None CC: max, security-team, snwint
Version: Final   
Target Milestone: ---   
Hardware: i686   
OS: Other   
Whiteboard:
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Forgotten User Drfk9mafMw 2006-09-19 12:34:06 UTC
The VNC display sharing with the sax2 YaST Control Center option works nice unless the specified password doesn't contain spaces or colons. 

Though this might be a restriction of X.org the user should be given a warning that the password will not work since it is invalid.

mada@Santenay:~> rpm -qa | grep xorg
xorg-x11-devel-6.9.0-48
xorg-x11-driver-video-6.9.0-46.15
xorg-x11-fonts-scalable-6.9.0-48
xorg-x11-Xvnc-6.9.0-48
xorg-x11-fonts-75dpi-6.9.0-48
xorg-x11-fonts-100dpi-6.9.0-48
xorg-x11-server-glx-6.9.0-50.17
xorg-x11-server-6.9.0-50.20
xorg-x11-6.9.0-50.17
xorg-x11-driver-video-nvidia-6.9.0-46.15
xorg-x11-libs-6.9.0-50.17
Comment 1 Stefan Dirsch 2006-09-20 18:50:00 UTC
Yes, AFAIK it is a restriction in Xvnc. So this needs to be detected in YaST2. IMHO this is a minor issue.
Comment 2 Christoph Thiel 2006-09-20 21:05:14 UTC
I guess this doesn't only need to get fixed in YaST, but in linuxrc as well.
Comment 3 Thomas Fehr 2006-09-21 07:51:11 UTC
Reassigned to maintainer of linuxrc
Comment 4 Steffen Winterfeldt 2006-09-21 09:33:29 UTC
Xvnc not supporting spaces in passwords sounds like grotesque nonsense to me.

More likely I'd suspect a quoting issue in one of the shell scripts used
to setup vnc.
Comment 5 Marcus Schaefer 2006-09-21 12:03:16 UTC
Hmm, I don't think so. The startup script does the following:

   $VNCPASS /root/.vnc/passwd "$VNCPassword" 

The variable $VNCPassword is an exported variable from the linuxrc environment
and is never touched in the scripts. The contents are directly passed to
the program $VNCPASS = /usr/bin/vncpasswd.arg

So I assume a problem with the space handling in the vncpasswd.arg which
is part of the tightvnc package. Assigning to maintainer of tightvnc

By the way setting spaces in a password is a bad idea at all
Comment 6 Reinhard Max 2006-09-21 15:24:37 UTC
I think you guys are all running into the wrong direction. As I understand Daniel, the problem didn't happen on a VNC installation, but in an installed system, when during the X configuration he checked the box to export the local display via VNC. So linuxrc and the installation system are certainly out of the loop here.

I also tested vncpasswd.arg with passwords containing spaces, and didn't see any problems with it.

So, my guess is, that the password gets truncated at the first space by YaST or SAX when it is queried from the user before it gets written to the disk.

BTW, what's wrong with spaces in passwords? It's a regular character that shouldn't cause any problems. The only characters I would discourage people from using in passwords are umlauts, because they might be hit by encoding problems.
Comment 7 Forgotten User Drfk9mafMw 2006-09-21 15:35:52 UTC
@ comment #6: Yes, this is exactly what I mean... I was already looking up information about linuxrc and couldn't come up with a reason for why it should be related to the problem but blamed my average Linux user skills for not understanding...

And yes, I use spaces and other chars extensively in other (regular) passwords since I think it makes things much more secure :)
Comment 9 Marcus Schaefer 2006-09-22 09:43:11 UTC
aha, we are talking about the installed system ;) ok first of all the
initial report is correct. A space in the password string confuses sax2
because the shell which is invoking the createVNC.sh script is called like
this:

   /usr/share/sax/libsax/createVNC.sh 123 123

so only the first portion of the password is used. Additionally this is
a security problem because you can pass a shell quoted command as password
which is executed.

Both issues have been fixed
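
The quoting failure described in comment 9, reproduced as an added example (not code from sax2 or from this report): `create_vnc` is a hypothetical stand-in for createVNC.sh, `eval` models the password being pasted into a shell command line, and the sample passwords are constructed. How the bug was actually fixed is not shown on this page.

```shell
#!/bin/sh
# Hypothetical stand-in for createVNC.sh: reports the password it received as $1.
create_vnc() {
    printf '%s' "$1"
}

# Unsafe: the password is pasted into a command line that the shell parses
# again, so spaces split it and $(...) or backticks are executed.
call_unsafe() {
    eval "create_vnc $1"
}

# Safe: the password travels as a single argv element and is never re-parsed.
call_safe() {
    create_vnc "$1"
}

# If a command string cannot be avoided, single-quote the value and rewrite
# every embedded ' as '\'' so the shell sees exactly one literal word.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

call_quoted() {
    eval "create_vnc $(shell_quote "$1")"
}

# Constructed sample passwords: a space, a harmless command substitution, an apostrophe.
for pw in '123 123' 'x$(echo INJECTED)' "it's 1 2"; do
    printf 'input=[%s] unsafe=[%s] safe=[%s] quoted=[%s]\n' "$pw" \
        "$(call_unsafe "$pw" 2>/dev/null)" "$(call_safe "$pw")" "$(call_quoted "$pw")"
done
```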