Proper Authentication for VNC
VNC is a highly popular method to access remote GUIs, including for system administration and remote support. The protocol is widely used, but its built-in security is very weak: the only authentication it defines is a DES challenge-response on a password of at most eight characters, and the session itself is not encrypted at all. This assignment integrates the SASL authentication framework into a well-known VNC client and server.
Skills needed: C programming, understanding of authentication.
This is a practical assignment that should take a few weeks of work.
Technologies
The VNC protocol is specified under its formal name, the Remote Framebuffer Protocol (RFB), in [RFC 6143]. That specification documents a protocol that already existed, and nowhere is this more visible than in its security section: the only security types it defines are "None" and "VNC Authentication", a DES challenge-response that the RFC itself calls cryptographically weak and unsuitable for untrusted networks, and no encryption of the session is defined.
SASL, the Simple Authentication and Security Layer, is defined in [RFC 4422]; it is widely used and supported by popular libraries with workable APIs. It is a framework for negotiating and then executing one of a range of acceptable authentication mechanisms and, for mechanisms that provide a security layer, integrity protection and encryption of the traffic that follows.
On top of SASL, mechanisms such as Kerberos (through GSSAPI), EAP/RADIUS and TTLS can be run; in short, integrating SASL into VNC is an excellent security upgrade. Furthermore, and highly attractive to administrators, once proper cryptography is in place there is the potential of using Single Sign-On systems. This permits access to the graphical consoles of virtual machines without endless typing of (weak) passwords.
We wrote an [Internet Draft] that details the integration of SASL into RFB. As part of the standardisation process, we need implementations, as well as keen readers who have taken a closer look at the implementation process and at any nits that might exist in the specification.
Assignment
This assignment involves programming in the C programming language. The following tasks are defined:
- Modify the TightVNC client in such a manner that it prefers to use libsasl2.
- Modify the VNCserver server in such a manner that it prefers to use libsasl2.
- Demonstrate that the components do indeed prefer libsasl2 over the old methods.
The use of libsasl2 ensures that the various authentication mechanisms are available. We want you to demonstrate that the new solution uses SASL in preference to the older security mechanisms wherever the peer offers it, and still interoperates where it does not.
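As an added illustration, not code from this page, from the Internet Draft, or from TightVNC or VNCserver, the following C sketch models the RFB security handshake of RFC 6143 section 7.1.2 together with the preference rule the tasks above ask for. In protocol 3.7 and later the server offers its security types as a U8 count followed by one U8 per type and the client answers with the type it picks; in protocol 3.3 the server sends a single big-endian U32 and there is nothing to negotiate. The value 20 for the SASL security type is an assumption (IANA registers 20 for GTK-VNC's SASL type; the Internet Draft may assign a different number), and the SASL sub-handshake that follows the selection is left out because its wire format is whatever the draft specifies.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Security types from RFC 6143 section 7.1.2 and the IANA RFB registry. */
#define SEC_INVALID  0u
#define SEC_NONE     1u
#define SEC_VNCAUTH  2u
/* Assumed: 20 is what IANA lists as "GTK-VNC SASL"; the Internet Draft this
 * page refers to may assign a different number for its SASL type. */
#define SEC_SASL     20u

/* Server side, RFB 3.7+: write the security-types message (U8 count, then
 * one U8 per type) into buf and return its length. SASL is listed first so
 * that a client scanning in server order meets it first; VNC Authentication
 * stays in the list so that pre-SASL clients can still connect. A return of
 * 1 means an empty list, after which the server must send a failure reason
 * and close (RFC 6143 section 7.1.2). */
size_t server_offer_types(int sasl_enabled, int allow_vncauth,
                          uint8_t *buf, size_t cap)
{
    size_t n = 1;
    if (cap < 3)
        return 0;
    if (sasl_enabled)
        buf[n++] = SEC_SASL;
    if (allow_vncauth)
        buf[n++] = SEC_VNCAUTH;
    buf[0] = (uint8_t)(n - 1);
    return n;
}

/* Client side, RFB 3.7+: parse the server's list and pick a type.
 * Preference: SASL (only when libsasl2 was linked in) > VNC Authentication
 * > None. Unknown types are skipped, which is exactly what a pre-SASL client
 * does with type 20. Returns SEC_INVALID for a truncated message or when
 * nothing acceptable is offered; the client then disconnects. */
uint8_t client_choose_type(const uint8_t *msg, size_t len, int have_sasl)
{
    size_t count, i;
    int seen_vncauth = 0, seen_none = 0;
    if (len < 1)
        return SEC_INVALID;
    count = msg[0];
    if (count == 0 || len < 1 + count)
        return SEC_INVALID;
    for (i = 1; i <= count; i++) {
        if (msg[i] == SEC_SASL && have_sasl)
            return SEC_SASL;
        if (msg[i] == SEC_VNCAUTH)
            seen_vncauth = 1;
        else if (msg[i] == SEC_NONE)
            seen_none = 1;
    }
    if (seen_vncauth)
        return SEC_VNCAUTH;
    if (seen_none)
        return SEC_NONE;
    return SEC_INVALID;
}

/* RFB 3.3: the server does not negotiate but sends one big-endian U32
 * security type. There is no slot for SASL in that exchange, so a
 * SASL-extended client talking to a 3.3 server can only accept the old
 * type or disconnect. */
uint8_t client_accept_legacy_type(const uint8_t be32[4])
{
    uint32_t t = ((uint32_t)be32[0] << 24) | ((uint32_t)be32[1] << 16) |
                 ((uint32_t)be32[2] << 8)  |  (uint32_t)be32[3];
    return (t == SEC_NONE || t == SEC_VNCAUTH) ? (uint8_t)t : (uint8_t)SEC_INVALID;
}

/* Simulated exchanges covering both directions of the compatibility question. */
int main(void)
{
    uint8_t msg[8];
    size_t n = server_offer_types(1, 1, msg, sizeof msg);
    const uint8_t old_server[] = { 1, SEC_VNCAUTH };   /* pre-SASL 3.7 server */
    const uint8_t v33[4] = { 0, 0, 0, SEC_VNCAUTH };   /* RFB 3.3 server */

    printf("SASL server, SASL client -> type %u\n", (unsigned)client_choose_type(msg, n, 1));
    printf("SASL server, old client  -> type %u\n", (unsigned)client_choose_type(msg, n, 0));
    printf("old server, SASL client  -> type %u\n",
           (unsigned)client_choose_type(old_server, sizeof old_server, 1));
    printf("3.3 server, SASL client  -> type %u\n", (unsigned)client_accept_legacy_type(v33));
    return 0;
}
```

Note how a pre-SASL client simply does not recognise type 20 and lands on VNC Authentication, while a SASL-aware client talking to a pre-SASL server finds no type 20 in the list and falls back the same way; both directions of the compatibility question therefore rest on the server continuing to list the old types, and on nothing at all for RFB 3.3 peers.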
This assignment will be guided by OpenFortress, so you will be assured of good cryptographic support, as well as knowledge of network protocols and standards. In return for this guidance, the student is expected to deliver working code for cross-realm authentication.
The idea is that the Internet Drafts can be completed and, if all goes well, turned into RFCs on the topic at a later time. The code from this assignment is the live demonstration of the principles. The student is welcome to get actively involved in writing these documents, if s/he so desires.
Research Questions
- Is the current proposal for integration of SASL into RFB/VNC complete? Or have details been overlooked?
- Can older VNC servers co-operate with SASL-extended clients?
- Can older VNC clients co-operate with SASL-extended servers?
- How can Single Sign-On be implemented within the SASL framework?