Security issue on noVNC #216
Hi, thanks for the suggestion. However, adding password authentication via nginx would not really help, because all that viewer does is connect to the VNC port of QEMU, which has no password. And yes, it is possible to also set a password on the VNC port, but it's not very useful:
Also, you can connect via RDP without a password, so it's not just an issue with VNC currently. I did this to keep the container easy to use and because I do not expect people to use this container for anything really important except for some short experiments. If anyone wants to make it more secure, the simple solution is that they change the Windows password for the Docker user. This will also prevent misuse of the VNC port, as you would not be able to use the viewer without logging in to Windows.
This isn't an issue, but I see there is an option to disable KVM with "KVM=N". I can't get this working though. Is this recommended & how would I achieve this?
@ajb3932 I don't see how KVM has anything to do with it? That is just a method for hardware accelerating CPU instructions, if you disable it, it has no influence on VNC at all (the only difference you will notice is that the machine runs slower). If you want to disable VNC you can set the flag
Thanks, yes sorry for my ignorance. That helps a lot 😊
Hi, thanks for your great work and it is indeed awesome!
I would like to note that exposing noVNC without any authentication is dangerous, even when exposing the port to localhost manually. Since this is a Docker environment, suppose another Docker container has a vulnerability and an attacker gains access to it; the attacker can easily take over the Windows Docker container by simply accessing the noVNC port.
Possible solution:
Optional configuration: Specify a username and password in the Docker yml file or from a file in the shared folder. When the container starts, edit the Nginx configuration to add authentication.