1*4882a593SmuzhiyunFrom 1964e244caee4f8acaeb43a032ea2f0cf96f3e2d Mon Sep 17 00:00:00 2001
2*4882a593SmuzhiyunFrom: Philipp Zabel <philipp.zabel@gmail.com>
3*4882a593SmuzhiyunDate: Sat, 19 Nov 2022 09:52:05 +0100
4*4882a593SmuzhiyunSubject: [PATCH 89/92] backend-vnc: Add user authentication
5*4882a593Smuzhiyun
6*4882a593SmuzhiyunLet VNC clients authenticate using the local username and password of
7*4882a593Smuzhiyunthe user weston is running as. To avoid transmitting the password in
8*4882a593Smuzhiyuncleartext, make TLS security mandatory.
9*4882a593Smuzhiyun
10*4882a593SmuzhiyunSigned-off-by: Philipp Zabel <philipp.zabel@gmail.com>
11*4882a593Smuzhiyun(cherry picked from commit 133417b016c5dfbfea850ad6a2f29b1ad7162401)
12*4882a593SmuzhiyunSigned-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
13*4882a593Smuzhiyun---
14*4882a593Smuzhiyun libweston/backend-vnc/vnc.c | 60 ++++++++++++++++++++++++-------------
15*4882a593Smuzhiyun man/weston-vnc.man | 4 +--
16*4882a593Smuzhiyun 2 files changed, 41 insertions(+), 23 deletions(-)
17*4882a593Smuzhiyun
18*4882a593Smuzhiyundiff --git a/libweston/backend-vnc/vnc.c b/libweston/backend-vnc/vnc.c
19*4882a593Smuzhiyunindex e57e377..6cb05d7 100644
20*4882a593Smuzhiyun--- a/libweston/backend-vnc/vnc.c
21*4882a593Smuzhiyun+++ b/libweston/backend-vnc/vnc.c
22*4882a593Smuzhiyun@@ -36,6 +36,7 @@
23*4882a593Smuzhiyun #include <errno.h>
24*4882a593Smuzhiyun #include <linux/input.h>
25*4882a593Smuzhiyun #include <netinet/in.h>
26*4882a593Smuzhiyun+#include <pwd.h>
27*4882a593Smuzhiyun #include <sys/types.h>
28*4882a593Smuzhiyun #include <sys/socket.h>
29*4882a593Smuzhiyun #include <unistd.h>
30*4882a593Smuzhiyun@@ -411,6 +412,19 @@ vnc_pointer_event(struct nvnc_client *client, uint16_t x, uint16_t y,
31*4882a593Smuzhiyun notify_pointer_frame(peer->seat);
32*4882a593Smuzhiyun }
33*4882a593Smuzhiyun
34*4882a593Smuzhiyun+static bool
35*4882a593Smuzhiyun+vnc_handle_auth(const char *username, const char *password, void *userdata)
36*4882a593Smuzhiyun+{
37*4882a593Smuzhiyun+ struct passwd *pw = getpwnam(username);
38*4882a593Smuzhiyun+
39*4882a593Smuzhiyun+ if (!pw || pw->pw_uid != getuid()) {
40*4882a593Smuzhiyun+ weston_log("VNC: wrong user '%s'\n", username);
41*4882a593Smuzhiyun+ return false;
42*4882a593Smuzhiyun+ }
43*4882a593Smuzhiyun+
44*4882a593Smuzhiyun+ return weston_authenticate_user(username, password);
45*4882a593Smuzhiyun+}
46*4882a593Smuzhiyun+
47*4882a593Smuzhiyun static void
48*4882a593Smuzhiyun vnc_client_cleanup(struct nvnc_client *client)
49*4882a593Smuzhiyun {
50*4882a593Smuzhiyun@@ -997,30 +1011,34 @@ vnc_backend_create(struct weston_compositor *compositor,
51*4882a593Smuzhiyun nvnc_set_userdata(backend->server, backend, NULL);
52*4882a593Smuzhiyun nvnc_set_name(backend->server, "Weston VNC backend");
53*4882a593Smuzhiyun
54*4882a593Smuzhiyun- if (config->server_cert || config->server_key) {
55*4882a593Smuzhiyun- if (!nvnc_has_auth()) {
56*4882a593Smuzhiyun- weston_log("Neat VNC built without TLS support\n");
57*4882a593Smuzhiyun- goto err_output;
58*4882a593Smuzhiyun- }
59*4882a593Smuzhiyun- if (!config->server_cert) {
60*4882a593Smuzhiyun- weston_log("Missing TLS certificate (--vnc-tls-cert)\n");
61*4882a593Smuzhiyun- goto err_output;
62*4882a593Smuzhiyun- }
63*4882a593Smuzhiyun- if (!config->server_key) {
64*4882a593Smuzhiyun- weston_log("Missing TLS key (--vnc-tls-key)\n");
65*4882a593Smuzhiyun- goto err_output;
66*4882a593Smuzhiyun- }
67*4882a593Smuzhiyun-
68*4882a593Smuzhiyun- ret = nvnc_enable_auth(backend->server, config->server_key,
69*4882a593Smuzhiyun- config->server_cert, NULL, NULL);
70*4882a593Smuzhiyun- if (ret) {
71*4882a593Smuzhiyun- weston_log("Failed to enable TLS support\n");
72*4882a593Smuzhiyun- goto err_output;
73*4882a593Smuzhiyun- }
74*4882a593Smuzhiyun+ if (!nvnc_has_auth()) {
75*4882a593Smuzhiyun+ weston_log("Neat VNC built without TLS support\n");
76*4882a593Smuzhiyun+ goto err_output;
77*4882a593Smuzhiyun+ }
78*4882a593Smuzhiyun+ if
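Review bot: The client-supplied username is written verbatim into the compositor log at `weston_log("VNC: wrong user '%s'\n", username);`, so an unauthenticated peer can push newlines or terminal escape sequences into the log before any credential has been checked; either drop the name from the message (`weston_log("VNC: authentication rejected: user is not the compositor owner\n");`) or escape it before logging. `getpwnam()` returns a pointer to static storage and is not reentrant, so if Neat VNC can run this callback on a thread other than the one the rest of the backend uses (not visible from this hunk), `getpwnam_r()` with a local buffer would be the safer call. The early return for an unknown user also skips PAM entirely, which makes the "wrong user" and "wrong password" paths distinguishable by timing and makes brute force of the password limited only by whatever delay PAM adds; a short header comment on vnc_handle_auth stating that throttling and fail-delay are expected to come from `/etc/pam.d/weston-remote-access` would make that assumption explicit for whoever deploys it.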
(!config->server_cert && !config->server_key) {
79*4882a593Smuzhiyun+ weston_log("The VNC backend requires a key and a certificate for TLS security"
80*4882a593Smuzhiyun+ " (--vnc-tls-cert/--vnc-tls-key)\n");
81*4882a593Smuzhiyun+ goto err_output;
82*4882a593Smuzhiyun+ }
83*4882a593Smuzhiyun+ if (!config->server_cert) {
84*4882a593Smuzhiyun+ weston_log("Missing TLS certificate (--vnc-tls-cert)\n");
85*4882a593Smuzhiyun+ goto err_output;
86*4882a593Smuzhiyun+ }
87*4882a593Smuzhiyun+ if (!config->server_key) {
88*4882a593Smuzhiyun+ weston_log("Missing TLS key (--vnc-tls-key)\n");
89*4882a593Smuzhiyun+ goto err_output;
90*4882a593Smuzhiyun+ }
91*4882a593Smuzhiyun
92*4882a593Smuzhiyun- weston_log("TLS support activated\n");
93*4882a593Smuzhiyun+ ret = nvnc_enable_auth(backend->server, config->server_key,
94*4882a593Smuzhiyun+ config->server_cert, vnc_handle_auth,
95*4882a593Smuzhiyun+ NULL);
96*4882a593Smuzhiyun+ if (ret) {
97*4882a593Smuzhiyun+ weston_log("Failed to enable TLS support\n");
98*4882a593Smuzhiyun+ goto err_output;
99*4882a593Smuzhiyun }
100*4882a593Smuzhiyun
101*4882a593Smuzhiyun+ weston_log("TLS support activated\n");
102*4882a593Smuzhiyun+
103*4882a593Smuzhiyun ret = weston_plugin_api_register(compositor, WESTON_VNC_OUTPUT_API_NAME,
104*4882a593Smuzhiyun &api, sizeof(api));
105*4882a593Smuzhiyun if (ret < 0) {
106*4882a593Smuzhiyundiff --git a/man/weston-vnc.man b/man/weston-vnc.man
107*4882a593Smuzhiyunindex 582fe28..5232aac 100644
108*4882a593Smuzhiyun--- a/man/weston-vnc.man
109*4882a593Smuzhiyun+++ b/man/weston-vnc.man
110*4882a593Smuzhiyun@@ -19,8 +19,8 @@ the graphical content, depending on what is supported by the VNC client.
111*4882a593Smuzhiyun The VNC backend is not multi-seat aware, so if a second client connects to the
112*4882a593Smuzhiyun backend, the first client will be disconnected.
113*4882a593Smuzhiyun
114*4882a593Smuzhiyun-Note that authentication is not supported yet.
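Review bot: Making TLS mandatory only protects the local account password if the client actually verifies the certificate handed over via `--vnc-tls-cert`; with the self-signed certificates this option invites and a client that skips verification, an on-path attacker can terminate TLS and capture the password, so the success message `weston_log("TLS support activated\n");` (or the accompanying man page text) should say that clients must be configured to trust this certificate. The new guard `if (!config->server_cert && !config->server_key)` is entirely subsumed by the two single-option checks that follow it, giving three overlapping error paths for what is one condition; keeping just the two specific checks, each with a message saying TLS is now required, would be simpler to read and maintain. The enclosing vnc_backend_create() starts and ends outside this hunk, so whether `err_output` tears down the nvnc server created just above cannot be confirmed from here.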
Anyone with access to the port
115*4882a593Smuzhiyun-can get control of the desktop via the VNC output.
116*4882a593Smuzhiyun+The VNC client has to authenticate as the user running weston. This requires a PAM configuration file
117*4882a593Smuzhiyun+.BR /etc/pam.d/weston-remote-access .
118*4882a593Smuzhiyun
119*4882a593Smuzhiyun .\" ***************************************************************
120*4882a593Smuzhiyun .SH CONFIGURATION
121*4882a593Smuzhiyun--
122*4882a593Smuzhiyun2.20.1
123*4882a593Smuzhiyun
124