Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-34880

Xvnc: "plain" security scheme should have a mechanism to force multiple connections to log in as the same user

    • tigervnc-1.14.0-6.el9
    • None
    • Low
    • FutureFeature
    • 2
    • rhel-sst-display-productivity
    • ssg_display
    • 5
    • 7
    • 5
    • False
    • Hide

      None

      Show
      None
    • None
    • Red Hat Enterprise Linux
    • DESKTOP Cycle #4 10.beta phase, DESKTOP Cycle #5 10.beta phase
    • All
    • None

      What were you trying to do that didn't work?

      Customer wants to use the VNC service is configured to use PAM authentication, as described in How to use PAM authentication with Virtual Network Computing (VNC) on Red Hat Enterprise Linux along with XDMCP and shared sessions and would like to force multiple VNC clients to log in as the same user.

      Please provide the package NVR for which bug is seen:

      tigervnc-server-1.13.1-2.el8_9.10

      How reproducible:

      Always

      Steps to reproduce

      1. Configure gdm to accept XDMCP queries, in /etc/gdm/custom.conf:
        [xdmcp]
        Enable=true 
      1. Create the systemd unit file /etc/systemd/system/vnc-xdmc.service with the following contents:
        [Unit]
        Description=VNC XDMCP Daemon
        
        [Service]
        ExecStart=-/usr/bin/Xvnc -query localhost -once -Log *:stderr:100 rfbport=5900 securitytypes=TLSPlain PlainUsers=* pam_service=gdm-password AlwaysShared=1
        User=root
        StandardError=syslog
        
        [Install]
        WantedBy=multi-user.target
        
      1. Start the service with:
        # systemctl daemon-reload
        # systemctl enable --now vnc-xdmcp.service
      1. On a remote machine, connect to the VNC service twice:
        $ vncviewer -SecurityTypes TLSPlain <server-name>:0 &
        $ vncviewer -SecurityTypes TLSPlain <server-name>:0 &

      This is a slightly modified version of the VNC+XDMCP method described in How do I configure XDMCP over TigerVNC for Red Hat Enterprise Linux 7 and later?.

      Expected results

      The second connection should be forced to authenticate as the same user of the first connection.

      Actual results

      The second connection can be authenticated as a different user, so the login made via GDM can be accessed by a different user.

              jgrulich@redhat.com Jan Grulich
              rhn-support-casantos Carlos Santos
              Jan Grulich Jan Grulich
              Radek Duda Radek Duda
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated: