From 308832f98679ca74f5d3975357c18c6268d650bd Mon Sep 17 00:00:00 2001
From: Devaev Maxim
Date: Mon, 15 Feb 2021 05:35:50 +0300
Subject: [PATCH] enbaled x509 vnc by default
---
 configs/kvmd/main/v0-hdmi-rpi.yaml | 10 +++++-----
 configs/kvmd/main/v0-hdmi-rpi2.yaml | 10 +++++-----
 configs/kvmd/main/v0-hdmi-rpi3.yaml | 10 +++++-----
 configs/kvmd/main/v0-hdmi-zerow.yaml | 10 +++++-----
 configs/kvmd/main/v0-hdmiusb-rpi.yaml | 10 +++++-----
 configs/kvmd/main/v0-hdmiusb-rpi2.yaml | 10 +++++-----
 configs/kvmd/main/v0-hdmiusb-rpi3.yaml | 10 +++++-----
 configs/kvmd/main/v0-hdmiusb-zerow.yaml | 10 +++++-----
 configs/kvmd/main/v2-hdmi-rpi3.yaml | 10 +++++-----
 configs/kvmd/main/v2-hdmi-rpi4.yaml | 10 +++++-----
 configs/kvmd/main/v2-hdmi-zerow.yaml | 10 +++++-----
 configs/kvmd/main/v2-hdmiusb-generic.yaml | 10 +++++-----
 configs/kvmd/main/v2-hdmiusb-rpi4.yaml | 10 +++++-----
 kvmd/apps/__init__.py | 2 +-
 web/vnc/index.html | 10 +++++-----
 web/vnc/index.pug | 10 +++++-----
 16 files changed, 76 insertions(+), 76 deletions(-)
diff --git a/configs/kvmd/main/v0-hdmi-rpi.yaml b/configs/kvmd/main/v0-hdmi-rpi.yaml
index 92b21484..a005e824 100644
--- a/configs/kvmd/main/v0-hdmi-rpi.yaml
+++ b/configs/kvmd/main/v0-hdmi-rpi.yaml
@@ -60,8 +60,8 @@ vnc:
 streamer:
 unix: /run/kvmd/ustreamer.sock
-# server:
-# tls:
-# x509:
-# cert: /etc/kvmd/nginx/ssl/server.crt
-# key: /etc/kvmd/nginx/ssl/server.key
+ server:
+ tls:
+ x509:
+ cert: /etc/kvmd/vnc/ssl/server.crt
+ key: /etc/kvmd/vnc/ssl/server.key
diff --git a/configs/kvmd/main/v0-hdmi-rpi2.yaml b/configs/kvmd/main/v0-hdmi-rpi2.yaml
index 62af93f9..4f208ac7 100644
--- a/configs/kvmd/main/v0-hdmi-rpi2.yaml
+++ b/configs/kvmd/main/v0-hdmi-rpi2.yaml
@@ -61,8 +61,8 @@ vnc:
 streamer:
 unix: /run/kvmd/ustreamer.sock
-# server:
-# tls:
-# x509:
-# cert: /etc/kvmd/nginx/ssl/server.crt
-# key: /etc/kvmd/nginx/ssl/server.key
+ server:
+ tls:
+ x509:
+ cert: /etc/kvmd/vnc/ssl/server.crt
+ key: /etc/kvmd/vnc/ssl/server.key
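Review bot: The enabled `x509` block points at `/etc/kvmd/vnc/ssl/server.crt` and `server.key`, a directory the old commented-out example did not use, and none of the 16 files in this patch creates or ships that key pair. Since the config scheme checks both options with `valid_abs_file`, an existing install that takes the new default without the files in place may fail validation or come up without usable TLS; this looks likely but depends on packaging that is not visible here. The same five lines are repeated in all thirteen `configs/kvmd/main/*.yaml` hunks. I would add a comment above the block such as `# Key pair is generated at install time; the key must be readable only by the VNC daemon's user`, and confirm the package scripts generate the pair with restrictive permissions before this default lands.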
diff --git a/configs/kvmd/main/v0-hdmi-rpi3.yaml b/configs/kvmd/main/v0-hdmi-rpi3.yaml
index 92b21484..a005e824 100644
--- a/configs/kvmd/main/v0-hdmi-rpi3.yaml
+++ b/configs/kvmd/main/v0-hdmi-rpi3.yaml
@@ -60,8 +60,8 @@ vnc:
 streamer:
 unix: /run/kvmd/ustreamer.sock
-# server:
-# tls:
-# x509:
-# cert: /etc/kvmd/nginx/ssl/server.crt
-# key: /etc/kvmd/nginx/ssl/server.key
+ server:
+ tls:
+ x509:
+ cert: /etc/kvmd/vnc/ssl/server.crt
+ key: /etc/kvmd/vnc/ssl/server.key
diff --git a/configs/kvmd/main/v0-hdmi-zerow.yaml b/configs/kvmd/main/v0-hdmi-zerow.yaml
index 9a0275c1..eb589caa 100644
--- a/configs/kvmd/main/v0-hdmi-zerow.yaml
+++ b/configs/kvmd/main/v0-hdmi-zerow.yaml
@@ -61,8 +61,8 @@ vnc:
 streamer:
 unix: /run/kvmd/ustreamer.sock
-# server:
-# tls:
-# x509:
-# cert: /etc/kvmd/nginx/ssl/server.crt
-# key: /etc/kvmd/nginx/ssl/server.key
+ server:
+ tls:
+ x509:
+ cert: /etc/kvmd/vnc/ssl/server.crt
+ key: /etc/kvmd/vnc/ssl/server.key
diff --git a/configs/kvmd/main/v0-hdmiusb-rpi.yaml b/configs/kvmd/main/v0-hdmiusb-rpi.yaml
index 4e11fb10..215cddd3 100644
--- a/configs/kvmd/main/v0-hdmiusb-rpi.yaml
+++ b/configs/kvmd/main/v0-hdmiusb-rpi.yaml
@@ -72,8 +72,8 @@ vnc:
 streamer:
 unix: /run/kvmd/ustreamer.sock
-# server:
-# tls:
-# x509:
-# cert: /etc/kvmd/nginx/ssl/server.crt
-# key: /etc/kvmd/nginx/ssl/server.key
+ server:
+ tls:
+ x509:
+ cert: /etc/kvmd/vnc/ssl/server.crt
+ key: /etc/kvmd/vnc/ssl/server.key
diff --git a/configs/kvmd/main/v0-hdmiusb-rpi2.yaml b/configs/kvmd/main/v0-hdmiusb-rpi2.yaml
index 4e11fb10..215cddd3 100644
--- a/configs/kvmd/main/v0-hdmiusb-rpi2.yaml
+++ b/configs/kvmd/main/v0-hdmiusb-rpi2.yaml
@@ -72,8 +72,8 @@ vnc:
 streamer:
 unix: /run/kvmd/ustreamer.sock
-# server:
-# tls:
-# x509:
-# cert: /etc/kvmd/nginx/ssl/server.crt
-# key: /etc/kvmd/nginx/ssl/server.key
+ server:
+ tls:
+ x509:
+ cert: /etc/kvmd/vnc/ssl/server.crt
+ key: /etc/kvmd/vnc/ssl/server.key
diff --git a/configs/kvmd/main/v0-hdmiusb-rpi3.yaml b/configs/kvmd/main/v0-hdmiusb-rpi3.yaml
index 4e11fb10..215cddd3 100644
--- a/configs/kvmd/main/v0-hdmiusb-rpi3.yaml
+++ b/configs/kvmd/main/v0-hdmiusb-rpi3.yaml
@@ -72,8 +72,8 @@ vnc:
 streamer:
 unix: /run/kvmd/ustreamer.sock
-# server:
-# tls:
-# x509:
-# cert: /etc/kvmd/nginx/ssl/server.crt
-# key: /etc/kvmd/nginx/ssl/server.key
+ server:
+ tls:
+ x509:
+ cert: /etc/kvmd/vnc/ssl/server.crt
+ key: /etc/kvmd/vnc/ssl/server.key
diff --git a/configs/kvmd/main/v0-hdmiusb-zerow.yaml b/configs/kvmd/main/v0-hdmiusb-zerow.yaml
index 4e11fb10..215cddd3 100644
--- a/configs/kvmd/main/v0-hdmiusb-zerow.yaml
+++ b/configs/kvmd/main/v0-hdmiusb-zerow.yaml
@@ -72,8 +72,8 @@ vnc:
 streamer:
 unix: /run/kvmd/ustreamer.sock
-# server:
-# tls:
-# x509:
-# cert: /etc/kvmd/nginx/ssl/server.crt
-# key: /etc/kvmd/nginx/ssl/server.key
+ server:
+ tls:
+ x509:
+ cert: /etc/kvmd/vnc/ssl/server.crt
+ key: /etc/kvmd/vnc/ssl/server.key
diff --git a/configs/kvmd/main/v2-hdmi-rpi3.yaml b/configs/kvmd/main/v2-hdmi-rpi3.yaml
index 7fd4f44d..01f61794 100644
--- a/configs/kvmd/main/v2-hdmi-rpi3.yaml
+++ b/configs/kvmd/main/v2-hdmi-rpi3.yaml
@@ -62,8 +62,8 @@ vnc:
 streamer:
 unix: /run/kvmd/ustreamer.sock
-# server:
-# tls:
-# x509:
-# cert: /etc/kvmd/nginx/ssl/server.crt
-# key: /etc/kvmd/nginx/ssl/server.key
+ server:
+ tls:
+ x509:
+ cert: /etc/kvmd/vnc/ssl/server.crt
+ key: /etc/kvmd/vnc/ssl/server.key
diff --git a/configs/kvmd/main/v2-hdmi-rpi4.yaml b/configs/kvmd/main/v2-hdmi-rpi4.yaml
index ac58879e..5042470c 100644
--- a/configs/kvmd/main/v2-hdmi-rpi4.yaml
+++ b/configs/kvmd/main/v2-hdmi-rpi4.yaml
@@ -76,8 +76,8 @@ vnc:
 # h264:
 # sink: "kvmd::ustreamer::h264"
-# server:
-# tls:
-# x509:
-# cert: /etc/kvmd/nginx/ssl/server.crt
-# key: /etc/kvmd/nginx/ssl/server.key
+ server:
+ tls:
+ x509:
+ cert: /etc/kvmd/vnc/ssl/server.crt
+ key: /etc/kvmd/vnc/ssl/server.key
diff --git a/configs/kvmd/main/v2-hdmi-zerow.yaml b/configs/kvmd/main/v2-hdmi-zerow.yaml
index bbe83def..cf0fa6f4 100644
--- a/configs/kvmd/main/v2-hdmi-zerow.yaml
+++ b/configs/kvmd/main/v2-hdmi-zerow.yaml
@@ -63,8 +63,8 @@ vnc:
 streamer:
 unix: /run/kvmd/ustreamer.sock
-# server:
-# tls:
-# x509:
-# cert: /etc/kvmd/nginx/ssl/server.crt
-# key: /etc/kvmd/nginx/ssl/server.key
+ server:
+ tls:
+ x509:
+ cert: /etc/kvmd/vnc/ssl/server.crt
+ key: /etc/kvmd/vnc/ssl/server.key
diff --git a/configs/kvmd/main/v2-hdmiusb-generic.yaml b/configs/kvmd/main/v2-hdmiusb-generic.yaml
index b6671df2..8df381b2 100644
--- a/configs/kvmd/main/v2-hdmiusb-generic.yaml
+++ b/configs/kvmd/main/v2-hdmiusb-generic.yaml
@@ -70,8 +70,8 @@ vnc:
 streamer:
 unix: /run/kvmd/ustreamer.sock
-# server:
-# tls:
-# x509:
-# cert: /etc/kvmd/nginx/ssl/server.crt
-# key: /etc/kvmd/nginx/ssl/server.key
+ server:
+ tls:
+ x509:
+ cert: /etc/kvmd/vnc/ssl/server.crt
+ key: /etc/kvmd/vnc/ssl/server.key
diff --git a/configs/kvmd/main/v2-hdmiusb-rpi4.yaml b/configs/kvmd/main/v2-hdmiusb-rpi4.yaml
index 3f03fb69..8fb78245 100644
--- a/configs/kvmd/main/v2-hdmiusb-rpi4.yaml
+++ b/configs/kvmd/main/v2-hdmiusb-rpi4.yaml
@@ -74,8 +74,8 @@ vnc:
 streamer:
 unix: /run/kvmd/ustreamer.sock
-# server:
-# tls:
-# x509:
-# cert: /etc/kvmd/nginx/ssl/server.crt
-# key: /etc/kvmd/nginx/ssl/server.key
+ server:
+ tls:
+ x509:
+ cert: /etc/kvmd/vnc/ssl/server.crt
+ key: /etc/kvmd/vnc/ssl/server.key
diff --git a/kvmd/apps/__init__.py b/kvmd/apps/__init__.py
index d126a949..557a611a 100644
--- a/kvmd/apps/__init__.py
+++ b/kvmd/apps/__init__.py
@@ -585,7 +585,7 @@ def _get_config_scheme() -> Dict:
 "tls": {
 "ciphers": Option("ALL:@SECLEVEL=0", type=_make_ifarg(valid_ssl_ciphers, "")),
- "timeout": Option(5.0, type=valid_float_f01),
+ "timeout": Option(30.0, type=valid_float_f01),
 "x509": {
 "cert": Option("", type=_make_ifarg(valid_abs_file, "")),
 "key": Option("", type=_make_ifarg(valid_abs_file, "")),
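Review bot: The `ciphers` default `ALL:@SECLEVEL=0` in this hunk's context is left untouched while the same commit turns X.509 on in every shipped config, so certificate-backed sessions can still negotiate whatever legacy suites the OpenSSL build offers. If security level 0 is only needed for a certificate-less TLS mode (an assumption, not visible here), consider a stricter default when `x509.cert` is set, or at least a comment on that line saying why level 0 is required. The `timeout` change from 5.0 to 30.0 is also unexplained; a comment such as `# TLS handshake budget; 5 s was too short for slow clients` would help, and if this is the handshake timeout the longer window lets unauthenticated peers hold a connection open six times longer. `_get_config_scheme` starts and ends outside the hunk.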
diff --git a/web/vnc/index.html b/web/vnc/index.html
index 1d47d971..d88cabb8 100644
--- a/web/vnc/index.html
+++ b/web/vnc/index.html
@@ -45,13 +45,13 @@
  ←   [ Pi-KVM Index ]

This Pi-KVM device has running kvmd-vnc daemon and provides VNC access to the server.

-

WARNING! We strongly don't recommend you to use VNC in untrusted networks. - The current implementation does not use encryption, and your passwords are transmitted - over the network in a plain text. +

WARNING! We strongly don't recommend you to use VNC in untrusted networks without + enabled X.509 or TLS encryption. Otherwise your passwords are transmitted in a plain text + over the network.

- Your VNC client must support Tight JPEG compression, password authentication and allow - connection without encryption. TigerVNC is a good choice. + Your VNC client must support Tight JPEG compression and password authentication. + TigerVNC is a good choice. On Linux, this client will most likely be available for installation from the repository. It can also be called vncviewer.

diff --git a/web/vnc/index.pug b/web/vnc/index.pug
index ab8be68e..fbab5e25 100644
--- a/web/vnc/index.pug
+++ b/web/vnc/index.pug
@@ -9,12 +9,12 @@ block start
 p(class="text")
 | This Pi-KVM device has running #[b kvmd-vnc] daemon and provides VNC access to the server.
 p(class="text")
- | #[b WARNING!] We strongly don't recommend you to use VNC in untrusted networks.
- | The current implementation does not use encryption, and your passwords are transmitted
- | over the network in a plain text.
+ | #[b WARNING!] We strongly don't recommend you to use VNC in untrusted networks without
+ | enabled X.509 or TLS encryption. Otherwise your passwords are transmitted in a plain text
+ | over the network.
 p(class="text")
- | Your VNC client must support Tight JPEG compression, password authentication and allow
- | connection without encryption. #[a(href="https://tigervnc.org") TigerVNC] is a good choice.
+ | Your VNC client must support Tight JPEG compression and password authentication.
+ | #[a(href="https://tigervnc.org") TigerVNC] is a good choice.
 | On Linux, this client will most likely be available for installation from the repository.
 | It can also be called vncviewer.
 div(id="vnc-text" class="code" style="max-height:200px")
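Review bot: The reworded warning presents "X.509 or TLS encryption" as equally sufficient, but encryption only protects the password from an active man-in-the-middle when the client actually verifies the server certificate, and the shipped certificate is presumably self-signed. I would add a line after the warning such as `| With X.509, verify or pin the server certificate in your client; TLS without certificate checking only stops passive sniffing.` The page also no longer tells users that unencrypted connections are still accepted, which the text implies they are; say so, or state that they are refused, whichever matches the daemon. The same wording appears in the web/vnc/index.html hunk.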