enbaled x509 vnc by default

2025-12-13 01:30:31 +08:00 · 2021-02-15 05:35:50 +03:00 · 2021-02-15 05:35:50 +03:00 · 308832f986
commit 308832f986
parent dc5a07adb3
16 changed files with 76 additions and 76 deletions
--- a/configs/kvmd/main/v0-hdmi-rpi.yaml
+++ b/configs/kvmd/main/v0-hdmi-rpi.yaml
@ -60,8 +60,8 @@ vnc:
    streamer:
        unix: /run/kvmd/ustreamer.sock

-#    server:
-#        tls:
-#            x509:
-#                cert: /etc/kvmd/nginx/ssl/server.crt
-#                key: /etc/kvmd/nginx/ssl/server.key
+    server:
+        tls:
+            x509:
+                cert: /etc/kvmd/vnc/ssl/server.crt
+                key: /etc/kvmd/vnc/ssl/server.key
--- a/configs/kvmd/main/v0-hdmi-rpi2.yaml
+++ b/configs/kvmd/main/v0-hdmi-rpi2.yaml
@ -61,8 +61,8 @@ vnc:
    streamer:
        unix: /run/kvmd/ustreamer.sock

-#    server:
-#        tls:
-#            x509:
-#                cert: /etc/kvmd/nginx/ssl/server.crt
-#                key: /etc/kvmd/nginx/ssl/server.key
+    server:
+        tls:
+            x509:
+                cert: /etc/kvmd/vnc/ssl/server.crt
+                key: /etc/kvmd/vnc/ssl/server.key
--- a/configs/kvmd/main/v0-hdmi-rpi3.yaml
+++ b/configs/kvmd/main/v0-hdmi-rpi3.yaml
@ -60,8 +60,8 @@ vnc:
    streamer:
        unix: /run/kvmd/ustreamer.sock

-#    server:
-#        tls:
-#            x509:
-#                cert: /etc/kvmd/nginx/ssl/server.crt
-#                key: /etc/kvmd/nginx/ssl/server.key
+    server:
+        tls:
+            x509:
+                cert: /etc/kvmd/vnc/ssl/server.crt
+                key: /etc/kvmd/vnc/ssl/server.key
--- a/configs/kvmd/main/v0-hdmi-zerow.yaml
+++ b/configs/kvmd/main/v0-hdmi-zerow.yaml
@ -61,8 +61,8 @@ vnc:
    streamer:
        unix: /run/kvmd/ustreamer.sock

-#    server:
-#        tls:
-#            x509:
-#                cert: /etc/kvmd/nginx/ssl/server.crt
-#                key: /etc/kvmd/nginx/ssl/server.key
+    server:
+        tls:
+            x509:
+                cert: /etc/kvmd/vnc/ssl/server.crt
+                key: /etc/kvmd/vnc/ssl/server.key
--- a/configs/kvmd/main/v0-hdmiusb-rpi.yaml
+++ b/configs/kvmd/main/v0-hdmiusb-rpi.yaml
@ -72,8 +72,8 @@ vnc:
    streamer:
        unix: /run/kvmd/ustreamer.sock

-#    server:
-#        tls:
-#            x509:
-#                cert: /etc/kvmd/nginx/ssl/server.crt
-#                key: /etc/kvmd/nginx/ssl/server.key
+    server:
+        tls:
+            x509:
+                cert: /etc/kvmd/vnc/ssl/server.crt
+                key: /etc/kvmd/vnc/ssl/server.key
--- a/configs/kvmd/main/v0-hdmiusb-rpi2.yaml
+++ b/configs/kvmd/main/v0-hdmiusb-rpi2.yaml
@ -72,8 +72,8 @@ vnc:
    streamer:
        unix: /run/kvmd/ustreamer.sock

-#    server:
-#        tls:
-#            x509:
-#                cert: /etc/kvmd/nginx/ssl/server.crt
-#                key: /etc/kvmd/nginx/ssl/server.key
+    server:
+        tls:
+            x509:
+                cert: /etc/kvmd/vnc/ssl/server.crt
+                key: /etc/kvmd/vnc/ssl/server.key
--- a/configs/kvmd/main/v0-hdmiusb-rpi3.yaml
+++ b/configs/kvmd/main/v0-hdmiusb-rpi3.yaml
@ -72,8 +72,8 @@ vnc:
    streamer:
        unix: /run/kvmd/ustreamer.sock

-#    server:
-#        tls:
-#            x509:
-#                cert: /etc/kvmd/nginx/ssl/server.crt
-#                key: /etc/kvmd/nginx/ssl/server.key
+    server:
+        tls:
+            x509:
+                cert: /etc/kvmd/vnc/ssl/server.crt
+                key: /etc/kvmd/vnc/ssl/server.key
--- a/configs/kvmd/main/v0-hdmiusb-zerow.yaml
+++ b/configs/kvmd/main/v0-hdmiusb-zerow.yaml
@ -72,8 +72,8 @@ vnc:
    streamer:
        unix: /run/kvmd/ustreamer.sock

-#    server:
-#        tls:
-#            x509:
-#                cert: /etc/kvmd/nginx/ssl/server.crt
-#                key: /etc/kvmd/nginx/ssl/server.key
+    server:
+        tls:
+            x509:
+                cert: /etc/kvmd/vnc/ssl/server.crt
+                key: /etc/kvmd/vnc/ssl/server.key
--- a/configs/kvmd/main/v2-hdmi-rpi3.yaml
+++ b/configs/kvmd/main/v2-hdmi-rpi3.yaml
@ -62,8 +62,8 @@ vnc:
    streamer:
        unix: /run/kvmd/ustreamer.sock

-#    server:
-#        tls:
-#            x509:
-#                cert: /etc/kvmd/nginx/ssl/server.crt
-#                key: /etc/kvmd/nginx/ssl/server.key
+    server:
+        tls:
+            x509:
+                cert: /etc/kvmd/vnc/ssl/server.crt
+                key: /etc/kvmd/vnc/ssl/server.key
--- a/configs/kvmd/main/v2-hdmi-rpi4.yaml
+++ b/configs/kvmd/main/v2-hdmi-rpi4.yaml
@ -76,8 +76,8 @@ vnc:
 #        h264:
 #            sink: "kvmd::ustreamer::h264"

-#    server:
-#        tls:
-#            x509:
-#                cert: /etc/kvmd/nginx/ssl/server.crt
-#                key: /etc/kvmd/nginx/ssl/server.key
+    server:
+        tls:
+            x509:
+                cert: /etc/kvmd/vnc/ssl/server.crt
+                key: /etc/kvmd/vnc/ssl/server.key
--- a/configs/kvmd/main/v2-hdmi-zerow.yaml
+++ b/configs/kvmd/main/v2-hdmi-zerow.yaml
@ -63,8 +63,8 @@ vnc:
    streamer:
        unix: /run/kvmd/ustreamer.sock

-#    server:
-#        tls:
-#            x509:
-#                cert: /etc/kvmd/nginx/ssl/server.crt
-#                key: /etc/kvmd/nginx/ssl/server.key
+    server:
+        tls:
+            x509:
+                cert: /etc/kvmd/vnc/ssl/server.crt
+                key: /etc/kvmd/vnc/ssl/server.key
--- a/configs/kvmd/main/v2-hdmiusb-generic.yaml
+++ b/configs/kvmd/main/v2-hdmiusb-generic.yaml
@ -70,8 +70,8 @@ vnc:
    streamer:
        unix: /run/kvmd/ustreamer.sock

-#    server:
-#        tls:
-#            x509:
-#                cert: /etc/kvmd/nginx/ssl/server.crt
-#                key: /etc/kvmd/nginx/ssl/server.key
+    server:
+        tls:
+            x509:
+                cert: /etc/kvmd/vnc/ssl/server.crt
+                key: /etc/kvmd/vnc/ssl/server.key
--- a/configs/kvmd/main/v2-hdmiusb-rpi4.yaml
+++ b/configs/kvmd/main/v2-hdmiusb-rpi4.yaml
@ -74,8 +74,8 @@ vnc:
    streamer:
        unix: /run/kvmd/ustreamer.sock

-#    server:
-#        tls:
-#            x509:
-#                cert: /etc/kvmd/nginx/ssl/server.crt
-#                key: /etc/kvmd/nginx/ssl/server.key
+    server:
+        tls:
+            x509:
+                cert: /etc/kvmd/vnc/ssl/server.crt
+                key: /etc/kvmd/vnc/ssl/server.key
--- a/kvmd/apps/init.py
+++ b/kvmd/apps/init.py
@ -585,7 +585,7 @@ def _get_config_scheme() -> Dict:

                "tls": {
                    "ciphers": Option("ALL:@SECLEVEL=0", type=_make_ifarg(valid_ssl_ciphers, "")),
-                    "timeout": Option(5.0, type=valid_float_f01),
+                    "timeout": Option(30.0, type=valid_float_f01),
                    "x509": {
                        "cert": Option("", type=_make_ifarg(valid_abs_file, "")),
                        "key":  Option("", type=_make_ifarg(valid_abs_file, "")),
--- a/web/vnc/index.html
+++ b/web/vnc/index.html
@ -45,13 +45,13 @@
      <div class="start"><a style="display:inline-block; margin-top:4px; color:#5c90bc; text-decoration:none" href="/">&nbsp;&nbsp;&larr;&nbsp;&nbsp; [ Pi-KVM Index ]</a>
        <hr>
        <p class="text">This Pi-KVM device has running <b>kvmd-vnc</b> daemon and provides VNC access to the server.</p>
-        <p class="text"><b>WARNING!</b> We strongly don't recommend you to use VNC in untrusted networks.
-          The current implementation does not use encryption, and your passwords are transmitted
-          over the network in a plain text.
+        <p class="text"><b>WARNING!</b> We strongly don't recommend you to use VNC in untrusted networks without
+          enabled X.509 or TLS encryption. Otherwise your passwords are transmitted in a plain text
+          over the network.
        </p>
        <p class="text">
-          Your VNC client must support Tight JPEG compression, password authentication and allow
-          connection without encryption. <a href="https://tigervnc.org">TigerVNC</a> is a good choice.
+          Your VNC client must support Tight JPEG compression and password authentication.
+          <a href="https://tigervnc.org">TigerVNC</a> is a good choice.
          On Linux, this client will most likely be available for installation from the repository.
          It can also be called vncviewer.
        </p>
--- a/web/vnc/index.pug
+++ b/web/vnc/index.pug
@ -9,12 +9,12 @@ block start
 	p(class="text")
 		| This Pi-KVM device has running #[b kvmd-vnc] daemon and provides VNC access to the server.
 	p(class="text")
-		| #[b WARNING!] We strongly don't recommend you to use VNC in untrusted networks.
-		| The current implementation does not use encryption, and your passwords are transmitted
-		| over the network in a plain text.
+		| #[b WARNING!] We strongly don't recommend you to use VNC in untrusted networks without
+		| enabled X.509 or TLS encryption. Otherwise your passwords are transmitted in a plain text
+		| over the network.
 	p(class="text")
-		| Your VNC client must support Tight JPEG compression, password authentication and allow
-		| connection without encryption. #[a(href="https://tigervnc.org") TigerVNC] is a good choice.
+		| Your VNC client must support Tight JPEG compression and password authentication.
+		| #[a(href="https://tigervnc.org") TigerVNC] is a good choice.
 		| On Linux, this client will most likely be available for installation from the repository.
 		| It can also be called vncviewer.
 	div(id="vnc-text" class="code" style="max-height:200px")