Security: VNC scripts deploy no-auth servers — network-accessible without password

[mrveiss]

Problem

3 files in the repo deploy VNC servers with -SecurityTypes None --I-KNOW-THIS-IS-INSECURE, giving anyone on the network full remote desktop access without a password:

1. autobot-infrastructure/shared/scripts/infrastructure/browser-vnc.service (line 10)
   Systemd unit template — this was deployed to .25 and masked in chore: mask stale autobot-vnc service on node .25 #1904, but the template still exists.

2. autobot-infrastructure/shared/scripts/setup_browser_vnc.sh (lines 43-45)
   Automated setup script that SSHs to .25 and creates the insecure VNC.

3. autobot-infrastructure/shared/scripts/utilities/start-isolated-vnc.sh (lines 21-23)
   Utility script. Also has stale IP 192.168.168.17 (wrong subnet — should be 172.16.168.x).

Risk

Anyone on the 172.16.168.0/24 network can connect to port 5901 and get full desktop access — no password prompt. On .25 this is now masked (#1904), but re-running setup_browser_vnc.sh would re-create the insecure service.

Proposed Fix

• Replace -SecurityTypes None with -SecurityTypes VncAuth in all 3 files
• Remove --I-KNOW-THIS-IS-INSECURE flag
• Ensure ~/.vnc/passwd is set during setup
• Fix stale 192.168.168.17 IP in start-isolated-vnc.sh
• Consider whether browser-vnc.service template should be deleted (since chore: mask stale autobot-vnc service on node .25 #1904 masked the service)

Discovered During

Investigating #1904 (mask stale VNC on .25)

Impact

Priority: high — unauthenticated remote desktop access on internal network

[mrveiss]

Merged in PR #1941. VNC hardened with VncAuth,TLSVnc. Hardcoded passwords replaced with random generation.