
fix(security): harden VNC to require password authentication (#1939, #1940)#1941

Merged
mrveiss merged 2 commits into Dev_new_gui from fix/issue-1939 on Mar 20, 2026

Conversation


@mrveiss mrveiss commented Mar 19, 2026

Summary

All 3 VNC scripts/templates in the repo used -SecurityTypes None --I-KNOW-THIS-IS-INSECURE, allowing unauthenticated remote desktop access to anyone on the network.

Changes

| File | Before | After |
|---|---|---|
| browser-vnc.service | No auth, no passwd check | VncAuth + TLSVnc, ExecStartPre passwd check |
| setup_browser_vnc.sh | No auth | VncAuth, adds password setup step (step 2/7) |
| start-isolated-vnc.sh | No auth, stale IP 192.168.168.17 | VncAuth, passwd check, fixed output |
| .gitignore | certs/ blocks docker/certs/ | Added !docker/certs/ negation (#1940) |

Security details

  • All VNC servers now use VncAuth,TLSVnc (password + optional TLS)
  • Scripts verify ~/.vnc/passwd exists before starting VNC
  • setup_browser_vnc.sh prompts to create password if missing
  • Services already masked on .25 (chore: mask stale autobot-vnc service on node .25 #1904) — these template fixes prevent re-deploying insecure services

Closes #1939
Closes #1940

Test plan

  • Verify browser-vnc.service fails to start without ~/.vnc/passwd
  • Run setup_browser_vnc.sh — confirm it prompts for password
  • Run start-isolated-vnc.sh — confirm password required to connect
  • Verify git add docker/certs/generate-self-signed.sh works without -f
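The pre-start password check and the hardened security-type switch described in this PR, as an added example (not code from the PR or the repository): a POSIX sh pre-flight that refuses to produce server arguments unless a usable `passwd` file exists, and an audit helper that flags command lines still carrying the old insecure flags. The `vnc_passwd_ok`, `vnc_securitytypes_audit` and `vnc_server_args` names and the path handling are assumptions.

```sh
#!/bin/sh
# Added example, not the PR's code. Mirrors the idea of an ExecStartPre
# check: a VNC server must not start without a password file in place.

# Return 0 when the passwd file is usable: present, non-empty, mode 0600.
# (VNC password files are secrets; group/world-readable ones are rejected.)
vnc_passwd_ok() {
    f="$1"
    [ -s "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null) || return 1
    [ "$mode" = "600" ]
}

# Classify a server command line: the pre-fix pattern from the PR
# (-SecurityTypes None with the override flag) is "insecure".
vnc_securitytypes_audit() {
    case "$1" in
        *"-SecurityTypes None"*|*"I-KNOW-THIS-IS-INSECURE"*) echo insecure ;;
        *"-SecurityTypes VncAuth"*)                           echo ok ;;
        *)                                                    echo unknown ;;
    esac
}

# Build the hardened argument string (VncAuth,TLSVnc as in the PR) only
# when the passwd check passes; otherwise print nothing and fail, so a
# wrapper script or systemd unit aborts instead of starting unauthenticated.
vnc_server_args() {
    passwd_file="$1"
    vnc_passwd_ok "$passwd_file" || return 1
    printf '%s' "-SecurityTypes VncAuth,TLSVnc -PasswordFile $passwd_file"
}

# Stand-alone demo with a constructed placeholder passwd file (real files
# are written by vncpasswd; the contents are irrelevant to the check).
if [ "${0##*/}" = "vnc_preflight_example.sh" ]; then
    d=$(mktemp -d)
    printf 'placeholder-not-a-real-vnc-passwd' > "$d/passwd"
    chmod 600 "$d/passwd"
    vnc_server_args "$d/passwd" && echo
    vnc_securitytypes_audit 'x0vncserver -SecurityTypes None --I-KNOW-THIS-IS-INSECURE'
    rm -rf "$d"
fi
```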

…1939)

All VNC scripts/templates previously used -SecurityTypes None with
--I-KNOW-THIS-IS-INSECURE, allowing unauthenticated remote desktop
access to anyone on the network.

Changes:
- browser-vnc.service: switch to VncAuth,TLSVnc + add passwd check
- setup_browser_vnc.sh: add VNC password verification step, use VncAuth
- start-isolated-vnc.sh: use VncAuth, fix stale IP, add passwd check
- .gitignore: un-ignore docker/certs/ for tracked scripts (#1940)
@github-actions

✅ SSOT Configuration Compliance: Passing

🎉 No hardcoded values detected that have SSOT config equivalents!

- vnc_manager.py: replace SecurityTypes None with VncAuth,TLSVnc
  (this is the main runtime path when users open noVNC tab)
- fix-vnc-desktop.sh: replace hardcoded "kali" password with random
  generation via openssl rand (accepts VNC_PASSWORD env var override)
- fix-vnc-wsl.sh: same hardcoded password removal