password in clear text in config file

[mrsteve0924]

is there a way to use an encrypted password file like tigervnc has?

[any1]

There are multiple authentication methods supported. The password would have to be hashed separately for all of them.

[mrsteve0924]

i dont see anything in the man pages or README about password files.

in tigervnc if i issue the command vncpasswd it will ask for a new password and store an obfuscated version of it to a password file. i can then pass it as an option to the vncserver command.

[any1]

I didn't say that password files were supported.

From vncpasswd(1):

The password must be at least six characters long (unless the -f command-line
option is used-- see below), and only the first eight characters are signifi‐
cant. Note that the stored password is not encrypted securely - anyone who
has access to this file can trivially find out the plain-text password, so
vncpasswd always sets appropriate permissions (read and write only by the
owner.) However, when accessing a VNC desktop, a challenge-response mecha‐
nism is used over the wire making it hard for anyone to crack the password
simply by snooping on the network.

So, what's the point?

[mrsteve0924]

well that is interesting. i dont know why they say "can trivially find out the plain text password" , when i open my password file, it is just a mess of random characters. i tried searching for some tools to read this file as plain text, found one but it was for Windows.

so it is what it is i guess. thanks for the help.

[Consolatis]

Here you go: https://github.com/TigerVNC/tigervnc/blob/master/common/rfb/obfuscate.cxx

So its d3des with a publicly known key.
Basically the only reason I can imagine this exists is to address the 'somebody-looking-over-the-shoulder' factor.

[mrsteve0924]

yes as i am reading more about it, their password encryption does seem pretty useless. even their source code has a warning about it
// XXX not thread-safe, because d3des isn't - do we need to worry about this?