Bug 353078 (CVE-2011-0011) - app-emulation/qemu-kvm: setting VNC password to empty string silently disables all authentication (CVE-2011-0011)
Status: RESOLVED INVALID
Alias: CVE-2011-0011
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [ebuild]
Reported: 2011-01-28 18:20 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2012-06-27 22:28 UTC
Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-28 18:20:59 UTC
Description of problem:
The semantics of the ',password' option to -vnc are that it enables the VNC
auth scheme. If the VNC server password is unset or empty string, all attempts
to authenticate with the server will be explicitly blocked.

This allows applications to enable and selectively allow access for a period of
time, before clearing the password again to prevent further access.

See also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611134
https://bugzilla.redhat.com/show_bug.cgi?id=668589
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2011-02-01 13:06:54 UTC
As far as I understand it, an empty password means no authentication.

See explanation here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611134#10
Comment 2 Doug Goldstein (RETIRED) gentoo-dev 2011-02-01 21:06:27 UTC
No. An empty password means no
(In reply to comment #1)
> As far as I understand it, an empty password means no authentication.
> 
> See explanation here:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611134#10
> 

Incorrect. You're grabbing the opinion of some person commenting on a Debian bug. The actual documentation reads as follows:

# The default VNC password. Only 8 letters are significant for
# VNC passwords. This parameter is only used if the per-domain
# XML config does not already provide a password. To allow
# access without passwords, leave this commented out. An empty
# string will still enable passwords, but be rejected by QEMU
# effectively preventing any use of VNC.
Comment 3 Doug Goldstein (RETIRED) gentoo-dev 2011-05-27 23:18:33 UTC
This was determined to not be an error at all but in fact a misunderstanding of how VNC authentication worked. A blank password is meant to remove authentication and that's how applications that use qemu-kvm expect it to behave.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2012-06-27 22:28:50 UTC
CVE-2011-0011 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0011):
  qemu-kvm before 0.11.0 disables VNC authentication when the password is
  cleared, which allows remote attackers to bypass authentication and
  establish VNC sessions.
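
Whether authentication ended up disabled, the question this thread argues over, is visible in the RFB handshake: a server that accepts unauthenticated sessions offers security type 1 (None), while one that requires the VNC password offers type 2. The following is an added example, not code from the bug report or from QEMU, that parses the server side of a captured handshake; the function name and the sample byte strings are constructed for illustration.

```python
import struct

# Security-type numbers defined by the RFB protocol specification.
SEC_NAMES = {0: "Invalid", 1: "None", 2: "VNC Authentication"}

def parse_server_handshake(stream: bytes) -> dict:
    """Parse the server-to-client bytes captured from an RFB handshake.

    Returns the protocol version, the security types the server offered,
    and whether a session can be opened with no authentication at all.
    """
    if len(stream) < 12 or stream[:4] != b"RFB " or stream[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    version = (int(stream[4:7]), int(stream[8:11]))
    body = stream[12:]
    if version >= (3, 7):
        # RFB 3.7+: a count byte, then that many one-byte security types.
        if not body:
            raise ValueError("security-type list missing")
        count = body[0]
        types = list(body[1:1 + count])
        if len(types) != count:
            raise ValueError("security-type list truncated")
    else:
        # RFB 3.3: the server dictates a single type as a big-endian u32.
        if len(body) < 4:
            raise ValueError("security type missing")
        types = [struct.unpack(">I", body[:4])[0]]
    return {
        "version": version,
        "types": [SEC_NAMES.get(t, f"type {t}") for t in types],
        # Type 1 ("None") anywhere in the offer means a client may connect
        # without presenting any credential.
        "auth_disabled": 1 in types,
    }

# Constructed sample captures (not taken from a real server).
SAMPLE_PASSWORD_REQUIRED = b"RFB 003.008\n" + bytes([1, 2])
SAMPLE_AUTH_DISABLED = b"RFB 003.008\n" + bytes([1, 1])
SAMPLE_LEGACY_DISABLED = b"RFB 003.003\n" + struct.pack(">I", 1)

if __name__ == "__main__":
    for name, capture in [("password required", SAMPLE_PASSWORD_REQUIRED),
                          ("auth disabled", SAMPLE_AUTH_DISABLED),
                          ("legacy, auth disabled", SAMPLE_LEGACY_DISABLED)]:
        print(name, parse_server_handshake(capture))
```

Run against a capture taken before and after a password change on a guest you administer, a switch from type 2 to type 1 shows that authentication was dropped rather than blocked.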