SecureVNCPlugin without password

[Prisma]

First of all, sorry for this stupid question. I was digging this forum and didn't find an answer:

We use the old rc4 dsmplugin. With the new 1.1.8.0 I thought about changing the plugin to a never and saver technology. We use a reverse connection with a repeater in mode II. As far as I can remember in case of the secureVNCplugin you're always prompted for a password. This behaviour doesn't fit our needs.

So, isn't it possible to strip the password from a secureVNC key? With an openSSH or putty keyfile I would be able to do that...

[Rudi De Vos]

When i'm correct, you are only asked for a password when you don't use a key.
Using winvnc.exe you need to create the a server and viewer key and copy the viewer key to vncviewer.exe.
The key isn't generated with a password ?

[Prisma]

Ok, I just have to try it. I'll give you a feedback (only for your personal records). Thanks Rudi.

[Prisma]

Ok, like I mentioned above, the viewer always prompts you for a password. Even if I generate a keypair without typing a password into the configuration dialogue. Confirming the viewer prompt with ENTER (and leave the password empty) works. I know you're your own CEO, Rudi. But this behaviour I can't sell my CEO. Everything has to work exactly analogue to RC4 encryption.

The reason could be, that even with a empty password the private key is encrypted. If I knew the binary format, I'd try to save the private key decrypted using OpenSSH or what ever...

Who's able to help with information?

[Rudi De Vos]

Encryption and password are something different.

1) encryption without a key
Using DH you exchange a key ( used for encryption) and insite the encryption you send a password for authentication
2) encryption with a key with empty passwor'd
You don't use Dh to exchange a key, but use a predefined key. You can use this key for encryption but also for
authentication as the server/viewer key is a unique pair
3) encryption with key and password
If you are paranoid and often loose your keys you can use the key for encryption and authentication and on top of that
send a passwd insite the encription.

The only bug i see is that you also get a passwd popup for an empty password, it should not show in that case.

[Prisma]

Encryption and password are something different.

I assumed that SecureVNC is similar to OpenSSH/puTTY where the private key itself is encrypted with a password (which could be removed by decrypting the private key). Nice that nothing has to be decrypted. But:

The only bug i see is that you also get a passwd popup for an empty password, it should not show in that case.

Right, that's the only bug I see too. Is prompting for a empty password a problem of the viewer, or a problem of the plugin itself? In other words, is it a bug you're able to fix?

[Prisma]

I checked adamwalling.com and read that openSSL is used. So, basically this is for me a rather well-known technology and I'm not sure what a understood wrong. He writes, if no passphrase is chosen, the VNC password is used. We don't set a VNC password. During a reverse connection and no allowed socket connections we see no need to set a password. It's a SC scenario. He also writes: "The passphrase is used to generate a 256-bit key for use with the AES cipher". Even when no password is set? Or what happens if no password is set?

I can only refer to webserver technologies based on openSSL where it's quite normal to use no passwords. Assuming you don't want to pass a passphrase to your webserver every time he restarts

I think it could make sense to contact Mr. Walling to bring some light in my case. Or is there a any other hint you can give me to avoid a "empty" prompt, Rudi?