Bug 87523

Summary: confirmation dialog before password verification
Product: [Applications] krfb
Component: general
Reporter: Waldo Bastian <bastian>
Assignee: George Goldberg <grundleborg>
CC: grundleborg
Status: CONFIRMED
Severity: normal
Priority: NOR
Version: unspecified
Target Milestone: ---
Platform: Compiled Sources
OS: Linux
Latest Commit:
Version Fixed In:

Description Waldo Bastian 2004-08-19 17:43:21 UTC
Version:            (using KDE KDE 3.3.0)
Installed from:    Compiled From Sources
OS:                Linux

The user should not be bothered with the dialog for accepting an incoming VNC connection until the password has been verified. Now anyone can harass the user with this popup as long as the user has an open invitation outstanding.

Comment 1 Tomasz Chmielewski 2005-02-25 11:04:58 UTC
True.

Comment 2 tim 2005-02-25 20:48:28 UTC
I agree mostly, but one of the reasons for that design was that it allowed me to have krfb always running with a good conscience. Every bit of data from an unauthenticated host that is processed by a C application is a large risk. If there were a bug (e.g. a buffer overflow) in the authentication code, this would be a fatal security problem. Every KDE system that has either an open invitation or a permanent password would be vulnerable. Asking the user for a confirmation before any data is processed solves that problem to some degree.

Comment 3 Dik Takken 2006-04-18 13:32:31 UTC
I have used krfb for remotely assisting users in the past, but this has become unusable because users were getting loads of connection requests from all over the internet.

Maybe a whitelist of allowed remote hosts can solve this problem?

Comment 4 Jaison Lee 2006-04-18 15:12:42 UTC
FYI: KRFB has been unmaintained for over a year now, despite numerous attempts to find someone interested in picking it up. Until someone does, the future of the program is uncertain.

Comment 5 George Goldberg 2009-09-04 12:40:11 UTC
Issue still stands in KDE4.3.