
This question has also been asked on Server Fault, but was not taken seriously. I hope this is a better place for it.

I'm going to install Debian Wheezy on a KVM VPS. VNC access to the console is enabled, and by sniffing network traffic when connecting, I see the VNC password is encrypted but everything else is sent in plain text. It's possible to install Debian remotely over SSH by loading the "network-console" component early in the installation process. After configuring the network, a dialog asks for "Remote installation password".

I can then connect to the installation with ssh installer@x.x.x.x and continue the installation over an encrypted connection. However, the remote installation password has to be typed while connected via VNC, and is therefore sent in plain text. An attacker who sniffs the password can then compromise the installation.

What is the best method in this case to avoid an attacker compromising the installation?

Before typing the remote installation password it's possible to execute a shell. However, the installation environment is very limited so only a few commands are available. I think the best option is to restrict SSH connections to only my IP address, but this does not seem to be possible.

Another option I have thought about is quickly connecting to the installation after typing the remote installation password, and then removing the "installer" user from /etc/shadow, thereby preventing others from logging in, but I'm not sure if this is safe enough. I hope there are more options I haven't thought of.

  • Other than VNC, are there any other options to access the pre-OS environment? Alternately, is their VNC server one of the (few) that has some level of encryption support if you use the matching VNC client? – Anti-weakpasswords Feb 27 '14 at 02:56
  • Unfortunately, VNC is the only option for access to the pre-OS environment, and the VNC server does not support encryption. – user40945 Feb 27 '14 at 06:22

1 Answer

Presumably by KVM you mean KVM rather than KVM.

So in this case, you should have a Linux host and N virtual machines, potentially accessible over VNC.

If your Linux host is not trusted, then nobody can save you. So we'll assume network traffic can't be sniffed within the kernel. So in that case, SSH-ing to the server and forwarding the VNC connection over your SSH tunnel effectively encrypts your traffic from the server to your SSH console on your own machine.

While the VNC connection is unencrypted at both ends of the tunnel, the first end is on your own computer (presumably trusted) while the second end is within the kernel on the Linux server (also presumably trusted), and at no point is VNC traffic sent over the network; it stays within the SSH tunnel.

tylerl
  • Only the VPS provider has access to the host. I have access to the VM I rent. The virtualization solution used by the VPS provider supports access to the console of the VM via VNC. I need to use VNC for the first part of the installation process, until the network settings and remote access have been configured. The problem is that the remote installation password is sent in plain text. I need to secure the installation environment so an attacker cannot compromise the installation, even though he has sniffed the password. – user40945 Feb 27 '14 at 06:23
  • If you can't get VNC over an encrypted tunnel (VPN, etc), then perhaps you should bring this up w/ your host. It's a critical failing on their part. – tylerl Feb 27 '14 at 06:26
  • I do not know of any VPS provider that implements VNC encryption, so this is normal. The VNC console is not for general use, only for installation and correcting problems that make secure login impossible. Passwords typed when connected via VNC should be changed when the problem is solved. I guess it comes down to how much risk you are willing to take. Some will be fine with installing the OS and changing passwords when finished. I'm not willing to take the risk, so therefore I try to find a way to secure the installation environment, even though the password is sent in plain text. – user40945 Feb 27 '14 at 07:10
  • @user40945 You don't encrypt VNC itself. Instead you provide a VPN or other encrypted tunnel over which the VNC connection can operate. This is actually *very* common in cases where VNC access is used. – tylerl Feb 27 '14 at 17:49