GNOME Bugzilla – Bug 652334
Password length restriction to 8 characters
Last modified: 2020-11-13 17:30:22 UTC
The password box seems to be limited to 8 characters. I have passwords much longer than this.
What are exact steps to reproduce this?
Try to type a password longer than 8 characters into the password box. The box will not accept characters after the 8th.
I have also seen this restriction of 8 characters in the VNC password field. The machine I connect to is configured to use a longer password. While reading elsewhere on the web, someone pointed out that the VNC standard was for 8 character passwords. But for the sake of better security many people use longer passwords, and it would be nice even if you could provide a configuration option to allow longer passwords (with the default being off for standards compliance). I hope we can see a fix soon. Thanks!
> The machine I connect to is configured to use a longer password. ... > But for the sake of better security many people use longer passwords, If you're using the standard "VNC Authentication" scheme, then this is not doing what you think and has *zero* security benefit The VNC server may not have complained at your longer password, but it will be ignoring any characters in your password beyond the 8th byte, because the auth scheme is based on DES with a fixed length 8-byte key. eg, You may well have set a password on the server 'Thequickbrownfoxjumpsoverthelazydog' but you'll find you can successfully login to the server by entering any of 'Thequick' 'Thequickbrownfoxjumpsoverthelazydog' 'Thequickrandomgarbage' NB, longer passwords *are* useful if you're connecting to a VNC server than uses one of the following authentication protocol extensions: - SASL (in QEMU) - MSLOGON (In some builds of VNC for Windows) - ARD (OS-X remote desktop) So vinagre should allow characters > 8 bytes for these auth protocols extensions. For regular VNC auth though, it is totally useless and will not add any security benefit
Bug 666598 includes a patch for this.
*** Bug 672667 has been marked as a duplicate of this bug. ***
*** Bug 666598 has been marked as a duplicate of this bug. ***
So if I want to connect to an OS X remote desktop with a password longer than 8 characters I am sh.t out of luck?
I rebuilt this package on Debian Wheezy/Sid (version 3.4.2-1) with the patch in bug 666598, and have verified that it works just fine to connect to OS X VNC servers, which use a different authentication mechanism. Please accept the patch provided in 66598. It will fix vinagre for use with OS X. I will attach my .deb as well for testing.
I was unable to attach the .deb, but it can be downloaded at http://brocktice.com/Files/vinagre_3.4.2-1_amd64.deb
For the record, this has just costed me 2 hours of figuring out. Failing a conditional password length limit, just increasing the limit globally like the proposed patch appears to be *much* better than the current frustrating status quo (well, frustrating for me as a user. falling back to gvncviewer for the moment. ;))
Also, I presume the status is very well confirmed by now? ;)
*** Bug 708635 has been marked as a duplicate of this bug. ***
Please consider this bug "confirmed". Logging into Mac VNC servers is basically impossible so long as the password is limited to 8characters like this, which basically means that all the Mac people at my office get to say: "Why do you even use Linux? It never works!" My system: Gentoo Linux Gnome 3.10.2
xtightvncviewer works well as an alternative since bugs in vinagre don't seem to be getting fixed
(In reply to comment #15) > since bugs in vinagre don't seem to be getting fixed 4 Vinagre bugs got fixed in last 90 days - https://bugzilla.gnome.org/buglist.cgi?chfield=bug_status;chfieldfrom=-90d;chfieldvalue=RESOLVED;bug_status=RESOLVED;bug_status=VERIFIED;resolution=FIXED;product=vinagre Hashem: If you have more spare time to work on this software project than the volunteer developers that you criticize, get involved and provide patches.
Andre, I did provide a patch in https://bugzilla.gnome.org/show_bug.cgi?id=708635 which was ignored without any response. Should I repost that same patch in this ticket?
*** Bug 742931 has been marked as a duplicate of this bug. ***
Patches: https://bugzilla.gnome.org/show_bug.cgi?id=708635#c1 and https://bugzilla.gnome.org/show_bug.cgi?id=742931#c1
*** Bug 522476 has been marked as a duplicate of this bug. ***
Also see bug 747296; bug 793075
https://gitlab.gnome.org/GNOME/vinagre/issues/16
Obsoleted by https://gitlab.gnome.org/GNOME/vinagre/issues/16