README: Document RSA-AES
parent
89e4e8508f
commit
16ff0fa11d
README.md (32 changed lines)
@ -116,8 +116,10 @@ use SSH tunneling while listening on localhost, but users can also be
authenticated when connecting to wayvnc.
authenticated when connecting to wayvnc.
### Encryption & Authentication
### Encryption & Authentication
You'll need a private X509 key and a certificate. A self-signed key with a
certificate can be generated like so:
#### VeNCrypt (TLS)
For TLS, you'll need a private X509 key and a certificate. A self-signed key
with a certificate can be generated like so:
```
```
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
-keyout key.pem -out cert.pem -subj /CN=localhost \
-keyout key.pem -out cert.pem -subj /CN=localhost \
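Review bot: the example certificate is generated with `-subj /CN=localhost`, so it only matches a client that connects to `localhost`. That fits the SSH-tunnel setup mentioned in the hunk header, but readers who later follow the `address=0.0.0.0` example will get a hostname mismatch unless the CN (or a subjectAltName) is the name clients actually use; suggest one sentence under "#### VeNCrypt (TLS)" saying so. Since `-nodes` writes key.pem unencrypted, the same sentence could remind readers to keep the key file readable only by the user running wayvnc.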
@ -139,6 +141,32 @@ private_key_file=/path/to/key.pem
certificate_file=/path/to/cert.pem
certificate_file=/path/to/cert.pem
```
```
#### RSA-AES
The RSA-AES security type combines RSA with AES in EAX mode to provide secure
authentication and encryption that's resilient to eavesdropping and MITM. Its
main weakness is that the user has to verify the server's credentials on first
use. Thereafter, the client software should warn the user if the server's
credentials change. It's a Trust on First Use (TOFU) scheme as employed by SSH.
For the RSA-AES to be enabled, you need to generate an RSA key. This can be
achieved like so:
```
ssh-keygen -m pem -f ~/.config/wayvnc/rsa_key.pem -t rsa -N ""
```
You also need to tell wayvnc where this file is located, by setting setting the
`rsa_private_key_file` configuration parameter:
```
address=0.0.0.0
enable_auth=true
username=luser
password=p455w0rd
rsa_private_key_file=/path/to/rsa_key.pem
```
You may also add credentials for TLS in combination with RSA. The client will
choose.
### wayvncctl control socket
### wayvncctl control socket
To facilitate runtime interaction and control, wayvnc opens a unix domain socket
To facilitate runtime interaction and control, wayvnc opens a unix domain socket
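Review bot: doubled word in the added line "You also need to tell wayvnc where this file is located, by setting setting the `rsa_private_key_file` configuration parameter" should read "by setting the". In the same section, "For the RSA-AES to be enabled" reads better as "For RSA-AES to be enabled". Two documentation points worth a sentence each: the `ssh-keygen ... -N ""` command writes an unencrypted private key, so the text should say the file must be readable only by the user running wayvnc; and the claim that RSA-AES is "resilient to eavesdropping and MITM" only holds from the second connection on, as the TOFU sentence already implies, so it would help to tell users to compare the server key fingerprint out of band on first use rather than blindly accept it.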