Independent Submission                                         D. Warden
Request for Comments: 7869                              Dell Products LP
Category: Informational                                      I. Iordanov
ISSN: 2070-1721                                                 Undatech
                                                                May 2016
        

The "vnc" URI Scheme

Abstract

Virtual Network Computing (VNC) software provides remote desktop functionality. This document describes a Uniform Resource Identifier (URI) scheme enabling the launch of VNC clients from other applications. The scheme specifies parameters useful in securely connecting clients with remote hosts.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7869.

Copyright Notice

Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

Table of Contents

   1. Introduction
      1.1. Requirements Language
   2. The "vnc" URI Scheme
      2.1. URI Scheme Syntax
           2.1.1. URI Parameters
           2.1.2. Data Types
      2.2. Processing URIs
           2.2.1. Error Handling
           2.2.2. Connection Profile Matching
      2.3. Connection Channel Types
           2.3.1. The "Integrated SSH" Channel Type
           2.3.2. The "Secure Tunnel" Channel Type
   3. Security Considerations
      3.1. Application Trust
      3.2. URI Handling
      3.3. Host Identification
      3.4. Connection Database Integrity
   4. IANA Considerations
      4.1. "vnc" Scheme
      4.2. Remote Framebuffer Security Types
      4.3. VNC URI Group
      4.4. VNC URI Connection Channel Types
      4.5. VNC URI ID Hash Algorithms
      4.6. VNC URI Parameters
   5. References
      5.1. Normative References
      5.2. Informative References
   Appendix A. "vnc" URI Template
   Acknowledgments
   Authors' Addresses
        
1. Introduction

Virtual Network Computing (VNC) clients are used to support remote desktop connectivity based on the Remote Framebuffer (RFB) Protocol [RFC6143]. It is often desirable to integrate such functionality with other software. However, the lack of a standard method for specifying VNC client parameters has limited such integration.

The "vnc" Uniform Resource Identifier (URI) scheme specified in this document facilitates the launch of VNC clients from applications in browser-based, desktop, and mobile environments. Using this scheme, users and application vendors will be able to integrate remote desktop capabilities without being tied to a particular client.

Remote desktop clients often store connection profiles in a local connection database. By associating connections specified in a URI with those stored in a database, client-specific options can be automatically applied to a connection launched from another application, even when that application is unaware of those options.

Connections to VNC servers are often secured using mechanisms including Transport Layer Security / Secure Sockets Layer (TLS/SSL) tunneling [RFC5246] and Secure Shell (SSH) [RFC4251] tunneling, which are outside the scope of the RFB protocol. Defining the behavior of these client-integrated security options enables their use with "vnc" URIs.

1.1. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

In this document, these words will appear with that interpretation only when in ALL CAPS. Lowercase uses of these words are not to be interpreted as carrying the significance described in RFC 2119.

2. The "vnc" URI Scheme

2.1. URI Scheme Syntax

The normative syntax of the "vnc" URI is defined in the <vnc-uri> rule in the following syntax specification. This specification uses the Augmented Backus-Naur Form (ABNF) as described in [RFC5234]. The "vnc" URI conforms to the generic URI syntax specified in [RFC3986]. The <userinfo>, <host>, <port>, <unreserved>, and <pct-encoded> rules are defined in [RFC3986].

   vnc-uri = "vnc://" [ userinfo "@" ] [ host [ ":" port ] ]
             [ "?" [ vnc-params ] ]

   vnc-params = param "=" value *("&" param "=" value) ["&"]

   param = 1*( param-char )

   value = *( param-char )

   param-char = unreserved / pct-encoded / unreserved-symbols

   unreserved-symbols = ":" / "/" / "@" / "!" / "$" / "'"
                        / "(" / ")" / "*" / "," / ";"

The "?", "=", and "&" characters are used to delimit VNC parameters and must be percent-encoded when representing a data octet as specified in [RFC3986]. Within the <vnc-params> portion of a "vnc" URI, the <unreserved-symbols> do not have special meaning and need not be percent-encoded when representing a data octet.

A "vnc" URI has the general form:

vnc://host:port?param1=value1&param2=value2...

The host information and each parameter value specify information used in establishing or operating the remote desktop session as specified in Section 2.1.1.

For example:

      vnc://10.0.0.1:5901?VncPassword=secret&SecurityType=2
        

This example indicates a VNC connection to the host at IP "10.0.0.1" on port "5901" with VNC password "secret" using the VNC Authentication security type.

2.1.1. URI Parameters

A description of host information and URI parameters is provided in this section. Information on the constraints of various data types is provided in Section 2.1.2. All parameters are considered optional; however, a client will not be able to connect without sufficient information.

A parameter without a specified default value indicates that no default value is implied by this URI scheme; however, VNC clients can apply implementation-dependent default behaviors otherwise consistent with this document.

The <userinfo> value is deprecated and processed only in an implementation-specific manner. The <userinfo> component MUST NOT be generated in an environment where a client supporting an updated URI format is expected to be available. When processing a URI value from an untrusted source, VNC clients SHOULD alert the user in order to mitigate the risk that the URI is constructed to obscure the identity of the remote host unless the URI can be validated or backwards-compatibility considerations make an alert impractical.

The <host> and <port> values in the "vnc" URI specify the address of the VNC server on the remote host:

   +------------+------------+-----------------------------+----------+
   | Name       | Type       | Description                 | Default  |
   +------------+------------+-----------------------------+----------+
   | host       | string     | VNC server hostname or IP   | none     |
   +------------+------------+-----------------------------+----------+
   | port       | ushort     | VNC server port             | 5900     |
   +------------+------------+-----------------------------+----------+
        

The "vnc" URI parameter values specify remote desktop connection or session properties, including aspects of client operation, usability, and security as specified in the table below:

   +---------------+---------+-----------------------------+----------+
   | Name          | Type    | Description                 | Default  |
   +---------------+---------+-----------------------------+----------+
   |ConnectionName | string  | Name of connection profile  | none     |
   +---------------+---------+-----------------------------+----------+
   |VncUsername    | string  | VNC server username         | none     |
   +---------------+---------+-----------------------------+----------+
   |VncPassword    | string  | VNC server password         | none     |
   +---------------+---------+-----------------------------+----------+
   |SecurityType   | enum    | RFB security type used      | none     |
   |               | <rfbsec>|                             |          |
   +---------------+---------+-----------------------------+----------+
   |ChannelType    | enum    | Connection channel type     | none     |
   |               | <chan>  |                             |          |
   +---------------+---------+-----------------------------+----------+
   |SshHost        | string  | SSH server hostname or IP   | <host>   |
   +---------------+---------+-----------------------------+----------+
   |SshPort        | ushort  | SSH server port             | 22       |
   +---------------+---------+-----------------------------+----------+
   |SshUsername    | string  | SSH username                | none     |
   +---------------+---------+-----------------------------+----------+
   |SshPassword    | string  | SSH password                | none     |
   +---------------+---------+-----------------------------+----------+
   |IdHashAlgorithm| enum    | Hash algorithm used with    | none     |
   |               | <idhash>| "IdHash" parameter          |          |
   +---------------+---------+-----------------------------+----------+
   |IdHash         | string  | Expected hash of remote     | none     |
   |               | <hex>   | public key or certificate   |          |
   +---------------+---------+-----------------------------+----------+
   |ColorLevel     | enum    | Client color depth/mode     | none     |
   |               | <clevel>|                             |          |
   +---------------+---------+-----------------------------+----------+
   |ViewOnly       | boolean | Client is view only         | false    |
   +---------------+---------+-----------------------------+----------+
   |SaveConnection | boolean | Store connection info       | none     |
   +---------------+---------+-----------------------------+----------+
        

o ConnectionName, SaveConnection

"ConnectionName" is used to identify a connection profile in both the launching application and VNC client. Profiles are applied as described in Section 2.2.2. If omitted, the client MAY generate a name based on the host, port, and/or other parameters. The VNC client MAY normalize the name as required.

If true, "SaveConnection" indicates a connection profile should be created or updated and stored in the client connection database. If false, no profile should be updated or persisted.

o VncUsername, VncPassword, SecurityType

The "SecurityType" parameter indicates which RFB security type applies to the connection. RFB security types are recorded in the IANA "Remote Framebuffer Security Types" registry created by [RFC6143]. The VNC client will use this information to determine which parameters are required and establish the connection.

VNC clients can sometimes automatically negotiate a security type with a server. Specifying the security type controls the security negotiation. Specifying the security type also allows a client to prompt for necessary security parameters prior to establishing a connection. Parameters may take time to enter on mobile clients and could otherwise result in timeouts and/or security lockouts. If the specified type is not supported by the server, an error SHOULD be indicated as described in Section 2.2.1.

"VncUsername" and "VncPassword" are used when applicable to authenticate to the VNC server using the specified "SecurityType". Since passwords often contain arbitrary characters, they will often require percent encoding.

o ChannelType

"ChannelType" specifies the transport stream used to carry connection data. This allows a client to initiate a connection using a secure transport protocol such as SSH prior to connecting to the VNC server socket. Use of this value in the context of the "Integrated SSH" and "Secure Tunnel" channel types is provided in Section 2.3.

o SshHost, SshPort, SshUsername, SshPassword

The SSH parameters are intended for use with the "Integrated SSH" channel type described in Section 2.3.1. These parameters can also be used with any future SSH-based channel types. Since passwords often contain arbitrary characters, they will often require percent encoding.

o IdHashAlgorithm, IdHash

The "IdHashAlgorithm" and "IdHash" values are used to verify the expected identity of the remote system based on its public key or certificate. Use of these values in the context of the "Integrated SSH" and "Secure Tunnel" channel types is provided in Section 2.3.

o ColorLevel

The "ColorLevel" parameter specifies the color model to use for data transfer and display as specified in Section 2.1.2. If the requested color model is unsupported, the behavior is implementation dependent.

o ViewOnly

If "ViewOnly" is true, the VNC client SHOULD operate in a display-only mode and refrain from sending input data including KeyEvent, PointerEvent, and ClientCutText messages specified in Section 7.5 of [RFC6143] unless this mode is unsupported by the client.

Parameter names SHOULD be provided in the case specified in this document; however, for compatibility, clients SHOULD accept parameters in a case-insensitive manner. Values SHALL be interpreted in a case-sensitive manner, unless otherwise noted.

Additional parameters likely to be useful with multiple VNC clients can be added to the "VNC URI Parameters" registry as specified in Section 4.6 of this document. Individual clients MAY support parameters specific to that client. VNC clients supporting application-specific parameters SHOULD include a distinguishing prefix within the parameter name, such as the name of the application package specified in source code except when precluded by compatibility constraints. For example:

      vnc://?com.dell.vncclient.ScreenMode=2&
        

It can also be expected that clients will maintain backward compatibility with legacy URI formats and parameters.

Legacy software applications respond to "vnc" URIs in different ways and may fail to behave as expected. It is advisable to test "vnc" URIs with specific applications or consult application-specific documentation.

2.1.2. Data Types

"vnc" URIs can be percent-encoded as specified in [RFC3986] and MUST be decoded. After decoding, the following type constraints and semantics apply:

o string

Values of "string" type are UTF-8-encoded strings as specified in [RFC3629].

The "string<hex>" subtype used in "IdHash" consists of octets displayed in hexadecimal and delimited by colons (":"). For example:

         5D:D2:39:57
        

Comparison of "string<hex>" values SHALL be case insensitive; however, the uppercase notation is preferred for readability.

o enum

The "enum" types consist of specific enumerated subtypes and are represented by their decimal value.

The "enum<rfbsec>" values represent an RFB security type included in the IANA "Remote Framebuffer Security Types" registry created by [RFC6143].

"enum<chan>" values represent connection channel types listed in the "VNC URI Connection Channel Types" registry created by Section 4.4 of this document. Initial values are:

         Value     Description
         --------  --------------
         1         Standard TCP
         23        Secure Tunnel
         24        Integrated SSH
        

The "Standard TCP" channel type represents a generic TCP connection. The "Secure Tunnel" and "Integrated SSH" [RFC4252] channel types are described in Section 2.3.

Values of the "enum<idhash>" parameter represent secure hash algorithms in the "VNC URI Hash Algorithms" registry created by Section 4.5 of this document. The initial values include:

         Value     Description
         --------  ------------
         1         MD5
         2         SHA1
         4         SHA256
        

The MD5 algorithm is described in [RFC1321]. The SHA-1 and SHA-256 algorithms are described in [SHS].

Values of the "enum<clevel>" subtype represent a color level. In the table below, the columns have the meaning specified in Section 7.4 of [RFC6143]:

   BPP = bits-per-pixel
   TC  = true-color-flag
   RM  = red-max
   GM  = green-max
   BM  = blue-max
   RS  = red-shift
   GS  = green-shift
   BS  = blue-shift

The values are:

         Value  Description      BPP Depth TC RM   GM   BM   RS GS BS
         -----  ---------------  --- ----- -- ---- ---- ---- -- -- --
         1      Black and White  8   3     t  1    1    1    2  1  0
         2      Grayscale        8   6     t  3    3    3    4  2  0
         3      8 Colors         8   3     t  1    1    1    2  1  0
         4      64 Colors        8   6     t  3    3    3    4  2  0
         5      256 Colors       8   8     t  7    7    3    0  3  6
         6      16-bit Color     16  16    t  31   63   31   11 5  0
         7      24-bit Color     32  24    t  255  255  255  16 8  0
         8      30-bit Color     32  30    t  1023 1023 1023 0  10 20
        

A value of "t" indicates the true-color-flag should be set. The big-endian-flag (see Section 7.4 of [RFC6143]) should be set as required for the system.

o ushort

The "ushort" values represent unsigned 16-bit integers expressed in decimal digits with value between 0-65535 inclusive.

o boolean

"boolean" values represent conditions that are true or false and are represented as either "true" or "false" respectively. For maximum compatibility, clients SHOULD accept the value 1 as representing true values and 0 as representing false values. Clients SHOULD perform parsing of "boolean" values in a case-insensitive manner.

An example "vnc" URI including several of these data types is:

         vnc://localhost:5900?ConnectionName=Server&SecurityType=2&
            IdHash=0D:3A:72:08:57:EA:4D:30&SaveConnection=false&
        

Note the above example should be considered to be a contiguous string without line breaks or whitespace and is broken into multiple lines in this document for readability.
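
As an added example (not code from RFC 7869 or from any VNC client), the following Python parser applies the Section 2.1 grammar together with the parameter and data-type rules of Sections 2.1.1 and 2.1.2: case-insensitive parameter names, percent-decoding, the ushort range, the boolean spellings, uppercase-normalised "string<hex>", the initial enum registries, and the host, port, SshHost and SshPort defaults; id_hash_matches then compares a computed digest with "IdHash" using the same colon-delimited notation. All function and constant names are this example's own, and the bytes that "IdHash" covers are left to the caller because Section 2.3 defines them per channel type.

```python
# Added example (not from RFC 7869): a parser applying the Section 2.1 grammar and
# the parameter and data-type rules of Sections 2.1.1 and 2.1.2. Names are my own.
import hashlib
import hmac
import re
from urllib.parse import unquote, urlsplit

DEFAULT_PORT = 5900
CHANNEL_TYPES = {1: "Standard TCP", 23: "Secure Tunnel", 24: "Integrated SSH"}
ID_HASH_ALGORITHMS = {1: "md5", 2: "sha1", 4: "sha256"}   # enum<idhash> -> hashlib name

# Registered parameter -> (type tag, default); a "none" default is None.
PARAMS = {n: ("string", None) for n in ("ConnectionName", "VncUsername",
          "VncPassword", "SshHost", "SshUsername", "SshPassword")}
PARAMS.update({
    "SecurityType": ("enum<rfbsec>", None), "ChannelType": ("enum<chan>", None),
    "SshPort": ("ushort", 22), "IdHashAlgorithm": ("enum<idhash>", None),
    "IdHash": ("string<hex>", None), "ColorLevel": ("enum<clevel>", None),
    "ViewOnly": ("boolean", False), "SaveConnection": ("boolean", None),
})
_CANONICAL = {n.lower(): n for n in PARAMS}       # parameter names are case-insensitive
_HEX_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*$")


class VncUriError(ValueError):
    """Syntax or data-type violation in a "vnc" URI."""


def _coerce(type_tag, raw):
    """Apply the Section 2.1.2 constraints to one percent-decoded value."""
    if type_tag == "string":
        return raw
    if type_tag == "string<hex>":
        if not _HEX_RE.match(raw):
            raise VncUriError(f"IdHash is not colon-delimited hex: {raw!r}")
        return raw.upper()          # compared case-insensitively; uppercase preferred
    if type_tag == "boolean":
        low = raw.lower()           # "true"/"false", plus "1"/"0" for compatibility
        if low in ("true", "1"):
            return True
        if low in ("false", "0"):
            return False
        raise VncUriError(f"bad boolean: {raw!r}")
    if not raw.isdigit():           # ushort and every enum are decimal digits
        raise VncUriError(f"{type_tag} must be decimal: {raw!r}")
    value = int(raw)
    # Enum checks use the initial registry values on this page; extend as the IANA
    # registries grow (this example's policy, not a rule of the scheme).
    if (type_tag == "ushort" and value > 65535
            or type_tag == "enum<chan>" and value not in CHANNEL_TYPES
            or type_tag == "enum<idhash>" and value not in ID_HASH_ALGORITHMS
            or type_tag == "enum<clevel>" and not 1 <= value <= 8):
        raise VncUriError(f"{type_tag} value out of range: {value}")
    return value


def parse_vnc_uri(uri):
    """Parse a "vnc" URI into host, port, userinfo, typed params and client extras.
    The scheme does not define repeated names; the last occurrence wins here."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "vnc":
        raise VncUriError("scheme is not vnc")
    try:
        port = parts.port
    except ValueError as exc:
        raise VncUriError(f"bad port in {parts.netloc!r}") from exc
    params = {n: default for n, (_, default) in PARAMS.items()}
    extra = {}
    query = parts.query[:-1] if parts.query.endswith("&") else parts.query  # one trailing "&" is legal
    for pair in (query.split("&") if query else []):
        name, sep, value = pair.partition("=")
        if not sep or not name:     # grammar: param "=" value, with a non-empty param
            raise VncUriError(f"malformed parameter {pair!r}")
        name, value = unquote(name), unquote(value)   # RFC 3986 decoding; "+" stays literal
        canonical = _CANONICAL.get(name.lower())
        if canonical is None:
            extra[name] = value     # client-specific (e.g. prefixed) parameter, kept as a string
        else:
            params[canonical] = _coerce(PARAMS[canonical][0], value)
    host = parts.hostname
    if params["SshHost"] is None:   # the table's default for SshHost is <host>
        params["SshHost"] = host
    # <userinfo> is deprecated; a client SHOULD alert on it for untrusted URIs.
    userinfo = parts.netloc.rpartition("@")[0] or None
    return {"host": host, "port": DEFAULT_PORT if port is None else port,
            "userinfo": userinfo, "params": params, "extra": extra}


def id_hash_matches(params, identity_bytes):
    """Compare IdHash with the hash of the remote public key or certificate bytes.
    Section 2.3 (not reproduced here) says which bytes each channel type hashes,
    so the caller supplies them. Returns None if the URI has no complete pair."""
    algorithm = ID_HASH_ALGORITHMS.get(params.get("IdHashAlgorithm"))
    expected = params.get("IdHash")
    if algorithm is None or expected is None:
        return None
    digest = hashlib.new(algorithm, identity_bytes).hexdigest().upper()
    actual = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return hmac.compare_digest(actual, expected)   # constant-time string compare
```

A client built on this would still apply the Section 2.2.2 profile lookup and the Section 2.3 channel handling after parsing; the parser only yields typed values and leaves policy decisions (alerting on userinfo, what to do with "extra") to the caller.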

注:上述示例应被视为一个连续字符串,没有换行符或空格,并且在本文档中被分成多行以便于阅读。

2.2. Processing URIs

Conceptually, a "vnc" URI supports only a "VIEW" operation, indicating the user wishes to view the remote desktop accessible via the URI reference.

In general, when a VNC client receives a "vnc" URI, it will initiate a remote desktop connection with the RFB protocol using the specified host information and parameter values. Initiating the connection using a connection channel mechanism such as those specified in Section 2.3 might require processing prior to establishing the RFB connection. A client MAY attempt to automatically discover or negotiate appropriate connection channel, security, or other parameter values.

The process for negotiating security types is specified in [RFC6143]. Supported connection channels could be discovered by testing channel types to detect when a channel is successfully established. To best integrate with other applications, the VNC client SHOULD initiate the connection with minimal or no user intervention, whenever sufficient information is available and adequate security is preserved.

Host information and parameter values may be provided through connection profiles. When a parameter value is not available from either a URI or a connection profile described in Section 2.2.2, the default value specified in Section 2.1.1 SHOULD be applied. If available parameters are not sufficient to establish a connection, the VNC client SHOULD present a session initiation data-entry screen.

2.2.1. Error Handling

In a typical interactive environment, if an error prevents a session from being established, the VNC client presents an error message to the user. When the message is acknowledged, the console application can show a session initiation data-entry screen populated with available session parameters, or it can terminate. If an error occurs after a session is successfully established that terminates the connection, the VNC client presents a termination notification to the user. When the termination notification is acknowledged, the client can present a reconnection prompt or terminate.

When an error occurs in a dedicated environment (such as a kiosk system), the system can transmit an alert to the remote operator, record a log entry, and execute appropriate fallback behavior such as automatically attempting to reestablish a session or displaying a generic message requesting servicing.

2.2.2. Connection Profile Matching

VNC clients MAY store remote desktop session settings in connection profiles. If the client is able to uniquely identify and associate a connection request with a connection profile based on the "ConnectionName" parameter value, remote host IP address, or hostname / fully qualified domain name, the VNC client SHOULD apply profile values for those settings that do not have values supplied in the "vnc" URI. When profile data is unavailable, the VNC client MAY apply global application defaults for settings not supplied in the URI and for which the scheme does not specify a default value. The VNC client MUST NOT override supplied parameters with profile values or global defaults.

When the "SaveConnection" parameter value is true, within the VNC client, a connection profile SHOULD be created or updated with the values supplied in the "vnc" URI. Profile updates and storage should be consistent with the recommendations in Section 3.4.
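
The precedence rules of this section, worked through as an added example (not code from the RFC or any VNC client): a URI value is never overridden, a matched profile fills what the URI omits, scheme defaults fill what neither supplies, and global application defaults apply only when no profile matched. The profile store, the global defaults and the scheme default values in SCHEME_DEFAULTS are constructed for the example; the actual scheme defaults are those of Section 2.1.1. Credentials are excluded from the plain profile record because Section 3.4 asks for encrypted storage, which this example does not implement.

```python
"""Applying connection-profile values to a "vnc" URI request (added example).

Precedence: URI value > matched profile > scheme default > (no profile only)
global application default. Supplied URI parameters are never overridden.
"""

# Constructed sample data. SCHEME_DEFAULTS stands in for Section 2.1.1 and
# its values are assumptions made for this example.
SCHEME_DEFAULTS = {"SshPort": 22, "ViewOnly": False, "SaveConnection": False}
GLOBAL_DEFAULTS = {"ColorLevel": "rgb222"}
PROFILES = {
    "Server": {
        "host": "localhost",
        "settings": {"ColorLevel": "full", "ViewOnly": True, "SshPort": 2222},
    },
}

# Never written to a plain profile record (Section 3.4 wants these encrypted).
CREDENTIAL_PARAMS = {"VncPassword", "SshPassword"}


def find_profile(profiles, uri_params, host):
    """Match by ConnectionName, else by a unique host; None if absent or ambiguous."""
    name = uri_params.get("ConnectionName")
    if name is not None:
        return profiles.get(name)
    matches = [p for p in profiles.values() if p["host"] == host]
    return matches[0] if len(matches) == 1 else None


def resolve_settings(uri_params, host, profiles=PROFILES,
                     scheme_defaults=SCHEME_DEFAULTS, global_defaults=GLOBAL_DEFAULTS):
    """Return (effective settings, profile used or None)."""
    profile = find_profile(profiles, uri_params, host)
    layers = [uri_params]
    if profile is not None:
        layers.append(profile["settings"])
    layers.append(scheme_defaults)
    if profile is None:
        layers.append(global_defaults)
    resolved = {}
    for layer in layers:
        for key, value in layer.items():
            resolved.setdefault(key, value)  # the first layer supplying a key wins
    return resolved, profile


def save_connection(profiles, uri_params, host):
    """Create or update a profile from the URI when SaveConnection is true."""
    if not uri_params.get("SaveConnection", False):
        return False
    name = uri_params.get("ConnectionName") or host
    record = profiles.setdefault(name, {"host": host, "settings": {}})
    for key, value in uri_params.items():
        if key in CREDENTIAL_PARAMS or key in ("ConnectionName", "SaveConnection"):
            continue
        record["settings"][key] = value
    return True
```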

2.3. Connection Channel Types
2.3.1. The "Integrated SSH" Channel Type

The "Integrated SSH" channel type establishes an SSH connection to a host, authenticates with SSH password authentication, establishes a secure tunnel to the VNC host/port, and then connects to the VNC server using a supported "SecurityType". The secure tunnel will provide encryption and data integrity, while verifying the public key authenticates the server. The SSH architecture is specified in [RFC4251]. The steps are detailed below:

1. The VNC client initiates a transport-level connection to the "SshHost" on the "SshPort" specified in the parameter values with a key exchange as described in [RFC4253].

2. When the VNC client receives the server key (or certificate), the hash of the key (or certificate) is computed using the algorithm corresponding to the "IdHashAlgorithm" parameter value and compared with the expected "IdHash" value (if available). If the certificate hash cannot be verified, the client alerts the user or operator. In a typical interactive environment, the alert provides the remote system's identifying information including the hash value and allows the user to terminate the connection. The alert could allow the user to accept the key and continue establishing the connection. In a dedicated environment (such as a kiosk system), the system can transmit an alert to the remote operator, record a log entry, and execute appropriate fallback behavior such as displaying a generic message requesting servicing.

3. The SSH client authenticates the user using the "SshUsername" and "SshPassword" parameter values according to the "password" authentication mechanism described in [RFC4252].

4. The SSH client opens a TCP/IP channel as specified in [RFC4254] from the local system to the system indicated by the <host> and <port> information values.

5. The VNC client establishes an RFB connection to the VNC server over the channel and authenticates using the "SecurityType" as described in [RFC6143] or other reference.

The VNC client MAY establish the connection described in this section using an external SSH client, by launching the client and then connecting to a secure tunnel created between a local port and the VNC server.

If the VNC client is supplied with additional parameters outside the scope of this document, it MAY perform a variation of these steps consistent with the underlying protocols, for example, by using "publickey" SSH client authentication [RFC4252] or providing another form of authentication to the VNC server. The specific negotiation of SSH parameters such as cipher suite configuration is outside the scope of this document.

Many SSH clients present key hashes using MD5, and it can be expected that launching applications will specify the hash be displayed in the manner its users are familiar with.

For compatibility, when the "SecurityType" parameter value is "Integrated SSH" (24), a VNC client MUST treat the value as a request to use "Integrated SSH" as the "ChannelType". However, this value SHOULD NOT be supplied for the "SecurityType" parameter unless required for backward compatibility as the channel is established prior to connecting to the server and is not consistent with the negotiation of other security types.

2.3.2. The "Secure Tunnel" Channel Type

The "Secure Tunnel" channel type establishes a TLS connection with a remote server using certificate authentication, over which a connection to the VNC server is established using a supported "SecurityType". The secure tunnel will provide encryption and data integrity, while verifying the certificate authenticates the server. The TLS protocol is specified in [RFC5246]. The steps are detailed below:

1. The VNC client initiates the TLS Handshake Protocol with a system indicated by the <host> and <port> information values.

2. When the server certificate is received, the hash of the key certificate is computed using the algorithm corresponding to the "IdHashAlgorithm" parameter value and compared with the expected "IdHash" value (if available). If the certificate hash cannot be verified, the client alerts the user or operator. In a typical interactive environment, the alert provides the remote system's identifying information and allows the user to terminate the connection. The alert could allow the user to accept the key and continue establishing the connection. In a dedicated environment (such as a kiosk system), the system can transmit an alert to the remote operator, record a log entry, and execute appropriate fallback behavior such as displaying a generic message requesting servicing.

When providing identifying information of a host identified by an X.509 certificate [RFC5280] [X.509], the certificate subject, issuer, validity period, and certificate hash is typically included. The VNC client MAY verify the validity of the certificate. If the validity of a certificate is not confirmed, the alert includes a statement indicating such information has not been verified.

3. The client finishes establishing the TLS tunnel.

4. The VNC client establishes an RFB connection to the VNC server over the channel and authenticates using the "SecurityType" as described in [RFC6143] or other reference.

If the VNC client is supplied with additional parameters, it MAY perform a variation of these steps consistent with the underlying protocols, for example, by providing another form of authentication to the VNC server. The negotiation of specific TLS parameters such as cipher suite configuration is outside the scope of this document.

The TLS protocol provides backwards compatibility with SSLv3; however, due to known security flaws, it SHOULD NOT be used.

For compatibility, when the "SecurityType" parameter value is "Secure Tunnel" (23), a VNC client MUST treat the value as a request to use "Secure Tunnel" as the "ChannelType". However, this value SHOULD NOT be supplied for the "SecurityType" parameter unless required for backward compatibility as the channel must be established prior to connecting to the server and is not consistent with the negotiation of other security types.
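
Step 2 of the "Integrated SSH" procedure (Section 2.3.1) and step 2 of the "Secure Tunnel" procedure (Section 2.3.2) perform the same check: hash the received host key or certificate with the algorithm selected by "IdHashAlgorithm" and compare it with "IdHash". The code below is an added example of that check, not code from the RFC or any SSH, TLS or VNC implementation. It assumes the caller already holds the raw host key blob (SSH) or DER-encoded certificate (TLS) bytes from the handshake; SAMPLE_HOST_KEY is a constructed stand-in, and the colon-separated upper-case hex output follows the IdHash example earlier in the text. The alert_action helper models the two reactions the text describes for an unverified identity: an interactive prompt, or, in a dedicated environment, operator notification, a log entry and a generic service message.

```python
"""IdHash verification shared by the "Integrated SSH" and "Secure Tunnel"
channel procedures (added example)."""
import hashlib
import hmac

# Values from the "VNC URI ID Hash Algorithms" registry (Section 4.5).
ID_HASH_ALGORITHMS = {1: "md5", 2: "sha1", 4: "sha256"}

# Constructed stand-in for a received host key; a real client hashes the raw
# key (SSH) or certificate (TLS) bytes it received during the handshake.
SAMPLE_HOST_KEY = b"ssh-ed25519 constructed-sample-host-key-bytes"


def format_id_hash(digest):
    """Colon-separated upper-case hex, as in the IdHash example in the text."""
    return ":".join(f"{byte:02X}" for byte in digest)


def compute_id_hash(identity_bytes, algorithm_value):
    """Hash the identity bytes with the registered algorithm for algorithm_value."""
    try:
        name = ID_HASH_ALGORITHMS[algorithm_value]
    except KeyError:
        raise ValueError(f"unregistered IdHashAlgorithm value {algorithm_value}") from None
    return format_id_hash(hashlib.new(name, identity_bytes).digest())


def check_identity(identity_bytes, algorithm_value, expected_id_hash):
    """Return ("connect", actual) on a match, otherwise ("alert", actual).

    A missing IdHash also yields "alert": the host cannot be verified, so the
    user or operator has to decide whether to continue.
    """
    actual = compute_id_hash(identity_bytes, algorithm_value)
    if expected_id_hash is None:
        return "alert", actual
    wanted = expected_id_hash.replace(":", "").upper()
    if hmac.compare_digest(wanted, actual.replace(":", "")):
        return "connect", actual
    return "alert", actual


def alert_action(actual, expected, dedicated):
    """What the client does when the identity could not be verified.

    Interactive: show the identifying information and let the user abort or
    accept. Dedicated (kiosk): notify the operator, log, show a service message.
    """
    info = f"remote identity hash {actual}; expected {expected or '(none supplied)'}"
    if dedicated:
        return {"notify_operator": True, "log": info,
                "display": "This terminal requires servicing.", "prompt_user": False}
    return {"notify_operator": False, "log": None,
            "display": info, "prompt_user": True}
```

Comparison is done on the normalised hex so that a lower-case or colon-free IdHash still matches; the accept-and-continue path that the text allows is left to the caller, so that an unverified host is never connected to silently.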

3. Security Considerations

General security concerns involving URI schemes are discussed in [RFC3986]. In implementing support for the "vnc" URI scheme, areas for particular consideration include application trust, URI handling, host identification, and connection database security.

Remote desktop connectivity requires the transmission of security credentials, which could be included in a URI. If those credentials are not kept secure, an attacker can gain access to any systems using those credentials. Host addresses and connection parameters might also be considered sensitive, as such information can be used in planning an attack.

URIs can also contain host identification information. It is important to securely identify the remote host system to which a connection is established. If a user connects to an attacker's system, user data, including credentials, can be exposed.

Note that the RFB protocol itself may not encrypt data. To protect data in transit, RFB should be tunneled over TLS [RFC5246], SSH [RFC4251], or another secure protocol.

Some VNC systems can be used without authentication. To protect the remote host, strong passwords or other authentication mechanisms need to be used.

3.1. Application Trust

A malicious application receiving VNC credentials via URI or other means can obviously misuse those credentials. To protect against this, users should only install applications from trusted sources. The integrity of application packages can be verified through digital signatures.

Applications launching VNC clients can elect to launch only particular trusted clients and can specify those clients through platform-specific mechanisms. Package integrity can be verified programmatically by querying the package manager for digital signatures or other platform-specific means.

The risk to a VNC client from a launching application is generally much lower, since the launching application will not receive credentials or data from the client. A VNC client can verify its caller through platform-specific means.

VNC clients ought not to accept potentially destructive parameters from untrusted launching applications without explicit user confirmation. For example, a client-specific parameter that runs an arbitrary command upon establishing an SSH connection used for VNC tunneling is potentially destructive and high risk.

3.2. URI Handling

Within a mobile or desktop environment, application launch will typically involve in-memory URI data transmission facilitated and secured by the operating system.

When "vnc" URIs are exchanged or used within a system, their contents might be exposed by process listings or other instrumentation. Users need to avoid including sensitive information in "vnc" URIs that could be exposed to unauthorized observation.

If sensitive URI information is exchanged across a network, for example, by providing a list of connection URIs in a web page, the data needs to be encrypted in transit and only be accessible to authorized users.

When an application detects potentially sensitive information in a "vnc" URI, it needs to be handled securely or discarded. In particular, URI data on persistent storage needs to be encrypted as described in Section 3.4.

Since "vnc" URIs may contain sensitive information, applications should avoid logging the URIs even when errors occur. Users need to avoid including sensitive information in "vnc" URIs that are used with applications where logging is unavoidable.

Applications that process URIs in a generic way, such as web browsers, might not detect that sensitive information is contained in a URI and could cache or store that information insecurely. It is advisable to avoid including credentials and other sensitive information in URIs that are likely to be processed in a generic way unless such caching and storage is disabled or otherwise secured.
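
Where logging cannot be avoided, the practical mitigation for the concerns in this section is to strip credential values from a "vnc" URI before it is written anywhere. The following is an added example of such a redaction step, not code from the RFC or any VNC client; the set of credential parameters it hides is taken from the Section 4.6 registry ("VncPassword" and "SshPassword"), and the extra_params argument lets a deployment widen the policy to other parameters the text says may be sensitive, such as usernames or host details.

```python
"""Redacting credentials from a "vnc" URI before it is logged (added example)."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Credential-bearing parameters from the Section 4.6 registry.
SECRET_PARAMS = {"VncPassword", "SshPassword"}
REDACTED = "REDACTED"


def _split(uri):
    # A "vnc" URI is one contiguous string; drop any presentation line breaks.
    return urlsplit("".join(uri.split()))


def contains_secrets(uri):
    """True when any credential parameter is present with a non-empty value."""
    parts = _split(uri)
    return any(name in SECRET_PARAMS and value != ""
               for name, value in parse_qsl(parts.query, keep_blank_values=True))


def redact_vnc_uri(uri, extra_params=()):
    """Return the URI with credential values replaced.

    Structure and the remaining parameters are preserved so the logged form is
    still useful for diagnosis. extra_params widens the policy, for instance to
    "SshUsername" or "VncUsername".
    """
    hidden = SECRET_PARAMS | set(extra_params)
    parts = _split(uri)
    pairs = [(name, REDACTED if name in hidden else value)
             for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    query = urlencode(pairs, safe=":")  # keep IdHash colons readable
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def log_line(event, uri):
    """Compose a log record that never carries the raw URI."""
    return f"{event}: {redact_vnc_uri(uri)}"
```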

3.3. Host Identification

In the absence of verifiable host identification, a VNC client application is vulnerable to spoofing and man-in-the-middle attacks that capture VNC or host OS credentials and user data. To prevent such attacks, administrators SHOULD secure their VNC communications with TLS [RFC5246] or SSH [RFC4251] tunnels or other connection mechanisms identifying remote hosts via certificate or public key. VNC clients MUST verify the respective certificates or public keys to confirm the remote host's identity.

An application launching a VNC client via URI MAY provide a certificate hash or public key hash identifying the remote host. VNC clients maintaining a connection database can also store certificate or public key data suitable for validating a host's identity.

If connecting to a system identified by certificate or public key and a remote system ID hash cannot be matched to available identifying data, the VNC client needs to alert the user or operator. In a typical interactive environment, the alert will provide the remote system's identifying information and allow the user to terminate the connection. The alert can allow the user to accept the information and continue establishing the connection. In a dedicated environment (such as a kiosk system), the system can transmit an alert to the remote operator, record a log entry, and execute appropriate fallback behavior such as displaying a generic message requesting servicing.

When providing identifying information of a host identified by an X.509 certificate [RFC5280] [X.509], the certificate subject, issuer, validity period, and certificate hash need to be included. The VNC client can verify the certificate validity. If the validity of a certificate is not determined, the alert needs to include a statement indicating such information has not been verified.

Identifying information of a host identified by public key, such as the endpoint of an SSH connection using a raw key, needs to include a hash of the key.

3.4. Connection Database Integrity

A VNC client application and/or launching application can maintain a connection database containing remote host information, credentials, and/or connection parameters. Applications storing credentials need to ensure they are stored in an encrypted format with a decryption process requiring user-supplied or device-specific data. If supported, it is advisable for applications to have a setting disabling storage of credentials.

If available, the VNC client connection database can store certificate or public key data used to verify host identification. To prevent a malicious URI from overriding the database, if identification information in the URI conflicts with information in the database, the user or operator needs to be alerted. In a typical interactive environment, the user can be prompted to accept the new information prior to updating the database.
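
The override guard in the paragraph above, as an added example that is not code from the RFC or any VNC client: identity data arriving in a URI is compared with the record already held for the host, and the record is changed only on a first sighting or after the user or operator has explicitly accepted the new information. The database contents and hash values are constructed for the example. A differing "IdHashAlgorithm" is treated as a conflict too, since without the live key the client cannot confirm that two hashes under different algorithms identify the same host.

```python
"""Guarding stored host identity data against a conflicting "vnc" URI (added example)."""

# Constructed connection database: host -> stored identification record.
DATABASE = {
    "desk.example.com": {"IdHashAlgorithm": 4, "IdHash": "AA:BB:CC:DD"},  # constructed
}


def _normalise(id_hash):
    return id_hash.replace(":", "").upper()


def reconcile_identity(database, host, uri_identity, user_accepted=False):
    """Compare identity data supplied in a URI with the stored record for host.

    Returns one of:
      "none"      the URI carried no identity data; nothing to reconcile
      "stored"    no record existed; the URI data is recorded
      "match"     URI data agrees with the record
      "conflict"  disagreement; record kept, caller must alert the user/operator
      "updated"   disagreement explicitly accepted; record replaced
    """
    if not uri_identity or "IdHash" not in uri_identity:
        return "none"
    stored = database.get(host)
    if stored is None:
        database[host] = dict(uri_identity)
        return "stored"
    same_algorithm = stored.get("IdHashAlgorithm") == uri_identity.get("IdHashAlgorithm")
    if same_algorithm and _normalise(stored["IdHash"]) == _normalise(uri_identity["IdHash"]):
        return "match"
    # Different hash, or a different algorithm we cannot cross-check: do not
    # let the URI silently replace what the database already trusts.
    if user_accepted:
        database[host] = dict(uri_identity)
        return "updated"
    return "conflict"
```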

4. IANA Considerations

The "vnc" scheme has been registered in the "Uniform Resource Identifier (URI) Schemes" registry.

The "Remote Framebuffer Security Types", "VNC URI Connection Channel Types", "VNC URI ID Hash Algorithms", and "VNC URI Parameters" registries support elements of the scheme.

4.1. "vnc" Scheme

IANA has added the "vnc" scheme to the "Uniform Resource Identifier (URI) Schemes" registry with description "Remote Framebuffer Protocol" and reference to this document. A registration template is provided in Appendix A.

The IANA schemes registry is currently located at <http://www.iana.org/assignments/uri-schemes>.

4.2. Remote Framebuffer Security Types

This document references the existing IANA "Remote Framebuffer Security Types" registry in specifying security type options. RFB security types are supported in "vnc" URIs.

Security mechanisms integrated with VNC clients might need to alter the process by which a connection is established prior to the security handshake described in Section 7.1.2 of [RFC6143]. Such mechanisms should be reflected in the "VNC URI Connection Channel Types" registry described in Section 4.4 of this document rather than the "Remote Framebuffer Security Types" registry, as their use cannot be negotiated by the mechanism specified in [RFC6143].

Exceptions can be made for backwards compatibility. IANA has updated the "Secure Tunnel" and "Integrated SSH" security types to refer to this document.

4.3. VNC URI Group

IANA has created a "Virtual Network Computing (VNC) Uniform Resource Identifier (URI)" group. This group contains application-level, URI-related registries distinct from those used by the RFB protocol itself.

4.4. VNC URI Connection Channel Types

IANA has created a "VNC URI Connection Channel Types" registry within the "Virtual Network Computing (VNC) Uniform Resource Identifier (URI)" group. The registry includes Value, Description, and Reference columns. The initial contents of the registry are described in this document. The values of the "Secure Tunnel" and "Integrated SSH" types are copied from the RFB Security Types registry. They are:

   Value     Description      Reference
   --------  ---------------  --------------
   0         Reserved         this document
   1         Standard TCP     this document
   23        Secure Tunnel    this document
   24        Integrated SSH   this document
        

The maximum acceptable value is 2,147,483,647.

Future assignments to this registry should be made through the "First Come First Served" process described in [RFC5226].

4.5. VNC URI ID Hash Algorithms

IANA has created a "VNC URI ID Hash Algorithms" registry within the "Virtual Network Computing (VNC) Uniform Resource Identifier (URI)" group. The registry includes Value, Description, and Reference columns.

The initial hash algorithms specified are a subset of the algorithms contained in the "TLS HashAlgorithm Registry". The initial contents of the registry are:

   Value     Description   Reference
   --------  ------------  --------------
   0         Reserved      this document
   1         MD5           this document
   2         SHA1          this document
   4         SHA256        this document
        

The maximum acceptable value is 2,147,483,647.

Future assignments to this registry should be made through the "First Come First Served" process described in [RFC5226].

4.6. VNC URI Parameters

IANA has created a "VNC URI Parameters" registry within the "VNC URI" group.

The initial contents are described in this document. They are:

   +-----------------+-----------------------------+-----------------+
   | Name            | Description                 | Reference       |
   +-----------------+-----------------------------+-----------------+
   | ConnectionName  | Name of connection profile  | this document   |
   +-----------------+-----------------------------+-----------------+
   | VncUsername     | VNC server username         | this document   |
   +-----------------+-----------------------------+-----------------+
   | VncPassword     | VNC server password         | this document   |
   +-----------------+-----------------------------+-----------------+
   | SecurityType    | RFB security type used      | this document   |
   +-----------------+-----------------------------+-----------------+
   | ChannelType     | Connection channel type     | this document   |
   +-----------------+-----------------------------+-----------------+
   | SshHost         | SSH server hostname or IP   | this document   |
   +-----------------+-----------------------------+-----------------+
   | SshPort         | SSH server port             | this document   |
   +-----------------+-----------------------------+-----------------+
   | SshUsername     | SSH username                | this document   |
   +-----------------+-----------------------------+-----------------+
   | SshPassword     | SSH password                | this document   |
   +-----------------+-----------------------------+-----------------+
   | IdHashAlgorithm | Hash algorithm used with    | this document   |
   |                 | "IdHash" parameter          |                 |
   +-----------------+-----------------------------+-----------------+
   | IdHash          | Expected hash of remote     | this document   |
   |                 | public key or certificate   |                 |
   +-----------------+-----------------------------+-----------------+
   | ColorLevel      | Client color depth/mode     | this document   |
   +-----------------+-----------------------------+-----------------+
   | ViewOnly        | Client is view only         | this document   |
   +-----------------+-----------------------------+-----------------+
   | SaveConnection  | Store connection info       | this document   |
   +-----------------+-----------------------------+-----------------+
        

Future assignments to this registry should be made through the "First Come First Served" process described in [RFC5226].

5. References
5.1. Normative References

[RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, DOI 10.17487/RFC1321, April 1992, <http://www.rfc-editor.org/info/rfc1321>.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>.

[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 2003, <http://www.rfc-editor.org/info/rfc3629>.

[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, <http://www.rfc-editor.org/info/rfc3986>.

[RFC4251] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) Protocol Architecture", RFC 4251, DOI 10.17487/RFC4251, January 2006, <http://www.rfc-editor.org/info/rfc4251>.

[RFC4252] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) Authentication Protocol", RFC 4252, DOI 10.17487/RFC4252, January 2006, <http://www.rfc-editor.org/info/rfc4252>.

[RFC4253] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253, January 2006, <http://www.rfc-editor.org/info/rfc4253>.

[RFC4254] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) Connection Protocol", RFC 4254, DOI 10.17487/RFC4254, January 2006, <http://www.rfc-editor.org/info/rfc4254>.

[RFC5234] Crocker, D., Ed., and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, DOI 10.17487/RFC5234, January 2008, <http://www.rfc-editor.org/info/rfc5234>.

[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008, <http://www.rfc-editor.org/info/rfc5246>.

[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, <http://www.rfc-editor.org/info/rfc5280>.

[RFC6143] Richardson, T. and J. Levine, "The Remote Framebuffer Protocol", RFC 6143, DOI 10.17487/RFC6143, March 2011, <http://www.rfc-editor.org/info/rfc6143>.

[SHS] National Institute of Standards and Technology, "Secure Hash Standard", NIST FIPS PUB 180-4, DOI 10.6028/NIST.FIPS.180-4, August 2015.

5.2. Informative References

[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, DOI 10.17487/RFC5226, May 2008, <http://www.rfc-editor.org/info/rfc5226>.

[RFC7595] Thaler, D., Ed., Hansen, T., and T. Hardie, "Guidelines and Registration Procedures for URI Schemes", BCP 35, RFC 7595, DOI 10.17487/RFC7595, June 2015, <http://www.rfc-editor.org/info/rfc7595>.

[X.509] ITU-T, "Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks", ITU-T Recommendation X.509, ISO/IEC 9594-8, 2005.

Appendix A. "vnc" URI Template

This template is provided for registration of the "vnc" URI in the IANA "Uniform Resource Identifier (URI) Schemes" registry as specified in [RFC7595].

Scheme name: vnc

Status: Permanent

Applications/protocols that use this scheme name: Virtual Network Computing (VNC) remote desktop applications use vnc URIs. VNC applications use the Remote Framebuffer (RFB) protocol.

Contact: IESG <iesg@ietf.org>.

Change Controller: See the authors of this document. Change control is through the IESG on behalf of the IETF <iesg@ietf.org>.

References: This document.

Acknowledgments

Dominic Parkes and the staff of RealVNC Ltd. graciously reviewed this document and provided constructive comments.

RFB and VNC are registered trademarks of RealVNC Ltd. in the United States and in other countries.

Authors' Addresses

   David Warden
   Dell Products LP
   200 Dell Way
   Round Rock, TX 78682
   United States


   Phone: 512-728-0380
   Email: David_Warden@dell.com
   URI: http://www.dell.com

   Iordan Iordanov
   Undatech
   260 Scarlet Road, Apt. 503
   Toronto, ON M6N 4X6
   Canada


   Email: iiordanov@gmail.com