ultravnc / UltraVNC

UltraVNC Server, UltraVNC Viewer and UltraVNC SC | Official repository: https://github.com/ultravnc/UltraVNC
https://uvnc.com
GNU General Public License v3.0

Authentication problems with RealVNC Server installed on Raspberry PI3 #134

Open wizard982 opened 8 months ago

wizard982 commented 8 months ago

Hello, I've used UltraVNC Viewer for ages, with Windows, Linux and Raspbian systems. With the last version, 1.4.3.6, I have problems during the connection phase to my Raspberry device. I want to start by saying that I moved from RealVNC 6 to RealVNC 7.8.0 but I have the same problem with both versions. BTW, I'm going to try to briefly explain the problem and also enclose with this request the RealVNC logs captured from the Raspberry Debian OS and some screenshots of the UltraVNC messages, captured from my Windows PC. I made three tests: one with RealVNC Viewer, one with TigerVNC and, obviously, one with UltraVNC Viewer. Another important thing to say is that RealVNC is configured with:

The other configuration properties are set to their standard values.

Despite the various guides that I read on the Internet in which this seems to be the configuration that enables the other viewers to talk with success with RealVNC, this communication is systematically interrupted by the UltraVNC side (but I tried also with TightVNC and the problem seems to be the same) with the "no supported authentication methods" message. This doesn't happen when I use RealVNC viewer or TigerVNC.

Now I will paste the captured logs and the screens

UltraVNC with Authentication property set to VncAuth

```
<13> 2024-01-07T11:13:56.669Z serverp2p vncserver-x11[530]: Connections: connected: 192.168.1.2::58767 (TCP)
<14> 2024-01-07T11:13:56.670Z serverp2p vncserver-x11[530]: SConnection: Client needs protocol version 3.8
<13> 2024-01-07T11:13:56.671Z serverp2p vncserver-x11[530]: Connections: disconnected: 192.168.1.2::58767 (TCP) ([EndOfStream] Disconnection by client)
```

![Screenshot 2024-01-07 121744](https://github.com/ultravnc/UltraVNC/assets/3286214/ec6a709e-d0bf-421e-a9cd-a19bd6bb676a)

UltraVNC with Authentication property set to None

```
<13> 2024-01-07T11:18:40.824Z serverp2p vncserver-x11[530]: Connections: connected: 192.168.1.2::59230 (TCP)
<14> 2024-01-07T11:18:40.826Z serverp2p vncserver-x11[530]: SConnection: Client needs protocol version 3.8
<14> 2024-01-07T11:18:40.827Z serverp2p vncserver-x11[530]: SProtoV4Down: Client requests security type None(1)
<14> 2024-01-07T11:18:40.827Z serverp2p vncserver-x11[530]: SConnection: Authentication successful
<13> 2024-01-07T11:18:40.828Z serverp2p vncserver-x11[530]: Connections: authenticated: 192.168.1.2::59230 (TCP), as (anonymous) (d permissions)
<14> 2024-01-07T11:18:40.888Z serverp2p vncserver-x11[530]: SConn: Server default pixel format depth 24 (32 bpp) little-endian rgb888
<14> 2024-01-07T11:20:04.250Z serverp2p vncserver-x11[530]: SConn: Client pixel format depth 24 (32 bpp) little-endian rgb888
<14> 2024-01-07T11:20:04.251Z serverp2p vncserver-x11[530]: SConnection: Encodings Hextile(5) [unknown encoding 29](29) [unknown encoding 27](27) [unknown encoding 26](26) [unknown encoding 25](25) [unknown encoding 19](19) [unknown encoding 18](18) [unknown encoding 17](17) ZRLE(16) [unknown encoding 10](10) [unknown encoding 9](9) [unknown encoding 8](8) [unknown encoding 7](7) Zlib(6) [unknown encoding 4](4) RRE(2) CopyRect(1) Raw(0) [unknown encoding -250](-250) Cursor(-239) [unknown encoding -232](-232) [unknown encoding -26](-26) [unknown encoding -65525](-65525) [unknown encoding -224](-224) DesktopSize(-223) [unknown encoding -308](-308) [unknown encoding -32768](-32768) [unknown encoding -32767](-32767) [unknown encoding -32764](-32764) [unknown encoding -32766](-32766) [unknown encoding -32765](-32765) [unknown encoding -1063131698](-1063131698)
<14> 2024-01-07T11:20:04.251Z serverp2p vncserver-x11[530]: SConnection: Current encoding Hextile
```

![Screenshot 2024-01-07 121948](https://github.com/ultravnc/UltraVNC/assets/3286214/27f2c3ce-02ff-4182-b735-14889de88f0c)

![Screenshot 2024-01-07 122015](https://github.com/ultravnc/UltraVNC/assets/3286214/7583df74-7008-48fe-a5af-2c8f11e3fe8d)

TigerVNC with Authentication property set to VncAuth

```
<13> 2024-01-07T11:15:32.930Z serverp2p vncserver-x11[530]: Connections: connected: 192.168.1.2::58953 (TCP)
<14> 2024-01-07T11:15:32.966Z serverp2p vncserver-x11[530]: SConnection: Client needs protocol version 3.8
<14> 2024-01-07T11:15:32.983Z serverp2p vncserver-x11[530]: SProtoV4Down: Client requests security type RA2ne_128(6)
<14> 2024-01-07T11:15:34.404Z serverp2p vncserver-x11[530]: SecTypeRA2: using AES-128
<14> 2024-01-07T11:15:39.513Z serverp2p vncserver-x11[530]: SConnection: Authentication successful
<13> 2024-01-07T11:15:39.513Z serverp2p vncserver-x11[530]: Connections: authenticated: 192.168.1.2::58953 (TCP), as (anonymous) (d permissions)
<14> 2024-01-07T11:15:39.544Z serverp2p vncserver-x11[530]: SConn: Server default pixel format depth 24 (32 bpp) little-endian rgb888
<13> 2024-01-07T11:15:39.545Z serverp2p vncserver-x11[530]: Connections: disconnected: 192.168.1.2::58436 (TCP) ([NonShared] Non-shared connection requested)
<14> 2024-01-07T11:15:39.595Z serverp2p vncserver-x11[530]: SModulePrint: set printer (none) as default
<14> 2024-01-07T11:15:39.595Z serverp2p vncserver-x11[530]: CupsApi: Removing printer HPLJPM15w_(HP_LaserJet_M15w)_via_VNC_from_UNO
<14> 2024-01-07T11:15:39.614Z serverp2p vncserver-x11[530]: SMsgWriter: framebuffer updates 448
<14> 2024-01-07T11:15:39.614Z serverp2p vncserver-x11[530]: SMsgWriter: Raw rects 1, bytes 16650, pixels 16640
<14> 2024-01-07T11:15:39.614Z serverp2p vncserver-x11[530]: SMsgWriter: JRLE rects 1161, bytes 1903476, pixels 11024384
<14> 2024-01-07T11:15:39.614Z serverp2p vncserver-x11[530]: SMsgWriter: ZRLE2 rects 412, bytes 183684, pixels 3144716
<14> 2024-01-07T11:15:39.614Z serverp2p vncserver-x11[530]: SMsgWriter: CopyRect rects 0, bytes 0, pixels 0
<14> 2024-01-07T11:15:39.614Z serverp2p vncserver-x11[530]: SMsgWriter: raw bytes equivalent 53947128, compression ratio 25.64
<14> 2024-01-07T11:15:39.617Z serverp2p vncserver-x11[530]: SConnection: Encodings CursorWithAlpha(-314) [unknown encoding 1464686180](1464686180) Cursor(-239) [unknown encoding -240](-240) [unknown encoding 1464686182](1464686182) DesktopSize(-223) [unknown encoding -308](-308) [unknown encoding -261](-261) [unknown encoding 1464686184](1464686184) [unknown encoding -307](-307) [unknown encoding -224](-224) [unknown encoding -1063131698](-1063131698) [unknown encoding -313](-313) [unknown encoding -312](-312) [unknown encoding -258](-258) [unknown encoding 7](7) CopyRect(1) [unknown encoding 50](50) ZRLE(16) Hextile(5) RRE(2) CopyRect(1) Raw(0) [unknown encoding -254](-254) [unknown encoding -24](-24)
<14> 2024-01-07T11:15:39.618Z serverp2p vncserver-x11[530]: SConnection: Current encoding ZRLE
```

RealVNC Viewer with Authentication property set to VncAuth

```
<13> 2024-01-07T11:16:07.773Z serverp2p vncserver-x11[530]: Connections: disconnected: 192.168.1.2::58953 (TCP) ([System-104] read: Connection reset by peer (104))
<14> 2024-01-07T11:16:07.832Z serverp2p vncserver-x11[530]: SMsgWriter: framebuffer updates 92
<14> 2024-01-07T11:16:07.833Z serverp2p vncserver-x11[530]: SMsgWriter: ZRLE rects 451, bytes 622852, pixels 4334786
<14> 2024-01-07T11:16:07.833Z serverp2p vncserver-x11[530]: SMsgWriter: CopyRect rects 0, bytes 0, pixels 0
<14> 2024-01-07T11:16:07.833Z serverp2p vncserver-x11[530]: SMsgWriter: raw bytes equivalent 17344556, compression ratio 27.85
<14> 2024-01-07T11:16:07.942Z serverp2p vncserver-x11[530]: Agent: SServerAgent: Stopping desktop
<13> 2024-01-07T11:16:12.348Z serverp2p vncserver-x11[530]: Connections: connected: 192.168.1.2::59028 (TCP)
<14> 2024-01-07T11:16:12.359Z serverp2p vncserver-x11[530]: SConnection: Client needs protocol version 5.0
<14> 2024-01-07T11:16:12.360Z serverp2p vncserver-x11[530]: SProtoV5Up: Choosing cipher suite RA4ne_128 [0x0204] (algorithms: RSA-OAEP, ECDHE-Curve25519, SHA-256, AES-GCM-128/NULL-HMAC-SHA1)
<14> 2024-01-07T11:16:12.545Z serverp2p vncserver-x11[530]: SAuthProtoImpl: Offering auth method UserPasswd(1) [required=1]
<14> 2024-01-07T11:16:12.578Z serverp2p vncserver-x11[530]: SAuthProtoImpl: Client chose auth method UserPasswd(1)
<14> 2024-01-07T11:16:18.033Z serverp2p vncserver-x11[530]: SConnection: Authentication successful
<14> 2024-01-07T11:16:18.033Z serverp2p vncserver-x11[530]: SProtoV5Up: Offering empty auth list (auth completed)
<13> 2024-01-07T11:16:18.033Z serverp2p vncserver-x11[530]: Connections: authenticated: 192.168.1.2::59028 (TCP), as (anonymous) (d permissions)
<14> 2024-01-07T11:16:18.034Z serverp2p vncserver-x11[530]: SConn: Pixel buffer 1280x720 at 0,0 depth 24
<14> 2024-01-07T11:16:18.071Z serverp2p vncserver-x11[530]: SConn: Server default pixel format depth 24 (32 bpp) little-endian rgb888
<14> 2024-01-07T11:16:18.073Z serverp2p vncserver-x11[530]: SServerRfb: Peer user agent vncviewer/7.8.0 (Windows NT 10.0; x64; it_IT)
<14> 2024-01-07T11:16:18.078Z serverp2p vncserver-x11[530]: ftExtension: Received advertisement for share 1707611435
<14> 2024-01-07T11:16:18.078Z serverp2p vncserver-x11[530]: FTMsgWriter: Requesting '' of share 1707611435 to depth 0
<14> 2024-01-07T11:16:18.078Z serverp2p vncserver-x11[530]: SConnection: Encodings ZRLE2(24) ZRLE(16) JRLE(22) JPEG(21) TRLE(15) Zlib(6) Hextile(5) RRE(2) Raw(0) CopyRect(1) CursorWithAlpha(-314) CursorWithAlphaOld(-311) Cursor(-239) DesktopSize(-223)
<14> 2024-01-07T11:16:18.078Z serverp2p vncserver-x11[530]: SConnection: Current encoding ZRLE2
<14> 2024-01-07T11:16:18.087Z serverp2p vncserver-x11[530]: SConn: Client pixel format depth 6 (8 bpp) rgb222
<14> 2024-01-07T11:16:18.215Z serverp2p vncserver-x11[530]: ftExtension: Received share EOF
<14> 2024-01-07T11:16:18.216Z serverp2p vncserver-x11[530]: DownloadManager: Requested HPLJPM15w (HP LaserJet M15w) via VNC from UNO
<14> 2024-01-07T11:16:18.216Z serverp2p vncserver-x11[530]: Agent: SServerAgent: Starting desktop
<14> 2024-01-07T11:16:18.216Z serverp2p vncserver-x11[530]: Agent: PixelBufferX11: Using shared memory Pixmap
<14> 2024-01-07T11:16:18.216Z serverp2p vncserver-x11[530]: Agent: SServerAgent: setPixelBuffer 1280x720 at 0,0 pf depth 24 (32 bpp) little-endian rgb888
<14> 2024-01-07T11:16:18.219Z serverp2p vncserver-x11[530]: SConnection: Encodings JRLE(22) ZRLE2(24) ZRLE(16) JPEG(21) TRLE(15) Zlib(6) Hextile(5) RRE(2) Raw(0) CopyRect(1) CursorWithAlpha(-314) CursorWithAlphaOld(-311) Cursor(-239) DesktopSize(-223)
<14> 2024-01-07T11:16:18.219Z serverp2p vncserver-x11[530]: SConnection: Current encoding JRLE
<14> 2024-01-07T11:16:18.219Z serverp2p vncserver-x11[530]: DownloadManager: Download complete.
<14> 2024-01-07T11:16:18.222Z serverp2p vncserver-x11[530]: CupsApi: Adding printer HPLJPM15w_(HP_LaserJet_M15w)_via_VNC_from_UNO
<14> 2024-01-07T11:16:18.290Z serverp2p vncserver-x11[530]: SModulePrint: set printer HPLJPM15w_(HP_LaserJet_M15w)_via_VNC_from_UNO as default
<14> 2024-01-07T11:16:18.291Z serverp2p vncserver-x11[530]: SConn: Client pixel format depth 24 (32 bpp) little-endian rgb888
```

Following you can read the details about the RealVNC Server version. Screenshot 2024-01-07 122426

Finally, I tried also different versions of UltraVNC and I obtained the same result with the VNC password authentication system enabled.
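Added example (not part of the original post, and not UltraVNC or RealVNC code): a small Python triage over the `vncserver-x11` log format shown above that reports, per client connection, which security type the client selected and whether the handshake completed. The function names and verdict labels are hypothetical, and attributing lines that carry no peer address to the most recent connection is an assumption.

```python
import re

# Constructed sample: handshake lines copied from the server log in this issue, in timestamp order.
SAMPLE_LOG = """\
<13> 2024-01-07T11:13:56.669Z serverp2p vncserver-x11[530]: Connections: connected: 192.168.1.2::58767 (TCP)
<14> 2024-01-07T11:13:56.670Z serverp2p vncserver-x11[530]: SConnection: Client needs protocol version 3.8
<13> 2024-01-07T11:13:56.671Z serverp2p vncserver-x11[530]: Connections: disconnected: 192.168.1.2::58767 (TCP) ([EndOfStream] Disconnection by client)
<13> 2024-01-07T11:15:32.930Z serverp2p vncserver-x11[530]: Connections: connected: 192.168.1.2::58953 (TCP)
<14> 2024-01-07T11:15:32.966Z serverp2p vncserver-x11[530]: SConnection: Client needs protocol version 3.8
<14> 2024-01-07T11:15:32.983Z serverp2p vncserver-x11[530]: SProtoV4Down: Client requests security type RA2ne_128(6)
<13> 2024-01-07T11:15:39.513Z serverp2p vncserver-x11[530]: Connections: authenticated: 192.168.1.2::58953 (TCP), as (anonymous) (d permissions)
<13> 2024-01-07T11:15:39.545Z serverp2p vncserver-x11[530]: Connections: disconnected: 192.168.1.2::58436 (TCP) ([NonShared] Non-shared connection requested)
<13> 2024-01-07T11:18:40.824Z serverp2p vncserver-x11[530]: Connections: connected: 192.168.1.2::59230 (TCP)
<14> 2024-01-07T11:18:40.826Z serverp2p vncserver-x11[530]: SConnection: Client needs protocol version 3.8
<14> 2024-01-07T11:18:40.827Z serverp2p vncserver-x11[530]: SProtoV4Down: Client requests security type None(1)
<13> 2024-01-07T11:18:40.828Z serverp2p vncserver-x11[530]: Connections: authenticated: 192.168.1.2::59230 (TCP), as (anonymous) (d permissions)
"""

LINE = re.compile(r"^<\d+> \S+ \S+ vncserver-x11\[\d+\]: (\w+): (.*)$")
PEER = re.compile(r"^(connected|authenticated|disconnected): (\S+) \(TCP\)")
SECTYPE = re.compile(r"Client requests security type (\w+)\((\d+)\)")

def verdict(st):
    if st["authenticated"]:
        return "no-credentials-required" if st["sectype"] == "None" else "ok"
    if st["sectype"] is None and st["closed"]:
        return "client-left-before-choosing-security-type"
    return "incomplete"

def triage(log_text):
    """Return {peer: (security type, verdict)} for each connection in the log."""
    sessions, current = {}, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        source, msg = m.groups()
        p = PEER.match(msg) if source == "Connections" else None
        if p:
            event, peer = p.groups()
            if event == "connected":
                current = peer
                sessions[peer] = {"sectype": None, "authenticated": False, "closed": False}
            elif peer in sessions:  # skip peers that connected before the log starts
                sessions[peer]["authenticated" if event == "authenticated" else "closed"] = True
        elif current and (s := SECTYPE.search(msg)):
            # Assumption: lines without a peer address belong to the newest connection.
            sessions[current]["sectype"] = s.group(1)
    return {peer: (st["sectype"], verdict(st)) for peer, st in sessions.items()}
```

On the sample, the first connection is reported as leaving before any security type was requested, and the last as a session authenticated with security type None.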

RudiDeVos commented 8 months ago

Status: ubuntu server with RA2ne Auth done, repeat using UltraVNC viewer "no support.." done. *Seems that vncAuth is not supported, you need RA2ne (authentication type 6)

I'm able to see what happens; if no encryption is needed we can possibly implement it, no promises.

wizard982 commented 8 months ago

@RudiDeVos thanks for your answer,

maybe these links can help you: https://github.com/novnc/noVNC/issues/1788 https://static.realvnc.com/media/documents/realvnc-rfb-protocol-security-analysis.pdf

The strange thing is that, at the moment, on my server, the security encryption is set to AlwaysOff image

and the only possible options for the Authentication property are:

image

so it seems to be impossible to manually set the RA2NE Value

RudiDeVos commented 8 months ago

Does someone have a Linux image with a vncserver that supports RA2NE? Created a Linux server with tigervnc; it announces that it supports RA2ne, but as soon as you connect the server logs that it doesn't support it. Does a working wayvnc image for Hyper-V exist?

Updated tigervnc manual to 1.13, that should support it. got a little further

```
SConnection: Client requests security type RA2ne(6)
VNCSConnST: closing 172.29.32.1::54218: Connection failed: failed to open key
```

Seems I need to read the manual first... some extra config is needed

RudiDeVos commented 8 months ago

Spending too much time on server setup while I should be testing the viewer... Anyone know how to set up a Linux VNC server that supports RA2ne?

StArBoY-Works commented 8 months ago

I have an Ubuntu server hosted on a Raspberry Pi. I connect to it using SSH instead of HDMI. I have enabled VNC on it but I am not sure if it supports RA2ne @RudiDeVos

RudiDeVos commented 8 months ago

This issue is more or less the same as https://github.com/ultravnc/UltraVNC/issues/133. Both support RA2ne as authentication type.

RudiDeVos commented 8 months ago

Branch RA2ne created. Required libs for AES:

* libnettle_nettle_3.9.1_release_20230601_msvc17.zip
* libgmp_6.2.1-4_msvc17.zip

Complex builds, can be downloaded prebuilt from https://github.com/ShiftMediaProject

VNC server: download the Debian trixie test build and install tigervnc; this supports RA2ne authentication and runs in Hyper-V.

RudiDeVos commented 7 months ago

Thanks to Vladimir Vissoultchev, extra authentication methods have been implemented in the viewer. Binary test builds, please provide feedback: https://www.uvnc.eu/download/1440/vncviewer_1.4.4.0-dev.zip

Extra Info WIP: RSA-AES authentication and encryption (#139)

eNCrypt authentication with TLS encrypted transport (#142)

wizard982 commented 7 months ago

Thanks a lot @RudiDeVos, now it works perfectly. Now I'm waiting for the integration in the official release.