* TurboVNC Authentication Extensions

The TurboVNC Server supports four "authentication methods", which are
techniques that the VNC server uses to validate authentication credentials sent
from a VNC viewer.  If the credentials sent from a particular VNC viewer are
not valid, then that viewer is not allowed to connect.

	No Authentication :: {:}
		The VNC server does not authenticate the VNC viewer at all.

	VNC Password Authentication :: {:}
		A session password sent from the VNC viewer is validated against a password
		file, which is typically located under the user's home directory on the
		server machine.  The VNC password is separate from any other login
		credentials and thus represents less of a security threat if compromised
		(that is, assuming the VNC password and the user's account password are not
		the same.)

	One-Time Password (OTP) Authentication :: {:}
		Using the ''vncpasswd'' program, a unique password is generated "on the
		fly" for the VNC server session, and the password is printed on the
		command line (see the man page for ''vncpasswd'' for more details.)  The
		user enters this password in the VNC viewer, and the VNC viewer sends the
		password to the VNC server as if it were a VNC password.  However, once the
		OTP has been used to authenticate a viewer, the OTP is forgotten and cannot
		be reused.  OTP authentication can be used, for instance, to launch or
		connect to TurboVNC sessions from an automated web portal or from a job
		scheduler.  OTP authentication is also useful for allowing temporary access
		to a TurboVNC session for collaboration purposes.

	PAM User/Password Authentication :: {:}
		The VNC server uses Pluggable Authentication Modules (PAM) to validate a
		username and password received from a VNC viewer.  The password received
		from the VNC viewer need not necessarily be validated against the user's
		account password.  Generally, the TurboVNC Server can validate the username
		and password using any authentication credentials that can be accessed
		through PAM.  Since the user/password authentication scheme supported by
		TurboVNC (see below) transmits the password from the VNC viewer to the VNC
		server as plain text, it is strongly recommended that the PAM User/Password
		authentication method be used only if the server is restricted to allow
		only loopback (SSH) connections and to disallow reverse connections (see
		{ref prefix="Section ": Secure_TurboVNC_Usage}.)

The TurboVNC Viewer supports three "authentication schemes", which are
protocols used to send authentication credentials from a VNC viewer to a VNC
server for validation.

	None :: {:}
		No authentication credentials are sent to the server.

	Standard VNC Authentication :: {:}
		A password is sent to the server using a DES-encrypted
		challenge/response scheme.  The password can be up to 8 characters long,
		so the DES key length is 56 bits.  This is not a particularly strong form
		of encryption by today's standards (56-bit DES was broken by a brute-force
		attack in the late 1990s.)

	Unix Login Authentication :: {:}
		Both the username and password are sent to the VNC server as plain text.
		Thus, it is __strongly__ recommended that this authentication scheme
		be used only with VNC connections that are encrypted using SSH (see
		{ref prefix="Section ": Secure_TurboVNC_Usage}.)
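
The 8-character limit and 56-bit key length described under Standard VNC Authentication above, worked through as an added example (this is not TurboVNC code).  It assumes the RFB convention of truncating or NUL-padding the password to 8 bytes and mirroring the bits of each key byte before DES; the function names and the Latin-1 encoding are assumptions made for the illustration.

```python
# Added illustration, not TurboVNC source: how a VNC password becomes a DES key
# and why only 56 bits of it matter.  Function names are hypothetical.

def vnc_des_key(password: str) -> bytes:
    """Return the 8 key bytes handed to DES for Standard VNC authentication."""
    # Assumption: one byte per character (Latin-1); anything past 8 bytes is
    # discarded and shorter passwords are padded with NUL bytes.
    raw = password.encode("latin-1")[:8].ljust(8, b"\x00")
    # The VNC DES routine consumes each key byte with its bit order mirrored.
    return bytes(int(f"{b:08b}"[::-1], 2) for b in raw)


def effective_key_bits(key: bytes) -> int:
    """Pack the 56 bits DES actually uses (it ignores the low bit of each byte)."""
    bits = 0
    for b in key:
        bits = (bits << 7) | (b >> 1)
    return bits


def same_des_key(pw_a: str, pw_b: str) -> bool:
    """True if two passwords are indistinguishable to the challenge/response."""
    return (effective_key_bits(vnc_des_key(pw_a))
            == effective_key_bits(vnc_des_key(pw_b)))


if __name__ == "__main__":
    # Constructed sample passwords, for demonstration only.
    samples = [
        ("passwordA", "passwordB"),    # differ only after the 8th character
        ("\xe4bcdefgh", "dbcdefgh"),   # differ only in the top bit of one character
        ("password", "passwore"),      # differ within the 56 significant bits
    ]
    for a, b in samples:
        print(f"{a!r} vs {b!r}: same DES key = {same_des_key(a, b)}")
```

Because the mirrored parity bit is the top bit of each character, an 8-character ASCII password contributes exactly 7 bits per character, which is where the 56-bit figure comes from.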

** Enabling Authentication Methods

The default behavior of the TurboVNC Server is for all authentication methods
except "None" to be enabled and for VNC Password and OTP authentication to be
preferred over PAM User/Password authentication.  However, the system
administrator can disable one or more of the authentication methods or set
the preferred order of the authentication methods by editing the server's
security configuration file.  See the ''Xvnc'' man page for more details.

If the VNC server allows multiple authentication methods that support multiple
authentication schemes, then the VNC viewer's default authentication scheme
will be determined by the server's preferred authentication method.  In this
case, the user can override the default by passing command-line arguments to
''vncviewer''.  If the VNC server prefers an authentication method that
supports Standard VNC authentication, then the user can force the use of Unix
Login authentication by passing an argument of ''-user ''__''{user_name}''__ to
''vncviewer'' when connecting to the TurboVNC session.  Similarly, if the VNC
server prefers an authentication method that supports Unix Login
authentication, then the user can force the use of Standard VNC authentication
by passing an argument of ''-nounixlogin'' to ''vncviewer''.  Both of these
command-line options work with all versions of the TurboVNC Viewer.  When using
the Java TurboVNC Viewer, you can also accomplish the same thing by unchecking
"Unix Login" or "Standard VNC" in the "Security" tab of the Options dialog or
by limiting the available security types using the ''SecurityTypes'', ''User'',
or ''NoUnixLogin'' arguments/parameters.

If the system administrator has not restricted any of the authentication
methods on a system-wide basis, then the user can choose to disable some or
all of them for a single TurboVNC session by passing command-line arguments to
''vncserver''.  See the ''vncserver'' man page for more details.

** Further Reading

For more detailed information about the TurboVNC authentication extensions,
refer to the TurboVNC man pages:

	#Verb: <<---
	man -M /opt/TurboVNC/man vncserver
	man -M /opt/TurboVNC/man Xvnc
	man -M /opt/TurboVNC/man vncpasswd
	---
