3 machine running VNC behind NAT router?

Scott C. Best sbest "at" best.com
Sun Sep 3 19:17:01 2006


Kevin:

 	Heya. I felt compelled to reply, as your VNC password
information is very misleading.

 	Telnet and FTP actually *do* send passwords in the clear.
That is, if you actually captured packets in transit, you'd see
the password right there. However, VNC absolutely does not do this.
VNC uses challenge-response authentication, well described here:

http://en.wikipedia.org/wiki/Challenge-response_authentication

 	In VNC, I believe it works as follows: the server generates
a random value "N", and encrypts it using the saved VNC password.
When a VNC client connects, it receives this "encrypted challenge".
The Viewer then decrypts the value "N" using the password provided by
the user into the Viewer. It then performs a simple operation (eg,
calculates "N+1"), encrypts that and sends it back as the "response".
If the "response" is correct, the Server knows that the Viewer user
knows the correct password. And while enough information has gone
by in the wires for someone to *deduce* the password (ie, if a
malicious user knows the challenge string, the response string,
and the exact "simple operation" in the source), the password itself
cannot fairly be said to be "in the clear".

 	Otherwise...I agree with your assertion that leaving any
service open to direct connections from the Internet is asking
for trouble. I use EchoVNC to avoid this.

cheers,
Scott

> That is a pretty dangerous configuration you have there.  VNC transfers
> passwords in the clear, so it is no more safe as a WAN protocol than
> 'Telnet' or 'FTP'...
<snip>
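
The general challenge-response pattern referred to in the message above, as an added sketch that is not part of the original post and is not VNC's actual wire protocol. HMAC-SHA256 stands in for VNC's cipher, and every class name, function name and the sample password are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def derive_key(password: str) -> bytes:
    # Constructed key derivation for this sketch only.
    return hashlib.sha256(password.encode("utf-8")).digest()


class Server:
    def __init__(self, password: str):
        self._key = derive_key(password)
        self._pending = None

    def new_challenge(self) -> bytes:
        # A fresh random challenge per connection is what defeats replay.
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        challenge, self._pending = self._pending, None  # single use
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def viewer_response(password: str, challenge: bytes) -> bytes:
    # The viewer proves knowledge of the password without sending it.
    return hmac.new(derive_key(password), challenge, hashlib.sha256).digest()


def run_exchange(server_password: str, viewer_password: str):
    server = Server(server_password)
    challenge = server.new_challenge()
    response = viewer_response(viewer_password, challenge)
    # Everything an observer sees: challenge and response, no password.
    # The pair still lets a guess be checked offline, so a weak password
    # stays weak; tunnelling the session hides the pair as well.
    wire = challenge + response
    return server.verify(response), wire


def replay_accepted(password: str) -> bool:
    server = Server(password)
    old = viewer_response(password, server.new_challenge())
    assert server.verify(old)      # accepted once, for its own challenge
    server.new_challenge()         # next connection gets a new challenge
    return server.verify(old)      # the captured response is now useless
```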