Index: trunk/packages/invirt-vnc-server/debian/changelog
===================================================================
--- trunk/packages/invirt-vnc-server/debian/changelog	(revision 1387)
+++ trunk/packages/invirt-vnc-server/debian/changelog	(revision 1388)
@@ -2,6 +2,7 @@
 
   * sipb-xen-vnc-server -> invirt-vnc-server
+  * Generate the VNC token key at install-time instead of hard-coding
 
- -- Evan Broder <broder@mit.edu>  Tue, 28 Oct 2008 15:18:42 -0400
+ -- Evan Broder <broder@mit.edu>  Tue, 28 Oct 2008 19:44:04 -0400
 
 sipb-xen-vnc-server (1.2) unstable; urgency=low
Index: trunk/packages/invirt-vnc-server/debian/invirt-vnc-server.postinst
===================================================================
--- trunk/packages/invirt-vnc-server/debian/invirt-vnc-server.postinst	(revision 1387)
+++ trunk/packages/invirt-vnc-server/debian/invirt-vnc-server.postinst	(revision 1388)
@@ -24,4 +24,8 @@
 	    echo "Please be sure to copy vncproxy.crt and vncproxykey.pem into /usr/share/invirt-vnc-server/"
 	fi
+        mkdir -p /etc/invirt/secrets
+        if ! [ -e /etc/invirt/secrets/vnc-key ]; then
+            openssl rand -base64 33 >/etc/invirt/secrets/vnc-key
+        fi
     ;;
 
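Review bot: The key file `/etc/invirt/secrets/vnc-key` is created under the maintainer script's default umask, so unless a restrictive umask is set elsewhere in the script, the HMAC secret and its directory are likely world-readable. Create it with tight permissions, e.g. `(umask 077; openssl rand -base64 33 >/etc/invirt/secrets/vnc-key)`, and then set ownership for whichever account runs the VNC proxy. The `-e` test also accepts an empty file left behind by a failed `openssl` run, because the redirect creates the file before the command runs; test with `[ -s /etc/invirt/secrets/vnc-key ]`, or write to a temporary file and `mv` it into place. The enclosing `case` branch starts outside the hunk.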
Index: trunk/packages/invirt-vnc-server/python/vnc/extauth.py
===================================================================
--- trunk/packages/invirt-vnc-server/python/vnc/extauth.py	(revision 1387)
+++ trunk/packages/invirt-vnc-server/python/vnc/extauth.py	(revision 1388)
@@ -19,9 +19,13 @@
 import socket
 import time
-import get_port
-
-TOKEN_KEY = "0M6W0U1IXexThi5idy8mnkqPKEq1LtEnlK/pZSn0cDrN"
+
+def getTokenKey():
+    token_key = file('/etc/invirt/secrets/vnc-key').read().strip()
+    while True:
+        yield token_key
+getTokenKey = getTokenKey().next
 
 def getPort(name, auth_data):
+    import get_port
     if (auth_data["machine"] == name):
         port = get_port.findPort(name)
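Review bot: The generator bound by `getTokenKey = getTokenKey().next` fails permanently if the first read fails: once `file(...)` raises, the generator is finished and every later call raises `StopIteration`, even after the key file has been put in place. It also accepts an empty file, in which case `hmac.new` is keyed with `""` and tokens are signed with a key anyone can guess. A plain cached function that closes the file, rejects an empty key and retries on the next call is easier to read and fails closed. It also deserves a docstring saying the key is read lazily so that importing the module does not require the secret to exist. How the exception surfaces depends on the `except` clause in `validateToken`, which is not visible here.

```python
_token_key = None

def getTokenKey():
    """Return the HMAC key for VNC tokens, reading it from disk on first use."""
    global _token_key
    if _token_key is None:
        f = open('/etc/invirt/secrets/vnc-key')
        try:
            key = f.read().strip()
        finally:
            f.close()
        if not key:
            # An empty key would make every token forgeable; refuse to use it.
            raise ValueError("VNC token key file is empty")
        _token_key = key
    return _token_key

# ... unchanged: getPort ...
```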
@@ -63,10 +67,9 @@
 
     def validateToken(self, token):
-        global TOKEN_KEY
         self.auth_error = "Invalid token"
         try:
             token = base64.urlsafe_b64decode(token)
             token = cPickle.loads(token)
-            m = hmac.new(TOKEN_KEY, digestmod=sha)
+            m = hmac.new(getTokenKey(), digestmod=sha)
             m.update(token['data'])
             if (m.digest() == token['digest']):
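Review bot: `cPickle.loads(token)` runs on bytes supplied by the client before the HMAC is checked, so the HMAC protects only `token['data']` and not the deserialization step itself; unpickling unauthenticated input can execute code in the proxy process. The token should be laid out so that the digest can be split off without a parser (for example a fixed-length digest followed by the data), the HMAC verified first, and the payload decoded only after it matches, preferably with a data-only format rather than pickle. This changes the token format, so the issuing side, which is outside this diff, would have to change with it. The comparison `m.digest() == token['digest']` is also not constant-time; where the interpreter provides `hmac.compare_digest`, use that instead. `validateToken` continues past the end of the hunk.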
