From: "Daniel P. Berrange" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] PATCH: 0/7: Support SASL authentication in VNC server
Date: Thu, 12 Feb 2009 14:53:02 +0000
Message-ID: <20090212145302.GO9894@redhat.com>

Previously I provided patches for QEMU's VNC server to support SSL/TLS
and x509 certificates. This provides good encryption capabilities for
the VNC session. It doesn't really address the authentication problem
though.

I have been working to create a new authentication type in the RFB
protocol to address this need in a generic, extendable way, by mapping
the SASL API into the RFB protocol. Since SASL is a generic plugin
based API, this will allow use of a huge range of auth mechanisms over
VNC, without us having to add any more auth code. For example, PAM,
Digest-MD5, GSSAPI/Kerberos, One-time key/password, LDAP password
lookup, SQL db password lookup, and more.

I have got a VNC auth type assigned by the RFB spec maintainers:

  http://realvnc.com/pipermail/vnc-list/2008-December/059463.html

With the full current spec for the SASL extension currently documented
here:

  http://realvnc.com/pipermail/vnc-list/2008-December/059462.html


This is the 2nd version of the patches I initially posted here

  http://lists.gnu.org/archive/html/qemu-devel/2009-02/msg00255.html


Changes since last time

 - Re-factor the code to move TLS and SASL methods into separate files,
   vnc-tls.c, vnc-auth-vencrypt.c and vnc-auth-vencrypt.h

 - Added simple access control lists for authorization of client users
   on either SASL username, or x509 distinguished name

 - Added proof of concept external file format for persisting ACLs

 - Extend 'info vnc' to show much more information about clients and
   auth

 - Tested with SASL + Digest-MD5, SASL + GSSAPI, TLS + SASL + Digest-MD5
   and TLS + SASL + GSSAPI. This gives coverage of all interesting
   code paths and/or I/O encryption combinations.


The combined diffstat for all 7 patches, about to follow, is:

 .hgignore             |   16 
 Makefile              |   27 +
 Makefile.target       |    5 
 b/acl.c               |  264 ++++++++++++
 b/acl.h               |   71 +++
 b/keymaps.h           |   60 ++
 b/qemu.sasl           |   34 +
 b/vnc-auth-sasl.c     |  640 +++++++++++++++++++++++++++++
 b/vnc-auth-sasl.h     |   76 +++
 b/vnc-auth-vencrypt.c |  175 +++++++
 b/vnc-auth-vencrypt.h |   33 +
 b/vnc-tls.c           |  456 ++++++++++++++++++++
 b/vnc-tls.h           |   76 +++
 configure             |   34 +
 curses.c              |    3 
 curses_keys.h         |    9 
 keymaps.c             |   45 --
 monitor.c             |   80 +++
 qemu-doc.texi         |  109 ++++
 sdl.c                 |    3 
 sdl_keysym.h          |    7 
 vl.c                  |   12 
 vnc.c                 | 1100 ++++++++++++++++++--------------------------------
 vnc.h                 |  215 +++++++++
 vnc_keysym.h          |    5 
 25 files changed, 2795 insertions(+), 760 deletions(-)


Daniel

-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
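The cover letter above describes adding a simple access control list that authorises an authenticated client by either its SASL username or its x509 distinguished name, with a persistent external file format for the rules. The following is an added illustration of that idea, not the acl.c posted in this series: the rule syntax ("policy allow|deny", "allow <identity>", "deny <identity>"), the function names and the sample identities are all assumptions made for this example. It shows the two properties a defender wants from such a list: rules are evaluated in order with first match winning, and the default policy is deny, so an identity that matches nothing is refused.

```c
/*
 * Illustrative access-control list for authorising an authenticated VNC
 * client by identity string (a SASL username or an x509 distinguished
 * name). Added example; the rule format and the acl_* API names are
 * assumptions, not QEMU's own acl.c interface.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ACL_MAX_RULES 32

typedef struct {
    int allow;              /* 1 = allow, 0 = deny */
    char match[256];        /* exact identity string to match */
} AclRule;

typedef struct {
    char name[64];          /* e.g. "vnc.username" or "vnc.x509dname" */
    int default_allow;      /* policy when no rule matches; 0 = deny */
    int nrules;
    AclRule rules[ACL_MAX_RULES];
} Acl;

/* Start with an empty list that denies by default (fail closed). */
void acl_init(Acl *acl, const char *name)
{
    memset(acl, 0, sizeof(*acl));
    strncpy(acl->name, name, sizeof(acl->name) - 1);
    acl->default_allow = 0;
}

/* Append a rule; rules are evaluated in insertion order, first match wins. */
int acl_append(Acl *acl, int allow, const char *match)
{
    if (acl->nrules >= ACL_MAX_RULES ||
        strlen(match) >= sizeof(acl->rules[0].match))
        return -1;
    acl->rules[acl->nrules].allow = allow;
    strcpy(acl->rules[acl->nrules].match, match);
    acl->nrules++;
    return 0;
}

/* Decide whether an authenticated identity is authorised. Exact byte-for-byte
 * comparison only, so "C=GB,O=Example,CN=admin" and "CN=admin" are distinct. */
int acl_check(const Acl *acl, const char *identity)
{
    for (int i = 0; i < acl->nrules; i++) {
        if (strcmp(acl->rules[i].match, identity) == 0)
            return acl->rules[i].allow;
    }
    return acl->default_allow;
}

/* Parse one line of the constructed text format:
 *   policy allow|deny   /   allow <identity>   /   deny <identity>
 * Returns 0 on success, -1 on a malformed line (the caller should reject
 * the whole file rather than load a partial list). */
int acl_parse_line(Acl *acl, const char *line)
{
    char verb[16], rest[256];
    if (sscanf(line, "%15s %255[^\n]", verb, rest) != 2)
        return -1;
    if (strcmp(verb, "policy") == 0) {
        if (strcmp(rest, "allow") == 0) { acl->default_allow = 1; return 0; }
        if (strcmp(rest, "deny") == 0)  { acl->default_allow = 0; return 0; }
        return -1;
    }
    if (strcmp(verb, "allow") == 0) return acl_append(acl, 1, rest);
    if (strcmp(verb, "deny") == 0)  return acl_append(acl, 0, rest);
    return -1;
}

/* Build an ACL from constructed sample rules and check one identity.
 * Returns 1 (allow), 0 (deny) or -1 if the sample rules fail to parse. */
int acl_demo(const char *identity)
{
    static const char *sample[] = {        /* constructed sample rules */
        "policy deny",
        "allow alice@EXAMPLE.COM",
        "deny bob@EXAMPLE.COM",
        "allow C=GB,O=Example,CN=admin",
    };
    Acl acl;
    acl_init(&acl, "vnc.username");
    for (size_t i = 0; i < sizeof(sample) / sizeof(sample[0]); i++) {
        if (acl_parse_line(&acl, sample[i]) != 0)
            return -1;
    }
    return acl_check(&acl, identity);
}

int main(void)
{
    const char *ids[] = { "alice@EXAMPLE.COM", "bob@EXAMPLE.COM",
                          "mallory@EXAMPLE.COM", "C=GB,O=Example,CN=admin" };
    for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++)
        printf("%-28s -> %s\n", ids[i], acl_demo(ids[i]) ? "allow" : "deny");
    return 0;
}
```

Two design points worth noting: the list is keyed on the identity the authentication layer already verified (a SASL username after a successful exchange, or the DN from a validated x509 client certificate), so authorisation never re-examines credentials; and because the match is an exact string compare, any canonicalisation of realms or DN component order has to happen before the identity reaches the ACL, otherwise equivalent identities may be treated differently.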


Thread overview: 19+ messages
2009-02-12 14:53 Daniel P. Berrange [this message]
2009-02-12 15:01 ` [Qemu-devel] PATCH: 1/7: Extend 'info vnc' output to show client Daniel P. Berrange
2009-02-13 18:30   ` Anthony Liguori
2009-02-15 11:43     ` Daniel P. Berrange
2009-02-15 18:22       ` Anthony Liguori
2009-02-18 21:10       ` [Qemu-devel] " Mike Day
2009-02-12 15:02 ` [Qemu-devel] PATCH: 2/7: Push VncState struct into vnc.h Daniel P. Berrange
2009-02-14 22:09   ` Anthony Liguori
2009-02-15 11:43     ` Daniel P. Berrange
2009-02-12 15:02 ` [Qemu-devel] PATCH: 3/7: Split out VNC TLS auth code to separate file Daniel P. Berrange
2009-02-12 15:03 ` [Qemu-devel] PATCH: 4/7: Add SASL authentication extension to VNC Daniel P. Berrange
2009-02-12 15:03 ` [Qemu-devel] PATCH: 5/7: Include auth credentials in 'info vnc' Daniel P. Berrange
2009-02-12 15:04 ` [Qemu-devel] PATCH: 6/7: Support simple ACL for client authorization Daniel P. Berrange
2009-02-14 22:14   ` Anthony Liguori
2009-02-12 15:04 ` [Qemu-devel] PATCH: 7/7: Add external persistent ACL file Daniel P. Berrange
2009-02-14 22:16   ` Anthony Liguori
2009-02-15 11:28     ` Daniel P. Berrange
2009-02-12 15:43 ` [Qemu-devel] PATCH: 0/7: Support SASL authentication in VNC server Daniel P. Berrange
2009-02-14 22:17 ` Anthony Liguori
