From: "Daniel P. Berrange" <berrange@redhat.com>
To: Luiz Capitulino <lcapitulino@redhat.com>
Cc: Kevin Wolf <kwolf@redhat.com>,
Anthony Liguori <aliguori@us.ibm.com>,
qemu-devel@nongnu.org, Michael Roth <mdroth@linux.vnet.ibm.com>
Subject: Re: [Qemu-devel] [PATCH 12/15] qapi: add change-vnc-listen (v2)
Date: Mon, 12 Sep 2011 10:17:21 +0100
Message-ID: <20110912091721.GA2523@redhat.com>
In-Reply-To: <20110902175005.49784ffc@doriath>

On Fri, Sep 02, 2011 at 05:50:05PM -0300, Luiz Capitulino wrote:
> On Fri, 2 Sep 2011 12:34:55 -0500
> Anthony Liguori <aliguori@us.ibm.com> wrote:
>
> > New QMP only command to change the VNC server's listening address.
> >
> > Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
> > ---
> > v1 -> v2
> > - Enhanced docs (Luiz)
> > ---
> > qapi-schema.json | 15 +++++++++++++++
> > qmp-commands.hx | 8 ++++++++
> > qmp.c | 7 +++++++
> > 3 files changed, 30 insertions(+), 0 deletions(-)
> >
> > diff --git a/qapi-schema.json b/qapi-schema.json
> > index 350cf1c..0c6c9b8 100644
> > --- a/qapi-schema.json
> > +++ b/qapi-schema.json
> > @@ -109,3 +109,18 @@
> > # string. Existing clients are unaffected by executing this command.
> > ##
> > { 'command': 'change-vnc-password', 'data': {'password': 'str'} }
> > +
> > +##
> > +# @change-vnc-listen:
> > +#
> > +# Change the host that the VNC server listens on.
> > +#
> > +# @target: the new server specification to listen on
> > +#
> > +# Since: 1.0
> > +#
> > +# Notes: At this moment in time, the behavior of existing client connections
> > +# when this command is executed is undefined. The authentication
> > +# settings may change after executing this command.
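
Review bot: The Notes paragraph of the new @change-vnc-listen doc comment says only that the authentication settings "may change", so a caller cannot tell what auth state the server is in once it starts listening on the new address. State the resulting auth state exactly, or define the command so that it leaves auth untouched. The same paragraph leaves the behavior of existing client connections undefined, and the @target line says "server specification" without naming the accepted syntax; both should be pinned down before the command becomes part of the schema.
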
>
> It seems to completely disable authentication. At least when using
> password auth. I'd be very clear about that.

That is really bad, since even if we have another command to set the
authentication mode, this creates a designed-in race condition. To be
securely race-free, we need to be able to set the desired auth mode
first, and then change the listen address without it affecting auth.

   change-vnc-auth tls
   change-vnc-listen 123.2.3.5:5901

If we really want vnc-listen to have possible side-effects on auth,
then we need to be able to put the VNC server in an offline mode
while making a sequence of configuration changes, e.g. something like

   change-vnc-status offline
   change-vnc-listen 123.2.3.5:5901
   change-vnc-auth tls
   change-vnc-status online

No incoming client connections would be allowed while it is offline.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
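
The ordering argument in the reply above, as an added example that is not part of the original message and not QEMU code: a small Python model in which `change-vnc-listen` resets auth (the side effect Luiz reports), stepping through each command sequence and recording every point at which the server is online with no authentication. The class, the `vnc`/`none` mode labels and the starting address are assumptions; `change-vnc-auth` and `change-vnc-status` are the hypothetical commands proposed in the reply.

```python
from dataclasses import dataclass

@dataclass
class VncModel:
    """Toy model of the VNC server state in the thread (not QEMU code)."""
    listen: str = "127.0.0.1:5900"   # constructed starting address
    auth: str = "vnc"                # constructed label for password auth
    online: bool = True
    listen_resets_auth: bool = True  # side effect Luiz reports for the patch

    def apply(self, command, arg):
        if command == "change-vnc-listen":
            self.listen = arg
            if self.listen_resets_auth:
                self.auth = "none"   # constructed label for "no auth"
        elif command == "change-vnc-auth":      # hypothetical, from the reply
            self.auth = arg
        elif command == "change-vnc-status":    # hypothetical, from the reply
            self.online = (arg == "online")
        else:
            raise ValueError(f"unknown command: {command}")

    def exposed(self):
        """True when a client could connect without authenticating."""
        return self.online and self.auth == "none"

def exposure_windows(sequence, listen_resets_auth=True):
    """Apply commands in order; return (commands after which the server
    was exposed, final model). Each entry is a window a client could hit."""
    model = VncModel(listen_resets_auth=listen_resets_auth)
    windows = []
    for command, arg in sequence:
        model.apply(command, arg)
        if model.exposed():
            windows.append(command)
    return windows, model

NEW_ADDR = "123.2.3.5:5901"  # address used in the reply
LISTEN_THEN_AUTH = [("change-vnc-listen", NEW_ADDR), ("change-vnc-auth", "tls")]
AUTH_THEN_LISTEN = [("change-vnc-auth", "tls"), ("change-vnc-listen", NEW_ADDR)]
OFFLINE_BRACKET = [("change-vnc-status", "offline")] + LISTEN_THEN_AUTH \
    + [("change-vnc-status", "online")]

if __name__ == "__main__":
    for name, seq in [("listen, then auth", LISTEN_THEN_AUTH),
                      ("auth, then listen", AUTH_THEN_LISTEN),
                      ("offline bracket", OFFLINE_BRACKET)]:
        windows, final = exposure_windows(seq)
        print(f"{name}: exposed after {windows or 'nothing'}, final auth={final.auth}")
```

Passing `listen_resets_auth=False` models the first proposal in the reply, where the listen change has no effect on auth and setting auth first is enough.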