From: Gerd Hoffmann <kraxel@redhat.com>
To: "Daniel P. Berrange" <berrange@redhat.com>
Cc: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH 2/3] vnc: support password expire
Date: Tue, 02 Nov 2010 12:15:26 +0100
Message-ID: <4CCFF2CE.1040902@redhat.com>
In-Reply-To: <20101008100841.GB9279@redhat.com>

   Hi,

>> How does password expiration help with security at all?
>
> VNC passwords are obviously rather weak, so if you can limit
> the time the password is valid to the window in which you
> are expecting the incoming VNC connection this limits the
> time to attack the VNC password. A mgmt tool could do
>
>    - Set a VNC password
>    - Open the VNC connection
>    - Clear the VNC password
>
> If anything goes wrong in the mgmt tool at step 2 though,
> then it may never get to step 3, leaving the VNC server accessible.
> If it had set a password expiry at step 1, it would have a
> safety net that guarantees the password will be invalid after
> 'n' seconds, even if not explicitly cleared. Given how little
> code this is in QEMU, I think it is a worthwhile feature.

Anthony?  Do you agree?  If so I have an updated tree to pull from for
you (rebased to latest master, added sign-offs, otherwise unmodified).

thanks,
   Gerd

The following changes since commit 7d72e76228351d18a856f1e4f5365b59d3205dc3:

   intel-hda: documentation update (2010-11-02 00:41:04 +0300)

are available in the git repository at:
   git://anongit.freedesktop.org/spice/qemu passwd.2

Gerd Hoffmann (3):
       vnc: auth reject cleanup
       vnc: support password expire
       vnc/spice: add set_passwd monitor command.

  console.h       |    2 +-
  hmp-commands.hx |   23 ++++++++++++++++++++
  monitor.c       |   61 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
  ui/qemu-spice.h |    3 ++
  ui/spice-core.c |    7 ++++++
  ui/vnc.c        |   43 +++++++++++++++++++++++---------------
  ui/vnc.h        |    1 +
  7 files changed, 120 insertions(+), 20 deletions(-)
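
The safety-net argument quoted in this message, as an added example that is not part of the original mail and is not QEMU code: a toy model of the three-step management-tool workflow in which step 2 fails, with and without a password expiry. `VncAuthState`, `open_console` and `exposure_after_failure` are hypothetical names, the clock is injected, and the password check is a plain comparison rather than the VNC challenge-response.

```python
import hmac


class VncAuthState:
    """Toy model of a server's VNC password state (hypothetical, not QEMU code)."""

    def __init__(self, clock):
        self.clock = clock      # callable returning the current time in seconds
        self.password = None    # None: no password set, every login is rejected
        self.expires = None     # None: the password never expires

    def set_password(self, password, valid_for=None):
        self.password = password
        self.expires = None if valid_for is None else self.clock() + valid_for

    def clear_password(self):
        self.password = None
        self.expires = None

    def check(self, attempt):
        if self.password is None:
            return False
        # The expiry is evaluated on every attempt, independent of the mgmt tool.
        if self.expires is not None and self.clock() >= self.expires:
            return False
        # Simplification: real VNC auth is challenge-response, not a direct compare.
        return hmac.compare_digest(attempt.encode(), self.password.encode())


def open_console(state, connect, password, valid_for=None):
    """Steps 1-3 from the mail; step 3 is skipped if step 2 raises."""
    state.set_password(password, valid_for)  # step 1: set a VNC password
    connect()                                # step 2: open the VNC connection
    state.clear_password()                   # step 3: clear the VNC password


def exposure_after_failure(valid_for, probe_at):
    """True if the password still works probe_at seconds after step 2 failed."""
    now = [0.0]
    state = VncAuthState(lambda: now[0])

    def failing_connect():
        raise RuntimeError("constructed failure in the management tool")

    try:
        open_console(state, failing_connect, "s3cret", valid_for)
    except RuntimeError:
        pass                                 # tool died, step 3 never ran
    now[0] = probe_at
    return state.check("s3cret")
```
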
