From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from [140.186.70.92] (port=53473 helo=eggs.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1PFoT5-0003oZ-SB
	for qemu-devel@nongnu.org; Tue, 09 Nov 2010 08:42:55 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <kraxel@redhat.com>) id 1PFoSi-0002D9-UJ
	for qemu-devel@nongnu.org; Tue, 09 Nov 2010 08:42:35 -0500
Received: from mx1.redhat.com ([209.132.183.28]:54748)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <kraxel@redhat.com>) id 1PFoSi-0002Cx-NY
	for qemu-devel@nongnu.org; Tue, 09 Nov 2010 08:42:12 -0500
Received: from int-mx02.intmail.prod.int.phx2.redhat.com
	(int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])
	by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id oA9DgBKX024508
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
	for <qemu-devel@nongnu.org>; Tue, 9 Nov 2010 08:42:12 -0500
Message-ID: <4CD94FB0.2010509@redhat.com>
Date: Tue, 09 Nov 2010 14:42:08 +0100
From: Gerd Hoffmann <kraxel@redhat.com>
MIME-Version: 1.0
Subject: Re: [Qemu-devel] [PATCH 2/3] vnc: support password expire
References: <1286450121-17153-1-git-send-email-kraxel@redhat.com>	<1286450121-17153-3-git-send-email-kraxel@redhat.com>	<4CAE2521.2070500@codemonkey.ws>
	<20101008100841.GB9279@redhat.com> <4CCFF2CE.1040902@redhat.com>
In-Reply-To: <4CCFF2CE.1040902@redhat.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: "Daniel P. Berrange" <berrange@redhat.com>
Cc: qemu-devel@nongnu.org

On 11/02/10 12:15, Gerd Hoffmann wrote:
>   Hi,
>
>>> How does password expiration help with security at all?
>>
>> VNC passwords are obviously rather weak, so if you can limit
>> the time the password is valid to the window in which you
>> are expecting the incoming VNC connection this limits the
>> time to attack the VNC password. A mgmt tool could do
>>
>> - Set a VNC password
>> - Open the VNC connection
>> - Clear the VNC password
>>
>> If anything goes wrong in the mgmt tool at step 2 though,
>> then it may never to step 3, leaving the VNC server accessible.
>> If it had set a password expiry at step 1, it would have a
>> safety net that guarentees the password will be invalid after
>> 'n' seconds, even if not explicitly cleared. Given how little
>> code this is in QEMU, I think it is a worthwhile feature.
>
> Anthony? Do you agree? If so I have a updated tree to pull from for you
> (rebased to latest master, added sign-offs, otherwise unmodified).

[ ... ]

> are available in the git repository at:
> git://anongit.freedesktop.org/spice/qemu passwd.2

Ping?  What is the status here?

cheers,
   Gerd