From: Anthony Liguori <anthony@codemonkey.ws>
To: George Wilson <gcwilson@us.ibm.com>
Cc: Paul Moore <pmoore@redhat.com>, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] vnc: disable VNC password authentication (security type 2) when in FIPS mode
Date: Tue, 01 May 2012 18:45:47 -0500 [thread overview]
Message-ID: <4FA075AB.5000002@codemonkey.ws> (raw)
In-Reply-To: <OF147BC4EA.478FD40F-ON862579F1.0081078A-862579F1.00824EAB@us.ibm.com>
On 05/01/2012 06:43 PM, George Wilson wrote:
>
> Anthony Liguori<anthony@codemonkey.ws> wrote on 05/01/2012 06:26:05 PM:
>
>> Anthony Liguori<anthony@codemonkey.ws>
>> 05/01/2012 06:26 PM
>>
>> To
>>
>> Paul Moore<pmoore@redhat.com>
>>
>> cc
>>
>> qemu-devel@nongnu.org, George Wilson/Austin/IBM@IBMUS
>>
>> Subject
>>
>> Re: [Qemu-devel] [PATCH] vnc: disable VNC password authentication
>> (security type 2) when in FIPS mode
>>
>> On 05/01/2012 04:20 PM, Paul Moore wrote:
>>> FIPS 140-2 requires disabling certain ciphers, including DES, which is
> used
>>> by VNC to obscure passwords when they are sent over the network. The
>>> solution for FIPS users is to disable the use of VNC password auth when
> the
>>> host system is operating in FIPS mode.
>>
>> Sorry, what?
>>
>> Does FIPS really require software to detect when FIPS is enabled
> andactively
>> disable features??? That's absurd.
>>
>> Can you point to another software package that does something like this?
>
> Yes, it's true that only FIPS-approved algorithms are permitted for use in
> FIPS
> mode. The kernel and all other FIPS 140-2 validated crypto modules like
> OpenSSL
> and NSS are required to restrict algorithms to the approved set. The
> kernel
> sets /proc/sys/crypto/fips_enabled so that programs can detect FIPS mode
> and
> behave in accordance with the standard.
But this is nonsensical. It would allow no-password to be configured for the VNC
server but not DES? Why is that okay? It's not like we enable DES passwords by
default. A user has to explicitly configure it.
Is there an open source app that actually keys off of fips_enabled?
Regards,
Anthony Liguori
>
>>
>> Regards,
>>
>> Anthony Liguori
>>
>>>
>>> This patch causes qemu to emits a syslog entry indicating that VNC
> password
>>> auth is disabled when it detects the host is running in FIPS mode, and
>>> unless a VNC password was specified on the command line it continues
>>> normally. However, if a VNC password was given on the command line,
> qemu
>>> fails with an error message to stderr explaining that that VNC password
>>> auth is not allowed in FIPS mode.
>>>
>>> Signed-off-by: Paul Moore<pmoore@redhat.com>
>>> ---
>>> qemu-doc.texi | 8 +++++---
>>> ui/vnc.c | 32 ++++++++++++++++++++++++++++++++
>>> ui/vnc.h | 1 +
>>> 3 files changed, 38 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/qemu-doc.texi b/qemu-doc.texi
>>> index e5d7ac4..f9b113e 100644
>>> --- a/qemu-doc.texi
>>> +++ b/qemu-doc.texi
>>> @@ -1124,9 +1124,11 @@ the protocol limits passwords to 8
>> characters it should not be considered
>>> to provide high security. The password can be fairly easily
>> brute-forced by
>>> a client making repeat connections. For this reason, a VNC
>> server using password
>>> authentication should be restricted to only listen on the
>> loopback interface
>>> -or UNIX domain sockets. Password authentication is requested with
>> the @code{password}
>>> -option, and then once QEMU is running the password is set with
>> the monitor. Until
>>> -the monitor is used to set the password all clients will be rejected.
>>> +or UNIX domain sockets. Password authentication is not supported
>> when operating
>>> +in FIPS 140-2 compliance mode as it requires the use of the DES
>> cipher. Password
>>> +authentication is requested with the @code{password} option, and
>> then once QEMU
>>> +is running the password is set with the monitor. Until the
>> monitor is used to
>>> +set the password all clients will be rejected.
>>>
>>> @example
>>> qemu [...OPTIONS...] -vnc :1,password -monitor stdio
>>> diff --git a/ui/vnc.c b/ui/vnc.c
>>> index deb9ecd..620791e 100644
>>> --- a/ui/vnc.c
>>> +++ b/ui/vnc.c
>>> @@ -32,6 +32,7 @@
>>> #include "acl.h"
>>> #include "qemu-objects.h"
>>> #include "qmp-commands.h"
>>> +#include<syslog.h>
>>>
>>> #define VNC_REFRESH_INTERVAL_BASE 30
>>> #define VNC_REFRESH_INTERVAL_INC 50
>>> @@ -48,6 +49,24 @@ static DisplayChangeListener *dcl;
>>> static int vnc_cursor_define(VncState *vs);
>>> static void vnc_release_modifiers(VncState *vs);
>>>
>>> +static int fips_enabled(void)
>>> +{
>>> + int enabled = 0;
>>> + char value;
>>> + FILE *fds;
>>> +
>>> + fds = fopen("/proc/sys/crypto/fips_enabled", "r");
>>> + if (fds == NULL) {
>>> + return 0;
>>> + }
>>> + if (fread(&value, sizeof(value), 1, fds) == 1&& value == '1') {
>>> + enabled = 1;
>>> + }
>>> + fclose(fds);
>>> +
>>> + return enabled;
>>> +}
>>> +
>>> static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
>>> {
>>> #ifdef _VNC_DEBUG
>>> @@ -2748,6 +2767,12 @@ void vnc_display_init(DisplayState *ds)
>>> dcl->idle = 1;
>>> vnc_display = vs;
>>>
>>> + vs->fips = fips_enabled();
>>> + VNC_DEBUG("FIPS mode %s\n", (vs->fips ? "enabled" : "disabled"));
>>> + if (vs->fips) {
>>> + syslog(LOG_NOTICE, "Disabling VNC password auth due to
>> FIPS mode\n");
>>> + }
>>> +
>>> vs->lsock = -1;
>>>
>>> vs->ds = ds;
>>> @@ -2892,6 +2917,13 @@ int vnc_display_open(DisplayState *ds,
>> const char *display)
>>> while ((options = strchr(options, ','))) {
>>> options++;
>>> if (strncmp(options, "password", 8) == 0) {
>>> + if (vs->fips) {
>>> + fprintf(stderr,
>>> + "VNC password auth disabled due to FIPS mode
> \n");
>>> + g_free(vs->display);
>>> + vs->display = NULL;
>>> + return -1;
>>> + }
>>> password = 1; /* Require password auth */
>>> } else if (strncmp(options, "reverse", 7) == 0) {
>>> reverse = 1;
>>> diff --git a/ui/vnc.h b/ui/vnc.h
>>> index a851ebd..8746a98 100644
>>> --- a/ui/vnc.h
>>> +++ b/ui/vnc.h
>>> @@ -160,6 +160,7 @@ struct VncDisplay
>>> char *display;
>>> char *password;
>>> time_t expires;
>>> + int fips;
>>> int auth;
>>> bool lossy;
>>> bool non_adaptive;
>>>
>>>
>>>
>>
>
> Regards,
> George Wilson
next prev parent reply other threads:[~2012-05-01 23:45 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-05-01 21:20 [Qemu-devel] [PATCH] vnc: disable VNC password authentication (security type 2) when in FIPS mode Paul Moore
2012-05-01 22:54 ` Andreas Färber
2012-05-02 10:28 ` Christoph Hellwig
2012-05-02 11:05 ` Daniel P. Berrange
2012-05-02 15:45 ` Paul Moore
2012-05-01 23:26 ` Anthony Liguori
2012-05-01 23:43 ` George Wilson
2012-05-01 23:45 ` Anthony Liguori [this message]
2012-05-02 0:17 ` George Wilson
2012-05-02 9:29 ` Daniel P. Berrange
2012-05-02 9:16 ` Daniel P. Berrange
2012-05-02 9:18 ` Daniel P. Berrange
2012-05-02 15:50 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4FA075AB.5000002@codemonkey.ws \
--to=anthony@codemonkey.ws \
--cc=gcwilson@us.ibm.com \
--cc=pmoore@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.