From: Anthony Liguori <anthony@codemonkey.ws>
To: Paul Moore <pmoore@redhat.com>
Cc: Roman Drahtmueller <draht@suse.de>,
Alexander Graf <agraf@suse.de>,
qemu-devel Developers <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode
Date: Wed, 06 Jun 2012 07:07:03 +0800 [thread overview]
Message-ID: <4FCE9117.7080908@codemonkey.ws> (raw)
In-Reply-To: <58221974.kN8gObynPi@sifl>
On 06/06/2012 06:06 AM, Paul Moore wrote:
> On Tuesday, June 05, 2012 11:51:40 PM Alexander Graf wrote:
>> On 05.06.2012, at 23:45, Paul Moore wrote:
>>> On Tuesday, June 05, 2012 03:08:26 AM Alexander Graf wrote:
>>>> Which gets me to a new idea. Why not exit(1) when we detect FIPS and a
>>>> password is set? I agree with the assessment that we should never
>>>> silently drop features. So the best way to make sure that the user knows
>>>> he did something stupid (enable FIPS, but require a non-FIPS compliant
>>>> authentication method) would be to just quit, no?
>>>
>>> That is basically what the patch does now. In vnc_display_open() if it
>>> detects that the user has supplied a VNC password it prints an error to
>>> stderr and returns an error which causes QEMU to exit.
>>>
>>> The error message displayed is shown below:
>>>
>>> "VNC password auth disabled due to FIPS mode, consider using the VeNCrypt
>>> or SASL authentication methods as an alernative"
>>>
>>> ... which seems pretty obvious to me. If anyone would prefer something
>>> different, let me know.
>>
>> No, as long as the spelling is actually correct and not the one above,
>> that's perfectly fine.
>
> What, not a fan of my "alernative" spelling? Fixed in the next version of the
> patch :)
>
>> I just have a habit of not reading the patches I comment on :).
>
> If nothing else, it makes the discussions much more interesting :)
>
>>> On Tuesday, June 05, 2012 09:23:04 AM Anthony Liguori wrote:
>>>> I think my primary requirement is: allow a user to use vnc authentication
>>>> even when fips mode is active by using some command line option.
>>>
>>> I'll agree that FIPS mode can be a bit silly in the case of QEMU and VNC
>>> but to be honest, that requirement above seems just as silly to me, if
>>> not more so. However, if making this behavior optional is what it takes
>>> to get the patch accepted, so be it.
>>>
>>> I'll start working on v4 of the patch tomorrow.
>>
>> Let's just wait for Anthony to reply ...
>
> Fine with me, I've got plenty else to do in the meantime and I don't think
> this is 1.1 material anyway.
What's the actual requirement from FIPS for applications?
Regards,
Anthony Liguori
next prev parent reply other threads:[~2012-06-05 23:07 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-05-02 19:32 [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode Paul Moore
2012-05-03 8:29 ` Daniel P. Berrange
2012-05-03 8:51 ` Alexander Graf
2012-05-03 8:57 ` Daniel P. Berrange
2012-05-03 9:01 ` Alexander Graf
2012-05-03 9:03 ` Daniel P. Berrange
2012-05-03 9:06 ` Alexander Graf
2012-05-03 9:09 ` Daniel P. Berrange
2012-05-03 9:11 ` Alexander Graf
2012-05-03 20:58 ` Paul Moore
2012-05-03 9:04 ` Alexander Graf
2012-05-03 20:51 ` Paul Moore
2012-05-03 14:54 ` Alexander Graf
2012-05-03 20:54 ` Paul Moore
2012-05-04 2:01 ` Roman Drahtmueller
2012-05-04 12:39 ` Paul Moore
2012-05-04 12:42 ` Daniel P. Berrange
2012-06-03 0:55 ` Anthony Liguori
2012-06-04 18:16 ` Paul Moore
2012-06-04 23:11 ` Anthony Liguori
2012-06-04 23:17 ` Alexander Graf
2012-06-04 23:54 ` Anthony Liguori
2012-06-05 0:55 ` Alexander Graf
2012-06-05 1:03 ` Anthony Liguori
2012-06-05 1:08 ` Alexander Graf
2012-06-05 1:23 ` Anthony Liguori
2012-06-05 1:29 ` Alexander Graf
2012-06-05 7:23 ` Gerd Hoffmann
2012-06-05 21:45 ` Paul Moore
2012-06-05 21:51 ` Alexander Graf
2012-06-05 22:06 ` Paul Moore
2012-06-05 23:07 ` Anthony Liguori [this message]
2012-06-05 23:56 ` Alexander Graf
2012-06-06 22:56 ` Paul Moore
2012-06-07 3:10 ` Anthony Liguori
2012-06-07 10:31 ` Alexander Graf
2012-06-07 13:21 ` Paul Moore
2012-06-08 21:37 ` Paul Moore
2012-06-11 13:33 ` Roman Drahtmueller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4FCE9117.7080908@codemonkey.ws \
--to=anthony@codemonkey.ws \
--cc=agraf@suse.de \
--cc=draht@suse.de \
--cc=pmoore@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.