Re: Monitor commands related to display server passwords

[Markus Armbruster <armbru@redhat.com>]

Daniel P. Berrangé <berrange@redhat.com> writes:

> On Wed, Nov 30, 2022 at 09:02:56AM +0100, Markus Armbruster wrote:
>> We have a couple of password-related commands, and I'm not sure about
>> which ones should be used.  In order of appearance:
>> 
>> * HMP change vnc
>> 
>>   Change a VNC server password.  Unlike set_password below, there's no
>>   way to select a display other than the first.
>> 
>>   Note: if change's second argument isn't "vnc", w're changing removable
>>   media.  If you call your block device "vnc", you cannot change its
>>   media.  Hilarious.
>
> Note, QMP equivalent is blockdev-change-medium, which is an wrapper
> around a blockdev-open-tray/remove-medium/insert-medium/close-tray
> sequence.  'change <blockdev>' maps to this.

Yes.

> If you call your blockdev 'vnc' you're not getting sympathy
> from me ;-P But seriously, I agree with your point.
>
>>   Password prompting (with hidden user input) since commit 7084851534
>>   "VNC password authentication, by Daniel P. Berrange." (v0.9.1,
>>   2007-08-25).
>> 
>>   Password argument since commit 2569da0cb6 "Accept password as an
>>   argument to 'change vnc password' monitor command (Chris Webb)"
>>   (v0.10.0, 2008-12-10).
>> 
>>   Nowadays, this wraps around QMP change-vnc-password, discussed below.
>
>> * HMP and QMP set_password, expire_password
>> 
>>   Change a VNC or Spice server password.  For Spice, can optionally fail
>>   when connections exist, or disconnect them.
>> 
>>   HMP commands wrap around the respective QMP command, as they should.
>> 
>>   HMP set_password does not support password prompting like "change vnc"
>>   does.
>> 
>>   Commands are present even when both CONFIG_VNC and CONFIG_SPICE are
>>   off.  Attempts to use them are rejected manually.  Defeats
>>   introspection.
>> 
>>   Since commit 7572150c18 "vnc/spice: add set_passwd monitor command."
>>   (v0.14.0, 2010-12-09)
>> 
>>   Support for VNC displays other than the first since commit 675fd3c96b
>>   "qapi/monitor: allow VNC display id in set/expire_password" (v7.0.0,
>>   2022-03-02).
>> 
>> * QMP change-vnc-password
>> 
>>   Can only target the first VNC display, unlike set_password.
>> 
>>   Command present only with CONFIG_VNC.
>> 
>>   Since commit 270b243f91 "qapi: Introduce change-vnc-password" (v1.1,
>>   2012-01-18).
>
> IIRC, this was designed as a 1-1 mapping to replace the QMP
> 'change vnc' command, except it was obviously redundant
> since we had already added 'set_passwd' by that point. I
> vaguely recall this was all just an oversight on part of
> author and reviewers. 

Happens.

>> Do we really need / want both set_password and change-vnc-password in
>> QMP?
>
> Nope.
>
>> On the one hand, set_password feels outdated from a QAPI point of view:
>> it violates the naming rules, and it defeats introspection.  On the
>> other hand, it's more powerful.
>> 
>> Do we really need / want both set_password and "change vnc" in HMP?
>> set_password is more powerful, but only "change vnc" supports password
>> prompting.
>> 
>> Getting rid of "change vnc" would fix the "cannot change media for block
>> device named 'vnc'" wart.
>
>> Related: QCryptoSecret objects.
>
> snip
>
>> Currently used by various block backends and the tls-creds-x509 object.
>> 
>> Would it make sense with display servers, too?
>
> In 6.0 I introduced support for 'password-secret' to SPICE and VNC
> command line.
>
> I don't know why, but I only deprecated 'password' in SPICE and
> not in VNC.

I figure you mean

    ``-spice password=string`` (since 6.0)
    ''''''''''''''''''''''''''''''''''''''

    This option is insecure because the SPICE password remains visible in
    the process listing. This is replaced by the new ``password-secret``
    option which lets the password be securely provided on the command
    line using a ``secret`` object instance.

and -vnc password=...

There's also -iscsi password=..., and possibly more.

> I didn't wire up any QMP commands todo live password changes. If
> the display was already configured with 'password-secret', you
> could delete and re-create the existing named secret object
> using object-add/object-del, since we fetch the secret value
> on every auth check.

Is this behavior documented?

> There's no way to change from password-off to password-on mode
> and vica-verca.
>
> Also no way to change other things like expiry time,
>
> We since gained the 'display-update' command, which could be
> extended to allow change expiry time, and turning on/off
> use of passwords, and even changing what 'secret' they
> point to.
>
> So overall I say
>
>  * Deprecate VNC 'password' option
>  * Deprecated QMP and HMP commands for changing VNC/SPICE
>    password
>  * Extend 'display-update' other other misc live changes

Makes sense.

Of course, we can deprecate the old commands for changing passwords only
after we extended display-update to replace them.