From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Markus Armbruster <armbru@redhat.com>
Cc: qemu-devel@nongnu.org, Gerd Hoffmann <kraxel@redhat.com>
Subject: Re: Monitor commands related to display server passwords
Date: Wed, 30 Nov 2022 09:03:03 +0000 [thread overview]
Message-ID: <Y4ccR2d2GUHpmHwx@redhat.com> (raw)
In-Reply-To: <87mt88oonj.fsf@pond.sub.org>
On Wed, Nov 30, 2022 at 09:02:56AM +0100, Markus Armbruster wrote:
> We have a couple of password-related commands, and I'm not sure about
> which ones should be used. In order of appearance:
>
> * HMP change vnc
>
> Change a VNC server password. Unlike set_password below, there's no
> way to select a display other than the first.
>
> Note: if change's second argument isn't "vnc", w're changing removable
> media. If you call your block device "vnc", you cannot change its
> media. Hilarious.
Note, QMP equivalent is blockdev-change-medium, which is an wrapper
around a blockdev-open-tray/remove-medium/insert-medium/close-tray
sequence. 'change <blockdev>' maps to this.
If you call your blockdev 'vnc' you're not getting sympathy
from me ;-P But seriously, I agree with your point.
> Password prompting (with hidden user input) since commit 7084851534
> "VNC password authentication, by Daniel P. Berrange." (v0.9.1,
> 2007-08-25).
>
> Password argument since commit 2569da0cb6 "Accept password as an
> argument to 'change vnc password' monitor command (Chris Webb)"
> (v0.10.0, 2008-12-10).
>
> Nowadays, this wraps around QMP change-vnc-password, discussed below.
> * HMP and QMP set_password, expire_password
>
> Change a VNC or Spice server password. For Spice, can optionally fail
> when connections exist, or disconnect them.
>
> HMP commands wrap around the respective QMP command, as they should.
>
> HMP set_password does not support password prompting like "change vnc"
> does.
>
> Commands are present even when both CONFIG_VNC and CONFIG_SPICE are
> off. Attempts to use them are rejected manually. Defeats
> introspection.
>
> Since commit 7572150c18 "vnc/spice: add set_passwd monitor command."
> (v0.14.0, 2010-12-09)
>
> Support for VNC displays other than the first since commit 675fd3c96b
> "qapi/monitor: allow VNC display id in set/expire_password" (v7.0.0,
> 2022-03-02).
>
> * QMP change-vnc-password
>
> Can only target the first VNC display, unlike set_password.
>
> Command present only with CONFIG_VNC.
>
> Since commit 270b243f91 "qapi: Introduce change-vnc-password" (v1.1,
> 2012-01-18).
IIRC, this was designed as a 1-1 mapping to replace the QMP
'change vnc' command, except it was obviously redundant
since we had already added 'set_passwd' by that point. I
vaguely recall this was all just an oversight on part of
author and reviewers.
> Do we really need / want both set_password and change-vnc-password in
> QMP?
Nope.
> On the one hand, set_password feels outdated from a QAPI point of view:
> it violates the naming rules, and it defeats introspection. On the
> other hand, it's more powerful.
>
> Do we really need / want both set_password and "change vnc" in HMP?
> set_password is more powerful, but only "change vnc" supports password
> prompting.
>
> Getting rid of "change vnc" would fix the "cannot change media for block
> device named 'vnc'" wart.
> Related: QCryptoSecret objects.
snip
> Currently used by various block backends and the tls-creds-x509 object.
>
> Would it make sense with display servers, too?
In 6.0 I introduced support for 'password-secret' to SPICE and VNC
command line.
I don't know why, but I only deprecated 'password' in SPICE and
not in VNC.
I didn't wire up any QMP commands todo live password changes. If
the display was already configured with 'password-secret', you
could delete and re-create the existing named secret object
using object-add/object-del, since we fetch the secret value
on every auth check.
There's no way to change from password-off to password-on mode
and vica-verca.
Also no way to change other things like expiry time,
We since gained the 'display-update' command, which could be
extended to allow change expiry time, and turning on/off
use of passwords, and even changing what 'secret' they
point to.
So overall I say
* Deprecate VNC 'password' option
* Deprecated QMP and HMP commands for changing VNC/SPICE
password
* Extend 'display-update' other other misc live changes
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2022-11-30 9:03 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-30 8:02 Monitor commands related to display server passwords Markus Armbruster
2022-11-30 9:03 ` Daniel P. Berrangé [this message]
2022-11-30 13:25 ` Markus Armbruster
2022-11-30 13:29 ` Daniel P. Berrangé
2022-12-01 6:48 ` Markus Armbruster
2022-12-01 9:20 ` Daniel P. Berrangé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y4ccR2d2GUHpmHwx@redhat.com \
--to=berrange@redhat.com \
--cc=armbru@redhat.com \
--cc=kraxel@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.