public inbox for kvm@vger.kernel.org
From: "Daniel P. Berrange" <berrange-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: Yellis Services <www-dnGHPjz5XwqsTnJN9+BGXg@public.gmane.org>
Cc: kvm-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
Subject: Re: qemu vnc auth
Date: Tue, 30 Jan 2007 13:25:43 +0000
Message-ID: <20070130132543.GA18642@redhat.com>
In-Reply-To: <1c9701c74466$a2933da0$0100a8c0@manu>

On Tue, Jan 30, 2007 at 01:03:20PM +0100, Yellis Services wrote:
> Hello,
> 
> I have adapted a xen patch to kvm-qemu.
> This patch enables auth in vnc
> 
> qemu ../.. -hda=/home/os.img -vnc -vncpasswd toto
> 
> Works with vncviewer on linux and Win.
> Doesn't work with vncviewer applet via http, must be fixed.

Passing passwords around on the command line is not really a viable
implementation because they can trivially be snooped by any user
on the system. Likewise environment variables are not suitable.

I suggest two approaches:

 1. Pass the name of a file containing the password on the command
    line. QEMU can then read the password from this file. This is
    the approach taken by the regular VNC server - eg it stores a
    passwd in $HOME/.vnc/passwd. This passwd file can be chmod 0600
    to secure it from other users. This is useful for a user who
    is launching qemu processes manually and wants to make them all
    use a single passwd.

     qemu ../.. -hda=/home/os.img -vnc -vncpasswdfile /path/to/file

 2. Allow the password to be passed to the QEMU process via a file
    descriptor. This is useful if the QEMU process is being launched
    by some form of management process, letting the parent process
    easily control the password per-QEMU process without writing out
    a great many files.

     qemu ../.. -hda=/home/os.img -vnc -vncpasswdfd  7

So in fact I think it would be very useful to implement both approaches,
because they serve different use cases and I don't think there would be
too much code overhead in having both supported.

Aside from how you supply the initial password, the rest of the patch
looks good to me. It would probably be worthwhile posting this to 
upstream qemu-devel too, to avoid the need for a further KVM-specific fork
of the codebase.

Regards,
Dan
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 


Thread overview: 4+ messages
2007-01-30 12:03 qemu vnc auth Yellis Services
2007-01-30 13:05 ` Avi Kivity
     [not found]   ` <45BF42A6.5090505-atKUWr5tajBWk0Htik3J/w@public.gmane.org>
2007-01-30 15:04     ` Anthony Liguori
2007-01-30 13:25 ` Daniel P. Berrange [this message]
