[Qemu-devel] [PATCH 2/3] vnc: support password expire

[Qemu-devel] [PATCH 2/3] vnc: support password expire

[Gerd Hoffmann]

This patch adds support for expiring passwords to vnc.  It adds a new
lifetime parameter to the vnc_display_password() function, which
specifies the number of seconds the new password will be valid.  Passing
zero as lifetime maintains current behavior (password never expires).

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 console.h |    2 +-
 monitor.c |    3 +--
 ui/vnc.c  |   15 ++++++++++++++-
 ui/vnc.h  |    1 +
 4 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/console.h b/console.h
index aafb031..24670e5 100644
--- a/console.h
+++ b/console.h
@@ -368,7 +368,7 @@ void cocoa_display_init(DisplayState *ds, int full_screen);
 void vnc_display_init(DisplayState *ds);
 void vnc_display_close(DisplayState *ds);
 int vnc_display_open(DisplayState *ds, const char *display);
-int vnc_display_password(DisplayState *ds, const char *password);
+int vnc_display_password(DisplayState *ds, const char *password, int lifetime);
 void do_info_vnc_print(Monitor *mon, const QObject *data);
 void do_info_vnc(Monitor *mon, QObject **ret_data);
 char *vnc_display_local_addr(DisplayState *ds);
diff --git a/monitor.c b/monitor.c
index fbb678d..d82eb9e 100644
--- a/monitor.c
+++ b/monitor.c
@@ -966,11 +966,10 @@ static int do_quit(Monitor *mon, const QDict *qdict, QObject **ret_data)
 
 static int change_vnc_password(const char *password)
 {
-    if (vnc_display_password(NULL, password) < 0) {
+    if (vnc_display_password(NULL, password, 0) < 0) {
         qerror_report(QERR_SET_PASSWD_FAILED);
         return -1;
     }
-
     return 0;
 }
 
diff --git a/ui/vnc.c b/ui/vnc.c
index 1ef0fc5..51aa9ca 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2078,11 +2078,19 @@ static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
     unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
     int i, j, pwlen;
     unsigned char key[8];
+    time_t now;
 
     if (!vs->vd->password || !vs->vd->password[0]) {
         VNC_DEBUG("No password configured on server");
         goto reject;
     }
+    if (vs->vd->expires) {
+        time(&now);
+        if (vs->vd->expires < now) {
+            VNC_DEBUG("Password is expired");
+            goto reject;
+        }
+    }
 
     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
 
@@ -2474,7 +2482,7 @@ void vnc_display_close(DisplayState *ds)
 #endif
 }
 
-int vnc_display_password(DisplayState *ds, const char *password)
+int vnc_display_password(DisplayState *ds, const char *password, int lifetime)
 {
     VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
 
@@ -2492,6 +2500,11 @@ int vnc_display_password(DisplayState *ds, const char *password)
         if (vs->auth == VNC_AUTH_NONE) {
             vs->auth = VNC_AUTH_VNC;
         }
+        if (lifetime) {
+            vs->expires = time(NULL) + lifetime;
+        } else {
+            vs->expires = 0;
+        }
     } else {
         vs->auth = VNC_AUTH_NONE;
     }
diff --git a/ui/vnc.h b/ui/vnc.h
index 9619b24..4f895be 100644
--- a/ui/vnc.h
+++ b/ui/vnc.h
@@ -120,6 +120,7 @@ struct VncDisplay
 
     char *display;
     char *password;
+    time_t expires;
     int auth;
     bool lossy;
 #ifdef CONFIG_VNC_TLS
-- 
1.7.1

Re: [Qemu-devel] [PATCH 2/3] vnc: support password expire

[Anthony Liguori]

On 10/07/2010 06:15 AM, Gerd Hoffmann wrote:
> This patch adds support for expiring passwords to vnc.  It adds a new
> lifetime parameter to the vnc_display_password() function, which
> specifies the number of seconds the new password will be valid.  Passing
> zero as lifetime maintains current behavior (password never expires).
>
> Signed-off-by: Gerd Hoffmann<kraxel@redhat.com>
>    

This has been posted before and I've never understood it.  Why can't a 
management tool just expire passwords on it's own?

How does password expiration help with security at all?

Regards,

Anthony Liguori

> ---
>   console.h |    2 +-
>   monitor.c |    3 +--
>   ui/vnc.c  |   15 ++++++++++++++-
>   ui/vnc.h  |    1 +
>   4 files changed, 17 insertions(+), 4 deletions(-)
>
> diff --git a/console.h b/console.h
> index aafb031..24670e5 100644
> --- a/console.h
> +++ b/console.h
> @@ -368,7 +368,7 @@ void cocoa_display_init(DisplayState *ds, int full_screen);
>   void vnc_display_init(DisplayState *ds);
>   void vnc_display_close(DisplayState *ds);
>   int vnc_display_open(DisplayState *ds, const char *display);
> -int vnc_display_password(DisplayState *ds, const char *password);
> +int vnc_display_password(DisplayState *ds, const char *password, int lifetime);
>   void do_info_vnc_print(Monitor *mon, const QObject *data);
>   void do_info_vnc(Monitor *mon, QObject **ret_data);
>   char *vnc_display_local_addr(DisplayState *ds);
> diff --git a/monitor.c b/monitor.c
> index fbb678d..d82eb9e 100644
> --- a/monitor.c
> +++ b/monitor.c
> @@ -966,11 +966,10 @@ static int do_quit(Monitor *mon, const QDict *qdict, QObject **ret_data)
>
>   static int change_vnc_password(const char *password)
>   {
> -    if (vnc_display_password(NULL, password)<  0) {
> +    if (vnc_display_password(NULL, password, 0)<  0) {
>           qerror_report(QERR_SET_PASSWD_FAILED);
>           return -1;
>       }
> -
>       return 0;
>   }
>
> diff --git a/ui/vnc.c b/ui/vnc.c
> index 1ef0fc5..51aa9ca 100644
> --- a/ui/vnc.c
> +++ b/ui/vnc.c
> @@ -2078,11 +2078,19 @@ static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
>       unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
>       int i, j, pwlen;
>       unsigned char key[8];
> +    time_t now;
>
>       if (!vs->vd->password || !vs->vd->password[0]) {
>           VNC_DEBUG("No password configured on server");
>           goto reject;
>       }
> +    if (vs->vd->expires) {
> +        time(&now);
> +        if (vs->vd->expires<  now) {
> +            VNC_DEBUG("Password is expired");
> +            goto reject;
> +        }
> +    }
>
>       memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
>
> @@ -2474,7 +2482,7 @@ void vnc_display_close(DisplayState *ds)
>   #endif
>   }
>
> -int vnc_display_password(DisplayState *ds, const char *password)
> +int vnc_display_password(DisplayState *ds, const char *password, int lifetime)
>   {
>       VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
>
> @@ -2492,6 +2500,11 @@ int vnc_display_password(DisplayState *ds, const char *password)
>           if (vs->auth == VNC_AUTH_NONE) {
>               vs->auth = VNC_AUTH_VNC;
>           }
> +        if (lifetime) {
> +            vs->expires = time(NULL) + lifetime;
> +        } else {
> +            vs->expires = 0;
> +        }
>       } else {
>           vs->auth = VNC_AUTH_NONE;
>       }
> diff --git a/ui/vnc.h b/ui/vnc.h
> index 9619b24..4f895be 100644
> --- a/ui/vnc.h
> +++ b/ui/vnc.h
> @@ -120,6 +120,7 @@ struct VncDisplay
>
>       char *display;
>       char *password;
> +    time_t expires;
>       int auth;
>       bool lossy;
>   #ifdef CONFIG_VNC_TLS
>    

Re: [Qemu-devel] [PATCH 2/3] vnc: support password expire

[Daniel P. Berrange]

On Thu, Oct 07, 2010 at 02:53:05PM -0500, Anthony Liguori wrote:
> On 10/07/2010 06:15 AM, Gerd Hoffmann wrote:
> >This patch adds support for expiring passwords to vnc.  It adds a new
> >lifetime parameter to the vnc_display_password() function, which
> >specifies the number of seconds the new password will be valid.  Passing
> >zero as lifetime maintains current behavior (password never expires).
> >
> >Signed-off-by: Gerd Hoffmann<kraxel@redhat.com>
> >   
> 
> This has been posted before and I've never understood it.  Why can't a 
> management tool just expire passwords on it's own?

If the management tool crashes or is restarted for some reason
then it may miss the expiry task. 

> How does password expiration help with security at all?

VNC passwords are obviously rather weak, so if you can limit
the time the password is valid to the window in which you
are expecting the incoming VNC connection this limits the
time to attack the VNC password. A mgmt tool could do

  - Set a VNC password
  - Open the VNC connection
  - Clear the VNC password

If anything goes wrong in the mgmt tool at step 2 though,
then it may never to step 3, leaving the VNC server accessible.
If it had set a password expiry at step 1, it would have a
safety net that guarentees the password will be invalid after
'n' seconds, even if not explicitly cleared. Given how little
code this is in QEMU, I think it is a worthwhile feature.

Regards,
Daniel
-- 
|: Red Hat, Engineering, London    -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org        -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

Re: [Qemu-devel] [PATCH 2/3] vnc: support password expire

[Gerd Hoffmann]

   Hi,

>> How does password expiration help with security at all?
>
> VNC passwords are obviously rather weak, so if you can limit
> the time the password is valid to the window in which you
> are expecting the incoming VNC connection this limits the
> time to attack the VNC password. A mgmt tool could do
>
>    - Set a VNC password
>    - Open the VNC connection
>    - Clear the VNC password
>
> If anything goes wrong in the mgmt tool at step 2 though,
> then it may never to step 3, leaving the VNC server accessible.
> If it had set a password expiry at step 1, it would have a
> safety net that guarentees the password will be invalid after
> 'n' seconds, even if not explicitly cleared. Given how little
> code this is in QEMU, I think it is a worthwhile feature.

Anthony?  Do you agree?  If so I have a updated tree to pull from for 
you (rebased to latest master, added sign-offs, otherwise unmodified).

thanks,
   Gerd

The following changes since commit 7d72e76228351d18a856f1e4f5365b59d3205dc3:

   intel-hda: documentation update (2010-11-02 00:41:04 +0300)

are available in the git repository at:
   git://anongit.freedesktop.org/spice/qemu passwd.2

Gerd Hoffmann (3):
       vnc: auth reject cleanup
       vnc: support password expire
       vnc/spice: add set_passwd monitor command.

  console.h       |    2 +-
  hmp-commands.hx |   23 ++++++++++++++++++++
  monitor.c       |   61 
+++++++++++++++++++++++++++++++++++++++++++++++++++++-
  ui/qemu-spice.h |    3 ++
  ui/spice-core.c |    7 ++++++
  ui/vnc.c        |   43 +++++++++++++++++++++++---------------
  ui/vnc.h        |    1 +
  7 files changed, 120 insertions(+), 20 deletions(-)

Re: [Qemu-devel] [PATCH 2/3] vnc: support password expire

[Gerd Hoffmann]

On 11/02/10 12:15, Gerd Hoffmann wrote:
>   Hi,
>
>>> How does password expiration help with security at all?
>>
>> VNC passwords are obviously rather weak, so if you can limit
>> the time the password is valid to the window in which you
>> are expecting the incoming VNC connection this limits the
>> time to attack the VNC password. A mgmt tool could do
>>
>> - Set a VNC password
>> - Open the VNC connection
>> - Clear the VNC password
>>
>> If anything goes wrong in the mgmt tool at step 2 though,
>> then it may never to step 3, leaving the VNC server accessible.
>> If it had set a password expiry at step 1, it would have a
>> safety net that guarentees the password will be invalid after
>> 'n' seconds, even if not explicitly cleared. Given how little
>> code this is in QEMU, I think it is a worthwhile feature.
>
> Anthony? Do you agree? If so I have a updated tree to pull from for you
> (rebased to latest master, added sign-offs, otherwise unmodified).

[ ... ]

> are available in the git repository at:
> git://anongit.freedesktop.org/spice/qemu passwd.2

Ping?  What is the status here?

cheers,
   Gerd

Re: [Qemu-devel] [PATCH 2/3] vnc: support password expire

[Anthony Liguori]

On 10/08/2010 05:08 AM, Daniel P. Berrange wrote:
> On Thu, Oct 07, 2010 at 02:53:05PM -0500, Anthony Liguori wrote:
>    
>> On 10/07/2010 06:15 AM, Gerd Hoffmann wrote:
>>      
>>> This patch adds support for expiring passwords to vnc.  It adds a new
>>> lifetime parameter to the vnc_display_password() function, which
>>> specifies the number of seconds the new password will be valid.  Passing
>>> zero as lifetime maintains current behavior (password never expires).
>>>
>>> Signed-off-by: Gerd Hoffmann<kraxel@redhat.com>
>>>
>>>        
>> This has been posted before and I've never understood it.  Why can't a
>> management tool just expire passwords on it's own?
>>      
> If the management tool crashes or is restarted for some reason
> then it may miss the expiry task.
>
>    
>> How does password expiration help with security at all?
>>      
> VNC passwords are obviously rather weak, so if you can limit
> the time the password is valid to the window in which you
> are expecting the incoming VNC connection this limits the
> time to attack the VNC password. A mgmt tool could do
>
>    - Set a VNC password
>    - Open the VNC connection
>    - Clear the VNC password
>
> If anything goes wrong in the mgmt tool at step 2 though,
> then it may never to step 3, leaving the VNC server accessible.
>    

I think the point is that you can expire the password by just changing 
it through the monitor.  Having an expiration policy builtin to QEMU (as 
opposed to libvirt) seems like the wrong place.

> If it had set a password expiry at step 1, it would have a
> safety net that guarentees the password will be invalid after
> 'n' seconds, even if not explicitly cleared. Given how little
> code this is in QEMU, I think it is a worthwhile feature.\
>    

It's a policy not a mechanism and I don't see a good reason to have the 
code in QEMU because it honestly is a policy for a specific product.  I 
don't think it's a strong enough policy that it's going to be seen as 
widely useful.

Regards,

Anthony Liguori

> Regards,
> Daniel
>    

Re: [Qemu-devel] [PATCH 2/3] vnc: support password expire

[Anthony Liguori]

On 11/09/2010 07:42 AM, Gerd Hoffmann wrote:
>> are available in the git repository at:
>> git://anongit.freedesktop.org/spice/qemu passwd.2
>
> Ping?  What is the status here?

My view is that it's wrong for QEMU because it's a specific management 
policy that isn't generally useful.  It can be easily implemented 
outside of QEMU.

Of course, if both you and Dan disagree strongly, since this is so 
little code, I'll leave the final decision up to you.

Regards,

Anthony Liguori

> cheers,
>   Gerd
>

Re: [Qemu-devel] [PATCH 2/3] vnc: support password expire

[Gerd Hoffmann]

   Hi,

>> If anything goes wrong in the mgmt tool at step 2 though,
>> then it may never to step 3, leaving the VNC server accessible.
>
> I think the point is that you can expire the password by just changing
> it through the monitor.

Well, you can't really expire it, you can only set it to $randomvalue. 
Unsetting the vnc password also disables authentication (in unstable), 
which is *not* what you want here ...

> Having an expiration policy builtin to QEMU (as
> opposed to libvirt) seems like the wrong place.

IMHO it doesn't build policy into qemu.  It is still up to libvirt (or 
the management app building on top of libvirt) to decide if and when the 
password will expire.  qemu will just do what libvirt asks for.

Instead of passing a expire time as implemented by the patches:

   set-password $protocol $secret $time

we could add a expire-password command, then ask management to do

    set-password $protocol $secret
    [ let $time pass ]
    expire-password $protocol

I fail to see why this is better though.  The former is more robust and 
easier to implement in the management.  The amount of code needed in 
qemu is probably quite similar ...

cheers,
   Gerd

Re: [Qemu-devel] [PATCH 2/3] vnc: support password expire

[Anthony Liguori]

On 11/11/2010 05:39 AM, Gerd Hoffmann wrote:
>   Hi,
>
>>> If anything goes wrong in the mgmt tool at step 2 though,
>>> then it may never to step 3, leaving the VNC server accessible.
>>
>> I think the point is that you can expire the password by just changing
>> it through the monitor.
>
> Well, you can't really expire it, you can only set it to $randomvalue. 
> Unsetting the vnc password also disables authentication (in unstable), 
> which is *not* what you want here ...
>
>> Having an expiration policy builtin to QEMU (as
>> opposed to libvirt) seems like the wrong place.
>
> IMHO it doesn't build policy into qemu.  It is still up to libvirt (or 
> the management app building on top of libvirt) to decide if and when 
> the password will expire.

Except if you want to cancel the expiration because the expiration 
policy changes.   You'd have to set the password without an expiration 
time and you may not have ready access to the password.

>   qemu will just do what libvirt asks for.
>
> Instead of passing a expire time as implemented by the patches:
>
>   set-password $protocol $secret $time
>
> we could add a expire-password command, then ask management to do
>
>    set-password $protocol $secret
>    [ let $time pass ]
>    expire-password $protocol
>
> I fail to see why this is better though.  The former is more robust 
> and easier to implement in the management.  The amount of code needed 
> in qemu is probably quite similar ...

But the later let's a management tool implement arbitrarily complex 
expiration policies.  It can also be used to generically disable any 
login which is effectively expiration but it may not be directly because 
of a timeout but rather because of some other operation.  For instance, 
a management tool might want to implement a login policy whereas you're 
only allowed to log into a VM during business hours (9-5).  Setting an 
expiration time for 8 hours is quite a bit less straight forward than 
just unsetting the password during the off hours.

Regards,

Anthony Liguori

> cheers,
>   Gerd
>
>

Re: [Qemu-devel] [PATCH 2/3] vnc: support password expire

[Gerd Hoffmann]

   Hi,

>>> Having an expiration policy builtin to QEMU (as
>>> opposed to libvirt) seems like the wrong place.
>>
>> IMHO it doesn't build policy into qemu. It is still up to libvirt (or
>> the management app building on top of libvirt) to decide if and when
>> the password will expire.
>
> Except if you want to cancel the expiration because the expiration
> policy changes. You'd have to set the password without an expiration
> time and you may not have ready access to the password.

Point.

>> set-password $protocol $secret
>> [ let $time pass ]
>> expire-password $protocol
>>
>> I fail to see why this is better though. The former is more robust and
>> easier to implement in the management. The amount of code needed in
>> qemu is probably quite similar ...
>
> But the later let's a management tool implement arbitrarily complex
> expiration policies.

Hmm, we could do this:

set-password $protocol $secret
expire-password $protocol [ now | never | $seconds ]

Comments?

cheers,
   Gerd

Re: [Qemu-devel] [PATCH 2/3] vnc: support password expire

[Anthony Liguori]

On 11/17/2010 04:23 AM, Gerd Hoffmann wrote:
>> But the later let's a management tool implement arbitrarily complex
>> expiration policies.
>
>
> Hmm, we could do this:
>
> set-password $protocol $secret
> expire-password $protocol [ now | never | $seconds ]
>
> Comments?

I would be happy with this.  I don't mind a bit of policy creeping into 
qemu as long as we're exposing the underlying mechanisms.

If it were me, I'd do:

set-password $protocol $secret
unset-password $protocol
expire-password [never | $seconds]

And I would implement expire-password in terms of unset-password.

Regards,

Anthony Liguori

> cheers,
>   Gerd
>
>

[Qemu-devel] [PATCH 0/3] vnc/spice: add monitor commands to change+expire passwords.

[Gerd Hoffmann]

This patch series adds new monitor commands to set and expire
the password:

  set-password $protocol $secret
  expire-password $protocol [ now | never | +secs | secs ]

The time when the password expires can be specified either relative
(+60 == password expires in 60 seconds from now) or absolute in seconds
since 1970 aka unix-epoch.

Check the patches and/or updated docs for details.

Gerd Hoffmann (3):
  vnc: auth reject cleanup
  vnc: support password expire
  vnc/spice: add set_passwd monitor command.

 console.h       |    1 +
 hmp-commands.hx |   54 +++++++++++++++++++++++++++++
 monitor.c       |  100 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 qemu-common.h   |    3 ++
 qmp-commands.hx |   57 +++++++++++++++++++++++++++++++
 ui/qemu-spice.h |    5 +++
 ui/spice-core.c |   35 +++++++++++++++++++
 ui/vnc.c        |   44 +++++++++++++++---------
 ui/vnc.h        |    1 +
 9 files changed, 283 insertions(+), 17 deletions(-)

[Qemu-devel] [PATCH 1/3] vnc: auth reject cleanup

[Gerd Hoffmann]

protocol_client_auth_vnc() has two places where the auth can fail,
with identical code sending the reject message to the client.
Move the common code to the end of the function and make both
error paths jump there.  No functional change.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 ui/vnc.c |   30 +++++++++++++-----------------
 1 files changed, 13 insertions(+), 17 deletions(-)

diff --git a/ui/vnc.c b/ui/vnc.c
index 864342e..da70757 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2085,15 +2085,7 @@ static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
 
     if (!vs->vd->password || !vs->vd->password[0]) {
         VNC_DEBUG("No password configured on server");
-        vnc_write_u32(vs, 1); /* Reject auth */
-        if (vs->minor >= 8) {
-            static const char err[] = "Authentication failed";
-            vnc_write_u32(vs, sizeof(err));
-            vnc_write(vs, err, sizeof(err));
-        }
-        vnc_flush(vs);
-        vnc_client_error(vs);
-        return 0;
+        goto reject;
     }
 
     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
@@ -2109,14 +2101,7 @@ static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
     /* Compare expected vs actual challenge response */
     if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
         VNC_DEBUG("Client challenge reponse did not match\n");
-        vnc_write_u32(vs, 1); /* Reject auth */
-        if (vs->minor >= 8) {
-            static const char err[] = "Authentication failed";
-            vnc_write_u32(vs, sizeof(err));
-            vnc_write(vs, err, sizeof(err));
-        }
-        vnc_flush(vs);
-        vnc_client_error(vs);
+        goto reject;
     } else {
         VNC_DEBUG("Accepting VNC challenge response\n");
         vnc_write_u32(vs, 0); /* Accept auth */
@@ -2125,6 +2110,17 @@ static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
         start_client_init(vs);
     }
     return 0;
+
+reject:
+    vnc_write_u32(vs, 1); /* Reject auth */
+    if (vs->minor >= 8) {
+        static const char err[] = "Authentication failed";
+        vnc_write_u32(vs, sizeof(err));
+        vnc_write(vs, err, sizeof(err));
+    }
+    vnc_flush(vs);
+    vnc_client_error(vs);
+    return 0;
 }
 
 void start_auth_vnc(VncState *vs)
-- 
1.7.1

[Qemu-devel] [PATCH 2/3] vnc: support password expire

[Gerd Hoffmann]

This patch adds support for expiring passwords to vnc.  It adds a new
vnc_display_pw_expire() function which specifies the time when the
password will expire.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 console.h     |    1 +
 qemu-common.h |    3 +++
 ui/vnc.c      |   14 ++++++++++++++
 ui/vnc.h      |    1 +
 4 files changed, 19 insertions(+), 0 deletions(-)

diff --git a/console.h b/console.h
index aafb031..b2fc908 100644
--- a/console.h
+++ b/console.h
@@ -369,6 +369,7 @@ void vnc_display_init(DisplayState *ds);
 void vnc_display_close(DisplayState *ds);
 int vnc_display_open(DisplayState *ds, const char *display);
 int vnc_display_password(DisplayState *ds, const char *password);
+int vnc_display_pw_expire(DisplayState *ds, time_t expires);
 void do_info_vnc_print(Monitor *mon, const QObject *data);
 void do_info_vnc(Monitor *mon, QObject **ret_data);
 char *vnc_display_local_addr(DisplayState *ds);
diff --git a/qemu-common.h b/qemu-common.h
index b3957f1..d0ab116 100644
--- a/qemu-common.h
+++ b/qemu-common.h
@@ -50,6 +50,9 @@ typedef struct DeviceState DeviceState;
 #if !defined(ENOTSUP)
 #define ENOTSUP 4096
 #endif
+#ifndef TIME_MAX
+#define TIME_MAX LONG_MAX
+#endif
 
 #ifndef CONFIG_IOVEC
 #define CONFIG_IOVEC
diff --git a/ui/vnc.c b/ui/vnc.c
index da70757..495d6d6 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2082,11 +2082,16 @@ static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
     unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
     int i, j, pwlen;
     unsigned char key[8];
+    time_t now = time(NULL);
 
     if (!vs->vd->password || !vs->vd->password[0]) {
         VNC_DEBUG("No password configured on server");
         goto reject;
     }
+    if (vs->vd->expires < now) {
+        VNC_DEBUG("Password is expired");
+        goto reject;
+    }
 
     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
 
@@ -2432,6 +2437,7 @@ void vnc_display_init(DisplayState *ds)
 
     vs->ds = ds;
     QTAILQ_INIT(&vs->clients);
+    vs->expires = TIME_MAX;
 
     if (keyboard_layout)
         vs->kbd_layout = init_keyboard_layout(name2keysym, keyboard_layout);
@@ -2503,6 +2509,14 @@ int vnc_display_password(DisplayState *ds, const char *password)
     return 0;
 }
 
+int vnc_display_pw_expire(DisplayState *ds, time_t expires)
+{
+    VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
+
+    vs->expires = expires;
+    return 0;
+}
+
 char *vnc_display_local_addr(DisplayState *ds)
 {
     VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
diff --git a/ui/vnc.h b/ui/vnc.h
index 9619b24..4f895be 100644
--- a/ui/vnc.h
+++ b/ui/vnc.h
@@ -120,6 +120,7 @@ struct VncDisplay
 
     char *display;
     char *password;
+    time_t expires;
     int auth;
     bool lossy;
 #ifdef CONFIG_VNC_TLS
-- 
1.7.1

[Qemu-devel] [PATCH 3/3] vnc/spice: add set_passwd monitor command.

[Gerd Hoffmann]

This patch adds new set_password and expire_password monitor commands
which allows to change and expire the password for spice and vnc
connections.  See the doc update patch chunk for details.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hmp-commands.hx |   54 +++++++++++++++++++++++++++++
 monitor.c       |  100 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 qmp-commands.hx |   57 +++++++++++++++++++++++++++++++
 ui/qemu-spice.h |    5 +++
 ui/spice-core.c |   35 +++++++++++++++++++
 5 files changed, 251 insertions(+), 0 deletions(-)

diff --git a/hmp-commands.hx b/hmp-commands.hx
index 0474950..fa85832 100644
--- a/hmp-commands.hx
+++ b/hmp-commands.hx
@@ -1134,6 +1134,60 @@ Set the encrypted device @var{device} password to @var{password}
 ETEXI
 
     {
+        .name       = "set_password",
+        .args_type  = "protocol:s,password:s,connected:s?",
+        .params     = "protocol password action-if-connected",
+        .help       = "set spice/vnc password",
+	.user_print = monitor_user_noop,
+        .mhandler.cmd_new = set_password,
+    },
+
+STEXI
+@item set_password [ vnc | spice ] password [ action-if-connected ]
+@findex set_password
+
+Change spice/vnc password.  Use zero to make the password stay valid
+forever.  @var{action-if-connected} specifies what should happen in
+case a connection is established: @var{fail} makes the password change
+fail.  @var{disconnect} changes the password and disconnects the
+client.  @var{keep} changes the password and keeps the connection up.
+@var{keep} is the default.
+ETEXI
+
+    {
+        .name       = "expire_password",
+        .args_type  = "protocol:s,time:s",
+        .params     = "protocol time",
+        .help       = "set spice/vnc password expire-time",
+	.user_print = monitor_user_noop,
+        .mhandler.cmd_new = expire_password,
+    },
+
+STEXI
+@item expire_password [ vnc | spice ] expire-time
+@findex expire_password
+
+Specify when a password for spice/vnc becomes
+invalid. @var{expire-time} accepts:
+
+@table @var
+@item now
+Invalidate password instantly.
+
+@item never
+Password stays valid forever.
+
+@item +nsec
+Password stays valid for @var{nsec} seconds starting now.
+
+@item nsec
+Password is invalidated at the given time.  @var{nsec} are the seconds
+passed since 1970, i.e. unix epoch.
+
+@end table
+ETEXI
+
+    {
         .name       = "info",
         .args_type  = "item:s?",
         .params     = "[subcommand]",
diff --git a/monitor.c b/monitor.c
index 153663c..e7af6d2 100644
--- a/monitor.c
+++ b/monitor.c
@@ -34,6 +34,7 @@
 #include "net.h"
 #include "net/slirp.h"
 #include "qemu-char.h"
+#include "ui/qemu-spice.h"
 #include "sysemu.h"
 #include "monitor.h"
 #include "readline.h"
@@ -1050,6 +1051,105 @@ static int do_change(Monitor *mon, const QDict *qdict, QObject **ret_data)
     return ret;
 }
 
+static int set_password(Monitor *mon, const QDict *qdict, QObject **ret_data)
+{
+    const char *protocol  = qdict_get_str(qdict, "protocol");
+    const char *password  = qdict_get_str(qdict, "password");
+    const char *connected = qdict_get_try_str(qdict, "connected");
+    int disconnect_if_connected = 0;
+    int fail_if_connected = 0;
+    int rc;
+
+    if (connected) {
+        if (strcmp(connected, "fail") == 0) {
+            fail_if_connected = 1;
+        } else if (strcmp(connected, "disconnect") == 0) {
+            disconnect_if_connected = 1;
+        } else if (strcmp(connected, "keep") == 0) {
+            /* nothing */
+        } else {
+            qerror_report(QERR_INVALID_PARAMETER, "connected");
+            return -1;
+        }
+    }
+
+    if (strcmp(protocol, "spice") == 0) {
+        if (!using_spice) {
+            /* correct one? spice isn't a device ,,, */
+            qerror_report(QERR_DEVICE_NOT_ACTIVE, "spice");
+            return -1;
+        }
+        rc = qemu_spice_set_passwd(password, fail_if_connected,
+                                   disconnect_if_connected);
+        if (rc != 0) {
+            qerror_report(QERR_SET_PASSWD_FAILED);
+            return -1;
+        }
+        return 0;
+    }
+
+    if (strcmp(protocol, "vnc") == 0) {
+        if (fail_if_connected || disconnect_if_connected) {
+            /* vnc supports "connected=keep" only */
+            qerror_report(QERR_INVALID_PARAMETER, "connected");
+            return -1;
+        }
+        rc = vnc_display_password(NULL, password);
+        if (rc != 0) {
+            qerror_report(QERR_SET_PASSWD_FAILED);
+            return -1;
+        }
+        return 0;
+    }
+
+    qerror_report(QERR_INVALID_PARAMETER, "protocol");
+    return -1;
+}
+
+static int expire_password(Monitor *mon, const QDict *qdict, QObject **ret_data)
+{
+    const char *protocol  = qdict_get_str(qdict, "protocol");
+    const char *whenstr = qdict_get_str(qdict, "time");
+    time_t when;
+    int rc;
+
+    if (strcmp(whenstr, "now")) {
+        when = 0;
+    } else if (strcmp(whenstr, "never")) {
+        when = TIME_MAX;
+    } else if (whenstr[0] == '+') {
+        when = time(NULL) + strtoull(whenstr+1, NULL, 10);
+    } else {
+        when = strtoull(whenstr, NULL, 10);
+    }
+
+    if (strcmp(protocol, "spice") == 0) {
+        if (!using_spice) {
+            /* correct one? spice isn't a device ,,, */
+            qerror_report(QERR_DEVICE_NOT_ACTIVE, "spice");
+            return -1;
+        }
+        rc = qemu_spice_set_pw_expire(when);
+        if (rc != 0) {
+            qerror_report(QERR_SET_PASSWD_FAILED);
+            return -1;
+        }
+        return 0;
+    }
+
+    if (strcmp(protocol, "vnc") == 0) {
+        rc = vnc_display_pw_expire(NULL, when);
+        if (rc != 0) {
+            qerror_report(QERR_SET_PASSWD_FAILED);
+            return -1;
+        }
+        return 0;
+    }
+
+    qerror_report(QERR_INVALID_PARAMETER, "protocol");
+    return -1;
+}
+
 static int do_screen_dump(Monitor *mon, const QDict *qdict, QObject **ret_data)
 {
     vga_hw_screen_dump(qdict_get_str(qdict, "filename"));
diff --git a/qmp-commands.hx b/qmp-commands.hx
index 8e940e6..0d83764 100644
--- a/qmp-commands.hx
+++ b/qmp-commands.hx
@@ -757,6 +757,63 @@ Example:
 EQMP
 
     {
+        .name       = "set_password",
+        .args_type  = "protocol:s,password:s,connected:s?",
+        .params     = "protocol password action-if-connected",
+        .help       = "set spice/vnc password",
+	.user_print = monitor_user_noop,
+        .mhandler.cmd_new = set_password,
+    },
+
+SQMP
+set_password
+------------
+
+Set the password for vnc/spice protocols.
+
+Arguments:
+
+- "protocol": protocol name (json-string)
+- "password": password (json-string)
+- "connected": [ keep | disconnect | fail ] (josn-string, optional)
+
+Example:
+
+-> { "execute": "set_password", "arguments": { "protocol": "vnc",
+                                               "password": "secret" } }
+<- { "return": {} }
+
+EQMP
+
+    {
+        .name       = "expire_password",
+        .args_type  = "protocol:s,time:s",
+        .params     = "protocol time",
+        .help       = "set spice/vnc password expire-time",
+	.user_print = monitor_user_noop,
+        .mhandler.cmd_new = expire_password,
+    },
+
+SQMP
+expire_password
+---------------
+
+Set the password expire time for vnc/spice protocols.
+
+Arguments:
+
+- "protocol": protocol name (json-string)
+- "time": [ now | never | +secs | secs ] (json-string)
+
+Example:
+
+-> { "execute": "expire_password", "arguments": { "protocol": "vnc",
+                                                  "time": "+60" } }
+<- { "return": {} }
+
+EQMP
+
+    {
         .name       = "qmp_capabilities",
         .args_type  = "",
         .params     = "",
diff --git a/ui/qemu-spice.h b/ui/qemu-spice.h
index 1a0ed49..3a52d75 100644
--- a/ui/qemu-spice.h
+++ b/ui/qemu-spice.h
@@ -32,6 +32,9 @@ void qemu_spice_input_init(void);
 void qemu_spice_audio_init(void);
 void qemu_spice_display_init(DisplayState *ds);
 int qemu_spice_add_interface(SpiceBaseInstance *sin);
+int qemu_spice_set_passwd(const char *passwd,
+                          bool fail_if_connected, bool disconnect_if_connected);
+int qemu_spice_set_pw_expire(time_t expires);
 
 void do_info_spice(Monitor *mon, QObject **ret_data);
 int mon_spice_migrate(Monitor *mon, const QDict *qdict, QObject **ret_data);
@@ -39,6 +42,8 @@ int mon_spice_migrate(Monitor *mon, const QDict *qdict, QObject **ret_data);
 #else  /* CONFIG_SPICE */
 
 #define using_spice 0
+#define qemu_spice_set_passwd(_p, _f1, _f2) (-1)
+#define qemu_spice_set_pw_expire(_e) (-1)
 
 #endif /* CONFIG_SPICE */
 
diff --git a/ui/spice-core.c b/ui/spice-core.c
index 7d51563..7b9ac22 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
@@ -37,6 +37,8 @@
 
 static SpiceServer *spice_server;
 static const char *auth = "spice";
+static char *auth_passwd;
+static time_t auth_expires = TIME_MAX;
 int using_spice = 0;
 
 struct SpiceTimer {
@@ -635,6 +637,39 @@ int qemu_spice_add_interface(SpiceBaseInstance *sin)
     return spice_server_add_interface(spice_server, sin);
 }
 
+static int qemu_spice_set_ticket(bool fail_if_conn, bool disconnect_if_conn)
+{
+    time_t lifetime, now = time(NULL);
+    char *passwd;
+
+    if (now < auth_expires) {
+        passwd = auth_passwd;
+        lifetime = (auth_expires - now);
+        if (lifetime > INT_MAX) {
+            lifetime = INT_MAX;
+        }
+    } else {
+        passwd = NULL;
+        lifetime = 1;
+    }
+    return spice_server_set_ticket(spice_server, passwd, lifetime,
+                                   fail_if_conn, disconnect_if_conn);
+}
+
+int qemu_spice_set_passwd(const char *passwd,
+                          bool fail_if_conn, bool disconnect_if_conn)
+{
+    free(auth_passwd);
+    auth_passwd = strdup(passwd);
+    return qemu_spice_set_ticket(fail_if_conn, disconnect_if_conn);
+}
+
+int qemu_spice_set_pw_expire(time_t expires)
+{
+    auth_expires = expires;
+    return qemu_spice_set_ticket(false, false);
+}
+
 static void spice_register_config(void)
 {
     qemu_add_opts(&qemu_spice_opts);
-- 
1.7.1

Re: [Qemu-devel] [PATCH 3/3] vnc/spice: add set_passwd monitor command.

[malc]

On Wed, 24 Nov 2010, Gerd Hoffmann wrote:

> This patch adds new set_password and expire_password monitor commands
> which allows to change and expire the password for spice and vnc
> connections.  See the doc update patch chunk for details.
> 

This has tabs.

[..snip..]

-- 
mailto:av1474@comtv.ru