From: Gerd Hoffmann
Date: Wed, 11 Dec 2013 17:29:21 +0100
Subject: Re: [Qemu-devel] [PATCH] vnc: refuse to set a password with VNC_AUTH_NONE
To: Paolo Bonzini
Cc: qemu-devel@nongnu.org, Anthony Liguori

On Wed, 2013-12-11 at 17:06 +0100, Paolo Bonzini wrote:
> On 11/12/2013 16:54, Gerd Hoffmann wrote:
> > Current code silently changes the authentication settings
> > in case you try to set a password without password authentication
> > turned on. This is bad. Return an error instead.
> >
> > If we want to allow changing auth settings at runtime this should
> > be done explicitly using a separate monitor command, not as
> > side effect of set_passwd.
> >
> > Signed-off-by: Gerd Hoffmann
>
> Isn't this backwards-incompatible?

Yes. I think it is the correct thing nevertheless. Users who want
password-protected guests should configure vnc correctly to avoid
an unprotected window between qemu start and setting the password.

Also note that enabling passwd auth via "set_passwd" side-effect
bypasses fips restrictions.

So this is a clear security improvement IMHO.

cheers,
  Gerd
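
An added illustration of the two behaviours discussed in this thread (not code from the patch or from QEMU): a simplified C model in which a start-up policy check is skipped when the password setter changes the auth mode as a side effect, next to a setter that refuses instead. Every name except `VNC_AUTH_NONE`, and the placement of the FIPS check at configuration time, is an assumption made for the sketch.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified model, not QEMU source; names other than VNC_AUTH_NONE are assumed. */
enum vnc_auth { VNC_AUTH_NONE = 1, VNC_AUTH_VNC = 2 };

struct display { enum vnc_auth auth; char password[9]; };  /* constructed layout */

/* Start-up configuration: the one place the FIPS policy is checked (assumption). */
int display_configure(struct display *d, bool want_password, bool fips_mode)
{
    if (want_password && fips_mode)
        return -EPERM;               /* password auth refused by policy */
    d->auth = want_password ? VNC_AUTH_VNC : VNC_AUTH_NONE;
    d->password[0] = '\0';
    return 0;
}

/* Old behaviour per the commit message: auth changes as a side effect. */
int set_passwd_legacy(struct display *d, const char *pw)
{
    if (d->auth == VNC_AUTH_NONE)
        d->auth = VNC_AUTH_VNC;      /* silent switch, policy check never runs */
    snprintf(d->password, sizeof(d->password), "%s", pw);
    return 0;
}

/* Behaviour per the patch subject: refuse and leave the settings untouched. */
int set_passwd_strict(struct display *d, const char *pw)
{
    if (d->auth == VNC_AUTH_NONE)
        return -EINVAL;
    snprintf(d->password, sizeof(d->password), "%s", pw);
    return 0;
}

int main(void)
{
    struct display d;
    display_configure(&d, false, true);          /* FIPS host, auth none */
    int rc = set_passwd_legacy(&d, "secret");    /* constructed sample password */
    printf("legacy: rc=%d auth=%d\n", rc, (int)d.auth);
    display_configure(&d, false, true);
    rc = set_passwd_strict(&d, "secret");
    printf("strict: rc=%d auth=%d\n", rc, (int)d.auth);
}
```
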