From: Gerd Hoffmann <kraxel@redhat.com>
To: Christophe Fergeau <cfergeau@redhat.com>
Cc: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH v3] spice: Allow to set password even if disable-ticketing was used
Date: Mon, 12 Oct 2015 15:43:51 +0200 [thread overview]
Message-ID: <1444657431.19915.22.camel@redhat.com> (raw)
In-Reply-To: <1444649126-13863-1-git-send-email-cfergeau@redhat.com>
On Mo, 2015-10-12 at 13:25 +0200, Christophe Fergeau wrote:
> Before commit b1ea7b79e1, it was possible to start with -spice
> disable-ticketing, and then use the "set_password spice" command to
> enable ticketing with SPICE. Since commit b1ea7b79e1 this is no longer
> possible as qemu_spice_set_ticket() will return an error unless the
> 'auth' type is "spice". When ticketing is disabled, 'auth' is "none" so
> the attempt to set password fails.
Huh? And this actually worked? i.e. spice_server_set_ticket() has an
effect after spice_server_set_noauth() was called?
> This change of behaviour caused a bug in oVirt
> https://gerrit.ovirt.org/#/c/44842/
Hmm, I'd say fix this in ovirt then [1].
If you want run with spice authentication, then say so when starting
qemu. Switching authentication methods as side-effect of setting the
password is asking for trouble. We had that with vnc. We finally got
rid of it a while ago. I don't feel like opening that can of worms
again.
Also it encourages bad security practice. If you turn on password auth
as side effect of setting the password there is a window where one can
access the virtual machine without a password, which probably is not
what you want.
If there is an actual use case where switching authentication methods at
runtime is needed we can discuss that. But we'll be doing that as
explicit monitor command, not as side-effect of something else.
cheers,
Gerd
[1] You have to do that anyway. We had three qemu releases (2.1 to
2.3) with that behavior ...
next prev parent reply other threads:[~2015-10-12 13:44 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-12 11:25 [Qemu-devel] [PATCH v3] spice: Allow to set password even if disable-ticketing was used Christophe Fergeau
2015-10-12 13:43 ` Gerd Hoffmann [this message]
2015-10-12 15:10 ` Christophe Fergeau
2015-10-13 7:58 ` Gerd Hoffmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1444657431.19915.22.camel@redhat.com \
--to=kraxel@redhat.com \
--cc=cfergeau@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).