From: "Daniel P. Berrange"
To: qemu-devel@nongnu.org
Date: Fri, 27 Feb 2009 10:46:23 +0000
Subject: Re: [Qemu-devel] PATCH: 6/9: Add SASL authentication support
Message-ID: <20090227104623.GD23877@redhat.com>
In-Reply-To: <20090226115624.GL22494@redhat.com>
References: <20090226113933.GA29854@redhat.com> <20090226115624.GL22494@redhat.com>

On Thu, Feb 26, 2009 at 11:56:24AM +0000, Daniel P. Berrange wrote:
> This patch adds the new SASL authentication protocol to the VNC server.
>
> diff -r 0eb0b12c0673 vnc-auth-sasl.c
> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
> +++ b/vnc-auth-sasl.c Mon Feb 23 13:40:03 2009 +0000
> +
> +#include "vnc.h"
> +
> +/* Max amount of data we send/recv for SASL steps to prevent DOS */
> +#define SASL_DATA_MAX_LEN (1024 * 1024)
> +

FYI, last time I posted this series, a question was raised about whether
this limit is large enough for Windows Kerberos tickets with lots of
groups. I've done a little googling and found this Microsoft technote

http://technet.microsoft.com/en-us/library/cc756101.aspx

  "Recommended Maximum Kerberos Settings

   The maximum recommended size for a Kerberos ticket is 65,535 bytes,
   which is configured through the MaxTokenSize REG_DWORD value in the
   registry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Lsa\Kerberos\Parameters).
   Increasing this value from the default may cause errors, particularly
   when Web browsers or Web servers are used."

Given that Microsoft recommends a max size of 65,535 bytes I think we
should be OK with this 1MB limit on a SASL auth step. In any case this is
only a server side sanity check, not a fundamental part of the auth
protocol definition, so we can easily increase it in future should it
become a problem.

Regards,
Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
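Review bot: the comment above SASL_DATA_MAX_LEN in the quoted vnc-auth-sasl.c hunk says only "to prevent DOS"; the rationale given in this reply belongs in the source itself, namely that 1 MB is a server-side sanity bound chosen to sit well above the 65,535-byte Windows MaxTokenSize maximum and can be raised later without changing the auth protocol. The visible lines also do not say what the server does when a step exceeds the limit; a short note pointing to where the check fires and whether the authentication is failed or the connection dropped would save the next reader a trip to this thread.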
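As an added illustration, not part of Daniel's patch or this thread, the following C sketch shows the kind of server-side sanity check the reply describes: the length a client advertises for a SASL step is compared against SASL_DATA_MAX_LEN before any buffer is sized from it, so an oversized claim is refused without allocating anything. The 4-byte big-endian length prefix, the error codes and the function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define SASL_DATA_MAX_LEN (1024 * 1024)  /* same cap as the patch */
#define VNC_SASL_ERR_TOO_LONG (-1)       /* rejected: exceeds the cap */
#define VNC_SASL_ERR_SHORT    (-2)       /* frame incomplete, read more */
/* Assumed framing for this example (not from the patch): a 4-byte
 * big-endian length prefix followed by the SASL payload. */
static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
static void write_be32(uint8_t *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}
/* Validate one framed SASL step before any buffer is sized from the
 * client-supplied length. Returns the payload length or a VNC_SASL_ERR_* code. */
int64_t vnc_sasl_check_step(const uint8_t *buf, size_t buflen)
{
    if (buflen < 4)
        return VNC_SASL_ERR_SHORT;
    uint32_t len = read_be32(buf);
    if (len > SASL_DATA_MAX_LEN)
        return VNC_SASL_ERR_TOO_LONG;  /* DoS guard: refuse, never malloc(len) */
    if (buflen - 4 < len)
        return VNC_SASL_ERR_SHORT;     /* within the cap, but not fully received */
    return (int64_t)len;
}

/* A step carrying a 65,535-byte token (the Windows MaxTokenSize maximum
 * cited in the mail) fits comfortably under the 1 MB cap. */
int64_t check_max_token_size_step(void)
{
    static uint8_t frame[4 + 65535];
    write_be32(frame, 65535);
    memset(frame + 4, 0xAA, 65535);    /* constructed token bytes */
    return vnc_sasl_check_step(frame, sizeof frame);
}

/* A header claiming one byte over the cap is refused from the prefix
 * alone, so no payload is ever buffered for it. */
int64_t check_oversized_step(void)
{
    uint8_t hdr[4];
    write_be32(hdr, SASL_DATA_MAX_LEN + 1);
    return vnc_sasl_check_step(hdr, sizeof hdr);
}
```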