From: "Daniel P. Berrange" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] PATCH: 7/9: Include auth credentials in 'info vnc'
Date: Mon, 2 Mar 2009 12:41:45 +0000 [thread overview]
Message-ID: <20090302124145.GG2131@redhat.com> (raw)
In-Reply-To: <20090302123121.GH15108@redhat.com>
This patch extends the 'info vnc' monitor output to include information
about the VNC client authentication credentials.
For clients authenticated using SASL, this will output the username.
For clients authenticated using x509 certificates, this will output
the x509 distinguished name.
Auth can be stacked, so both username & x509 dname may be shown.
Server:
address: 0.0.0.0:5902
auth: vencrypt+x509+sasl
Client:
address: 10.33.6.67:38621
x509 dname: C=GB,O=ACME,L=London,ST=London,CN=localhost
username: admin
Client:
address: 10.33.6.63:38620
x509 dname: C=GB,O=ACME,L=London,ST=London,CN=localhost
username: admin
vnc-tls.c | 17 +++++++++++++++++
vnc-tls.h | 3 +++
vnc.c | 19 +++++++++++++++++--
3 files changed, 37 insertions(+), 2 deletions(-)
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
diff -r 440be37a35ea vnc-tls.c
--- a/vnc-tls.c Fri Feb 20 11:46:26 2009 +0000
+++ b/vnc-tls.c Fri Feb 20 11:47:52 2009 +0000
@@ -241,6 +241,22 @@ int vnc_tls_validate_certificate(struct
return -1;
}
+ if (i == 0) {
+ size_t dnameSize = 1024;
+ vs->tls.dname = qemu_malloc(dnameSize);
+ requery:
+ if ((ret = gnutls_x509_crt_get_dn (cert, vs->tls.dname, &dnameSize)) != 0) {
+ if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
+ vs->tls.dname = qemu_realloc(vs->tls.dname, dnameSize);
+ goto requery;
+ }
+ gnutls_x509_crt_deinit (cert);
+ VNC_DEBUG("Cannot get client distinguished name: %s",
+ gnutls_strerror (ret));
+ return -1;
+ }
+ }
+
gnutls_x509_crt_deinit (cert);
}
@@ -347,6 +363,7 @@ void vnc_tls_client_cleanup(struct VncSt
vs->tls.session = NULL;
}
vs->tls.wiremode = VNC_WIREMODE_CLEAR;
+ free(vs->tls.dname);
}
diff -r 440be37a35ea vnc-tls.h
--- a/vnc-tls.h Fri Feb 20 11:46:26 2009 +0000
+++ b/vnc-tls.h Fri Feb 20 11:47:52 2009 +0000
@@ -55,6 +55,9 @@ struct VncStateTLS {
/* Whether data is being TLS encrypted yet */
int wiremode;
gnutls_session_t session;
+
+ /* Client's Distinguished Name from the x509 cert */
+ char *dname;
};
int vnc_tls_client_setup(VncState *vs, int x509Creds);
diff -r 440be37a35ea vnc.c
--- a/vnc.c Fri Feb 20 11:46:26 2009 +0000
+++ b/vnc.c Fri Feb 20 11:47:52 2009 +0000
@@ -156,6 +156,21 @@ static void do_info_vnc_client(VncState
term_puts("Client:\n");
term_puts(clientAddr);
free(clientAddr);
+
+#ifdef CONFIG_VNC_TLS
+ if (client->tls.session &&
+ client->tls.dname)
+ term_printf(" x509 dname: %s\n", client->tls.dname);
+ else
+ term_puts(" x509 dname: none\n");
+#endif
+#ifdef CONFIG_VNC_SASL
+ if (client->sasl.conn &&
+ client->sasl.username)
+ term_printf(" username: %s\n", client->sasl.username);
+ else
+ term_puts(" username: none\n");
+#endif
}
void do_info_vnc(void)
@@ -1823,7 +1838,7 @@ static int protocol_client_auth(VncState
/* We only advertise 1 auth scheme at a time, so client
* must pick the one we sent. Verify this */
if (data[0] != vs->vd->auth) { /* Reject auth */
- VNC_DEBUG("Reject auth %d\n", (int)data[0]);
+ VNC_DEBUG("Reject auth %d because it didn't match advertized\n", (int)data[0]);
vnc_write_u32(vs, 1);
if (vs->minor >= 8) {
static const char err[] = "Authentication failed";
@@ -1863,7 +1878,7 @@ static int protocol_client_auth(VncState
#endif /* CONFIG_VNC_SASL */
default: /* Should not be possible, but just in case */
- VNC_DEBUG("Reject auth %d\n", vs->vd->auth);
+ VNC_DEBUG("Reject auth %d server code bug\n", vs->vd->auth);
vnc_write_u8(vs, 1);
if (vs->minor >= 8) {
static const char err[] = "Authentication failed";
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
next prev parent reply other threads:[~2009-03-02 12:41 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-03-02 12:31 [Qemu-devel] PATCH: 0/9: Support SASL authentication in VNC server (version 4) Daniel P. Berrange
2009-03-02 12:39 ` [Qemu-devel] PATCH: 1/9: Fix bug in TLS authentication Daniel P. Berrange
2009-03-02 12:39 ` [Qemu-devel] PATCH: 2/9: Enhance 'info vnc' monitor output Daniel P. Berrange
2009-03-02 12:39 ` [Qemu-devel] PATCH: 3/9: Refactor keymap code to avoid duplication Daniel P. Berrange
2009-03-02 12:40 ` [Qemu-devel] PATCH: 4/9: Move VNC structs into header file Daniel P. Berrange
2009-03-02 12:40 ` [Qemu-devel] PATCH: 5/9: Move TLS auth into separate file Daniel P. Berrange
2009-03-02 12:41 ` [Qemu-devel] PATCH: 6/9: Add SASL authentication support Daniel P. Berrange
2009-03-02 12:41 ` Daniel P. Berrange [this message]
2009-03-02 12:42 ` [Qemu-devel] PATCH: 8/9: Support ACLs for controlling VNC access Daniel P. Berrange
2009-03-02 12:42 ` [Qemu-devel] PATCH: 9/9: Persist ACLs in external files Daniel P. Berrange
2009-03-02 12:49 ` [Qemu-devel] PATCH: 0/9: Support SASL authentication in VNC server (version 4) Daniel P. Berrange
2009-03-06 20:30 ` Anthony Liguori
2009-03-09 9:51 ` Daniel P. Berrange
-- strict thread matches above, loose matches on Subject: below --
2009-02-26 11:39 [Qemu-devel] PATCH: 0/9: Support SASL authentication in VNC server (version 3) Daniel P. Berrange
2009-02-26 11:56 ` [Qemu-devel] PATCH: 7/9: Include auth credentials in 'info vnc' Daniel P. Berrange
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090302124145.GG2131@redhat.com \
--to=berrange@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).