From: "Daniel P. Berrange" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] PATCH: 0/9: Support SASL authentication in VNC server (version 4)
Date: Mon, 2 Mar 2009 12:49:19 +0000	[thread overview]
Message-ID: <20090302124919.GJ2131@redhat.com> (raw)
In-Reply-To: <20090302123121.GH15108@redhat.com>

On Mon, Mar 02, 2009 at 12:31:21PM +0000, Daniel P. Berrange wrote:
> Previously I provided patches for QEMU's VNC server to support SSL/TLS
> and x509 certificates. This provides good encryption capabilities for
> the VNC session. It doesn't really address the authentication problem
> though.
> 
> I have been working to create a new authentication type in the RFB
> protocol to address this need in a generic, extendable way, by mapping
> the SASL API into the RFB protocol. Since SASL is a generic plugin
> based API, this will allow use of a huge range of auth mechanisms over
> VNC, without us having to add any more auth code. For example, PAM,
> Digest-MD5, GSSAPI/Kerberos, One-time key/password, LDAP password
> lookup, SQL db password lookup, and more.
> 
> I have got a VNC auth type assigned by the RFB spec maintainers:
> 
>   http://realvnc.com/pipermail/vnc-list/2008-December/059463.html
> 
> With the full current spec for the SASL extension currently documented
> here:
> 
>   http://realvnc.com/pipermail/vnc-list/2008-December/059462.html
> 
> This is the 4th version of the patches I previously posted:
> 
>  v1: http://lists.gnu.org/archive/html/qemu-devel/2009-02/msg00255.html
>  v2: http://lists.gnu.org/archive/html/qemu-devel/2009-02/msg00826.html
>  v3: http://lists.gnu.org/archive/html/qemu-devel/2009-02/msg01418.html
> 
> Changes since last time
> 
>  - Removed mistaken changes to qemu-doc.texi from bad merge
> 
>  - Renamed the 'ACL' struct to 'qemu_acl' to avoid clash with
>    a system header typedef in Win32 platforms
> 
>  - Check for 'fnmatch' function in configure, and if not found
>    then revert to exact strcmp() matching instead of wildcard
>    matching
> 
>  - Add docs for the 'acl' monitor command

One other change I forgot to mention:

  - ACLs are not activated unless you explicitly set the ',acl' flag
    to the -vnc command line option, e.g. -vnc localhost:1,sasl,acl
  - When activated, ACLs now have a default policy of 'deny'.

The combination of those two changes is required to ensure current usage
of QEMU / VNC is not subject to breakage, while allowing secure use of
ACLs. Previous versions of these patches had ACLs enabled by default,
but with 'allow all' policy. This meant there was a window of open access
between QEMU starting up, and the user configuring ACLs in the monitor
console. 

Also, as previously discussed, I'm happy for patch 9 to be left out until
the more general QEMU config file plans come to fruition. I just include
it for completeness / as a demo.

Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
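As an added illustration of the two points above (default policy 'deny', and the fnmatch/strcmp fallback), the following is a small stand-alone C model written for this page, not QEMU's qemu_acl code or any code from the patch series; the HAVE_FNMATCH macro, the structure layout and the function names are assumptions for the example.

```c
#include <string.h>
#ifdef HAVE_FNMATCH
#include <fnmatch.h>
#endif

typedef struct { char pattern[128]; int allow; } acl_entry; /* allow: 1/0 */
typedef struct {
    int default_allow;            /* 0 = default policy 'deny' */
    int nentries;
    acl_entry entries[32];
} acl;
/* Start from the safe default: deny everyone until explicit rules exist. */
void acl_init(acl *a) { memset(a, 0, sizeof(*a)); }

/* Append a rule; rules are evaluated in insertion order. */
int acl_append(acl *a, const char *pattern, int allow) {
    if (a->nentries >= 32 || strlen(pattern) >= sizeof(a->entries[0].pattern))
        return -1;
    strcpy(a->entries[a->nentries].pattern, pattern);
    a->entries[a->nentries++].allow = allow;
    return 0;
}

/* Wildcard match when fnmatch() was found at configure time (assumed
 * HAVE_FNMATCH macro), exact strcmp() otherwise. */
static int acl_match(const char *pattern, const char *identity) {
#ifdef HAVE_FNMATCH
    return fnmatch(pattern, identity, 0) == 0;
#else
    return strcmp(pattern, identity) == 0;
#endif
}

/* First matching rule decides; with no match the default policy applies. */
int acl_is_allowed(const acl *a, const char *identity) {
    for (int i = 0; i < a->nentries; i++)
        if (acl_match(a->entries[i].pattern, identity))
            return a->entries[i].allow;
    return a->default_allow;
}

/* Constructed scenario: empty ACL (no rules yet) versus one allow rule. */
int scenario_allowed(const char *identity, int add_rule) {
    acl a;
    acl_init(&a);
    if (add_rule)
        acl_append(&a, "fred@EXAMPLE.COM", 1);
    return acl_is_allowed(&a, identity);
}
```

With no rules loaded every identity is rejected, which is what closes the window between QEMU starting and the operator populating the ACL from the monitor.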

Thread overview: 13+ messages
2009-03-02 12:31 [Qemu-devel] PATCH: 0/9: Support SASL authentication in VNC server (version 4) Daniel P. Berrange
2009-03-02 12:39 ` [Qemu-devel] PATCH: 1/9: Fix bug in TLS authentication Daniel P. Berrange
2009-03-02 12:39 ` [Qemu-devel] PATCH: 2/9: Enhance 'info vnc' monitor output Daniel P. Berrange
2009-03-02 12:39 ` [Qemu-devel] PATCH: 3/9: Refactor keymap code to avoid duplication Daniel P. Berrange
2009-03-02 12:40 ` [Qemu-devel] PATCH: 4/9: Move VNC structs into header file Daniel P. Berrange
2009-03-02 12:40 ` [Qemu-devel] PATCH: 5/9: Move TLS auth into separate file Daniel P. Berrange
2009-03-02 12:41 ` [Qemu-devel] PATCH: 6/9: Add SASL authentication support Daniel P. Berrange
2009-03-02 12:41 ` [Qemu-devel] PATCH: 7/9: Include auth credentials in 'info vnc' Daniel P. Berrange
2009-03-02 12:42 ` [Qemu-devel] PATCH: 8/9: Support ACLs for controlling VNC access Daniel P. Berrange
2009-03-02 12:42 ` [Qemu-devel] PATCH: 9/9: Persist ACLs in external files Daniel P. Berrange
2009-03-02 12:49 ` Daniel P. Berrange [this message]
2009-03-06 20:30 ` [Qemu-devel] PATCH: 0/9: Support SASL authentication in VNC server (version 4) Anthony Liguori
2009-03-09  9:51   ` Daniel P. Berrange
