From: "Daniel P. Berrange"
To: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] PATCH: 0/9: Support SASL authentication in VNC server (version 4)
Date: Mon, 2 Mar 2009 12:49:19 +0000
Message-ID: <20090302124919.GJ2131@redhat.com>
In-Reply-To: <20090302123121.GH15108@redhat.com>

On Mon, Mar 02, 2009 at 12:31:21PM +0000, Daniel P. Berrange wrote:
> Previously I provided patches for QEMU's VNC server to support SSL/TLS
> and x509 certificates. This provides good encryption capabilities for
> the VNC session. It doesn't really address the authentication problem
> though.
>
> I have been working to create a new authentication type in the RFB
> protocol to address this need in a generic, extendable way, by mapping
> the SASL API into the RFB protocol. Since SASL is a generic plugin
> based API, this will allow use of a huge range of auth mechanisms over
> VNC, without us having to add any more auth code. For example, PAM,
> Digest-MD5, GSSAPI/Kerberos, One-time key/password, LDAP password
> lookup, SQL db password lookup, and more.
>
> I have got a VNC auth type assigned by the RFB spec maintainers:
>
> http://realvnc.com/pipermail/vnc-list/2008-December/059463.html
>
> With the full current spec for the SASL extension currently documented
> here:
>
> http://realvnc.com/pipermail/vnc-list/2008-December/059462.html
>
> This is the 4th version of the patches I previously posted:
>
> v1: http://lists.gnu.org/archive/html/qemu-devel/2009-02/msg00255.html
> v2: http://lists.gnu.org/archive/html/qemu-devel/2009-02/msg00826.html
> v3: http://lists.gnu.org/archive/html/qemu-devel/2009-02/msg01418.html
>
> Changes since last time
>
> - Removed mistaken changes to qemu-doc.texi from bad merge
>
> - Renamed the 'ACL' struct to 'qemu_acl' to avoid clash with
> a system header typedef in Win32 platforms
>
> - Check for 'fnmatch' function in configure, and if not found
> then revert to exact strcmp() matching instead of wildcard
> matching
>
> - Add docs for the 'acl' monitor command

One other change I forgot to mention:

- ACLs are not activated unless you explicitly set the ',acl' flag to the
  -vnc command line option, e.g. -vnc localhost:1,sasl,acl

- When activated, ACLs now have a default policy of 'deny'.

The combination of those two changes is required to ensure current usage
of QEMU / VNC is not subject to breakage, while allowing secure use of
ACLs. Previous versions of these patches had ACLs enabled by default, but
with 'allow all' policy. This meant there was a window of open access
between QEMU starting up, and the user configuring ACLs in the monitor
console.

Also, as previously discussed, I'm happy for patch 9 to be left out until
the more general QEMU config file plans come to fruition. I just include
it for completeness / as a demo.

Daniel
-- 
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|