Date: Wed, 30 Sep 2009 18:45:54 +0200
From: Dan Kenigsberg
Subject: Re: [Qemu-devel] [PATCH] let management expire vnc password
Message-ID: <20090930164553.GA8310@redhat.com>
References: <1253609255-13016-1-git-send-email-danken@redhat.com> <4AC361E8.6060907@codemonkey.ws> <20090930140312.GB5408@redhat.com> <4AC36E81.901@codemonkey.ws>
In-Reply-To: <4AC36E81.901@codemonkey.ws>
To: Anthony Liguori
Cc: qemu-devel@nongnu.org

On Wed, Sep 30, 2009 at 09:43:13AM -0500, Anthony Liguori wrote:
> Dan Kenigsberg wrote:
>> On Wed, Sep 30, 2009 at 08:49:28AM -0500, Anthony Liguori wrote:
>>
>>> Dan Kenigsberg wrote:
>>>
>>>> After a client connects to the vnc server, management may wish to expire the
>>>> vnc password, so that an attacker has less time to break into the vm.
>>>>
>>> I don't understand what the use-case for this is.
>>>
>>> You want to basically lock out any new clients? Can't you just set
>>> the password to something random?
>>>
>>
>> Yes, and actually that's what we currently do. But having a random
>> password still opens a crack for guessing it.
>>
>
> Is the requirement, prevent future clients from connecting to the vnc
> server? Essentially, disabling the vnc server?
>
> Could we do something more direct like add a 'vnc off' monitor command?
> The nice thing about this approach is that we could add a flag to
> disconnect all connected clients since someone else wanted that feature
> in the past.
>

We would like to prevent future connections, but not to disconnect existing ones.

> Can you explain the rationale for doing this though in a management
> tool? I'd like to better understand what sort of policy you're trying
> to enforce.

The rationale is central management of access to virtual machines.
Normally, no vnc access to VMs is allowed. A user with enough credentials
may request from the management tool a short-lived "ticket" to connect to a
VM. If the user uses it, great. But after the ticket expires, no further
connections are allowed.

Regards,

Dan.