From: "Daniel P. Berrange" <berrange@redhat.com>
To: Anthony Liguori <anthony@codemonkey.ws>
Cc: Paul Moore <pmoore@redhat.com>,
George Wilson <gcwilson@us.ibm.com>,
qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] vnc: disable VNC password authentication (security type 2) when in FIPS mode
Date: Wed, 2 May 2012 10:29:58 +0100 [thread overview]
Message-ID: <20120502092958.GL13336@redhat.com> (raw)
In-Reply-To: <4FA075AB.5000002@codemonkey.ws>
On Tue, May 01, 2012 at 06:45:47PM -0500, Anthony Liguori wrote:
> On 05/01/2012 06:43 PM, George Wilson wrote:
> >
> >Anthony Liguori<anthony@codemonkey.ws> wrote on 05/01/2012 06:26:05 PM:
> >
> >>Anthony Liguori<anthony@codemonkey.ws>
> >>05/01/2012 06:26 PM
> >>
> >>To
> >>
> >>Paul Moore<pmoore@redhat.com>
> >>
> >>cc
> >>
> >>qemu-devel@nongnu.org, George Wilson/Austin/IBM@IBMUS
> >>
> >>Subject
> >>
> >>Re: [Qemu-devel] [PATCH] vnc: disable VNC password authentication
> >>(security type 2) when in FIPS mode
> >>
> >>On 05/01/2012 04:20 PM, Paul Moore wrote:
> >>>FIPS 140-2 requires disabling certain ciphers, including DES, which is
> >used
> >>>by VNC to obscure passwords when they are sent over the network. The
> >>>solution for FIPS users is to disable the use of VNC password auth when
> >the
> >>>host system is operating in FIPS mode.
> >>
> >>Sorry, what?
> >>
> >>Does FIPS really require software to detect when FIPS is enabled
> >andactively
> >>disable features??? That's absurd.
> >>
> >>Can you point to another software package that does something like this?
> >
> >Yes, it's true that only FIPS-approved algorithms are permitted for use in
> >FIPS
> >mode. The kernel and all other FIPS 140-2 validated crypto modules like
> >OpenSSL
> >and NSS are required to restrict algorithms to the approved set. The
> >kernel
> >sets /proc/sys/crypto/fips_enabled so that programs can detect FIPS mode
> >and
> >behave in accordance with the standard.
>
> But this is nonsensical. It would allow no-password to be configured
> for the VNC server but not DES? Why is that okay? It's not like we
> enable DES passwords by default. A user has to explicitly configure
> it.
In the wonderful world of security certifications, "sensible" is
rarely a relevant factor. To answer your point though, FIPS itself
is just about restricting use of insecure algorithms. Whether an
application uses authentication or not, is outside the scope of
that. Other security standards are responsible for dictating whether
authentication is mandatory or not.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
next prev parent reply other threads:[~2012-05-02 9:30 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-05-01 21:20 [Qemu-devel] [PATCH] vnc: disable VNC password authentication (security type 2) when in FIPS mode Paul Moore
2012-05-01 22:54 ` Andreas Färber
2012-05-02 10:28 ` Christoph Hellwig
2012-05-02 11:05 ` Daniel P. Berrange
2012-05-02 15:45 ` Paul Moore
2012-05-01 23:26 ` Anthony Liguori
2012-05-01 23:43 ` George Wilson
2012-05-01 23:45 ` Anthony Liguori
2012-05-02 0:17 ` George Wilson
2012-05-02 9:29 ` Daniel P. Berrange [this message]
2012-05-02 9:16 ` Daniel P. Berrange
2012-05-02 9:18 ` Daniel P. Berrange
2012-05-02 15:50 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120502092958.GL13336@redhat.com \
--to=berrange@redhat.com \
--cc=anthony@codemonkey.ws \
--cc=gcwilson@us.ibm.com \
--cc=pmoore@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).