From: "Daniel P. Berrange" <berrange@redhat.com>
To: Michal Privoznik <mprivozn@redhat.com>
Cc: kraxel@redhat.com, qemu-devel@nongnu.org, armbru@redhat.com
Subject: Re: [Qemu-devel] [PATCH 1/3] qapi-schema: Make @password in set_password optional
Date: Tue, 17 Feb 2015 16:53:11 +0000 [thread overview]
Message-ID: <20150217165311.GF8344@redhat.com> (raw)
In-Reply-To: <7d250759ff7d01d2aec5f8f48ed51afb7fcfb17c.1424190993.git.mprivozn@redhat.com>
On Tue, Feb 17, 2015 at 05:40:45PM +0100, Michal Privoznik wrote:
> So, imagine you've started a guest with ticketing enabled. You've set
> some password to access your SPICE/VNC session. However, later you
> want to give the access to somebody else's and therefore disable the
> ticketing. Come on, be imaginative! Currently, there's no way how to
> achieve this. And while there are two possible ways to fulfill the
> goal: 1) invent new monitor command to disable ticketing, or 2) let
> @password argument to 'set_password' monitor command be optional, I'm
> choosing the latter. It's easier to implement, after all.
>
> The idea behind, how this will work, is: if user issues the command
> without the password field, it means they want to disable the
> ticketing. Any subsequent call to the call with password field filled
> in, will enable the ticketing again.
When password auth is enabled with VNC, the use of a NULL / empty string
password is explicitly intended to block access to the VNC server, by
causing the password auth to always return failure. Overloading the
'set_password' command such that a missing password changes the auth
scheme in use is a really surprising and bad side effect.
If we want to have the ability to change the authentication protocol
used for VNC/SPICE, then lets add a proper command for this. ie
create a 'set_graphics_auth' command to change auth protocol. This
is really better for VNC anyway, as there are far more possible auth
schemes than just password or no-password, and overloading the
'set_password' command can't handle that.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
next prev parent reply other threads:[~2015-02-17 16:53 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-17 16:40 [Qemu-devel] [PATCH 0/3] SPICE/VNC: Allow ticketing on the fly Michal Privoznik
2015-02-17 16:40 ` [Qemu-devel] [PATCH 1/3] qapi-schema: Make @password in set_password optional Michal Privoznik
2015-02-17 16:53 ` Daniel P. Berrange [this message]
2015-02-17 17:05 ` Eric Blake
2015-02-17 16:40 ` [Qemu-devel] [PATCH 2/3] spice: Implement set_password without password Michal Privoznik
2015-02-17 16:40 ` [Qemu-devel] [PATCH 3/3] vnc: " Michal Privoznik
2015-02-18 8:29 ` [Qemu-devel] [PATCH 0/3] SPICE/VNC: Allow ticketing on the fly Gerd Hoffmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150217165311.GF8344@redhat.com \
--to=berrange@redhat.com \
--cc=armbru@redhat.com \
--cc=kraxel@redhat.com \
--cc=mprivozn@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).