From: Anthony Liguori
Date: Thu, 02 Aug 2007 09:35:54 -0500
Subject: Re: [Qemu-devel] PATCH 3/8: VNC password authentication
Message-ID: <46B1EBCA.8030208@codemonkey.ws>
References: <20070731192316.GI18730@redhat.com> <20070731192641.GL18730@redhat.com> <46AFE609.1080601@codemonkey.ws> <20070801162628.GD31282@redhat.com>
In-Reply-To: <20070801162628.GD31282@redhat.com>
To: "Daniel P. Berrange"
Cc: qemu-devel@nongnu.org

Daniel P. Berrange wrote:
> On Tue, Jul 31, 2007 at 08:46:49PM -0500, Anthony Liguori wrote:
>
>> Daniel P. Berrange wrote:
>>
>>> This patch introduces support for VNC protocols up to 3.8 and with
>>> it, support for password based authentication. VNC's password based
>>> authentication is not entirely secure, but it is a standard and the
>>> RFB spec requires that all clients support it.
>>> The password can be provided by using the monitor 'change vnc :1' and
>>> it will prompt for a password to be entered. Passwords have up to 8
>>> letters of context. Pressing 'enter' without entering any characters
>>> disables password auth in the server. NB, we need a custom copy of
>>> d3des here because VNC uses a 'special' modification of the algorithm.
>>> This d3des code is public domain & in all other VNC servers & clients.
>>>
>>>
>> I think it may be better to have a command to explicitly set the vnc
>> password. Issuing "change vnc :1" just to change the password is a
>> little awkward IMHO.
>>
>
> Ok I'll add a separate command for that - any preference for naming?
> I thought about 'change vncpassword', but the 'change' command requires
> 2 args and we'd only have 1 here. Or if we think there may be other
> devices/drivers which will have passwords in the future we could have
> 'change password vnc' as the command.
>

I don't really have that strong of a preference.

Regards,

Anthony Liguori

>>> - >>> - vnc_write_u32(vs, 1); /* None */ >>> - vnc_flush(vs); >>> - >>> - vnc_read_when(vs, protocol_client_init, 1); >>> + VNC_DEBUG("Client request protocol version %d.%d\n", vs->major, >>> vs->minor); >>> + if (vs->major != 3 || >>> + (vs->minor != 3 && >>> + vs->minor != 7 && >>> + vs->minor != 8)) { >>> + VNC_DEBUG("Unsupported client version\n"); >>> + vnc_write_u32(vs, VNC_AUTH_INVALID); >>> + vnc_flush(vs); >>> + vnc_client_error(vs); >>> + return 0; >>> + }
>>>
>>>
>> A very popular VNC client uses 3.5 as the protocol version. I believe
>> the specification requires that 3.5 be treated as 3.3 because of that.
>>
>
> Good point. I'll add support for that.
>
> Regards,
> Dan.
>
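
Review bot: the vs->minor test in the version check is an exact-match allow-list (3, 7, 8), so a client announcing 3.5, as raised in this reply, is answered with VNC_AUTH_INVALID and disconnected. Map 3.5 to the 3.3 handshake before this test and store the normalised value back in vs->minor, so later handshake code only ever sees 3, 7 or 8. In the rejection branch, vnc_write_u32(vs, VNC_AUTH_INVALID) goes to a client whose version the server has just declared unsupported, and no reason text follows it before vnc_client_error(vs); a comment there stating which wire format the refusal is meant to match would help the next reader.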
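
The version handling discussed in this thread (accept 3.3, 3.7 and 3.8, treat 3.5 as 3.3, refuse anything else), written out as an added example that is not part of the original message or of QEMU's code. The names rfb_pick_handshake, three_digits and enum rfb_handshake are hypothetical; the 12-byte "RFB xxx.yyy\n" greeting layout is assumed from the RFB specification, and the sample greetings are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is not QEMU code. */
enum rfb_handshake { RFB_REJECT = 0, RFB_HS_33 = 33, RFB_HS_37 = 37, RFB_HS_38 = 38 };

/* Exactly three ASCII digits, or -1. Avoids sscanf("%d"), which would also
 * accept a sign or leading whitespace inside the fixed-width field. */
static int three_digits(const unsigned char *p)
{
    if (!isdigit(p[0]) || !isdigit(p[1]) || !isdigit(p[2]))
        return -1;
    return (p[0] - '0') * 100 + (p[1] - '0') * 10 + (p[2] - '0');
}

/* msg is the client's 12-byte ProtocolVersion message, "RFB xxx.yyy\n". */
enum rfb_handshake rfb_pick_handshake(const unsigned char msg[12])
{
    if (memcmp(msg, "RFB ", 4) != 0 || msg[7] != '.' || msg[11] != '\n')
        return RFB_REJECT;
    if (three_digits(msg + 4) != 3)
        return RFB_REJECT;
    switch (three_digits(msg + 8)) {
    case 3:
    case 5:                 /* 3.5 is treated as 3.3, per the thread */
        return RFB_HS_33;
    case 7:
        return RFB_HS_37;
    case 8:
        return RFB_HS_38;
    default:                /* malformed field (-1) or unlisted minor */
        return RFB_REJECT;
    }
}

int main(void)
{
    /* Constructed sample greetings, not captured traffic. */
    const char *samples[] = { "RFB 003.008\n", "RFB 003.005\n",
                              "RFB 003.004\n", "RFB 003. +8\n" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%.11s -> %d\n", samples[i],
               rfb_pick_handshake((const unsigned char *)samples[i]));
    return 0;
}
```

The return value is the normalised handshake, so code after this point never has to branch on a raw client-supplied minor.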