From: Anthony Liguori <anthony@codemonkey.ws>
To: "Daniel P. Berrange" <berrange@redhat.com>, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] PATCH: 0/7: Support SASL authentication in VNC server
Date: Sat, 14 Feb 2009 16:17:44 -0600
Message-ID: <49974308.9090306@codemonkey.ws>
In-Reply-To: <20090212145302.GO9894@redhat.com>
Daniel P. Berrange wrote:
> Previously I provided patches for QEMU's VNC server to support SSL/TLS
> and x509 certificates. This provides good encryption capabilities for
> the VNC session. It doesn't really address the authentication problem
> though.
>
> I have been working to create a new authentication type in the RFB
> protocol to address this need in a generic, extendable way, by mapping
> the SASL API into the RFB protocol. Since SASL is a generic plugin
> based API, this will allow use of a huge range of auth mechanisms over
> VNC, without us having to add any more auth code. For example, PAM,
> Digest-MD5, GSSAPI/Kerberos, One-time key/password, LDAP password
> lookup, SQL db password lookup, and more.
>
> I have got a VNC auth type assigned by the RFB spec maintainers:
>
> http://realvnc.com/pipermail/vnc-list/2008-December/059463.html
>
> With the full current spec for the SASL extension currently documented
> here:
>
> http://realvnc.com/pipermail/vnc-list/2008-December/059462.html
>
>
> This is the 2nd version of the patches I initially posted here
>
> http://lists.gnu.org/archive/html/qemu-devel/2009-02/msg00255.html
>
Modulo the comments I made, this series looks really nice. I'm going to
apply Brian Kress' multiple clients patch once he adds a SoB, so you'll
want to make sure to rebase against that for the next series.
Regards,
Anthony Liguori
> Changes since last time
>
> - Re-factor the code to move TLS and SASL methods into separate files,
> vnc-tls.c, vnc-auth-vencrypt.c and vnc-auth-vencrypt.h
>
> - Added simple access control lists for authorization of client users
> on either SASL username, or x509 distinguished name
>
> - Added proof of concept external file format for persisting ACLs
>
> - Extend 'info vnc' to show much more information about clients and
> auth
>
> - Tested with SASL + Digest-MD5, SASL + GSSAPI, TLS + SASL + Digest-MD5
> and TLS + SASL + GSSAPI. This gives coverage of all interesting
> code paths and/or I/O encryption combinations.
>
>
> The combined diffstat for all 7 patches about to follow, is
>
> .hgignore | 16
> Makefile | 27 +
> Makefile.target | 5
> b/acl.c | 264 ++++++++++++
> b/acl.h | 71 +++
> b/keymaps.h | 60 ++
> b/qemu.sasl | 34 +
> b/vnc-auth-sasl.c | 640 +++++++++++++++++++++++++++++
> b/vnc-auth-sasl.h | 76 +++
> b/vnc-auth-vencrypt.c | 175 +++++++
> b/vnc-auth-vencrypt.h | 33 +
> b/vnc-tls.c | 456 ++++++++++++++++++++
> b/vnc-tls.h | 76 +++
> configure | 34 +
> curses.c | 3
> curses_keys.h | 9
> keymaps.c | 45 --
> monitor.c | 80 +++
> qemu-doc.texi | 109 ++++
> sdl.c | 3
> sdl_keysym.h | 7
> vl.c | 12
> vnc.c | 1100 ++++++++++++++++++--------------------------------
> vnc.h | 215 +++++++++
> vnc_keysym.h | 5
> 25 files changed, 2795 insertions(+), 760 deletions(-)
>
>
> Daniel
>
>
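As an added illustration of the "simple access control lists" item in the cover letter above (example code written for this page, not QEMU's acl.c and not the external ACL file format the series adds), here is a small authorizer that checks the identity an auth layer established, either a SASL username or an x509 distinguished name, against an ordered allow/deny list. The text file format, the glob-style matching, the first-match rule with a default-deny policy, and the rule that every enabled ACL must pass on a TLS + SASL session are all assumptions made here; the sample ACL files are constructed.

```python
"""Authorization ACL keyed on an authenticated identity: a SASL username
or an x509 distinguished name.

Added example, not QEMU's acl.c.  The text file format, the glob-style
matching and the first-match / default-deny policy are assumptions made
here for illustration.
"""
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

ALLOW = "allow"
DENY = "deny"


class Acl:
    """Ordered list of (action, pattern) entries with a default policy."""

    def __init__(self, default: str = DENY) -> None:
        if default not in (ALLOW, DENY):
            raise ValueError(f"bad default policy: {default!r}")
        self.default = default
        self.entries: List[Tuple[str, str]] = []

    def add(self, action: str, pattern: str, index: Optional[int] = None) -> None:
        """Append an entry, or insert it at `index` (0 = highest priority)."""
        if action not in (ALLOW, DENY):
            raise ValueError(f"bad action: {action!r}")
        if not pattern:
            raise ValueError("empty pattern")
        if index is None:
            self.entries.append((action, pattern))
        else:
            self.entries.insert(index, (action, pattern))

    def check(self, identity: str) -> bool:
        """First matching entry wins; no match falls back to the default."""
        for action, pattern in self.entries:
            if fnmatchcase(identity, pattern):
                return action == ALLOW
        return self.default == ALLOW


def parse_acl(text: str) -> Acl:
    """Parse the assumed file format (one directive per line):
        # comment
        policy allow|deny
        allow <glob pattern>
        deny  <glob pattern>
    """
    acl = Acl()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<keyword> <value>'")
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "policy":
            if value not in (ALLOW, DENY):
                raise ValueError(f"line {lineno}: bad policy {value!r}")
            acl.default = value
        elif keyword in (ALLOW, DENY):
            acl.add(keyword, value)
        else:
            raise ValueError(f"line {lineno}: unknown keyword {keyword!r}")
    return acl


def authorize(username_acl: Optional[Acl], dn_acl: Optional[Acl],
              sasl_username: Optional[str], x509_dn: Optional[str]) -> bool:
    """Every enabled ACL must pass against the identity its auth layer
    established; an enabled ACL with no established identity is a deny.
    (Assumed combination rule for TLS + SASL sessions.)"""
    for acl, identity in ((username_acl, sasl_username), (dn_acl, x509_dn)):
        if acl is None:
            continue
        if identity is None or not acl.check(identity):
            return False
    return True


# Constructed sample ACL files (not taken from the patch series).
USERNAME_ACL_TEXT = """\
# who may connect after SASL authentication
policy deny
deny  mallory@EXAMPLE.COM      # explicit block, listed before the wildcard
allow *@EXAMPLE.COM
"""

DN_ACL_TEXT = """\
# which client certificates are acceptable after the TLS handshake
policy deny
allow C=GB,O=ACME,CN=*
"""

if __name__ == "__main__":
    users = parse_acl(USERNAME_ACL_TEXT)
    dns = parse_acl(DN_ACL_TEXT)
    for user, dn in [("alice@EXAMPLE.COM", "C=GB,O=ACME,CN=alice"),
                     ("mallory@EXAMPLE.COM", "C=GB,O=ACME,CN=mallory"),
                     ("alice@EXAMPLE.COM", "C=GB,O=EVIL,CN=alice"),
                     ("alice@EXAMPLE.COM", None)]:
        print(f"{user!s:22} {dn!s:28} -> {authorize(users, dns, user, dn)}")
```

The explicit deny for one user is listed before the domain wildcard because matching stops at the first hit; putting it after the wildcard would silently never fire. Default deny means a typo in a pattern fails closed rather than open.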