Message-ID: <4AC603A9.1050208@codemonkey.ws>
Date: Fri, 02 Oct 2009 08:44:09 -0500
From: Anthony Liguori
Subject: Re: [Qemu-devel] [PATCH] let management expire vnc password
References: <1253609255-13016-1-git-send-email-danken@redhat.com> <4AC361E8.6060907@codemonkey.ws> <20090930140312.GB5408@redhat.com> <4AC36E81.901@codemonkey.ws> <20090930164553.GA8310@redhat.com> <4AC3C798.2090703@codemonkey.ws> <20091002095837.GB21416@redhat.com>
In-Reply-To: <20091002095837.GB21416@redhat.com>
List-Id: qemu-devel.nongnu.org
To: "Daniel P. Berrange"
Cc: qemu-devel@nongnu.org, Dan Kenigsberg

Daniel P. Berrange wrote:
> I think it is a pretty valid use case, though I don't like the proposed
> implementation. In essence it is implementing one-time-passwords instead
> of multi-use passwords and both of those are reasonable concepts. Having
> to implement one-time passwords using multi-use passwords + iptables is
> a really bad, overcomplicated hack, particularly considering how trivial
> this is to do in QEMU.
>
> In terms of impl though, rather than having a separate 'expire_password'
> command, I think it would be preferable to have alternative syntax for
> setting initial credentials
>
>    change vnc passwd (for multi-use passwords)
>    change vnc otp (for single-use passwords)
>
> Or, extend the existing 'change vnc passwd' command to allow optional
> flags as a 4th argument.
>
>    change vnc passwd otp
>

A one time password does make a bit more sense to me but I wonder if
that still satisfies the use case.

Regards,

Anthony Liguori