From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from [140.186.70.92] (port=57848 helo=eggs.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1PGCwm-0008KE-AW for qemu-devel@nongnu.org; Wed, 10 Nov 2010 10:50:54 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1PGCwk-0007yJ-HT for qemu-devel@nongnu.org; Wed, 10 Nov 2010 10:50:52 -0500 Received: from mail-gx0-f173.google.com ([209.85.161.173]:33129) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1PGCwk-0007xw-F7 for qemu-devel@nongnu.org; Wed, 10 Nov 2010 10:50:50 -0500 Received: by gxk1 with SMTP id 1so473774gxk.4 for ; Wed, 10 Nov 2010 07:50:49 -0800 (PST) Message-ID: <4CDABF56.8020804@codemonkey.ws> Date: Wed, 10 Nov 2010 09:50:46 -0600 From: Anthony Liguori MIME-Version: 1.0 Subject: Re: [Qemu-devel] [PATCH 2/3] vnc: support password expire References: <1286450121-17153-1-git-send-email-kraxel@redhat.com> <1286450121-17153-3-git-send-email-kraxel@redhat.com> <4CAE2521.2070500@codemonkey.ws> <20101008100841.GB9279@redhat.com> In-Reply-To: <20101008100841.GB9279@redhat.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit List-Id: qemu-devel.nongnu.org List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: "Daniel P. Berrange" Cc: Gerd Hoffmann , qemu-devel@nongnu.org On 10/08/2010 05:08 AM, Daniel P. Berrange wrote: > On Thu, Oct 07, 2010 at 02:53:05PM -0500, Anthony Liguori wrote: > >> On 10/07/2010 06:15 AM, Gerd Hoffmann wrote: >> >>> This patch adds support for expiring passwords to vnc. It adds a new >>> lifetime parameter to the vnc_display_password() function, which >>> specifies the number of seconds the new password will be valid. Passing >>> zero as lifetime maintains current behavior (password never expires). >>> >>> Signed-off-by: Gerd Hoffmann >>> >>> >> This has been posted before and I've never understood it. Why can't a >> management tool just expire passwords on it's own? >> > If the management tool crashes or is restarted for some reason > then it may miss the expiry task. > > >> How does password expiration help with security at all? >> > VNC passwords are obviously rather weak, so if you can limit > the time the password is valid to the window in which you > are expecting the incoming VNC connection this limits the > time to attack the VNC password. A mgmt tool could do > > - Set a VNC password > - Open the VNC connection > - Clear the VNC password > > If anything goes wrong in the mgmt tool at step 2 though, > then it may never to step 3, leaving the VNC server accessible. > I think the point is that you can expire the password by just changing it through the monitor. Having an expiration policy builtin to QEMU (as opposed to libvirt) seems like the wrong place. > If it had set a password expiry at step 1, it would have a > safety net that guarentees the password will be invalid after > 'n' seconds, even if not explicitly cleared. Given how little > code this is in QEMU, I think it is a worthwhile feature.\ > It's a policy not a mechanism and I don't see a good reason to have the code in QEMU because it honestly is a policy for a specific product. I don't think it's a strong enough policy that it's going to be seen as widely useful. Regards, Anthony Liguori > Regards, > Daniel >