qemu-devel.nongnu.org archive mirror
From: Gerd Hoffmann <kraxel@redhat.com>
To: Anthony Liguori <anthony@codemonkey.ws>
Cc: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH 2/3] vnc: support password expire
Date: Thu, 11 Nov 2010 12:39:15 +0100
Message-ID: <4CDBD5E3.8080008@redhat.com>
In-Reply-To: <4CDABF56.8020804@codemonkey.ws>

   Hi,

>> If anything goes wrong in the mgmt tool at step 2 though,
>> then it may never get to step 3, leaving the VNC server accessible.
>
> I think the point is that you can expire the password by just changing
> it through the monitor.

Well, you can't really expire it, you can only set it to $randomvalue. 
Unsetting the vnc password also disables authentication (in unstable), 
which is *not* what you want here ...

> Having an expiration policy builtin to QEMU (as
> opposed to libvirt) seems like the wrong place.

IMHO it doesn't build policy into qemu.  It is still up to libvirt (or 
the management app building on top of libvirt) to decide if and when the 
password will expire.  qemu will just do what libvirt asks for.

Instead of passing an expire time as implemented by the patches:

   set-password $protocol $secret $time

we could add an expire-password command, then ask management to do

    set-password $protocol $secret
    [ let $time pass ]
    expire-password $protocol

I fail to see why this is better though.  The former is more robust and 
easier to implement in the management.  The amount of code needed in 
qemu is probably quite similar ...

cheers,
   Gerd
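
The robustness argument in the message above, as an added example that is not taken from the patches or from QEMU: a minimal C model comparing the one-shot form (secret plus expire time) with the two-step form when the management tool dies before sending its follow-up command. All names (`display_auth`, `NO_EXPIRY`, `login_after_ttl`) are hypothetical, and a plain string compare stands in for the real VNC authentication.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NO_EXPIRY (-1L)  /* hypothetical sentinel: password never expires */

struct display_auth {    /* hypothetical model, not a QEMU structure */
    char secret[64];
    long expires;        /* absolute time in seconds, or NO_EXPIRY */
};

/* One-shot form: secret and expiry arrive in the same command. */
static void set_password(struct display_auth *a, const char *secret, long expires)
{
    snprintf(a->secret, sizeof(a->secret), "%s", secret);
    a->expires = expires;
}

/* Two-step form, second command: management must remember to send it. */
static void expire_password(struct display_auth *a, long now)
{
    a->expires = now;
}

/* Connect-time check; strcmp stands in for the real challenge-response. */
static bool auth_ok(const struct display_auth *a, const char *attempt, long now)
{
    if (a->expires != NO_EXPIRY && now >= a->expires)
        return false;    /* expired: reject even the correct secret */
    return strcmp(a->secret, attempt) == 0;
}

/* Does a login one second after the intended lifetime still succeed? */
static bool login_after_ttl(bool one_shot, bool mgmt_alive)
{
    struct display_auth a;
    long t0 = 1000, ttl = 30;            /* constructed sample times */

    set_password(&a, "s3cret", one_shot ? t0 + ttl : NO_EXPIRY);
    if (!one_shot && mgmt_alive)
        expire_password(&a, t0 + ttl);   /* skipped if management died */
    return auth_ok(&a, "s3cret", t0 + ttl + 1);
}

int main(void)
{
    printf("one-shot, mgmt dies: %d\n", login_after_ttl(true, false));
    printf("two-step, mgmt dies: %d\n", login_after_ttl(false, false));
    return 0;
}
```

In this model the one-shot form fails closed because the expiry is stored with the secret, while the two-step form leaves the password valid whenever the second command never arrives.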
