From: Anthony Liguori
Date: Mon, 14 Feb 2011 08:16:58 -0600
Subject: [Qemu-devel] Re: [PATCH] vnc: Fix password expiration through 'change vnc ""'
To: Gerd Hoffmann
Cc: Neil Wilson, qemu-devel@nongnu.org
Message-ID: <4D59395A.6030206@linux.vnet.ibm.com>
In-Reply-To: <4D59349C.5050005@redhat.com>

On 02/14/2011 07:56 AM, Gerd Hoffmann wrote:
> On 02/14/11 13:10, Anthony Liguori wrote:
>> On 02/14/2011 04:57 AM, Gerd Hoffmann wrote:
>>> On 01/31/11 21:43, Anthony Liguori wrote:
>>>> commit 52c18be9e99dabe295321153fda7fce9f76647ac introduced a
>>>> regression in the change vnc password command that changed the
>>>> behavior of setting the VNC password to an empty string from
>>>> disabling login to disabling authentication.
>>>>
>>>> This commit refactors the code to eliminate this overloaded
>>>> semantics in vnc_display_password and instead introduces the
>>>> vnc_display_disable_login. The monitor implementation then
>>>> determines the behavior of an empty or missing string.
>>>
>>> Hmm, how about simply never ever changing vs->auth?
>>
>> If auth is none and you do a vnc change password "" then if we don't set
>> vs->auth to vnc, it won't have the desired effect.
>
> If you want a password-protected vnc session you should better
> explicitly say so using '-vnc :0,password', otherwise you'll have a
> window (between qemu start and setting the password) where vnc clients
> can connect without a password.
>
> Going from "none" to "vnc" automagically when setting a password
> encourages this insecure way to enable password protection. IMHO we
> should stop doing this. There are backward compatibility issues
> though as qemu did this for quite some time ...

Yeah, change vnc is deprecated, set-password has sane semantics.

> Going from "vnc" to "none" automagically when setting an empty password
> is a no-go from a security point of view, especially as older qemu
> versions did *not* do that.

Yup, this was the reason for the CVE.

> I don't think we'll need a monitor command to switch authentication
> methods on the fly. YMMV.

Actually, I do, but that's far off on my radar screen.

One thing we're noticing is that QEMU is not terribly forgiving in a
hosting environment. If you make a mistake configuring something (like
use the wrong auth type), your only recourse is restarting the guest
with the new options. Restarting a guest of a paying customer ==
unhappy customer. The more we can change without restarting a guest the
better IMHO.

Regards,

Anthony Liguori

> cheers,
> Gerd
>
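The two behaviours the thread argues about (an empty password silently turning authentication off versus locking the display while keeping the auth method) are easy to see side by side in a small model. The following is an added illustration written for this archive page, not code from the thread and not QEMU's vnc.c: the struct, the `login_disabled` flag, the `set_password_regressed` helper and the `client_accepted` check are constructed for the example, and the compatibility "none -> vnc" upgrade on setting a password is modelled only because the thread says QEMU did it.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical simplification of a VNC display's auth state: only the
 * two methods discussed in the thread are represented. */
enum vnc_auth { VNC_AUTH_NONE, VNC_AUTH_VNC };

struct vnc_display {
    enum vnc_auth auth;
    char password[64];     /* empty string == no password configured */
    bool login_disabled;   /* what 'change vnc ""' meant before the regression */
};

/* Behaviour the commit message attributes to the regressed version:
 * an empty password downgrades the auth method to "none". */
static void set_password_regressed(struct vnc_display *vd, const char *pw)
{
    if (pw == NULL || *pw == '\0') {
        vd->auth = VNC_AUTH_NONE;      /* the bug: auth disabled, not login */
        vd->password[0] = '\0';
        return;
    }
    snprintf(vd->password, sizeof vd->password, "%s", pw);
    vd->auth = VNC_AUTH_VNC;           /* "automagic" none -> vnc upgrade */
}

/* Fixed split: setting a password never removes authentication. */
static void vnc_display_password(struct vnc_display *vd, const char *pw)
{
    snprintf(vd->password, sizeof vd->password, "%s", pw ? pw : "");
    vd->login_disabled = false;
    if (vd->auth == VNC_AUTH_NONE) {
        vd->auth = VNC_AUTH_VNC;       /* compat upgrade the thread discusses */
    }
}

/* Disabling login is an explicit, separate operation; auth is untouched,
 * so a display never goes vnc -> none as a side effect. */
static void vnc_display_disable_login(struct vnc_display *vd)
{
    vd->password[0] = '\0';
    vd->login_disabled = true;
}

/* Monitor-side policy for 'change vnc <password>': an empty or missing
 * string means "lock out", not "turn authentication off". */
static void monitor_change_vnc_password(struct vnc_display *vd, const char *pw)
{
    if (pw == NULL || *pw == '\0') {
        vnc_display_disable_login(vd);
    } else {
        vnc_display_password(vd, pw);
    }
}

/* Would a client offering `offered` (NULL = no credentials) be let in? */
static bool client_accepted(const struct vnc_display *vd, const char *offered)
{
    if (vd->login_disabled) {
        return false;
    }
    switch (vd->auth) {
    case VNC_AUTH_NONE:
        return true;
    case VNC_AUTH_VNC:
        return offered != NULL && vd->password[0] != '\0'
               && strcmp(offered, vd->password) == 0;
    }
    return false;
}

/* Scenario: guest started with '-vnc :0,password', a password is set,
 * then the operator runs 'change vnc ""' intending to lock the display. */
static bool regressed_leaves_display_open(void)
{
    struct vnc_display vd = { VNC_AUTH_VNC, "", false };
    set_password_regressed(&vd, "s3cret");
    set_password_regressed(&vd, "");
    return client_accepted(&vd, NULL);   /* true: anyone connects */
}

static bool fixed_locks_display(void)
{
    struct vnc_display vd = { VNC_AUTH_VNC, "", false };
    monitor_change_vnc_password(&vd, "s3cret");
    monitor_change_vnc_password(&vd, "");
    return !client_accepted(&vd, NULL) && !client_accepted(&vd, "s3cret")
           && vd.auth == VNC_AUTH_VNC;   /* locked, method retained */
}

static bool fixed_accepts_correct_password(void)
{
    struct vnc_display vd = { VNC_AUTH_VNC, "", false };
    monitor_change_vnc_password(&vd, "s3cret");
    return client_accepted(&vd, "s3cret") && !client_accepted(&vd, "wrong");
}

int main(void)
{
    printf("regressed: unauthenticated client accepted after 'change vnc \"\"': %s\n",
           regressed_leaves_display_open() ? "yes" : "no");
    printf("fixed: display locked and auth method retained: %s\n",
           fixed_locks_display() ? "yes" : "no");
    return 0;
}
```

The point the model makes is the one Gerd raises: the only state transition a password change may ever perform on its own is towards stronger protection, and the lock-out case lives in its own entry point so the monitor's interpretation of an empty string cannot leak into the display's auth method.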