From: Anthony Liguori <anthony@codemonkey.ws>
To: George Wilson <gcwilson@us.ibm.com>
Cc: Paul Moore <pmoore@redhat.com>, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] vnc: disable VNC password authentication (security type 2) when in FIPS mode
Date: Tue, 01 May 2012 18:45:47 -0500 [thread overview]
Message-ID: <4FA075AB.5000002@codemonkey.ws> (raw)
In-Reply-To: <OF147BC4EA.478FD40F-ON862579F1.0081078A-862579F1.00824EAB@us.ibm.com>
On 05/01/2012 06:43 PM, George Wilson wrote:
>
> Anthony Liguori<anthony@codemonkey.ws> wrote on 05/01/2012 06:26:05 PM:
>
>> Anthony Liguori<anthony@codemonkey.ws>
>> 05/01/2012 06:26 PM
>>
>> To
>>
>> Paul Moore<pmoore@redhat.com>
>>
>> cc
>>
>> qemu-devel@nongnu.org, George Wilson/Austin/IBM@IBMUS
>>
>> Subject
>>
>> Re: [Qemu-devel] [PATCH] vnc: disable VNC password authentication
>> (security type 2) when in FIPS mode
>>
>> On 05/01/2012 04:20 PM, Paul Moore wrote:
>>> FIPS 140-2 requires disabling certain ciphers, including DES, which is
> used
>>> by VNC to obscure passwords when they are sent over the network. The
>>> solution for FIPS users is to disable the use of VNC password auth when
> the
>>> host system is operating in FIPS mode.
>>
>> Sorry, what?
>>
>> Does FIPS really require software to detect when FIPS is enabled
> andactively
>> disable features??? That's absurd.
>>
>> Can you point to another software package that does something like this?
>
> Yes, it's true that only FIPS-approved algorithms are permitted for use in
> FIPS
> mode. The kernel and all other FIPS 140-2 validated crypto modules like
> OpenSSL
> and NSS are required to restrict algorithms to the approved set. The
> kernel
> sets /proc/sys/crypto/fips_enabled so that programs can detect FIPS mode
> and
> behave in accordance with the standard.
But this is nonsensical. It would allow no-password to be configured for the VNC
server but not DES? Why is that okay? It's not like we enable DES passwords by
default. A user has to explicitly configure it.
Is there an open source app that actually keys off of fips_enabled?
Regards,
Anthony Liguori
>
>>
>> Regards,
>>
>> Anthony Liguori
>>
>>>
>>> This patch causes qemu to emits a syslog entry indicating that VNC
> password
>>> auth is disabled when it detects the host is running in FIPS mode, and
>>> unless a VNC password was specified on the command line it continues
>>> normally. However, if a VNC password was given on the command line,
> qemu
>>> fails with an error message to stderr explaining that that VNC password
>>> auth is not allowed in FIPS mode.
>>>
>>> Signed-off-by: Paul Moore<pmoore@redhat.com>
>>> ---
>>> qemu-doc.texi | 8 +++++---
>>> ui/vnc.c | 32 ++++++++++++++++++++++++++++++++
>>> ui/vnc.h | 1 +
>>> 3 files changed, 38 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/qemu-doc.texi b/qemu-doc.texi
>>> index e5d7ac4..f9b113e 100644
>>> --- a/qemu-doc.texi
>>> +++ b/qemu-doc.texi
>>> @@ -1124,9 +1124,11 @@ the protocol limits passwords to 8
>> characters it should not be considered
>>> to provide high security. The password can be fairly easily
>> brute-forced by
>>> a client making repeat connections. For this reason, a VNC
>> server using password
>>> authentication should be restricted to only listen on the
>> loopback interface
>>> -or UNIX domain sockets. Password authentication is requested with
>> the @code{password}
>>> -option, and then once QEMU is running the password is set with
>> the monitor. Until
>>> -the monitor is used to set the password all clients will be rejected.
>>> +or UNIX domain sockets. Password authentication is not supported
>> when operating
>>> +in FIPS 140-2 compliance mode as it requires the use of the DES
>> cipher. Password
>>> +authentication is requested with the @code{password} option, and
>> then once QEMU
>>> +is running the password is set with the monitor. Until the
>> monitor is used to
>>> +set the password all clients will be rejected.
>>>
>>> @example
>>> qemu [...OPTIONS...] -vnc :1,password -monitor stdio
>>> diff --git a/ui/vnc.c b/ui/vnc.c
>>> index deb9ecd..620791e 100644
>>> --- a/ui/vnc.c
>>> +++ b/ui/vnc.c
>>> @@ -32,6 +32,7 @@
>>> #include "acl.h"
>>> #include "qemu-objects.h"
>>> #include "qmp-commands.h"
>>> +#include<syslog.h>
>>>
>>> #define VNC_REFRESH_INTERVAL_BASE 30
>>> #define VNC_REFRESH_INTERVAL_INC 50
>>> @@ -48,6 +49,24 @@ static DisplayChangeListener *dcl;
>>> static int vnc_cursor_define(VncState *vs);
>>> static void vnc_release_modifiers(VncState *vs);
>>>
>>> +static int fips_enabled(void)
>>> +{
>>> + int enabled = 0;
>>> + char value;
>>> + FILE *fds;
>>> +
>>> + fds = fopen("/proc/sys/crypto/fips_enabled", "r");
>>> + if (fds == NULL) {
>>> + return 0;
>>> + }
>>> + if (fread(&value, sizeof(value), 1, fds) == 1&& value == '1') {
>>> + enabled = 1;
>>> + }
>>> + fclose(fds);
>>> +
>>> + return enabled;
>>> +}
>>> +
>>> static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
>>> {
>>> #ifdef _VNC_DEBUG
>>> @@ -2748,6 +2767,12 @@ void vnc_display_init(DisplayState *ds)
>>> dcl->idle = 1;
>>> vnc_display = vs;
>>>
>>> + vs->fips = fips_enabled();
>>> + VNC_DEBUG("FIPS mode %s\n", (vs->fips ? "enabled" : "disabled"));
>>> + if (vs->fips) {
>>> + syslog(LOG_NOTICE, "Disabling VNC password auth due to
>> FIPS mode\n");
>>> + }
>>> +
>>> vs->lsock = -1;
>>>
>>> vs->ds = ds;
>>> @@ -2892,6 +2917,13 @@ int vnc_display_open(DisplayState *ds,
>> const char *display)
>>> while ((options = strchr(options, ','))) {
>>> options++;
>>> if (strncmp(options, "password", 8) == 0) {
>>> + if (vs->fips) {
>>> + fprintf(stderr,
>>> + "VNC password auth disabled due to FIPS mode
> \n");
>>> + g_free(vs->display);
>>> + vs->display = NULL;
>>> + return -1;
>>> + }
>>> password = 1; /* Require password auth */
>>> } else if (strncmp(options, "reverse", 7) == 0) {
>>> reverse = 1;
>>> diff --git a/ui/vnc.h b/ui/vnc.h
>>> index a851ebd..8746a98 100644
>>> --- a/ui/vnc.h
>>> +++ b/ui/vnc.h
>>> @@ -160,6 +160,7 @@ struct VncDisplay
>>> char *display;
>>> char *password;
>>> time_t expires;
>>> + int fips;
>>> int auth;
>>> bool lossy;
>>> bool non_adaptive;
>>>
>>>
>>>
>>
>
> Regards,
> George Wilson
next prev parent reply other threads:[~2012-05-01 23:45 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-05-01 21:20 [Qemu-devel] [PATCH] vnc: disable VNC password authentication (security type 2) when in FIPS mode Paul Moore
2012-05-01 22:54 ` Andreas Färber
2012-05-02 10:28 ` Christoph Hellwig
2012-05-02 11:05 ` Daniel P. Berrange
2012-05-02 15:45 ` Paul Moore
2012-05-01 23:26 ` Anthony Liguori
2012-05-01 23:43 ` George Wilson
2012-05-01 23:45 ` Anthony Liguori [this message]
2012-05-02 0:17 ` George Wilson
2012-05-02 9:29 ` Daniel P. Berrange
2012-05-02 9:16 ` Daniel P. Berrange
2012-05-02 9:18 ` Daniel P. Berrange
2012-05-02 15:50 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4FA075AB.5000002@codemonkey.ws \
--to=anthony@codemonkey.ws \
--cc=gcwilson@us.ibm.com \
--cc=pmoore@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).