From: Gerd Hoffmann
Date: Tue, 05 Jun 2012 09:23:21 +0200
Message-ID: <4FCDB3E9.4070805@redhat.com>
In-Reply-To: <4FCD5F78.9090102@codemonkey.ws>
Subject: Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode
To: Anthony Liguori
Cc: Paul Moore, Roman Drahtmueller, Alexander Graf, qemu-devel Developers

  Hi,

>> Which gets me to a new idea. Why not exit(1) when we detect FIPS and a
>> password is set? I agree with the assessment that we should never
>> silently drop features. So the best way to make sure that the user
>> knows he did something stupid (enable FIPS, but require a non-FIPS
>> compliant authentication method) would be to just quit, no?
>
> I think my primary requirement is: allow a user to use vnc
> authentication even when fips mode is active by using some command line
> option.

That doesn't make sense to me at all. If fips is enabled by accident,
just disable it. If fips is enabled intentionally I don't think qemu
should ignore it and allow the use of weak vnc auth. Fips users should
set up sasl instead I guess ...

cheers,
  Gerd
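The startup check the thread is arguing over (detect the kernel's FIPS mode, refuse VNC password authentication, security type 2, instead of silently dropping it, and point the user at SASL), written out as an added illustration; it is neither the patch under discussion nor QEMU's own code. The /proc/sys/crypto/fips_enabled path is the real Linux sysctl; the function names and error text are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
/* VNC security types (RFC 6143): 1 = None, 2 = VNC password auth (DES-based). */
enum { VNC_AUTH_NONE = 1, VNC_AUTH_VNC = 2 };
/* The Linux kernel exposes its FIPS flag here; a missing file means "not FIPS". */
#define FIPS_SYSCTL_PATH "/proc/sys/crypto/fips_enabled"

/* Parse the sysctl contents ("0\n" or "1\n"); anything but a leading '1' is off. */
bool fips_enabled_from_text(const char *contents)
{
    return contents != NULL && contents[0] == '1';
}

/* Read the kernel flag; unreadable (non-Linux, old kernel) counts as off. */
bool fips_enabled(void)
{
    char buf[8] = {0};
    FILE *f = fopen(FIPS_SYSCTL_PATH, "r");
    if (f == NULL) {
        return false;
    }
    bool on = fgets(buf, sizeof buf, f) != NULL && fips_enabled_from_text(buf);
    fclose(f);
    return on;
}

/* Hypothetical policy check: fail loudly rather than silently dropping the
 * configured auth. Returns 0 if the combination is acceptable, -1 if the
 * process should refuse to start; 'err' receives the reason (or ""). */
int vnc_check_auth_policy(bool fips, int auth_type, char *err, size_t errlen)
{
    if (fips && auth_type == VNC_AUTH_VNC) {
        snprintf(err, errlen, "VNC password authentication (security type 2) "
                 "is not FIPS compliant; use SASL or disable FIPS mode");
        return -1;
    }
    if (errlen > 0) err[0] = '\0';
    return 0;
}

int main(void)
{
    char err[128];
    /* Constructed configuration: the administrator asked for a VNC password. */
    if (vnc_check_auth_policy(fips_enabled(), VNC_AUTH_VNC, err, sizeof err) < 0) {
        fprintf(stderr, "qemu: %s\n", err);
        return 1; /* the exit(1) proposed in the thread */
    }
    puts("VNC auth configuration accepted");
    return 0;
}
```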