From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([208.118.235.92]:36545) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Sc2qK-0004Oc-SU for qemu-devel@nongnu.org; Tue, 05 Jun 2012 19:07:18 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Sc2qG-0000lX-Bp for qemu-devel@nongnu.org; Tue, 05 Jun 2012 19:07:16 -0400 Received: from mail-pz0-f45.google.com ([209.85.210.45]:49644) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Sc2qG-0000lI-5O for qemu-devel@nongnu.org; Tue, 05 Jun 2012 19:07:12 -0400 Received: by dadv2 with SMTP id v2so8585058dad.4 for ; Tue, 05 Jun 2012 16:07:10 -0700 (PDT) Message-ID: <4FCE9117.7080908@codemonkey.ws> Date: Wed, 06 Jun 2012 07:07:03 +0800 From: Anthony Liguori MIME-Version: 1.0 References: <20120502193256.6508.86360.stgit@sifl> <19991522.vNS8Qaqbpf@sifl> <58221974.kN8gObynPi@sifl> In-Reply-To: <58221974.kN8gObynPi@sifl> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Paul Moore Cc: Roman Drahtmueller , Alexander Graf , qemu-devel Developers On 06/06/2012 06:06 AM, Paul Moore wrote: > On Tuesday, June 05, 2012 11:51:40 PM Alexander Graf wrote: >> On 05.06.2012, at 23:45, Paul Moore wrote: >>> On Tuesday, June 05, 2012 03:08:26 AM Alexander Graf wrote: >>>> Which gets me to a new idea. Why not exit(1) when we detect FIPS and a >>>> password is set? I agree with the assessment that we should never >>>> silently drop features. So the best way to make sure that the user knows >>>> he did something stupid (enable FIPS, but require a non-FIPS compliant >>>> authentication method) would be to just quit, no? >>> >>> That is basically what the patch does now. In vnc_display_open() if it >>> detects that the user has supplied a VNC password it prints an error to >>> stderr and returns an error which causes QEMU to exit. >>> >>> The error message displayed is shown below: >>> >>> "VNC password auth disabled due to FIPS mode, consider using the VeNCrypt >>> or SASL authentication methods as an alernative" >>> >>> ... which seems pretty obvious to me. If anyone would prefer something >>> different, let me know. >> >> No, as long as the spelling is actually correct and not the one above, >> that's perfectly fine. > > What, not a fan of my "alernative" spelling? Fixed in the next version of the > patch :) > >> I just have a habit of not reading the patches I comment on :). > > If nothing else, it makes the discussions much more interesting :) > >>> On Tuesday, June 05, 2012 09:23:04 AM Anthony Liguori wrote: >>>> I think my primary requirement is: allow a user to use vnc authentication >>>> even when fips mode is active by using some command line option. >>> >>> I'll agree that FIPS mode can be a bit silly in the case of QEMU and VNC >>> but to be honest, that requirement above seems just as silly to me, if >>> not more so. However, if making this behavior optional is what it takes >>> to get the patch accepted, so be it. >>> >>> I'll start working on v4 of the patch tomorrow. >> >> Let's just wait for Anthony to reply ... > > Fine with me, I've got plenty else to do in the meantime and I don't think > this is 1.1 material anyway. What's the actual requirement from FIPS for applications? Regards, Anthony Liguori