Message-ID: <52A89622.8010504@redhat.com>
Date: Wed, 11 Dec 2013 17:43:14 +0100
From: Paolo Bonzini
To: Gerd Hoffmann
Cc: qemu-devel@nongnu.org, Anthony Liguori
Subject: Re: [Qemu-devel] [PATCH] vnc: refuse to set a password with VNC_AUTH_NONE

On 11/12/2013 17:29, Gerd Hoffmann wrote:
> On Wed, 2013-12-11 at 17:06 +0100, Paolo Bonzini wrote:
>> On 11/12/2013 16:54, Gerd Hoffmann wrote:
>>> Current code silently changes the authentication settings
>>> in case you try to set a password without password authentication
>>> turned on. This is bad. Return an error instead.
>>>
>>> If we want to allow changing auth settings at runtime this should
>>> be done explicitly using a separate monitor command, not as
>>> a side effect of set_passwd.
>>>
>>> Signed-off-by: Gerd Hoffmann
>>
>> Isn't this backwards-incompatible?
>
> Yes. I think it is the correct thing nevertheless.

Fine by me, let's just make sure we document it well. Can you start the
2.0 changelog wiki page?

> Users who want password-protected guests should configure vnc
> correctly to avoid an unprotected window between qemu start and setting
> the password.
>
> Also note that enabling passwd auth via "set_passwd" side-effect
> bypasses fips restrictions.

That'd be a clear bug, even one that could be fixed in stable versions.

Paolo

> So this is a clear security improvement IMHO.
>
> cheers,
>   Gerd
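
A minimal C model of the behaviour discussed in this thread, added here as an illustration and not taken from QEMU or from the patch. The struct and the three function names are hypothetical, and placing the FIPS check only at configuration time is an assumption drawn from the remark that the set_passwd side effect bypasses FIPS restrictions.

```c
#include <errno.h>
#include <stdbool.h>
#include <string.h>

/* Simplified model; struct and function names are hypothetical, not QEMU's. */
enum { VNC_AUTH_NONE = 1, VNC_AUTH_VNC = 2 };   /* RFB security type numbers */

struct vnc_model {
    int auth;           /* auth scheme chosen when the display is configured */
    bool fips;          /* host is in FIPS mode: password auth is not allowed */
    char password[9];
};

/* Configuration-time path: assumed to be the only place FIPS is checked. */
int model_configure(struct vnc_model *vd, bool want_password, bool fips)
{
    if (want_password && fips)
        return -EPERM;
    memset(vd, 0, sizeof(*vd));
    vd->fips = fips;
    vd->auth = want_password ? VNC_AUTH_VNC : VNC_AUTH_NONE;
    return 0;
}

/* Behaviour the thread calls current: setting a password silently switches
 * the display to password auth, so the check above never runs. */
int set_password_legacy(struct vnc_model *vd, const char *pw)
{
    strncpy(vd->password, pw, sizeof(vd->password) - 1);
    vd->password[sizeof(vd->password) - 1] = '\0';
    if (vd->auth == VNC_AUTH_NONE)
        vd->auth = VNC_AUTH_VNC;     /* side effect: auth settings changed */
    return 0;
}

/* Behaviour the patch subject asks for: refuse and leave settings untouched. */
int set_password_strict(struct vnc_model *vd, const char *pw)
{
    if (vd->auth == VNC_AUTH_NONE)
        return -EINVAL;
    strncpy(vd->password, pw, sizeof(vd->password) - 1);
    vd->password[sizeof(vd->password) - 1] = '\0';
    return 0;
}
```
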