From: Simon Waterman <watermansrdev@gmail.com>
To: Ian Jackson <ian.jackson@eu.citrix.com>,
George Dunlap <george.dunlap@citrix.com>
Cc: "xen-devel@lists.xen.org" <xen-devel@lists.xen.org>
Subject: Re: [PATCH RFC 0/6] qemu-xen-trad: sasl: add SASL support to VNC
Date: Wed, 17 May 2017 19:49:41 +0100 [thread overview]
Message-ID: <117911b6-e7e4-1f35-533b-a544a1aa76e7@gmail.com> (raw)
In-Reply-To: <22810.65156.943441.345996@mariner.uk.xensource.com>
On 16/05/17 14:28, Ian Jackson wrote:
> George Dunlap writes ("Re: [PATCH RFC 0/6] qemu-xen-trad: sasl: add SASL support to VNC"):
>> On 16/05/17 14:16, Ian Jackson wrote:
>>> Simon: What is stopping you moving to a modern version of qemu ?
>> I think from his previous query, it was the fact that there is no
>> suitable stubdom for qemu-upstream.
> Hrm. I think fixing this is probably a better approach. Although it
> seems likely to be more involved, it would have better overall
> viability. Another stopgap would be to use a proxy somewhere to do
> the SASL etc.
>
> Ian.
It's not the QEMU in the stubdom that would need to be newer
but rather the one that's spawned in domain-0 to provide the
VNC backend when you use an IOEMU stubdom. As I understand
it this also needs to be qemu-xen-traditional but maybe
I've got that wrong?
I agree entirely that enabling upstream QEMU to be used
here would be a better approach and that might be easier
than getting it running inside the stubdom itself.
Maybe I could look into that if it's not already supported.
The port itself is pretty simple. The biggest change is
probably the refactor of definitions into the header. I
think it should be relatively easy to verify it's
correctness but I get the point about maintenance of
older versions of qemu-xen-traditional needing different
patches if there was a vulnerability in QEMU VNC.
I think it would be nice to have a better set of options
for authenticating VNC than a fixed shared password and
with SASL you can do GSSAPI, LDAP and a host of others.
To be honest I'm not sure how much it would be used generally.
You can get most of the same benefits using an SSH tunnel
but then again you've got to get that config correct to
keep your domain-0 secure and the client setup is a bit
more fiddly.
In it's favour, there are quite a few VNC clients with
SASL support built-in including virt-viewer and anything
based upon gtk-vnc. I submitted a patch to libvncserver
so that it's available in Guacamole too.
Has any thought been put into running the VNC server in
the stubdom itself? That might be nice as VNC access
would be possible without access to the domain-0 at all.
It might help with the 'rebootable' domain-0 work too as
VNC connections wouldn't drop when the domain-0 is restarted.
Thanks for considering the patch, whether it goes in
or not.
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
next prev parent reply other threads:[~2017-05-17 18:49 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-15 23:03 [PATCH RFC 0/6] qemu-xen-trad: sasl: add SASL support to VNC Simon Waterman
2017-05-15 23:03 ` [PATCH RFC 1/6] qemu-xen-trad: sasl: expose vnc API to SASL auth Simon Waterman
2017-05-15 23:03 ` [PATCH RFC 2/6] qemu-xen-trad: sasl: define SASL auth API Simon Waterman
2017-05-15 23:03 ` [PATCH RFC 3/6] qemu-xen-trad: sasl: implement SASL auth Simon Waterman
2017-05-15 23:03 ` [PATCH RFC 4/6] qemu-xen-trad: sasl: compatibility with vnc.h Simon Waterman
2017-05-15 23:03 ` [PATCH RFC 5/6] qemu-xen-trad: sasl: introduce SASL authentication and encryption layer Simon Waterman
2017-05-15 23:03 ` [PATCH RFC 6/6] qemu-xen-trad: sasl: add SASL option at build time Simon Waterman
2017-05-16 13:11 ` [PATCH RFC 0/6] qemu-xen-trad: sasl: add SASL support to VNC George Dunlap
2017-05-16 13:16 ` Ian Jackson
2017-05-16 13:19 ` George Dunlap
2017-05-16 13:28 ` Ian Jackson
2017-05-17 18:49 ` Simon Waterman [this message]
2017-05-18 14:43 ` Ian Jackson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=117911b6-e7e4-1f35-533b-a544a1aa76e7@gmail.com \
--to=watermansrdev@gmail.com \
--cc=george.dunlap@citrix.com \
--cc=ian.jackson@eu.citrix.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).