* [Qemu-devel] [Bug 1809252] [NEW] Password authentication in FIPS-compliant mode
From: Tomasz Barański @ 2018-12-20 12:59 UTC (permalink / raw)
  To: qemu-devel

Public bug reported:

The documentation states that:

"The VNC protocol has limited support for password based authentication.
(...) Password authentication is not supported when operating in FIPS
140-2 compliance mode as it requires the use of the DES cipher."

Would it be possible for qemu to use a different cipher and re-enable
password as an option in VNC console? Is there a technical reason for
not using a stronger cipher?

** Affects: qemu
     Importance: Undecided
         Status: New


** Tags: fips vnc

-- 
You received this bug notification because you are a member of
qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1809252

Title:
  Password authentication in FIPS-compliant mode

Status in QEMU:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1809252/+subscriptions


* Re: [Qemu-devel] [Bug 1809252] [NEW] Password authentication in FIPS-compliant mode
From: Eric Blake @ 2018-12-20 14:41 UTC (permalink / raw)
  To: Bug 1809252, qemu-devel

On 12/20/18 6:59 AM, Tomasz Barański wrote:
> Public bug reported:
> 
> The documentation states, that:
> 
> "The VNC protocol has limited support for password based authentication.
> (...) Password authentication is not supported when operating in FIPS
> 140-2 compliance mode as it requires the use of the DES cipher."
> 
> Would it be possible for qemu to use a different cipher and re-enable
> password as an option in VNC console? Is there a technical reason for
> not using a stronger cipher?

The technical reason is that there are no other VNC endpoints out there 
that support a different cipher. The VNC protocol itself declares what 
all compliant servers/clients must use - and that spec is what makes the 
non-FIPS-compliant requirement.  You wouldn't have to patch just qemu, 
but every other VNC endpoint out there that you want to interoperate 
with a patched qemu.  But it's really not worth doing that when there 
are already better solutions available.  That is, rather than trying to 
fix VNC, just use an alternative protocol that doesn't have a baked-in 
authentication limitation in the first place - namely, Spice.

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org


* [Qemu-devel] [Bug 1809252] Re: Password authentication in FIPS-compliant mode
From: Daniel Berrange @ 2018-12-20 14:47 UTC (permalink / raw)
  To: qemu-devel

The VNC password authentication scheme is not extensible. It is
unfixably broken by design.

QEMU provides the SASL authentication scheme for VNC which allows for
strong authentication, when combined with the VeNCrypt authentication
scheme that uses TLS.

These extensions are supported by the gtk-vnc client used by
remote-viewer, virt-viewer, virt-manager, GNOME Boxes and more.  Other VNC
clients are also known to implement VeNCrypt, though SASL support is
less widespread.

From a QEMU POV, there's nothing more we need to do really - any
remaining gaps are client side.

** Changed in: qemu
       Status: New => Invalid

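The two replies above turn on which authentication scheme a VNC server offers in its opening handshake. As an added example (not part of the thread and not QEMU's code), the parser below reads a server's ProtocolVersion and security-type offer and reports whether the DES-based password scheme or VeNCrypt/SASL is on offer. The security-type numbers 1, 2, 19 and 20 are RFB registry values not quoted in the thread, and the sample byte streams are constructed.

```python
import re
import struct

# RFB security-type numbers for the schemes named in this thread.
NAMES = {1: "None", 2: "VNC Authentication", 19: "VeNCrypt", 20: "SASL"}

def parse_server_hello(stream: bytes) -> dict:
    """Parse the server's ProtocolVersion and security-type offer."""
    m = re.fullmatch(rb"RFB (\d{3})\.(\d{3})\n", stream[:12])
    if not m:
        raise ValueError("not an RFB ProtocolVersion message")
    version = (int(m.group(1)), int(m.group(2)))
    body = stream[12:]
    if version < (3, 7):
        # RFB 3.3: the server picks a single type, sent as a 32-bit integer.
        if len(body) < 4:
            raise ValueError("truncated security type")
        (chosen,) = struct.unpack(">I", body[:4])
        types, rest = ([chosen] if chosen else []), body[4:]
    else:
        # RFB 3.7+: a count byte followed by one byte per offered type.
        if not body or len(body) < 1 + body[0]:
            raise ValueError("truncated security-type list")
        types, rest = list(body[1:1 + body[0]]), body[1 + body[0]:]
    reason = None
    if not types and len(rest) >= 4:
        # Zero types means the server refused; a length-prefixed reason follows.
        (n,) = struct.unpack(">I", rest[:4])
        reason = rest[4:4 + n].decode("latin-1")
    return {"version": version, "types": types, "refused": reason}

def audit(stream: bytes) -> dict:
    """Summarise which of the thread's auth schemes a server offers."""
    hello = parse_server_hello(stream)
    return {
        "offered": [NAMES.get(t, f"type {t}") for t in hello["types"]],
        "des_password_auth": 2 in hello["types"],  # needs DES, so off in FIPS mode
        "no_auth": 1 in hello["types"],
        "vencrypt": 19 in hello["types"],          # TLS wrapper, can carry SASL
        "refused": hello["refused"],
    }

# Constructed server-to-client byte streams (not captured from real hosts).
LEGACY = b"RFB 003.008\n" + bytes([1, 2])
HARDENED = b"RFB 003.008\n" + bytes([1, 19])
OLD_33 = b"RFB 003.003\n" + struct.pack(">I", 2)
REFUSED = b"RFB 003.008\n\x00" + struct.pack(">I", 8) + b"too many"

if __name__ == "__main__":
    print(audit(LEGACY), audit(HARDENED), sep="\n")
```
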

* [Qemu-devel] [Bug 1809252] Re: Password authentication in FIPS-compliant mode
From: Tomasz Barański @ 2018-12-21  8:12 UTC (permalink / raw)
  To: qemu-devel

I understand. Thank you, guys!
