* Monitor commands related to display server passwords
@ 2022-11-30  8:02 Markus Armbruster
  2022-11-30  9:03 ` Daniel P. Berrangé
  0 siblings, 1 reply; 6+ messages in thread
From: Markus Armbruster @ 2022-11-30  8:02 UTC (permalink / raw)
  To: qemu-devel; +Cc: Gerd Hoffmann, Daniel P. Berrangé

We have a couple of password-related commands, and I'm not sure about
which ones should be used.  In order of appearance:

* HMP change vnc

  Change a VNC server password.  Unlike set_password below, there's no
  way to select a display other than the first.

  Note: if change's second argument isn't "vnc", we're changing removable
  media.  If you call your block device "vnc", you cannot change its
  media.  Hilarious.

  Password prompting (with hidden user input) since commit 7084851534
  "VNC password authentication, by Daniel P. Berrange." (v0.9.1,
  2007-08-25).

  Password argument since commit 2569da0cb6 "Accept password as an
  argument to 'change vnc password' monitor command (Chris Webb)"
  (v0.10.0, 2008-12-10).

  Nowadays, this wraps around QMP change-vnc-password, discussed below.

* HMP and QMP set_password, expire_password

  Change a VNC or Spice server password.  For Spice, can optionally fail
  when connections exist, or disconnect them.

  HMP commands wrap around the respective QMP command, as they should.

  HMP set_password does not support password prompting like "change vnc"
  does.

  Commands are present even when both CONFIG_VNC and CONFIG_SPICE are
  off.  Attempts to use them are rejected manually.  Defeats
  introspection.

  Since commit 7572150c18 "vnc/spice: add set_passwd monitor command."
  (v0.14.0, 2010-12-09)

  Support for VNC displays other than the first since commit 675fd3c96b
  "qapi/monitor: allow VNC display id in set/expire_password" (v7.0.0,
  2022-03-02).

* QMP change-vnc-password

  Can only target the first VNC display, unlike set_password.

  Command present only with CONFIG_VNC.

  Since commit 270b243f91 "qapi: Introduce change-vnc-password" (v1.1,
  2012-01-18).

Do we really need / want both set_password and change-vnc-password in
QMP?

On the one hand, set_password feels outdated from a QAPI point of view:
it violates the naming rules, and it defeats introspection.  On the
other hand, it's more powerful.

Do we really need / want both set_password and "change vnc" in HMP?
set_password is more powerful, but only "change vnc" supports password
prompting.

Getting rid of "change vnc" would fix the "cannot change media for block
device named 'vnc'" wart.


Related: QCryptoSecret objects.

commit ac1d88784907c9603b3849b2c3043259f75ed2a5
Author: Daniel P. Berrangé <berrange@redhat.com>
Date:   Wed Oct 14 09:58:38 2015 +0100

    crypto: add QCryptoSecret object class for password/key handling
    
    Introduce a new QCryptoSecret object class which will be used
    for providing passwords and keys to other objects which need
    sensitive credentials.
    
    The new object can provide secret values directly as properties,
    or indirectly via a file. The latter includes support for file
    descriptor passing syntax on UNIX platforms. Ordinarily passing
    secret values directly as properties is insecure, since they
    are visible in process listings, or in log files showing the
    CLI args / QMP commands. It is possible to use AES-256-CBC to
    encrypt the secret values though, in which case all that is
    visible is the ciphertext.  For ad hoc developer testing though,
    it is fine to provide the secrets directly without encryption
    so this is not explicitly forbidden.
    
    The anticipated scenario is that libvirtd will create a random
    master key per QEMU instance (eg /var/run/libvirt/qemu/$VMNAME.key)
    and will use that key to encrypt all passwords it provides to
    QEMU via '-object secret,....'.  This avoids the need for libvirt
    (or other mgmt apps) to worry about file descriptor passing.
    
    It also makes life easier for people who are scripting the
    management of QEMU, for whom FD passing is significantly more
    complex.
    
    Providing data inline (insecure, only for ad hoc dev testing)
    
      $QEMU -object secret,id=sec0,data=letmein
    
    Providing data indirectly in raw format
    
      printf "letmein" > mypasswd.txt
      $QEMU -object secret,id=sec0,file=mypasswd.txt
    
    Providing data indirectly in base64 format
    
      $QEMU -object secret,id=sec0,file=mykey.b64,format=base64
    
    Providing data with encryption
    
      $QEMU -object secret,id=master0,file=mykey.b64,format=base64 \
            -object secret,id=sec0,data=[base64 ciphertext],\
                       keyid=master0,iv=[base64 IV],format=base64
    
    Note that 'format' here refers to the format of the ciphertext
    data. The decrypted data must always be in raw byte format.
    
    More examples are shown in the updated docs.
    
    Reviewed-by: Eric Blake <eblake@redhat.com>
    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

Currently used by various block backends and the tls-creds-x509 object.

Would it make sense with display servers, too?




* Re: Monitor commands related to display server passwords
  2022-11-30  8:02 Monitor commands related to display server passwords Markus Armbruster
@ 2022-11-30  9:03 ` Daniel P. Berrangé
  2022-11-30 13:25   ` Markus Armbruster
  2022-12-01  9:20   ` Daniel P. Berrangé
  0 siblings, 2 replies; 6+ messages in thread
From: Daniel P. Berrangé @ 2022-11-30  9:03 UTC (permalink / raw)
  To: Markus Armbruster; +Cc: qemu-devel, Gerd Hoffmann

On Wed, Nov 30, 2022 at 09:02:56AM +0100, Markus Armbruster wrote:
> We have a couple of password-related commands, and I'm not sure about
> which ones should be used.  In order of appearance:
> 
> * HMP change vnc
> 
>   Change a VNC server password.  Unlike set_password below, there's no
>   way to select a display other than the first.
> 
>   Note: if change's second argument isn't "vnc", we're changing removable
>   media.  If you call your block device "vnc", you cannot change its
>   media.  Hilarious.

Note, QMP equivalent is blockdev-change-medium, which is a wrapper
around a blockdev-open-tray/remove-medium/insert-medium/close-tray
sequence.  'change <blockdev>' maps to this.

If you call your blockdev 'vnc' you're not getting sympathy
from me ;-P But seriously, I agree with your point.

>   Password prompting (with hidden user input) since commit 7084851534
>   "VNC password authentication, by Daniel P. Berrange." (v0.9.1,
>   2007-08-25).
> 
>   Password argument since commit 2569da0cb6 "Accept password as an
>   argument to 'change vnc password' monitor command (Chris Webb)"
>   (v0.10.0, 2008-12-10).
> 
>   Nowadays, this wraps around QMP change-vnc-password, discussed below.

> * HMP and QMP set_password, expire_password
> 
>   Change a VNC or Spice server password.  For Spice, can optionally fail
>   when connections exist, or disconnect them.
> 
>   HMP commands wrap around the respective QMP command, as they should.
> 
>   HMP set_password does not support password prompting like "change vnc"
>   does.
> 
>   Commands are present even when both CONFIG_VNC and CONFIG_SPICE are
>   off.  Attempts to use them are rejected manually.  Defeats
>   introspection.
> 
>   Since commit 7572150c18 "vnc/spice: add set_passwd monitor command."
>   (v0.14.0, 2010-12-09)
> 
>   Support for VNC displays other than the first since commit 675fd3c96b
>   "qapi/monitor: allow VNC display id in set/expire_password" (v7.0.0,
>   2022-03-02).
> 
> * QMP change-vnc-password
> 
>   Can only target the first VNC display, unlike set_password.
> 
>   Command present only with CONFIG_VNC.
> 
>   Since commit 270b243f91 "qapi: Introduce change-vnc-password" (v1.1,
>   2012-01-18).

IIRC, this was designed as a 1-1 mapping to replace the QMP
'change vnc' command, except it was obviously redundant
since we had already added 'set_passwd' by that point. I
vaguely recall this was all just an oversight on part of
author and reviewers. 

> Do we really need / want both set_password and change-vnc-password in
> QMP?

Nope.

> On the one hand, set_password feels outdated from a QAPI point of view:
> it violates the naming rules, and it defeats introspection.  On the
> other hand, it's more powerful.
> 
> Do we really need / want both set_password and "change vnc" in HMP?
> set_password is more powerful, but only "change vnc" supports password
> prompting.
> 
> Getting rid of "change vnc" would fix the "cannot change media for block
> device named 'vnc'" wart.

> Related: QCryptoSecret objects.

snip

> Currently used by various block backends and the tls-creds-x509 object.
> 
> Would it make sense with display servers, too?

In 6.0 I introduced support for 'password-secret' to SPICE and VNC
command line.

I don't know why, but I only deprecated 'password' in SPICE and
not in VNC.

I didn't wire up any QMP commands to do live password changes. If
the display was already configured with 'password-secret', you
could delete and re-create the existing named secret object
using object-add/object-del, since we fetch the secret value
on every auth check.

There's no way to change from password-off to password-on mode
and vice versa.

Also no way to change other things like expiry time.

We since gained the 'display-update' command, which could be
extended to allow changing expiry time, and turning on/off
use of passwords, and even changing what 'secret' they
point to.

So overall I say

 * Deprecate VNC 'password' option
 * Deprecate QMP and HMP commands for changing VNC/SPICE
   password
 * Extend 'display-update' to other misc live changes

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
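
The rotation described in the message above (delete and re-create the named secret with object-del/object-add), as an added example that is not part of the thread or of QEMU. It assumes a QMP UNIX socket and a display started with password-secret=<id>; the function names, socket path and directory are hypothetical. The new value travels in a 0600 file rather than inside the QMP command.

```python
import json
import os
import socket
import tempfile


def write_secret_file(directory, password):
    """Store the new password in a fresh file; mkstemp creates it with mode 0600."""
    fd, path = tempfile.mkstemp(dir=directory, prefix="secret-")
    with os.fdopen(fd, "wb") as f:
        f.write(password.encode())  # no trailing newline, as with printf in the commit message
    return path


def rotation_commands(secret_id, secret_path):
    """QMP commands that delete the named secret and re-create it from a file.

    Between the two commands the id does not exist, so send them back to back.
    """
    return [
        {"execute": "object-del", "arguments": {"id": secret_id}},
        {"execute": "object-add",
         "arguments": {"qom-type": "secret", "id": secret_id, "file": secret_path}},
    ]


def qmp_run(sock, commands):
    """Read the QMP greeting, negotiate capabilities, then run each command."""
    reader = sock.makefile("r", encoding="utf-8")

    def call(cmd):
        sock.sendall((json.dumps(cmd) + "\r\n").encode())
        while True:
            msg = json.loads(reader.readline())
            if "event" in msg:  # asynchronous events may arrive before the reply
                continue
            if "error" in msg:
                raise RuntimeError(f"{cmd['execute']}: {msg['error'].get('desc')}")
            return msg["return"]

    if "QMP" not in json.loads(reader.readline()):
        raise RuntimeError("not a QMP monitor")
    call({"execute": "qmp_capabilities"})
    return [call(cmd) for cmd in commands]


def rotate(qmp_socket_path, secret_id, password, directory):
    """Rotate the secret on a live QEMU (socket path and directory are assumptions)."""
    path = write_secret_file(directory, password)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(qmp_socket_path)
        return qmp_run(sock, rotation_commands(secret_id, path))
```

The directory passed to rotate() has to be readable by the QEMU process, since QEMU opens the file named in object-add.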




* Re: Monitor commands related to display server passwords
  2022-11-30  9:03 ` Daniel P. Berrangé
@ 2022-11-30 13:25   ` Markus Armbruster
  2022-11-30 13:29     ` Daniel P. Berrangé
  2022-12-01  9:20   ` Daniel P. Berrangé
  1 sibling, 1 reply; 6+ messages in thread
From: Markus Armbruster @ 2022-11-30 13:25 UTC (permalink / raw)
  To: Daniel P. Berrangé; +Cc: qemu-devel, Gerd Hoffmann

Daniel P. Berrangé <berrange@redhat.com> writes:

> On Wed, Nov 30, 2022 at 09:02:56AM +0100, Markus Armbruster wrote:
>> We have a couple of password-related commands, and I'm not sure about
>> which ones should be used.  In order of appearance:
>> 
>> * HMP change vnc
>> 
>>   Change a VNC server password.  Unlike set_password below, there's no
>>   way to select a display other than the first.
>> 
>>   Note: if change's second argument isn't "vnc", we're changing removable
>>   media.  If you call your block device "vnc", you cannot change its
>>   media.  Hilarious.
>
> Note, QMP equivalent is blockdev-change-medium, which is a wrapper
> around a blockdev-open-tray/remove-medium/insert-medium/close-tray
> sequence.  'change <blockdev>' maps to this.

Yes.

> If you call your blockdev 'vnc' you're not getting sympathy
> from me ;-P But seriously, I agree with your point.
>
>>   Password prompting (with hidden user input) since commit 7084851534
>>   "VNC password authentication, by Daniel P. Berrange." (v0.9.1,
>>   2007-08-25).
>> 
>>   Password argument since commit 2569da0cb6 "Accept password as an
>>   argument to 'change vnc password' monitor command (Chris Webb)"
>>   (v0.10.0, 2008-12-10).
>> 
>>   Nowadays, this wraps around QMP change-vnc-password, discussed below.
>
>> * HMP and QMP set_password, expire_password
>> 
>>   Change a VNC or Spice server password.  For Spice, can optionally fail
>>   when connections exist, or disconnect them.
>> 
>>   HMP commands wrap around the respective QMP command, as they should.
>> 
>>   HMP set_password does not support password prompting like "change vnc"
>>   does.
>> 
>>   Commands are present even when both CONFIG_VNC and CONFIG_SPICE are
>>   off.  Attempts to use them are rejected manually.  Defeats
>>   introspection.
>> 
>>   Since commit 7572150c18 "vnc/spice: add set_passwd monitor command."
>>   (v0.14.0, 2010-12-09)
>> 
>>   Support for VNC displays other than the first since commit 675fd3c96b
>>   "qapi/monitor: allow VNC display id in set/expire_password" (v7.0.0,
>>   2022-03-02).
>> 
>> * QMP change-vnc-password
>> 
>>   Can only target the first VNC display, unlike set_password.
>> 
>>   Command present only with CONFIG_VNC.
>> 
>>   Since commit 270b243f91 "qapi: Introduce change-vnc-password" (v1.1,
>>   2012-01-18).
>
> IIRC, this was designed as a 1-1 mapping to replace the QMP
> 'change vnc' command, except it was obviously redundant
> since we had already added 'set_passwd' by that point. I
> vaguely recall this was all just an oversight on part of
> author and reviewers. 

Happens.

>> Do we really need / want both set_password and change-vnc-password in
>> QMP?
>
> Nope.
>
>> On the one hand, set_password feels outdated from a QAPI point of view:
>> it violates the naming rules, and it defeats introspection.  On the
>> other hand, it's more powerful.
>> 
>> Do we really need / want both set_password and "change vnc" in HMP?
>> set_password is more powerful, but only "change vnc" supports password
>> prompting.
>> 
>> Getting rid of "change vnc" would fix the "cannot change media for block
>> device named 'vnc'" wart.
>
>> Related: QCryptoSecret objects.
>
> snip
>
>> Currently used by various block backends and the tls-creds-x509 object.
>> 
>> Would it make sense with display servers, too?
>
> In 6.0 I introduced support for 'password-secret' to SPICE and VNC
> command line.
>
> I don't know why, but I only deprecated 'password' in SPICE and
> not in VNC.

I figure you mean

    ``-spice password=string`` (since 6.0)
    ''''''''''''''''''''''''''''''''''''''

    This option is insecure because the SPICE password remains visible in
    the process listing. This is replaced by the new ``password-secret``
    option which lets the password be securely provided on the command
    line using a ``secret`` object instance.

and -vnc password=...

There's also -iscsi password=..., and possibly more.

> I didn't wire up any QMP commands to do live password changes. If
> the display was already configured with 'password-secret', you
> could delete and re-create the existing named secret object
> using object-add/object-del, since we fetch the secret value
> on every auth check.

Is this behavior documented?

> There's no way to change from password-off to password-on mode
> and vice versa.
>
> Also no way to change other things like expiry time.
>
> We since gained the 'display-update' command, which could be
> extended to allow changing expiry time, and turning on/off
> use of passwords, and even changing what 'secret' they
> point to.
>
> So overall I say
>
>  * Deprecate VNC 'password' option
>  * Deprecate QMP and HMP commands for changing VNC/SPICE
>    password
>  * Extend 'display-update' to other misc live changes

Makes sense.

Of course, we can deprecate the old commands for changing passwords only
after we extended display-update to replace them.




* Re: Monitor commands related to display server passwords
  2022-11-30 13:25   ` Markus Armbruster
@ 2022-11-30 13:29     ` Daniel P. Berrangé
  2022-12-01  6:48       ` Markus Armbruster
  0 siblings, 1 reply; 6+ messages in thread
From: Daniel P. Berrangé @ 2022-11-30 13:29 UTC (permalink / raw)
  To: Markus Armbruster; +Cc: qemu-devel, Gerd Hoffmann

On Wed, Nov 30, 2022 at 02:25:53PM +0100, Markus Armbruster wrote:
> Daniel P. Berrangé <berrange@redhat.com> writes:

> > In 6.0 I introduced support for 'password-secret' to SPICE and VNC
> > command line.
> >
> > I don't know why, but I only deprecated 'password' in SPICE and
> > not in VNC.
> 
> I figure you mean
> 
>     ``-spice password=string`` (since 6.0)
>     ''''''''''''''''''''''''''''''''''''''
> 
>     This option is insecure because the SPICE password remains visible in
>     the process listing. This is replaced by the new ``password-secret``
>     option which lets the password be securely provided on the command
>     line using a ``secret`` object instance.
> 
> and -vnc password=...
> 
> There's also -iscsi password=..., and possibly more.

Oh, iSCSI already has password-secret=, so yeah, we should
deprecate the old way there too.

Basically I want nothing in QMP/CLI to accept passwords,
everything must use the 'secret' objects.


> > I didn't wire up any QMP commands to do live password changes. If
> > the display was already configured with 'password-secret', you
> > could delete and re-create the existing named secret object
> > using object-add/object-del, since we fetch the secret value
> > on every auth check.
> 
> Is this behavior documented?

I don't believe so


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|




* Re: Monitor commands related to display server passwords
  2022-11-30 13:29     ` Daniel P. Berrangé
@ 2022-12-01  6:48       ` Markus Armbruster
  0 siblings, 0 replies; 6+ messages in thread
From: Markus Armbruster @ 2022-12-01  6:48 UTC (permalink / raw)
  To: Daniel P. Berrangé; +Cc: qemu-devel, Gerd Hoffmann

Daniel P. Berrangé <berrange@redhat.com> writes:

> On Wed, Nov 30, 2022 at 02:25:53PM +0100, Markus Armbruster wrote:
>> Daniel P. Berrangé <berrange@redhat.com> writes:
>
>> > In 6.0 I introduced support for 'password-secret' to SPICE and VNC
>> > command line.
>> >
>> > I don't know why, but I only deprecated 'password' in SPICE and
>> > not in VNC.
>> 
>> I figure you mean
>> 
>>     ``-spice password=string`` (since 6.0)
>>     ''''''''''''''''''''''''''''''''''''''
>> 
>>     This option is insecure because the SPICE password remains visible in
>>     the process listing. This is replaced by the new ``password-secret``
>>     option which lets the password be securely provided on the command
>>     line using a ``secret`` object instance.
>> 
>> and -vnc password=...
>> 
>> There's also -iscsi password=..., and possibly more.
>
> Oh, iSCSI already has password-secret=, so yeah, we should
> deprecate the old way there too.

Would you like to prepare the patch?

> Basically I want nothing in QMP/CLI to accept passwords,
> everything must use the 'secret' objects.

Understood.

>> > I didn't wire up any QMP commands to do live password changes. If
>> > the display was already configured with 'password-secret', you
>> > could delete and re-create the existing named secret object
>> > using object-add/object-del, since we fetch the secret value
>> > on every auth check.
>> 
>> Is this behavior documented?
>
> I don't believe so

No need if we provide a more direct solution, like the one you sketched
(extending display-update).




* Re: Monitor commands related to display server passwords
  2022-11-30  9:03 ` Daniel P. Berrangé
  2022-11-30 13:25   ` Markus Armbruster
@ 2022-12-01  9:20   ` Daniel P. Berrangé
  1 sibling, 0 replies; 6+ messages in thread
From: Daniel P. Berrangé @ 2022-12-01  9:20 UTC (permalink / raw)
  To: Markus Armbruster, qemu-devel, Gerd Hoffmann

On Wed, Nov 30, 2022 at 09:03:03AM +0000, Daniel P. Berrangé wrote:
> On Wed, Nov 30, 2022 at 09:02:56AM +0100, Markus Armbruster wrote:

> > Related: QCryptoSecret objects.
> 
> snip
> 
> > Currently used by various block backends and the tls-creds-x509 object.
> > 
> > Would it make sense with display servers, too?
> 
> In 6.0 I introduced support for 'password-secret' to SPICE and VNC
> command line.
> 
> I don't know why, but I only deprecated 'password' in SPICE and
> not in VNC.

The 'password' option in VNC isn't actually setting a password,
it is more like saying 'auth=password'. The actual password
had to be set via the 'change' command, we never allowed it on
the CLI before. So there was nothing to deprecate for VNC, only
SPICE.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
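
An audit of QEMU command lines for the cases this thread distinguishes, as an added example that is not part of the thread or of QEMU: inline `password=` on -spice and -iscsi, and `-object secret` with unencrypted `data=`, are reported, while `-vnc ...,password` and `password-secret=` are not. The sample argv is constructed, the function names are hypothetical, and read_cmdline assumes Linux /proc.

```python
import sys

# Options for which the thread names an inline password= as the legacy form.
INLINE_PASSWORD_OPTS = {"-spice", "-iscsi"}

SAMPLE_ARGV = [  # constructed sample, not taken from a real host
    "qemu-system-x86_64",
    "-object", "secret,id=master0,file=/run/vm1.key,format=base64",
    "-object", "secret,id=sec0,data=bGV0bWVpbg==,keyid=master0,iv=AAAA,format=base64",
    "-object", "secret,id=sec1,data=letmein",
    "-spice", "port=5930,password=hunter2,,x",
    "-vnc", ":0,password",
    "-vnc", ":1,password-secret=sec0",
    "-iscsi", "user=admin,password=pw",
]


def split_opts(optstr):
    """Parse a QEMU 'key=value,flag,...' string; ',,' is an escaped comma."""
    out = []
    for field in optstr.replace(",,", "\0").split(","):
        if field:
            key, sep, val = field.replace("\0", ",").partition("=")
            out.append((key, val if sep else None))
    return out


def audit(argv):
    """Return (option, key, reason) findings; secret values are never echoed."""
    findings = []
    for opt, val in zip(argv, argv[1:]):
        fields = split_opts(val)
        opts = dict(fields)
        if opt in INLINE_PASSWORD_OPTS and opts.get("password") is not None:
            findings.append((opt, "password", "inline password; use password-secret="))
        elif opt == "-object" and fields:
            first_key, first_val = fields[0]
            qom_type = opts.get("qom-type") or (first_key if first_val is None else None)
            if qom_type == "secret" and "data" in opts and "keyid" not in opts:
                findings.append((opt, "data", "unencrypted inline secret; use file= or keyid="))
        # "-vnc ...,password" is deliberately not reported: per the thread it
        # only selects password authentication and carries no secret.
    return findings


def read_cmdline(pid):
    """argv of a running process on Linux (NUL-separated /proc entry)."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return [a.decode(errors="replace") for a in f.read().split(b"\0") if a]


if __name__ == "__main__":
    argv = read_cmdline(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ARGV
    for opt, key, reason in audit(argv):
        print(f"{opt} {key}: {reason}")
```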


