All of lore.kernel.org
 help / color / mirror / Atom feed
From: Attila-Mihaly Balazs <dify.ltd@gmail.com>
To: qemu-devel@nongnu.org
Cc: kraxel@redhat.com
Subject: [Qemu-devel] [PATCH] Make password based authentication the default for VNC
Date: Tue, 7 Jun 2016 12:13:06 +0300	[thread overview]
Message-ID: <CAOqyLXj2KizZN=PAT2hukWoTGD+vc=5TrAJFH05q4zWyZdXjdg@mail.gmail.com> (raw)

To improve the security of the embedded VNC server make password
based authentication the default when no authentication mechanism
is specified.

If you really want to use "no authentication", a new authentication
option called "insecure" is introduced which needs to be explicitly
specified.

Note: because password authentication is not availble in FIPS mode,
you must explicitly set an authentication method when using VNC with
QEMU compiled in FIPS mode or it won't start.

Signed-off-by: Attila-Mihaly Balazs
---
 qemu-doc.texi   | 10 ++++++----
 qemu-options.hx |  7 ++++++-
 ui/vnc.c        | 51 ++++++++++++++++++++++++++++++++++-----------------
 3 files changed, 46 insertions(+), 22 deletions(-)

diff --git a/qemu-doc.texi b/qemu-doc.texi
index f37fd31..a8795b6 100644
--- a/qemu-doc.texi
+++ b/qemu-doc.texi
@@ -1493,12 +1493,14 @@ considerations depending on the deployment scenarios.
 @node vnc_sec_none
 @subsection Without passwords

-The simplest VNC server setup does not include any form of authentication.
-For this setup it is recommended to restrict it to listen on a UNIX domain
-socket only. For example
+Unless otherwise specified, the VNC server starts in password authentication
+mode (see the next section for details). It is possible to disable
+authentication entirely when needed however it is strongly recommended to use
+other methods of access control to ensure that only trusted persons can access
+it. For example you could restrict it to listen on a UNIX domain socket only:

 @example
-qemu-system-i386 [...OPTIONS...] -vnc unix:/home/joebloggs/.qemu-myvm-vnc
+qemu-system-i386 [...OPTIONS...] -vnc unix:/home/jb/.qemu-myvm-vnc,insecure
 @end example

 This ensures that only users on local box with read/write access to that
diff --git a/qemu-options.hx b/qemu-options.hx
index 9f33361..25a17cb 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -1284,7 +1284,8 @@ requires encrypted client connections.

 @item password

-Require that password based authentication is used for client connections.
+Require that password based authentication is used for client connections. This
+is the default if no authentiation mechanism is specified.

 The password must be set separately using the @code{set_password} command in
 the @ref{pcsys_monitor}. The syntax to change your password is:
@@ -1301,6 +1302,10 @@ date and time).
 You can also use keywords "now" or "never" for the expiration time to
 allow <protocol> password to expire immediately or never expire.

+@item insecure
+
+Run the VNC server without any authentication.
+
 @item tls-creds=@var{ID}

 Provides the ID of a set of TLS credentials to use to secure the
diff --git a/ui/vnc.c b/ui/vnc.c
index c862fdc..c58db4b 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -3275,6 +3275,9 @@ static QemuOptsList qemu_vnc_opts = {
             .name = "password",
             .type = QEMU_OPT_BOOL,
         },{
+            .name = "insecure",
+            .type = QEMU_OPT_BOOL,
+        },{
             .name = "reverse",
             .type = QEMU_OPT_BOOL,
         },{
@@ -3312,6 +3315,7 @@ static QemuOptsList qemu_vnc_opts = {
 static int
 vnc_display_setup_auth(VncDisplay *vs,
                        bool password,
+                       bool insecure,
                        bool sasl,
                        bool websocket,
                        Error **errp)
@@ -3454,6 +3458,16 @@ vnc_display_setup_auth(VncDisplay *vs,
             vs->ws_auth = VNC_AUTH_INVALID;
         }
     }
+
+    if (vs->auth == VNC_AUTH_NONE && !insecure) {
+        /*
+         * If authentication is not specified use password authentication.
+         */
+        VNC_DEBUG("Initializing VNC server with password auth\n");
+        vs->auth = VNC_AUTH_VNC;
+        vs->subauth = VNC_AUTH_INVALID;
+    }
+
     return 0;
 }

@@ -3511,6 +3525,7 @@ void vnc_display_open(const char *id, Error **errp)
     const char *share, *device_id;
     QemuConsole *con;
     bool password = false;
+    bool insecure = false;
     bool reverse = false;
     const char *vnc;
     char *h;
@@ -3622,22 +3637,7 @@ void vnc_display_open(const char *id, Error **errp)
     }

     password = qemu_opt_get_bool(opts, "password", false);
-    if (password) {
-        if (fips_get_state()) {
-            error_setg(errp,
-                       "VNC password auth disabled due to FIPS mode, "
-                       "consider using the VeNCrypt or SASL authentication "
-                       "methods as an alternative");
-            goto fail;
-        }
-        if (!qcrypto_cipher_supports(
-                QCRYPTO_CIPHER_ALG_DES_RFB)) {
-            error_setg(errp,
-                       "Cipher backend does not support DES RFB algorithm");
-            goto fail;
-        }
-    }
-
+    insecure = qemu_opt_get_bool(opts, "insecure", false);
     reverse = qemu_opt_get_bool(opts, "reverse", false);
     lock_key_sync = qemu_opt_get_bool(opts, "lock-key-sync", true);
     key_delay_ms = qemu_opt_get_number(opts, "key-delay-ms", 1);
@@ -3760,10 +3760,27 @@ void vnc_display_open(const char *id, Error **errp)
     }
 #endif

-    if (vnc_display_setup_auth(vs, password, sasl, vs->ws_enabled, errp) < 0) {
+    if (vnc_display_setup_auth(
+            vs, password, insecure, sasl, vs->ws_enabled, errp) < 0) {
         goto fail;
     }

+    if (vs->auth == VNC_AUTH_VNC) {
+        if (fips_get_state()) {
+            error_setg(errp,
+                       "VNC password auth disabled due to FIPS mode, "
+                       "consider using the VeNCrypt or SASL authentication "
+                       "methods as an alternative");
+            goto fail;
+        }
+        if (!qcrypto_cipher_supports(
+                QCRYPTO_CIPHER_ALG_DES_RFB)) {
+            error_setg(errp,
+                       "Cipher backend does not support DES RFB algorithm");
+            goto fail;
+        }
+    }
+
 #ifdef CONFIG_VNC_SASL
     if ((saslErr = sasl_server_init(NULL, "qemu")) != SASL_OK) {
         error_setg(errp, "Failed to initialize SASL auth: %s",
-- 
2.7.4

             reply	other threads:[~2016-06-07  9:13 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-06-07  9:13 Attila-Mihaly Balazs [this message]
2016-06-07  9:24 ` [Qemu-devel] [PATCH] Make password based authentication the default for VNC Daniel P. Berrange
2016-06-07 17:46   ` Attila-Mihaly Balazs
2016-06-07 20:35     ` Gerd Hoffmann

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAOqyLXj2KizZN=PAT2hukWoTGD+vc=5TrAJFH05q4zWyZdXjdg@mail.gmail.com' \
    --to=dify.ltd@gmail.com \
    --cc=kraxel@redhat.com \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.