From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: libvir-list@redhat.com, "Markus Armbruster" <armbru@redhat.com>,
	"Daniel P. Berrangé" <berrange@redhat.com>,
	"Gerd Hoffmann" <kraxel@redhat.com>,
	"Dr. David Alan Gilbert" <dgilbert@redhat.com>
Subject: [PATCH 2/4] ui: introduce "password-secret" option for SPICE server
Date: Fri, 19 Feb 2021 18:45:54 +0000
Message-ID: <20210219184556.154972-3-berrange@redhat.com>
In-Reply-To: <20210219184556.154972-1-berrange@redhat.com>

Currently when using SPICE the "password" option provides the password
in plain text on the command line. This is insecure as it is visible
to all processes on the host. As an alternative, the password can be
provided separately via the monitor.

This introduces a "password-secret" option which lets the password be
provided up front.

  $QEMU --object secret,id=vncsec0,file=passwd.txt \
        --spice port=5901,password-secret=vncsec0

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 qemu-options.hx |  8 ++++++--
 ui/spice-core.c | 28 ++++++++++++++++++++++++++--
 2 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/qemu-options.hx b/qemu-options.hx
index 893d0f500b..ff4ef3b708 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -1898,7 +1898,7 @@ DEF("spice", HAS_ARG, QEMU_OPTION_spice,
     "       [,tls-ciphers=<list>]\n"
     "       [,tls-channel=[main|display|cursor|inputs|record|playback]]\n"
     "       [,plaintext-channel=[main|display|cursor|inputs|record|playback]]\n"
-    "       [,sasl][,password=<secret>][,disable-ticketing]\n"
+    "       [,sasl][,password=<string>][,password-secret=<secret-id>][,disable-ticketing]\n"
     "       [,image-compression=[auto_glz|auto_lz|quic|glz|lz|off]]\n"
     "       [,jpeg-wan-compression=[auto|never|always]]\n"
     "       [,zlib-glz-wan-compression=[auto|never|always]]\n"
@@ -1923,9 +1923,13 @@ SRST
     ``ipv4``; \ ``ipv6``; \ ``unix``
         Force using the specified IP version.
 
-    ``password=<secret>``
+    ``password=<string>``
         Set the password you need to authenticate.
 
+    ``password-secret=<secret-id>``
+        Set the ID of the ``secret`` object containing the password
+        you need to authenticate.
+
     ``sasl``
         Require that the client use SASL to authenticate with the spice.
         The exact choice of authentication method used is controlled
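Review bot: the new ``password-secret=<secret-id>`` entry is fine, but the adjacent ``password=<string>`` entry still gives no hint that the plain-text value is exposed on the command line to every process on the host, which is the motivation given in the commit message; suggest adding one sentence under ``password=<string>`` that points users to ``password-secret`` as the preferred form, so readers of the manual reach the safer option without having to know the history.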
diff --git a/ui/spice-core.c b/ui/spice-core.c
index beee932f55..353848b244 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
@@ -34,6 +34,7 @@
 #include "qapi/qapi-events-ui.h"
 #include "qemu/notify.h"
 #include "qemu/option.h"
+#include "crypto/secret_common.h"
 #include "migration/misc.h"
 #include "hw/pci/pci_bus.h"
 #include "ui/spice-display.h"
@@ -415,6 +416,9 @@ static QemuOptsList qemu_spice_opts = {
         },{
             .name = "password",
             .type = QEMU_OPT_STRING,
+        },{
+            .name = "password-secret",
+            .type = QEMU_OPT_STRING,
         },{
             .name = "disable-ticketing",
             .type = QEMU_OPT_BOOL,
@@ -636,7 +640,9 @@ void qemu_spice_display_init_done(void)
 static void qemu_spice_init(void)
 {
     QemuOpts *opts = QTAILQ_FIRST(&qemu_spice_opts.head);
-    const char *password, *str, *x509_dir, *addr,
+    char *password = NULL;
+    const char *passwordSecret;
+    const char *str, *x509_dir, *addr,
         *x509_key_password = NULL,
         *x509_dh_file = NULL,
         *tls_ciphers = NULL;
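Review bot: `passwordSecret` is camelCase, which does not match QEMU's coding style or the neighbouring snake_case locals in the same declaration (`x509_key_password`, `x509_dh_file`, `tls_ciphers`); rename it to `password_secret`. Since `password` changes here from `const char *` to an owned `char *`, please also double-check the later uses of it in this function (not shown in the hunk) still compile without warnings and that nothing assigns a string literal or option value to it directly any more, since that would now be freed.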
@@ -663,7 +669,24 @@ static void qemu_spice_init(void)
         error_report("spice tls-port is out of range");
         exit(1);
     }
-    password = qemu_opt_get(opts, "password");
+    passwordSecret = qemu_opt_get(opts, "password-secret");
+    if (passwordSecret) {
+        Error *local_err = NULL;
+        if (qemu_opt_get(opts, "password")) {
+            error_report("'password' option is mutually exclusive with "
+                         "'password-secret'");
+            exit(1);
+        }
+        password = qcrypto_secret_lookup_as_utf8(passwordSecret,
+                                                 &local_err);
+        if (!password) {
+            error_report_err(local_err);
+            exit(1);
+        }
+    } else {
+        str = qemu_opt_get(opts, "password");
+        password = g_strdup(str);
+    }
 
     if (tls_port) {
         x509_dir = qemu_opt_get(opts, "x509-dir");
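Review bot: in the `else` branch the temporary `str` is used only to feed `g_strdup`; `password = g_strdup(qemu_opt_get(opts, "password"));` is shorter and avoids leaving `str` holding a stale pointer for the code below that reuses that variable. `g_strdup(NULL)` returns NULL, so the "no password configured" case keeps its previous meaning. The mutual-exclusion check before the secret lookup is the right order, since it fails fast without touching the secret object, and the `exit(1)` matches the surrounding error handling in this function.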
@@ -809,6 +832,7 @@ static void qemu_spice_init(void)
     g_free(x509_key_file);
     g_free(x509_cert_file);
     g_free(x509_cacert_file);
+    g_free(password);
 
 #ifdef HAVE_SPICE_GL
     if (qemu_opt_get_bool(opts, "gl", 0)) {
-- 
2.29.2