From: | Anthony Liguori |
Subject: | Re: [Qemu-devel] QEMU: VNC |
Date: | Thu, 22 Feb 2007 11:27:56 -0600 |
User-agent: | Thunderbird 1.5.0.9 (X11/20070103) |
Luke -Jr wrote:
> On Thursday 22 February 2007 10:35, you wrote:
>> I would be happy with a patch that allowed a password to be set from the monitor. Storing a password in a file on disk is, IMHO, ugly. If no one beats me to it, I'll probably write something up this weekend.
>
> That doesn't make it too simple to start a qemu session without a human present. It also means there's a vulnerable window of time without a password.

In my patch queue, I have a patch that adds a null VNC target along with another patch to allow you to change what the VNC server listens to in the monitor.
I also have a small program that lets you execute monitor commands outside of QEMU (assuming the monitor is a unix socket).
So, without human intervention, you would do:

qemu -vnc null ...
connect to monitor and set password
connect to monitor and change vnc server to listen on :3

Regards,

Anthony Liguori

>> For real security, TLS integration is most certainly the way to go. I want to make sure anything we do though doesn't violate the RFB spec so we have to validate that the authentication ids are reserved and the protocol isn't violated in any way (realizing there's no absolutely secure way to do RFB and still be compatible to the spec).
>
> Well, in theory I can use iptables to restrict connections only from an individual local user (--uid-owner) and thus require SSH authentication, but I'm not sure how simple that will be to do from Java...
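
The unattended sequence described in the message above (start with no VNC listener, set the password over the monitor, then start listening), as an added example that is not part of the original message or of QEMU. It assumes the monitor is a unix socket; the monitor command names, the `Password: ` prompt and the `(qemu) ` prompt are assumptions, since the message does not give them.

```python
import socket

PROMPT = b"(qemu) "  # assumed monitor prompt


def read_until(sock, marker):
    """Read until the monitor output ends with `marker`."""
    buf = b""
    while not buf.endswith(marker):
        # A bare prompt where another reply was expected means the
        # command was rejected: stop instead of carrying on.
        if marker != PROMPT and buf.endswith(PROMPT):
            raise RuntimeError("monitor rejected command: %r" % buf)
        chunk = sock.recv(4096)  # raises on timeout
        if not chunk:
            raise ConnectionError("monitor closed the connection")
        buf += chunk
    return buf


def secure_then_listen(monitor_path, password, display=":3", timeout=5.0):
    """Set the VNC password, and only then make the server listen.

    Any failure raises before the listen command is sent, so the VNC
    server is never reachable without a password.
    """
    steps = [
        # (bytes to send, reply to wait for); command names are assumptions
        (b"change vnc password\n", b"Password: "),
        (password.encode() + b"\n", PROMPT),
        (b"change vnc " + display.encode() + b"\n", PROMPT),
    ]
    replies = []
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as mon:
        mon.settimeout(timeout)
        mon.connect(monitor_path)
        read_until(mon, PROMPT)  # banner and first prompt
        for send, expect in steps:
            mon.sendall(send)
            replies.append(read_until(mon, expect))
    return replies


if __name__ == "__main__":
    import getpass
    import sys
    # Password is read from the terminal, not from argv or a file on disk.
    secure_then_listen(sys.argv[1], getpass.getpass("VNC password: "))
```

Because the listen command is the last step and every earlier step raises on failure, a rejected or timed-out password command leaves the VNC server without a listener rather than listening without a password.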