qemu-devel

Re: [Qemu-devel] QEMU: VNC


From: Anthony Liguori
Subject: Re: [Qemu-devel] QEMU: VNC
Date: Thu, 22 Feb 2007 11:27:56 -0600
User-agent: Thunderbird 1.5.0.9 (X11/20070103)

Luke -Jr wrote:
> On Thursday 22 February 2007 10:35, you wrote:
>> I would be happy with a patch that allowed a password to be set from the
>> monitor.  Storing a password in a file on disk is, IMHO, ugly.  If no
>> one beats me to it, I'll probably write something up this weekend.
>
> That doesn't make it too simple to start a qemu session without a human present. It also means there's a vulnerable window of time without a password.

In my patch queue, I have a patch that adds a null VNC target along with another patch to allow you to change what the VNC server listens to in the monitor.

I also have a small program that lets you execute monitor commands outside of QEMU (assuming the monitor is a unix socket).

So, without human intervention, you would do:

qemu -vnc null ...
connect to monitor and set password
connect to monitor and change vnc server to listen on :3

Regards,

Anthony Liguori

>> For real security, TLS integration is most certainly the way to go.  I
>> want to make sure anything we do though doesn't violate the RFB spec so
>> we have to validate that the authentication ids are reserved and the
>> protocol isn't violated in any way (realizing there's no absolutely
>> secure way to do RFB and still be compatible to the spec).
>
> Well, in theory I can use iptables to restrict connections only from an individual local user (--uid-owner) and thus require SSH authentication, but I'm not sure how simple that will be to do from Java...
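
The unattended sequence described in the message above, as an added example that is not part of the original e-mail and is not Anthony Liguori's program: a client sends monitor commands over a unix socket and waits for the prompt after each one, so the VNC listener is only enabled after the password command has completed. The `(qemu) ` prompt, the two command strings (placeholders, since the patch's syntax is not given in the thread) and the in-process stand-in monitor are assumptions.

```python
import os
import socket
import tempfile
import threading

PROMPT = b"(qemu) "  # assumption: the monitor prints this prompt when ready

def read_until_prompt(sock):
    """Read until the monitor prompt, i.e. the previous command has finished."""
    buf = b""
    while not buf.endswith(PROMPT):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("monitor closed the connection")
        buf += chunk
    return buf

def provision_vnc(monitor_path, commands):
    """Send monitor commands strictly in order over the unix socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(monitor_path)
        read_until_prompt(s)              # initial banner and prompt
        for cmd in commands:
            s.sendall(cmd.encode() + b"\n")
            read_until_prompt(s)          # wait before sending the next one

def fake_monitor(server, seen):
    """Constructed stand-in for QEMU's monitor: records each command line."""
    conn, _ = server.accept()
    with conn, conn.makefile("rb") as lines:
        conn.sendall(b"QEMU monitor (constructed stand-in)\n" + PROMPT)
        for line in lines:
            seen.append(line.decode().strip())
            conn.sendall(PROMPT)

def demo():
    """Run the sequence against the stand-in; return the commands it saw."""
    seen = []
    with tempfile.TemporaryDirectory() as d:   # mkdtemp: owner-only directory
        path = os.path.join(d, "monitor.sock")
        server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        server.bind(path)
        server.listen(1)
        t = threading.Thread(target=fake_monitor, args=(server, seen))
        t.start()
        # Placeholder command strings, not real monitor syntax.
        provision_vnc(path, ["<set-vnc-password-command>",
                             "<vnc-listen-command> :3"])
        t.join(timeout=5)
        server.close()
    return seen
```

Keeping the monitor socket in an owner-only directory matters here, because anyone who can connect to it can issue the same commands.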
