[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] PATCH: 0/7: Support SASL authentication in VNC server

From: Anthony Liguori
Subject: Re: [Qemu-devel] PATCH: 0/7: Support SASL authentication in VNC server
Date: Sat, 14 Feb 2009 16:17:44 -0600
User-agent: Thunderbird (X11/20090105)

Daniel P. Berrange wrote:
Previously I provided patches for QEMU's VNC server to support SSL/TLS
and x509 certificates. This provides good encryption capabilities for
the VNC session. It doesn't really address the authentication problem

I have been working to  create a new authentication type in the RFB
protocol to address this need in a generic, extendable way, by mapping
the SASL API into the RFB protocol. Since SASL is a generic plugin based API, this will allow use of a huge range of auth mechanims over VNC, without us having to add any more auth code. For example, PAM,
Digest-MD5, GSSAPI/Kerberos, One-time key/password, LDAP password
lookup, SQL db password lookup, and more.

I have got a VNC auth type assigned by the RFB spec maintainers:


With the full current spec for the SASL extension currently documented here:


This is the 2nd version of the patches I initially posted here


Modulo the comments I made, this series look really nice. I'm going to apply Brian Kress' multiple clients patch once he adds a SoB so you'll want to make sure to rebase against that for the next series.


Anthony Liguori

Changes since last time

 - Re-factor the code to move TLS and SASL methods into separate files,
   vnc-tls.c, vnc-auth-vencrypt.c and vnc-auth-vencrypt.h

 - Added simple access control lists for authorization of client users
   on either SASL username, or x509 distinguished name

 - Added proof of concept external file format for persisting ACLs

 - Extend 'info vnc' to show much more information about clients and

 - Tested with SASL + Digest-MD5,  SASL + GSSAPI. TLS + SASL + Digest-MD5
and TLS + SASL + GSSAPI. This gives coverage off all interesting code paths and/or I/O encryption combinations.

The combined diffstat for all 7 patches about to follow, is

.hgignore | 16 Makefile | 27 + Makefile.target | 5 b/acl.c | 264 ++++++++++++
 b/acl.h               |   71 +++
 b/keymaps.h           |   60 ++
 b/qemu.sasl           |   34 +
 b/vnc-auth-sasl.c     |  640 +++++++++++++++++++++++++++++
 b/vnc-auth-sasl.h     |   76 +++
 b/vnc-auth-vencrypt.c |  175 +++++++
 b/vnc-auth-vencrypt.h |   33 +
 b/vnc-tls.c           |  456 ++++++++++++++++++++
 b/vnc-tls.h           |   76 +++
 configure             |   34 +
curses.c | 3 curses_keys.h | 9 keymaps.c | 45 --
 monitor.c             |   80 +++
 qemu-doc.texi         |  109 ++++
sdl.c | 3 sdl_keysym.h | 7 vl.c | 12 vnc.c | 1100 ++++++++++++++++++--------------------------------
 vnc.h                 |  215 +++++++++
vnc_keysym.h | 5 25 files changed, 2795 insertions(+), 760 deletions(-)


reply via email to

[Prev in Thread] Current Thread [Next in Thread]