qemu-devel

Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (se


From: Paul Moore
Subject: Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode
Date: Thu, 03 May 2012 16:51:40 -0400
User-agent: KMail/4.8.2 (Linux/3.3.4-gentoo; KDE/4.8.2; x86_64; ; )

On Thursday, May 03, 2012 09:29:15 AM Daniel P. Berrange wrote:
> On Wed, May 02, 2012 at 03:32:56PM -0400, Paul Moore wrote:
> >  static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
> >  {
> >  #ifdef _VNC_DEBUG
> > 
> > @@ -2748,6 +2772,14 @@ void vnc_display_init(DisplayState *ds)
> > 
> >      dcl->idle = 1;
> >      vnc_display = vs;
> > 
> > +    vs->fips = fips_enabled();
> > +    VNC_DEBUG("FIPS mode %s\n", (vs->fips ? "enabled" : "disabled"));
> > +#ifndef _WIN32
> > +    if (vs->fips) {
> > +        syslog(LOG_NOTICE, "Disabling VNC password auth due to FIPS
> > mode\n"); +    }
> > +#endif /* _WIN32 */
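
Review bot: the syslog() call inside the `if (vs->fips)` block passes a format string ending in "\n", which syslog does not need because it terminates each record itself; drop the trailing newline. The notice is also compiled out by the `#ifndef _WIN32` guard while `vs->fips` is still assigned outside it, so on that platform the only trace of the FIPS decision is the VNC_DEBUG line. If password authentication can be refused there too, report it through a path that exists on every build. Finally, the message carries no display or VM identifier, so on a host running several guests an auditor cannot tell which instance logged it; including one would make the record actionable.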
> 
> I really think this should only be done if a password is actually set.
> With the code as it is, then every single time you launch a VM you're
> going to get this message in syslog, which makes it appear as if something
> is trying to illegally use passwords in FIPS mode. I feel this will cause
> admins/auditors to be worried about something being wrong, when in fact
> everything is normal.

Yep.  I can see arguments for either location but I'll go ahead and move it in 
v3 which I will be posting shortly.

-- 
paul moore
security and virtualization @ redhat



