Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode

From: Paul Moore
Subject: Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode
Date: Tue, 05 Jun 2012 18:06:49 -0400
User-agent: KMail/4.8.3 (Linux/3.3.7-gentoo; KDE/4.8.3; x86_64; ; )

On Tuesday, June 05, 2012 11:51:40 PM Alexander Graf wrote:
> On 05.06.2012, at 23:45, Paul Moore wrote:
> > On Tuesday, June 05, 2012 03:08:26 AM Alexander Graf wrote:
> >> Which gets me to a new idea. Why not exit(1) when we detect FIPS and a
> >> password is set? I agree with the assessment that we should never
> >> silently drop features. So the best way to make sure that the user knows
> >> he did something stupid (enable FIPS, but require a non-FIPS compliant
> >> authentication method) would be to just quit, no?
> > 
> > That is basically what the patch does now.  In vnc_display_open() if it
> > detects that the user has supplied a VNC password it prints an error to
> > stderr and returns an error which causes QEMU to exit.
> > 
> > The error message displayed is shown below:
> > 
> > "VNC password auth disabled due to FIPS mode, consider using the VeNCrypt
> >  or SASL authentication methods as an alernative"
> > 
> > ... which seems pretty obvious to me.  If anyone would prefer something
> > different, let me know.
> No, as long as the spelling is actually correct and not the one above,
> that's perfectly fine.

What, not a fan of my "alernative" spelling?  Fixed in the next version of the 
patch :)

> I just have a habit of not reading the patches I comment on :).

If nothing else, it makes the discussions much more interesting :)

> > On Tuesday, June 05, 2012 09:23:04 AM Anthony Liguori wrote:
> >> I think my primary requirement is: allow a user to use vnc authentication
> >> even when fips mode is active by using some command line option.
> > 
> > I'll agree that FIPS mode can be a bit silly in the case of QEMU and VNC
> > but to be honest, that requirement above seems just as silly to me, if
> > not more so.  However, if making this behavior optional is what it takes
> > to get the patch accepted, so be it.
> > 
> > I'll start working on v4 of the patch tomorrow.
> Let's just wait for Anthony to reply ...

Fine with me, I've got plenty else to do in the meantime and I don't think 
this is 1.1 material anyway.

paul moore
security and virtualization @ redhat
