[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH v4] vnc: disable VNC password authentication (se
Re: [Qemu-devel] [PATCH v4] vnc: disable VNC password authentication (security type 2) when in FIPS mode
Tue, 31 Jul 2012 15:52:33 -0500
Notmuch/0.13.2+93~ged93d79 (http://notmuchmail.org) Emacs/23.3.1 (x86_64-pc-linux-gnu)
"Daniel P. Berrange" <address@hidden> writes:
> On Tue, Jul 31, 2012 at 02:52:07PM -0500, Anthony Liguori wrote:
>> Paul Moore <address@hidden> writes:
>> > On Friday, June 08, 2012 05:38:12 PM Paul Moore wrote:
>> >> FIPS 140-2 requires disabling certain ciphers, including DES, which is
>> >> used
>> >> by VNC to obscure passwords when they are sent over the network. The
>> >> solution for FIPS users is to disable the use of VNC password auth when
>> >> the
>> >> host system is operating in FIPS mode.
>> >> This patch causes QEMU to emit a message to stderr when the host system is
>> >> running in FIPS mode and a VNC password was specified on the commend line.
>> >> If the system is not running in FIPS mode, or is running in FIPS mode but
>> >> VNC password authentication was not requested, QEMU operates normally.
>> >> Signed-off-by: Paul Moore <address@hidden>
>> > Hi Anthony,
>> > Any word on this patch? Other than Daniel Berrange's reviewed-by tag, the
>> > discussion of the v4 patch has been quiet and I think we addressed all the
>> > other remaining issues in the discussion attached to the v2 patch
>> > posting.
>> I asked for the specific language in FIPS mandating this. I don't see
>> any other VNC server implementing a check like this. I would rather do
>> this in a more user friendly fashion like make it a config file option
>> that a user can set while in fips mode.
> The FIPS standard doesn't refer to particular applications like VNC.
> As Paul says earlier, FIP 140-2 requires that DES (and certain other
> ciphers) not be used in any applications which are running in a FIPS
> compliant environment. Since VNC auth uses DES, this auth scheme
> cannot be permitted in a FIPS environment.
OpenSSL requires an explicit function call to enable fips
mode--FIPS_mode_set(). It's not something that happens unconditionally
behind the scenes. From talking to some folks here, it seems like
an -enable-fips option would meet the requirements of FIPS.
> The reason no other VNC server does this is almost certainly because
> none of their developers have ever tried to have their code work in
> a FIPS environment, so I don't think that's a relevant comparison.
> I'm not really sure what addding more configuration options gains
> us here. The choice of auth mode is already configurable. This patch
> is about ensuring that the user is not allowed to configure it, if
> FIPS mode is in effect (as indicated by the kernels syfs tunable).
> So in fact adding config params doesn't really address this.
Disabling options unconditionally based on a magic kernel parameter is
fundamentally wrong. If a user wants QEMU to participate in FIPS,
it should explicitly ask QEMU to.
Since OpenSSL also does this, there seems to be ample precedence for it.
> The proposed patch is already very straightforward, is using the
> official interface exposed by the upstream kernel to userspace &
> has negligable maintenence burden IMHO.
It's not QEMU's role to enforce security policy. Unconditionally
disabling features goes against a very basic architectural assumption in
>From what I'm told, there's nothing in FIPS that prevents us from
masking this behavior behind a command line option. And I think that's
the right thing to do.
> |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org -o- http://virt-manager.org :|
> |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|