Re: [Qemu-devel] [Bug 1809252] [NEW] Password authentication in FIPS-compliant mode
Thu, 20 Dec 2018 08:41:19 -0600
On 12/20/18 6:59 AM, Tomasz Barański wrote:
> Public bug reported:
>
> The documentation states that:
> "The VNC protocol has limited support for password based authentication.
> (...) Password authentication is not supported when operating in FIPS
> 140-2 compliance mode as it requires the use of the DES cipher."
>
> Would it be possible for qemu to use a different cipher and re-enable
> password as an option in VNC console? Is there a technical reason for
> not using a stronger cipher?

The technical reason is that there are no other VNC endpoints out there
that support a different cipher. The VNC protocol itself declares what
all compliant servers/clients must use - and that spec is what makes the
non-FIPS-compliant requirement. You wouldn't have to patch just qemu,
but every other VNC endpoint out there that you want to interoperate
with a patched qemu. But it's really not worth doing that when there
are already better solutions available. That is, rather than trying to
fix VNC, just use an alternative protocol that doesn't have a baked-in
authentication limitation in the first place - namely, Spice.
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
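
The restriction discussed in this thread can be checked for before a guest is started. The following is an added example, not part of the original message and not QEMU code: it scans a QEMU command line for `-vnc` displays that request password authentication and reports them against the host's FIPS state. The function names, the sample command lines and the use of `/proc/sys/crypto/fips_enabled` as the FIPS indicator are assumptions of the example.

```python
import shlex

# Assumption: the Linux kernel's FIPS indicator file is used as the host FIPS state.
FIPS_FLAG = "/proc/sys/crypto/fips_enabled"

def host_fips_enabled(path=FIPS_FLAG):
    """Return True if the kernel reports FIPS mode; False if the file is absent."""
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except OSError:
        return False

def vnc_password_displays(cmdline):
    """Return the -vnc arguments in a QEMU command line that request password auth."""
    args = shlex.split(cmdline)
    hits = []
    for i, arg in enumerate(args[:-1]):
        if arg != "-vnc":
            continue
        value = args[i + 1]
        # The first comma-separated field is the display; the rest are options.
        for opt in value.split(",")[1:]:
            key, _, val = opt.partition("=")
            # Matches the bare "password" flag and the "password=on" spelling.
            if key == "password" and val in ("", "on"):
                hits.append(value)
    return hits

def audit(cmdline, fips):
    """Describe each VNC display whose password auth depends on DES."""
    findings = []
    for value in vnc_password_displays(cmdline):
        if fips:
            findings.append(f"-vnc {value}: password auth requires DES, "
                            "not supported in FIPS 140-2 mode")
        else:
            findings.append(f"-vnc {value}: password auth relies on DES")
    return findings

if __name__ == "__main__":
    # Constructed sample command lines, not taken from the bug report.
    samples = [
        "qemu-system-x86_64 -m 2048 -vnc :1,password",
        "qemu-system-x86_64 -vnc 127.0.0.1:2,password=on",
        "qemu-system-x86_64 -vnc :3,sasl=on",
    ]
    fips = host_fips_enabled()
    for s in samples:
        print(s, "->", audit(s, fips) or "no VNC password auth")
```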