[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] [Bug 1809252] Re: Password authentication in FIPS-compliant

From: Daniel Berrange
Subject: [Qemu-devel] [Bug 1809252] Re: Password authentication in FIPS-compliant mode
Date: Thu, 20 Dec 2018 14:47:55 -0000

The VNC password authentication scheme is not extensible. It is
unfixably broken by design.

QEMU provides the SASL authentication scheme for VNC which allows for
strong authentication, when combined with the VeNCrypt authentication
scheme that uses TLS.

These extensions are supported by the gtk-vnc client used by remote-
viewer, virt-viewer, virt-manager, GNOME Boxes and more.  Other VNC
clients are also known to implement VeNCrypt, though SASL support is
less wide spread.

>From a QEMU POV, there's nothing more we need todo really - any
remaining gaps are client side.

** Changed in: qemu
       Status: New => Invalid

You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.

  Password authentication in FIPS-compliant mode

Status in QEMU:

Bug description:
  The documentation states, that:

  "The VNC protocol has limited support for password based
  authentication. (...) Password authentication is not supported when
  operating in FIPS 140-2 compliance mode as it requires the use of the
  DES cipher."

  Would it be possible for qemu to use a different cipher and re-enable
  password as an option in VNC console? Is there a technical reason for
  not using a stronger cipher?

To manage notifications about this bug go to:

reply via email to

[Prev in Thread] Current Thread [Next in Thread]