Patchwork vnc: Don't demote authentication scheme when changing password/disabling login

login
register
mail settings
Submitter Daniel P. Berrange
Date Feb. 14, 2012, 12:37 p.m.
Message ID <1329223049-26896-1-git-send-email-berrange@redhat.com>
Download mbox | patch
Permalink /patch/141108/
State New
Headers show

Comments

Daniel P. Berrange - Feb. 14, 2012, 12:37 p.m.
From: "Daniel P. Berrange" <berrange@redhat.com>

Currently when disabling login in VNC, the password is cleared out and the
authentication protocol is forced to AUTH_VNC.  If you're using a stronger
authentication protocol, this has the effect of downgrading your security
protocol.

Fix this by only changing the authentication protocol if the current
authentication protocol is AUTH_NONE.  That ensures we're never downgrading.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
--
NB. This patch is derived from one posted by Anthony last year, which got
accidentally lost after Luiz took over the QMP series work

  https://lists.gnu.org/archive/html/qemu-devel/2011-09/msg00392.html

 v1 -> v2
 - Make sure to not demote when changing password (Daniel)
 v2 -> v3 
 - Rebase to latest GIT master wrt QMP changes
---
 ui/vnc.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)
Anthony Liguori - Feb. 17, 2012, 6:14 p.m.
On 02/14/2012 06:37 AM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange"<berrange@redhat.com>
>
> Currently when disabling login in VNC, the password is cleared out and the
> authentication protocol is forced to AUTH_VNC.  If you're using a stronger
> authentication protocol, this has the effect of downgrading your security
> protocol.
>
> Fix this by only changing the authentication protocol if the current
> authentication protocol is AUTH_NONE.  That ensures we're never downgrading.
>
> Signed-off-by: Daniel P. Berrange<berrange@redhat.com>
> Signed-off-by: Anthony Liguori<aliguori@us.ibm.com>

Applied.  Thanks.

Regards,

Anthony Liguori

> --
> NB. This patch is derived from one posted by Anthony last year, which got
> accidentally lost after Luiz took over the QMP series work
>
>    https://lists.gnu.org/archive/html/qemu-devel/2011-09/msg00392.html
>
>   v1 ->  v2
>   - Make sure to not demote when changing password (Daniel)
>   v2 ->  v3
>   - Rebase to latest GIT master wrt QMP changes
> ---
>   ui/vnc.c |    8 ++++++--
>   1 files changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/ui/vnc.c b/ui/vnc.c
> index 16b79ec..c449fcd 100644
> --- a/ui/vnc.c
> +++ b/ui/vnc.c
> @@ -2679,7 +2679,9 @@ int vnc_display_disable_login(DisplayState *ds)
>       }
>
>       vs->password = NULL;
> -    vs->auth = VNC_AUTH_VNC;
> +    if (vs->auth == VNC_AUTH_NONE) {
> +        vs->auth = VNC_AUTH_VNC;
> +    }
>
>       return 0;
>   }
> @@ -2703,7 +2705,9 @@ int vnc_display_password(DisplayState *ds, const char *password)
>           vs->password = NULL;
>       }
>       vs->password = g_strdup(password);
> -    vs->auth = VNC_AUTH_VNC;
> +    if (vs->auth == VNC_AUTH_NONE) {
> +        vs->auth = VNC_AUTH_VNC;
> +    }
>
>       return 0;
>   }

Patch

diff --git a/ui/vnc.c b/ui/vnc.c
index 16b79ec..c449fcd 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2679,7 +2679,9 @@  int vnc_display_disable_login(DisplayState *ds)
     }
 
     vs->password = NULL;
-    vs->auth = VNC_AUTH_VNC;
+    if (vs->auth == VNC_AUTH_NONE) {
+        vs->auth = VNC_AUTH_VNC;
+    }
 
     return 0;
 }
@@ -2703,7 +2705,9 @@  int vnc_display_password(DisplayState *ds, const char *password)
         vs->password = NULL;
     }
     vs->password = g_strdup(password);
-    vs->auth = VNC_AUTH_VNC;
+    if (vs->auth == VNC_AUTH_NONE) {
+        vs->auth = VNC_AUTH_VNC;
+    }
 
     return 0;
 }