[2/3] vnc: support password expire

Hi,

>> How does password expiration help with security at all?
>
> VNC passwords are obviously rather weak, so if you can limit
> the time the password is valid to the window in which you
> are expecting the incoming VNC connection this limits the
> time to attack the VNC password. A mgmt tool could do
>
>    - Set a VNC password
>    - Open the VNC connection
>    - Clear the VNC password
>
> If anything goes wrong in the mgmt tool at step 2 though,
> then it may never to step 3, leaving the VNC server accessible.
> If it had set a password expiry at step 1, it would have a
> safety net that guarentees the password will be invalid after
> 'n' seconds, even if not explicitly cleared. Given how little
> code this is in QEMU, I think it is a worthwhile feature.

Anthony?  Do you agree?  If so I have a updated tree to pull from for 
you (rebased to latest master, added sign-offs, otherwise unmodified).

thanks,
   Gerd

The following changes since commit 7d72e76228351d18a856f1e4f5365b59d3205dc3:

   intel-hda: documentation update (2010-11-02 00:41:04 +0300)

are available in the git repository at:
   git://anongit.freedesktop.org/spice/qemu passwd.2

Gerd Hoffmann (3):
       vnc: auth reject cleanup
       vnc: support password expire
       vnc/spice: add set_passwd monitor command.

  console.h       |    2 +-
  hmp-commands.hx |   23 ++++++++++++++++++++
  monitor.c       |   61 
+++++++++++++++++++++++++++++++++++++++++++++++++++++-
  ui/qemu-spice.h |    3 ++
  ui/spice-core.c |    7 ++++++
  ui/vnc.c        |   43 +++++++++++++++++++++++---------------
  ui/vnc.h        |    1 +
  7 files changed, 120 insertions(+), 20 deletions(-)

On 11/02/10 12:15, Gerd Hoffmann wrote:
>   Hi,
>
>>> How does password expiration help with security at all?
>>
>> VNC passwords are obviously rather weak, so if you can limit
>> the time the password is valid to the window in which you
>> are expecting the incoming VNC connection this limits the
>> time to attack the VNC password. A mgmt tool could do
>>
>> - Set a VNC password
>> - Open the VNC connection
>> - Clear the VNC password
>>
>> If anything goes wrong in the mgmt tool at step 2 though,
>> then it may never to step 3, leaving the VNC server accessible.
>> If it had set a password expiry at step 1, it would have a
>> safety net that guarentees the password will be invalid after
>> 'n' seconds, even if not explicitly cleared. Given how little
>> code this is in QEMU, I think it is a worthwhile feature.
>
> Anthony? Do you agree? If so I have a updated tree to pull from for you
> (rebased to latest master, added sign-offs, otherwise unmodified).

[ ... ]

> are available in the git repository at:
> git://anongit.freedesktop.org/spice/qemu passwd.2

Ping?  What is the status here?

cheers,
   Gerd

On 11/09/2010 07:42 AM, Gerd Hoffmann wrote:
>> are available in the git repository at:
>> git://anongit.freedesktop.org/spice/qemu passwd.2
>
> Ping?  What is the status here?

My view is that it's wrong for QEMU because it's a specific management 
policy that isn't generally useful.  It can be easily implemented 
outside of QEMU.

Of course, if both you and Dan disagree strongly, since this is so 
little code, I'll leave the final decision up to you.

Regards,

Anthony Liguori

> cheers,
>   Gerd
>