From patchwork Tue Nov 2 11:15:26 2010
X-Patchwork-Submitter: Gerd Hoffmann
X-Patchwork-Id: 69891
Message-ID: <4CCFF2CE.1040902@redhat.com>
Date: Tue, 02 Nov 2010 12:15:26 +0100
From: Gerd Hoffmann
To: "Daniel P. Berrange"
Subject: Re: [Qemu-devel] [PATCH 2/3] vnc: support password expire
References: <1286450121-17153-1-git-send-email-kraxel@redhat.com> <1286450121-17153-3-git-send-email-kraxel@redhat.com> <4CAE2521.2070500@codemonkey.ws> <20101008100841.GB9279@redhat.com>
In-Reply-To: <20101008100841.GB9279@redhat.com>
Cc: qemu-devel@nongnu.org

Hi,

>> How does password expiration help with security at all?
>
> VNC passwords are obviously rather weak, so if you can limit
> the time the password is valid to the window in which you
> are expecting the incoming VNC connection this limits the
> time to attack the VNC password. A mgmt tool could do
>
>  - Set a VNC password
>  - Open the VNC connection
>  - Clear the VNC password
>
> If anything goes wrong in the mgmt tool at step 2 though,
> then it may never get to step 3, leaving the VNC server accessible.
> If it had set a password expiry at step 1, it would have a
> safety net that guarantees the password will be invalid after
> 'n' seconds, even if not explicitly cleared. Given how little
> code this is in QEMU, I think it is a worthwhile feature.

Anthony? Do you agree? If so I have an updated tree to pull from for
you (rebased to latest master, added sign-offs, otherwise unmodified).

thanks,
  Gerd

The following changes since commit 7d72e76228351d18a856f1e4f5365b59d3205dc3:

  intel-hda: documentation update (2010-11-02 00:41:04 +0300)

are available in the git repository at:

  git://anongit.freedesktop.org/spice/qemu passwd.2

Gerd Hoffmann (3):
      vnc: auth reject cleanup
      vnc: support password expire
      vnc/spice: add set_passwd monitor command.

 console.h       |    2 +-
 hmp-commands.hx |   23 ++++++++++++++++++++
 monitor.c       |   61 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
 ui/qemu-spice.h |    3 ++
 ui/spice-core.c |    7 ++++++
 ui/vnc.c        |   43 +++++++++++++++++++++++---------------
 ui/vnc.h        |    1 +
 7 files changed, 120 insertions(+), 20 deletions(-)
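
The safety net described in the quoted reply, as an added example that is not part of the original message and is not QEMU's code: the deadline is stored together with the password and checked on every authentication attempt, so a management tool that never reaches its "clear" step cannot leave the password valid. The names `vnc_cred`, `cred_set`, `cred_clear` and `cred_check` are hypothetical, and VNC's challenge-response exchange is replaced by a direct comparison to keep the example short.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <time.h>

/* Hypothetical server-side credential state (assumption, not QEMU's struct). */
struct vnc_cred {
    char   password[9];  /* VNC auth only uses the first 8 bytes */
    bool   set;          /* false means "no password": reject all logins */
    time_t expires;      /* absolute deadline; invalid at or after it */
};

/* Step 1: install the password and its deadline in one operation. */
void cred_set(struct vnc_cred *c, const char *pw, time_t now, int ttl)
{
    memset(c->password, 0, sizeof(c->password));
    strncpy(c->password, pw, sizeof(c->password) - 1);
    c->set = true;
    c->expires = now + ttl;
}

/* Step 3: explicit clear by the management tool (may never be reached). */
void cred_clear(struct vnc_cred *c)
{
    memset(c, 0, sizeof(*c));
}

/* Auth path: state and deadline are checked before any comparison. */
bool cred_check(const struct vnc_cred *c, const char *pw, time_t now)
{
    char buf[sizeof(c->password)] = {0};
    unsigned char diff = 0;

    /* Without the 'set' flag a cleared, all-zero password would match "". */
    if (!c->set || now >= c->expires) {
        return false;
    }
    strncpy(buf, pw, sizeof(buf) - 1);
    for (size_t i = 0; i < sizeof(buf); i++) {  /* constant-time compare */
        diff |= (unsigned char)(buf[i] ^ c->password[i]);
    }
    return diff == 0;
}
```

Passing `now` as a parameter keeps the deadline logic testable; a server would supply its own clock value on each attempt.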