From patchwork Mon Jun 6 12:49:37 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Gerd Hoffmann
X-Patchwork-Id: 98940
From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Date: Mon, 6 Jun 2011 14:49:37 +0200
Message-Id: <1307364580-28385-5-git-send-email-kraxel@redhat.com>
In-Reply-To: <1307364580-28385-1-git-send-email-kraxel@redhat.com>
References: <1307364580-28385-1-git-send-email-kraxel@redhat.com>
MIME-Version: 1.0
Cc: Marc-André Lureau, Gerd Hoffmann
Subject: [Qemu-devel] [PATCH 4/7] spice: add SASL support
List-Id: qemu-devel@nongnu.org
Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

From: Marc-André Lureau

Turn on SASL support by appending "sasl" to the spice arguments, which requires that the client use SASL to authenticate with the spice.

The exact choice of authentication method used is controlled from the system / user's SASL configuration file for the 'qemu' service. This is typically found in /etc/sasl2/qemu.conf. If running QEMU as an unprivileged user, an environment variable SASL_CONF_PATH can be used to make it search alternate locations for the service config.

While some SASL auth methods can also provide data encryption (e.g. GSSAPI), it is recommended that SASL always be combined with the 'tls' and 'x509' settings to enable use of SSL and server certificates. This ensures data encryption, preventing compromise of authentication credentials.

It requires support from spice 0.8.1.

[ kraxel: moved spell fix to separate commit ]
Signed-off-by: Gerd Hoffmann --- qemu-config.c | 3 +++ qemu-options.hx | 13 +++++++++++++ ui/spice-core.c | 12 ++++++++++++ 3 files changed, 28 insertions(+), 0 deletions(-) diff --git a/qemu-config.c b/qemu-config.c index 04c97e5..b00aa3a 100644 --- a/qemu-config.c +++ b/qemu-config.c @@ -388,6 +388,9 @@ QemuOptsList qemu_spice_opts = { .name = "disable-copy-paste", .type = QEMU_OPT_BOOL, },{ + .name = "sasl", + .type = QEMU_OPT_BOOL, + },{ .name = "x509-dir", .type = QEMU_OPT_STRING, },{ diff --git a/qemu-options.hx b/qemu-options.hx index 63e8cb0..d9edff7 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -714,6 +714,19 @@ Force using the specified IP version. @item password= Set the password you need to authenticate. +@item sasl +Require that the client use SASL to authenticate with the spice. +The exact choice of authentication method used is controlled from the +system / user's SASL configuration file for the 'qemu' service. This +is typically found in /etc/sasl2/qemu.conf. If running QEMU as an +unprivileged user, an environment variable SASL_CONF_PATH can be used +to make it search alternate locations for the service config. +While some SASL auth methods can also provide data encryption (eg GSSAPI), +it is recommended that SASL always be combined with the 'tls' and +'x509' settings to enable use of SSL and server certificates. This +ensures a data encryption preventing compromise of authentication +credentials. + @item disable-ticketing Allow client connects without authentication. diff --git a/ui/spice-core.c b/ui/spice-core.c index a3351f3..457d34d 100644 --- a/ui/spice-core.c +++ b/ui/spice-core.c 
@@ -549,6 +549,18 @@ void qemu_spice_init(void) if (password) { spice_server_set_ticket(spice_server, password, 0, 0, 0); } + if (qemu_opt_get_bool(opts, "sasl", 0)) { +#if SPICE_SERVER_VERSION >= 0x000900 /* 0.9.0 */ + if (spice_server_set_sasl_appname(spice_server, "qemu") == -1 || + spice_server_set_sasl(spice_server, 1) == -1) { + fprintf(stderr, "spice: failed to enable sasl\n"); + exit(1); + } +#else + fprintf(stderr, "spice: sasl is not available (spice >= 0.9 required)\n"); + exit(1); +#endif + } if (qemu_opt_get_bool(opts, "disable-ticketing", 0)) { auth = "none"; spice_server_set_noauth(spice_server);
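Review bot: In the ui/spice-core.c hunk, the guard `#if SPICE_SERVER_VERSION >= 0x000900 /* 0.9.0 */` and the error text "spice >= 0.9 required" contradict the commit message's "It requires support from spice 0.8.1"; one of them is wrong, and the commit message and the `#else` branch should state the same minimum version as the guard.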
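Review bot: Still in the ui/spice-core.c hunk, the new `sasl` block runs before the existing `disable-ticketing` check, so when both options are given `spice_server_set_sasl(spice_server, 1)` is followed by `spice_server_set_noauth(spice_server)` with `auth = "none"`, silently turning authentication off again; the combination should be rejected with an error and `exit(1)` like the other failure paths. Also, the `disable-ticketing` branch updates `auth` to `"none"` but the successful sasl branch never sets `auth`, so whatever reports that variable will not show SASL as the active method; consider setting `auth = "sasl"` after the two `spice_server_set_sasl*` calls succeed.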
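Review bot: In the qemu-options.hx hunk, the new `@item sasl` text does not say how `sasl` interacts with the neighbouring `password=` and `disable-ticketing` options (whether they are mutually exclusive, or which one wins when combined); a sentence stating that would save users from configurations that look authenticated but are not. While touching it, "eg GSSAPI" should read "e.g. GSSAPI" and "This ensures a data encryption preventing compromise" should read "This ensures data encryption, preventing compromise".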