| #
1ea06abc |
| 14-Jun-2021 |
Peter Maydell <peter.maydell@linaro.org> |
Merge remote-tracking branch 'remotes/berrange-gitlab/tags/misc-fixes-pull-request' into staging
Merge misc patches
# gpg: Signature made Mon 14 Jun 2021 15:14:48 BST
# gpg: using RS
Merge remote-tracking branch 'remotes/berrange-gitlab/tags/misc-fixes-pull-request' into staging
Merge misc patches
# gpg: Signature made Mon 14 Jun 2021 15:14:48 BST
# gpg: using RSA key DAF3A6FDB26B62912D0E8E3FBE86EBB415104FDF
# gpg: Good signature from "Daniel P. Berrange <dan@berrange.com>" [full]
# gpg: aka "Daniel P. Berrange <berrange@redhat.com>" [full]
# Primary key fingerprint: DAF3 A6FD B26B 6291 2D0E 8E3F BE86 EBB4 1510 4FDF
* remotes/berrange-gitlab/tags/misc-fixes-pull-request:
usb/dev-mtp: use GDateTime for formatting timestamp for objects
block: use GDateTime for formatting timestamp when dumping snapshot info
migration: use GDateTime for formatting timestamp in snapshot names
block: remove duplicate trace.h include
block: add trace point when fdatasync fails
block: preserve errno from fdatasync failures
softmmu: add trace point when bdrv_flush_all fails
migration: add trace point when vm_stop_force_state fails
sasl: remove comment about obsolete kerberos versions
docs: recommend SCRAM-SHA-256 SASL mech instead of SHA-1 variant
docs: document usage of the authorization framework
docs: document how to pass secret data to QEMU
docs: add table of contents to QAPI references
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
show more ...
|
| #
e2bf32df |
| 04-Mar-2021 |
Daniel P. Berrangé <berrange@redhat.com> |
docs: recommend SCRAM-SHA-256 SASL mech instead of SHA-1 variant
The SHA-256 variant better meats modern security expectations.
Also warn that the password file is storing entries in clear
text.
Re
docs: recommend SCRAM-SHA-256 SASL mech instead of SHA-1 variant
The SHA-256 variant better meats modern security expectations.
Also warn that the password file is storing entries in clear
text.
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
show more ...
|
| #
1effe6ad |
| 10-May-2017 |
Stefan Hajnoczi <stefanha@redhat.com> |
Merge remote-tracking branch 'danpb/tags/pull-qcrypto-2017-05-09-1' into staging
Merge qcrypto 2017/05/09 v1
# gpg: Signature made Tue 09 May 2017 09:43:47 AM EDT
# gpg: using RSA ke
Merge remote-tracking branch 'danpb/tags/pull-qcrypto-2017-05-09-1' into staging
Merge qcrypto 2017/05/09 v1
# gpg: Signature made Tue 09 May 2017 09:43:47 AM EDT
# gpg: using RSA key 0xBE86EBB415104FDF
# gpg: Good signature from "Daniel P. Berrange <dan@berrange.com>"
# gpg: aka "Daniel P. Berrange <berrange@redhat.com>"
# Primary key fingerprint: DAF3 A6FD B26B 6291 2D0E 8E3F BE86 EBB4 1510 4FDF
* danpb/tags/pull-qcrypto-2017-05-09-1:
crypto: qcrypto_random_bytes() now works on windows w/o any other crypto libs
crypto: move 'opaque' parameter to (nearly) the end of parameter list
List SASL config file under the cryptography maintainer's realm
Default to GSSAPI (Kerberos) instead of DIGEST-MD5 for SASL
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
show more ...
|
| #
c6a9a9f5 |
| 15-Mar-2017 |
Daniel P. Berrange <berrange@redhat.com> |
Default to GSSAPI (Kerberos) instead of DIGEST-MD5 for SASL
RFC 6331 documents a number of serious security weaknesses in
the SASL DIGEST-MD5 mechanism. As such, QEMU should not be
using or recommen
Default to GSSAPI (Kerberos) instead of DIGEST-MD5 for SASL
RFC 6331 documents a number of serious security weaknesses in
the SASL DIGEST-MD5 mechanism. As such, QEMU should not be
using or recommending it as a default mechanism for VNC auth
with SASL.
GSSAPI (Kerberos) is the only other viable SASL mechanism that
can provide secure session encryption so enable that by defalt
as the replacement. If users have TLS enabled for VNC, they can
optionally decide to use SCRAM-SHA-1 instead of GSSAPI, allowing
plain username and password auth.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
show more ...
|
| #
6fffa262 |
| 15-Mar-2014 |
Peter Maydell <peter.maydell@linaro.org> |
Merge remote-tracking branch 'remotes/mjt/tags/trivial-patches-2014-03-15' into staging
trivial patches for 2014-03-15
# gpg: Signature made Sat 15 Mar 2014 09:54:30 GMT using RSA key ID 74F0C838
#
Merge remote-tracking branch 'remotes/mjt/tags/trivial-patches-2014-03-15' into staging
trivial patches for 2014-03-15
# gpg: Signature made Sat 15 Mar 2014 09:54:30 GMT using RSA key ID 74F0C838
# gpg: Good signature from "Michael Tokarev <mjt@tls.msk.ru>"
# gpg: aka "Michael Tokarev <mjt@corpit.ru>"
# gpg: aka "Michael Tokarev <mjt@debian.org>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6EE1 95D1 886E 8FFB 810D 4324 457C E0A0 8044 65C5
# Subkey fingerprint: E190 8639 3B10 B51B AC2C 8B73 5253 C5AD 74F0 C838
* remotes/mjt/tags/trivial-patches-2014-03-15:
FSL eTSEC: Fix typo in rx ring
scripts/make-release: Don't distribute .git directories
configure: Don't use __int128_t for clang versions before 3.2
audio: Add 'static' attributes to several variables
tests: Fix 'make test' for i686 hosts (build regression)
misc: Fix typos in comments
Add qga/qapi-generated to .gitignore
hw/timer/grlib_gptimer: Avoid integer overflows
.travis.yml: add IRC notifications for build failures
.travis.yml: trivial whitespace fixup
.travis.yml: re-enable lttng user space trace test
.travis.yml: add a new build target with non-core devlibs
sasl: Avoid 'Could not find keytab file' in syslog
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
show more ...
|
| #
dfb3804d |
| 14-Mar-2014 |
Laszlo Ersek <lersek@redhat.com> |
sasl: Avoid 'Could not find keytab file' in syslog
The "keytab" specification in "qemu.sasl" only makes sense if "gssapi" is
selected in "mech_list". Even if the latter is not done (ie. "gssapi" is
sasl: Avoid 'Could not find keytab file' in syslog
The "keytab" specification in "qemu.sasl" only makes sense if "gssapi" is
selected in "mech_list". Even if the latter is not done (ie. "gssapi" is
not selected), the cyrus-sasl library tries to open the specified keytab
file, although nothing has a use for it outside the gssapi backend.
Since the default keytab file "/etc/qemu/krb5.tab" is usually absent, the
cyrus-sasl library emits a warning to syslog at startup, which tends to
annoy users (who didn't ask for gssapi in the first place).
Comment out the keytab specification per default.
"qemu-doc.texi" already correctly explains how to use "mech_list: gssapi"
together with "keytab:".
See also:
- upstream libvirt commit fe772f24,
- Red Hat Bugzilla <https://bugzilla.redhat.com/show_bug.cgi?id=1018434>.
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
ACKed-By: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
show more ...
|
| #
a20bd9ee |
| 22-Jul-2013 |
Anthony Liguori <aliguori@us.ibm.com> |
Merge remote-tracking branch 'mjt/trivial-patches' into staging
# By Michael Tokarev (2) and others
# Via Michael Tokarev
* mjt/trivial-patches:
doc: monitor multiplexing rewording
block/m25p80:
Merge remote-tracking branch 'mjt/trivial-patches' into staging
# By Michael Tokarev (2) and others
# Via Michael Tokarev
* mjt/trivial-patches:
doc: monitor multiplexing rewording
block/m25p80: Update Micron entries
Fix command example in qemu.sasl
slirp: remove mbuf(m_hdr,m_dat) indirection
linux-user: declare sys_futex to have 6 arguments
Message-id: 1374225073-12959-1-git-send-email-mjt@msgid.tls.msk.ru
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
show more ...
|
| #
2f9606b3 |
| 06-Mar-2009 |
aliguori <aliguori@c046a42c-6fe2-441c-8c8c-71466251a162> |
Add SASL authentication support ("Daniel P. Berrange")
This patch adds the new SASL authentication protocol to the VNC server.
It is enabled by setting the 'sasl' flag when launching VNC. SASL can
Add SASL authentication support ("Daniel P. Berrange")
This patch adds the new SASL authentication protocol to the VNC server.
It is enabled by setting the 'sasl' flag when launching VNC. SASL can
optionally provide encryption via its SSF layer, if a suitable mechanism
is configured (eg, GSSAPI/Kerberos, or Digest-MD5). If an SSF layer is
not available, then it should be combined with the x509 VNC authentication
protocol which provides encryption.
eg, if using GSSAPI
qemu -vnc localhost:1,sasl
eg if using TLS/x509 for encryption
qemu -vnc localhost:1,sasl,tls,x509
By default the Cyrus SASL library will look for its configuration in
the file /etc/sasl2/qemu.conf. For non-root users, this can be overridden
by setting the SASL_CONF_PATH environment variable, eg to make it look in
$HOME/.sasl2. NB unprivileged users may not have access to the full range
of SASL mechanisms, since some of them require some administrative privileges
to configure. The patch includes an example SASL configuration file which
illustrates config for GSSAPI and Digest-MD5, though it should be noted that
the latter is not really considered secure any more.
Most of the SASL authentication code is located in a separate source file,
vnc-auth-sasl.c. The main vnc.c file only contains minimal integration
glue, specifically parsing of command line flags / setup, and calls to
start the SASL auth process, to do encoding/decoding for data.
There are several possible stacks for reading & writing of data, depending
on the combo of VNC authentication methods in use
- Clear. read/write straight to socket
- TLS. read/write via GNUTLS helpers
- SASL. encode/decode via SASL SSF layer, then read/write to socket
- SASL+TLS. encode/decode via SASL SSF layer, then read/write via GNUTLS
Hence, the vnc_client_read & vnc_client_write methods have been refactored
a little.
vnc_client_read: main entry point for reading, calls either
- vnc_client_read_plain reading, with no intermediate decoding
- vnc_client_read_sasl reading, with SASL SSF decoding
These two methods, then call vnc_client_read_buf(). This decides
whether to write to the socket directly or write via GNUTLS.
The situation is the same for writing data. More extensive comments
have been added in the code / patch. The vnc_client_read_sasl and
vnc_client_write_sasl method implementations live in the separate
vnc-auth-sasl.c file.
The state required for the SASL auth mechanism is kept in a separate
VncStateSASL struct, defined in vnc-auth-sasl.h and included in the
main VncState.
The configure script probes for SASL and automatically enables it
if found, unless --disable-vnc-sasl was given to override it.
Makefile | 7
Makefile.target | 5
b/qemu.sasl | 34 ++
b/vnc-auth-sasl.c | 626 ++++++++++++++++++++++++++++++++++++++++++++++++++++
b/vnc-auth-sasl.h | 67 +++++
configure | 34 ++
qemu-doc.texi | 97 ++++++++
vnc-auth-vencrypt.c | 12
vnc.c | 249 ++++++++++++++++++--
vnc.h | 31 ++
10 files changed, 1129 insertions(+), 33 deletions(-)
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6724 c046a42c-6fe2-441c-8c8c-71466251a162
show more ...
|