From patchwork Tue Jun 7 09:13:06 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Attila-Mihaly Balazs
X-Patchwork-Id: 9160171
From: Attila-Mihaly Balazs
Date: Tue, 7 Jun 2016 12:13:06 +0300
To: qemu-devel@nongnu.org
Cc: kraxel@redhat.com
Subject: [Qemu-devel] [PATCH] Make password based authentication the default for VNC

To improve the security of the embedded VNC server make password based authentication the default when no authentication mechanism is specified. If you really want to use "no authentication", a new authentication option called "insecure" is introduced which needs to be explicitly specified.

Note: because password authentication is not available in FIPS mode, you must explicitly set an authentication method when using VNC with QEMU compiled in FIPS mode or it won't start.

Signed-off-by: Attila-Mihaly Balazs
--- qemu-doc.texi | 10 ++++++---- qemu-options.hx | 7 ++++++- ui/vnc.c | 51 ++++++++++++++++++++++++++++++++++----------------- 3 files changed, 46 insertions(+), 22 deletions(-) diff --git a/qemu-doc.texi b/qemu-doc.texi index f37fd31..a8795b6 100644 --- a/qemu-doc.texi +++ b/qemu-doc.texi
@@ -1493,12 +1493,14 @@ considerations depending on the deployment scenarios. @node vnc_sec_none @subsection Without passwords -The simplest VNC server setup does not include any form of authentication. -For this setup it is recommended to restrict it to listen on a UNIX domain -socket only. For example +Unless otherwise specified, the VNC server starts in password authentication +mode (see the next section for details). It is possible to disable +authentication entirely when needed however it is strongly recommended to use +other methods of access control to ensure that only trusted persons can access +it. For example you could restrict it to listen on a UNIX domain socket only: @example -qemu-system-i386 [...OPTIONS...] -vnc unix:/home/joebloggs/.qemu-myvm-vnc +qemu-system-i386 [...OPTIONS...] -vnc unix:/home/jb/.qemu-myvm-vnc,insecure @end example This ensures that only users on local box with read/write access to that diff --git a/qemu-options.hx b/qemu-options.hx index 9f33361..25a17cb 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -1284,7 +1284,8 @@ requires encrypted client connections. @item password -Require that password based authentication is used for client connections. +Require that password based authentication is used for client connections. This +is the default if no authentiation mechanism is specified. The password must be set separately using the @code{set_password} command in the @ref{pcsys_monitor}. The syntax to change your password is: @@ -1301,6 +1302,10 @@ date and time). You can also use keywords "now" or "never" for the expiration time to allow password to expire immediately or never expire. +@item insecure + +Run the VNC server without any authentication. + @item tls-creds=@var{ID} Provides the ID of a set of TLS credentials to use to secure the diff --git a/ui/vnc.c b/ui/vnc.c index c862fdc..c58db4b 100644 --- a/ui/vnc.c +++ b/ui/vnc.c 
@@ -3275,6 +3275,9 @@ static QemuOptsList qemu_vnc_opts = { .name = "password", .type = QEMU_OPT_BOOL, },{ + .name = "insecure", + .type = QEMU_OPT_BOOL, + },{ .name = "reverse", .type = QEMU_OPT_BOOL, },{ @@ -3312,6 +3315,7 @@ static QemuOptsList qemu_vnc_opts = { static int vnc_display_setup_auth(VncDisplay *vs, bool password, + bool insecure, bool sasl, bool websocket, Error **errp) @@ -3454,6 +3458,16 @@ vnc_display_setup_auth(VncDisplay *vs, vs->ws_auth = VNC_AUTH_INVALID; } } + + if (vs->auth == VNC_AUTH_NONE && !insecure) { + /* + * If authentication is not specified use password authentication. + */ + VNC_DEBUG("Initializing VNC server with password auth\n"); + vs->auth = VNC_AUTH_VNC; + vs->subauth = VNC_AUTH_INVALID; + } + return 0; } @@ -3511,6 +3525,7 @@ void vnc_display_open(const char *id, Error **errp) const char *share, *device_id; QemuConsole *con; bool password = false; + bool insecure = false; bool reverse = false; const char *vnc; char *h; @@ -3622,22 +3637,7 @@ void vnc_display_open(const char *id, Error **errp) } password = qemu_opt_get_bool(opts, "password", false); - if (password) { - if (fips_get_state()) { - error_setg(errp, - "VNC password auth disabled due to FIPS mode, " - "consider using the VeNCrypt or SASL authentication " - "methods as an alternative"); - goto fail; - } - if (!qcrypto_cipher_supports( - QCRYPTO_CIPHER_ALG_DES_RFB)) { - error_setg(errp, - "Cipher backend does not support DES RFB algorithm"); - goto fail; - } - } - + insecure = qemu_opt_get_bool(opts, "insecure", false); reverse = qemu_opt_get_bool(opts, "reverse", false); lock_key_sync = qemu_opt_get_bool(opts, "lock-key-sync", true); key_delay_ms = qemu_opt_get_number(opts, "key-delay-ms", 1); 
@@ -3760,10 +3760,27 @@ void vnc_display_open(const char *id, Error **errp) } #endif - if (vnc_display_setup_auth(vs, password, sasl, vs->ws_enabled, errp) < 0) { + if (vnc_display_setup_auth( + vs, password, insecure, sasl, vs->ws_enabled, errp) < 0) { goto fail; } + if (vs->auth == VNC_AUTH_VNC) { + if (fips_get_state()) { + error_setg(errp, + "VNC password auth disabled due to FIPS mode, " + "consider using the VeNCrypt or SASL authentication " + "methods as an alternative"); + goto fail; + } + if (!qcrypto_cipher_supports( + QCRYPTO_CIPHER_ALG_DES_RFB)) { + error_setg(errp, + "Cipher backend does not support DES RFB algorithm"); + goto fail; + } + } + #ifdef CONFIG_VNC_SASL if ((saslErr = sasl_server_init(NULL, "qemu")) != SASL_OK) { error_setg(errp, "Failed to initialize SASL auth: %s",
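
Review bot: In the qemu-doc.texi hunk at @@ -1493,12, the new prose never names the option that disables authentication; `insecure` shows up only as a suffix on the example command. Suggest wording along the lines of "It is possible to disable authentication entirely with the @code{insecure} option". The subsection is still titled "Without passwords" while its first sentence now describes the password default, so the title or the ordering of the text should be revisited. The example path change from /home/joebloggs/ to /home/jb/ is unrelated to this patch and should be dropped, and "when needed however" wants a comma or a sentence break.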
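
Review bot: In the qemu-options.hx hunk at @@ -1284,7, the added line misspells "authentication" as "authentiation". In the @@ -1301,6 hunk, the `@item insecure` entry is a single sentence and does not say that the option must now be given explicitly to get an unauthenticated server, nor what happens when it is combined with `password` or `sasl`. Because `password` is now the default and the same entry says the password "must be set separately using the @code{set_password} command", the text should also say what a client sees when the server was started without options and set_password has not been run yet.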
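
Review bot: In the ui/vnc.c hunk at @@ -3454,6 (end of vnc_display_setup_auth), the new fallback rewrites vs->auth and vs->subauth but leaves vs->ws_auth untouched, although the context lines directly above show this function assigning ws_auth separately. Please confirm that a websocket listener started with no mechanism specified cannot keep an unauthenticated ws_auth after this block; if it can, set vs->ws_auth in the same branch. The condition also consults `insecure` only when vs->auth is VNC_AUTH_NONE, so `insecure` given together with `password` or `sasl` is silently ignored; rejecting that combination with error_setg() would make the resulting mode unambiguous.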
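
Review bot: In the ui/vnc.c hunk at @@ -3760,10 (vnc_display_open), the relocated FIPS and DES RFB checks are guarded by `vs->auth == VNC_AUTH_VNC`, whereas the block removed at @@ -3622,22 ran whenever `password` was true. If vnc_display_setup_auth() can leave any other value in vs->auth for a password configuration (for example when `password` is combined with tls-creds), those setups no longer reach either check. Guarding on `password || vs->auth == VNC_AUTH_VNC` would keep the old coverage and still catch the new default. Since a plain -vnc display now hits this error in FIPS mode without the user having asked for password auth, the message should also say that password is the default and name the explicit alternatives.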