Re: [Qemu-devel] PATCH: 6/9: Add SASL authentication support
From: Daniel P. Berrange
Subject: Re: [Qemu-devel] PATCH: 6/9: Add SASL authentication support
Date: Fri, 27 Feb 2009 10:46:23 +0000
User-agent: Mutt/1.4.1i
On Thu, Feb 26, 2009 at 11:56:24AM +0000, Daniel P. Berrange wrote:
> This patch adds the new SASL authentication protocol to the VNC server.
>
> diff -r 0eb0b12c0673 vnc-auth-sasl.c
> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
> +++ b/vnc-auth-sasl.c Mon Feb 23 13:40:03 2009 +0000
> +
> +#include "vnc.h"
> +
> +/* Max amount of data we send/recv for SASL steps to prevent DOS */
> +#define SASL_DATA_MAX_LEN (1024 * 1024)
> +
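Review bot: the comment above SASL_DATA_MAX_LEN should record the reasoning that otherwise lives only in this mail thread, because the next reader of vnc-auth-sasl.c will not have it: that the value is a server-side sanity bound on a single auth step rather than part of the VNC SASL wire protocol (so it can be raised without a protocol change), and that 1 MiB was sized against Windows Kerberos tokens, whose default MaxTokenSize the quoted technote puts at 65,535 bytes. Something like `/* Max bytes accepted in one SASL step. Server-side DoS bound, not part of the protocol; 1 MiB is far above the Windows MaxTokenSize default of 65,535 */` would do. Also, "DOS" reads as the operating system; "DoS" is the conventional spelling for denial of service.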
FYI, last time I posted this series, a question was raised about whether
this limit is large enough for Windows Kerberos tickets with lots of
groups. I've done a little googling and found this Microsoft technote
http://technet.microsoft.com/en-us/library/cc756101.aspx
"Recommended Maximum Kerberos Settings
The maximum recommended size for a Kerberos ticket is 65,535 bytes,
which is configured through the MaxTokenSize REG_DWORD value in the
registry
(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Lsa\Kerberos\Parameters).
Increasing this value from the default may cause errors, particularly
when Web browsers or Web servers are used."
Given that Microsoft recommends a max size of 65,535 bytes I think we
should be OK with this 1MB limit on a SASL auth step. In any case this
is only a server side sanity check, not a fundamental part of the auth
protocol definition, so we can easily increase it in future should it become
a problem.
Regards,
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
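The bound discussed in the message above, as an added example that is not QEMU's code and not part of the patch: a reader for one length-prefixed SASL auth step that rejects an oversized claimed length before any allocation, so a client cannot make the server reserve memory it will never fill. The framing assumed here (a 32-bit big-endian length followed by that many bytes of opaque SASL data) and every function name are assumptions for illustration; only the 1 MiB value and the 65,535-byte Windows MaxTokenSize come from the thread.

```c
/*
 * Added example, not QEMU's code: enforce a SASL_DATA_MAX_LEN style bound
 * on one client auth step before allocating. Assumed framing (not taken
 * from the patch): 32-bit big-endian length, then that many bytes of
 * SASL data. All function names are hypothetical.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SASL_DATA_MAX_LEN (1024 * 1024)      /* same value as the patch */
#define WINDOWS_KERBEROS_MAX_TOKEN 65535    /* default MaxTokenSize, per the technote */

enum sasl_step_rc {
    SASL_STEP_OK       =  0,  /* complete step copied to *out */
    SASL_STEP_SHORT    = -1,  /* need more bytes from the socket */
    SASL_STEP_TOO_LONG = -2,  /* claimed length exceeds SASL_DATA_MAX_LEN */
    SASL_STEP_NOMEM    = -3
};

/*
 * Parse one client step from buf[0..len). The bound is applied to the
 * claimed length as soon as the 4-byte header is in, before the payload
 * arrives and before malloc, so a 4-byte header cannot cost the server
 * up to 4 GiB per connection. On SASL_STEP_OK the caller frees *out.
 */
int sasl_parse_step(const uint8_t *buf, size_t len,
                    uint8_t **out, uint32_t *outlen)
{
    if (len < 4)
        return SASL_STEP_SHORT;
    uint32_t claimed = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                       ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    if (claimed > SASL_DATA_MAX_LEN)
        return SASL_STEP_TOO_LONG;       /* reject now; do not wait for data */
    if (len - 4 < claimed)
        return SASL_STEP_SHORT;          /* within bound; keep reading */
    uint8_t *copy = malloc(claimed ? claimed : 1);
    if (!copy)
        return SASL_STEP_NOMEM;
    memcpy(copy, buf + 4, claimed);
    *out = copy;
    *outlen = claimed;
    return SASL_STEP_OK;
}

/* Constructed input: header claiming `claimed` bytes plus `payload` bytes of 'A'. */
static size_t encode_step(uint8_t *dst, size_t cap, uint32_t claimed, size_t payload)
{
    if (cap < 4 + payload)
        return 0;
    dst[0] = (uint8_t)(claimed >> 24);
    dst[1] = (uint8_t)(claimed >> 16);
    dst[2] = (uint8_t)(claimed >> 8);
    dst[3] = (uint8_t)claimed;
    memset(dst + 4, 'A', payload);
    return 4 + payload;
}

/* A step the size of a maximal Windows Kerberos token: well inside the limit. */
int scenario_kerberos_token(void)
{
    static uint8_t buf[4 + WINDOWS_KERBEROS_MAX_TOKEN];
    size_t n = encode_step(buf, sizeof buf, WINDOWS_KERBEROS_MAX_TOKEN,
                           WINDOWS_KERBEROS_MAX_TOKEN);
    uint8_t *data = NULL;
    uint32_t datalen = 0;
    int rc = sasl_parse_step(buf, n, &data, &datalen);
    int ok = (rc == SASL_STEP_OK && datalen == WINDOWS_KERBEROS_MAX_TOKEN &&
              data[datalen - 1] == 'A');
    free(data);
    return ok ? SASL_STEP_OK : -99;
}

/* A header claiming 2 MiB with no payload yet: rejected before any allocation. */
int scenario_oversized_claim(void)
{
    uint8_t buf[4];
    size_t n = encode_step(buf, sizeof buf, 2 * 1024 * 1024, 0);
    uint8_t *data = NULL;
    uint32_t datalen = 0;
    return sasl_parse_step(buf, n, &data, &datalen);
}

/* A header claiming exactly the limit with no payload yet: allowed, keep reading. */
int scenario_at_limit_header_only(void)
{
    uint8_t buf[4];
    size_t n = encode_step(buf, sizeof buf, SASL_DATA_MAX_LEN, 0);
    uint8_t *data = NULL;
    uint32_t datalen = 0;
    return sasl_parse_step(buf, n, &data, &datalen);
}

int main(void)
{
    printf("Kerberos-sized step:   rc=%d\n", scenario_kerberos_token());
    printf("2 MiB claim:           rc=%d\n", scenario_oversized_claim());
    printf("1 MiB claim, no data:  rc=%d\n", scenario_at_limit_header_only());
    return 0;
}
```

The order of the checks is the point: the limit is compared against the claimed length as soon as the header is in, so an oversized claim is refused without the server either buffering toward it or allocating for it, while a claim at or under the limit simply waits for more data as the message describes.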
- [Qemu-devel] PATCH: 0/9: Support SASL authentication in VNC server (version 3), Daniel P. Berrange, 2009/02/26
- Re: [Qemu-devel] PATCH: 1/9: Fix bug in TLS authenticataion, Daniel P. Berrange, 2009/02/26
- Re: [Qemu-devel] PATCH: 2/9: Enhance 'info vnc' monitor output, Daniel P. Berrange, 2009/02/26
- Re: [Qemu-devel] PATCH: 3/9: Refactor keymap code to avoid duplication, Daniel P. Berrange, 2009/02/26
- Re: [Qemu-devel] PATCH: 4/9: Move VNC structs into header file, Daniel P. Berrange, 2009/02/26
- Re: [Qemu-devel] PATCH: 5/9: Move TLS auth into separate file, Daniel P. Berrange, 2009/02/26
- Re: [Qemu-devel] PATCH: 6/9: Add SASL authentication support, Daniel P. Berrange, 2009/02/26
- Re: [Qemu-devel] PATCH: 7/9: Include auth credentials in 'info vnc', Daniel P. Berrange, 2009/02/26
- Re: [Qemu-devel] PATCH: 8/9: Support ACLs for controlling VNC access, Daniel P. Berrange, 2009/02/26
- Re: [Qemu-devel] PATCH: 9/9: Persist ACLs in external files, Daniel P. Berrange, 2009/02/26