|
From: | Gerd Hoffmann |
Subject: | Re: [Qemu-devel] [PATCH 2/3] vnc: support password expire |
Date: | Tue, 02 Nov 2010 12:15:26 +0100 |
User-agent: | Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9) Gecko/20100827 Red Hat/3.1.3-1.el6 Thunderbird/3.1.3 |
Hi,
How does password expiration help with security at all?VNC passwords are obviously rather weak, so if you can limit the time the password is valid to the window in which you are expecting the incoming VNC connection this limits the time to attack the VNC password. A mgmt tool could do - Set a VNC password - Open the VNC connection - Clear the VNC password If anything goes wrong in the mgmt tool at step 2 though, then it may never to step 3, leaving the VNC server accessible. If it had set a password expiry at step 1, it would have a safety net that guarentees the password will be invalid after 'n' seconds, even if not explicitly cleared. Given how little code this is in QEMU, I think it is a worthwhile feature.
Anthony? Do you agree? If so I have a updated tree to pull from for you (rebased to latest master, added sign-offs, otherwise unmodified).
thanks, Gerd The following changes since commit 7d72e76228351d18a856f1e4f5365b59d3205dc3: intel-hda: documentation update (2010-11-02 00:41:04 +0300) are available in the git repository at: git://anongit.freedesktop.org/spice/qemu passwd.2 Gerd Hoffmann (3): vnc: auth reject cleanup vnc: support password expire vnc/spice: add set_passwd monitor command. console.h | 2 +- hmp-commands.hx | 23 ++++++++++++++++++++monitor.c | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
ui/qemu-spice.h | 3 ++ ui/spice-core.c | 7 ++++++ ui/vnc.c | 43 +++++++++++++++++++++++--------------- ui/vnc.h | 1 + 7 files changed, 120 insertions(+), 20 deletions(-)
[Prev in Thread] | Current Thread | [Next in Thread] |