[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (se
From: |
Alexander Graf |
Subject: |
Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode |
Date: |
Tue, 5 Jun 2012 23:51:40 +0200 |
On 05.06.2012, at 23:45, Paul Moore wrote:
> On Tuesday, June 05, 2012 03:08:26 AM Alexander Graf wrote:
>> Which gets me to a new idea. Why not exit(1) when we detect FIPS and a
>> password is set? I agree with the assessment that we should never silently
>> drop features. So the best way to make sure that the user knows he did
>> something stupid (enable FIPS, but require a non-FIPS compliant
>> authentication method) would be to just quit, no?
>
> That is basically what the patch does now. In vnc_display_open() if it
> detects that the user has supplied a VNC password it prints an error to
> stderr
> and returns an error which causes QEMU to exit.
>
> The error message displayed is shown below:
>
> "VNC password auth disabled due to FIPS mode, consider using the VeNCrypt
> or SASL authentication methods as an alernative"
>
> ... which seems pretty obvious to me. If anyone would prefer something
> different, let me know.
No, as long as the spelling is actually correct and not the one above, that's
perfectly fine. I just have a habit of not reading the patches I comment on :).
>
> On Tuesday, June 05, 2012 09:23:04 AM Anthony Liguori wrote:
>> I think my primary requirement is: allow a user to use vnc authentication
>> even when fips mode is active by using some command line option.
>
> I'll agree that FIPS mode can be a bit silly in the case of QEMU and VNC but
> to be honest, that requirement above seems just as silly to me, if not more
> so. However, if making this behavior optional is what it takes to get the
> patch accepted, so be it.
>
> I'll start working on v4 of the patch tomorrow.
Let's just wait for Anthony to reply. I'm sure he'll find it reasonable to just
quit when the environment dictates something that can't be fulfilled. After
all, enabling FIPS mode globally is like setting a global ulimit, or like
setting a disk quota, or like starting QEMU with strace. We don't randomly
ignore what our parents dictate on us ;).
Alex
- Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode, (continued)
- Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode, Anthony Liguori, 2012/06/04
- Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode, Alexander Graf, 2012/06/04
- Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode, Anthony Liguori, 2012/06/04
- Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode, Alexander Graf, 2012/06/04
- Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode, Anthony Liguori, 2012/06/04
- Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode, Alexander Graf, 2012/06/04
- Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode, Anthony Liguori, 2012/06/04
- Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode, Alexander Graf, 2012/06/04
- Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode, Gerd Hoffmann, 2012/06/05
- Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode, Paul Moore, 2012/06/05
- Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode,
Alexander Graf <=
- Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode, Paul Moore, 2012/06/05
- Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode, Anthony Liguori, 2012/06/05
- Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode, Alexander Graf, 2012/06/05
- Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode, Paul Moore, 2012/06/06
- Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode, Anthony Liguori, 2012/06/06
- Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode, Alexander Graf, 2012/06/07
- Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode, Paul Moore, 2012/06/07
- Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode, Paul Moore, 2012/06/08
- Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode, Roman Drahtmueller, 2012/06/11