[Qemu-devel] [Bug 1809252] Re: Password authentication in FIPS-compliant
From: Daniel Berrange
Subject: [Qemu-devel] [Bug 1809252] Re: Password authentication in FIPS-compliant mode
Date: Thu, 20 Dec 2018 14:47:55 -0000

The VNC password authentication scheme is not extensible. It is
unfixably broken by design.

QEMU provides the SASL authentication scheme for VNC which allows for
strong authentication, when combined with the VeNCrypt authentication
scheme that uses TLS.

These extensions are supported by the gtk-vnc client used by
remote-viewer, virt-viewer, virt-manager, GNOME Boxes and more. Other VNC
clients are also known to implement VeNCrypt, though SASL support is
less widespread.

From a QEMU POV, there's nothing more we need to do really - any
remaining gaps are client side.

** Changed in: qemu
Status: New => Invalid
--
https://bugs.launchpad.net/bugs/1809252
Title:
Password authentication in FIPS-compliant mode
Status in QEMU:
Invalid
Bug description:
The documentation states that:
"The VNC protocol has limited support for password based
authentication. (...) Password authentication is not supported when
operating in FIPS 140-2 compliance mode as it requires the use of the
DES cipher."
Would it be possible for qemu to use a different cipher and re-enable
password as an option in VNC console? Is there a technical reason for
not using a stronger cipher?
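
Added example, not part of the original message or of QEMU: a small audit helper that classifies a QEMU -vnc option string according to the guidance in the reply above (password authentication depends on DES; SASL combined with VeNCrypt/TLS is the strong configuration). The function names, verdict labels and sample option strings are constructed for illustration; the option names checked are QEMU's password, sasl and tls-creds.

```python
# Added example: audit QEMU -vnc option strings for their authentication posture.
# Verdict labels and sample inputs are assumptions made for this illustration.

def parse_vnc_opts(value):
    """Split '<display>,opt[=val],...' into (display, {opt: val})."""
    display, *rest = value.split(",")
    opts = {}
    for item in rest:
        key, _, val = item.partition("=")
        opts[key] = val if val else "on"  # a bare flag such as 'sasl' means on
    return display, opts

def enabled(opts, key):
    """True when a boolean-style option is present and not switched off."""
    return opts.get(key, "off") != "off"

def classify(value):
    """Return (verdict, reason) for one -vnc option string."""
    _, opts = parse_vnc_opts(value)
    tls = "tls-creds" in opts
    sasl = enabled(opts, "sasl")
    if enabled(opts, "password"):
        # Still DES-based even when wrapped in TLS, so unusable in FIPS mode.
        return ("weak", "VNC password auth requires DES; not supported in FIPS mode")
    if sasl and tls:
        return ("strong", "SASL authentication inside a VeNCrypt TLS session")
    if sasl:
        return ("review", "SASL without TLS; protection depends on the SASL mechanism")
    if tls:
        return ("review", "TLS only; client authentication depends on certificate verification")
    return ("none", "no authentication configured")

# Constructed sample option strings (not taken from any real deployment).
SAMPLES = [
    ":1,password",
    ":1,password=on,tls-creds=tls0",
    ":1,sasl=on",
    ":1,tls-creds=tls0,sasl",
    "127.0.0.1:0",
]

if __name__ == "__main__":
    for s in SAMPLES:
        verdict, reason = classify(s)
        print(f"{s:32} {verdict:7} {reason}")
```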