[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Monitor commands related to display server passwords
From: |
Markus Armbruster |
Subject: |
Re: Monitor commands related to display server passwords |
Date: |
Wed, 30 Nov 2022 14:25:53 +0100 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux) |
Daniel P. Berrangé <berrange@redhat.com> writes:
> On Wed, Nov 30, 2022 at 09:02:56AM +0100, Markus Armbruster wrote:
>> We have a couple of password-related commands, and I'm not sure about
>> which ones should be used. In order of appearance:
>>
>> * HMP change vnc
>>
>> Change a VNC server password. Unlike set_password below, there's no
>> way to select a display other than the first.
>>
>> Note: if change's second argument isn't "vnc", w're changing removable
>> media. If you call your block device "vnc", you cannot change its
>> media. Hilarious.
>
> Note, QMP equivalent is blockdev-change-medium, which is an wrapper
> around a blockdev-open-tray/remove-medium/insert-medium/close-tray
> sequence. 'change <blockdev>' maps to this.
Yes.
> If you call your blockdev 'vnc' you're not getting sympathy
> from me ;-P But seriously, I agree with your point.
>
>> Password prompting (with hidden user input) since commit 7084851534
>> "VNC password authentication, by Daniel P. Berrange." (v0.9.1,
>> 2007-08-25).
>>
>> Password argument since commit 2569da0cb6 "Accept password as an
>> argument to 'change vnc password' monitor command (Chris Webb)"
>> (v0.10.0, 2008-12-10).
>>
>> Nowadays, this wraps around QMP change-vnc-password, discussed below.
>
>> * HMP and QMP set_password, expire_password
>>
>> Change a VNC or Spice server password. For Spice, can optionally fail
>> when connections exist, or disconnect them.
>>
>> HMP commands wrap around the respective QMP command, as they should.
>>
>> HMP set_password does not support password prompting like "change vnc"
>> does.
>>
>> Commands are present even when both CONFIG_VNC and CONFIG_SPICE are
>> off. Attempts to use them are rejected manually. Defeats
>> introspection.
>>
>> Since commit 7572150c18 "vnc/spice: add set_passwd monitor command."
>> (v0.14.0, 2010-12-09)
>>
>> Support for VNC displays other than the first since commit 675fd3c96b
>> "qapi/monitor: allow VNC display id in set/expire_password" (v7.0.0,
>> 2022-03-02).
>>
>> * QMP change-vnc-password
>>
>> Can only target the first VNC display, unlike set_password.
>>
>> Command present only with CONFIG_VNC.
>>
>> Since commit 270b243f91 "qapi: Introduce change-vnc-password" (v1.1,
>> 2012-01-18).
>
> IIRC, this was designed as a 1-1 mapping to replace the QMP
> 'change vnc' command, except it was obviously redundant
> since we had already added 'set_passwd' by that point. I
> vaguely recall this was all just an oversight on part of
> author and reviewers.
Happens.
>> Do we really need / want both set_password and change-vnc-password in
>> QMP?
>
> Nope.
>
>> On the one hand, set_password feels outdated from a QAPI point of view:
>> it violates the naming rules, and it defeats introspection. On the
>> other hand, it's more powerful.
>>
>> Do we really need / want both set_password and "change vnc" in HMP?
>> set_password is more powerful, but only "change vnc" supports password
>> prompting.
>>
>> Getting rid of "change vnc" would fix the "cannot change media for block
>> device named 'vnc'" wart.
>
>> Related: QCryptoSecret objects.
>
> snip
>
>> Currently used by various block backends and the tls-creds-x509 object.
>>
>> Would it make sense with display servers, too?
>
> In 6.0 I introduced support for 'password-secret' to SPICE and VNC
> command line.
>
> I don't know why, but I only deprecated 'password' in SPICE and
> not in VNC.
I figure you mean
``-spice password=string`` (since 6.0)
''''''''''''''''''''''''''''''''''''''
This option is insecure because the SPICE password remains visible in
the process listing. This is replaced by the new ``password-secret``
option which lets the password be securely provided on the command
line using a ``secret`` object instance.
and -vnc password=...
There's also -iscsi password=..., and possibly more.
> I didn't wire up any QMP commands todo live password changes. If
> the display was already configured with 'password-secret', you
> could delete and re-create the existing named secret object
> using object-add/object-del, since we fetch the secret value
> on every auth check.
Is this behavior documented?
> There's no way to change from password-off to password-on mode
> and vica-verca.
>
> Also no way to change other things like expiry time,
>
> We since gained the 'display-update' command, which could be
> extended to allow change expiry time, and turning on/off
> use of passwords, and even changing what 'secret' they
> point to.
>
> So overall I say
>
> * Deprecate VNC 'password' option
> * Deprecated QMP and HMP commands for changing VNC/SPICE
> password
> * Extend 'display-update' other other misc live changes
Makes sense.
Of course, we can deprecate the old commands for changing passwords only
after we extended display-update to replace them.