1. 19 Jul, 2013 1 commit
  2. 06 Mar, 2009 1 commit
    • aliguori's avatar
      Add SASL authentication support ("Daniel P. Berrange") · 2f9606b3
      aliguori authored
      This patch adds the new SASL authentication protocol to the VNC server.
      It is enabled by setting the 'sasl' flag when launching VNC. SASL can
      optionally provide encryption via its SSF layer, if a suitable mechanism
      is configured (eg, GSSAPI/Kerberos, or Digest-MD5).  If an SSF layer is
      not available, then it should be combined with the x509 VNC authentication
      protocol which provides encryption.
      eg, if using GSSAPI
         qemu -vnc localhost:1,sasl
      eg if using  TLS/x509 for encryption
         qemu -vnc localhost:1,sasl,tls,x509
      By default the Cyrus SASL library will look for its configuration in
      the file /etc/sasl2/qemu.conf.  For non-root users, this can be overridden
      by setting the SASL_CONF_PATH environment variable, eg to make it look in
      $HOME/.sasl2.  NB unprivileged users may not have access to the full range
      of SASL mechanisms, since some of them require some administrative privileges
      to configure. The patch includes an example SASL configuration file which
      illustrates config for GSSAPI and Digest-MD5, though it should be noted that
      the latter is not really considered secure any more.
      Most of the SASL authentication code is located in a separate source file,
      vnc-auth-sasl.c.  The main vnc.c file only contains minimal integration
      glue, specifically parsing of command line flags / setup, and calls to
      start the SASL auth process, to do encoding/decoding for data.
      There are several possible stacks for reading & writing of data, depending
      on the combo of VNC authentication methods in use
       - Clear.    read/write straight to socket
       - TLS.      read/write via GNUTLS helpers
       - SASL.     encode/decode via SASL SSF layer, then read/write to socket
       - SASL+TLS. encode/decode via SASL SSF layer, then read/write via GNUTLS
      Hence, the vnc_client_read & vnc_client_write methods have been refactored
      a little.
         vnc_client_read:  main entry point for reading, calls either
             - vnc_client_read_plain   reading, with no intermediate decoding
             - vnc_client_read_sasl    reading, with SASL SSF decoding
         These two methods, then call vnc_client_read_buf(). This decides
         whether to write to the socket directly or write via GNUTLS.
      The situation is the same for writing data. More extensive comments
      have been added in the code / patch. The vnc_client_read_sasl and
      vnc_client_write_sasl method implementations live in the separate
      vnc-auth-sasl.c file.
      The state required for the SASL auth mechanism is kept in a separate
      VncStateSASL struct, defined in vnc-auth-sasl.h and included in the
      main VncState.
      The configure script probes for SASL and automatically enables it
      if found, unless --disable-vnc-sasl was given to override it.
       Makefile            |    7 
       Makefile.target     |    5 
       b/qemu.sasl         |   34 ++
       b/vnc-auth-sasl.c   |  626 ++++++++++++++++++++++++++++++++++++++++++++++++++++
       b/vnc-auth-sasl.h   |   67 +++++
       configure           |   34 ++
       qemu-doc.texi       |   97 ++++++++
       vnc-auth-vencrypt.c |   12 
       vnc.c               |  249 ++++++++++++++++++--
       vnc.h               |   31 ++
       10 files changed, 1129 insertions(+), 33 deletions(-)
      Signed-off-by: default avatarDaniel P. Berrange <berrange@redhat.com>
      Signed-off-by: default avatarAnthony Liguori <aliguori@us.ibm.com>
      git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6724 c046a42c-6fe2-441c-8c8c-71466251a162