Previously I provided patches for QEMU's VNC server to support SSL/TLS
and x509 certificates. This provides good encryption capabilities for
the VNC session. It doesn't really address the authentication problem
though.
I have been working to create a new authentication type in the RFB
protocol to address this need in a generic, extendable way, by mapping
the SASL API into the RFB protocol. Since SASL is a generic plugin
based API, this will allow use of a huge range of auth mechanims over
VNC, without us having to add any more auth code. For example, PAM,
Digest-MD5, GSSAPI/Kerberos, One-time key/password, LDAP password
lookup, SQL db password lookup, and more.
I have got a VNC auth type assigned by the RFB spec maintainers:
http://realvnc.com/pipermail/vnc-list/2008-December/059463.html
With the full current spec for the SASL extension currently documented
here:
http://realvnc.com/pipermail/vnc-list/2008-December/059462.html
This is the 2nd version of the patches I initially posted here
http://lists.gnu.org/archive/html/qemu-devel/2009-02/msg00255.html
Changes since last time
- Re-factor the code to move TLS and SASL methods into separate files,
vnc-tls.c, vnc-auth-vencrypt.c and vnc-auth-vencrypt.h
- Added simple access control lists for authorization of client users
on either SASL username, or x509 distinguished name
- Added proof of concept external file format for persisting ACLs
- Extend 'info vnc' to show much more information about clients and
auth
- Tested with SASL + Digest-MD5, SASL + GSSAPI. TLS + SASL + Digest-MD5
and TLS + SASL + GSSAPI. This gives coverage off all interesting
code paths and/or I/O encryption combinations.
The combined diffstat for all 7 patches about to follow, is
.hgignore | 16
Makefile | 27 +
Makefile.target | 5
b/acl.c | 264 ++++++++++++
b/acl.h | 71 +++
b/keymaps.h | 60 ++
b/qemu.sasl | 34 +
b/vnc-auth-sasl.c | 640 +++++++++++++++++++++++++++++
b/vnc-auth-sasl.h | 76 +++
b/vnc-auth-vencrypt.c | 175 +++++++
b/vnc-auth-vencrypt.h | 33 +
b/vnc-tls.c | 456 ++++++++++++++++++++
b/vnc-tls.h | 76 +++
configure | 34 +
curses.c | 3
curses_keys.h | 9
keymaps.c | 45 --
monitor.c | 80 +++
qemu-doc.texi | 109 ++++
sdl.c | 3
sdl_keysym.h | 7
vl.c | 12
vnc.c | 1100 ++++++++++++++++++--------------------------------
vnc.h | 215 +++++++++
vnc_keysym.h | 5
25 files changed, 2795 insertions(+), 760 deletions(-)
Daniel