Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (se
From: Paul Moore
Subject: Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode
Date: Tue, 05 Jun 2012 18:06:49 -0400
User-agent: KMail/4.8.3 (Linux/3.3.7-gentoo; KDE/4.8.3; x86_64; ; )

On Tuesday, June 05, 2012 11:51:40 PM Alexander Graf wrote:
> On 05.06.2012, at 23:45, Paul Moore wrote:
> > On Tuesday, June 05, 2012 03:08:26 AM Alexander Graf wrote:
> >> Which gets me to a new idea. Why not exit(1) when we detect FIPS and a
> >> password is set? I agree with the assessment that we should never
> >> silently drop features. So the best way to make sure that the user knows
> >> he did something stupid (enable FIPS, but require a non-FIPS compliant
> >> authentication method) would be to just quit, no?
> >
> > That is basically what the patch does now. In vnc_display_open() if it
> > detects that the user has supplied a VNC password it prints an error to
> > stderr and returns an error which causes QEMU to exit.
> >
> > The error message displayed is shown below:
> >
> > "VNC password auth disabled due to FIPS mode, consider using the VeNCrypt
> > or SASL authentication methods as an alernative"
> >
> > ... which seems pretty obvious to me. If anyone would prefer something
> > different, let me know.
>
> No, as long as the spelling is actually correct and not the one above,
> that's perfectly fine.

What, not a fan of my "alernative" spelling? Fixed in the next version of the
patch :)

> I just have a habit of not reading the patches I comment on :).

If nothing else, it makes the discussions much more interesting :)

> > On Tuesday, June 05, 2012 09:23:04 AM Anthony Liguori wrote:
> >> I think my primary requirement is: allow a user to use vnc authentication
> >> even when fips mode is active by using some command line option.
> >
> > I'll agree that FIPS mode can be a bit silly in the case of QEMU and VNC
> > but to be honest, that requirement above seems just as silly to me, if
> > not more so. However, if making this behavior optional is what it takes
> > to get the patch accepted, so be it.
> >
> > I'll start working on v4 of the patch tomorrow.
>
> Let's just wait for Anthony to reply ...

Fine with me, I've got plenty else to do in the meantime and I don't think
this is 1.1 material anyway.

--
paul moore
security and virtualization @ redhat
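
The fail-closed behaviour discussed in this thread, sketched as an added example; it is not the patch under review and not QEMU code. The names fips_enabled(), vnc_check_auth() and struct vnc_opts are hypothetical, and reading the Linux flag file /proc/sys/crypto/fips_enabled is an assumption about how FIPS mode is detected, since the thread does not show that part.

```c
#include <stdio.h>

/* Linux kernel FIPS flag; the file reads "1" when FIPS mode is on. */
#define FIPS_PATH "/proc/sys/crypto/fips_enabled"

/* Return 1 if the flag file at `path` starts with '1', else 0.
 * Assumption: a missing or unreadable file means "not in FIPS mode". */
int fips_enabled(const char *path)
{
    FILE *f = fopen(path, "r");
    int c;

    if (!f)
        return 0;
    c = fgetc(f);
    fclose(f);
    return c == '1';
}

/* Hypothetical, simplified view of the VNC options a user passed. */
struct vnc_opts { int password; int sasl; int tls; };

/* Refuse to start instead of silently dropping the feature: return -1
 * and fill `err` when a VNC password is requested under FIPS mode. */
int vnc_check_auth(const struct vnc_opts *o, int fips, char *err, size_t len)
{
    err[0] = '\0';
    if (fips && o->password) {
        /* Message text from the thread, with the spelling corrected. */
        snprintf(err, len, "VNC password auth disabled due to FIPS mode, "
                 "consider using the VeNCrypt or SASL authentication "
                 "methods as an alternative");
        return -1;
    }
    return 0;
}

int main(void)
{
    struct vnc_opts o = { .password = 1 };   /* constructed sample config */
    char err[160];

    if (vnc_check_auth(&o, fips_enabled(FIPS_PATH), err, sizeof(err)) < 0) {
        fprintf(stderr, "%s\n", err);
        return 1;                            /* caller exits, as in the thread */
    }
    puts("VNC configuration accepted");
    return 0;
}
```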