[pve-devel] [PATCH] Enable VeNCrypt PLAIN authentication

Alexandre Derumier aderumier at odiso.com
Wed Aug 8 10:17:34 CEST 2012


https://bugzilla.proxmox.com/show_bug.cgi?id=84

This enables VNC plain authentication.

So an external VNC client without x509 can connect without hacking the code.

We can also use the noVNC console with plain authentication (over SSL) or the Java console with x509 authentication.

Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
 debian/patches/series                    |    1 +
 debian/patches/vencrypt-auth-plain.patch |   77 ++++++++++++++++++++++++++++++
 2 files changed, 78 insertions(+), 0 deletions(-)
 create mode 100644 debian/patches/vencrypt-auth-plain.patch

diff --git a/debian/patches/series b/debian/patches/series
index ab59a91..d20745b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,4 @@ set-max-nics.patch
 pve-auth.patch
 update-cpus-x86_64.conf-to-rhel6.2-version.patch
 rbd-enable-cacheoption.patch
+vencrypt-auth-plain.patch
diff --git a/debian/patches/vencrypt-auth-plain.patch b/debian/patches/vencrypt-auth-plain.patch
new file mode 100644
index 0000000..9c30224
--- /dev/null
+++ b/debian/patches/vencrypt-auth-plain.patch
@@ -0,0 +1,77 @@
+--- qemu-kvm/ui/vnc-auth-vencrypt.c	2012-01-17 01:31:17.000000000 +0100
++++ qemu-kvm.new/ui/vnc-auth-vencrypt.c	2012-01-17 01:31:48.000000000 +0100
+@@ -143,6 +143,11 @@
+        vnc_read_when(vs, protocol_client_auth_plain_start, 8);
+        break;
+ 
++    case VNC_AUTH_VENCRYPT_PLAIN:
++       VNC_DEBUG("Start auth PLAIN\n");
++       vnc_read_when(vs, protocol_client_auth_plain_start, 8);
++       break;
++
+     case VNC_AUTH_VENCRYPT_TLSVNC:
+     case VNC_AUTH_VENCRYPT_X509VNC:
+        VNC_DEBUG("Start TLS auth VNC\n");
+@@ -226,25 +231,32 @@
+ {
+     int auth = read_u32(data, 0);
+ 
+-    if (auth != vs->subauth) {
++    if (auth != vs->subauth && auth != VNC_AUTH_VENCRYPT_PLAIN) {
+         VNC_DEBUG("Rejecting auth %d\n", auth);
+         vnc_write_u8(vs, 0); /* Reject auth */
+         vnc_flush(vs);
+         vnc_client_error(vs);
+     } else {
+-        VNC_DEBUG("Accepting auth %d, setting up TLS for handshake\n", auth);
+-        vnc_write_u8(vs, 1); /* Accept auth */
+-        vnc_flush(vs);
+-
+-        if (vnc_tls_client_setup(vs, NEED_X509_AUTH(vs)) < 0) {
+-            VNC_DEBUG("Failed to setup TLS\n");
+-            return 0;
++        if (auth == VNC_AUTH_VENCRYPT_PLAIN) {
++            vs->subauth = auth; 
++            start_auth_vencrypt_subauth(vs);
+         }
+-
+-        VNC_DEBUG("Start TLS VeNCrypt handshake process\n");
+-        if (vnc_start_vencrypt_handshake(vs) < 0) {
+-            VNC_DEBUG("Failed to start TLS handshake\n");
+-            return 0;
++        else
++        {
++            VNC_DEBUG("Accepting auth %d, setting up TLS for handshake\n", auth);
++            vnc_write_u8(vs, 1); /* Accept auth */
++            vnc_flush(vs); 
++
++	     if (vnc_tls_client_setup(vs, NEED_X509_AUTH(vs)) < 0) {
++                VNC_DEBUG("Failed to setup TLS\n");
++                return 0;
++            }
++
++            VNC_DEBUG("Start TLS VeNCrypt handshake process\n");
++            if (vnc_start_vencrypt_handshake(vs) < 0) {
++                VNC_DEBUG("Failed to start TLS handshake\n");
++                return 0;
++            }
+         }
+     }
+     return 0;
+@@ -259,10 +271,11 @@
+         vnc_flush(vs);
+         vnc_client_error(vs);
+     } else {
+-        VNC_DEBUG("Sending allowed auth %d\n", vs->subauth);
++        VNC_DEBUG("Sending allowed auths %d %d\n", vs->subauth, VNC_AUTH_VENCRYPT_PLAIN);
+         vnc_write_u8(vs, 0); /* Accept version */
+-        vnc_write_u8(vs, 1); /* Number of sub-auths */
++        vnc_write_u8(vs, 2); /* Number of sub-auths */
+         vnc_write_u32(vs, vs->subauth); /* The supported auth */
++	 vnc_write_u32(vs, VNC_AUTH_VENCRYPT_PLAIN); /* Alternative supported auth */
+         vnc_flush(vs);
+         vnc_read_when(vs, protocol_client_vencrypt_auth, 4);
+     }
+-- 
+1.7.2.5
+
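Review bot: In the nested hunk `@@ -226,25 +231,32 @@` (presumably the body of `protocol_client_vencrypt_auth`), the new test `auth != vs->subauth && auth != VNC_AUTH_VENCRYPT_PLAIN` accepts PLAIN from any client whatever sub-auth the display was configured with, and that branch calls `start_auth_vencrypt_subauth(vs)` without going through `vnc_tls_client_setup()`. A display set up for TLS/X509 can therefore be negotiated down to a session where the username and password are read unencrypted. The last nested hunk likewise advertises PLAIN unconditionally (`vnc_write_u8(vs, 2)`), and would list it twice if `vs->subauth` is already PLAIN. I would make this opt-in, e.g. `if (auth != vs->subauth && !(plain_allowed && auth == VNC_AUTH_VENCRYPT_PLAIN)) {` with `plain_allowed` as a placeholder for a new per-display setting, send the second sub-auth only when it is set, and add a comment that PLAIN is meant for listeners reachable only via loopback or a TLS-terminating proxy. The PLAIN branch also omits the `vnc_write_u8(vs, 1); /* Accept auth */` that the other branch sends, which is worth confirming against the clients this targets; the function bodies start and end outside the nested hunks.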
-- 
1.7.2.5


