[pve-devel] pve-spice 0.12 package + report
Alexandre DERUMIER
aderumier at odiso.com
Tue Oct 2 10:06:35 CEST 2012
About SASL:
http://spice-space.org/page/Features/SASL
"Testing
Running QEMU/KVM standalone, with SASL enabled.
Add the ',sasl' flag when launching QEMU with a Spice server.
The choice of SASL mechanism is made in /etc/sasl2/qemu.conf. "digest-md5" is a simple (but not very secure) username+ password method, while "gssapi" enables Kerberos (TODO: Kerberos untested with Spice so far)
If using SASL mechanism, then just add the 'sasl' flag eg with TLS:
qemu ... -spice tls-port=5930,disable-ticketing,x509-key-file=server-key.pem,
x509-key-password=redhat,x509-cert-file=server-cert.pem,
x509-cacert-file=ca-cert.pem,sasl"
But I don't know if SASL is already implemented in the client.
implementation in ovirt:
http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal
"So what happens when you hit the "Console" button?
ovirt-engine sets a new password and it's expiry time (by default 120 s) which compose together a ticket
ovirt-engine looks up other connection details (more on them later) in its database
ovirt-engine passes all the connection info to the portal
portal sets variables on spice-xpi object
spice-xpi launches spice client and passes variables to it via unix socket
spice client connects directly to a host using data given to it by the portal"
So authentication is done internally in the oVirt user database, then a temporary ticket of 120 s is generated and the spice client sends it as the password.
I don't think it's less secure; brute-forcing the ticket in a short time is very difficult (the ticket is encrypted with RSA).
----- Original Message -----
From: "Michael Rasmussen" <mir at datanom.net>
To: pve-devel at pve.proxmox.com
Sent: Monday 1 October 2012 17:45:56
Subject: Re: [pve-devel] pve-spice 0.12 package + report
On Mon, 1 Oct 2012 15:40:33 +0000
Dietmar Maurer <dietmar at proxmox.com> wrote:
> > for pve-auth ?
> > spicec client only sends the password without a login, I don't see how we can do
> > this without hacking the client...
>
> So how is that expected to work? Authentication needs a user name, else it does not make much sense?
"In addition to encryption, the SPICE protocol allows for a choice of
authentication schemes. The original SPICE protocol defined a ticket
based authentication scheme using a shared secret. The server would
generate an RSA public/private keypair and send its public key to the
client. The client would encrypt the ticket (password) with the public
key and send the result back to the server, which would decrypt and
verify the ticket. The current SPICE protocol also allows for use of
the SASL authentication protocol, thus enabling support for a wide
range of admin configurable authentication mechanisms, in particular
Kerberos"
http://en.wikipedia.org/wiki/SPICE_(protocol)
--
Hilsen/Regards
Michael Rasmussen
Get my public GnuPG keys:
michael <at> rasmussen <dot> cc
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD3C9A00E
mir <at> datanom <dot> net
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE501F51C
mir <at> miras <dot> org
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE3E80917
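The ticket exchange both quoted passages describe (server generates an RSA keypair and sends the public key; client encrypts the ticket with it; server decrypts and verifies; oVirt additionally gives the ticket a 120 s lifetime) written out end to end. This is an added example, not code from SPICE, oVirt or Proxmox. It assumes a 2048-bit key, RSA-OAEP with SHA-1 as the encryption padding, and a 32-character hex ticket; none of those details are stated on the page, and the 120 s default is taken from the quoted oVirt text.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/subtle"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// errAuth is returned for every failure so the client cannot tell a wrong
// ticket from an expired one or a malformed blob.
var errAuth = errors.New("spice ticket authentication failed")

// Server models the SPICE side: an RSA keypair plus the current ticket
// (shared secret) and the moment it stops being valid.
type Server struct {
	key     *rsa.PrivateKey
	ticket  []byte
	expires time.Time
}

// NewServer generates the RSA keypair whose public half is sent to the client.
// 2048 bits is an assumption for the example; the page gives no key size.
func NewServer() (*Server, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Server{key: key}, nil
}

// SetTicket installs a fresh random ticket that dies after lifetime, the
// "new password + expiry time" step the quoted oVirt page describes.
// The ticket is returned so it can be handed to the client out of band.
// The 16-byte/hex format is constructed for the example, not SPICE's own.
func (s *Server) SetTicket(now time.Time, lifetime time.Duration) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	s.ticket = []byte(hex.EncodeToString(raw))
	s.expires = now.Add(lifetime)
	return string(s.ticket), nil
}

// PublicKeyDER is the public key the server sends the client at link time.
func (s *Server) PublicKeyDER() ([]byte, error) {
	return x509.MarshalPKIXPublicKey(&s.key.PublicKey)
}

// VerifyTicket decrypts the client's blob with the private key and accepts
// it only if a ticket is set, it has not expired, and the plaintext matches
// in constant time. A replayed blob fails once the ticket has expired.
func (s *Server) VerifyTicket(encrypted []byte, now time.Time) error {
	plain, err := rsa.DecryptOAEP(sha1.New(), rand.Reader, s.key, encrypted, nil)
	if err != nil {
		return errAuth
	}
	if s.ticket == nil || !now.Before(s.expires) {
		return errAuth
	}
	if subtle.ConstantTimeCompare(plain, s.ticket) != 1 {
		return errAuth
	}
	return nil
}

// ClientEncryptTicket is the client side: parse the DER public key received
// from the server and encrypt the ticket so only the private key can read it.
func ClientEncryptTicket(pubDER []byte, ticket string) ([]byte, error) {
	pub, err := x509.ParsePKIXPublicKey(pubDER)
	if err != nil {
		return nil, err
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("server key is not RSA")
	}
	return rsa.EncryptOAEP(sha1.New(), rand.Reader, rsaPub, []byte(ticket), nil)
}

func main() {
	srv, err := NewServer()
	if err != nil {
		panic(err)
	}
	issued := time.Now()
	ticket, _ := srv.SetTicket(issued, 120*time.Second)
	pubDER, _ := srv.PublicKeyDER()

	blob, _ := ClientEncryptTicket(pubDER, ticket)
	fmt.Println("fresh ticket:          ", srv.VerifyTicket(blob, issued.Add(30*time.Second)))
	fmt.Println("same blob after expiry:", srv.VerifyTicket(blob, issued.Add(121*time.Second)))
	bad, _ := ClientEncryptTicket(pubDER, "not-the-ticket")
	fmt.Println("wrong ticket:          ", srv.VerifyTicket(bad, issued))
}
```

The point the short lifetime buys is visible in VerifyTicket: the encrypted blob is only ever compared against the ticket that is current right now, so an attacker who captures it has at most the 120 s window, and an offline guess against the RSA-wrapped value does not help because the secret itself changes on every console launch.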