[Spice-devel] [PATCH] spice: add SASL support

Alon Levy alevy at redhat.com
Wed May 4 03:08:57 PDT 2011


On Tue, May 03, 2011 at 10:31:11PM +0200, Marc-André Lureau wrote:

ACK by me, but you should send this to qemu-devel at nongnu.org too.

> Turn on SASL support by appending "sasl" to the spice arguments, which
> requires that the client use SASL to authenticate with the spice.  The
> exact choice of authentication method used is controlled from the
> system / user's SASL configuration file for the 'qemu' service. This
> is typically found in /etc/sasl2/qemu.conf. If running QEMU as an
> unprivileged user, an environment variable SASL_CONF_PATH can be used
> to make it search alternate locations for the service config.  While
> some SASL auth methods can also provide data encryption (e.g. GSSAPI),
> it is recommended that SASL always be combined with the 'tls' and
> 'x509' settings to enable use of SSL and server certificates. This
> ensures data encryption, preventing compromise of authentication
> credentials.
> 
> It requires support from spice 0.8.1.
> ---
>  qemu-config.c   |    9 ++++++---
>  qemu-options.hx |   13 +++++++++++++
>  ui/spice-core.c |   12 ++++++++++++
>  3 files changed, 31 insertions(+), 3 deletions(-)
> 
> diff --git a/qemu-config.c b/qemu-config.c
> index 6d9c238..bc9a42a 100644
> --- a/qemu-config.c
> +++ b/qemu-config.c
> @@ -311,7 +311,7 @@ static QemuOptsList qemu_trace_opts = {
>              .name = "file",
>              .type = QEMU_OPT_STRING,
>          },
> -        { /* end if list */ }
> +        { /* end of list */ }
>      },
>  };
>  #endif
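Review bot: the `end if list` to `end of list` comment fix in this hunk (and the identical ones at `@@ -435` and `@@ -451` below) is unrelated to SASL; split the three comment typo fixes into a separate cleanup patch so the SASL change is reviewable on its own and can be reverted independently.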
> @@ -390,6 +390,9 @@ QemuOptsList qemu_spice_opts = {
>              .name = "disable-ticketing",
>              .type = QEMU_OPT_BOOL,
>          },{
> +            .name = "sasl",
> +            .type = QEMU_OPT_BOOL,
> +        },{
>              .name = "x509-dir",
>              .type = QEMU_OPT_STRING,
>          },{
> @@ -435,7 +438,7 @@ QemuOptsList qemu_spice_opts = {
>              .name = "playback-compression",
>              .type = QEMU_OPT_BOOL,
>          },
> -        { /* end if list */ }
> +        { /* end of list */ }
>      },
>  };
>  
> @@ -451,7 +454,7 @@ QemuOptsList qemu_option_rom_opts = {
>              .name = "romfile",
>              .type = QEMU_OPT_STRING,
>          },
> -        { /* end if list */ }
> +        { /* end of list */ }
>      },
>  };
>  
> diff --git a/qemu-options.hx b/qemu-options.hx
> index d6f80d1..f37a0a8 100644
> --- a/qemu-options.hx
> +++ b/qemu-options.hx
> @@ -695,6 +695,19 @@ Force using the specified IP version.
>  @item password=<secret>
>  Set the password you need to authenticate.
>  
> + at item sasl
> +Require that the client use SASL to authenticate with the spice.
> +The exact choice of authentication method used is controlled from the
> +system / user's SASL configuration file for the 'qemu' service. This
> +is typically found in /etc/sasl2/qemu.conf. If running QEMU as an
> +unprivileged user, an environment variable SASL_CONF_PATH can be used
> +to make it search alternate locations for the service config.
> +While some SASL auth methods can also provide data encryption (eg GSSAPI),
> +it is recommended that SASL always be combined with the 'tls' and
> +'x509' settings to enable use of SSL and server certificates. This
> +ensures a data encryption preventing compromise of authentication
> +credentials.
> +
>  @item disable-ticketing
>  Allow client connects without authentication.
>  
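Review bot: the added line shows up here as `+ at item sasl`, which looks like the list archive's address munging of `@item sasl`; please confirm the texinfo directive is intact in the patch as sent, since a literal `at item` would break the `-spice` option table. In the text itself, `authenticate with the spice` reads as incomplete (`the spice server`), `eg` should be `e.g.`, and `ensures a data encryption` should be `ensures data encryption`. It would also help users to state here the minimum spice-server version that `sasl` requires, so the documentation matches whatever the code enforces.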
> diff --git a/ui/spice-core.c b/ui/spice-core.c
> index 1aa1a5e..2d83776 100644
> --- a/ui/spice-core.c
> +++ b/ui/spice-core.c
> @@ -549,6 +549,18 @@ void qemu_spice_init(void)
>      if (password) {
>          spice_server_set_ticket(spice_server, password, 0, 0, 0);
>      }
> +    if (qemu_opt_get_bool(opts, "sasl", 0)) {
> +#if SPICE_SERVER_VERSION >= 0x000900 /* 0.9.0 */
> +        if (spice_server_set_sasl_appname(spice_server, "qemu") == -1 ||
> +            spice_server_set_sasl(spice_server, 1) == -1) {
> +            fprintf(stderr, "spice: failed to enable sasl\n");
> +            exit(1);
> +        }
> +#else
> +        fprintf(stderr, "spice: sasl is not available (spice >= 0.9 required)\n");
> +        exit(1);
> +#endif
> +    }
>      if (qemu_opt_get_bool(opts, "disable-ticketing", 0)) {
>          auth = "none";
>          spice_server_set_noauth(spice_server);
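Review bot: the guard `#if SPICE_SERVER_VERSION >= 0x000900 /* 0.9.0 */` and the message `spice >= 0.9 required` disagree with the commit message, which says spice 0.8.1 is sufficient; pick the correct minimum and align the comment, the error text and the commit message with it. Also, this branch leaves `auth` untouched while the `disable-ticketing` branch immediately below sets `auth = "none"`, so whatever consumes `auth` will not reflect that SASL is in use; consider setting it (for example to `"sasl"`) inside the `sasl` block so the reported authentication method stays accurate.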
> -- 
> 1.7.4
> 