[Spice-devel] SASL authentication & plans

Tiziano Müller tiziano.mueller at stepping-stone.ch
Mon May 21 03:20:02 PDT 2012


On Monday, 21.05.2012, at 10:57 +0100, Daniel P. Berrange wrote:
> On Mon, May 21, 2012 at 11:50:48AM +0200, Tiziano Müller wrote:
> > Hi
> > 
> > Currently I'm trying to get SASL working and have succeeded so far, but I
> > have some questions:
> > 
> > * Is it correct that the username SASL gets is the UID of the qemu
> > process? If yes: what is the plan here (I saw that there's the username
> > attribute in the RedSASL struct already)?
> 
> No, the SASL username is something that comes from the SPICE
> client application. What it looks like will depend on what
> mechanism you have enabled. For example if you have GSSAPI
> enabled, the SASL username will be the Kerberos principal
> name, e.g. fred@EXAMPLE.COM.
That makes sense.

>  If you have Digest-MD5 enabled
> then the username is just whatever you configured with the
> saslpasswd2 program.
Can you please explain this? As far as I know, saslpasswd2 is a tool to
manage the SASL (gdbm) database of users and passwords, so you can have
many users in that database.

But you're right, the username does not come from the server but somehow
from the client, even if I don't get asked for it.

And from spice-channel.c (spice-gtk 0.11):
[...]
        case SASL_CB_AUTHNAME:
        case SASL_CB_USER:
            g_warn_if_reached();
            break;

        case SASL_CB_PASS:
            if (spice_session_get_password(c->session) == NULL)
                return FALSE;
[...]
But where does it come from then?

> > * Is there a way to pass some information from the VM to SASL (and its
> > backend) to have a password per domain and user?
> 
> In theory yes, in practice no (or not yet). SASL is a nicely
> pluggable API, so in theory you could write a plugin that
> does what you describe. AFAIK, there is no such plugin in
> existence today though.
> 
> > * Is support for client certificate authentication planned? Together
> > with SASL this could be used to identify the user.
> 
> I'm not entirely sure what you mean here? Do you mean you want
> to use x509 client certificates to authenticate users ? Conceptually
> it would be perfectly possible to combine x509 certs and SASL to get
> two factor auth.
That's what I meant, yes.

Thanks,
Tiziano

-- 
stepping stone GmbH
Neufeldstrasse 9
CH-3012 Bern
Telefon: +41 31 332 53 63
www.stepping-stone.ch
tiziano.mueller at stepping-stone.ch
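The question in the thread is where the SASL username comes from for a mechanism like DIGEST-MD5 when the server never asks for it. The short answer is that the client puts it on the wire itself: in Cyrus SASL the client library obtains the name through the SASL_CB_USER / SASL_CB_AUTHNAME callbacks or the sasl_interact_t prompts, and the DIGEST-MD5 plugin then embeds it in the digest-response, which the server checks against its own database (sasldb, the one saslpasswd2 manages). The following is an added example that walks both sides of that exchange; it is not code from spice-gtk, QEMU or Cyrus SASL. The challenge string, nonces, digest-uri and the dict standing in for sasldb are constructed for the example. DIGEST-MD5 has since been declared obsolete (RFC 6331), so this illustrates the protocol rather than recommends it.

```python
"""DIGEST-MD5 (RFC 2831) exchange, client and server side, qop=auth only.

Added example, not code from spice-gtk, QEMU or Cyrus SASL.  It shows that
the username originates on the client (it is written into the
digest-response) and that the server only verifies it against its own
password database.  The password database here is a constructed dict
standing in for sasldb.  DIGEST-MD5 is obsolete (RFC 6331).
"""
import hashlib
import hmac
import os
import re

# key=value pairs, value either quoted or a bare token, separated by commas
_DIRECTIVE = re.compile(r'([A-Za-z0-9_-]+)=(?:"([^"]*)"|([^,]*))')


def parse_directives(text: str) -> dict:
    """Parse a digest-challenge or digest-response into a dict of directives."""
    out = {}
    for m in _DIRECTIVE.finditer(text):
        key, quoted, bare = m.groups()
        out[key.lower()] = quoted if quoted is not None else bare
    return out


def _digest(username, realm, password, nonce, cnonce, nc, qop, digest_uri, a2_prefix):
    """RFC 2831 section 2.1.2.1 for qop=auth and no authzid.

    A1 = H(username:realm:password) : nonce : cnonce   (H = MD5, raw bytes)
    A2 = a2_prefix : digest-uri   ("AUTHENTICATE" on the client, "" for rspauth)
    result = HEX(H(HEX(H(A1)) : nonce : nc : cnonce : qop : HEX(H(A2))))
    """
    inner = hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()
    a1 = inner + f":{nonce}:{cnonce}".encode("utf-8")
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(f"{a2_prefix}:{digest_uri}".encode("utf-8")).hexdigest()
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"
    return hashlib.md5(kd.encode("utf-8")).hexdigest()


def client_response(username, password, challenge, digest_uri, cnonce=None, nc="00000001"):
    """Build the client's digest-response.  The username is chosen here, on the
    client side; nothing in the server's challenge tells the client who it is."""
    c = parse_directives(challenge)
    if "auth" not in c.get("qop", "auth").split(","):
        raise ValueError("server does not offer qop=auth")
    realm = c.get("realm", "")
    nonce = c["nonce"]
    cnonce = cnonce or os.urandom(16).hex()
    resp = _digest(username, realm, password, nonce, cnonce, nc, "auth",
                   digest_uri, "AUTHENTICATE")
    return (f'username="{username}",realm="{realm}",nonce="{nonce}",cnonce="{cnonce}",'
            f'nc={nc},qop=auth,digest-uri="{digest_uri}",response={resp},charset=utf-8')


def server_verify(response, issued_nonce, password_db):
    """Check a digest-response against the password database.

    Returns (ok, rspauth).  password_db maps username -> plaintext password,
    which is the shape of what saslpasswd2 stores for this mechanism.
    """
    r = parse_directives(response)
    try:
        username, nonce, cnonce, nc = r["username"], r["nonce"], r["cnonce"], r["nc"]
        digest_uri, given = r["digest-uri"], r["response"]
    except KeyError:
        return False, None
    # the nonce must be the one this server issued, or the response is a replay
    if nonce != issued_nonce or r.get("qop", "auth") != "auth":
        return False, None
    password = password_db.get(username)  # the server never chooses the name
    if password is None:
        return False, None
    realm = r.get("realm", "")
    expected = _digest(username, realm, password, nonce, cnonce, nc, "auth",
                       digest_uri, "AUTHENTICATE")
    if not hmac.compare_digest(expected, given):
        return False, None
    rspauth = _digest(username, realm, password, nonce, cnonce, nc, "auth", digest_uri, "")
    return True, rspauth


def client_check_rspauth(username, password, response, rspauth):
    """Client side: confirm the server also knew the password (mutual auth)."""
    r = parse_directives(response)
    expected = _digest(username, r.get("realm", ""), password, r["nonce"], r["cnonce"],
                       r["nc"], "auth", r["digest-uri"], "")
    return hmac.compare_digest(expected, rspauth)


if __name__ == "__main__":
    # constructed sample exchange; nonces and URI are made up for the example
    challenge = 'realm="example.com",nonce="OA6MG9tEQGm2hh",qop="auth",charset=utf-8,algorithm=md5-sess'
    sasldb = {"fred": "s3cret"}
    resp = client_response("fred", "s3cret", challenge, "spice/vmhost.example.com")
    ok, rspauth = server_verify(resp, "OA6MG9tEQGm2hh", sasldb)
    print("server accepted:", ok, "client verified server:",
          client_check_rspauth("fred", "s3cret", resp, rspauth))
```

The realm is the only part of the identity the server contributes, and it is just a label the client echoes back; the name that is actually looked up in the database is whatever the client wrote into the `username` directive. That is why saslpasswd2 can hold many users and the server still has no say in which one a given client claims to be until the digest check fails.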
