[Spice-devel] [PATCH] protocol: RFC: add common channel caps for AUTH mechanism selection

Hans de Goede hdegoede at redhat.com
Sun Feb 13 07:32:40 PST 2011


Hi,

On 02/13/2011 04:15 PM, Marc-André Lureau wrote:
> hi
>
> ----- Original Message -----
>> Hi,
>>
>> On 02/13/2011 03:34 PM, Yaniv Kaul wrote:
>>> On 2/13/2011 4:23 PM, Marc-André Lureau wrote:
>>>> Current version 2.0 of the SPICE protocol describes how the client
>>>> replies to the server SpiceLinkReply message with an
>>>> RSA_public_encrypt() of the password.
>>>>
>>>> Instead of using the current Spice AUTH mechanism, we would like to
>>>> offer different AUTH mechanisms, in particular SASL, which is a
>>>> framework allowing different underlying mechanisms such as
>>>> GSSAPI/Kerberos v5 (and optionally adding a data security layer).
>>>
>>> How can we re-use the authentication result of the first channel
>>> with the other channels?
>>> It never made sense to me to perform the authentication per-channel.
>>
>> Well, given that each channel is a separate tcp connection, and any one
>> of the connections could be hijacked, it does make sense IMHO. We would
>> of course only do the AUTH mechanism negotiation for the main channel and
>> then reuse the result for the others.
>>
>
>
> The AUTH mechanism selection is fairly cheap: 2 x 1 bit + u32 (we could use a u8 instead). There is no extra round trip.
>
> Enforcing the same AUTH mechanism on each channel would make us lose some flexibility, we could imagine that a channel is public, for instance display and audio, for read-only / multi-client cases.

Good point, agreed.

Regards,

Hans
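The thread sketches the proposed scheme without showing it: each side advertises which AUTH mechanisms it supports through common channel capability bits, a u32 carries the chosen mechanism, and the choice is made per channel so that some channels (read-only display or audio) can stay public while the rest must authenticate. The following C program is an added illustration of that selection logic and is not code from the thread or from the SPICE project; the capability bit numbers, the mechanism identifiers, the channel names and the policy table are all constructed for the example. It refuses a channel outright when the two sides share no mechanism, rather than silently downgrading to unauthenticated access, unless the channel policy explicitly marks it public.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed capability bits for this example; the real protocol defines
 * its own common capability numbering. */
enum {
    CAP_AUTH_SPICE = 1u << 0,   /* legacy RSA_public_encrypt() of the password */
    CAP_AUTH_SASL  = 1u << 1,   /* SASL framework (e.g. GSSAPI/Kerberos v5)    */
};

/* Constructed values for the u32 mechanism-selection field. */
enum auth_mech {
    AUTH_MECH_NONE  = 0,        /* channel served without authentication */
    AUTH_MECH_SPICE = 1,
    AUTH_MECH_SASL  = 2,
};

#define AUTH_REFUSED (-1)       /* no acceptable mechanism: close the channel */

struct channel_policy {
    const char *name;           /* constructed channel name */
    bool        allow_public;   /* may be served unauthenticated (read-only use) */
    uint32_t    server_caps;    /* caps the server advertises for this channel */
};

/* Pick the mechanism for one channel from the caps both sides advertised.
 * Preference order is SASL first, then the legacy SPICE mechanism.
 * AUTH_MECH_NONE is returned only when the policy allows a public channel;
 * any other channel with no common mechanism is refused, never downgraded. */
int select_auth_mech(uint32_t server_caps, uint32_t client_caps, bool allow_public)
{
    uint32_t common = server_caps & client_caps;

    if (common & CAP_AUTH_SASL)
        return AUTH_MECH_SASL;
    if (common & CAP_AUTH_SPICE)
        return AUTH_MECH_SPICE;
    return allow_public ? AUTH_MECH_NONE : AUTH_REFUSED;
}

/* Run the selection independently for every channel of a session (each
 * channel is its own TCP connection). Writes one result per channel into
 * out_mechs and returns how many channels were refused. */
int negotiate_session(const struct channel_policy *chans, size_t n,
                      uint32_t client_caps, int *out_mechs)
{
    int refused = 0;
    for (size_t i = 0; i < n; i++) {
        out_mechs[i] = select_auth_mech(chans[i].server_caps, client_caps,
                                        chans[i].allow_public);
        if (out_mechs[i] == AUTH_REFUSED)
            refused++;
    }
    return refused;
}

/* Constructed session: main and inputs must authenticate, display and
 * playback are read-only and may be public. The playback channel deliberately
 * advertises no mechanism at all, so it can only be served publicly. */
static const struct channel_policy demo_channels[] = {
    { "main",     false, CAP_AUTH_SASL | CAP_AUTH_SPICE },
    { "inputs",   false, CAP_AUTH_SPICE },
    { "display",  true,  CAP_AUTH_SASL },
    { "playback", true,  0 },
};

static const char *mech_name(int m)
{
    switch (m) {
    case AUTH_MECH_NONE:  return "public (no auth)";
    case AUTH_MECH_SPICE: return "spice (RSA-encrypted password)";
    case AUTH_MECH_SASL:  return "sasl";
    default:              return "REFUSED";
    }
}

int main(void)
{
    int mechs[4];
    /* A client that only implements the legacy mechanism. */
    int refused = negotiate_session(demo_channels, 4, CAP_AUTH_SPICE, mechs);
    for (size_t i = 0; i < 4; i++)
        printf("%-9s -> %s\n", demo_channels[i].name, mech_name(mechs[i]));
    printf("%d channel(s) refused\n", refused);
    return 0;
}
```

With a SASL-only client the main and display channels negotiate SASL, inputs is refused (the server offers only the legacy mechanism there and the channel is not public), and playback is served publicly; with a legacy-only client, display falls back to public and nothing is refused. The per-channel result is exactly the flexibility the thread argues for, and the refusal path is the check that keeps that flexibility from turning into a silent downgrade.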

