[Spice-devel] [PATCH] QEMU: spice: add SASL support

Marc-André Lureau marcandre.lureau at gmail.com
Tue Feb 22 08:02:31 PST 2011


From: Marc-André Lureau <marcandre.lureau at redhat.com>

Hi fellow spicers,

This is the patch in qemu I use to test SASL support.

About usage, see the comment in the patch; it is similar to VNC SASL
support.

It requires support from spice-server.
---
 qemu-config.c   |    9 ++++++---
 qemu-options.hx |   13 +++++++++++++
 ui/spice-core.c |    4 ++++
 3 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/qemu-config.c b/qemu-config.c
index 6d9c238..bc9a42a 100644
--- a/qemu-config.c
+++ b/qemu-config.c
@@ -311,7 +311,7 @@ static QemuOptsList qemu_trace_opts = {
             .name = "file",
             .type = QEMU_OPT_STRING,
         },
-        { /* end if list */ }
+        { /* end of list */ }
     },
 };
 #endif
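Review bot: The "end if list" to "end of list" comment fix at the end of qemu_trace_opts is unrelated to SASL, and the same cosmetic change is repeated in qemu_spice_opts and qemu_option_rom_opts below. Please split these three comment fixes into a separate cleanup patch so the SASL change can be reviewed, bisected and backported on its own.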
@@ -390,6 +390,9 @@ QemuOptsList qemu_spice_opts = {
             .name = "disable-ticketing",
             .type = QEMU_OPT_BOOL,
         },{
+            .name = "sasl",
+            .type = QEMU_OPT_BOOL,
+        },{
             .name = "x509-dir",
             .type = QEMU_OPT_STRING,
         },{
@@ -435,7 +438,7 @@ QemuOptsList qemu_spice_opts = {
             .name = "playback-compression",
             .type = QEMU_OPT_BOOL,
         },
-        { /* end if list */ }
+        { /* end of list */ }
     },
 };
 
@@ -451,7 +454,7 @@ QemuOptsList qemu_option_rom_opts = {
             .name = "romfile",
             .type = QEMU_OPT_STRING,
         },
-        { /* end if list */ }
+        { /* end of list */ }
     },
 };
 
diff --git a/qemu-options.hx b/qemu-options.hx
index d6f80d1..f37a0a8 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -695,6 +695,19 @@ Force using the specified IP version.
 @item password=<secret>
 Set the password you need to authenticate.
 
+ at item sasl
+Require that the client use SASL to authenticate with the spice.
+The exact choice of authentication method used is controlled from the
+system / user's SASL configuration file for the 'qemu' service. This
+is typically found in /etc/sasl2/qemu.conf. If running QEMU as an
+unprivileged user, an environment variable SASL_CONF_PATH can be used
+to make it search alternate locations for the service config.
+While some SASL auth methods can also provide data encryption (eg GSSAPI),
+it is recommended that SASL always be combined with the 'tls' and
+'x509' settings to enable use of SSL and server certificates. This
+ensures a data encryption preventing compromise of authentication
+credentials.
+
 @item disable-ticketing
 Allow client connects without authentication.
 
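Review bot: The new sasl item only recommends combining SASL with 'tls' and 'x509', although its last sentence says that credentials can otherwise be compromised; the text should say plainly what is exposed when sasl is used on a plain-text port, and how sasl interacts with the neighbouring password= and disable-ticketing options. Wording: "authenticate with the spice" looks truncated (presumably "the spice server"), and "ensures a data encryption preventing compromise" would read better as "ensures the connection is encrypted, preventing compromise".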
diff --git a/ui/spice-core.c b/ui/spice-core.c
index 1aa1a5e..b9c3aba 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
@@ -549,6 +549,10 @@ void qemu_spice_init(void)
     if (password) {
         spice_server_set_ticket(spice_server, password, 0, 0, 0);
     }
+    if (qemu_opt_get_bool(opts, "sasl", 0)) {
+        spice_server_set_sasl_appname(spice_server, "qemu");
+        spice_server_set_sasl(spice_server, 1);
+    }
     if (qemu_opt_get_bool(opts, "disable-ticketing", 0)) {
         auth = "none";
         spice_server_set_noauth(spice_server);
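Review bot: The new sasl block in qemu_spice_init() is independent of the disable-ticketing block that follows it, so passing both options enables SASL and then calls spice_server_set_noauth(); that combination should be rejected with an error instead of depending on call order inside spice-server. The return values of spice_server_set_sasl_appname() and spice_server_set_sasl() are also ignored; if either can fail, QEMU should exit rather than start a server without the authentication the user asked for. The auth variable is set to "none" in the disable-ticketing branch but is not updated in the SASL branch, so anything that reports it will not reflect SASL. Since the cover text says this needs spice-server support, a build-time check for these two functions would keep builds against older spice-server working.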
-- 
1.7.4


