[Spice-devel] [PATCH] spice: add SASL support

Marc-André Lureau marcandre.lureau at gmail.com
Tue May 3 11:44:45 PDT 2011 

wrong patch, just forget this mail.

On Tue, May 3, 2011 at 8:41 PM, Marc-André Lureau
<marcandre.lureau at gmail.com> wrote:
> Turn on SASL support by appending "sasl" to the spice arguments, which
> requires that the client use SASL to authenticate with the spice.  The
> exact choice of authentication method used is controlled from the
> system / user's SASL configuration file for the 'qemu' service. This
> is typically found in /etc/sasl2/qemu.conf. If running QEMU as an
> unprivileged user, an environment variable SASL_CONF_PATH can be used
> to make it search alternate locations for the service config.  While
> some SASL auth methods can also provide data encryption (eg GSSAPI),
> it is recommended that SASL always be combined with the 'tls' and
> 'x509' settings to enable use of SSL and server certificates. This
> ensures a data encryption preventing compromise of authentication
> credentials.
>
> It requires support from spice 0.8.1.
> ---
>  configure       |    2 +-
>  qemu-config.c   |    9 ++++++---
>  qemu-options.hx |   13 +++++++++++++
>  ui/spice-core.c |    4 ++++
>  4 files changed, 24 insertions(+), 4 deletions(-)
>
> diff --git a/configure b/configure
> index fddf515..4583461 100755
> --- a/configure
> +++ b/configure
> @@ -2316,7 +2316,7 @@ int main(void) { spice_server_new(); return 0; }
>  EOF
>   spice_cflags=$($pkgconfig --cflags spice-protocol spice-server 2>/dev/null)
>   spice_libs=$($pkgconfig --libs spice-protocol spice-server 2>/dev/null)
> -  if $pkgconfig --atleast-version=0.5.3 spice-server >/dev/null 2>&1 && \
> +  if $pkgconfig --atleast-version=0.8.1 spice-server >/dev/null 2>&1 && \
>      compile_prog "$spice_cflags" "$spice_libs" ; then
>     spice="yes"
>     libs_softmmu="$libs_softmmu $spice_libs"
> diff --git a/qemu-config.c b/qemu-config.c
> index 6d9c238..bc9a42a 100644
> --- a/qemu-config.c
> +++ b/qemu-config.c
> @@ -311,7 +311,7 @@ static QemuOptsList qemu_trace_opts = {
>             .name = "file",
>             .type = QEMU_OPT_STRING,
>         },
> -        { /* end if list */ }
> +        { /* end of list */ }
>     },
>  };
>  #endif
> @@ -390,6 +390,9 @@ QemuOptsList qemu_spice_opts = {
>             .name = "disable-ticketing",
>             .type = QEMU_OPT_BOOL,
>         },{
> +            .name = "sasl",
> +            .type = QEMU_OPT_BOOL,
> +        },{
>             .name = "x509-dir",
>             .type = QEMU_OPT_STRING,
>         },{
> @@ -435,7 +438,7 @@ QemuOptsList qemu_spice_opts = {
>             .name = "playback-compression",
>             .type = QEMU_OPT_BOOL,
>         },
> -        { /* end if list */ }
> +        { /* end of list */ }
>     },
>  };
>
> @@ -451,7 +454,7 @@ QemuOptsList qemu_option_rom_opts = {
>             .name = "romfile",
>             .type = QEMU_OPT_STRING,
>         },
> -        { /* end if list */ }
> +        { /* end of list */ }
>     },
>  };
>
> diff --git a/qemu-options.hx b/qemu-options.hx
> index d6f80d1..f37a0a8 100644
> --- a/qemu-options.hx
> +++ b/qemu-options.hx
> @@ -695,6 +695,19 @@ Force using the specified IP version.
>  @item password=<secret>
>  Set the password you need to authenticate.
>
> + at item sasl
> +Require that the client use SASL to authenticate with the spice.
> +The exact choice of authentication method used is controlled from the
> +system / user's SASL configuration file for the 'qemu' service. This
> +is typically found in /etc/sasl2/qemu.conf. If running QEMU as an
> +unprivileged user, an environment variable SASL_CONF_PATH can be used
> +to make it search alternate locations for the service config.
> +While some SASL auth methods can also provide data encryption (eg GSSAPI),
> +it is recommended that SASL always be combined with the 'tls' and
> +'x509' settings to enable use of SSL and server certificates. This
> +ensures a data encryption preventing compromise of authentication
> +credentials.
> +
>  @item disable-ticketing
>  Allow client connects without authentication.
>
> diff --git a/ui/spice-core.c b/ui/spice-core.c
> index 1aa1a5e..b9c3aba 100644
> --- a/ui/spice-core.c
> +++ b/ui/spice-core.c
> @@ -549,6 +549,10 @@ void qemu_spice_init(void)
>     if (password) {
>         spice_server_set_ticket(spice_server, password, 0, 0, 0);
>     }
> +    if (qemu_opt_get_bool(opts, "sasl", 0)) {
> +        spice_server_set_sasl_appname(spice_server, "qemu");
> +        spice_server_set_sasl(spice_server, 1);
> +    }
>     if (qemu_opt_get_bool(opts, "disable-ticketing", 0)) {
>         auth = "none";
>         spice_server_set_noauth(spice_server);
> --
> 1.7.4
>
>



-- 
Marc-André Lureau

More information about the Spice-devel mailing list