[Spice-devel] [PATCH] spice: add SASL support
Marc-André Lureau
marcandre.lureau at gmail.com
Tue May 3 11:44:45 PDT 2011
Wrong patch, just forget this mail.
On Tue, May 3, 2011 at 8:41 PM, Marc-André Lureau
<marcandre.lureau at gmail.com> wrote:
> Turn on SASL support by appending "sasl" to the spice arguments, which
> requires that the client use SASL to authenticate with the spice. The
> exact choice of authentication method used is controlled from the
> system / user's SASL configuration file for the 'qemu' service. This
> is typically found in /etc/sasl2/qemu.conf. If running QEMU as an
> unprivileged user, an environment variable SASL_CONF_PATH can be used
> to make it search alternate locations for the service config. While
> some SASL auth methods can also provide data encryption (eg GSSAPI),
> it is recommended that SASL always be combined with the 'tls' and
> 'x509' settings to enable use of SSL and server certificates. This
> ensures a data encryption preventing compromise of authentication
> credentials.
>
> It requires support from spice 0.8.1.
> ---
> configure | 2 +-
> qemu-config.c | 9 ++++++---
> qemu-options.hx | 13 +++++++++++++
> ui/spice-core.c | 4 ++++
> 4 files changed, 24 insertions(+), 4 deletions(-)
>
> diff --git a/configure b/configure
> index fddf515..4583461 100755
> --- a/configure
> +++ b/configure
> @@ -2316,7 +2316,7 @@ int main(void) { spice_server_new(); return 0; }
> EOF
> spice_cflags=$($pkgconfig --cflags spice-protocol spice-server 2>/dev/null)
> spice_libs=$($pkgconfig --libs spice-protocol spice-server 2>/dev/null)
> - if $pkgconfig --atleast-version=0.5.3 spice-server >/dev/null 2>&1 && \
> + if $pkgconfig --atleast-version=0.8.1 spice-server >/dev/null 2>&1 && \
> compile_prog "$spice_cflags" "$spice_libs" ; then
> spice="yes"
> libs_softmmu="$libs_softmmu $spice_libs"
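
Review bot: Raising --atleast-version from 0.5.3 to 0.8.1 in the configure probe makes every spice build depend on the SASL-capable release, so a host with a spice-server between 0.5.3 and 0.8.1 silently loses spice support altogether instead of only losing the new "sasl" option. Consider keeping the 0.5.3 floor and putting the SASL calls behind a separate configure test or a compile-time version guard. If the hard bump is intended, say so in the commit message, which currently only states "It requires support from spice 0.8.1".
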
> diff --git a/qemu-config.c b/qemu-config.c
> index 6d9c238..bc9a42a 100644
> --- a/qemu-config.c
> +++ b/qemu-config.c
> @@ -311,7 +311,7 @@ static QemuOptsList qemu_trace_opts = {
> .name = "file",
> .type = QEMU_OPT_STRING,
> },
> - { /* end if list */ }
> + { /* end of list */ }
> },
> };
> #endif
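
Review bot: The "end if list" to "end of list" comment fix in qemu_trace_opts is unrelated to SASL, as are the identical fixes in qemu_spice_opts and qemu_option_rom_opts further down this file. Please move the three comment fixes into a separate cleanup patch so this one touches only the spice option table.
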
> @@ -390,6 +390,9 @@ QemuOptsList qemu_spice_opts = {
> .name = "disable-ticketing",
> .type = QEMU_OPT_BOOL,
> },{
> + .name = "sasl",
> + .type = QEMU_OPT_BOOL,
> + },{
> .name = "x509-dir",
> .type = QEMU_OPT_STRING,
> },{
> @@ -435,7 +438,7 @@ QemuOptsList qemu_spice_opts = {
> .name = "playback-compression",
> .type = QEMU_OPT_BOOL,
> },
> - { /* end if list */ }
> + { /* end of list */ }
> },
> };
>
> @@ -451,7 +454,7 @@ QemuOptsList qemu_option_rom_opts = {
> .name = "romfile",
> .type = QEMU_OPT_STRING,
> },
> - { /* end if list */ }
> + { /* end of list */ }
> },
> };
>
> diff --git a/qemu-options.hx b/qemu-options.hx
> index d6f80d1..f37a0a8 100644
> --- a/qemu-options.hx
> +++ b/qemu-options.hx
> @@ -695,6 +695,19 @@ Force using the specified IP version.
> @item password=<secret>
> Set the password you need to authenticate.
>
> + at item sasl
> +Require that the client use SASL to authenticate with the spice.
> +The exact choice of authentication method used is controlled from the
> +system / user's SASL configuration file for the 'qemu' service. This
> +is typically found in /etc/sasl2/qemu.conf. If running QEMU as an
> +unprivileged user, an environment variable SASL_CONF_PATH can be used
> +to make it search alternate locations for the service config.
> +While some SASL auth methods can also provide data encryption (eg GSSAPI),
> +it is recommended that SASL always be combined with the 'tls' and
> +'x509' settings to enable use of SSL and server certificates. This
> +ensures a data encryption preventing compromise of authentication
> +credentials.
> +
> @item disable-ticketing
> Allow client connects without authentication.
>
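
Review bot: The new sasl entry does not say how it interacts with password= and disable-ticketing, the options documented on either side of it, and it only recommends 'tls' and 'x509' without stating what is exposed when they are left out. Please spell out which setting wins when several are given. Two wording fixes in the same paragraph: "authenticate with the spice" is missing its noun (spice server), and "This ensures a data encryption preventing compromise" would read better as "This ensures the data is encrypted, preventing compromise of authentication credentials". The added item line shows here as " at item sasl" while the neighbouring entries use "@item"; make sure the file itself carries "@item sasl".
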
> diff --git a/ui/spice-core.c b/ui/spice-core.c
> index 1aa1a5e..b9c3aba 100644
> --- a/ui/spice-core.c
> +++ b/ui/spice-core.c
> @@ -549,6 +549,10 @@ void qemu_spice_init(void)
> if (password) {
> spice_server_set_ticket(spice_server, password, 0, 0, 0);
> }
> + if (qemu_opt_get_bool(opts, "sasl", 0)) {
> + spice_server_set_sasl_appname(spice_server, "qemu");
> + spice_server_set_sasl(spice_server, 1);
> + }
> if (qemu_opt_get_bool(opts, "disable-ticketing", 0)) {
> auth = "none";
> spice_server_set_noauth(spice_server);
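
Review bot: The results of spice_server_set_sasl_appname() and spice_server_set_sasl() in the new if block are discarded, so if either call fails the server keeps running with whatever authentication was configured before it, although the user explicitly asked for sasl. Check both results and exit with an error message rather than continuing. Two related gaps in the same place: the disable-ticketing branch that follows still calls spice_server_set_noauth() when "sasl" is also set, so the conflicting combination should be rejected, and the auth string that branch sets to "none" is not updated in the sasl branch, so anything that reports it will not reflect SASL.
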
> --
> 1.7.4
>
>
--
Marc-André Lureau