[Spice-devel] [PATCH] spice: add SASL support

Marc-André Lureau marcandre.lureau at gmail.com
Tue May 3 13:31:11 PDT 2011


Turn on SASL support by appending "sasl" to the spice arguments, which
requires that the client use SASL to authenticate with the spice.  The
exact choice of authentication method used is controlled from the
system / user's SASL configuration file for the 'qemu' service. This
is typically found in /etc/sasl2/qemu.conf. If running QEMU as an
unprivileged user, an environment variable SASL_CONF_PATH can be used
to make it search alternate locations for the service config.  While
some SASL auth methods can also provide data encryption (eg GSSAPI),
it is recommended that SASL always be combined with the 'tls' and
'x509' settings to enable use of SSL and server certificates. This
ensures a data encryption preventing compromise of authentication
credentials.

It requires support from spice 0.8.1.
---
 qemu-config.c   |    9 ++++++---
 qemu-options.hx |   13 +++++++++++++
 ui/spice-core.c |   12 ++++++++++++
 3 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/qemu-config.c b/qemu-config.c
index 6d9c238..bc9a42a 100644
--- a/qemu-config.c
+++ b/qemu-config.c
@@ -311,7 +311,7 @@ static QemuOptsList qemu_trace_opts = {
             .name = "file",
             .type = QEMU_OPT_STRING,
         },
-        { /* end if list */ }
+        { /* end of list */ }
     },
 };
 #endif
@@ -390,6 +390,9 @@ QemuOptsList qemu_spice_opts = {
             .name = "disable-ticketing",
             .type = QEMU_OPT_BOOL,
         },{
+            .name = "sasl",
+            .type = QEMU_OPT_BOOL,
+        },{
             .name = "x509-dir",
             .type = QEMU_OPT_STRING,
         },{
@@ -435,7 +438,7 @@ QemuOptsList qemu_spice_opts = {
             .name = "playback-compression",
             .type = QEMU_OPT_BOOL,
         },
-        { /* end if list */ }
+        { /* end of list */ }
     },
 };
 
@@ -451,7 +454,7 @@ QemuOptsList qemu_option_rom_opts = {
             .name = "romfile",
             .type = QEMU_OPT_STRING,
         },
-        { /* end if list */ }
+        { /* end of list */ }
     },
 };
 
diff --git a/qemu-options.hx b/qemu-options.hx
index d6f80d1..f37a0a8 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -695,6 +695,19 @@ Force using the specified IP version.
 @item password=<secret>
 Set the password you need to authenticate.
 
+ at item sasl
+Require that the client use SASL to authenticate with the spice.
+The exact choice of authentication method used is controlled from the
+system / user's SASL configuration file for the 'qemu' service. This
+is typically found in /etc/sasl2/qemu.conf. If running QEMU as an
+unprivileged user, an environment variable SASL_CONF_PATH can be used
+to make it search alternate locations for the service config.
+While some SASL auth methods can also provide data encryption (eg GSSAPI),
+it is recommended that SASL always be combined with the 'tls' and
+'x509' settings to enable use of SSL and server certificates. This
+ensures a data encryption preventing compromise of authentication
+credentials.
+
 @item disable-ticketing
 Allow client connects without authentication.
 
diff --git a/ui/spice-core.c b/ui/spice-core.c
index 1aa1a5e..2d83776 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
@@ -549,6 +549,18 @@ void qemu_spice_init(void)
     if (password) {
         spice_server_set_ticket(spice_server, password, 0, 0, 0);
     }
+    if (qemu_opt_get_bool(opts, "sasl", 0)) {
+#if SPICE_SERVER_VERSION >= 0x000900 /* 0.9.0 */
+        if (spice_server_set_sasl_appname(spice_server, "qemu") == -1 ||
+            spice_server_set_sasl(spice_server, 1) == -1) {
+            fprintf(stderr, "spice: failed to enable sasl\n");
+            exit(1);
+        }
+#else
+        fprintf(stderr, "spice: sasl is not available (spice >= 0.9 required)\n");
+        exit(1);
+#endif
+    }
     if (qemu_opt_get_bool(opts, "disable-ticketing", 0)) {
         auth = "none";
         spice_server_set_noauth(spice_server);
-- 
1.7.4



More information about the Spice-devel mailing list