[Spice-devel] SASL authentication & plans

Daniel P. Berrange berrange at redhat.com
Mon May 21 03:23:38 PDT 2012


On Mon, May 21, 2012 at 12:20:02PM +0200, Tiziano Müller wrote:
> On Monday, 21.05.2012, at 10:57 +0100, Daniel P. Berrange wrote:
> > On Mon, May 21, 2012 at 11:50:48AM +0200, Tiziano Müller wrote:
> > > Hi
> > > 
> > > Currently I'm trying to get SASL working and succeeded so far but I've
> > > some questions:
> > > 
> > > * Is it correct that the username SASL gets is the UID of the qemu
> > > process? If yes: what is the plan here (I saw that there's the username
> > > attribute in the RedSASL struct already)?
> > 
> > No, the SASL username is something that comes from the SPICE
> > client application. What it looks like will depend on what
> > mechanism you have enabled. For example if you have GSSAPI
> > enabled, the SASL username will be the Kerberos principal
> > name, e.g. fred at EXAMPLE.COM.
> That makes sense.
> 
> >  If you have Digest-MD5 enabled
> > then the username is just whatever you configured with the
> > saslpasswd2 program.
> Can you please explain this? As far as I know, saslpasswd2 is a tool
> to manage the sasl (gdbm) database of users and passwords. So you can
> have many users in that database.
> 
> But you're right, the username does not come from the server but somehow
> from the client even if I don't get asked for it.
> 
> And from the spice-channel.c (spice-gtk-0.11):
> [...]
>         case SASL_CB_AUTHNAME:
>         case SASL_CB_USER:
>             g_warn_if_reached();
>             break;
> 
>         case SASL_CB_PASS:
>             if (spice_session_get_password(c->session) == NULL)
>                 return FALSE;
> [...]
> but where does it come from then?

The spice-gtk client is missing functionality. As that is written,
it is impossible to use any mechanism that requests a username.
It needs to wire up the CB_AUTHNAME callbacks too.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
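
An added example, not part of the original message and not spice-gtk code: a sketch of an interaction handler that answers the username prompts as well as the password prompt, which is the wiring the reply above says is missing. The `creds` struct and `fill_sasl_interact` are hypothetical names, the SASL definitions are a local mirror assumed to match `<sasl/sasl.h>`, and using one username for both `SASL_CB_USER` and `SASL_CB_AUTHNAME` is a simplifying assumption.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Local mirror of the Cyrus SASL interaction definitions so the example
 * builds without libsasl2; real code includes <sasl/sasl.h> instead. */
#define SASL_CB_LIST_END 0
#define SASL_CB_USER     0x4001  /* authorization identity */
#define SASL_CB_AUTHNAME 0x4002  /* authentication identity */
#define SASL_CB_PASS     0x4004
typedef struct {
    unsigned long id;
    const char *challenge, *prompt, *defresult;
    const void *result;
    unsigned len;
} sasl_interact_t;

/* Hypothetical credential holder; not a spice-gtk type. */
struct creds { const char *username, *password; };

/* Answer every prompt the mechanism raised. Returns false when a prompt is
 * unknown or its credential is missing, so the caller can ask the user
 * instead of continuing the handshake with an empty answer. */
bool fill_sasl_interact(sasl_interact_t *prompts, const struct creds *c)
{
    for (sasl_interact_t *i = prompts; i->id != SASL_CB_LIST_END; i++) {
        const char *value = NULL;
        if (i->id == SASL_CB_AUTHNAME || i->id == SASL_CB_USER)
            value = c->username;   /* assumption: same name for both */
        else if (i->id == SASL_CB_PASS)
            value = c->password;
        if (value == NULL)
            return false;
        i->result = value;
        i->len = (unsigned)strlen(value);
    }
    return true;
}

int main(void)
{
    /* Constructed prompt list, as a username/password mechanism would raise. */
    sasl_interact_t prompts[] = {
        { .id = SASL_CB_AUTHNAME }, { .id = SASL_CB_PASS },
        { .id = SASL_CB_LIST_END } };
    struct creds c = { "fred", "constructed-password" };
    printf("filled=%d\n", fill_sasl_interact(prompts, &c));
    return 0;
}
```

With libsasl2, a handler like this runs when `sasl_client_start()` or `sasl_client_step()` returns `SASL_INTERACT`, after which the same call is repeated with the filled prompt list.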