[Spice-devel] [spice-gtk] Support SASL GSSAPI

Daniel P. Berrange berrange at redhat.com
Mon Jun 6 13:38:51 UTC 2016


On Mon, Jun 06, 2016 at 04:34:09PM +0300, Alexander Bokovoy wrote:
> On Mon, 06 Jun 2016, Daniel P. Berrange wrote:
> > On Mon, Jun 06, 2016 at 09:01:10AM -0400, Marc-André Lureau wrote:
> > > Hi
> > > 
> > > ----- Original Message -----
> > > > I'm sending Alexander Bokovoy's patch as it is, also here is some notes from
> > > > him:
> > > >
> > > > "I'd really like to find a way to do it with pure SASL properties so that the
> > > > code would work for both SPNEGO and Kerberos. SPNEGO NTLMSSP would make it
> > > > working for environments where you don't have Kerberos but what we have
> > > > right now should be fine for pure Kerberos environments like FreeIPA or
> > > > Active Directory."
> > > >
> > > > And also his blog post:
> > > > https://vda.li/en/posts/2016/05/30/Single-sign-on-to-virtual-machines/
> > > >
> > > > On one hand I think would be good to have this issue partially fixed (as per
> > > > Alexander's comment) for 0.32, on the other hand I don't like calling these
> > > > kerberos functions directly. Also, we probably would have to add a kerberos
> > > > check/option on configure, right? I can do that without any problems, but I
> > > > firstly would like to hear the opinions from other people in the project.
> > > 
> > > Yes, it will have to be optional (especially because compiling krb5 on mingw is *hard* - last time I checked)
> > 
> > Even compiling cyrus-sasl is hard - indeed last I looked fedora didn't
> > have any mingw packages for it.
> > 
> > > 
> > > > I'm willing to re-work this patch after the release and try to find an ideal
> > > > solution (if possible) and also spend some more time digging into the
> > > > differences on handling this between gtk-vnc and spice-gtk.
> > > 
> > > From his blog, I gathered that it worked with gtk-vnc but not with
> > > spice-gtk. Why do we need krb specific code when gtk-vnc doesn't need it?
> > 
> > It looks like the code is trying to set a default username based on the
> > current kerberos credential the user has. gtk-vnc doesn't bother trying
> > to do this - the user just always has to supply the username explicitly.
> > IMHO it would be fine for spice-gtk to do the same and avoid the krb dep.
> I tried that. Let me get a bit deeper into details, though.
> 
> Cyrus SASL GSSAPI would work if you provide NULL username but the code
> in spice-gtk rejects such usernames:
> https://cgit.freedesktop.org/spice/spice-gtk/tree/src/spice-channel.c#n1390

Hmm, that code looks really rather wrong - it is clearly making a bogus
assumption that a NULL username will result in auth failure - it should
definitely be left up to the SASL library to decide that on the server
side.

> I tried to allow NULL username here but the problem is that we need
> eventually to set actual username so that SPICE communication can
> continue. And if SASL GSSAPI module did find default credentials, we
> need to pick up the username from them. This is possible theoretically
> but all my attempts to do so caused SPICE server side to drop actual
> SPICE connection.

I'm not sure what fails if you just remove that check, but I think we
need to investigate that further, as I don't think that check for
NULL is right.


Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

