[Spice-devel] [spice-gtk v2] sasl: fix SASL GSSAPI by allowing NULL username
Alexander Bokovoy
abokovoy at redhat.com
Tue Jun 7 08:25:11 UTC 2016
On Tue, 07 Jun 2016, Pavel Grunt wrote:
>Hi,
>
>On Mon, 2016-06-06 at 18:04 +0200, Fabiano Fidêncio wrote:
>> From: Alexander Bokovoy <abokovoy at redhat.com>
>>
>> SASL GSSAPI module will try to negotiate authentication based on the
>> credentials in the default credentials cache. It does not matter if
>> SPICE knows username or not as SASL negotiation will pass through the
>> discovered name from the GSSAPI module.
>>
>> Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
>> Acked-by: Fabiano Fidêncio <fidencio at redhat.com>
>> ---
>> Sending the patch to the ML for the record.
>> I already ACKed the patch and, unless anyone objects, I'll push it tomorrow.
>> ---
>> src/spice-channel.c | 9 ++++-----
>> 1 file changed, 4 insertions(+), 5 deletions(-)
>>
>> diff --git a/src/spice-channel.c b/src/spice-channel.c
>> index c6e548d..0eb0e61 100644
>> --- a/src/spice-channel.c
>> +++ b/src/spice-channel.c
>> @@ -1387,11 +1387,10 @@ spice_channel_gather_sasl_credentials(SpiceChannel
>> *channel,
>> switch (interact[ninteract].id) {
>> case SASL_CB_AUTHNAME:
>> case SASL_CB_USER:
>> - if (spice_session_get_username(c->session) == NULL)
>> - return FALSE;
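Review bot: with the `spice_session_get_username(c->session) == NULL` early return removed under `case SASL_CB_AUTHNAME:` / `case SASL_CB_USER:`, the rest of this case now runs with a possibly NULL username, and the replacement lines are not visible in this quote. Whatever fills `interact[ninteract]` there should handle the NULL case explicitly (no length computation or copy on a NULL pointer) and carry a short comment saying that NULL is deliberate, so that GSSAPI can supply the name from the default credentials cache as the commit message describes.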
>So a few lines above, 'c->auth_needs_username = TRUE' is set, but it is OK to
>ignore the missing username? It is really confusing for me.
>
>How does it affect the info about auth failure provided by
>spice_channel_failed_authentication()?

If c->auth_needs_username is set, spice_channel_failed_authentication()
will report that a username is required. This is certainly true -- if SASL
GSSAPI failed, username/password are indeed required. So it wouldn't be
a problem, at least from my reading of the code and tests with the spicy
tool.

However, there is a problem with cases like virt-manager, which assumes
there is only a password per channel required and never shows you a
request to enter a username in case of SASL GSSAPI failure. When you enter
a password, the underlying code would complain that the username is missing,
but no way to enter a username would be provided. This is virt-manager's
issue, not spice-gtk's.
--
/ Alexander Bokovoy