[Spice-devel] [spice-gtk v2] sasl: fix SASL GSSAPI by allowing NULL username

Alexander Bokovoy abokovoy at redhat.com
Fri Jun 10 09:22:26 UTC 2016


On Fri, 10 Jun 2016, Pavel Grunt wrote:
>> > How does it affect info about auth failure provided by
>> > spice_channel_failed_authentication() ?
>> If c->auth_needs_username is set, spice_channel_failed_authentication()
>> will tell that a username is required. This is certainly true -- if SASL
>> GSSAPI failed, username/password are indeed required. So it wouldn't be
>> a problem, at least from my reading of the code and tests with spicy
>> tool.
>>
>> However, there is a problem with cases like virt-manager which assumes
>> there is only a password per channel required and never shows you a
>> request to enter username in case of SASL GSSAPI failure. When you enter
>> a password, the underlying code would complain that username is missing
>> but no way to enter username would be provided. This is virt-manager's
>> issue.
>Is there a bug ?
No, now I'm not able to reproduce it when SASL GSSAPI is fixed.
Do you want a bug for the case when you don't have a valid ticket in the
ccache?

>(not related to the patch - it would be nice to rewrite/clean up the "SASL" part
>of spice-channel.c)
There could be a bit of clean up but the main auth code is correct.

I would perhaps add support to optionally allow TGT delegation but we
would need it only once we would build up a channel to sign in to a
VM so that TGT could be forwarded into a VM's ccache.


-- 
/ Alexander Bokovoy

