[Spice-devel] [PATCH v2 spice-gtk 1/2] authentication: Handle failed SASL authentication separately
Daniel P. Berrange
berrange at redhat.com
Wed Feb 22 11:30:00 UTC 2017
On Wed, Feb 22, 2017 at 11:47:10AM +0100, Christophe Fergeau wrote:
> On Wed, Feb 22, 2017 at 11:50:21AM +0200, Snir Sheriber wrote:
> > Hi,
> >
> >
> > On 02/21/2017 06:37 PM, Christophe Fergeau wrote:
> > > On Sun, Feb 19, 2017 at 04:47:17PM +0200, Snir Sheriber wrote:
> > > > Remove handling with failures in the SASL authentication
> > > > process to separate function
> > > > ---
> > > > src/spice-channel.c | 44 +++++++++++++++++++++++++++-----------------
> > > > 1 file changed, 27 insertions(+), 17 deletions(-)
> > > >
> > > > diff --git a/src/spice-channel.c b/src/spice-channel.c
> > > > index af67931..cbf1291 100644
> > > > --- a/src/spice-channel.c
> > > > +++ b/src/spice-channel.c
> > > > @@ -1113,28 +1113,38 @@ static int spice_channel_read(SpiceChannel *channel, void *data, size_t length)
> > > > return length;
> > > > }
> > > > +#if HAVE_SASL
> > > > /* coroutine context */
> > > > -static void spice_channel_failed_authentication(SpiceChannel *channel,
> > > > - gboolean invalidPassword)
> > > > +static void spice_channel_failed_sasl_authentication(SpiceChannel *channel)
> > > > {
> > > > SpiceChannelPrivate *c = channel->priv;
> > > > + gint err_code; /* Affects the authentication window activated fileds */
> > > > if (c->auth_needs_username && c->auth_needs_password)
> > > > - g_set_error_literal(&c->error,
> > > > - SPICE_CLIENT_ERROR,
> > > > - SPICE_CLIENT_ERROR_AUTH_NEEDS_PASSWORD_AND_USERNAME,
> > > > - _("Authentication failed: password and username are required"));
> > > > + err_code = SPICE_CLIENT_ERROR_AUTH_NEEDS_PASSWORD_AND_USERNAME;
> > > > else if (c->auth_needs_username)
> > > > - g_set_error_literal(&c->error,
> > > > - SPICE_CLIENT_ERROR,
> > > > - SPICE_CLIENT_ERROR_AUTH_NEEDS_USERNAME,
> > > > - _("Authentication failed: username is required"));
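Review bot: the comment on the new `gint err_code;` declaration has a typo ("fileds" should be "fields"), and because the variable is declared without an initializer, every branch of the if/else chain that follows must assign it before it is used; the quoted part of the hunk shows only the first two branches, so either initialize it at the declaration or make sure the chain ends in an unconditional else. Also, since `spice_channel_failed_authentication()` is renamed to `spice_channel_failed_sasl_authentication()` and placed under `#if HAVE_SASL`, any caller on the non-SASL authentication path needs its own failure handling or the build without SASL will lose it.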
> > Is there a mechanism that allows only username?
>
> I guess in SSO setups, it makes sense to first ask for just a username,
> then check for a valid kerberos ticket for that username (or whatever
> you use for SSO), and if there is no such ticket, then ask for an
> additional authentication token.
If you want to correctly use SASL then you should not make any
assumptions about which credentials you'll be asked for. Even if a
mechanism wants the username *and* password, it is permitted to
ask for them in separate steps of the handshake. So you might need
to pop up a dialog to ask for username, and then later ask for
password in a new dialog popup. It is up to the mechanism plugin
to decide which to ask for at which point, so the app cannot
predict that.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|
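The point Daniel makes above, that the mechanism and not the application decides which credential is requested at which step, can be shown with a small constructed mock of a SASL-style interaction loop. This is an added example, not spice-gtk or libsasl2 code: the `mock_mech` structures, the `PROMPT_*` ids, the `AUTH_NEEDS_*` codes (modelled on the patch's `SPICE_CLIENT_ERROR_AUTH_NEEDS_*` names) and the functions `run_handshake` and `authenticate` are all assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed mock of a SASL-style interaction loop (added example, not spice-gtk
 * or libsasl2 code).  The mechanism, not the application, decides which credential
 * it wants at each step of the handshake; the application only answers what it is
 * asked for and then retries. */

/* Prompt ids a mechanism step can request (bitmask). */
enum { PROMPT_USER = 1, PROMPT_PASS = 2 };

/* Outcome codes; the NEEDS_* names are modelled on the patch's
 * SPICE_CLIENT_ERROR_AUTH_NEEDS_* values (assumption, not the real enum). */
enum {
    AUTH_OK = 0,
    AUTH_NEEDS_USERNAME = 1,
    AUTH_NEEDS_PASSWORD = 2,
    AUTH_NEEDS_PASSWORD_AND_USERNAME = 3
};

/* A mock mechanism: for each handshake step, the prompts it must have answered. */
typedef struct {
    int nsteps;
    int needs[4];
} mock_mech;

/* Two mechanisms the app cannot tell apart in advance: one asks for the username
 * first and the password in a later step, the other wants both in a single step. */
static const mock_mech MECH_TWO_STEP = { 2, { PROMPT_USER, PROMPT_PASS } };
static const mock_mech MECH_ONE_STEP = { 1, { PROMPT_USER | PROMPT_PASS } };

/* Credentials the app has collected so far; NULL means "not supplied yet". */
typedef struct {
    const char *user;
    const char *pass;
} creds;

/* Map the prompts still outstanding at a step to the code the UI would act on. */
static int needs_to_code(int outstanding)
{
    if ((outstanding & PROMPT_USER) && (outstanding & PROMPT_PASS))
        return AUTH_NEEDS_PASSWORD_AND_USERNAME;
    if (outstanding & PROMPT_USER)
        return AUTH_NEEDS_USERNAME;
    if (outstanding & PROMPT_PASS)
        return AUTH_NEEDS_PASSWORD;
    return AUTH_OK;
}

/* Drive the handshake with whatever credentials are currently known.  Returns AUTH_OK
 * once every step is satisfied, otherwise the NEEDS_* code of the first blocked step,
 * so the caller can prompt for exactly that and call again.  *steps_done receives the
 * index of the blocked step (or nsteps on success). */
int run_handshake(const mock_mech *m, const creds *c, int *steps_done)
{
    for (int s = 0; s < m->nsteps; s++) {
        int outstanding = 0;
        if ((m->needs[s] & PROMPT_USER) && c->user == NULL)
            outstanding |= PROMPT_USER;
        if ((m->needs[s] & PROMPT_PASS) && c->pass == NULL)
            outstanding |= PROMPT_PASS;
        if (outstanding) {
            if (steps_done) *steps_done = s;
            return needs_to_code(outstanding);
        }
    }
    if (steps_done) *steps_done = m->nsteps;
    return AUTH_OK;
}

/* Simulated application loop: show a dialog only for what the current result asks
 * for.  Returns how many dialogs were needed, which the mechanism decides, not the
 * app.  (A real client would also handle the user cancelling a dialog.) */
int authenticate(const mock_mech *m, const char *user, const char *pass)
{
    creds c = { NULL, NULL };
    int step, rc, dialogs = 0;
    while ((rc = run_handshake(m, &c, &step)) != AUTH_OK) {
        dialogs++;
        printf("step %d: mechanism reports code %d\n", step, rc);
        if (rc == AUTH_NEEDS_USERNAME || rc == AUTH_NEEDS_PASSWORD_AND_USERNAME)
            c.user = user;            /* stands in for a username dialog */
        if (rc == AUTH_NEEDS_PASSWORD || rc == AUTH_NEEDS_PASSWORD_AND_USERNAME)
            c.pass = pass;            /* stands in for a password dialog */
    }
    return dialogs;
}

int main(void)
{
    printf("two-step mechanism needed %d dialog(s)\n",
           authenticate(&MECH_TWO_STEP, "alice", "secret"));
    printf("one-step mechanism needed %d dialog(s)\n",
           authenticate(&MECH_ONE_STEP, "alice", "secret"));
    return 0;
}
```

Run against the two mock mechanisms, the same application code ends up showing two dialogs for one mechanism and a single combined dialog for the other, without ever having been told in advance which it would be; the only state the client keeps is what it has already been asked for.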