About SASL: http://spice-space.org/page/Features/SASL

"Testing
Running QEMU/KVM standalone, with SASL enabled.

Add the ',sasl' flag when launching QEMU with a Spice server. The choice of SASL mechanism is made in /etc/sasl2/qemu.conf. "digest-md5" is a simple (but not very secure) username+password method, while "gssapi" enables Kerberos (TODO: Kerberos untested with Spice so far).

If using a SASL mechanism, then just add the 'sasl' flag, e.g. with TLS:

  qemu ... -spice tls-port=5930,disable-ticketing,x509-key-file=server-key.pem,x509-key-password=redhat,x509-cert-file=server-cert.pem,x509-cacert-file=ca-cert.pem,sasl"

But I don't know if SASL is already implemented in the client.

Implementation in oVirt: http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal

"So what happens when you hit the "Console" button?
 - ovirt-engine sets a new password and its expiry time (by default 120 s), which together compose a ticket
 - ovirt-engine looks up other connection details (more on them later) in its database
 - ovirt-engine passes all the connection info to the portal
 - portal sets variables on the spice-xpi object
 - spice-xpi launches the spice client and passes the variables to it via a unix socket
 - spice client connects directly to a host using the data given to it by the portal"

So authentication is done internally in the oVirt user database, then a temporary ticket of 120 s is generated and the spice client sends it as the password. I don't think it's less secure; bruteforcing the ticket in a short time is very difficult (the ticket is encrypted with RSA).

----- Original Message -----
From: "Michael Rasmussen" <[email protected]>
To: [email protected]
Sent: Monday, 1 October 2012 17:45:56
Subject: Re: [pve-devel] pve-spice 0.12 package + report

On Mon, 1 Oct 2012 15:40:33 +0000
Dietmar Maurer <[email protected]> wrote:
> > for pve-auth ?
> > spicec client only sends the password without login, I don't see how we can
> > do this without hacking the client...
>
> So how is that expected to work? Authentication needs a user name, else it
> does not make much sense?

"In addition to encryption, the SPICE protocol allows for a choice of authentication schemes. The original SPICE protocol defined a ticket based authentication scheme using a shared secret. The server would generate an RSA public/private keypair and send its public key to the client. The client would encrypt the ticket (password) with the public key and send the result back to the server, which would decrypt and verify the ticket. The current SPICE protocol also allows for use of the SASL authentication protocol, thus enabling support for a wide range of admin configurable authentication mechanisms, in particular Kerberos"
http://en.wikipedia.org/wiki/SPICE_(protocol)

--
Hilsen/Regards
Michael Rasmussen

Get my public GnuPG keys:
michael <at> rasmussen <dot> cc
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD3C9A00E
mir <at> datanom <dot> net
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE501F51C
mir <at> miras <dot> org
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE3E80917
--------------------------------------------------------------
_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
