Re: [Spice-devel] Help with SmartCards and XSpice
I think I have a tentative, but sufficient grasp of how the Smart Card stuff flows from the client into the server. It's not quite as clear how the server bridges it into qemu, but I think I have the gist of it. However, that doesn't work for XSpice sessions.

I'm not sure why it shouldn't. The qemu portion simply forwards the ccid APDUs from the host. Spice has libcacard which translates the CAC requests into calls against your PKCS #11 token on your client side.

Alright, my ignorance is showing; perhaps I need to understand the qemu path better.

In what I think of as a typical use case, you have a client with a smart card reader attached. Let's say that is a Fedora 20 box. Then you have a host system which runs qemu to start a guest VM; let's say the host system is RHEL and the guest VM is Fedora RawHide.

My understanding is that the client (essentially spice-gtk) interacts with the physical hardware, and uses libcacard to put the smartcard data onto the Spice smartcard channel. This is passed over the spice channel into qemu (running on the host), which uses the spice server calls to decode the data, and then it writes the data to a virtual character device that appears in the guest as a USB CCID device. RawHide detects that and treats it as a 'real' hardware device.

How am I doing so far? Is that about right?

In the XSpice case, we have no qemu. Instead, the host system runs Xorg against what is a virtual framebuffer, and runs the xf86-video-qxl xorg driver. In my use case, I've got Xorg running, with spice, and I'm just about to launch xdm. I'd really like to have a smartcard, if available, be part of the pam stack prior to launching xdm, so that it can be used by pam.

Given that, how do you expect the smartcard data to flow into that Xorg session? I imagine that either the qxl driver, or a different utility (e.g. vd_agent) would be required in order to relay the smartcard data from the channel and into the pam stack. Is there something I'm missing?

It looks to me that this should be possible. My research suggests that pam_pkcs11 is pluggable, and that it should be possible to write a module that would receive the cert information.

pam_pkcs11 uses pluggable PKCS #11 modules (which also work in Firefox and other NSS applications). You would have to install this module in your guest, however. I think redirecting the CCID USB data would be easier, though.

Yeah, I saw that ccid was also pluggable, and I begin to see why that would be a better layer to plug into. (Saves me the hassle of parsing the cert data, right?)

Cheers,

Jeremy

___
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel
[Spice-devel] [spice-html5] Use wss scheme when accessing with https protocol
Hi, Currently the websocket connection is only being established using the ws scheme. Adding support for wss scheme when using https protocol to allow ssl connection. --- spice_auto.html | 3 +++ 1 file changed, 3 insertions(+) diff --git a/spice_auto.html b/spice_auto.html index 0a01996..b80b01c 100644 --- a/spice_auto.html +++ b/spice_auto.html @@ -99,6 +99,9 @@ } } port = spice_query_var('port', default_port); +if (window.location.protocol == 'https:') { +scheme = "wss://"; +} // If a token variable is passed in, set the parameter in a cookie. // This is used by nova-spiceproxy. -- 1.9.3
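Review bot: The added `if (window.location.protocol == 'https:')` block, placed right after `port = spice_query_var('port', default_port);`, assigns `scheme` although no declaration or `ws://` default for it is visible in the hunk. Please confirm that `scheme` is declared earlier in spice_auto.html and is what the WebSocket URI is built from; otherwise the assignment creates an implicit global that nothing reads. The check also changes only the scheme and leaves `port` as resolved on the line above, so the commit message should say whether the port reached from an https page is expected to terminate TLS. Minor: prefer strict comparison, `=== 'https:'`.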
Re: [Spice-devel] [PATCH] Release 0.1.2
On 07/24/2014 03:58 PM, poma wrote:
> On 24.07.2014 14:43, Alon Levy wrote:
>>> On 23.07.2014 14:40, Marc-André Lureau wrote:
>>>> ack, thanks!
>>>
>>> Are you picking up this one for Fedora?
>>
>> The actual patches for any relevant bugs should already be there,
>> doing a rebase will probably happen the next time someone needs to fix
>> something (i.e. some bz).
>
> Is it not a sufficient reason the amount of patches per se? :)
> http://pkgs.fedoraproject.org/cgit/xorg-x11-drv-qxl.git/plain/

Touch.

> remote desktop fan club
Re: [Spice-devel] [PATCH] Release 0.1.2
On 24.07.2014 14:43, Alon Levy wrote:
>> On 23.07.2014 14:40, Marc-André Lureau wrote:
>>> ack, thanks!
>>
>> Are you picking up this one for Fedora?
>
> The actual patches for any relevant bugs should already be there,
> doing a rebase will probably happen the next time someone needs to fix
> something (i.e. some bz).

Is it not a sufficient reason the amount of patches per se? :)
http://pkgs.fedoraproject.org/cgit/xorg-x11-drv-qxl.git/plain/

remote desktop fan club
Re: [Spice-devel] [PATCH] Release 0.1.2
> On 23.07.2014 14:40, Marc-André Lureau wrote:
> > ack, thanks!
>
> Are you picking up this one for Fedora?

The actual patches for any relevant bugs should already be there, doing a rebase will probably happen the next time someone needs to fix something (i.e. some bz).

> remote desktop fan club
Re: [Spice-devel] [PATCH] Release 0.1.2
On 23.07.2014 14:40, Marc-André Lureau wrote:
> ack, thanks!

Are you picking up this one for Fedora?

remote desktop fan club