ui: introduce "password-secret" option for VNC servers
Currently when using VNC the "password" flag turns on password based
authentication. The actual password has to be provided separately via
the monitor.
This introduces a "password-secret" option which lets the password be
provided up front.
$QEMU --object secret,id=vncsec0,file=passwd.txt \
--vnc localhost:0,password-secret=vncsec0
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20210311114343.439820-2-berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
This commit is contained in:
Daniel P. Berrangé
Gerd Hoffmann
parent
6157b0e197
commit
6c6840e928
|
|
@ -2165,6 +2165,11 @@ SRST
|
||||||
time to allow <protocol> password to expire immediately or never
|
time to allow <protocol> password to expire immediately or never
|
||||||
expire.
|
expire.
|
||||||
|
|
||||||
|
``password-secret=<secret-id>``
|
||||||
|
Require that password based authentication is used for client
|
||||||
|
connections, using the password provided by the ``secret``
|
||||||
|
object identified by ``secret-id``.
|
||||||
|
|
||||||
``tls-creds=ID``
|
``tls-creds=ID``
|
||||||
Provides the ID of a set of TLS credentials to use to secure the
|
Provides the ID of a set of TLS credentials to use to secure the
|
||||||
VNC server. They will apply to both the normal VNC server socket
|
VNC server. They will apply to both the normal VNC server socket
|
||||||
|
|
|
||||||
23
ui/vnc.c
23
ui/vnc.c
|
|
@ -48,6 +48,7 @@
|
||||||
#include "crypto/tlscredsanon.h"
|
#include "crypto/tlscredsanon.h"
|
||||||
#include "crypto/tlscredsx509.h"
|
#include "crypto/tlscredsx509.h"
|
||||||
#include "crypto/random.h"
|
#include "crypto/random.h"
|
||||||
|
#include "crypto/secret_common.h"
|
||||||
#include "qom/object_interfaces.h"
|
#include "qom/object_interfaces.h"
|
||||||
#include "qemu/cutils.h"
|
#include "qemu/cutils.h"
|
||||||
#include "qemu/help_option.h"
|
#include "qemu/help_option.h"
|
||||||
|
|
@ -3459,6 +3460,9 @@ static QemuOptsList qemu_vnc_opts = {
|
||||||
},{
|
},{
|
||||||
.name = "password",
|
.name = "password",
|
||||||
.type = QEMU_OPT_BOOL,
|
.type = QEMU_OPT_BOOL,
|
||||||
|
},{
|
||||||
|
.name = "password-secret",
|
||||||
|
.type = QEMU_OPT_STRING,
|
||||||
},{
|
},{
|
||||||
.name = "reverse",
|
.name = "reverse",
|
||||||
.type = QEMU_OPT_BOOL,
|
.type = QEMU_OPT_BOOL,
|
||||||
|
|
@ -3931,6 +3935,7 @@ void vnc_display_open(const char *id, Error **errp)
|
||||||
int lock_key_sync = 1;
|
int lock_key_sync = 1;
|
||||||
int key_delay_ms;
|
int key_delay_ms;
|
||||||
const char *audiodev;
|
const char *audiodev;
|
||||||
|
const char *passwordSecret;
|
||||||
|
|
||||||
if (!vd) {
|
if (!vd) {
|
||||||
error_setg(errp, "VNC display not active");
|
error_setg(errp, "VNC display not active");
|
||||||
|
|
@ -3948,7 +3953,23 @@ void vnc_display_open(const char *id, Error **errp)
|
||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
|
|
||||||
password = qemu_opt_get_bool(opts, "password", false);
|
|
||||||
|
passwordSecret = qemu_opt_get(opts, "password-secret");
|
||||||
|
if (passwordSecret) {
|
||||||
|
if (qemu_opt_get(opts, "password")) {
|
||||||
|
error_setg(errp,
|
||||||
|
"'password' flag is redundant with 'password-secret'");
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
vd->password = qcrypto_secret_lookup_as_utf8(passwordSecret,
|
||||||
|
errp);
|
||||||
|
if (!vd->password) {
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
password = true;
|
||||||
|
} else {
|
||||||
|
password = qemu_opt_get_bool(opts, "password", false);
|
||||||
|
}
|
||||||
if (password) {
|
if (password) {
|
||||||
if (fips_get_state()) {
|
if (fips_get_state()) {
|
||||||
error_setg(errp,
|
error_setg(errp,
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue