
Re: [Xen-devel] [RFC] xl: support configuration of encrypted VNC



On Tue, 2011-12-20 at 18:25 +0000, Ian Jackson wrote:
> Ian Campbell writes ("[Xen-devel] [RFC] xl: support configuration of encrypted VNC"):
> > Someone pointed out that it's not possible to configure encrypted vnc
> > via xl, while it is possible via xm. This is obviously quite nice to
> > have if you are logging in as root...
> > 
> > The following is my initial attempt but TBH I'm not sure if this is
> > presenting the correct interface at either the libxl or xl level. Since
> > I don't actually use this stuff myself I'm finding it a bit hard to
> > judge how much flexibility is needed or even what the right names/terms
> > for things are. Opinions?
> 
> What is the security implication of the path with the certificates ?
> Is it that only clients with that particular certificate can connect ?

This option corresponds to the path given to the x509 or x509verify
option to qemu's -vnc. The man page isn't totally clear about what goes
on but AIUI it will look for a CA cert under here and only accept
clients with a cert signed by that CA.

There must surely (?!) be a way to allow you to certify two customers
but only allow them to connect to their own VM, but I don't see what it
is. I don't seem to have ended up with either half of a client cert
under that path, yet all three options worked for me.

Aha, http://libvirt.org/remote.html suggests that the client cert's DN
can be checked against an access control list. Upstream qemu documents
an "acl" command you must use via the monitor to allow the DN. qemu-xen
seems to predate this support.

> 
> > +        if (!xlu_cfg_get_string (config, "vnctls", &buf, 0)) {
> > +            fprintf(stderr, "VNC: %s\n", buf);
> > +            if (libxl_vnc_tlsmode_from_string(buf, &dm_info->vnctls)) {
> > +                fprintf(stderr, "ERROR: invalid value \"%s\" for 
> > \"vnctls\"\n",
> > +                        buf);
> > +                exit (1);
> > +            }
> > +        } else {
> > +            fprintf(stderr, "!VNC: %s\n", buf);
> > +            exit(1);
> > +        }
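Review bot: the else branch (last five lines of the hunk) makes a config file that simply omits "vnctls" a fatal error, and its fprintf prints buf even though the failed xlu_cfg_get_string lookup is not known to have assigned it anything; an absent option should leave dm_info->vnctls at its default, so drop the else branch entirely and also remove the two stderr prints ("VNC: %s\n" and "!VNC: %s\n"), which read as debugging output rather than user-facing diagnostics. The exit(1) on an invalid value in the first branch is the right behaviour and can stay.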
> 
> This is a bit odd.  If you don't say "vnctls" in your config file, the
> config parser just exits ?

Err, that may have been some debug cruft to check I was really passing
the right option when it didn't seem to be working...

Ian.
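The two-stage check Ian describes above, as an added shell illustration that is not code from this thread, from xl/libxl or from qemu. It builds the directory that qemu's "-vnc ...,tls,x509verify=DIR" reads (upstream qemu documents ca-cert.pem, server-cert.pem and server-key.pem there), signs a client cert for each of two customers with that one CA, and then shows the gap: x509verify alone admits any cert the CA signed, so keeping customer A off customer B's VM needs a second check on the client DN. The acl_for_vm function is a stand-in for the upstream monitor commands "acl_policy vnc.x509dname deny" and "acl_add vnc.x509dname <DN> allow"; the VM names, customer names and DNs are constructed for the example. It needs the openssl command-line tool.

```shell
#!/bin/sh
# Added illustration of qemu's VNC x509verify check plus a DN allow-list.
# Not the thread's, xl's, libxl's or qemu's code; acl_for_vm() models the
# upstream monitor "acl" commands rather than calling them. Needs openssl.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
X509_DIR="$WORK/x509"          # would be passed as x509verify=$X509_DIR
mkdir -p "$X509_DIR"

CA_CERT="$X509_DIR/ca-cert.pem"
CA_KEY="$WORK/ca-key.pem"      # kept outside the directory qemu reads

# Self-signed CA plus the server cert/key qemu presents to VNC clients,
# under the file names upstream qemu documents for the x509 directory.
make_ca_and_server() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example VNC CA" \
        -keyout "$CA_KEY" -out "$CA_CERT" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=vnc.example.com" \
        -keyout "$X509_DIR/server-key.pem" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$CA_CERT" -CAkey "$CA_KEY" \
        -CAcreateserial -out "$X509_DIR/server-cert.pem" 2>/dev/null
}

# issue_client_cert NAME CACERT CAKEY: sign a client cert for CN=NAME with
# the given CA and print the path of the resulting cert.
issue_client_cert() {
    name=$1; cacert=$2; cakey=$3
    openssl req -newkey rsa:2048 -nodes -subj "/O=Example Org/CN=$name" \
        -keyout "$WORK/$name-key.pem" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$name.csr" -CA "$cacert" -CAkey "$cakey" \
        -CAcreateserial -out "$WORK/$name-cert.pem" 2>/dev/null
    echo "$WORK/$name-cert.pem"
}

# Stage 1, all that x509verify gives you: was the client cert signed by our CA?
ca_only_admit() {
    openssl verify -CAfile "$CA_CERT" "$1" >/dev/null 2>&1
}

# Client DN in RFC 2253 form, e.g. "CN=customer-a,O=Example Org". The sed
# strips the "subject=" prefix, which older openssl follows with a space.
client_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Stage 2, the per-VM allow-list (constructed data): one DN per line that may
# reach that VM. A VM with no entries denies everyone (policy deny).
acl_for_vm() {
    case $1 in
        vm-a) echo "CN=customer-a,O=Example Org" ;;
        vm-b) echo "CN=customer-b,O=Example Org" ;;
        *)    : ;;
    esac
}

# vnc_admit VM CERT: 0 if CERT may open a VNC session to VM, 1 otherwise.
vnc_admit() {
    ca_only_admit "$2" || return 1
    acl_for_vm "$1" | grep -qxF -- "$(client_dn "$2")"
}

make_ca_and_server
A=$(issue_client_cert customer-a "$CA_CERT" "$CA_KEY")
B=$(issue_client_cert customer-b "$CA_CERT" "$CA_KEY")
# A cert from a CA the server does not trust, for contrast.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Rogue CA" \
    -keyout "$WORK/rogue-key.pem" -out "$WORK/rogue-cert.pem" 2>/dev/null
R=$(issue_client_cert intruder "$WORK/rogue-cert.pem" "$WORK/rogue-key.pem")

# customer-a and customer-b both pass the CA check; only the DN list tells
# them apart, and the rogue cert fails before the DN is even looked at.
for cert in "$A" "$B" "$R"; do
    printf '%-18s CA check: %s' "$(basename "$cert")" \
        "$(ca_only_admit "$cert" && echo pass || echo fail)"
    for vm in vm-a vm-b; do
        printf '  %s: %s' "$vm" "$(vnc_admit "$vm" "$cert" && echo allow || echo deny)"
    done
    echo
done
```

The point of the split is visible in the output: with x509verify alone every cert the CA ever issued opens every VM's console, which is the "certify two customers" problem in the message above; the DN list is what makes the certificate identify a particular customer rather than merely "someone we issued a cert to".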



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
