On Tuesday, June 05, 2012 11:51:40 PM Alexander Graf wrote:
> On 05.06.2012, at 23:45, Paul Moore wrote:
> > On Tuesday, June 05, 2012 03:08:26 AM Alexander Graf wrote:
> >> Which gets me to a new idea. Why not exit(1) when we detect FIPS and a
> >> password is set? I agree with the assessment that we should never
> >> silently drop features. So the best way to make sure that the user knows
> >> he did something stupid (enable FIPS, but require a non-FIPS compliant
> >> authentication method) would be to just quit, no?
> >
> > That is basically what the patch does now. In vnc_display_open() if it
> > detects that the user has supplied a VNC password it prints an error to
> > stderr and returns an error which causes QEMU to exit.
> >
> > The error message displayed is shown below:
> >
> > "VNC password auth disabled due to FIPS mode, consider using the VeNCrypt
> > or SASL authentication methods as an alernative"
> >
> > ... which seems pretty obvious to me. If anyone would prefer something
> > different, let me know.
>
> No, as long as the spelling is actually correct and not the one above,
> that's perfectly fine.

What, not a fan of my "alernative" spelling? Fixed in the next version of the
patch :)

> I just have a habit of not reading the patches I comment on :).

If nothing else, it makes the discussions much more interesting :)

> > On Tuesday, June 05, 2012 09:23:04 AM Anthony Liguori wrote:
> >> I think my primary requirement is: allow a user to use vnc authentication
> >> even when fips mode is active by using some command line option.
> >
> > I'll agree that FIPS mode can be a bit silly in the case of QEMU and VNC
> > but to be honest, that requirement above seems just as silly to me, if
> > not more so. However, if making this behavior optional is what it takes
> > to get the patch accepted, so be it.
> >
> > I'll start working on v4 of the patch tomorrow.
>
> Let's just wait for Anthony to reply ...

Fine with me, I've got plenty else to do in the meantime and I don't think
this is 1.1 material anyway.

--
paul moore
security and virtualization @ redhat