On Wed, Aug 24, 2011 at 07:55:38AM -0500, Anthony Liguori wrote: > On 08/24/2011 07:50 AM, Daniel P. Berrange wrote: > >On Wed, Aug 24, 2011 at 07:45:06AM -0500, Anthony Liguori wrote: > >>On 08/24/2011 06:01 AM, Daniel P. Berrange wrote: > >>>From: "Daniel P. Berrange"<berra...@redhat.com> > >>> > >>>In CVE-2011-0011 it was noted that setting an empty password > >>>would disable all authentication for the VNC password. Commit > >>>1cd20f8bf0ecb9d1d1bd5e2ffab3b88835380c9b attempted to fix this > >>>but it just broke it in a different way, because now instead > >>>of blindly disabling all authentication, it blindly resets all > >>>authentication to 'VNC'. > >> > >>But this is *not* a security problem. Login becomes disabled as expected. > > > >It *is* a security problem, because if you do > > > > change vnc password 123 > > change vnc password "" > > change vnc password 456 > > > >you have lost the authentication settings you requested. > > > >With this patch, changing the password to "" *still* disables > >the login, without side effects on the auth scheme. > > Just because it isn't doing what you expect it to do doesn't make it > a security problem. This is the current behavior and you simply > cannot write a management tool without being aware of this behavior > for better or worse.
This was *not* the behaviour for many releases. It is a regression against the original behaviour of the change vnc password in QEMU which we had succesfully worked with in libvirt since password+TLS support was written for QEMU. The current behaviour is unusably broken. It cannot be used without creating a security problem, where as the original QEMU behaviour was succesfully usable. Simply saying that we must create a new command, instead of fixing the QEMU regression does nothing to help existing apps which are expecting current QEMU releases to work as previous releases did & as the command is *documented* : http://qemu.weilnetz.de/qemu-doc.html#vnc_005fsec_005fcertificate_005fpw [quote] 3.11.5 With x509 certificates, client verification and passwords Finally, the previous method can be combined with VNC password authentication to provide two layers of authentication for clients. qemu [...OPTIONS...] -vnc :1,password,tls,x509verify=/etc/pki/qemu -monitor stdio (qemu) change vnc password Password: ******** (qemu) [/quote] This documented example no longer works because authentication is being silently reset. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
