Bug 1688275
Summary: | remote-viewer connecting to guest with vnc_sasl setting closed unexpectedly after input wrong username and passwd | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Daniel Berrangé <berrange> |
Component: | gtk-vnc | Assignee: | Daniel Berrangé <berrange> |
Status: | CLOSED ERRATA | QA Contact: | Desktop QE <desktop-qa-list> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 8.0 | CC: | cfergeau, dblechte, desktop-qa-list, dyuan, elima, fjin, fziglio, jjongsma, juzhou, mkrajnak, tpelka, tzheng, xiaodwan, yafu, zpeng |
Target Milestone: | rc | | |
Target Release: | 8.0 | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | gtk-vnc-0.9.0-2.el8 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | 1456175 | Environment: | |
Last Closed: | 2020-04-28 15:59:10 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1456175 | | |
Bug Blocks: | | | |

Description
Daniel Berrangé
2019-03-13 12:33:25 UTC
I am not sure how to verify this. Here is the reproducer I tried and it ended up with vnc-viewer crash.

> Steps to Reproduce:
> 1.Enable vnc_sasl in /etc/libvirt/qemu.conf:
> #vim /etc/libvirt/qemu.conf
> vnc_sasl=1

DONE

> 2.Set the DIGEST-MD5 mechanisms in /etc/sasl2/qemu.conf
> mech_list: digest-md5
> sasldb_path: /tmp/passwd.db

I have only /etc/sasl2/qemu-kvm.conf file, there is a message in the file describing that MD5 is vulnerable and gssapi is used instead. So I set:

mech_list: gssapi
sasldb_path: /tmp/passwd.db

and also this was allowed by default:

keytab: /etc/qemu/krb5.tab

>
> auxprop_plugin: sasldb

There is no plugin option in the file

> 3.Restart libvirtd service:
> #systemctl restart libvirtd

Done, service running

> 4.Create a user and set sasl passwd for qemu-kvm (Set the passwd as redhat):
> #saslpasswd2 -f /tmp/passwd.db -c redhat

Done

> 5.Start a guest with vnc setting:
> #virsh dumpxml rhel7.3-min
> ...
> <graphics type='vnc' port='5901' autoport='yes' listen='0.0.0.0'>
> <listen type='address' address='0.0.0.0'/>
> </graphics>
> ...

I started

#virsh #dumpxml 8.2
....
<graphics type='vnc' port='-1' autoport='yes'>
<listen type='address'/>
</graphics>
....

Then:

# start 8.2 --console

> 6.Change the context of /tmp/passwd.db to the same with the context of the
> qemu process:
> #ps auxZ | grep qemu-kvm
> system_u:system_r:svirt_t:s0:c94,c384 qemu 24986 2.1 10.0 6103836 783240 ?
> Sl 18:07 0:29 /usr/libexec/qemu-kvm -name
> guest=rhel7.3-min,debug-threads=on ...
> #chcon system_u:system_r:svirt_t:s0:c94,c384 /tmp/passwd.db
>
> 7.Change the permission of file /tmp/passwd.db:
> #chmod o+rx /tmp/passwd.db
>
> 8.Connect the guest from client:
> #remote-viewer vnc://10.66.70.106:5901 --debug --gtk-vnc-debug
>
> 9.Input the wrong user and passwd
>

I could only insert the password, username field was blocked. After 1st password insertion I got the error, dialog spawned again, I typed the wrong password again and it crashed. What do you think? Is this reproducer OK? About the crash, is it related to the bug?

I am installing debuginfos to provide more about the crash.

I cannot reproduce the crash anymore, I might be doing something wrong, can you please help with the reproducer?

I've never reproduced this bug myself, so the only information I have is what's in the initial bug description here.

OK, verifying sanity only then.

(In reply to Martin Krajnak from comment #2)
> > 2.Set the DIGEST-MD5 mechanisms in /etc/sasl2/qemu.conf
> > mech_list: digest-md5
> > sasldb_path: /tmp/passwd.db
>
> I have only /etc/sasl2/qemu-kvm.conf file, there is a message in the file
> describing that MD5 is vulnerable and gssapi is used instead. So I set:

For testing, I'd stick with digest-md5, I've always assumed gssapi is much more complicated to set up :)

(In reply to Christophe Fergeau from comment #6)
> (In reply to Martin Krajnak from comment #2)
> > > 2.Set the DIGEST-MD5 mechanisms in /etc/sasl2/qemu.conf
> > > mech_list: digest-md5
> > > sasldb_path: /tmp/passwd.db
> >
> > I have only /etc/sasl2/qemu-kvm.conf file, there is a message in the file
> > describing that MD5 is vulnerable and gssapi is used instead. So I set:
>
> For testing, I'd stick with digest-md5, I've always assumed gssapi is much
> more complicated to setup :)

Thanks for the advice, I wasn't sure if it is okay to change steps in the setup :)

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1690