Bug 1688275

Summary: remote-viewer connecting to guest with vnc_sasl setting closed unexpectedly after input wrong username and passwd
Product: Red Hat Enterprise Linux 8
Component: gtk-vnc
Version: 8.0
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Reporter: Daniel Berrangé <berrange>
Assignee: Daniel Berrangé <berrange>
QA Contact: Desktop QE <desktop-qa-list>
CC: cfergeau, dblechte, desktop-qa-list, dyuan, elima, fjin, fziglio, jjongsma, juzhou, mkrajnak, tpelka, tzheng, xiaodwan, yafu, zpeng
Target Milestone: rc
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: gtk-vnc-0.9.0-2.el8
Clone Of: 1456175
Bug Depends On: 1456175
Last Closed: 2020-04-28 15:59:10 UTC
Type: Bug

Description Daniel Berrangé 2019-03-13 12:33:25 UTC
+++ This bug was initially created as a clone of Bug #1456175 +++

Description of problem:
remote-viewer connecting to guest with vnc_sasl setting closed unexpectedly after input wrong username and passwd

Version-Release number of selected component:
vnc server:
libvirt-3.2.0-6.virtcov.el7.x86_64
qemu-kvm-rhev-2.9.0-6.el7.x86_64
virt-viewer-5.0-4.el7.x86_64


How reproducible:
100%

Steps to Reproduce:
1. Enable vnc_sasl in /etc/libvirt/qemu.conf:
# vim /etc/libvirt/qemu.conf
vnc_sasl=1

2. Set the DIGEST-MD5 mechanism in /etc/sasl2/qemu.conf:
mech_list: digest-md5
sasldb_path: /tmp/passwd.db
auxprop_plugin: sasldb

3. Restart the libvirtd service:
# systemctl restart libvirtd

4. Create a user and set the sasl passwd for qemu-kvm (Set the passwd as redhat):
# saslpasswd2 -f /tmp/passwd.db -c redhat

5. Start a guest with vnc setting:
# virsh dumpxml rhel7.3-min
...
<graphics type='vnc' port='5901' autoport='yes' listen='0.0.0.0'>
      <listen type='address' address='0.0.0.0'/>
</graphics>
...

6. Change the context of /tmp/passwd.db to match the context of the qemu process:
# ps auxZ  | grep qemu-kvm
system_u:system_r:svirt_t:s0:c94,c384 qemu 24986 2.1 10.0 6103836 783240 ?     Sl   18:07   0:29 /usr/libexec/qemu-kvm -name guest=rhel7.3-min,debug-threads=on ...
# chcon system_u:system_r:svirt_t:s0:c94,c384 /tmp/passwd.db

7. Change the permission of file /tmp/passwd.db:
# chmod o+rx /tmp/passwd.db

8. Connect to the guest from the client:
# remote-viewer vnc://10.66.70.106:5901 --debug --gtk-vnc-debug

9. Input the wrong user and passwd

Actual results:
remote-viewer closed unexpectedly.

Expected results:
remote-viewer should show the user/passwd input window again.

Additional info:
The debug log of remote viewer is as follows:
(remote-viewer:11663): Gtk-WARNING **: Allocating size to VncDisplay 0x55ebfffa2250 without calling gtk_widget_get_preferred_width/height(). How does the code know the size to allocate?
(remote-viewer:11663): gtk-vnc-DEBUG: vncconnection.c Set credential 1 test
(remote-viewer:11663): gtk-vnc-DEBUG: vncconnection.c Set credential 0 test
(remote-viewer:11663): gtk-vnc-DEBUG: vncconnection.c Waiting for missing credentials
(remote-viewer:11663): gtk-vnc-DEBUG: vncconnection.c Got all credentials
(remote-viewer:11663): gtk-vnc-DEBUG: vncconnection.c Gather Username test
(remote-viewer:11663): gtk-vnc-DEBUG: vncconnection.c Filled SASL interact
(remote-viewer:11663): gtk-vnc-DEBUG: vncconnection.c Client step result 1. Data 258 bytes 0x55ec000ca880 'username="test",realm="hosta",nonce="si0JJLViJaBAfE7czZOPKh9Ohhj+FL/GtHs9lTH1r2Y=",cnonce="zvSvnkbHNL7QQezxAdAf6/wfRJnsUVV7n40GWOTOMk8=",nc=00000001,qop=auth-conf,cipher=rc4,maxbuf=100000,digest-uri="vnc/10.66.4.215",response=b46522be883f66e1cb1cf98a7656e367'
(remote-viewer:11663): gtk-vnc-DEBUG: vncconnection.c Server step with 258 bytes 0x55ec000ca880
(remote-viewer:11663): gtk-vnc-DEBUG: vncconnection.c Read error Resource temporarily unavailable
(remote-viewer:11663): gtk-vnc-DEBUG: vncconnection.c Closing the connection: vnc_connection_read() - ret=0
(remote-viewer:11663): gtk-vnc-DEBUG: vncconnection.c Auth failed
(remote-viewer:11663): gtk-vnc-DEBUG: vncconnection.c Doing final VNC cleanup
(remote-viewer:11663): gtk-vnc-DEBUG: vncconnection.c Close VncConnection=0x55ebfffad4c0
(remote-viewer:11663): gtk-vnc-DEBUG: vncconnection.c Emit main context 14
(remote-viewer:11663): gtk-vnc-DEBUG: vncdisplay.c Disconnected from VNC server
(remote-viewer:11663): virt-viewer-DEBUG: Not removing main window 0 0x55ebffcc4980
(remote-viewer:11663): gtk-vnc-DEBUG: vncdisplay.c Grab sequence is now Control_L+Alt_L
(remote-viewer:11663): virt-viewer-DEBUG: Disconnected
(remote-viewer:11663): virt-viewer-DEBUG: close vnc=0x55ebfffa2250
(remote-viewer:11663): gtk-vnc-DEBUG: vncconnection.c Init VncConnection=0x55ec000e6190
(remote-viewer:11663): gtk-vnc-DEBUG: vncdisplaykeymap.c Using evdev keycode mapping
(remote-viewer:11663): gtk-vnc-DEBUG: vncdisplay.c Grab sequence is now Control_L+Alt_L
(remote-viewer:11663): virt-viewer-DEBUG: notebook show status 0x55ebffeec3a0
(remote-viewer:11663): virt-viewer-DEBUG: Guest (null) display has disconnected, shutting down
(remote-viewer:11663): gtk-vnc-DEBUG: vncdisplay.c Display destroy, requesting that VNC connection close
(remote-viewer:11663): gtk-vnc-DEBUG: vncdisplay.c Releasing VNC widget
(remote-viewer:11663): gtk-vnc-DEBUG: vncconnection.c Finalize VncConnection=0x55ec000e6190

--- Additional comment from Christophe Fergeau on 2019-01-09 13:23:45 GMT ---

Moving to gtk-vnc, fixed by https://mail.gnome.org/archives/gtk-vnc-list/2019-January/msg00001.html

Comment 2 Martin Krajnak 2019-12-18 12:18:56 UTC
I am not sure how to verify this. Here is the reproducer I tried,
and it ended up with a vnc-viewer crash.

> Steps to Reproduce:
> 1.Enable vnc_sasl in /etc/libvirt/qemu.conf:
> #vim /etc/libvirt/qemu.conf
> vnc_sasl=1

DONE
 
> 2.Set the DIGEST-MD5 mechanisms in /etc/sasl2/qemu.conf
> mech_list: digest-md5
> sasldb_path: /tmp/passwd.db

I have only /etc/sasl2/qemu-kvm.conf file, there is a message in the file 
describing that MD5 is vulnerable and gssapi is used instead. So I set:

mech_list: gssapi
sasldb_path: /tmp/passwd.db

and also this was allowed by default:
keytab: /etc/qemu/krb5.tab

> 
> auxprop_plugin: sasldb

There is no plugin option in the file

> 3.Restart libvirtd service:
> #systemctl restart libvirtd

Done, service running

> 4.Create a user and set sasl passwd for qemu-kvm (Set the passwd as redhat):
> #saslpasswd2 -f /tmp/passwd.db -c redhat

Done

> 5.Start a guest with vnc setting:
> #virsh dumpxml rhel7.3-min
> ...
> <graphics type='vnc' port='5901' autoport='yes' listen='0.0.0.0'>
>       <listen type='address' address='0.0.0.0'/>
> </graphics>
> ...

I started 
#virsh

#dumpxml 8.2
....
<graphics type='vnc' port='-1' autoport='yes'>
      <listen type='address'/>
    </graphics>
....

Then:
# start 8.2 --console

> 6.Change the context of /tmp/passwd.db to the same with the context of the
> qemu process:
> #ps auxZ  | grep qemu-kvm
> system_u:system_r:svirt_t:s0:c94,c384 qemu 24986 2.1 10.0 6103836 783240 ?  
> Sl   18:07   0:29 /usr/libexec/qemu-kvm -name
> guest=rhel7.3-min,debug-threads=on ...
>  #chcon system_u:system_r:svirt_t:s0:c94,c384 /tmp/passwd.db 
> 
> 7.Change the permission of file /tmp/passwd.db:
> #chmod o+rx /tmp/passwd.db
> 
> 8.Connect the guest from client:
> #remote-viewer vnc://10.66.70.106:5901 --debug --gtk-vnc-debug
> 
> 9.Input the wrong user and passwd
> 
I could only insert the password; the username field was blocked.
After the 1st password insertion I got the error, the dialog spawned again, I typed
the wrong password again and it crashed.

What do you think? Is this reproducer OK? About the crash, is it related to the bug?
I am installing debuginfos to provide more about the crash.
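
The reproducer relies on DIGEST-MD5 and a sasldb file under /tmp opened to other users (steps 2 and 7), and the comment above notes that the shipped config calls MD5 vulnerable. The following is an added example, not part of the bug report or of libvirt/gtk-vnc: a small shell audit for a Cyrus SASL config. The function names, the finding labels, and the inclusion of cram-md5 and anonymous in the flagged list are assumptions of the example.

```shell
#!/bin/sh
# Added example: audit a Cyrus SASL config (e.g. /etc/sasl2/qemu.conf).
# Prints one finding per line; returns 1 if anything was flagged.

# Print the last value of "key: value" in the config; comment lines never match.
sasl_get() {  # $1=file $2=key
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | tail -n 1
}

audit_sasl_conf() {  # $1=path to config
    conf=$1
    findings=0

    # digest-md5 is the mechanism this page discusses; cram-md5 and
    # anonymous are assumptions of this example, adjust to local policy.
    for mech in $(sasl_get "$conf" mech_list | tr 'A-Z,' 'a-z '); do
        case $mech in
            digest-md5|cram-md5|anonymous)
                echo "WEAK_MECH $mech"; findings=1 ;;
        esac
    done

    db=$(sasl_get "$conf" sasldb_path)
    if [ -n "$db" ]; then
        case $db in
            /tmp/*|/var/tmp/*)
                echo "DB_IN_TMP $db"; findings=1 ;;
        esac
        if [ -e "$db" ]; then
            # Characters 8-10 of the ls -l mode string are the "other" bits.
            other=$(ls -ld "$db" | cut -c8-10)
            case $other in
                ---) ;;
                *) echo "DB_WORLD_ACCESS $db ($other)"; findings=1 ;;
            esac
        fi
    fi
    return $findings
}

# Constructed sample mirroring steps 2 and 7 of the reproducer.
demo=$(mktemp -d)
printf 'mech_list: digest-md5\nsasldb_path: %s/passwd.db\n' "$demo" > "$demo/qemu.conf"
: > "$demo/passwd.db"; chmod 600 "$demo/passwd.db"; chmod o+rx "$demo/passwd.db"
audit_sasl_conf "$demo/qemu.conf" || true
rm -rf "$demo"
```

A config that lists only gssapi and a keytab, as in the comment above, produces no findings and a zero exit status.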

Comment 3 Martin Krajnak 2019-12-18 12:55:47 UTC
I cannot reproduce the crash anymore. I might be doing something wrong, can you please help with the reproducer?

Comment 4 Daniel Berrangé 2020-01-14 09:39:32 UTC
I've never reproduced this bug myself, so the only information I have is what's in the initial bug description here.

Comment 5 Tomas Pelka 2020-01-14 09:43:48 UTC
OK, verifying sanity only then.

Comment 6 Christophe Fergeau 2020-01-14 10:54:02 UTC
(In reply to Martin Krajnak from comment #2)

>  
> > 2.Set the DIGEST-MD5 mechanisms in /etc/sasl2/qemu.conf
> > mech_list: digest-md5
> > sasldb_path: /tmp/passwd.db
> 
> I have only /etc/sasl2/qemu-kvm.conf file, there is a message in the file 
> describing that MD5 is vulnerable and gssapi is used instead. So I set:

For testing, I'd stick with digest-md5, I've always assumed gssapi is much more complicated to setup :)

Comment 7 Martin Krajnak 2020-01-15 09:35:37 UTC
(In reply to Christophe Fergeau from comment #6)
> (In reply to Martin Krajnak from comment #2)
> 
> >  
> > > 2.Set the DIGEST-MD5 mechanisms in /etc/sasl2/qemu.conf
> > > mech_list: digest-md5
> > > sasldb_path: /tmp/passwd.db
> > 
> > I have only /etc/sasl2/qemu-kvm.conf file, there is a message in the file 
> > describing that MD5 is vulnerable and gssapi is used instead. So I set:
> 
> For testing, I'd stick with digest-md5, I've always assumed gssapi is much
> more complicated to setup :)

Thanks for the advice, I wasn't sure if it is okay to change steps in the setup :)

Comment 9 errata-xmlrpc 2020-04-28 15:59:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1690