Bug 1021575 - Missing SASL support for SPICE
Missing SASL support for SPICE
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: qemu-kvm (Show other bugs)
6.5
Unspecified Unspecified
medium Severity medium
: rc
: ---
Assigned To: Gerd Hoffmann
Virtualization Bugs
:
Depends On:
Blocks: 1092950 1092957
  Show dependency treegraph
 
Reported: 2013-10-21 10:38 EDT by Christophe Fergeau
Modified: 2014-10-14 02:53 EDT (History)
12 users (show)

See Also:
Fixed In Version: qemu-kvm-0.12.1.2-2.425.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1092950 1092957 (view as bug list)
Environment:
Last Closed: 2014-10-14 02:53:27 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Christophe Fergeau 2013-10-21 10:38:11 EDT
In rhel6, spice-server is built with sasl support, qemu is built with vnc+sasl support, but http://git.qemu.org/?p=qemu.git;a=commit;h=48b3ed0a68b8c1b288b4e15743ea39b7b5b318c3 was never backported to rhel6 qemu, which makes spice sasl support not usable (qemu does not recognize the -spice sasl command line option in order to tell spice-server to enable sasl support).
Comment 6 Gerd Hoffmann 2014-04-10 06:13:43 EDT
patches posted.
Comment 9 mazhang 2014-04-24 02:06:38 EDT
After change the permissions of /etc/qemu/passwd.db and /etc/sasl2/qemu-kvm.conf, I can connect guest with SASL by using PLAIN authentication.

But found the auth was "none" in hmp, seems vnc not.

(qemu) info spice
Server:
     migrated: false
     address: 0.0.0.0:5900
        auth: none
Channels: none

{"execute":"query-spice"}
{"return": {"migrated": false, "enabled": true, "auth": "none", "port": 5900, "host": "0.0.0.0", "channels": []}}

(qemu) info vnc
Server:
     address: 0.0.0.0:5900
        auth: sasl
Client: none
Comment 10 Gerd Hoffmann 2014-04-24 02:42:54 EDT
> But found the auth was "none" in hmp, seems vnc not.
> 
> (qemu) info spice
> Server:
>      migrated: false
>      address: 0.0.0.0:5900
>         auth: none
> Channels: none

That is a bug in info spice, sasl is actually active.

Question: Is it a valid use case to have both sasl and spice (ticket) auth active?
Comment 11 Christophe Fergeau 2014-04-24 04:47:09 EDT
Ticket will be ignored when SASL is active.
Comment 12 Gerd Hoffmann 2014-04-24 07:06:29 EDT
Ok, so the 'disable-ticketing' on the command line is not needed and has no effect, correct?

And we have these three auth methods:

  if (sasl == on) {
      use sasl
  } else if (disable-ticketing) {
      no auth
  } else {
      classic spice ticket auth
  }

correct?
Comment 13 Christophe Fergeau 2014-04-24 07:40:30 EDT
(In reply to Gerd Hoffmann from comment #12)
> Ok, so the 'disable-ticketing' on the command line is not needed and has no
> effect, correct?
> 
> And we have these three auth methods:
> 
>   if (sasl == on) {
>       use sasl
>   } else if (disable-ticketing) {
>       no auth
>   } else {
>       classic spice ticket auth
>   }
> 
> correct?


disable-ticketing is handled the same as classic spice ticket auth iirc, except that the password is empty.
Comment 14 Gerd Hoffmann 2014-04-24 10:42:17 EDT
/me is confused.

So we have these four cases:

(1) -spice $args,password=$secret
    => classic spice ticket auth, with the password being passed
       to spice server using spice_server_set_ticket().

(2) -spice $args,disable-ticketing
    => no auth required to connect

(3) -spice $args,sasl=on,password=$secret
    => authentication via sasl I guess?  Has the password set via 
       spice_server_set_ticket() any effect?  Probably not as sasl
       handles auth?  Should qemu throw an error in case someone
       tries to set a password (via cmd line or monitor) with sasl
       being active?

(4) -spice $args sasl=on,disable-ticketing
    [ In that case qemu calls spice_server_set_sasl(1) first,
      then spice_server_set_noauth() ]
    What is the expected behavior?  Same as (3)?  Or something else?

Please clarify.
Comment 15 Christophe Fergeau 2014-04-24 10:58:54 EDT
An error could be thrown in 3) in order to make it clear to the user that their password is going to be ignored. 'disable-ticketing' is only taken into account when sasl is not used (in which case we fallback to ticketing), so 4) is about the same as 3).
Comment 16 Miroslav Rezanina 2014-04-29 02:02:23 EDT
Fix included in qemu-kvm-0.12.1.2-2.425.el6
Comment 18 mazhang 2014-06-30 23:19:09 EDT
Test this bug qemu-kvm-0.12.1.2-2.428.el6.x86_64, sasl works well both withe plain auth and ssl.

Host:
qemu-kvm-0.12.1.2-2.428.el6.x86_64

Client:
virt-viewer-0.6.0-9.el6.x86_64

Plain authentication.
1. Set root's sasl password.
# saslpasswd2 -f /etc/qemu/passwd.db root
Password:                           <--- enter password "12345678"
Again (for verification):

# sasldblistusers2 /etc/qemu/passwd.db 
mazhang@dell-per720-02.qe.lab.eng.nay.redhat.com: userPassword
redhat@dell-per720-02.qe.lab.eng.nay.redhat.com: userPassword
rh@dell-per720-02.qe.lab.eng.nay.redhat.com: userPassword
root@dell-per720-02.qe.lab.eng.nay.redhat.com: userPassword

2. Change the permission of /etc/qemu/passwd.db.

3. Boot vm with sasl enabled and ticket disabled.
...
-vga qxl \
-spice port=5900,sasl,disable-ticketing \

4. Connect to guest.
remote-viewer spice://dell-per720-02.qe.lab.eng.nay.redhat.com:5900

5. Enter password login guest.

With SSL certification.
1. Generate certificate file on host.

2. Copy certificate file to client.

3. Boot vm with encrypted channels.
-spice port=5900,sasl=on,tls-port=5910,x509-dir=/home/x509,disable-ticketing

4. Connect to guest.
remote-viewer spice://dell-per720-02.qe.lab.eng.nay.redhat.com?tls-port=5910 --spice-ca-file=/etc/pki/CA/ca-cert.pem

5. Enter password login guest.


But found two problems in my test.
1. Output auth is wrong by "info spice", see comment#9.
2. Boot with "-spice port=5900,disable-ticketing,sasl", and connect to guest.
   Connection will break when "set_password" in hmp monitor.

Gerd, may I file two bugs against above problems?

Thanks,
Mazhang.
Comment 19 Gerd Hoffmann 2014-07-01 05:17:04 EDT
> But found two problems in my test.
> 1. Output auth is wrong by "info spice", see comment#9.

IIRC there is a bug for that already.

> 2. Boot with "-spice port=5900,disable-ticketing,sasl", and connect to guest.
>    Connection will break when "set_password" in hmp monitor.

Yes, new bug please.  set_password should throw an error in case sasl is enabled.
Comment 20 mazhang 2014-07-01 22:32:43 EDT
(In reply to Gerd Hoffmann from comment #19)
> > But found two problems in my test.
> > 1. Output auth is wrong by "info spice", see comment#9.
> 
> IIRC there is a bug for that already.
> 
Didn't found the bug, could you help paste it here, in case qe miss it.

> > 2. Boot with "-spice port=5900,disable-ticketing,sasl", and connect to guest.
> >    Connection will break when "set_password" in hmp monitor.
> 
> Yes, new bug please.  set_password should throw an error in case sasl is
> enabled.

Has been filed a bug 1115237 against this problem.

Thanks,
Mazhang.
Comment 21 Gerd Hoffmann 2014-07-02 02:35:47 EDT
> > > 1. Output auth is wrong by "info spice", see comment#9.
> > 
> > IIRC there is a bug for that already.
> > 
> Didn't found the bug, could you help paste it here, in case qe miss it.

Can't find it either.  Hmm.  Guess we need a new one then.
Comment 22 mazhang 2014-07-02 02:56:31 EDT
(In reply to Gerd Hoffmann from comment #21)
> > > > 1. Output auth is wrong by "info spice", see comment#9.
> > > 
> > > IIRC there is a bug for that already.
> > > 
> > Didn't found the bug, could you help paste it here, in case qe miss it.
> 
> Can't find it either.  Hmm.  Guess we need a new one then.

1. Filed a new bug 1115291 against this problem.

2. According to comment#18 comment#19 and comment#20 set this bug verified.
Comment 23 errata-xmlrpc 2014-10-14 02:53:27 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1490.html

Note You need to log in before you can comment on or make changes to this bug.