1021575 – Missing SASL support for SPICE

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1021575 - Missing SASL support for SPICE

Summary: Missing SASL support for SPICE

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	qemu-kvm
Sub Component:
Version:	6.5
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Gerd Hoffmann
QA Contact:	Virtualization Bugs
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1092950 1092957
TreeView+	depends on / blocked

Reported:	2013-10-21 14:38 UTC by Christophe Fergeau
Modified:	2014-10-14 06:53 UTC (History)
CC List:	12 users (show)
Fixed In Version:	qemu-kvm-0.12.1.2-2.425.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	1092950 1092957 (view as bug list)
Environment:
Last Closed:	2014-10-14 06:53:27 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2014:1490	0	normal	SHIPPED_LIVE	qemu-kvm bug fix and enhancement update	2014-10-14 01:28:27 UTC

Description Christophe Fergeau 2013-10-21 14:38:11 UTC

In rhel6, spice-server is built with sasl support, qemu is built with vnc+sasl support, but http://git.qemu.org/?p=qemu.git;a=commit;h=48b3ed0a68b8c1b288b4e15743ea39b7b5b318c3 was never backported to rhel6 qemu, which makes spice sasl support not usable (qemu does not recognize the -spice sasl command line option in order to tell spice-server to enable sasl support).

Comment 6 Gerd Hoffmann 2014-04-10 10:13:43 UTC

patches posted.

Comment 9 mazhang 2014-04-24 06:06:38 UTC

After change the permissions of /etc/qemu/passwd.db and /etc/sasl2/qemu-kvm.conf, I can connect guest with SASL by using PLAIN authentication.

But found the auth was "none" in hmp, seems vnc not.

(qemu) info spice
Server:
     migrated: false
     address: 0.0.0.0:5900
        auth: none
Channels: none

{"execute":"query-spice"}
{"return": {"migrated": false, "enabled": true, "auth": "none", "port": 5900, "host": "0.0.0.0", "channels": []}}

(qemu) info vnc
Server:
     address: 0.0.0.0:5900
        auth: sasl
Client: none

Comment 10 Gerd Hoffmann 2014-04-24 06:42:54 UTC

> But found the auth was "none" in hmp, seems vnc not.
> 
> (qemu) info spice
> Server:
>      migrated: false
>      address: 0.0.0.0:5900
>         auth: none
> Channels: none

That is a bug in info spice, sasl is actually active.

Question: Is it a valid use case to have both sasl and spice (ticket) auth active?

Comment 11 Christophe Fergeau 2014-04-24 08:47:09 UTC

Ticket will be ignored when SASL is active.

Comment 12 Gerd Hoffmann 2014-04-24 11:06:29 UTC

Ok, so the 'disable-ticketing' on the command line is not needed and has no effect, correct?

And we have these three auth methods:

  if (sasl == on) {
      use sasl
  } else if (disable-ticketing) {
      no auth
  } else {
      classic spice ticket auth
  }

correct?

Comment 13 Christophe Fergeau 2014-04-24 11:40:30 UTC

(In reply to Gerd Hoffmann from comment #12)
> Ok, so the 'disable-ticketing' on the command line is not needed and has no
> effect, correct?
> 
> And we have these three auth methods:
> 
>   if (sasl == on) {
>       use sasl
>   } else if (disable-ticketing) {
>       no auth
>   } else {
>       classic spice ticket auth
>   }
> 
> correct?


disable-ticketing is handled the same as classic spice ticket auth iirc, except that the password is empty.

Comment 14 Gerd Hoffmann 2014-04-24 14:42:17 UTC

/me is confused.

So we have these four cases:

(1) -spice $args,password=$secret
    => classic spice ticket auth, with the password being passed
       to spice server using spice_server_set_ticket().

(2) -spice $args,disable-ticketing
    => no auth required to connect

(3) -spice $args,sasl=on,password=$secret
    => authentication via sasl I guess?  Has the password set via 
       spice_server_set_ticket() any effect?  Probably not as sasl
       handles auth?  Should qemu throw an error in case someone
       tries to set a password (via cmd line or monitor) with sasl
       being active?

(4) -spice $args sasl=on,disable-ticketing
    [ In that case qemu calls spice_server_set_sasl(1) first,
      then spice_server_set_noauth() ]
    What is the expected behavior?  Same as (3)?  Or something else?

Please clarify.

Comment 15 Christophe Fergeau 2014-04-24 14:58:54 UTC

An error could be thrown in 3) in order to make it clear to the user that their password is going to be ignored. 'disable-ticketing' is only taken into account when sasl is not used (in which case we fallback to ticketing), so 4) is about the same as 3).

Comment 16 Miroslav Rezanina 2014-04-29 06:02:23 UTC

Fix included in qemu-kvm-0.12.1.2-2.425.el6

Comment 18 mazhang 2014-07-01 03:19:09 UTC

Test this bug qemu-kvm-0.12.1.2-2.428.el6.x86_64, sasl works well both withe plain auth and ssl.

Host:
qemu-kvm-0.12.1.2-2.428.el6.x86_64

Client:
virt-viewer-0.6.0-9.el6.x86_64

Plain authentication.
1. Set root's sasl password.
# saslpasswd2 -f /etc/qemu/passwd.db root
Password:                           <--- enter password "12345678"
Again (for verification):

# sasldblistusers2 /etc/qemu/passwd.db 
mazhang.lab.eng.nay.redhat.com: userPassword
redhat.lab.eng.nay.redhat.com: userPassword
rh.lab.eng.nay.redhat.com: userPassword
root.lab.eng.nay.redhat.com: userPassword

2. Change the permission of /etc/qemu/passwd.db.

3. Boot vm with sasl enabled and ticket disabled.
...
-vga qxl \
-spice port=5900,sasl,disable-ticketing \

4. Connect to guest.
remote-viewer spice://dell-per720-02.qe.lab.eng.nay.redhat.com:5900

5. Enter password login guest.

With SSL certification.
1. Generate certificate file on host.

2. Copy certificate file to client.

3. Boot vm with encrypted channels.
-spice port=5900,sasl=on,tls-port=5910,x509-dir=/home/x509,disable-ticketing

4. Connect to guest.
remote-viewer spice://dell-per720-02.qe.lab.eng.nay.redhat.com?tls-port=5910 --spice-ca-file=/etc/pki/CA/ca-cert.pem

5. Enter password login guest.


But found two problems in my test.
1. Output auth is wrong by "info spice", see comment#9.
2. Boot with "-spice port=5900,disable-ticketing,sasl", and connect to guest.
   Connection will break when "set_password" in hmp monitor.

Gerd, may I file two bugs against above problems?

Thanks,
Mazhang.

Comment 19 Gerd Hoffmann 2014-07-01 09:17:04 UTC

> But found two problems in my test.
> 1. Output auth is wrong by "info spice", see comment#9.

IIRC there is a bug for that already.

> 2. Boot with "-spice port=5900,disable-ticketing,sasl", and connect to guest.
>    Connection will break when "set_password" in hmp monitor.

Yes, new bug please.  set_password should throw an error in case sasl is enabled.

Comment 20 mazhang 2014-07-02 02:32:43 UTC

(In reply to Gerd Hoffmann from comment #19)
> > But found two problems in my test.
> > 1. Output auth is wrong by "info spice", see comment#9.
> 
> IIRC there is a bug for that already.
> 
Didn't found the bug, could you help paste it here, in case qe miss it.

> > 2. Boot with "-spice port=5900,disable-ticketing,sasl", and connect to guest.
> >    Connection will break when "set_password" in hmp monitor.
> 
> Yes, new bug please.  set_password should throw an error in case sasl is
> enabled.

Has been filed a bug 1115237 against this problem.

Thanks,
Mazhang.

Comment 21 Gerd Hoffmann 2014-07-02 06:35:47 UTC

> > > 1. Output auth is wrong by "info spice", see comment#9.
> > 
> > IIRC there is a bug for that already.
> > 
> Didn't found the bug, could you help paste it here, in case qe miss it.

Can't find it either.  Hmm.  Guess we need a new one then.

Comment 22 mazhang 2014-07-02 06:56:31 UTC

(In reply to Gerd Hoffmann from comment #21)
> > > > 1. Output auth is wrong by "info spice", see comment#9.
> > > 
> > > IIRC there is a bug for that already.
> > > 
> > Didn't found the bug, could you help paste it here, in case qe miss it.
> 
> Can't find it either.  Hmm.  Guess we need a new one then.

1. Filed a new bug 1115291 against this problem.

2. According to comment#18 comment#19 and comment#20 set this bug verified.

Comment 23 errata-xmlrpc 2014-10-14 06:53:27 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1490.html

Note You need to log in before you can comment on or make changes to this bug.