xen-devel

[Top] [All Lists]

Re: [Xen-devel] Individual passwords for guest VNC servers ?

from [Daniel P. Berrange]

[Permanent Link][Original]

To:	Ian Pratt <m+Ian.Pratt@xxxxxxxxxxxx>
Subject:	Re: [Xen-devel] Individual passwords for guest VNC servers ?
From:	"Daniel P. Berrange" <berrange@xxxxxxxxxx>
Date:	Fri, 22 Sep 2006 15:43:30 +0100
Cc:	xen-devel@xxxxxxxxxxxxxxxxxxx, Masami Watanabe <masami.watanabe@xxxxxxxxxxxxxx>
Delivery-date:	Fri, 22 Sep 2006 07:44:13 -0700
Envelope-to:	www-data@xxxxxxxxxxxxxxxxxx
In-reply-to:	<3AAA99889D105740BE010EB6D5A5A3B202A30D@xxxxxxxxxxxxxxxxxxxxxxxxxx>
List-help:	<mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id:	Xen developer discussion <xen-devel.lists.xensource.com>
List-post:	<mailto:xen-devel@lists.xensource.com>
List-subscribe:	<http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe:	<http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References:	<20060922131246.GD31773@xxxxxxxxxx> <3AAA99889D105740BE010EB6D5A5A3B202A30D@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Reply-to:	"Daniel P. Berrange" <berrange@xxxxxxxxxx>
Sender:	xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent:	Mutt/1.4.1i

On Fri, Sep 22, 2006 at 02:54:24PM +0100, Ian Pratt wrote:
> > Passing around passwords either on the command line, or environment is
> a
> > big red flag from a security POV. Also the Xen guest & xend config
> files
> > all default to world readable. I think we should follow the Apache
> model
> > and store the passwords out-of-band from the main config. eg
> > 
> >    (vncpasswordfile '/etc/xen/vncpassword')
> > 
> > At this point it would make sense to have one password file for all
> guests,
> > and store them in format:  'vm-name:  pw-hash'
> 
> The new life cycle management stuff in post 3.0.3 xend changes this
> quite a bit as a config file is only used when initially creating a VM,
> and then information about it gets stored in xend's database. The
> current password associated with a VM would be one of the parameters
> stored in the database, and should be updated using 'xm vnc-password' or
> shuch like. 

As long as XenD makes sure its DB is not world readable, this sounds
reasonable.

> > As Ian just suggested we could have command 'xm password'  for
> updating
> > these passwords (cf apache's  htpasswd command)
> > 
> > Now when launching qemu-dm, we can either pass the path to the
> password
> > file on its command line,   eg  -passwordfile /etc/xen/password, or
> > passs the actual password to qemu-dm down a pipe (eg qemu-dm would
> read
> > the password from filehandle 3 upon startup). The latter would be my
> > preference, since then we could isolate the password handling stuff in
> > Xend, and not duplicate it in qemu-dm, and the paravirt  equivalent.
> 
> I wouldn't rely on qemu-dm staying in dom0. I think the information
> should be passed transiently via xenstore.

Yeah, that's probably best solution particularly since qemu-dm is
already reading/writing to the xenstore it should be little work
to also fetch the password from there.


Dan,
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
RE: [Xen-devel] Individual passwords for guest VNC servers ?, Masami Watanabe RE: [Xen-devel] Individual passwords for guest VNC servers ?, Ian Pratt Re: [Xen-devel] Individual passwords for guest VNC servers ?, Daniel P. Berrange RE: [Xen-devel] Individual passwords for guest VNC servers ?, Ian Pratt Re: [Xen-devel] Individual passwords for guest VNC servers ?, Anthony Liguori Re: [Xen-devel] Individual passwords for guest VNC servers ?, Daniel P. Berrange <= RE: [Xen-devel] Individual passwords for guest VNC servers ?, Masami Watanabe Re: [Xen-devel] Individual passwords for guest VNC servers ?, Anthony Liguori Re: [Xen-devel] Individual passwords for guest VNC servers ?, Masami Watanabe RE: [Xen-devel] Individual passwords for guest VNC servers ?, Ian Pratt RE: [Xen-devel] Individual passwords for guest VNC servers ?, Masami Watanabe [Xen-devel] [PATCH][Take 2] VNC authentification, Masami Watanabe [Xen-devel] Re: [PATCH][Take 2] VNC authentification, Anthony Liguori [Xen-devel] Re: [PATCH][Take 2] VNC authentification, masami . watanabe [Xen-devel] Re: [PATCH][Take 2] VNC authentification, Daniel P. Berrange [Xen-devel] Re: [PATCH][Take 2] VNC authentification, Masami Watanabe

Previous by Date:	Re: [Xen-devel] Kernel error with todays -unstable., Matt Ayres
Next by Date:	Re: [Xen-devel] Xen talk to TPM, Stefan Berger
Previous by Thread:	Re: [Xen-devel] Individual passwords for guest VNC servers ?, Anthony Liguori
Next by Thread:	RE: [Xen-devel] Individual passwords for guest VNC servers ?, Masami Watanabe
Indexes:	[Date] [Thread] [Top] [All Lists]