
On Mon, Dec 03, 2007 at 01:43:01PM +0100, Jim Meyering wrote:
"Daniel P. Berrange" <berrange@redhat.com> wrote:
On Thu, Nov 29, 2007 at 05:18:06PM +0000, Daniel P. Berrange wrote:
This patch provides the ability to configure what authentication mechanism is used on each socket - UNIX RW, UNIX RO, TCP, and TLS sockets - all can have independent settings. By default the UNIX & TLS sockets have no auth, and the TCP socket has SASL auth enabled. The /etc/libvirt/libvirtd.conf file lets you override these options.
There is also a new sasl_allowed_username_list = ["admin"] config param to let you whitelist the users you want to allow. This supports use of wildcards. The username is dependent on the SASL auth mechanism. For DIGEST-MD5 it will be plain usernames, for Kerberos it will be a username + realm, eg admin@EXAMPLE.COM
After discussion with Rich, I also remove the tls_allowed_ip_list for whitelisting source IP addresses. This was a) not protecting us because it was only checked after the TLS handshake - thus allowing trivial DOS attack b) much easier to handle via tcp wrappers, or IPtables. c) only ever checked for the TLS socket d) IP addresses are easily spoofed.
In summary, if you're using a real authentication mechanism, this is only useful for protecting against DOS attacks & that's better done by iptables.
Rebased to take account of Jim's changes, and incorporated fixes to the config file
This looks fine. Thanks for preserving my convention of "#var = ..." (no space after '#') in the config file. I have a test that depends on that -- will post it after you commit this change.
I find code/diffs easier to read when the lines themselves fit in 80 columns. There are lots of 100+-byte lines here. I know some are generated, but I'll be happy to normalize the others once this is checked in.
This is now committed.

Regards,
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
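Added example, not part of the thread and not libvirt's code: a sketch of how a wildcard username whitelist like sasl_allowed_username_list behaves when the identity format changes between DIGEST-MD5 (plain name) and Kerberos (name@REALM). It assumes POSIX fnmatch(3) glob semantics for the "wildcards" mentioned above; the helper names and the sample lists are hypothetical and constructed for illustration.

```c
#include <fnmatch.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample lists in the style of sasl_allowed_username_list. */
static const char *const digest_list[] = { "admin", NULL };
static const char *const krb_list[] = { "admin@EXAMPLE.COM", "*@OPS.EXAMPLE.COM", NULL };
static const char *const loose_list[] = { "admin*", NULL };

/* Hypothetical helper: 1 if user matches any glob in the NULL-terminated
 * list, else 0. An empty name or a missing list is rejected (a choice made
 * for this example, not a statement about the daemon's behaviour). */
int sasl_user_allowed(const char *user, const char *const *allow)
{
    if (user == NULL || *user == '\0' || allow == NULL)
        return 0;
    for (size_t i = 0; allow[i] != NULL; i++)
        if (fnmatch(allow[i], user, 0) == 0)
            return 1;
    return 0;
}

/* Hypothetical lint for Kerberos-style lists: 1 if the pattern has an
 * "@REALM" part that contains no wildcard characters, else 0. */
int pattern_pins_realm(const char *pattern)
{
    const char *at = pattern ? strrchr(pattern, '@') : NULL;
    if (at == NULL || at[1] == '\0')
        return 0;
    return strpbrk(at + 1, "*?[") == NULL;
}

int main(void)
{
    const char *users[] = { "admin", "admin@EXAMPLE.COM",
                            "bob@OPS.EXAMPLE.COM", "admin@OTHER.EXAMPLE.NET" };
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        printf("%-26s digest=%d krb=%d loose=%d\n", users[i],
               sasl_user_allowed(users[i], digest_list),
               sasl_user_allowed(users[i], krb_list),
               sasl_user_allowed(users[i], loose_list));
    for (size_t i = 0; krb_list[i] != NULL; i++)
        printf("%-26s pins realm: %d\n", krb_list[i], pattern_pins_realm(krb_list[i]));
    printf("%-26s pins realm: %d\n", loose_list[0], pattern_pins_realm(loose_list[0]));
    return 0;
}
```

A plain-name entry stops matching once the mechanism reports name@REALM, and a pattern without a fixed realm part accepts the same name from any realm, so the list has to be reviewed whenever the SASL mechanism changes.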