
On Tue, Jun 28, 2016 at 10:01:19AM -0400, Cole Robinson wrote:
> On 06/28/2016 09:28 AM, Daniel P. Berrange wrote:
> > On Tue, Jun 28, 2016 at 02:45:15PM +0200, Jiri Denemark wrote:
> > > Setting an empty vnc_password in qemu.conf is documented as a way to disable VNC access, but QEMU does not seem to behave like that. Let's enforce the behavior by setting password expiration to "now".
> >
> > Hmm, I wonder when they regressed that behaviour *again*. We've fixed that in QEMU at least twice in the past. I'd like to see us explore when this changed in QEMU and whether we should fix it there instead.
>
> I did some digging on this recently, see my findings here: https://bugzilla.redhat.com/show_bug.cgi?id=1180092#c5
>
> The issue is that there are two different monitor commands at play here, and the set_password one we presently use has never had the semantics we advertise in qemu.conf, so I'm guessing something like Jiri's patch will be needed regardless.

Ok, so it's broken since we stopped using 'change vnc password' HMP command. So we'll want to deal with this as a libvirt CVE, and provide patches on historical stable branches too.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|