Re: [libvirt] [PATCH] qemu: Let empty default VNC password work as documented
On Tue, Jun 28, 2016 at 10:01:19AM -0400, Cole Robinson wrote:
On 06/28/2016 09:28 AM, Daniel P. Berrange wrote:
> On Tue, Jun 28, 2016 at 02:45:15PM +0200, Jiri Denemark wrote:
>> Setting an empty vnc_password in qemu.conf is documented as a way to
>> disable VNC access, but QEMU does not seem to behave like that. Let's
>> enforce the behavior by setting password expiration to "now".
>
> Hmm, i wonder when they regressed that behaviour *again*. We've fixed
> that in QEMU at least twice in the past. I'd like to see us explore
> when this changed in QEMU and whehter we should fix it there instead.
>
I did some digging on this recently, see my findings here:
https://bugzilla.redhat.com/show_bug.cgi?id=1180092#c5
The issue is that there's two different monitor commands at play here, and the
set_password one we presently use has never had the semantics we advertise in
qemu.conf, so I'm guessing something like Jiri's patch will be needed regardless
Ok, so its broken since we stopped using 'change vnc password' HMP
command. So we'll want to deal with this as a libvirt CVE, and provide
patches on historical stable branches too.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|