aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel P. Berrangé <berrange@redhat.com>2021-03-11 11:43:41 +0000
committerGerd Hoffmann <kraxel@redhat.com>2021-03-15 17:36:20 +0100
commit6c6840e9281cf2fd3b29d77f45b18949d4a83944 (patch)
tree259d5ad2e62eb3d79d263772af126dd9ba299f52
parent6157b0e19721aadb4c7fdcfe57b2924af6144b14 (diff)
ui: introduce "password-secret" option for VNC servers
Currently when using VNC the "password" flag turns on password based authentication. The actual password has to be provided separately via the monitor. This introduces a "password-secret" option which lets the password be provided up front. $QEMU --object secret,id=vncsec0,file=passwd.txt \ --vnc localhost:0,password-secret=vncsec0 Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Message-Id: <20210311114343.439820-2-berrange@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-rw-r--r--qemu-options.hx5
-rw-r--r--ui/vnc.c23
2 files changed, 27 insertions, 1 deletions
diff --git a/qemu-options.hx b/qemu-options.hx
index 622d3bfa5a..357fc4596e 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -2165,6 +2165,11 @@ SRST
time to allow <protocol> password to expire immediately or never
expire.
+ ``password-secret=<secret-id>``
+ Require that password based authentication is used for client
+ connections, using the password provided by the ``secret``
+ object identified by ``secret-id``.
+
``tls-creds=ID``
Provides the ID of a set of TLS credentials to use to secure the
VNC server. They will apply to both the normal VNC server socket
diff --git a/ui/vnc.c b/ui/vnc.c
index 310abc9378..e8e3426a65 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -48,6 +48,7 @@
#include "crypto/tlscredsanon.h"
#include "crypto/tlscredsx509.h"
#include "crypto/random.h"
+#include "crypto/secret_common.h"
#include "qom/object_interfaces.h"
#include "qemu/cutils.h"
#include "qemu/help_option.h"
@@ -3460,6 +3461,9 @@ static QemuOptsList qemu_vnc_opts = {
.name = "password",
.type = QEMU_OPT_BOOL,
},{
+ .name = "password-secret",
+ .type = QEMU_OPT_STRING,
+ },{
.name = "reverse",
.type = QEMU_OPT_BOOL,
},{
@@ -3931,6 +3935,7 @@ void vnc_display_open(const char *id, Error **errp)
int lock_key_sync = 1;
int key_delay_ms;
const char *audiodev;
+ const char *passwordSecret;
if (!vd) {
error_setg(errp, "VNC display not active");
@@ -3948,7 +3953,23 @@ void vnc_display_open(const char *id, Error **errp)
goto fail;
}
- password = qemu_opt_get_bool(opts, "password", false);
+
+ passwordSecret = qemu_opt_get(opts, "password-secret");
+ if (passwordSecret) {
+ if (qemu_opt_get(opts, "password")) {
+ error_setg(errp,
+ "'password' flag is redundant with 'password-secret'");
+ goto fail;
+ }
+ vd->password = qcrypto_secret_lookup_as_utf8(passwordSecret,
+ errp);
+ if (!vd->password) {
+ goto fail;
+ }
+ password = true;
+ } else {
+ password = qemu_opt_get_bool(opts, "password", false);
+ }
if (password) {
if (fips_get_state()) {
error_setg(errp,