aboutsummaryrefslogtreecommitdiff
path: root/ui
diff options
context:
space:
mode:
authorMarc-André Lureau <marcandre.lureau@gmail.com>2011-05-17 10:40:33 +0200
committerGerd Hoffmann <kraxel@redhat.com>2011-06-06 09:14:42 +0200
commit48b3ed0a68b8c1b288b4e15743ea39b7b5b318c3 (patch)
treec2c6af0eee5548bbd8e6c2fcb5fe3ea8038cef7e /ui
parent42138043f29b350219a45895017cf677237b6a97 (diff)
spice: add SASL support
Turn on SASL support by appending "sasl" to the spice arguments, which requires that the client use SASL to authenticate with the spice. The exact choice of authentication method used is controlled from the system / user's SASL configuration file for the 'qemu' service. This is typically found in /etc/sasl2/qemu.conf. If running QEMU as an unprivileged user, an environment variable SASL_CONF_PATH can be used to make it search alternate locations for the service config. While some SASL auth methods can also provide data encryption (eg GSSAPI), it is recommended that SASL always be combined with the 'tls' and 'x509' settings to enable use of SSL and server certificates. This ensures a data encryption preventing compromise of authentication credentials. It requires support from spice 0.8.1. [ kraxel: moved spell fix to separate commit ] Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Diffstat (limited to 'ui')
-rw-r--r--ui/spice-core.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/ui/spice-core.c b/ui/spice-core.c
index a3351f39b5..457d34d8bd 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
@@ -549,6 +549,18 @@ void qemu_spice_init(void)
if (password) {
spice_server_set_ticket(spice_server, password, 0, 0, 0);
}
+ if (qemu_opt_get_bool(opts, "sasl", 0)) {
+#if SPICE_SERVER_VERSION >= 0x000900 /* 0.9.0 */
+ if (spice_server_set_sasl_appname(spice_server, "qemu") == -1 ||
+ spice_server_set_sasl(spice_server, 1) == -1) {
+ fprintf(stderr, "spice: failed to enable sasl\n");
+ exit(1);
+ }
+#else
+ fprintf(stderr, "spice: sasl is not available (spice >= 0.9 required)\n");
+ exit(1);
+#endif
+ }
if (qemu_opt_get_bool(opts, "disable-ticketing", 0)) {
auth = "none";
spice_server_set_noauth(spice_server);