diff options
-rw-r--r-- | qemu-config.c | 3 | ||||
-rw-r--r-- | qemu-options.hx | 13 | ||||
-rw-r--r-- | ui/spice-core.c | 12 |
3 files changed, 28 insertions, 0 deletions
diff --git a/qemu-config.c b/qemu-config.c index 04c97e52c2..b00aa3ae89 100644 --- a/qemu-config.c +++ b/qemu-config.c @@ -388,6 +388,9 @@ QemuOptsList qemu_spice_opts = { .name = "disable-copy-paste", .type = QEMU_OPT_BOOL, },{ + .name = "sasl", + .type = QEMU_OPT_BOOL, + },{ .name = "x509-dir", .type = QEMU_OPT_STRING, },{ diff --git a/qemu-options.hx b/qemu-options.hx index 63e8cb0a1b..d9edff7d35 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -714,6 +714,19 @@ Force using the specified IP version. @item password=<secret> Set the password you need to authenticate. +@item sasl +Require that the client use SASL to authenticate with the spice. +The exact choice of authentication method used is controlled from the +system / user's SASL configuration file for the 'qemu' service. This +is typically found in /etc/sasl2/qemu.conf. If running QEMU as an +unprivileged user, an environment variable SASL_CONF_PATH can be used +to make it search alternate locations for the service config. +While some SASL auth methods can also provide data encryption (eg GSSAPI), +it is recommended that SASL always be combined with the 'tls' and +'x509' settings to enable use of SSL and server certificates. This +ensures a data encryption preventing compromise of authentication +credentials. + @item disable-ticketing Allow client connects without authentication. diff --git a/ui/spice-core.c b/ui/spice-core.c index a3351f39b5..457d34d8bd 100644 --- a/ui/spice-core.c +++ b/ui/spice-core.c @@ -549,6 +549,18 @@ void qemu_spice_init(void) if (password) { spice_server_set_ticket(spice_server, password, 0, 0, 0); } + if (qemu_opt_get_bool(opts, "sasl", 0)) { +#if SPICE_SERVER_VERSION >= 0x000900 /* 0.9.0 */ + if (spice_server_set_sasl_appname(spice_server, "qemu") == -1 || + spice_server_set_sasl(spice_server, 1) == -1) { + fprintf(stderr, "spice: failed to enable sasl\n"); + exit(1); + } +#else + fprintf(stderr, "spice: sasl is not available (spice >= 0.9 required)\n"); + exit(1); +#endif + } if (qemu_opt_get_bool(opts, "disable-ticketing", 0)) { auth = "none"; spice_server_set_noauth(spice_server); |