wrong patch, just forget this mail. On Tue, May 3, 2011 at 8:41 PM, Marc-André Lureau <[email protected]> wrote: > Turn on SASL support by appending "sasl" to the spice arguments, which > requires that the client use SASL to authenticate with the spice. The > exact choice of authentication method used is controlled from the > system / user's SASL configuration file for the 'qemu' service. This > is typically found in /etc/sasl2/qemu.conf. If running QEMU as an > unprivileged user, an environment variable SASL_CONF_PATH can be used > to make it search alternate locations for the service config. While > some SASL auth methods can also provide data encryption (eg GSSAPI), > it is recommended that SASL always be combined with the 'tls' and > 'x509' settings to enable use of SSL and server certificates. This > ensures a data encryption preventing compromise of authentication > credentials. > > It requires support from spice 0.8.1. > --- > configure | 2 +- > qemu-config.c | 9 ++++++--- > qemu-options.hx | 13 +++++++++++++ > ui/spice-core.c | 4 ++++ > 4 files changed, 24 insertions(+), 4 deletions(-) > > diff --git a/configure b/configure > index fddf515..4583461 100755 > --- a/configure > +++ b/configure > @@ -2316,7 +2316,7 @@ int main(void) { spice_server_new(); return 0; } > EOF > spice_cflags=$($pkgconfig --cflags spice-protocol spice-server 2>/dev/null) > spice_libs=$($pkgconfig --libs spice-protocol spice-server 2>/dev/null) > - if $pkgconfig --atleast-version=0.5.3 spice-server >/dev/null 2>&1 && \ > + if $pkgconfig --atleast-version=0.8.1 spice-server >/dev/null 2>&1 && \ > compile_prog "$spice_cflags" "$spice_libs" ; then > spice="yes" > libs_softmmu="$libs_softmmu $spice_libs" > diff --git a/qemu-config.c b/qemu-config.c > index 6d9c238..bc9a42a 100644 > --- a/qemu-config.c > +++ b/qemu-config.c 
> @@ -311,7 +311,7 @@ static QemuOptsList qemu_trace_opts = { > .name = "file", > .type = QEMU_OPT_STRING, > }, > - { /* end if list */ } > + { /* end of list */ } > }, > }; > #endif > @@ -390,6 +390,9 @@ QemuOptsList qemu_spice_opts = { > .name = "disable-ticketing", > .type = QEMU_OPT_BOOL, > },{ > + .name = "sasl", > + .type = QEMU_OPT_BOOL, > + },{ > .name = "x509-dir", > .type = QEMU_OPT_STRING, > },{ > @@ -435,7 +438,7 @@ QemuOptsList qemu_spice_opts = { > .name = "playback-compression", > .type = QEMU_OPT_BOOL, > }, > - { /* end if list */ } > + { /* end of list */ } > }, > }; > > @@ -451,7 +454,7 @@ QemuOptsList qemu_option_rom_opts = { > .name = "romfile", > .type = QEMU_OPT_STRING, > }, > - { /* end if list */ } > + { /* end of list */ } > }, > }; > > diff --git a/qemu-options.hx b/qemu-options.hx > index d6f80d1..f37a0a8 100644 > --- a/qemu-options.hx > +++ b/qemu-options.hx > @@ -695,6 +695,19 @@ Force using the specified IP version. > @item password=<secret> > Set the password you need to authenticate. > > +@item sasl > +Require that the client use SASL to authenticate with the spice. > +The exact choice of authentication method used is controlled from the > +system / user's SASL configuration file for the 'qemu' service. This > +is typically found in /etc/sasl2/qemu.conf. If running QEMU as an > +unprivileged user, an environment variable SASL_CONF_PATH can be used > +to make it search alternate locations for the service config. > +While some SASL auth methods can also provide data encryption (eg GSSAPI), > +it is recommended that SASL always be combined with the 'tls' and > +'x509' settings to enable use of SSL and server certificates. This > +ensures a data encryption preventing compromise of authentication > +credentials. > + > @item disable-ticketing > Allow client connects without authentication. > > diff --git a/ui/spice-core.c b/ui/spice-core.c > index 1aa1a5e..b9c3aba 100644 > --- a/ui/spice-core.c > +++ b/ui/spice-core.c 
> @@ -549,6 +549,10 @@ void qemu_spice_init(void) > if (password) { > spice_server_set_ticket(spice_server, password, 0, 0, 0); > } > + if (qemu_opt_get_bool(opts, "sasl", 0)) { > + spice_server_set_sasl_appname(spice_server, "qemu"); > + spice_server_set_sasl(spice_server, 1); > + } > if (qemu_opt_get_bool(opts, "disable-ticketing", 0)) { > auth = "none"; > spice_server_set_noauth(spice_server); > -- > 1.7.4 > >
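Review bot: In the configure hunk, raising the `--atleast-version` check from 0.5.3 to 0.8.1 ties all spice support to a release that only the new sasl option needs, so a host with an older spice-server no longer gets spice="yes" at all. Consider keeping the 0.5.3 check for spice itself and adding a separate 0.8.1 probe that gates only the SASL code, or state in the commit message that raising the minimum version is intended.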
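Review bot: Two of the three `{ /* end if list */ }` to `{ /* end of list */ }` comment fixes in qemu-config.c are in qemu_trace_opts and qemu_option_rom_opts, which have nothing to do with SASL. Move the comment fixes to a separate cleanup patch so this one carries only the new "sasl" QEMU_OPT_BOOL entry in qemu_spice_opts.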
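Review bot: The new `@item sasl` text in qemu-options.hx has wording problems and leaves option interaction undocumented. "authenticate with the spice" is missing its noun (spice server), and "ensures a data encryption" would read better as "ensures the data is encrypted". The item sits between `password=<secret>` and `disable-ticketing`, so it should also say what happens when sasl is given together with either of them.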
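Review bot: In qemu_spice_init(), the return values of spice_server_set_sasl_appname() and spice_server_set_sasl() are discarded, so a failure to enable SASL would go unnoticed and the server would start without the authentication the user asked for. Check both calls and exit with an error if either fails. The new branch also leaves `auth` untouched, while the disable-ticketing branch directly below sets auth = "none" and calls spice_server_set_noauth(), so "sasl" combined with "disable-ticketing" is accepted without complaint. Set `auth` in the sasl branch and either reject that combination or define which option wins.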
-- Marc-André Lureau
