xen-devel

RE: [Xen-devel] Individual passwords for guest VNC servers ?

To: "Daniel P. Berrange" <berrange@xxxxxxxxxx>, "Masami Watanabe" <masami.watanabe@xxxxxxxxxxxxxx>
Subject: RE: [Xen-devel] Individual passwords for guest VNC servers ?
From: "Ian Pratt" <m+Ian.Pratt@xxxxxxxxxxxx>
Date: Fri, 22 Sep 2006 14:54:24 +0100
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
> Passing around passwords either on the command line or in the environment is a
> big red flag from a security POV. Also the Xen guest & xend config files
> all default to world-readable. I think we should follow the Apache model
> and store the passwords out-of-band from the main config, e.g.
> 
>    (vncpasswordfile '/etc/xen/vncpassword')
> 
> At this point it would make sense to have one password file for all guests,
> and store them in the format:  'vm-name:  pw-hash'

The new life cycle management stuff in post-3.0.3 xend changes this
quite a bit, as a config file is only used when initially creating a VM,
and then information about it gets stored in xend's database. The
current password associated with a VM would be one of the parameters
stored in the database, and should be updated using 'xm vnc-password' or
such like.

> As Ian just suggested, we could have a command 'xm password' for updating
> these passwords (cf. Apache's htpasswd command).
> 
> Now when launching qemu-dm, we can either pass the path to the password
> file on its command line, e.g. -passwordfile /etc/xen/password, or
> pass the actual password to qemu-dm down a pipe (e.g. qemu-dm would read
> the password from filehandle 3 upon startup). The latter would be my
> preference, since then we could isolate the password handling stuff in
> Xend, and not duplicate it in qemu-dm and the paravirt equivalent.

I wouldn't rely on qemu-dm staying in dom0. I think the information
should be passed transiently via xenstore.

Thanks,
Ian 

> 
> Regards,
> Dan.
> --
> |=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
> |=-           Perl modules: http://search.cpan.org/~danberr/              -=|
> |=-               Projects: http://freshmeat.net/~danielpb/               -=|
> |=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=|

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
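The following is an added example illustrating the two points argued in the thread above; it is not code from xend, qemu-dm or the Xen project. It keeps the per-guest VNC secret in a separate file in the 'vm-name: value' layout Dan proposed, refuses to load that file unless it is private (the fix for world-readable /etc/xen), and hands the secret to the device model on an inherited pipe descriptor rather than on the command line or in the environment, where /proc/<pid>/cmdline makes it readable by every local user. The file path comes from the thread; the child program (a stand-in for qemu-dm), the sample file contents, and the detail that the descriptor number is passed as a non-secret argument instead of being fixed at 3 are this example's own assumptions. One caveat for whoever implements this: the standard VNC Authentication in the RFB protocol uses the password itself as a DES key to answer a challenge, so whatever reaches the device model must be the password, not a one-way hash of it.

```python
"""Added example (not xend/qemu-dm code): private password file plus
secret hand-off on an inherited descriptor instead of argv or environment."""
import hashlib
import os
import stat
import subprocess
import sys

PASSWORD_FILE = "/etc/xen/vncpassword"   # path proposed in the thread

# Constructed sample in the proposed 'vm-name: value' layout (assumption).
SAMPLE_PASSWORD_FILE = """\
# vm-name: value   (one guest per line)
vm1:   s3cret-one
vm2:   s3cret-two
"""


def parse_password_file(text):
    """Parse 'vm-name: value' lines into a dict; blank and '#' lines skipped."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if not sep or not name or not value:
            raise ValueError("line %d: expected 'vm-name: value'" % lineno)
        if name in entries:
            raise ValueError("line %d: duplicate entry for %r" % (lineno, name))
        entries[name] = value
    return entries


def mode_is_private(mode):
    """True when neither group nor others have any access bits set."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_password_file(path=PASSWORD_FILE):
    """Refuse a password file that is group- or world-accessible."""
    st = os.stat(path)
    if not mode_is_private(st.st_mode):
        raise PermissionError("%s is %s; chmod 600 it"
                              % (path, stat.filemode(st.st_mode)))
    with open(path) as f:
        return parse_password_file(f.read())


# Stand-in for the device model (assumption): read the secret to EOF from the
# descriptor named in argv[1], print its SHA-256 so the parent can check it.
CHILD_PROGRAM = r"""
import hashlib, os, sys
fd = int(sys.argv[1])
buf = b""
while True:
    chunk = os.read(fd, 4096)
    if not chunk:
        break
    buf += chunk
os.close(fd)
print(hashlib.sha256(buf).hexdigest())
"""


def expected_digest(secret):
    """What the child should echo back if the secret arrived intact."""
    return hashlib.sha256(secret.encode()).hexdigest()


def spawn_with_secret(secret):
    """Run the child with `secret` on an inherited pipe; return what it echoed.

    Only the descriptor number (not secret) appears in argv; the environment
    is untouched, so ps and /proc/<pid>/cmdline never show the password.
    """
    rfd, wfd = os.pipe()
    try:
        os.write(wfd, secret.encode())   # small secret, fits the pipe buffer
    finally:
        os.close(wfd)                    # child reads to EOF
    try:
        proc = subprocess.run(
            [sys.executable, "-c", CHILD_PROGRAM, str(rfd)],
            pass_fds=(rfd,),             # the one parent fd the child inherits
            capture_output=True, text=True, check=True,
        )
    finally:
        os.close(rfd)
    return proc.stdout.strip()


def argv_secret_is_visible(secret):
    """The rejected alternative: a secret on the command line shows up in
    /proc/<pid>/cmdline, which any local user can read.  None off Linux."""
    if not os.path.exists("/proc/self/cmdline"):
        return None
    proc = subprocess.run(
        [sys.executable, "-c",
         "print(open('/proc/self/cmdline', 'rb').read())", secret],
        capture_output=True, text=True, check=True,
    )
    return secret in proc.stdout


if __name__ == "__main__":
    for vm, value in parse_password_file(SAMPLE_PASSWORD_FILE).items():
        print(vm, "delivered intact:", spawn_with_secret(value) == expected_digest(value))
    print("argv exposes secret:", argv_secret_is_visible("demo-secret"))
```

Running it shows each sample guest's secret reaching the child intact over the pipe, and (on Linux) the same secret being visible in the child's own cmdline when passed as an argument. Ian's closing point still applies: if the device model does not stay in dom0, a dom0-side pipe cannot reach it, and something like a transient xenstore entry is needed instead.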