[Kimchi-devel] [PATCH 0/6] Enable Kimchi authentication in console pages

Aline Manera alinefm at linux.vnet.ibm.com
Sun May 4 15:29:06 UTC 2014


On 05/04/2014 12:14 PM, Aline Manera wrote:
> On 05/04/2014 04:21 AM, Zhou Zheng Sheng wrote:
>> This is a nice idea. I tested the VNC part. A problem with the previous "[v3]
>> Enable encryption in vm VNC console connection" is that vnc_auto.html is
>> not protected by Kimchi authentication, and this patch fixes that
>> problem. The reason I did not implement authentication is that port
>> 64667, for the VNC websocket traffic itself, is not protected by Kimchi
>> authentication. Even with this patch series, one can just git clone the
>> official noVNC git repo, then open the following link in Opera (or
>> Chrome?).
>>
>>
>> file:///home/edward/src/noVNC/vnc_auto.html?port=64667&host=X.X.X.X&path=?token=NAME_OF_THE_VM&encrypt=1
>>
>> Then you get the guest VNC console without logging in to Kimchi. So this
>> patch does not improve anything compared to "[v3] Enable encryption in
>> vm VNC console connection", and it involves another redirection, which
>> makes the process a bit more complicated.
> I need to disagree with you.
> With this patch noVNC is protected from Kimchi's perspective (different
> from the previous patch), i.e., if the user wants to get the console, he
> does need to get it from the noVNC source code as you described above,
> but it will not be possible through Kimchi.
>
> Even with the password parameter you mentioned below, if the user has
> the full URL (including the password) he will be able to get the console
> from the noVNC source code without authentication.
>
> For the password parameter to work, we need to set a random password for
> each VNC connection with an expiration time (to reset it after the
> connection is established).
>
> So vm_connect() creates a random VNC password with an expiration time of
> 10s (just enough time to open the connection to noVNC).
>
> That way we ensure each connection has a single valid password, and if
> someone gets the full URL it won't be valid anymore.
>
> We need to verify how much work is needed to implement this "password
> with expiration time" approach.
> Any help is welcome!

Just found it:

http://libvirt.org/git/?p=libvirt.git;a=commitdiff_plain;h=7a696678e57917aa94e0557c35b1ed3d00068a77

>> I think instead of protecting vnc_auto.html, which is purely static
>> content and not useful to protect, we should protect the VNC payload
>> with a password. Kimchi should start the VM with a random VNC password;
>> when the user clicks the VNC link, it should link to
>>
>> https://server:64667/vnc_auto.html?password=XXX&port=XXX&token=XXX&encrypt=1&path=?
>>
>> Since the password is randomly generated and the traffic is encrypted
>> over HTTPS, it's actually secure.
>>
>> We can also improve the security by generating a new random password
>> every time the user opens a new VNC session.
>>
>> on 2014/05/02 08:49, Aline Manera wrote:
>>> From: Aline Manera <alinefm at br.ibm.com>
>>>
>>> As I commented on the mailing list ([v3] Enable encryption in vm VNC console connection),
>>> to enable Kimchi authentication in console pages those need to be provided by the
>>> Kimchi server instead of the websockify web server.
>>>
>>> I reverted the "Enable encryption in vm VNC console connection" commit, applied the
>>> "[PATCH v2] Enable encryption in vm console connection" patch sent by Mark and
>>> made the changes needed to redirect the user from the websockify web server to Kimchi.
>>> So the noVNC page continues to be rendered by Kimchi.
>>>
>>> With all that done, I was able to enable authentication for vnc_auto.html and
>>> spice.html
>>>
>>> Aline Manera (5):
>>>    Revert "Enable encryption in vm VNC console connection"
>>>    Make use of the mini Web server in the websockify
>>>    Enable Kimchi authentication in console pages
>>>    backend: Redirect 401 error to default page
>>>    UI: Redirect user to console page after logging
>>>
>>> Mark Wu (1):
>>>    Enable encryption in vm console connection
>>>
>>>   configure.ac                                |    9 +-
>>>   contrib/kimchi.spec.fedora.in               |   14 +-
>>>   contrib/kimchi.spec.suse.in                 |   14 +-
>>>   src/kimchi/config.py.in                     |   32 +-
>>>   src/kimchi/vnc.py                           |    2 +-
>>>   src/nginx.conf.in                           |   15 +
>>>   tests/test_config.py.in                     |   32 +-
>>>   ui/Makefile.am                              |    2 +-
>>>   ui/css/Makefile.am                          |    2 +-
>>>   ui/css/fonts/Makefile.am                    |    2 +
>>>   ui/css/fonts/novnc/Makefile.am              |   20 +
>>>   ui/css/fonts/novnc/Orbitron700.ttf          |  Bin 0 -> 38580 bytes
>>>   ui/css/fonts/novnc/Orbitron700.woff         |  Bin 0 -> 17472 bytes
>>>   ui/css/novnc/Makefile.am                    |   20 +
>>>   ui/css/novnc/base.css                       |  405 ++++++
>>>   ui/js/Makefile.am                           |    2 +-
>>>   ui/js/novnc/Makefile.am                     |   22 +
>>>   ui/js/novnc/base64.js                       |  115 ++
>>>   ui/js/novnc/des.js                          |  273 ++++
>>>   ui/js/novnc/display.js                      |  770 +++++++++++
>>>   ui/js/novnc/input.js                        | 1946 +++++++++++++++++++++++++++
>>>   ui/js/novnc/jsunzip.js                      |  676 ++++++++++
>>>   ui/js/novnc/main.js                         |  103 ++
>>>   ui/js/novnc/rfb.js                          | 1866 +++++++++++++++++++++++++
>>>   ui/js/novnc/util.js                         |  381 ++++++
>>>   ui/js/novnc/web-socket-js/Makefile.am       |   24 +
>>>   ui/js/novnc/web-socket-js/README.txt        |  109 ++
>>>   ui/js/novnc/web-socket-js/WebSocketMain.swf |  Bin 0 -> 177114 bytes
>>>   ui/js/novnc/web-socket-js/swfobject.js      |    4 +
>>>   ui/js/novnc/web-socket-js/web_socket.js     |  391 ++++++
>>>   ui/js/novnc/websock.js                      |  422 ++++++
>>>   ui/js/novnc/webutil.js                      |  216 +++
>>>   ui/js/src/kimchi.api.js                     |    7 +-
>>>   ui/js/src/kimchi.login_window.js            |   24 +-
>>>   ui/novnc/Makefile.am                        |   22 -
>>>   ui/novnc/css/Makefile.am                    |   20 -
>>>   ui/novnc/css/Orbitron700.ttf                |  Bin 38580 -> 0 bytes
>>>   ui/novnc/css/Orbitron700.woff               |  Bin 17472 -> 0 bytes
>>>   ui/novnc/css/base.css                       |  405 ------
>>>   ui/novnc/js/Makefile.am                     |   22 -
>>>   ui/novnc/js/base64.js                       |  115 --
>>>   ui/novnc/js/des.js                          |  273 ----
>>>   ui/novnc/js/display.js                      |  770 -----------
>>>   ui/novnc/js/input.js                        | 1946 ---------------------------
>>>   ui/novnc/js/jsunzip.js                      |  676 ----------
>>>   ui/novnc/js/main.js                         |  103 --
>>>   ui/novnc/js/rfb.js                          | 1866 -------------------------
>>>   ui/novnc/js/util.js                         |  381 ------
>>>   ui/novnc/js/web-socket-js/Makefile.am       |   24 -
>>>   ui/novnc/js/web-socket-js/README.txt        |  109 --
>>>   ui/novnc/js/web-socket-js/WebSocketMain.swf |  Bin 177114 -> 0 bytes
>>>   ui/novnc/js/web-socket-js/swfobject.js      |    4 -
>>>   ui/novnc/js/web-socket-js/web_socket.js     |  391 ------
>>>   ui/novnc/js/websock.js                      |  422 ------
>>>   ui/novnc/js/webutil.js                      |  216 ---
>>>   ui/novnc/vnc.html                           |   43 -
>>>   ui/pages/Makefile.am                        |    2 +-
>>>   ui/pages/novnc/Makefile.am                  |   20 +
>>>   ui/pages/novnc/vnc_auto.html                |   22 +
>>>   ui/pages/vnc_auto.html.tmpl                 |   44 +
>>>   60 files changed, 7955 insertions(+), 7861 deletions(-)
>>>   create mode 100644 ui/css/fonts/novnc/Makefile.am
>>>   create mode 100644 ui/css/fonts/novnc/Orbitron700.ttf
>>>   create mode 100644 ui/css/fonts/novnc/Orbitron700.woff
>>>   create mode 100644 ui/css/novnc/Makefile.am
>>>   create mode 100644 ui/css/novnc/base.css
>>>   create mode 100644 ui/js/novnc/Makefile.am
>>>   create mode 100644 ui/js/novnc/base64.js
>>>   create mode 100644 ui/js/novnc/des.js
>>>   create mode 100644 ui/js/novnc/display.js
>>>   create mode 100644 ui/js/novnc/input.js
>>>   create mode 100755 ui/js/novnc/jsunzip.js
>>>   create mode 100644 ui/js/novnc/main.js
>>>   create mode 100644 ui/js/novnc/rfb.js
>>>   create mode 100644 ui/js/novnc/util.js
>>>   create mode 100644 ui/js/novnc/web-socket-js/Makefile.am
>>>   create mode 100644 ui/js/novnc/web-socket-js/README.txt
>>>   create mode 100644 ui/js/novnc/web-socket-js/WebSocketMain.swf
>>>   create mode 100644 ui/js/novnc/web-socket-js/swfobject.js
>>>   create mode 100644 ui/js/novnc/web-socket-js/web_socket.js
>>>   create mode 100644 ui/js/novnc/websock.js
>>>   create mode 100644 ui/js/novnc/webutil.js
>>>   delete mode 100644 ui/novnc/Makefile.am
>>>   delete mode 100644 ui/novnc/css/Makefile.am
>>>   delete mode 100644 ui/novnc/css/Orbitron700.ttf
>>>   delete mode 100644 ui/novnc/css/Orbitron700.woff
>>>   delete mode 100644 ui/novnc/css/base.css
>>>   delete mode 100644 ui/novnc/js/Makefile.am
>>>   delete mode 100644 ui/novnc/js/base64.js
>>>   delete mode 100644 ui/novnc/js/des.js
>>>   delete mode 100644 ui/novnc/js/display.js
>>>   delete mode 100644 ui/novnc/js/input.js
>>>   delete mode 100755 ui/novnc/js/jsunzip.js
>>>   delete mode 100644 ui/novnc/js/main.js
>>>   delete mode 100644 ui/novnc/js/rfb.js
>>>   delete mode 100644 ui/novnc/js/util.js
>>>   delete mode 100644 ui/novnc/js/web-socket-js/Makefile.am
>>>   delete mode 100644 ui/novnc/js/web-socket-js/README.txt
>>>   delete mode 100644 ui/novnc/js/web-socket-js/WebSocketMain.swf
>>>   delete mode 100644 ui/novnc/js/web-socket-js/swfobject.js
>>>   delete mode 100644 ui/novnc/js/web-socket-js/web_socket.js
>>>   delete mode 100644 ui/novnc/js/websock.js
>>>   delete mode 100644 ui/novnc/js/webutil.js
>>>   delete mode 100644 ui/novnc/vnc.html
>>>   create mode 100644 ui/pages/novnc/Makefile.am
>>>   create mode 100644 ui/pages/novnc/vnc_auto.html
>>>   create mode 100644 ui/pages/vnc_auto.html.tmpl
>>>
> _______________________________________________
> Kimchi-devel mailing list
> Kimchi-devel at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/kimchi-devel
>
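The "random VNC password with a 10s expiration" idea discussed above, and the libvirt commit linked for it, can be exercised with the following added example. It is not Kimchi or libvirt project code; it only shows how such a one-time password could be minted and applied. Assumptions, labelled in the code as well: libvirt's <graphics> element accepts passwd and passwdValidTo attributes, with passwdValidTo as a UTC timestamp of the form YYYY-MM-DDThh:mm:ss, and a changed <graphics> element can be pushed to a running guest with updateDeviceFlags() and VIR_DOMAIN_DEVICE_MODIFY_LIVE; the 8-character length reflects classic VNC authentication using only the first 8 bytes of the password; the domain XML and the fixed clock are constructed sample input. The names issue_one_time_password(), one_time_graphics_xml(), apply_live() and parse_graphics() are hypothetical helpers, not Kimchi API.

```python
# Added example (not Kimchi or libvirt code): mint a random VNC password that
# expires shortly after it is issued, and apply it live via libvirt.
# Assumptions: passwdValidTo is a UTC "YYYY-MM-DDThh:mm:ss" timestamp, the
# <graphics> element can be updated live with VIR_DOMAIN_DEVICE_MODIFY_LIVE,
# and classic VNC auth uses only the first 8 bytes of the password.
import secrets
import string
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

PASSWORD_LEN = 8          # assumption: VNC auth truncates to 8 bytes anyway
DEFAULT_TTL_SECONDS = 10  # the window proposed in the thread
ALPHABET = string.ascii_letters + string.digits

# Constructed sample input: a minimal domain definition with one VNC display,
# and a fixed clock so the expiry in the demo is reproducible.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>demo</name>
  <devices>
    <graphics type='vnc' port='-1' autoport='yes' listen='127.0.0.1'/>
  </devices>
</domain>"""
FIXED_NOW = datetime(2014, 5, 4, 15, 29, 6, tzinfo=timezone.utc)


def generate_password(length=PASSWORD_LEN):
    """CSPRNG-backed password; random.choice() would be predictable here."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def valid_to(now=None, ttl_seconds=DEFAULT_TTL_SECONDS):
    """Expiry in the UTC form libvirt expects for passwdValidTo (assumed)."""
    now = now or datetime.now(timezone.utc)
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware to derive a UTC expiry")
    expiry = now.astimezone(timezone.utc) + timedelta(seconds=ttl_seconds)
    return expiry.strftime("%Y-%m-%dT%H:%M:%S")


def one_time_graphics_xml(domain_xml, passwd, expiry):
    """Return the VNC <graphics> element of domain_xml with a fresh
    passwd/passwdValidTo pair set, ready for updateDeviceFlags()."""
    root = ET.fromstring(domain_xml)
    graphics = root.find("./devices/graphics[@type='vnc']")
    if graphics is None:
        raise LookupError("domain has no VNC graphics device")
    graphics.set("passwd", passwd)
    graphics.set("passwdValidTo", expiry)
    return ET.tostring(graphics, encoding="unicode")


def issue_one_time_password(domain_xml, now=None, ttl_seconds=DEFAULT_TTL_SECONDS):
    """Mint a password and expiry; returns (password, expiry, graphics_xml)."""
    passwd = generate_password()
    expiry = valid_to(now, ttl_seconds)
    return passwd, expiry, one_time_graphics_xml(domain_xml, passwd, expiry)


def parse_graphics(graphics_xml):
    """Attributes of a serialized <graphics> element, for checking results."""
    element = ET.fromstring(graphics_xml)
    if element.tag != "graphics":
        raise ValueError("not a <graphics> element")
    return dict(element.attrib)


def apply_live(dom, graphics_xml):
    """Push the new password to a running guest. libvirt is imported lazily
    so the rest of this module runs without the binding installed."""
    import libvirt  # libvirt-python, the binding Kimchi itself uses
    return dom.updateDeviceFlags(graphics_xml, libvirt.VIR_DOMAIN_DEVICE_MODIFY_LIVE)


if __name__ == "__main__":
    # Stand-alone demo on the constructed XML. Against a real guest one would
    # feed dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE) in and call apply_live()
    # right before redirecting the authenticated user to the noVNC page.
    pw, exp, gxml = issue_one_time_password(SAMPLE_DOMAIN_XML, FIXED_NOW)
    print("password:", pw, "valid until:", exp)
    print(gxml)
```

Two caveats a deployment should keep in mind. The expiry only stops new authentications after the deadline; a session that connected within the window stays up, so the short TTL defends against replay of a leaked URL, not against a client that already got in. And the current password is part of the live domain XML, so anyone who can read it with the secure flag (virsh dumpxml --security-info) sees it; the TTL limits how long that exposure is useful.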



