On 05/04/2014 10:41 AM, Sheldon wrote:
On 05/04/2014 03:21 PM, Zhou Zheng Sheng wrote:
> This is a nice idea. I tested the vnc part. A problem in previous "[v3]
> Enable encryption in vm VNC console connection" is that vnc_auto.html is
> not protected by kimchi authentication, and this patch fixes the
> problem. The reason why I did not implement authentication is that the
> port 64667 for the VNC websocket traffic itself is not protected by
> Kimchi authentication. Even with this patch series, one can just git
> clone the noVNC official git repo, then open the following link in Opera
> (or Chrome?).
>
>
>
file:///home/edward/src/noVNC/vnc_auto.html?port=64667&host=X.X.X.X&path=?token=NAME_OF_THE_VM&encrypt=1
>
> Then you get the guest VNC console without logging in to Kimchi. So this
> patch does not improve anything compared to "[v3] Enable encryption in
> vm VNC console connection", and it involves another redirection which
> makes the process a bit more complicated.
>
> I think instead of protecting vnc_auto.html, which is purely static
> content and not useful to protect, we should protect the VNC payload
> with password. Kimchi should start the VM with a random VNC password,
> when the user clicks the VNC link, it should links to
>
>
https://server:64667/vnc_auto.html?password=XXX&port=XXX&token=XX...
>
> Since the password is random generated, and the traffic encrypted on
> HTTPs, it's actually secure.
>
> We can also improve the security by generating a new random password
> every time the user opens a new VNC session.
a ticket for VNC or spice session?
Ticket is used to gain admission to access VNC or spice session.
An expire time for ticket, when expire, ticket is not validated.
Or one ticket is just for one time access.
Only the user with VM operation permission can get the ticket.
For UI, the VM connection action, first get the ticket and then connect
the VNC or Spice.
Yeap, Sheldon! I think it will work.
It's very similiar to what I send in response to Zhou Zheng's email.
Just need to find an easy way to implement this.
> on 2014/05/02 08:49, Aline Manera wrote:
>> From: Aline Manera <alinefm(a)br.ibm.com>
>>
>> As I commented in mailing list ([v3] Enable encryption in vm VNC console
connection)
>> to enable Kimchi authentication in console pages those need to be provided by
>> Kimchi server instead of websockify web server.
>>
>> I reverted the "Enable encryption in vm VNC console connection" commit,
applied
>> "[PATCH v2] Enable encryption in vm console connection" path send by
Mark and
>> make the changes needed to redirect user from websockify web server to Kimchi.
>> So noVNC page continues to be rendered by Kimchi.
>>
>> With all that done, I was able to enable authentication to vnc_auto.html and
>> spice.html
>>
>> Aline Manera (5):
>> Revert "Enable encryption in vm VNC console connection"
>> Make use of the mini Web server in the websockify
>> Enable Kimchi authentication in console pages
>> backend: Redirect 401 error to default page
>> UI: Redirect user to console page after logging
>>
>> Mark Wu (1):
>> Enable encryption in vm console connection
>>
>> configure.ac | 9 +-
>> contrib/kimchi.spec.fedora.in | 14 +-
>> contrib/kimchi.spec.suse.in | 14 +-
>> src/kimchi/config.py.in | 32 +-
>> src/kimchi/vnc.py | 2 +-
>> src/nginx.conf.in | 15 +
>> tests/test_config.py.in | 32 +-
>> ui/Makefile.am | 2 +-
>> ui/css/Makefile.am | 2 +-
>> ui/css/fonts/Makefile.am | 2 +
>> ui/css/fonts/novnc/Makefile.am | 20 +
>> ui/css/fonts/novnc/Orbitron700.ttf | Bin 0 -> 38580 bytes
>> ui/css/fonts/novnc/Orbitron700.woff | Bin 0 -> 17472 bytes
>> ui/css/novnc/Makefile.am | 20 +
>> ui/css/novnc/base.css | 405 ++++++
>> ui/js/Makefile.am | 2 +-
>> ui/js/novnc/Makefile.am | 22 +
>> ui/js/novnc/base64.js | 115 ++
>> ui/js/novnc/des.js | 273 ++++
>> ui/js/novnc/display.js | 770 +++++++++++
>> ui/js/novnc/input.js | 1946 +++++++++++++++++++++++++++
>> ui/js/novnc/jsunzip.js | 676 ++++++++++
>> ui/js/novnc/main.js | 103 ++
>> ui/js/novnc/rfb.js | 1866 +++++++++++++++++++++++++
>> ui/js/novnc/util.js | 381 ++++++
>> ui/js/novnc/web-socket-js/Makefile.am | 24 +
>> ui/js/novnc/web-socket-js/README.txt | 109 ++
>> ui/js/novnc/web-socket-js/WebSocketMain.swf | Bin 0 -> 177114 bytes
>> ui/js/novnc/web-socket-js/swfobject.js | 4 +
>> ui/js/novnc/web-socket-js/web_socket.js | 391 ++++++
>> ui/js/novnc/websock.js | 422 ++++++
>> ui/js/novnc/webutil.js | 216 +++
>> ui/js/src/kimchi.api.js | 7 +-
>> ui/js/src/kimchi.login_window.js | 24 +-
>> ui/novnc/Makefile.am | 22 -
>> ui/novnc/css/Makefile.am | 20 -
>> ui/novnc/css/Orbitron700.ttf | Bin 38580 -> 0 bytes
>> ui/novnc/css/Orbitron700.woff | Bin 17472 -> 0 bytes
>> ui/novnc/css/base.css | 405 ------
>> ui/novnc/js/Makefile.am | 22 -
>> ui/novnc/js/base64.js | 115 --
>> ui/novnc/js/des.js | 273 ----
>> ui/novnc/js/display.js | 770 -----------
>> ui/novnc/js/input.js | 1946 ---------------------------
>> ui/novnc/js/jsunzip.js | 676 ----------
>> ui/novnc/js/main.js | 103 --
>> ui/novnc/js/rfb.js | 1866 -------------------------
>> ui/novnc/js/util.js | 381 ------
>> ui/novnc/js/web-socket-js/Makefile.am | 24 -
>> ui/novnc/js/web-socket-js/README.txt | 109 --
>> ui/novnc/js/web-socket-js/WebSocketMain.swf | Bin 177114 -> 0 bytes
>> ui/novnc/js/web-socket-js/swfobject.js | 4 -
>> ui/novnc/js/web-socket-js/web_socket.js | 391 ------
>> ui/novnc/js/websock.js | 422 ------
>> ui/novnc/js/webutil.js | 216 ---
>> ui/novnc/vnc.html | 43 -
>> ui/pages/Makefile.am | 2 +-
>> ui/pages/novnc/Makefile.am | 20 +
>> ui/pages/novnc/vnc_auto.html | 22 +
>> ui/pages/vnc_auto.html.tmpl | 44 +
>> 60 files changed, 7955 insertions(+), 7861 deletions(-)
>> create mode 100644 ui/css/fonts/novnc/Makefile.am
>> create mode 100644 ui/css/fonts/novnc/Orbitron700.ttf
>> create mode 100644 ui/css/fonts/novnc/Orbitron700.woff
>> create mode 100644 ui/css/novnc/Makefile.am
>> create mode 100644 ui/css/novnc/base.css
>> create mode 100644 ui/js/novnc/Makefile.am
>> create mode 100644 ui/js/novnc/base64.js
>> create mode 100644 ui/js/novnc/des.js
>> create mode 100644 ui/js/novnc/display.js
>> create mode 100644 ui/js/novnc/input.js
>> create mode 100755 ui/js/novnc/jsunzip.js
>> create mode 100644 ui/js/novnc/main.js
>> create mode 100644 ui/js/novnc/rfb.js
>> create mode 100644 ui/js/novnc/util.js
>> create mode 100644 ui/js/novnc/web-socket-js/Makefile.am
>> create mode 100644 ui/js/novnc/web-socket-js/README.txt
>> create mode 100644 ui/js/novnc/web-socket-js/WebSocketMain.swf
>> create mode 100644 ui/js/novnc/web-socket-js/swfobject.js
>> create mode 100644 ui/js/novnc/web-socket-js/web_socket.js
>> create mode 100644 ui/js/novnc/websock.js
>> create mode 100644 ui/js/novnc/webutil.js
>> delete mode 100644 ui/novnc/Makefile.am
>> delete mode 100644 ui/novnc/css/Makefile.am
>> delete mode 100644 ui/novnc/css/Orbitron700.ttf
>> delete mode 100644 ui/novnc/css/Orbitron700.woff
>> delete mode 100644 ui/novnc/css/base.css
>> delete mode 100644 ui/novnc/js/Makefile.am
>> delete mode 100644 ui/novnc/js/base64.js
>> delete mode 100644 ui/novnc/js/des.js
>> delete mode 100644 ui/novnc/js/display.js
>> delete mode 100644 ui/novnc/js/input.js
>> delete mode 100755 ui/novnc/js/jsunzip.js
>> delete mode 100644 ui/novnc/js/main.js
>> delete mode 100644 ui/novnc/js/rfb.js
>> delete mode 100644 ui/novnc/js/util.js
>> delete mode 100644 ui/novnc/js/web-socket-js/Makefile.am
>> delete mode 100644 ui/novnc/js/web-socket-js/README.txt
>> delete mode 100644 ui/novnc/js/web-socket-js/WebSocketMain.swf
>> delete mode 100644 ui/novnc/js/web-socket-js/swfobject.js
>> delete mode 100644 ui/novnc/js/web-socket-js/web_socket.js
>> delete mode 100644 ui/novnc/js/websock.js
>> delete mode 100644 ui/novnc/js/webutil.js
>> delete mode 100644 ui/novnc/vnc.html
>> create mode 100644 ui/pages/novnc/Makefile.am
>> create mode 100644 ui/pages/novnc/vnc_auto.html
>> create mode 100644 ui/pages/vnc_auto.html.tmpl
>>