Commit 1263b7d6131cdaed2c460cf03757aaaf5696ec47
1 parent
2f9606b3
Include auth credentials in 'info vnc' ("Daniel P. Berrange")
This patch extends the 'info vnc' monitor output to include information
about the VNC client authentication credentials.
For clients authenticated using SASL, this will output the username.
For clients authenticated using x509 certificates, this will output
the x509 distinguished name.
Auth can be stacked, so both username & x509 dname may be shown.
Server:
address: 0.0.0.0:5902
auth: vencrypt+x509+sasl
Client:
address: 10.33.6.67:38621
x509 dname: C=GB,O=ACME,L=London,ST=London,CN=localhost
username: admin
Client:
address: 10.33.6.63:38620
x509 dname: C=GB,O=ACME,L=London,ST=London,CN=localhost
username: admin
vnc-tls.c | 17 +++++++++++++++++
vnc-tls.h | 3 +++
vnc.c | 19 +++++++++++++++++--
3 files changed, 37 insertions(+), 2 deletions(-)
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6725 c046a42c-6fe2-441c-8c8c-71466251a162
Showing
1 changed file
with
17 additions
and
2 deletions
vnc.c
| @@ -156,6 +156,21 @@ static void do_info_vnc_client(Monitor *mon, VncState *client) | @@ -156,6 +156,21 @@ static void do_info_vnc_client(Monitor *mon, VncState *client) | ||
| 156 | monitor_printf(mon, "Client:\n"); | 156 | monitor_printf(mon, "Client:\n"); |
| 157 | monitor_printf(mon, "%s", clientAddr); | 157 | monitor_printf(mon, "%s", clientAddr); |
| 158 | free(clientAddr); | 158 | free(clientAddr); |
| 159 | + | ||
| 160 | +#ifdef CONFIG_VNC_TLS | ||
| 161 | + if (client->tls.session && | ||
| 162 | + client->tls.dname) | ||
| 163 | + monitor_printf(mon, " x509 dname: %s\n", client->tls.dname); | ||
| 164 | + else | ||
| 165 | + monitor_printf(mon, " x509 dname: none\n"); | ||
| 166 | +#endif | ||
| 167 | +#ifdef CONFIG_VNC_SASL | ||
| 168 | + if (client->sasl.conn && | ||
| 169 | + client->sasl.username) | ||
| 170 | + monitor_printf(mon, " username: %s\n", client->sasl.username); | ||
| 171 | + else | ||
| 172 | + monitor_printf(mon, " username: none\n"); | ||
| 173 | +#endif | ||
| 159 | } | 174 | } |
| 160 | 175 | ||
| 161 | void do_info_vnc(Monitor *mon) | 176 | void do_info_vnc(Monitor *mon) |
| @@ -1824,7 +1839,7 @@ static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len) | @@ -1824,7 +1839,7 @@ static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len) | ||
| 1824 | /* We only advertise 1 auth scheme at a time, so client | 1839 | /* We only advertise 1 auth scheme at a time, so client |
| 1825 | * must pick the one we sent. Verify this */ | 1840 | * must pick the one we sent. Verify this */ |
| 1826 | if (data[0] != vs->vd->auth) { /* Reject auth */ | 1841 | if (data[0] != vs->vd->auth) { /* Reject auth */ |
| 1827 | - VNC_DEBUG("Reject auth %d\n", (int)data[0]); | 1842 | + VNC_DEBUG("Reject auth %d because it didn't match advertized\n", (int)data[0]); |
| 1828 | vnc_write_u32(vs, 1); | 1843 | vnc_write_u32(vs, 1); |
| 1829 | if (vs->minor >= 8) { | 1844 | if (vs->minor >= 8) { |
| 1830 | static const char err[] = "Authentication failed"; | 1845 | static const char err[] = "Authentication failed"; |
| @@ -1864,7 +1879,7 @@ static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len) | @@ -1864,7 +1879,7 @@ static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len) | ||
| 1864 | #endif /* CONFIG_VNC_SASL */ | 1879 | #endif /* CONFIG_VNC_SASL */ |
| 1865 | 1880 | ||
| 1866 | default: /* Should not be possible, but just in case */ | 1881 | default: /* Should not be possible, but just in case */ |
| 1867 | - VNC_DEBUG("Reject auth %d\n", vs->vd->auth); | 1882 | + VNC_DEBUG("Reject auth %d server code bug\n", vs->vd->auth); |
| 1868 | vnc_write_u8(vs, 1); | 1883 | vnc_write_u8(vs, 1); |
| 1869 | if (vs->minor >= 8) { | 1884 | if (vs->minor >= 8) { |
| 1870 | static const char err[] = "Authentication failed"; | 1885 | static const char err[] = "Authentication failed"; |