diff options
author | Keir Fraser <keir@xensource.com> | 2007-10-30 09:32:10 +0000 |
---|---|---|
committer | Keir Fraser <keir@xensource.com> | 2007-10-30 09:32:10 +0000 |
commit | 818a83176228b7005915c6cdb0f529dfe0fd9625 (patch) | |
tree | 65f0dce6295a07b143b63953fd77a3a42adcac76 /tools | |
parent | 02b1dc06bf051c6ec8cd7a48dadf278f70b57fb9 (diff) | |
download | xen-818a83176228b7005915c6cdb0f529dfe0fd9625.tar.gz xen-818a83176228b7005915c6cdb0f529dfe0fd9625.tar.bz2 xen-818a83176228b7005915c6cdb0f529dfe0fd9625.zip |
qemu vnc auth 4/4: XenD config for VNC TLS protocol
This patch adds support to XenD for configuring the previously added
TLS encryption and x509 certificate validation. At this time I have
only enabled this config to be done system-wide via
/etc/xen/xend-config.sxp. Since it requires the admin to add
certificates on the local FS, there's not much point in making it per
VM. The x509 certificates are located in /etc/xen/vnc. Since this
requires a special VNC client program (GTK-VNC,
virt-viewer/virt-manager or VeNCrypt viewer) the use of TLS is
disabled by default. Admins can enable it if they are using a suitable
client.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Diffstat (limited to 'tools')
-rw-r--r-- | tools/examples/xend-config.sxp | 30 | ||||
-rw-r--r-- | tools/python/xen/xend/XendOptions.py | 19 | ||||
-rw-r--r-- | tools/python/xen/xend/image.py | 15 |
3 files changed, 63 insertions, 1 deletions
diff --git a/tools/examples/xend-config.sxp b/tools/examples/xend-config.sxp index 9dfd97471f..df1749f340 100644 --- a/tools/examples/xend-config.sxp +++ b/tools/examples/xend-config.sxp @@ -192,6 +192,36 @@ # Empty string is no authentication. (vncpasswd '') +# The VNC server can be told to negotiate a TLS session +# to encryption all traffic, and provide x509 cert to +# clients enalbing them to verify server identity. The +# GTK-VNC widget, virt-viewer, virt-manager and VeNCrypt +# all support the VNC extension for TLS used in QEMU. The +# TightVNC/RealVNC/UltraVNC clients do not. +# +# To enable this create x509 certificates / keys in the +# directory /etc/xen/vnc +# +# ca-cert.pem - The CA certificate +# server-cert.pem - The Server certificate signed by the CA +# server-key.pem - The server private key +# +# and then uncomment this next line +# (vnc-tls 1) + +# The certificate dir can be pointed elsewhere.. +# +# (vnc-x509-cert-dir /etc/xen/vnc) + +# The server can be told to request & validate an x509 +# certificate from the client. Only clients with a cert +# signed by the trusted CA will be able to connect. This +# is more secure the password auth alone. Passwd auth can +# used at the same time if desired. To enable client cert +# checking uncomment this: +# +# (vnc-x509-verify 1) + # The default keymap to use for the VM's virtual keyboard # when not specififed in VM's configuration #(keymap 'en-us') diff --git a/tools/python/xen/xend/XendOptions.py b/tools/python/xen/xend/XendOptions.py index 1c1177c945..8f2cca3b33 100644 --- a/tools/python/xen/xend/XendOptions.py +++ b/tools/python/xen/xend/XendOptions.py @@ -102,6 +102,15 @@ class XendOptions: """Default interface to listen for VNC connections on""" xend_vnc_listen_default = '127.0.0.1' + """Use of TLS mode in QEMU VNC server""" + xend_vnc_tls = 0 + + """x509 certificate directory for QEMU VNC server""" + xend_vnc_x509_cert_dir = "/etc/xen/vnc" + + """Verify incoming client x509 certs""" + xend_vnc_x509_verify = 0 + """Default session storage path.""" xend_domains_path_default = '/var/lib/xend/domains' @@ -288,6 +297,16 @@ class XendOptions: return None + def get_vnc_tls(self): + return self.get_config_string('vnc-tls', self.xend_vnc_tls) + + def get_vnc_x509_cert_dir(self): + return self.get_config_string('vnc-x509-cert-dir', self.xend_vnc_x509_cert_dir) + + def get_vnc_x509_verify(self): + return self.get_config_string('vnc-x509-verify', self.xend_vnc_x509_verify) + + class XendOptionsFile(XendOptions): """Default path to the config file.""" diff --git a/tools/python/xen/xend/image.py b/tools/python/xen/xend/image.py index b319703140..f84d0dca7d 100644 --- a/tools/python/xen/xend/image.py +++ b/tools/python/xen/xend/image.py @@ -17,7 +17,7 @@ #============================================================================ -import os, string +import os, os.path, string import re import math import time @@ -227,6 +227,19 @@ class ImageHandler: else: log.debug("No VNC passwd configured for vfb access") + if XendOptions.instance().get_vnc_tls(): + vncx509certdir = XendOptions.instance().get_vnc_x509_cert_dir() + vncx509verify = XendOptions.instance().get_vnc_x509_verify() + + if not os.path.exists(vncx509certdir): + raise VmError("VNC x509 certificate dir %s does not exist" % vncx509certdir) + + if vncx509verify: + vncopts = vncopts + ",tls,x509verify=%s" % vncx509certdir + else: + vncopts = vncopts + ",tls,x509=%s" % vncx509certdir + + vnclisten = vnc_config.get('vnclisten', XendOptions.instance().get_vnclisten_address()) vncdisplay = vnc_config.get('vncdisplay', 0) |