Proxmox/spiceterm
5
0
Fork 0
mirror of git://git.proxmox.com/git/spiceterm.git synced 2024-12-22 13:34:06 +03:00
Code Releases Activity

drop SASL support allowing using Debians libspice-server

Browse Source 
The disadvantage over keeping this and thus having to maintain
libspice-server ourself, a package with frequent security issues
reported, overweight the advantages. Spiceterm itself is probably not
used that much, and of that relatively small user base SASL is
probably almost non-existent.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
This commit is contained in:
Thomas Lamprecht 2019-05-22 16:15:08 +02:00
parent 1a89d702e7
commit 16ca49dad0
6 changed files with 8 additions and 74 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Makefile
View File

@ -14,7 +14,7 @@ PROGRAMS=spiceterm
HEADERS=translations.h event_loop.h glyphs.h spiceterm.h keysyms.h
SOURCES=screen.c event_loop.c input.c spiceterm.c auth-pve.c
PKGS := glib-2.0 spice-protocol spice-server libsasl2
PKGS := glib-2.0 spice-protocol spice-server
CFLAGS += `pkg-config --cflags $(PKGS)`
LIBS += `pkg-config --libs $(PKGS)`

5
debian/control vendored
View File

@ -4,14 +4,13 @@ Priority: extra
Maintainer: Proxmox Support Team <support@proxmox.com>
Build-Depends: debhelper (>= 8.0.0),
libglib2.0-dev,
libsasl2-dev,
libspice-protocol-dev,
pve-libspice-server-dev,
libspice-server-dev,
Standards-Version: 3.9.3
Package: spiceterm
Architecture: any
Depends: pve-libspice-server1,
Depends: libspice-server1,
pve-qemu-kvm,
${misc:Depends},
${shlibs:Depends},

57
screen.c
View File

@ -40,7 +40,6 @@
#include <spice/macros.h>
#include <spice/qxl_dev.h>
#include <spice/vd_agent.h>
#include <sasl/sasl.h>
#include "glyphs.h"
@ -713,50 +712,6 @@ spice_screen_draw_char(SpiceScreen *spice_screen, int x, int y, gunichar2 ch,
push_command(spice_screen, &update->ext);
}
static int
sasl_checkpass_cb(sasl_conn_t *conn,
void *context,
const char *user,
const char *pass,
unsigned passlen,
struct propctx *propctx)
{
const void *remoteport = NULL;
char *clientip = NULL;
if (sasl_getprop(conn, SASL_IPREMOTEPORT, &remoteport) == SASL_OK) {
clientip = strtok(g_strdup(remoteport), ";");
} else {
clientip = g_strdup("unknown");
}
int res = pve_auth_verify(clientip, user, pass);
g_free(clientip);
return (res == 0) ? SASL_OK : SASL_NOAUTHZ;
}
static int
sasl_getopt_cb(void *context, const char *plugin_name,
const char *option,
const char **result, unsigned *len)
{
if (strcmp(option, "mech_list") == 0) {
*result = "plain";
len = NULL;
return SASL_OK;
}
return SASL_FAIL;
}
typedef int sasl_cb_fn(void);
static sasl_callback_t sasl_callbacks[] = {
{ SASL_CB_GETOPT, (sasl_cb_fn *)sasl_getopt_cb, NULL },
{ SASL_CB_SERVER_USERDB_CHECKPASS, (sasl_cb_fn *)sasl_checkpass_cb, NULL },
{ SASL_CB_LIST_END, NULL, NULL },
};
SpiceScreen *
spice_screen_new(SpiceCoreInterface *core, uint32_t width, uint32_t height,
SpiceTermOptions *opts)
@ -806,15 +761,9 @@ spice_screen_new(SpiceCoreInterface *core, uint32_t width, uint32_t height,
if (opts->noauth) {
spice_server_set_noauth(server);
} else {
if (opts->sasl) {
spice_server_set_sasl(server, 1);
spice_server_set_sasl_appname(server, NULL); // enforce pve auth
spice_server_set_sasl_callbacks(server, sasl_callbacks);
} else {
char *ticket = getenv("SPICE_TICKET");
if (ticket) {
spice_server_set_ticket(server, ticket, 300, 0, 0);
}
char *ticket = getenv("SPICE_TICKET");
if (ticket) {
spice_server_set_ticket(server, ticket, 300, 0, 0);
}
}

9
spiceterm.c
View File

@ -1601,7 +1601,6 @@ spiceterm_print_usage(const char *msg)
fprintf(stderr, " --permission <perm> Required permissions (PVE AUTH)\n");
fprintf(stderr, " --port <port> Bind to port <port>\n");
fprintf(stderr, " --addr <addr> Bind to address <addr>\n");
fprintf(stderr, " --sasl Enable SASL based authentication\n");
fprintf(stderr, " --noauth Disable authentication\n");
fprintf(stderr, " --keymap Spefify keymap (uses kvm keymap files)\n");
}
@ -1621,7 +1620,6 @@ main (int argc, char** argv)
.port = 5900,
.addr = NULL,
.noauth = FALSE,
.sasl = FALSE,
};
static struct option long_options[] = {
@ -1632,19 +1630,14 @@ main (int argc, char** argv)
{ "addr", required_argument, 0, 'a' },
{ "keymap", required_argument, 0, 'k' },
{ "noauth", no_argument, 0, 'n' },
{ "sasl", no_argument, 0, 's' },
{ NULL, 0, 0, 0 },
};
while ((c = getopt_long(argc, argv, "nkst:a:p:P:", long_options, NULL)) != -1) {
while ((c = getopt_long(argc, argv, "nkt:a:p:P:", long_options, NULL)) != -1) {
switch (c) {
case 'n':
opts.noauth = TRUE;
break;
case 's':
opts.sasl = TRUE;
break;
case 'k':
opts.keymap = optarg;
break;

1
spiceterm.h
View File

@ -30,7 +30,6 @@ typedef struct SpiceTermOptions {
char *addr;
char *keymap;
gboolean noauth;
gboolean sasl;
} SpiceTermOptions;
typedef struct SpiceScreen SpiceScreen;

8
spiceterm.pod
View File

@ -12,7 +12,6 @@ spiceterm - SPICE Terminal Emulator
--permission <perm> Required permissions (PVE AUTH)
--port <port> Bind to port <port>
--addr <addr> Bind to address <addr>
--sasl Enable SASL based authentication
--noauth Disable authentication
--keymap Spefify keymap (uses kvm keymap files)
@ -31,8 +30,6 @@ using the SPICE protocol. Implements a 'xterm' compatible terminal.
=item screen resize (vdagent)
=item SASL support
=item use TLS to encrypt all traffic
=item use Proxmox VE authentication
@ -41,10 +38,7 @@ using the SPICE protocol. Implements a 'xterm' compatible terminal.
=head1 Authentication
You can disable authentication using the C<--noauth> option.
Please use C<--sasl> if you want to connect with username and password
(password if verified using the Proxmox VE auth framework).
You can disable authentication using the C<--noauth> option.
Ticket authentication is default, and you should pass the ticket using
the C<SPICE_TICKET> environment variable.