mirror of git://git.proxmox.com/git/spiceterm.git synced 2025-01-18 06:03:56 +03:00

drop SASL support allowing using Debians libspice-server

The disadvantages of keeping this, and thus having to maintain
libspice-server ourselves, a package with frequent security issues
reported, outweigh the advantages. Spiceterm itself is probably not
used that much, and within that relatively small user base SASL use is
probably almost non-existent.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht 2019-05-22 16:15:08 +02:00
parent 1a89d702e7
commit 16ca49dad0
6 changed files with 8 additions and 74 deletions


@ -14,7 +14,7 @@ PROGRAMS=spiceterm
HEADERS=translations.h event_loop.h glyphs.h spiceterm.h keysyms.h HEADERS=translations.h event_loop.h glyphs.h spiceterm.h keysyms.h
SOURCES=screen.c event_loop.c input.c spiceterm.c auth-pve.c SOURCES=screen.c event_loop.c input.c spiceterm.c auth-pve.c
PKGS := glib-2.0 spice-protocol spice-server libsasl2 PKGS := glib-2.0 spice-protocol spice-server
CFLAGS += `pkg-config --cflags $(PKGS)` CFLAGS += `pkg-config --cflags $(PKGS)`
LIBS += `pkg-config --libs $(PKGS)` LIBS += `pkg-config --libs $(PKGS)`

5
debian/control vendored

@ -4,14 +4,13 @@ Priority: extra
Maintainer: Proxmox Support Team <support@proxmox.com> Maintainer: Proxmox Support Team <support@proxmox.com>
Build-Depends: debhelper (>= 8.0.0), Build-Depends: debhelper (>= 8.0.0),
libglib2.0-dev, libglib2.0-dev,
libsasl2-dev,
libspice-protocol-dev, libspice-protocol-dev,
pve-libspice-server-dev, libspice-server-dev,
Standards-Version: 3.9.3 Standards-Version: 3.9.3
Package: spiceterm Package: spiceterm
Architecture: any Architecture: any
Depends: pve-libspice-server1, Depends: libspice-server1,
pve-qemu-kvm, pve-qemu-kvm,
${misc:Depends}, ${misc:Depends},
${shlibs:Depends}, ${shlibs:Depends},


@ -40,7 +40,6 @@
#include <spice/macros.h> #include <spice/macros.h>
#include <spice/qxl_dev.h> #include <spice/qxl_dev.h>
#include <spice/vd_agent.h> #include <spice/vd_agent.h>
#include <sasl/sasl.h>
#include "glyphs.h" #include "glyphs.h"
@ -713,50 +712,6 @@ spice_screen_draw_char(SpiceScreen *spice_screen, int x, int y, gunichar2 ch,
push_command(spice_screen, &update->ext); push_command(spice_screen, &update->ext);
} }
static int
sasl_checkpass_cb(sasl_conn_t *conn,
void *context,
const char *user,
const char *pass,
unsigned passlen,
struct propctx *propctx)
{
const void *remoteport = NULL;
char *clientip = NULL;
if (sasl_getprop(conn, SASL_IPREMOTEPORT, &remoteport) == SASL_OK) {
clientip = strtok(g_strdup(remoteport), ";");
} else {
clientip = g_strdup("unknown");
}
int res = pve_auth_verify(clientip, user, pass);
g_free(clientip);
return (res == 0) ? SASL_OK : SASL_NOAUTHZ;
}
static int
sasl_getopt_cb(void *context, const char *plugin_name,
const char *option,
const char **result, unsigned *len)
{
if (strcmp(option, "mech_list") == 0) {
*result = "plain";
len = NULL;
return SASL_OK;
}
return SASL_FAIL;
}
typedef int sasl_cb_fn(void);
static sasl_callback_t sasl_callbacks[] = {
{ SASL_CB_GETOPT, (sasl_cb_fn *)sasl_getopt_cb, NULL },
{ SASL_CB_SERVER_USERDB_CHECKPASS, (sasl_cb_fn *)sasl_checkpass_cb, NULL },
{ SASL_CB_LIST_END, NULL, NULL },
};
SpiceScreen * SpiceScreen *
spice_screen_new(SpiceCoreInterface *core, uint32_t width, uint32_t height, spice_screen_new(SpiceCoreInterface *core, uint32_t width, uint32_t height,
SpiceTermOptions *opts) SpiceTermOptions *opts)
@ -805,18 +760,12 @@ spice_screen_new(SpiceCoreInterface *core, uint32_t width, uint32_t height,
if (opts->noauth) { if (opts->noauth) {
spice_server_set_noauth(server); spice_server_set_noauth(server);
} else {
if (opts->sasl) {
spice_server_set_sasl(server, 1);
spice_server_set_sasl_appname(server, NULL); // enforce pve auth
spice_server_set_sasl_callbacks(server, sasl_callbacks);
} else { } else {
char *ticket = getenv("SPICE_TICKET"); char *ticket = getenv("SPICE_TICKET");
if (ticket) { if (ticket) {
spice_server_set_ticket(server, ticket, 300, 0, 0); spice_server_set_ticket(server, ticket, 300, 0, 0);
} }
} }
}
int res = spice_server_init(server, core); int res = spice_server_init(server, core);
if (res != 0) { if (res != 0) {
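Review bot: In the auth setup of spice_screen_new (which starts and ends outside this hunk), the remaining `else` branch only calls `spice_server_set_ticket` when `getenv("SPICE_TICKET")` is non-NULL, and nothing handles the unset case before `spice_server_init`. With SASL removed the ticket is the only authenticated mode, so a missing variable leaves the server with neither `noauth` nor a credential, and what a client then gets is decided by libspice-server's defaults rather than by spiceterm. I would make that case explicit, for example `} else { g_warning("SPICE_TICKET not set, ticket authentication will not work"); }`, or fail startup instead. It is also worth confirming that the variable is cleared with `unsetenv("SPICE_TICKET")` before the terminal's child process is started, since that code is not visible here.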


@ -1601,7 +1601,6 @@ spiceterm_print_usage(const char *msg)
fprintf(stderr, " --permission <perm> Required permissions (PVE AUTH)\n"); fprintf(stderr, " --permission <perm> Required permissions (PVE AUTH)\n");
fprintf(stderr, " --port <port> Bind to port <port>\n"); fprintf(stderr, " --port <port> Bind to port <port>\n");
fprintf(stderr, " --addr <addr> Bind to address <addr>\n"); fprintf(stderr, " --addr <addr> Bind to address <addr>\n");
fprintf(stderr, " --sasl Enable SASL based authentication\n");
fprintf(stderr, " --noauth Disable authentication\n"); fprintf(stderr, " --noauth Disable authentication\n");
fprintf(stderr, " --keymap Spefify keymap (uses kvm keymap files)\n"); fprintf(stderr, " --keymap Spefify keymap (uses kvm keymap files)\n");
} }
@ -1621,7 +1620,6 @@ main (int argc, char** argv)
.port = 5900, .port = 5900,
.addr = NULL, .addr = NULL,
.noauth = FALSE, .noauth = FALSE,
.sasl = FALSE,
}; };
static struct option long_options[] = { static struct option long_options[] = {
@ -1632,19 +1630,14 @@ main (int argc, char** argv)
{ "addr", required_argument, 0, 'a' }, { "addr", required_argument, 0, 'a' },
{ "keymap", required_argument, 0, 'k' }, { "keymap", required_argument, 0, 'k' },
{ "noauth", no_argument, 0, 'n' }, { "noauth", no_argument, 0, 'n' },
{ "sasl", no_argument, 0, 's' },
{ NULL, 0, 0, 0 }, { NULL, 0, 0, 0 },
}; };
while ((c = getopt_long(argc, argv, "nkst:a:p:P:", long_options, NULL)) != -1) { while ((c = getopt_long(argc, argv, "nkt:a:p:P:", long_options, NULL)) != -1) {
switch (c) { switch (c) {
case 'n': case 'n':
opts.noauth = TRUE; opts.noauth = TRUE;
break; break;
case 's':
opts.sasl = TRUE;
break;
case 'k': case 'k':
opts.keymap = optarg; opts.keymap = optarg;
break; break;
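Review bot: The short-option string on the `getopt_long` line in main, now `"nkt:a:p:P:"`, still lists `k` without a colon although the long option is declared `{ "keymap", required_argument, 0, 'k' }`. With the short form `-k`, getopt sets no `optarg`, so `opts.keymap = optarg` stores NULL and the intended keymap name is left as a non-option argument; since this commit already edits the string, it could become `"nk:t:a:p:P:"`. The usage text in spiceterm_print_usage has the same gap: `--keymap` shows no `<keymap>` placeholder and reads "Spefify". Both main and the switch continue outside the hunks shown.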


@ -30,7 +30,6 @@ typedef struct SpiceTermOptions {
char *addr; char *addr;
char *keymap; char *keymap;
gboolean noauth; gboolean noauth;
gboolean sasl;
} SpiceTermOptions; } SpiceTermOptions;
typedef struct SpiceScreen SpiceScreen; typedef struct SpiceScreen SpiceScreen;


@ -12,7 +12,6 @@ spiceterm - SPICE Terminal Emulator
--permission <perm> Required permissions (PVE AUTH) --permission <perm> Required permissions (PVE AUTH)
--port <port> Bind to port <port> --port <port> Bind to port <port>
--addr <addr> Bind to address <addr> --addr <addr> Bind to address <addr>
--sasl Enable SASL based authentication
--noauth Disable authentication --noauth Disable authentication
--keymap Spefify keymap (uses kvm keymap files) --keymap Spefify keymap (uses kvm keymap files)
@ -31,8 +30,6 @@ using the SPICE protocol. Implements a 'xterm' compatible terminal.
=item screen resize (vdagent) =item screen resize (vdagent)
=item SASL support
=item use TLS to encrypt all traffic =item use TLS to encrypt all traffic
=item use Proxmox VE authentication =item use Proxmox VE authentication
@ -43,9 +40,6 @@ using the SPICE protocol. Implements a 'xterm' compatible terminal.
You can disable authentication using the C<--noauth> option. You can disable authentication using the C<--noauth> option.
Please use C<--sasl> if you want to connect with username and password
(password if verified using the Proxmox VE auth framework).
Ticket authentication is default, and you should pass the ticket using Ticket authentication is default, and you should pass the ticket using
the C<SPICE_TICKET> environment variable. the C<SPICE_TICKET> environment variable.