
changeset 16272:dc3fcd5dd4eb

qemu vnc auth 4/4: XenD config for VNC TLS protocol

This patch adds support to XenD for configuring the previously added
TLS encryption and x509 certificate validation. At this time I have
only enabled this config to be done system-wide via
/etc/xen/xend-config.sxp. Since it requires the admin to add
certificates on the local FS, there's not much point in making it per
VM. The x509 certificates are located in /etc/xen/vnc. Since this
requires a special VNC client program (GTK-VNC,
virt-viewer/virt-manager or VeNCrypt viewer) the use of TLS is
disabled by default. Admins can enable it if they are using a suitable
client.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
author Keir Fraser <keir@xensource.com>
date Tue Oct 30 09:32:10 2007 +0000 (2007-10-30)
parents f7026f931e60
children ceb195042ca7
files tools/examples/xend-config.sxp tools/python/xen/xend/XendOptions.py tools/python/xen/xend/image.py
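--- a/tools/examples/xend-config.sxp
+++ b/tools/examples/xend-config.sxp
@@ -192,6 +192,36 @@
 # Empty string is no authentication.
 (vncpasswd '')
 
+# The VNC server can be told to negotiate a TLS session
+# to encryption all traffic, and provide x509 cert to
+# clients enalbing them to verify server identity. The
+# GTK-VNC widget, virt-viewer, virt-manager and VeNCrypt
+# all support the VNC extension for TLS used in QEMU. The
+# TightVNC/RealVNC/UltraVNC clients do not.
+#
+# To enable this create x509 certificates / keys in the
+# directory /etc/xen/vnc
+#
+#  ca-cert.pem       - The CA certificate
+#  server-cert.pem   - The Server certificate signed by the CA
+#  server-key.pem    - The server private key
+#
+# and then uncomment this next line
+# (vnc-tls 1)
+
+# The certificate dir can be pointed elsewhere..
+#
+# (vnc-x509-cert-dir /etc/xen/vnc)
+
+# The server can be told to request & validate an x509
+# certificate from the client. Only clients with a cert
+# signed by the trusted CA will be able to connect. This
+# is more secure the password auth alone. Passwd auth can
+# used at the same time if desired. To enable client cert
+# checking uncomment this:
+#
+# (vnc-x509-verify 1)
+
 # The default keymap to use for the VM's virtual keyboard
 # when not specififed in VM's configuration
 #(keymap 'en-us')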
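Review bot: The new comment block at 1.8–1.9 and 1.31–1.32 has wording errors that every admin will copy into their own config: `# to encrypt all traffic, and provide an x509 cert to` / `# clients enabling them to verify server identity. The`, and the later sentence should read "more secure than password auth alone. Passwd auth can be used at the same time if desired." Since the block tells admins to drop server-key.pem into /etc/xen/vnc, it is also worth a line after 1.19 stating that the private key must not be world-readable and is read only by the device model, so a lax mode on the directory does not expose it.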
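--- a/tools/python/xen/xend/XendOptions.py
+++ b/tools/python/xen/xend/XendOptions.py
@@ -102,6 +102,15 @@ class XendOptions:
     """Default interface to listen for VNC connections on"""
     xend_vnc_listen_default = '127.0.0.1'
 
+    """Use of TLS mode in QEMU VNC server"""
+    xend_vnc_tls = 0
+
+    """x509 certificate directory for QEMU VNC server"""
+    xend_vnc_x509_cert_dir = "/etc/xen/vnc"
+
+    """Verify incoming client x509 certs"""
+    xend_vnc_x509_verify = 0
+
     """Default session storage path."""
     xend_domains_path_default = '/var/lib/xend/domains'
 
@@ -288,6 +297,16 @@ class XendOptions:
             return None
 
 
+    def get_vnc_tls(self):
+        return self.get_config_string('vnc-tls', self.xend_vnc_tls)
+
+    def get_vnc_x509_cert_dir(self):
+        return self.get_config_string('vnc-x509-cert-dir', self.xend_vnc_x509_cert_dir)
+
+    def get_vnc_x509_verify(self):
+        return self.get_config_string('vnc-x509-verify', self.xend_vnc_x509_verify)
+
+
 class XendOptionsFile(XendOptions):
 
     """Default path to the config file."""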
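Review bot: get_vnc_tls() and get_vnc_x509_verify() at 2.23–2.30 read a yes/no switch through get_config_string, so an admin who writes `(vnc-tls 0)` or `(vnc-x509-verify 0)` gets back the string '0', which is truthy; image.py (3.16 and 3.23 in this commit) tests these values with a bare `if`, so an explicit "0" in xend-config.sxp enables the feature it is meant to turn off, and only the absent-key default of integer 0 behaves as documented. The two getters should use the class's boolean accessor, as the other on/off options in XendOptions do: `return self.get_config_bool('vnc-tls', self.xend_vnc_tls)` and `return self.get_config_bool('vnc-x509-verify', self.xend_vnc_x509_verify)`, assuming get_config_bool accepts the existing defaults. get_vnc_x509_cert_dir() is correctly a string and needs no change. The XendOptions class continues outside both hunks.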
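--- a/tools/python/xen/xend/image.py
+++ b/tools/python/xen/xend/image.py
@@ -17,7 +17,7 @@
 #============================================================================
 
 
-import os, string
+import os, os.path, string
 import re
 import math
 import time
@@ -227,6 +227,19 @@ class ImageHandler:
             else:
                 log.debug("No VNC passwd configured for vfb access")
 
+            if XendOptions.instance().get_vnc_tls():
+                vncx509certdir = XendOptions.instance().get_vnc_x509_cert_dir()
+                vncx509verify = XendOptions.instance().get_vnc_x509_verify()
+
+                if not os.path.exists(vncx509certdir):
+                    raise VmError("VNC x509 certificate dir %s does not exist" % vncx509certdir)
+
+                if vncx509verify:
+                    vncopts = vncopts + ",tls,x509verify=%s" % vncx509certdir
+                else:
+                    vncopts = vncopts + ",tls,x509=%s" % vncx509certdir
+
+
             vnclisten = vnc_config.get('vnclisten',
                                        XendOptions.instance().get_vnclisten_address())
             vncdisplay = vnc_config.get('vncdisplay', 0)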
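Review bot: The precondition check at 3.20 only asks whether the configured path exists, so a plain file, or a directory missing any of ca-cert.pem, server-cert.pem or server-key.pem that the xend-config.sxp comment in this commit requires, passes xend's check and the failure surfaces later as an opaque device-model start error instead of the VmError this block was added to give. Checking os.path.isdir plus the three files, with the missing name in the message, keeps the diagnostics where the admin sees them; the os.path import added at 3.8 is redundant with `import os` but harmless. The method enclosing this hunk, including where vncopts is first built, starts and ends outside the hunk.
```python
            if XendOptions.instance().get_vnc_tls():
                vncx509certdir = XendOptions.instance().get_vnc_x509_cert_dir()
                vncx509verify = XendOptions.instance().get_vnc_x509_verify()

                if not os.path.isdir(vncx509certdir):
                    raise VmError("VNC x509 certificate dir %s does not exist" % vncx509certdir)
                # qemu needs all three files; fail here with a clear message
                # rather than letting the device model die at startup.
                for certfile in ('ca-cert.pem', 'server-cert.pem', 'server-key.pem'):
                    if not os.path.isfile(os.path.join(vncx509certdir, certfile)):
                        raise VmError("VNC x509 file %s missing from %s" % (certfile, vncx509certdir))
                # … unchanged: appending ,tls,x509[verify]= to vncopts …
```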