Virtualization VNC Authentication
- Name: Your Name
- email: <your email address so we can contact you, invite you to meetings, etc.>
- Targeted release: Fedora 28
- Last updated: (DATE)
- Percentage of completion: XX%
The Fedora 8 release introduced the new feature [| VirtSecurity] which comprised supporting the SSL/TLS protocol and x590 certificate in the libvirt RPC layer and VNC protocol. The Fedora 9 release extended this work to add the new feature [SASL authentication] to the libvirt RPC layer. The next logical piece in the security puzzle for virtualization is thus SASL authentication in the VNC protocol. That is the purpose of this new feature for Fedora 11.
VNC has been lacking in serious authentication capabilities since the day it was invented. Various projects have invented new authentication types eg, UltraVNC's MS-Logon integration, but no one has ever attempted to define an portable & extensible standard for VNC authentication that can easily be used across any client/server implementation.
The SASL protocol is well documented Internet specification (RF 4422) that has multiple implementations (cyrus-sasl, gsasl, Java SASL) portable to every major operating system. It defines a protocol that is independent of the authentication mechanism, so as new mechanisms are invented/implemented they can be plugged into existing SASL enabled applications without needing further code / protocol changes.
Of particular interest is the GSSAPI mechanism, which enables Kerberos single-sign-on. Other mechanisms include plain username/password (checkable against files, LDAP, SQL database, etc), one-time passwords, and more).
Benefit to Fedora
A number of virtualization platforms use QEMU for their host device model, and the primary protocol for interacting with QEMU remotely is VNC. Until now the only truly secure means of accessing VNC remotely is to tunnel the VNC connection over SSH. This is not a satisfactory approach for many virtualization hosts, since it entails opening SSH access to the virtualization for guest administrators. Supporting SASL in the VNC protocol, in concert with the previously added SSL/TLS feature, will allow strongly authenticated, securely encrypted remote access to VNC server without any need for tunnelling.
With a little extra effort, the work to support VNC+SASL in the virtualization arena, can be extended to desktop users, by adding SASL to the VINO remote desktop service in GNOME. This will provide Fedora users with a strongly authenticated, securely encrypted remote desktop service.
- Obtain an officially allocated VNC security type code for the new SASL protocol - Write a specification for mapping SASL into the VNC protocol
Server side work
- Implement the core SASL protocol in QEMU's VNC server - Implement a means to define the user ACL for authentication in QEMU - Get code reviewed & accepted in upstream QEMU - Encourage QEMU to produce a new release in time for Fedora 11, or backport the accepted patches to QEMU 0.9.1 - Extend libvirt to allow configuration of SASL authentication for QEMU
Client side work
- Implement the core SASL protocol in GTK-VNC client
For extra credit
- Implement the core SASL protocol in VINO's VNC server (TBD: move to a separate feature page ?)
How To Test
Comments and Discussion