Re: [spice-gtk v2] sasl: fix SASL GSSAPI by allowing NULL username

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 10 Jun 2016, Pavel Grunt wrote:
> How does it affect info about auth failure provided by
> spice_channel_failed_authentication() ?
If c->auth_needs_username is set, spice_channel_failed_authentication()
will tell that a username is required. This is certainly true -- if SASL
GSSAPI failed, username/password are indeed required. So it wouldn't be
a problem, at least from my reading of the code and tests with spicy
tool.

However, there is a problem with cases like virt-manager which assumes
there is only a password per channel required and never shows you a
request to enter username in case of SASL GSSAPI failure. When you enter
a password, the underlying code would complain that username is missing
but no way to enter username would be provided. This is virt-manager's
issue
Is there a bug ?
No, now I'm not able to reproduce it when SASL GSSAPI is fixed.
Do you want a bug for the case when you don't have a valid ticket in the
ccache?

(not related to the patch - it would be nice to rewrite/clean up the "SASL" part
of spice-channel.c)
There could be a bit of clean up but the main auth code is correct.

I would perhaps added support to optionally allow TGT delegation but we
would need it only once we would build up a channel to sign in into a
VM so that TGT could be forwarded into a VM's ccache.


--
/ Alexander Bokovoy
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel




[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]     [Monitors]