drop SASL support allowing using Debians libspice-server

The disadvantage over keeping this and thus having to maintain
libspice-server ourself, a package with frequent security issues
reported, overweight the advantages. Spiceterm itself is probably not
used that much, and of that relatively small user base SASL is
probably almost non-existent.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

diff --git a/Makefile b/Makefile
index 12415ca7150e64d8dae0a6ed3f769bc6a9a0fb6e..5d82f7083aa5031e7bc2d4230d597b86dfa0d59b 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -14,7 +14,7 @@ PROGRAMS=spiceterm
 HEADERS=translations.h event_loop.h glyphs.h spiceterm.h keysyms.h
 SOURCES=screen.c event_loop.c input.c spiceterm.c auth-pve.c
 
-PKGS := glib-2.0 spice-protocol spice-server libsasl2
+PKGS := glib-2.0 spice-protocol spice-server
 CFLAGS += `pkg-config --cflags $(PKGS)`
 LIBS += `pkg-config --libs $(PKGS)`
 

diff --git a/debian/control b/debian/control
index a1dc92f3bd3f83d19d12598a99e942bf7c7ce932..35ca38e3f6204bd3868f61c6520be0bf6d093616 100644 (file)
--- a/debian/control
+++ b/debian/control
@@ -4,14 +4,13 @@ Priority: extra
 Maintainer: Proxmox Support Team <support@proxmox.com>
 Build-Depends: debhelper (>= 8.0.0),
                libglib2.0-dev,
-               libsasl2-dev,
                libspice-protocol-dev,
-               pve-libspice-server-dev,
+               libspice-server-dev,
 Standards-Version: 3.9.3
 
 Package: spiceterm
 Architecture: any
-Depends: pve-libspice-server1,
+Depends: libspice-server1,
          pve-qemu-kvm,
          ${misc:Depends},
          ${shlibs:Depends},

diff --git a/screen.c b/screen.c
index a24fd6ae3b0b2a274ff5cb2b50207ed7e8df95e0..3c00aeb9c02a1d3b24cca72a0e54f26340652d27 100644 (file)
--- a/screen.c
+++ b/screen.c
@@ -40,7 +40,6 @@
 #include <spice/macros.h>
 #include <spice/qxl_dev.h>
 #include <spice/vd_agent.h>
-#include <sasl/sasl.h>
 
 #include "glyphs.h"
 
@@ -713,50 +712,6 @@ spice_screen_draw_char(SpiceScreen *spice_screen, int x, int y, gunichar2 ch,
     push_command(spice_screen, &update->ext);
 }
 
-static int 
-sasl_checkpass_cb(sasl_conn_t *conn,
-                  void *context,
-                  const char *user,
-                  const char *pass,
-                  unsigned passlen,
-                  struct propctx *propctx)
-{
-    const void *remoteport = NULL;
-    char *clientip = NULL;
-    if (sasl_getprop(conn, SASL_IPREMOTEPORT, &remoteport) == SASL_OK) {
-        clientip = strtok(g_strdup(remoteport), ";");
-    } else {
-        clientip = g_strdup("unknown");
-    }
-
-    int res = pve_auth_verify(clientip, user, pass);
-
-    g_free(clientip);
-
-    return (res == 0) ? SASL_OK : SASL_NOAUTHZ;
-}
-
-static int 
-sasl_getopt_cb(void *context, const char *plugin_name,
-               const char *option,
-               const char **result, unsigned *len)
-{
-    if (strcmp(option, "mech_list") == 0) {
-        *result = "plain";
-        len = NULL;
-        return SASL_OK;
-    }
-
-    return SASL_FAIL;
-}
-
-typedef int sasl_cb_fn(void);  
-static sasl_callback_t sasl_callbacks[] = {
-    { SASL_CB_GETOPT, (sasl_cb_fn *)sasl_getopt_cb, NULL },
-    { SASL_CB_SERVER_USERDB_CHECKPASS, (sasl_cb_fn *)sasl_checkpass_cb, NULL },
-    { SASL_CB_LIST_END, NULL, NULL },
-};
- 
 SpiceScreen *
 spice_screen_new(SpiceCoreInterface *core, uint32_t width, uint32_t height, 
                  SpiceTermOptions *opts)
@@ -806,15 +761,9 @@ spice_screen_new(SpiceCoreInterface *core, uint32_t width, uint32_t height,
     if (opts->noauth) {
         spice_server_set_noauth(server);
     } else {
-        if (opts->sasl) {
-            spice_server_set_sasl(server, 1);
-            spice_server_set_sasl_appname(server, NULL); // enforce pve auth
-            spice_server_set_sasl_callbacks(server, sasl_callbacks);
-        } else {
-            char *ticket = getenv("SPICE_TICKET");
-            if (ticket) {
-                spice_server_set_ticket(server, ticket, 300, 0, 0);
-            }
+        char *ticket = getenv("SPICE_TICKET");
+        if (ticket) {
+            spice_server_set_ticket(server, ticket, 300, 0, 0);
         }
     }
 

diff --git a/spiceterm.c b/spiceterm.c
index fdcafbc60670a7124af475344edcf9074379ede9..153c5bfe4a8fed21ecd0484cf1acf17910dd443b 100644 (file)
--- a/spiceterm.c
+++ b/spiceterm.c
@@ -1601,7 +1601,6 @@ spiceterm_print_usage(const char *msg)
     fprintf(stderr, "  --permission <perm>  Required permissions (PVE AUTH)\n");
     fprintf(stderr, "  --port <port>        Bind to port <port>\n");
     fprintf(stderr, "  --addr <addr>        Bind to address <addr>\n");
-    fprintf(stderr, "  --sasl               Enable SASL based authentication\n");
     fprintf(stderr, "  --noauth             Disable authentication\n");
     fprintf(stderr, "  --keymap             Spefify keymap (uses kvm keymap files)\n");
 }
@@ -1621,7 +1620,6 @@ main (int argc, char** argv)
         .port = 5900,
         .addr = NULL,
         .noauth = FALSE,
-        .sasl = FALSE,
     };
 
    static struct option long_options[] = {
@@ -1632,19 +1630,14 @@ main (int argc, char** argv)
         { "addr", required_argument, 0, 'a' },
         { "keymap", required_argument, 0, 'k' },
         { "noauth", no_argument, 0, 'n' },
-        { "sasl", no_argument, 0, 's' },
         { NULL, 0, 0, 0 },
     };
 
-    while ((c = getopt_long(argc, argv, "nkst:a:p:P:", long_options, NULL)) != -1) {
-        
+    while ((c = getopt_long(argc, argv, "nkt:a:p:P:", long_options, NULL)) != -1) {
         switch (c) {
         case 'n':
             opts.noauth = TRUE;
             break;
-        case 's':
-            opts.sasl = TRUE;
-            break;
         case 'k':
             opts.keymap = optarg;
             break;

diff --git a/spiceterm.h b/spiceterm.h
index 0e238ca8d924d457fb605ff295b6bb827628513d..c1fbaec0566750df7b2d48167cccfb261a8d8bba 100644 (file)
--- a/spiceterm.h
+++ b/spiceterm.h
@@ -30,7 +30,6 @@ typedef struct SpiceTermOptions {
     char *addr;
     char *keymap;
     gboolean noauth;
-    gboolean sasl;
 } SpiceTermOptions;
 
 typedef struct SpiceScreen SpiceScreen;

diff --git a/spiceterm.pod b/spiceterm.pod
index dd652884d7aebe4d6ba4b078ef5ca8fbaf5f462f..eb243bef00f3a367a62f10b92a4883c652394a83 100644 (file)
--- a/spiceterm.pod
+++ b/spiceterm.pod
@@ -12,7 +12,6 @@ spiceterm - SPICE Terminal Emulator
   --permission <perm>  Required permissions (PVE AUTH)
   --port <port>        Bind to port <port>
   --addr <addr>        Bind to address <addr>
-  --sasl               Enable SASL based authentication
   --noauth             Disable authentication
   --keymap             Spefify keymap (uses kvm keymap files)
 
@@ -31,8 +30,6 @@ using the SPICE protocol. Implements a 'xterm' compatible terminal.
 
 =item screen resize (vdagent)
 
-=item SASL support
-
 =item use TLS to encrypt all traffic
 
 =item use Proxmox VE authentication
@@ -41,10 +38,7 @@ using the SPICE protocol. Implements a 'xterm' compatible terminal.
 
 =head1 Authentication
 
-You can disable authentication using the C<--noauth> option. 
-
-Please use C<--sasl> if you want to connect with username and password
-(password if verified using the Proxmox VE auth framework).
+You can disable authentication using the C<--noauth> option.
 
 Ticket authentication is default, and you should pass the ticket using
 the C<SPICE_TICKET> environment variable.