From 16ca49dad037093a8b47de96ac66211cab2d9a8c Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht
Date: Wed, 22 May 2019 16:15:08 +0200
Subject: [PATCH] drop SASL support allowing using Debians libspice-server

The disadvantage over keeping this and thus having to maintain libspice-server ourself, a package with frequent security issues reported, overweight the advantages. Spiceterm itself is probably not used that much, and of that relatively small user base SASL is probably almost non-existent.

Signed-off-by: Thomas Lamprecht
---
 Makefile | 2 +-
 debian/control | 5 ++---
 screen.c | 57 +++-----------------------------------------------
 spiceterm.c | 9 +-------
 spiceterm.h | 1 -
 spiceterm.pod | 8 +------
 6 files changed, 8 insertions(+), 74 deletions(-)

diff --git a/Makefile b/Makefile
index 12415ca..5d82f70 100644
--- a/Makefile
+++ b/Makefile
@@ -14,7 +14,7 @@ PROGRAMS=spiceterm
 HEADERS=translations.h event_loop.h glyphs.h spiceterm.h keysyms.h
 SOURCES=screen.c event_loop.c input.c spiceterm.c auth-pve.c
-PKGS := glib-2.0 spice-protocol spice-server libsasl2
+PKGS := glib-2.0 spice-protocol spice-server
 CFLAGS += `pkg-config --cflags $(PKGS)`
 LIBS += `pkg-config --libs $(PKGS)`
diff --git a/debian/control b/debian/control
index a1dc92f..35ca38e 100644
--- a/debian/control
+++ b/debian/control
@@ -4,14 +4,13 @@ Priority: extra
 Maintainer: Proxmox Support Team
 Build-Depends: debhelper (>= 8.0.0),
 libglib2.0-dev,
- libsasl2-dev,
 libspice-protocol-dev,
- pve-libspice-server-dev,
+ libspice-server-dev,
 Standards-Version: 3.9.3
 Package: spiceterm
 Architecture: any
-Depends: pve-libspice-server1,
+Depends: libspice-server1,
 pve-qemu-kvm,
 ${misc:Depends},
 ${shlibs:Depends},
diff --git a/screen.c b/screen.c
index a24fd6a..3c00aeb 100644
--- a/screen.c
+++ b/screen.c
@@ -40,7 +40,6 @@
 #include
 #include
 #include
-#include
 #include "glyphs.h"
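Review bot: The hard-coded `Depends: libspice-server1,` in the new Package stanza duplicates what `${shlibs:Depends}` two lines below already derives from the linked library, and it will have to be edited by hand on the next SONAME bump. Unless the explicit entry is there for a reason the diff does not show, drop it and let dpkg-shlibdeps generate the versioned dependency, so the stanza starts with `Depends: pve-qemu-kvm,`. The Build-Depends change is fine as is; only the binary-package stanza is affected.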
@@ -713,50 +712,6 @@ spice_screen_draw_char(SpiceScreen *spice_screen, int x, int y, gunichar2 ch,
 push_command(spice_screen, &update->ext);
 }
-static int
-sasl_checkpass_cb(sasl_conn_t *conn,
- void *context,
- const char *user,
- const char *pass,
- unsigned passlen,
- struct propctx *propctx)
-{
- const void *remoteport = NULL;
- char *clientip = NULL;
- if (sasl_getprop(conn, SASL_IPREMOTEPORT, &remoteport) == SASL_OK) {
- clientip = strtok(g_strdup(remoteport), ";");
- } else {
- clientip = g_strdup("unknown");
- }
-
- int res = pve_auth_verify(clientip, user, pass);
-
- g_free(clientip);
-
- return (res == 0) ? SASL_OK : SASL_NOAUTHZ;
-}
-
-static int
-sasl_getopt_cb(void *context, const char *plugin_name,
- const char *option,
- const char **result, unsigned *len)
-{
- if (strcmp(option, "mech_list") == 0) {
- *result = "plain";
- len = NULL;
- return SASL_OK;
- }
-
- return SASL_FAIL;
-}
-
-typedef int sasl_cb_fn(void);
-static sasl_callback_t sasl_callbacks[] = {
- { SASL_CB_GETOPT, (sasl_cb_fn *)sasl_getopt_cb, NULL },
- { SASL_CB_SERVER_USERDB_CHECKPASS, (sasl_cb_fn *)sasl_checkpass_cb, NULL },
- { SASL_CB_LIST_END, NULL, NULL },
-};
-
 SpiceScreen *
 spice_screen_new(SpiceCoreInterface *core, uint32_t width, uint32_t height,
 SpiceTermOptions *opts)
@@ -806,15 +761,9 @@ spice_screen_new(SpiceCoreInterface *core, uint32_t width, uint32_t height,
 if (opts->noauth) {
 spice_server_set_noauth(server);
 } else {
- if (opts->sasl) {
- spice_server_set_sasl(server, 1);
- spice_server_set_sasl_appname(server, NULL); // enforce pve auth
- spice_server_set_sasl_callbacks(server, sasl_callbacks);
- } else {
- char *ticket = getenv("SPICE_TICKET");
- if (ticket) {
- spice_server_set_ticket(server, ticket, 300, 0, 0);
- }
+ char *ticket = getenv("SPICE_TICKET");
+ if (ticket) {
+ spice_server_set_ticket(server, ticket, 300, 0, 0);
 }
 }
diff --git a/spiceterm.c b/spiceterm.c
index fdcafbc..153c5bf 100644
--- a/spiceterm.c
+++ b/spiceterm.c
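Review bot: In the new `else` branch of spice_screen_new an unset `SPICE_TICKET` is silently ignored: neither `spice_server_set_noauth()` nor `spice_server_set_ticket()` is called, and whether the server then rejects or admits clients is left entirely to libspice-server's default, which this code should not rely on now that the ticket is the only remaining authentication path. Fail explicitly instead, e.g. `if (!ticket) { g_error("SPICE_TICKET not set and --noauth not given"); }` (or the file's usual error path) ahead of the existing `if (ticket)`, and say so in a one-line comment above the getenv call. Since the ticket arrives via the environment it is presumably also inherited by any child process spiceterm starts; consider `unsetenv("SPICE_TICKET")` once it has been handed to the server. spice_screen_new begins and ends outside this hunk.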
@@ -1601,7 +1601,6 @@ spiceterm_print_usage(const char *msg)
 fprintf(stderr, " --permission Required permissions (PVE AUTH)\n");
 fprintf(stderr, " --port Bind to port \n");
 fprintf(stderr, " --addr Bind to address \n");
- fprintf(stderr, " --sasl Enable SASL based authentication\n");
 fprintf(stderr, " --noauth Disable authentication\n");
 fprintf(stderr, " --keymap Spefify keymap (uses kvm keymap files)\n");
 }
@@ -1621,7 +1620,6 @@ main (int argc, char** argv)
 .port = 5900,
 .addr = NULL,
 .noauth = FALSE,
- .sasl = FALSE,
 };
 static struct option long_options[] = {
@@ -1632,19 +1630,14 @@ main (int argc, char** argv)
 { "addr", required_argument, 0, 'a' },
 { "keymap", required_argument, 0, 'k' },
 { "noauth", no_argument, 0, 'n' },
- { "sasl", no_argument, 0, 's' },
 { NULL, 0, 0, 0 },
 };
- while ((c = getopt_long(argc, argv, "nkst:a:p:P:", long_options, NULL)) != -1) {
-
+ while ((c = getopt_long(argc, argv, "nkt:a:p:P:", long_options, NULL)) != -1) {
 switch (c) {
 case 'n':
 opts.noauth = TRUE;
 break;
- case 's':
- opts.sasl = TRUE;
- break;
 case 'k':
 opts.keymap = optarg;
 break;
diff --git a/spiceterm.h b/spiceterm.h
index 0e238ca..c1fbaec 100644
--- a/spiceterm.h
+++ b/spiceterm.h
@@ -30,7 +30,6 @@ typedef struct SpiceTermOptions {
 char *addr;
 char *keymap;
 gboolean noauth;
- gboolean sasl;
 } SpiceTermOptions;
 typedef struct SpiceScreen SpiceScreen;
diff --git a/spiceterm.pod b/spiceterm.pod
index dd65288..eb243be 100644
--- a/spiceterm.pod
+++ b/spiceterm.pod
@@ -12,7 +12,6 @@ spiceterm - SPICE Terminal Emulator
 --permission Required permissions (PVE AUTH)
 --port Bind to port
 --addr Bind to address
- --sasl Enable SASL based authentication
 --noauth Disable authentication
 --keymap Spefify keymap (uses kvm keymap files)
@@ -31,8 +30,6 @@ using the SPICE protocol. Implements a 'xterm' compatible terminal.
 =item screen resize (vdagent)
-=item SASL support
-
 =item use TLS to encrypt all traffic
 =item use Proxmox VE authentication
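Review bot: The rewritten optstring `"nkt:a:p:P:"` in the getopt_long hunk still declares `k` without a colon, while the `long_options` context line registers `keymap` as `required_argument` and `case 'k'` stores `optarg`; so the short form `-k <file>` leaves `optarg == NULL`, sets `opts.keymap = NULL`, and the file name is left behind as a stray non-option argument. Since the line is being rewritten anyway, fix it here: `while ((c = getopt_long(argc, argv, "nk:t:a:p:P:", long_options, NULL)) != -1) {`. main() starts and ends outside this hunk.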
@@ -41,10 +38,7 @@ using the SPICE protocol. Implements a 'xterm' compatible terminal.
 =head1 Authentication
-You can disable authentication using the C<--noauth> option.
-
-Please use C<--sasl> if you want to connect with username and password
-(password if verified using the Proxmox VE auth framework).
+You can disable authentication using the C<--noauth> option.
 Ticket authentication is default, and you should pass the ticket using the C environment variable.
-- 
2.39.2