daemon: add tcp_min_ssf option
Add an option to allow the admin to request a higher minimum SSF for connections than the built-in default. The current default is 56 (single DES equivalent, to support old kerberos) and will be raised to 112 in the future. https://bugzilla.redhat.com/show_bug.cgi?id=1431589 Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
This commit is contained in:
parent
5e3a0bb57c
commit
58a48cff84
@ -43,6 +43,7 @@ module @DAEMON_NAME_UC@ =
|
|||||||
@CUT_ENABLE_IP@
|
@CUT_ENABLE_IP@
|
||||||
| str_entry "auth_tcp"
|
| str_entry "auth_tcp"
|
||||||
| str_entry "auth_tls"
|
| str_entry "auth_tls"
|
||||||
|
| int_entry "tcp_min_ssf"
|
||||||
|
|
||||||
let certificate_entry = str_entry "key_file"
|
let certificate_entry = str_entry "key_file"
|
||||||
| str_entry "cert_file"
|
| str_entry "cert_file"
|
||||||
|
@ -197,6 +197,14 @@
|
|||||||
# It is possible to make use of any SASL authentication
|
# It is possible to make use of any SASL authentication
|
||||||
# mechanism as well, by using 'sasl' for this option
|
# mechanism as well, by using 'sasl' for this option
|
||||||
#auth_tls = "none"
|
#auth_tls = "none"
|
||||||
|
|
||||||
|
# Enforce a minimum SSF value for TCP sockets
|
||||||
|
#
|
||||||
|
# The default minimum is currently 56 (single-DES) which will
|
||||||
|
# be raised to 112 in the future.
|
||||||
|
#
|
||||||
|
# This option can be used to set values higher than 112
|
||||||
|
#tcp_min_ssf = 112
|
||||||
@END@
|
@END@
|
||||||
|
|
||||||
|
|
||||||
|
@ -210,6 +210,9 @@ daemonSetupNetworking(virNetServer *srv,
|
|||||||
int unix_sock_ro_mask = 0;
|
int unix_sock_ro_mask = 0;
|
||||||
int unix_sock_rw_mask = 0;
|
int unix_sock_rw_mask = 0;
|
||||||
int unix_sock_adm_mask = 0;
|
int unix_sock_adm_mask = 0;
|
||||||
|
#if WITH_SASL
|
||||||
|
unsigned int tcp_min_ssf = 0;
|
||||||
|
#endif /* !WITH_SASL */
|
||||||
g_autoptr(virSystemdActivation) act = NULL;
|
g_autoptr(virSystemdActivation) act = NULL;
|
||||||
virSystemdActivationMap actmap[] = {
|
virSystemdActivationMap actmap[] = {
|
||||||
{ .name = DAEMON_NAME ".socket", .family = AF_UNIX, .path = sock_path },
|
{ .name = DAEMON_NAME ".socket", .family = AF_UNIX, .path = sock_path },
|
||||||
@ -403,10 +406,13 @@ daemonSetupNetworking(virNetServer *srv,
|
|||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
#if WITH_SASL
|
#if WITH_SASL
|
||||||
|
# if WITH_IP
|
||||||
|
tcp_min_ssf = config->tcp_min_ssf;
|
||||||
|
# endif
|
||||||
if (virNetServerNeedsAuth(srv, REMOTE_AUTH_SASL) &&
|
if (virNetServerNeedsAuth(srv, REMOTE_AUTH_SASL) &&
|
||||||
!(saslCtxt = virNetSASLContextNewServer(
|
!(saslCtxt = virNetSASLContextNewServer(
|
||||||
(const char *const*)config->sasl_allowed_username_list,
|
(const char *const*)config->sasl_allowed_username_list,
|
||||||
56)))
|
tcp_min_ssf)))
|
||||||
return -1;
|
return -1;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
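Review bot: The value handed to virNetSASLContextNewServer silently changes from 56 to 0 in a WITH_SASL build without WITH_IP, because the new declaration in the first daemonSetupNetworking hunk is `unsigned int tcp_min_ssf = 0;` while the assignment `tcp_min_ssf = config->tcp_min_ssf;` in the second hunk is wrapped in `# if WITH_IP`, and the removed call passed the literal 56 unconditionally. Whether that matters without IP sockets depends on how the SASL context uses the value, which is outside this diff, but initializing the local with the same default the config layer sets (`unsigned int tcp_min_ssf = 56;`, ideally via one shared named constant) keeps behaviour unchanged for that configuration. A comment on the declaration such as `/* SSF floor; replaced by the configured value only when WITH_IP is built */` would make the dependency explicit. daemonSetupNetworking begins and ends outside these hunks.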
@ -134,6 +134,10 @@ daemonConfigNew(bool privileged G_GNUC_UNUSED)
|
|||||||
data->auth_tls = REMOTE_AUTH_NONE;
|
data->auth_tls = REMOTE_AUTH_NONE;
|
||||||
#endif /* ! WITH_IP */
|
#endif /* ! WITH_IP */
|
||||||
|
|
||||||
|
#if WITH_IP
|
||||||
|
data->tcp_min_ssf = 56; /* good enough for kerberos */
|
||||||
|
#endif
|
||||||
|
|
||||||
data->min_workers = 5;
|
data->min_workers = 5;
|
||||||
data->max_workers = 20;
|
data->max_workers = 20;
|
||||||
data->max_clients = 5000;
|
data->max_clients = 5000;
|
||||||
@ -298,6 +302,17 @@ daemonConfigLoadOptions(struct daemonConfig *data,
|
|||||||
|
|
||||||
if (virConfGetValueString(conf, "tls_priority", &data->tls_priority) < 0)
|
if (virConfGetValueString(conf, "tls_priority", &data->tls_priority) < 0)
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
|
if (virConfGetValueUInt(conf, "tcp_min_ssf", &data->tcp_min_ssf) < 0)
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
if (data->tcp_min_ssf < SSF_WARNING_LEVEL) {
|
||||||
|
virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
|
||||||
|
_("minimum SSF levels lower than %d are not supported"),
|
||||||
|
SSF_WARNING_LEVEL);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
#endif /* ! WITH_IP */
|
#endif /* ! WITH_IP */
|
||||||
|
|
||||||
if (virConfGetValueStringList(conf, "sasl_allowed_username_list", false,
|
if (virConfGetValueStringList(conf, "sasl_allowed_username_list", false,
|
||||||
|
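Review bot: The default `data->tcp_min_ssf = 56;` in daemonConfigNew and the floor `SSF_WARNING_LEVEL` checked in daemonConfigLoadOptions are two unrelated constants, yet an absent `tcp_min_ssf` option leaves the default in place and still runs the check, so the default has to be at least `SSF_WARNING_LEVEL` or a daemon with no such line fails to load its config; `SSF_WARNING_LEVEL` is not defined in any hunk of this commit, so it presumably comes from an existing header. Tying the two together, either by deriving one from the other or with a comment beside the `56` such as `/* must stay >= SSF_WARNING_LEVEL, see daemonConfigLoadOptions */`, would stop them drifting when the default is raised to 112 as the commit message plans. The rejection message could also name the parsed value, e.g. `_("tcp_min_ssf value %u is lower than the supported minimum %d")` with `data->tcp_min_ssf` passed before `SSF_WARNING_LEVEL`, so the admin sees what was read. Both daemonConfigNew and daemonConfigLoadOptions continue outside these hunks.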
@ -56,6 +56,7 @@ struct daemonConfig {
|
|||||||
bool tls_no_sanity_certificate;
|
bool tls_no_sanity_certificate;
|
||||||
char **tls_allowed_dn_list;
|
char **tls_allowed_dn_list;
|
||||||
char *tls_priority;
|
char *tls_priority;
|
||||||
|
unsigned int tcp_min_ssf;
|
||||||
|
|
||||||
char *key_file;
|
char *key_file;
|
||||||
char *cert_file;
|
char *cert_file;
|
||||||
|
@ -19,6 +19,7 @@ module Test_@DAEMON_NAME@ =
|
|||||||
@CUT_ENABLE_IP@
|
@CUT_ENABLE_IP@
|
||||||
{ "auth_tcp" = "sasl" }
|
{ "auth_tcp" = "sasl" }
|
||||||
{ "auth_tls" = "none" }
|
{ "auth_tls" = "none" }
|
||||||
|
{ "tcp_min_ssf" = "112" }
|
||||||
@END@
|
@END@
|
||||||
{ "access_drivers"
|
{ "access_drivers"
|
||||||
{ "1" = "polkit" }
|
{ "1" = "polkit" }
|
||||||
|