[pve-devel] [PATCH 1/2] add spiceproxy api2

Alexandre DERUMIER aderumier at odiso.com
Tue Jun 25 09:18:59 CEST 2013


>>Did you already send that code (patch for pve-access-control)? 
Sorry, I have forgot to send it.

>>One problem with this is that the SPICE client pass the $ticktet using an unencrypted proxy call.
>>That is a security problem, because somebody else can sniff/steal the ticket.
Yes, I have thinked about it.
Https proxy support is not available in the spice client.
Maybe,can we also use spice temp password through tls ? (The string is limited to 60 characters)


----- Mail original ----- 

De: "Dietmar Maurer" <dietmar at proxmox.com> 
À: "Alexandre Derumier" <aderumier at odiso.com>, pve-devel at pve.proxmox.com 
Envoyé: Mardi 25 Juin 2013 08:56:15 
Objet: RE: [pve-devel] [PATCH 1/2] add spiceproxy api2 

> + my $ticket = 
> + PVE::AccessControl::assemble_spice_ticket($authuser, $authpath); 

Did you already send that code (patch for pve-access-control)? 

> + 
> + my $remip; 
> + 
> + if ($node ne 'localhost' && $node ne PVE::INotify::nodename()) { 
> + $remip = PVE::Cluster::remote_node_ip($node); 
> + } 
> + 
> + my $socket = PVE::QemuServer::spice_socket($vmid); 
> + my ($proxysocket, $proxyid) = 
> +PVE::Tools::next_spiceproxy_socket(); 
> + 
> + die "spice proxy socket is already in use\n" if -e $proxysocket; 
> + 
> + 
> + my $realcmd = sub { 
> + my $upid = shift; 
> + 
> + syslog('info', "starting spice proxy $upid\n"); 
> + 
> + my $cmd = ['/usr/bin/socat', '-d', '-d', "UNIX- 
> LISTEN:$proxysocket,reuseaddr,fork"]; 
> + my $remotesocket = $remip ? "EXEC:'ssh root@$remip socat STDIO 
> UNIX-CONNECT:$socket'" : "UNIX-CONNECT:$socket"; 
> + push @$cmd, $remotesocket; 
> + 
> + my $parser = sub { 
> + my $line = shift; 
> + print $line."\n"; 
> + die "Client is disconnect" if ($line =~ /exiting with status 0/); 
> + }; 
> + eval { 
> + local $SIG{INT} = $SIG{TERM} = $SIG{QUIT} = $SIG{HUP} = sub { 
> die "interrupted by signal\n"; }; 
> + #fixme : how to setup a connect wait timeout ? 
> + PVE::Tools::run_command($cmd, errfunc => $parser, outfunc => 
> sub{}); 
> + }; 
> + if ($@) { 
> + unlink $proxysocket if -e $proxysocket; 
> + } 
> + }; 
> + 
> + my $upid = $rpcenv->fork_worker('spiceproxy', $vmid, $authuser, 
> + $realcmd); 
> + 
> + 
> + my $proxyname = `hostname -f` || PVE::INotify::nodename(); 
> + chomp $proxyname; 
> + 
> + my $config = {}; 
> + $config->{type} = 'spice'; 
> + $config->{proxy} = "http://$proxyname:3128"; 
> + $config->{host} = $ticket; 
> + $config->{port} = $proxyid; 
> + return $config; 

One problem with this is that the SPICE client pass the $ticktet using an unencrypted proxy call. 
That is a security problem, because somebody else can sniff/steal the ticket. 



More information about the pve-devel mailing list