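diff -rup xen-3.1.0-src.orig/tools/examples/xend-config.sxp xen-3.1.0-src.new/tools/examples/xend-config.sxp
--- xen-3.1.0-src.orig/tools/examples/xend-config.sxp 2007-10-10 17:31:42.000000000 -0400
+++ xen-3.1.0-src.new/tools/examples/xend-config.sxp 2007-10-10 17:55:25.000000000 -0400
@@ -202,3 +202,33 @@
 # The default password for VNC console on HVM domain.
 # Empty string is no authentication.
 (vncpasswd '')
+
+# The VNC server can be told to negotiate a TLS session
+# to encryption all traffic, and provide x509 cert to
+# clients enalbing them to verify server identity. The
+# GTK-VNC widget, virt-viewer, virt-manager and VeNCrypt
+# all support the VNC extension for TLS used in QEMU. The
+# TightVNC/RealVNC/UltraVNC clients do not.
+#
+# To enable this create x509 certificates / keys in the
+# directory /etc/xen/vnc
+#
+# ca-cert.pem - The CA certificate
+# server-cert.pem - The Server certificate signed by the CA
+# server-key.pem - The server private key
+#
+# and then uncomment this next line
+# (vnc-tls 1)
+#
+# The certificate dir can be pointed elsewhere..
+#
+# (vnc-x509-cert-dir /etc/xen/vnc)
+#
+# The server can be told to request & validate an x509
+# certificate from the client. Only clients with a cert
+# signed by the trusted CA will be able to connect. This
+# is more secure the password auth alone. Passwd auth can
+# used at the same time if desired. To enable client cert
+# checking uncomment this:
+#
+# (vnc-x509-verify 1)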
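Review bot: The new comment block, which is what an admin reads when turning this on, has several wording slips: `# to encryption all traffic` should be `# to encrypt all traffic`, `# clients enalbing them` should be `# clients enabling them`, and `# is more secure the password auth alone. Passwd auth can` / `# used at the same time` should read `# is more secure than password auth alone. Passwd auth can be` / `# used at the same time`. It would also help to state plainly that `(vnc-tls 1)` by itself only encrypts the session and lets clients check the server's identity: with `vnc-x509-verify` left off and `(vncpasswd '')` in place (no authentication, per the comment above it), any client that can reach the listen address can still connect. Since server-key.pem is the server's private key, one sentence saying it should be readable only by the account that runs the device model would round the section out.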
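diff -rup xen-3.1.0-src.orig/tools/python/xen/xend/image.py xen-3.1.0-src.new/tools/python/xen/xend/image.py
--- xen-3.1.0-src.orig/tools/python/xen/xend/image.py 2007-10-10 17:31:42.000000000 -0400
+++ xen-3.1.0-src.new/tools/python/xen/xend/image.py 2007-10-10 19:54:22.000000000 -0400
@@ -17,7 +17,7 @@
 #============================================================================
 
 
-import os, string
+import os, os.path, string
 import re
 import math
 import signal
@@ -400,6 +400,19 @@ class HVMImageHandler(ImageHandler):
 else:
 log.debug("No VNC passwd configured for vfb access")
 
+ if XendOptions.instance().get_vnc_tls():
+ vncx509certdir = XendOptions.instance().get_vnc_x509_cert_dir()
+ vncx509verify = XendOptions.instance().get_vnc_x509_verify()
+
+ if not os.path.exists(vncx509certdir):
+ raise "VNC x509 certificate dir does not exist"
+
+ if vncx509verify:
+ vncopts = vncopts + ",tls,x509verify=%s" % vncx509certdir
+ else:
+ vncopts = vncopts + ",tls,x509=%s" % vncx509certdir
+
+
 vnclisten = vnc_config.get('vnclisten',
 XendOptions.instance().get_vnclisten_address())
 vncdisplay = vnc_config.get('vncdisplay', 0)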
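Review bot: `raise "VNC x509 certificate dir does not exist"` raises a bare string, which Python only ever accepted as a deprecated string exception and which no class-based `except` clause in xend will catch; raise an exception instance and include the path so the admin can see which directory was looked up, e.g. `raise VmError("VNC x509 certificate dir %s does not exist" % vncx509certdir)` (VmError is, as far as I can tell, the error type image.py uses elsewhere — substitute whatever the module actually imports). The check also only confirms the directory exists, not that ca-cert.pem, server-cert.pem and server-key.pem are present in it, so a half-populated directory is reported later by qemu-dm instead of here where the configuration is known. `if XendOptions.instance().get_vnc_tls():` also relies on the getter returning a real boolean, which is a concern for the getters added in the XendOptions.py section. The enclosing method starts and ends outside the hunk.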
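diff -rup xen-3.1.0-src.orig/tools/python/xen/xend/XendOptions.py xen-3.1.0-src.new/tools/python/xen/xend/XendOptions.py
--- xen-3.1.0-src.orig/tools/python/xen/xend/XendOptions.py 2007-05-18 10:45:21.000000000 -0400
+++ xen-3.1.0-src.new/tools/python/xen/xend/XendOptions.py 2007-10-10 17:55:49.000000000 -0400
@@ -102,6 +102,15 @@ class XendOptions:
 """Default interface to listen for VNC connections on"""
 xend_vnc_listen_default = '127.0.0.1'
 
+ """Use of TLS mode in QEMU VNC server"""
+ xend_vnc_tls = 0
+
+ """x509 certificate directory for QEMU VNC server"""
+ xend_vnc_x509_cert_dir = "/etc/xen/vnc"
+
+ """Verify incoming client x509 certs"""
+ xend_vnc_x509_verify = 0
+
 """Default session storage path."""
 xend_domains_path_default = '/var/lib/xend/domains'
 
@@ -278,6 +287,16 @@ class XendOptions:
 return self.get_config_string('vncpasswd',
 self.vncpasswd_default)
 
+ def get_vnc_tls(self):
+ return self.get_config_string('vnc-tls', self.xend_vnc_tls)
+
+ def get_vnc_x509_cert_dir(self):
+ return self.get_config_string('vnc-x509-cert-dir', self.xend_vnc_x509_cert_dir)
+
+ def get_vnc_x509_verify(self):
+ return self.get_config_string('vnc-x509-verify', self.xend_vnc_x509_verify)
+
+
 class XendOptionsFile(XendOptions):
 
 """Default path to the config file."""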
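Review bot: `get_vnc_tls` and `get_vnc_x509_verify` read on/off settings through `get_config_string`, which presumably hands back the configured value as a string, so an explicit `(vnc-tls 0)` comes back as '0' and is truthy at the call site in image.py — the only way to get "off" is to omit the option, and `(vnc-x509-verify 0)` would likewise switch client-certificate verification on rather than off. The class has a boolean accessor for its other on/off options (get_config_bool, outside this hunk, if I read the file correctly), and these two getters should use it: `return self.get_config_bool('vnc-tls', self.xend_vnc_tls)` and `return self.get_config_bool('vnc-x509-verify', self.xend_vnc_x509_verify)`. None of the three getters has a docstring; a one-liner such as `"""Whether the QEMU VNC server should negotiate TLS (config key vnc-tls)."""` on each would tell callers which config key they map to.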