Re: [gtk-vnc-devel] Auth types



On Mon, Sep 03, 2007 at 05:53:37PM -0300, Jonh Wendell wrote:
> Hi, folks.
> 
> Currently the widget is choosing the first auth method reported by the
> server (vncdisplay.c::on_auth_type())
> 
> Said that, I ask what would be better:
> 
> 1) The widget knows which auth method is safer, and chooses it
> automatically; or
> 2) The widget raises a signal asking for the application what auth type
> to be used?

To my mind, punting the decision on which auth method to choose is to a large
extent just avoiding the real problem. Ultimately we need a criterion with
which to choose auth method & punting it to apps ensures every app will do it
in a different way. This will suck for compatibility.

So my questions for this are basically..

  - What criteria will the application use for choosing authentication
    methods ?
  - How do we ensure that we can add support for new auth types in the
    widget without needing apps to fix their logic for choosing auth type ?

Anthony suggests one criterion which is the level of security provided by a
particular auth type. This would require us to rank the auth methods in some
way and then let the app specify some minimum ranking level to accept. Not
an easy task since it's hard to classify auth methods in a linear scale.

Another criterion might be to choose based on what credentials we have, and/or
what credentials we'd prefer to use. Currently we can't do this because
we have no way for the app to tell the widget that it doesn't have certs
available ahead of time. So the only option is for the widget to request the
certs & then fail - but by then it's too late. We could address this by
allowing the app to tell the widget to blacklist auth methods which require
particular credentials.

So the app could say 'only accept an auth method requiring a password'. This
lets the widget automatically reject any requiring x509 certs, or usernames.

Taking this idea still further if the credential types were bitmasks, the
app could say 'only accept an auth method requiring a password & cert'.
By combining credentials it allows the app to indirectly specify some kind
of minimum security level for the auth. So the widget would reject any auth
method requiring merely a password.

To me this kind of API is preferable to asking the app to directly choose
amongst the auth methods. It gives the application indirect control over the
auth methods, by allowing specification of its desired security characteristics,
without exposing it to horrible VNC implementation details to do with auth
schemes.

Regards,
Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 
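
The credential-bitmask selection proposed in the message above, sketched in C as an added example (not part of the original post and not gtk-vnc code). The credential flags, auth identifiers and `choose_auth` are hypothetical, and exact matching on the mask is one reading of the proposal.

```c
#include <stddef.h>

/* Credential kinds as bit flags (hypothetical names, not gtk-vnc's API). */
enum { CRED_PASSWORD = 1 << 0, CRED_USERNAME = 1 << 1, CRED_X509 = 1 << 2 };

/* Illustrative auth identifiers, constructed for this example. */
enum { AUTH_INVALID = -1, AUTH_NONE, AUTH_PASSWORD, AUTH_USER_PASSWORD,
       AUTH_X509_ONLY, AUTH_X509_PASSWORD, AUTH_UNKNOWN_FUTURE = 99 };

/* Widget-internal table: which credentials each auth method demands. */
static const struct { int auth; unsigned creds; } auth_table[] = {
    { AUTH_NONE,          0 },
    { AUTH_PASSWORD,      CRED_PASSWORD },
    { AUTH_USER_PASSWORD, CRED_USERNAME | CRED_PASSWORD },
    { AUTH_X509_ONLY,     CRED_X509 },
    { AUTH_X509_PASSWORD, CRED_X509 | CRED_PASSWORD },
};

/* Look up required credentials; returns 0 for an unknown auth type. */
static int required_creds(int auth, unsigned *creds)
{
    for (size_t i = 0; i < sizeof auth_table / sizeof auth_table[0]; i++)
        if (auth_table[i].auth == auth) {
            *creds = auth_table[i].creds;
            return 1;
        }
    return 0;
}

/*
 * Pick the first server-offered auth type whose required credential set
 * equals the mask the application asked for. Exact match is what makes
 * "password & cert" reject a password-only method. Unknown types are
 * skipped (fail closed), and the decision is made before any credential
 * is requested, so there is no "request the certs & then fail" path.
 */
int choose_auth(const int *offered, size_t n, unsigned wanted)
{
    for (size_t i = 0; i < n; i++) {
        unsigned need;
        if (required_creds(offered[i], &need) && need == wanted)
            return offered[i];
    }
    return AUTH_INVALID;
}
```

New auth types only need a new row in the table; the application's mask does not change.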