Revision bd377d7e
b/Changelog | ||
---|---|---|
3 | 3 |
Changelog for snf-vncauthproxy |
4 | 4 |
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
5 | 5 |
|
6 |
.. _Changelog-1.4next:
|
|
6 |
.. _Changelog-1.5:
|
|
7 | 7 |
|
8 |
v1.4next
|
|
9 |
========
|
|
8 |
v1.5
|
|
9 |
==== |
|
10 | 10 |
|
11 | 11 |
Released: UNRELEASED |
12 | 12 |
|
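Review bot: line 11 still reads "Released: UNRELEASED" although the section heading on lines 8-9 is renamed to the final version number v1.5. If this commit cuts the release, set the release date here; if 1.5 is still in development, note that docs/conf.py in the same commit already sets version and release to '1.5', so built docs will carry the final number for unreleased code.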
b/MANIFEST.in | ||
---|---|---|
1 |
include vncauthproxy.py LICENSE Changelog README
|
|
1 |
include LICENSE Changelog README |
|
2 | 2 |
include distribute_setup.py |
3 | 3 |
|
4 | 4 |
recursive-include vncauthproxy * |
b/docs/conf.py | ||
---|---|---|
48 | 48 |
# built documents. |
49 | 49 |
# |
50 | 50 |
# The short X.Y version. |
51 |
version = '1.4next'
|
|
51 |
version = '1.5'
|
|
52 | 52 |
# The full version, including alpha/beta/rc tags. |
53 |
release = '1.4next'
|
|
53 |
release = '1.5'
|
|
54 | 54 |
|
55 | 55 |
# The language for content autogenerated by Sphinx. Refer to documentation |
56 | 56 |
# for a list of supported languages. |
b/docs/index.rst | ||
---|---|---|
90 | 90 |
script. |
91 | 91 |
|
92 | 92 |
If you're using the init script, snf-vncauthproxy reads its paramater from its |
93 |
default file (``DAEMON_OPTS`` parameter in ``/etc/default/snf-vncauthproxy``).
|
|
93 |
default file (``DAEMON_OPTS`` parameter in ``/etc/default/vncauthproxy``). |
|
94 | 94 |
|
95 | 95 |
By default snf-vncauthproxy will listen to ``127.0.0.1:24999`` TCP, for incoming |
96 | 96 |
control connections and uses the ``25000-30000`` range for the listening / data |
97 | 97 |
sockets. |
98 | 98 |
|
99 |
Version 1.4next introduced replaced Unix domain control sockets with TCP
|
|
99 |
Version 1.5 introduced replaced Unix domain control sockets with TCP
|
|
100 | 100 |
control sockets. This change made it necessary to also introduce an |
101 | 101 |
authentication file to replace the Unix file permissions, which protected the |
102 | 102 |
domain sockets. |
103 | 103 |
|
104 |
The default path for the auth file is ``/var/lib/snf-vncauthproxy/users``
|
|
104 |
The default path for the auth file is ``/var/lib/vncauthproxy/users`` |
|
105 | 105 |
(configurable by the ``--auth-file`` option). Each line in the file represents |
106 |
one user which is allowed to use the control socket and should be in the following
|
|
107 |
format: |
|
106 |
one user which is allowed to use the control socket and should be in the |
|
107 |
following format:
|
|
108 | 108 |
|
109 | 109 |
.. code-block:: console |
110 | 110 |
|
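Review bot: new line 99 is edited for the version number but keeps the broken phrase "introduced replaced". docs/upgrade.rst already has the correct sentence ("Version 1.5 replaced Unix domain control sockets with TCP control sockets"), so use the same wording here. The "paramater" typo on line 92 could be fixed in the same pass.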
... | ... | |
114 | 114 |
|
115 | 115 |
The Debian package provides an example users file. |
116 | 116 |
|
117 |
Version 1.4next introduced also support for SSL for the control socket. If you
|
|
117 |
Version 1.5 introduced also support for SSL for the control socket. If you
|
|
118 | 118 |
enable SSL support (``--enable-ssl`` parameter, disabled by default) you wil |
119 | 119 |
have to provide a certficate and key file (``--cert-file`` and ``--key-file`` |
120 |
parameters). |
|
120 |
parameters). The default values for certificate and key files are |
|
121 |
``/var/lib/vncauthrpoxy/{cert,key}.pem`` respectively. |
|
121 | 122 |
|
122 | 123 |
For detailed help on its configuration parameters, either consult its man page |
123 | 124 |
or run: |
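Review bot: the default path added on new line 121 is misspelled as "/var/lib/vncauthrpoxy/{cert,key}.pem"; it should be "/var/lib/vncauthproxy/", matching the auth file directory on line 104. An operator who copies the path from the docs will put the certificate and key where the daemon does not look. Lines 118-119 of the same paragraph still carry "wil" and "certficate" (upgrade.rst fixes "wil" in this commit but index.rst does not).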
... | ... | |
149 | 150 |
VNC servers and access the VNC consoles of their VMs. |
150 | 151 |
|
151 | 152 |
If you're running snf-vncauthproxy on the same host as snf-cyclades-app, |
152 |
you will only need to configure two Synnefo options. Specifically,
|
|
153 |
``VNCAUTHPROXY_USER`` and ``VNCAUTHPROXY_PASSWORD`` in
|
|
154 |
``/etc/synnefo/20-snf-cyclades-app-api.conf`` should match a user defined in
|
|
155 |
snf-vncauthproxy's users (auth) file.
|
|
153 |
you will only need to configure one Synnefo setting. Specifically,
|
|
154 |
the ``CYCLADES_VNCAUTHPROXY_OPTS`` dict in
|
|
155 |
``/etc/synnefo/20-snf-cyclades-app-api.conf`` should be edited to match
|
|
156 |
snf-vncauthproxy configuration (user, password, SSL support, certificate file).
|
|
156 | 157 |
|
157 | 158 |
In case you want to deploy snf-vncauthproxy on a different host than |
158 | 159 |
snf-cyclades-app, you should make sure that you change the default listening |
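Review bot: new lines 153-156 tell the reader to edit the CYCLADES_VNCAUTHPROXY_OPTS dict but only describe its contents in parentheses (user, password, SSL support, certificate file) without giving the key names. The removed text named the exact settings (VNCAUTHPROXY_USER, VNCAUTHPROXY_PASSWORD); add a literal example of the dict here, or a reference to where its keys are documented, so the paragraph is as actionable as the one it replaces.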
b/docs/upgrade.rst | ||
---|---|---|
1 | 1 |
Upgrade notes |
2 | 2 |
^^^^^^^^^^^^^ |
3 | 3 |
|
4 |
v1.4next
|
|
5 |
========
|
|
6 |
Version 1.4next replaced Unix domain control sockets with TCP
|
|
4 |
v1.5
|
|
5 |
==== |
|
6 |
Version 1.5 replaced Unix domain control sockets with TCP
|
|
7 | 7 |
control sockets. This change made it necessary to also introduce an |
8 | 8 |
authentication file to replace the POSIX file permissions, which protected the |
9 | 9 |
domain sockets. |
10 | 10 |
|
11 |
The default path for the auth file is ``/var/lib/snf-vncauthproxy/users``
|
|
11 |
The default path for the auth file is ``/var/lib/vncauthproxy/users`` |
|
12 | 12 |
(configurable by the ``--auth-file`` option). Each line in the file represents |
13 | 13 |
one user which is allowed to use the control socket and should be in the |
14 | 14 |
following format: |
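Review bot: line 11 changes the documented default auth file from /var/lib/snf-vncauthproxy/users to /var/lib/vncauthproxy/users, but the upgrade notes do not say that a file created at the old path has to be moved. parse_auth_file in vncauthproxy/proxy.py only logs "Authentication file not found. Continuing without users" and returns an empty dict in that case, so the daemon will start and then reject every control connection. Add a sentence about the rename here (and about /etc/default/vncauthproxy, which index.rst renames in the same commit).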
... | ... | |
19 | 19 |
user1 {cleartext}password |
20 | 20 |
user2 {HA1}md5hash |
21 | 21 |
|
22 |
If you want to use a hash instead of a password, you should provide the MD5 |
|
23 |
digest of the string ``user:vncauthproxy:password``. It can be generated with |
|
24 |
the following command: |
|
25 |
|
|
26 |
.. code-block:: console |
|
27 |
|
|
28 |
$ echo -n 'user:vncauthproxy:password' | openssl md5 |
|
29 |
|
|
22 | 30 |
The Debian package provides an example users file. |
23 | 31 |
|
24 |
Version 1.4next also introduced support for SSL for the control socket. If you
|
|
25 |
enable SSL support (``--enable-ssl`` parameter, disabled by default) you wil |
|
32 |
Version 1.5 also introduced support for SSL for the control socket. If you
|
|
33 |
enable SSL support (``--enable-ssl`` parameter, disabled by default) you will
|
|
26 | 34 |
have to provide a certficate and key file (``--cert-file`` and ``--key-file`` |
27 |
parameters). |
|
28 |
|
|
29 |
If you're using snf-vncauthproxy with Synnefo, you should make sure to set the |
|
30 |
``VNCAUTHPROXY_USER`` and ``VNCAUTHPROXY_PASSWORD`` options in |
|
31 |
``/etc/synnefo/20-snf-cyclades-app-api.conf``. They should match a user defined |
|
32 |
in snf-vncauthproxy's users (auth) file. You should also make sure that the |
|
33 |
node running snf-cyclades-app can connect to the snf-vncauthproxy's control |
|
34 |
socket address /port (the default deployment to run snf-vncauthproxy on the |
|
35 |
same host with snf-cyclades-app should work with the defaults of |
|
36 |
snf-vncauthproxy, with the exception of the authentiction file). |
|
35 |
parameters). The default values for certificate and key files are |
|
36 |
``/var/lib/vncauthrpoxy/{cert,key}.pem`` respectively. |
|
37 |
|
|
38 |
If you're using snf-vncauthproxy with Synnefo, you should make sure to edit the |
|
39 |
``CYCLADES_VNCAUTHPROXY_OPTS`` setting in |
|
40 |
``/etc/synnefo/20-snf-cyclades-app-api.conf``. The |
|
41 |
``CYCLADES_VNCAUTHPROXY_OPTS`` dict in |
|
42 |
``/etc/synnefo/20-snf-cyclades-app-api.conf`` should be edited to match |
|
43 |
snf-vncauthproxy configuration (user, password, SSL support, certificate file). |
|
44 |
You should also make sure that the node running snf-cyclades-app can connect to |
|
45 |
the snf-vncauthproxy's control socket address / port (the suggested deployment to |
|
46 |
run snf-vncauthproxy on the same host as snf-cyclades-app should work with |
|
47 |
the defaults of snf-vncauthproxy, with the exception of the authentication |
|
48 |
file). |
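Review bot: the command added on new line 28 needs two caveats in the text. First, openssl md5 reading from stdin prints a label in front of the digest (for example "(stdin)= ..."), so the notes should say that only the 32 hex characters go after {HA1} on line 20. Second, typing the password inside an echo command leaves it in the shell history; suggest reading it from a prompt or a file instead. Also in this hunk: new line 36 repeats the "/var/lib/vncauthrpoxy/" misspelling from index.rst, line 34 still has "certficate", and new lines 38-43 say twice in a row that CYCLADES_VNCAUTHPROXY_OPTS in /etc/synnefo/20-snf-cyclades-app-api.conf should be edited; drop one of the two sentences.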
b/vncauthproxy/client.py | ||
---|---|---|
123 | 123 |
if strict and not ca_cert: |
124 | 124 |
raise Exception("strict requires ca-cert to be set") |
125 | 125 |
if not enable_ssl and (strict or ca_cert): |
126 |
logger.warning("strict or ca-cert set, but ssl not enabled")
|
|
126 |
logger.warning("strict or ca_cert set, but ssl not enabled")
|
|
127 | 127 |
|
128 | 128 |
req = { |
129 | 129 |
"source_port": int(sport), |
b/vncauthproxy/proxy.py | ||
---|---|---|
73 | 73 |
import hashlib |
74 | 74 |
import re |
75 | 75 |
|
76 |
import rfb |
|
76 |
from vncauthproxy import rfb
|
|
77 | 77 |
|
78 | 78 |
try: |
79 | 79 |
import simplejson as json |
... | ... | |
144 | 144 |
self.client = client |
145 | 145 |
# A list of worker/forwarder greenlets, one for each direction |
146 | 146 |
self.workers = [] |
147 |
self.listeners = [] |
|
147 | 148 |
self.sport = None |
148 | 149 |
self.pool = None |
149 | 150 |
self.daddr = None |
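Review bot: self.listeners on new line 147 is added without a comment, while self.workers just above documents what it holds. Nothing else in the visible diff reads or clears the list, so add a one-line comment saying what is stored in it and where the entries are closed, in the same style as the workers comment on line 145.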
... | ... | |
619 | 620 |
def parse_auth_file(auth_file): |
620 | 621 |
supported_ciphers = ('cleartext', 'HA1', None) |
621 | 622 |
regexp = re.compile(r'^\s*(?P<user>\S+)\s+({(?P<cipher>\S+)})?' |
622 |
'(?P<pass>\S+)\s*$') |
|
623 |
r'(?P<pass>\S+)\s*$')
|
|
623 | 624 |
|
624 | 625 |
users = {} |
625 | 626 |
|
626 | 627 |
if os.path.isfile(auth_file) is False: |
627 |
logger.warning("Authentication file not found. Continuing without" |
|
628 |
logger.warning("Authentication file not found. Continuing without "
|
|
628 | 629 |
"users") |
629 | 630 |
return users |
630 | 631 |
|