
Revision d49bd2fb

ID: d49bd2fbb8121029f1bc36522e1dba0d92cd3436

Added by Stratos Psomadakis almost 10 years ago

Add support for control connection authentication

Since vncauthproxy no longer uses Unix domain sockets for the control
connection handling, authentication handling, which was done with POSIX
file permissions, must be implemented in vncauthproxy.

The /var/lib/vncauthproxy/users file (configurable) acts as an
'auth_db'. Its entries are in the form of 'username password'. Lines
starting with '#' are treated as comments. Passwords can be stored in
cleartext format, or they can be prefixed with a {cipher} tag. At the
moment, vncauthproxy only supports the {cleartext} tag (same as no tag)
and the {HA1} tag, which stores the MD5 digest of the string
'username:vncauthproxy:password'.

The JSON format for the requests has changed accordingly, with two new
elements added (auth_user and auth_password). Failed requests will now
also get a slightly modified response, including the reason for the
failure (e.g. 'Authentication Failure').

Currently, vncauthproxy doesn't (need to) support separate read and
write permissions.

Note that since vncauthproxy now needs exclusive read access on the
'auth_db' file (and the SSL key file, introduced in a previous commit),
the vncauthproxy daemon must not run as nobody / nogroup. The relevant
debian files in the debian branch must change accordingly.

This commit also includes various fixes / improvements regarding the
SSL/TLS support for control connections (introduced in a previous
commit).
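
The 'auth_db' format described in the commit message, as an added example that is not vncauthproxy's own code: a parser for 'username password' lines plus a check of a request's auth_user / auth_password against it. The function names, the hex encoding of the MD5 digest, the skipping of blank lines and the sample entries are assumptions.

```python
import hashlib
import hmac

REALM = "vncauthproxy"  # fixed middle field of the HA1 string, per the commit message
SCHEMES = ("cleartext", "HA1")  # the only tags the commit message lists


def ha1(user, password):
    # MD5 of 'username:vncauthproxy:password'; hex encoding is an assumption
    return hashlib.md5(f"{user}:{REALM}:{password}".encode()).hexdigest()


def parse_auth_db(text):
    """Parse 'username password' lines into {username: (scheme, secret)}."""
    users = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line (assumed skippable) or comment
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 'username password'")
        user, secret = fields
        scheme = "cleartext"  # no tag is the same as {cleartext}
        if secret.startswith("{"):
            scheme, closed, secret = secret[1:].partition("}")
            if not closed or scheme not in SCHEMES:
                raise ValueError(f"line {lineno}: unsupported or malformed tag")
        users[user] = (scheme, secret)
    return users


def authenticate(users, auth_user, auth_password):
    """Check the auth_user / auth_password pair taken from a request."""
    if auth_user not in users:
        return False
    scheme, stored = users[auth_user]
    if scheme == "HA1":
        supplied, stored = ha1(auth_user, auth_password), stored.lower()
    else:
        supplied = auth_password
    # constant-time comparison, so timing does not leak how much matched
    return hmac.compare_digest(supplied.encode(), stored.encode())


# Constructed sample auth_db; the HA1 entry is computed here, not taken from the page
SAMPLE_DB = ("# user db\nalice s3cret\nbob {cleartext}hunter2\n"
             "carol {HA1}" + ha1("carol", "pw") + "\n")
```
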
