On Thursday, May 03, 2012 09:29:15 AM Daniel P. Berrange wrote:
> On Wed, May 02, 2012 at 03:32:56PM -0400, Paul Moore wrote:
> >  static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
> >  {
> >  #ifdef _VNC_DEBUG
> > 
> > @@ -2748,6 +2772,14 @@ void vnc_display_init(DisplayState *ds)
> > 
> >      dcl->idle = 1;
> >      vnc_display = vs;
> > 
> > +    vs->fips = fips_enabled();
> > +    VNC_DEBUG("FIPS mode %s\n", (vs->fips ? "enabled" : "disabled"));
> > +#ifndef _WIN32
> > +    if (vs->fips) {
> > +        syslog(LOG_NOTICE, "Disabling VNC password auth due to FIPS
> > mode\n"); +    }
> > +#endif /* _WIN32 */
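Review bot: The syslog() format string in the `if (vs->fips)` block ends in "\n", which syslog does not need since it terminates each record itself; drop the newline so the entry reads "Disabling VNC password auth due to FIPS mode". Separately, because the notice sits inside `#ifndef _WIN32`, a Windows build reports the change only through the VNC_DEBUG line, so consider a platform-neutral message there or a comment explaining why none is needed.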
> 
> I really think this should only be done if a password is actually set.
> With the code as it is, then every single time you launch a VM you're
> going to get this message in syslog, which makes it appear as if something
> is trying to illegally use passwords in FIPS mode. I feel this will cause
> admins/auditors to be worried about something being wrong, when in fact
> everything is normal.

Yep.  I can see arguments for either location but I'll go ahead and move it in 
v3 which I will be posting shortly.

-- 
paul moore
security and virtualization @ redhat

