Changeset 1388

Timestamp:

Oct 28, 2008, 8:00:19 PM (15 years ago)

Author:

broder

Message:

Generate the VNC token key at invirt-vnc-server install-time instead
of hard-coding

Location:

trunk/packages/invirt-vnc-server

Files:

• debian/changelog (modified) (1 diff)
• debian/invirt-vnc-server.postinst (modified) (1 diff, 1 prop)
• python/vnc/extauth.py (modified) (2 diffs)

trunk/packages/invirt-vnc-server/debian/changelog

@@ -2 +2 @@
 
   * sipb-xen-vnc-server -> invirt-vnc-server
+  * Generate the VNC token key at install-time instead of hard-coding
 
- -- Evan Broder <broder@mit.edu>  Tue, 28 Oct 2008 15:18:42 -0400
+ -- Evan Broder <broder@mit.edu>  Tue, 28 Oct 2008 19:44:04 -0400
 
 sipb-xen-vnc-server (1.2) unstable; urgency=low

trunk/packages/invirt-vnc-server/debian/invirt-vnc-server.postinst

@@ -24 +24 @@
             echo "Please be sure to copy vncproxy.crt and vncproxykey.pem into /usr/share/invirt-vnc-server/"
         fi
+        mkdir -p /etc/invirt/secrets
+        if ! [ -e /etc/invirt/secrets/vnc-key ]; then
+            openssl rand -base64 33 >/etc/invirt/secrets/vnc-key
+        fi
     ;;
 

trunk/packages/invirt-vnc-server/python/vnc/extauth.py

@@ -19 +19 @@
 import socket
 import time
-import get_port
-
-TOKEN_KEY = "0M6W0U1IXexThi5idy8mnkqPKEq1LtEnlK/pZSn0cDrN"
+
+def getTokenKey():
+    token_key = file('/etc/invirt/secrets/vnc-key').read().strip()
+    while True:
+        yield token_key
+getTokenKey = getTokenKey().next
 
 def getPort(name, auth_data):
+    import get_port
     if (auth_data["machine"] == name):
         port = get_port.findPort(name)
@@ -63 +67 @@
 
     def validateToken(self, token):
-        global TOKEN_KEY
         self.auth_error = "Invalid token"
         try:
             token = base64.urlsafe_b64decode(token)
             token = cPickle.loads(token)
-            m = hmac.new(TOKEN_KEY, digestmod=sha)
+            m = hmac.new(getTokenKey(), digestmod=sha)
             m.update(token['data'])
             if (m.digest() == token['digest']):