Generate the VNC token key at invirt-vnc-server install-time instead

of hard-coding

svn path=/trunk/packages/invirt-vnc-server/; revision=1388

diff --git a/debian/changelog b/debian/changelog
index f180fd9..da167fb 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,9 @@
 invirt-vnc-server (0.0.1) unstable; urgency=low
 
   * sipb-xen-vnc-server -> invirt-vnc-server
 invirt-vnc-server (0.0.1) unstable; urgency=low
 
   * sipb-xen-vnc-server -> invirt-vnc-server

+  * Generate the VNC token key at install-time instead of hard-coding

 
 

- -- Evan Broder <broder@mit.edu>  Tue, 28 Oct 2008 15:18:42 -0400
+ -- Evan Broder <broder@mit.edu>  Tue, 28 Oct 2008 19:44:04 -0400

 
 sipb-xen-vnc-server (1.2) unstable; urgency=low
 
 
 sipb-xen-vnc-server (1.2) unstable; urgency=low
 

diff --git a/debian/invirt-vnc-server.postinst b/debian/invirt-vnc-server.postinst
old mode 100644 (file)
new mode 100755 (executable)
index c7e3d1f..ee266d9
--- a/debian/invirt-vnc-server.postinst
+++ b/debian/invirt-vnc-server.postinst
@@ -23,6 +23,10 @@ case "$1" in
        if [ -z "$2" ]; then
            echo "Please be sure to copy vncproxy.crt and vncproxykey.pem into /usr/share/invirt-vnc-server/"
        fi
        if [ -z "$2" ]; then
            echo "Please be sure to copy vncproxy.crt and vncproxykey.pem into /usr/share/invirt-vnc-server/"
        fi

+        mkdir -p /etc/invirt/secrets
+        if ! [ -e /etc/invirt/secrets/vnc-key ]; then
+            openssl rand -base64 33 >/etc/invirt/secrets/vnc-key
+        fi

     ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)
     ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)

diff --git a/python/vnc/extauth.py b/python/vnc/extauth.py
index e6d07fe..b7351a3 100644 (file)
--- a/python/vnc/extauth.py
+++ b/python/vnc/extauth.py
@@ -18,11 +18,15 @@ import hmac
 import base64
 import socket
 import time
 import base64
 import socket
 import time

-import get_port

 
 

-TOKEN_KEY = "0M6W0U1IXexThi5idy8mnkqPKEq1LtEnlK/pZSn0cDrN"
+def getTokenKey():
+    token_key = file('/etc/invirt/secrets/vnc-key').read().strip()
+    while True:
+        yield token_key
+getTokenKey = getTokenKey().next

 
 def getPort(name, auth_data):
 
 def getPort(name, auth_data):

+    import get_port

     if (auth_data["machine"] == name):
         port = get_port.findPort(name)
         if port is None:
     if (auth_data["machine"] == name):
         port = get_port.findPort(name)
         if port is None:

@@ -62,12 +66,11 @@ class VNCAuth(protocol.Protocol):
         self.otherConn=None
 
     def validateToken(self, token):
         self.otherConn=None
 
     def validateToken(self, token):

-        global TOKEN_KEY

         self.auth_error = "Invalid token"
         try:
             token = base64.urlsafe_b64decode(token)
             token = cPickle.loads(token)
         self.auth_error = "Invalid token"
         try:
             token = base64.urlsafe_b64decode(token)
             token = cPickle.loads(token)

-            m = hmac.new(TOKEN_KEY, digestmod=sha)
+            m = hmac.new(getTokenKey(), digestmod=sha)

             m.update(token['data'])
             if (m.digest() == token['digest']):
                 data = cPickle.loads(token['data'])
             m.update(token['data'])
             if (m.digest() == token['digest']):
                 data = cPickle.loads(token['data'])