From 9b53a3b4c06b33ff8e0055ffdfb7059d3f79ba54 Mon Sep 17 00:00:00 2001
From: Evan Broder
Date: Tue, 28 Oct 2008 20:00:19 -0400
Subject: [PATCH] Generate the VNC token key at invirt-vnc-server install-time instead of hard-coding
svn path=/trunk/packages/invirt-vnc-server/; revision=1388
---
 debian/changelog | 3 ++-
 debian/invirt-vnc-server.postinst | 4 ++++
 python/vnc/extauth.py | 11 +++++++----
 3 files changed, 13 insertions(+), 5 deletions(-)
 mode change 100644 => 100755 debian/invirt-vnc-server.postinst
diff --git a/debian/changelog b/debian/changelog
index f180fd9..da167fb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,9 @@
 invirt-vnc-server (0.0.1) unstable; urgency=low
 * sipb-xen-vnc-server -> invirt-vnc-server
+ * Generate the VNC token key at install-time instead of hard-coding
- -- Evan Broder Tue, 28 Oct 2008 15:18:42 -0400
+ -- Evan Broder Tue, 28 Oct 2008 19:44:04 -0400
 sipb-xen-vnc-server (1.2) unstable; urgency=low
diff --git a/debian/invirt-vnc-server.postinst b/debian/invirt-vnc-server.postinst
old mode 100644
new mode 100755
index c7e3d1f..ee266d9
--- a/debian/invirt-vnc-server.postinst
+++ b/debian/invirt-vnc-server.postinst
@@ -23,6 +23,10 @@ case "$1" in
 if [ -z "$2" ]; then
 echo "Please be sure to copy vncproxy.crt and vncproxykey.pem into /usr/share/invirt-vnc-server/"
 fi
+ mkdir -p /etc/invirt/secrets
+ if ! [ -e /etc/invirt/secrets/vnc-key ]; then
+ openssl rand -base64 33 >/etc/invirt/secrets/vnc-key
+ fi
 ;;
 abort-upgrade|abort-remove|abort-deconfigure)
diff --git a/python/vnc/extauth.py b/python/vnc/extauth.py
index e6d07fe..b7351a3 100644
--- a/python/vnc/extauth.py
+++ b/python/vnc/extauth.py
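Review bot: The key file written by `openssl rand -base64 33 >/etc/invirt/secrets/vnc-key` is created under the process umask, so on a typical root install it ends up world-readable, and `mkdir -p` leaves the new directory at the default 0755 — any local user could then read the HMAC key that authenticates every VNC token. Create both with restrictive modes: `install -d -m 0700 /etc/invirt/secrets`, `if ! [ -s /etc/invirt/secrets/vnc-key ]; then`, `(umask 077 && openssl rand -base64 33 >/etc/invirt/secrets/vnc-key)`. The `-s` test matters because the shell opens the redirection before openssl runs, so a failing openssl leaves an empty file that the current `-e` check would preserve on every later upgrade. A chown to whichever uid the VNC server runs as is presumably needed as well, but that user is not visible in this patch; the enclosing case arm continues outside the hunk.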
@@ -18,11 +18,15 @@ import hmac
 import base64
 import socket
 import time
-import get_port
-TOKEN_KEY = "0M6W0U1IXexThi5idy8mnkqPKEq1LtEnlK/pZSn0cDrN"
+def getTokenKey():
+ token_key = file('/etc/invirt/secrets/vnc-key').read().strip()
+ while True:
+ yield token_key
+getTokenKey = getTokenKey().next
 def getPort(name, auth_data):
+ import get_port
 if (auth_data["machine"] == name):
 port = get_port.findPort(name)
 if port is None:
@@ -62,12 +66,11 @@ class VNCAuth(protocol.Protocol):
 self.otherConn=None
 def validateToken(self, token):
- global TOKEN_KEY
 self.auth_error = "Invalid token"
 try:
 token = base64.urlsafe_b64decode(token)
 token = cPickle.loads(token)
- m = hmac.new(TOKEN_KEY, digestmod=sha)
+ m = hmac.new(getTokenKey(), digestmod=sha)
 m.update(token['data'])
 if (m.digest() == token['digest']):
 data = cPickle.loads(token['data'])
-- 
1.7.9.5
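Review bot: `getTokenKey` accepts an empty or whitespace-only key file without complaint, because `.read().strip()` yields `''` and the generator then serves that value forever; an HMAC keyed with the empty string makes every token trivially forgeable, and the postinst in this same patch can leave exactly such an empty file if openssl fails. The file handle from `file(...)` is also never closed explicitly, and the generator-plus-`.next` idiom defers the read to the first `validateToken` call, so a missing or unreadable key surfaces during authentication rather than at startup. A plain read-once function that closes the file and rejects an empty key keeps the same call signature and fails fast. Note too that the key is used as the base64 text itself rather than its decoded bytes; that is only correct if the token issuer reads the same file the same way, which is not visible here.
```python
def getTokenKey():
    f = open('/etc/invirt/secrets/vnc-key')
    try:
        token_key = f.read().strip()
    finally:
        f.close()
    if not token_key:
        raise ValueError('/etc/invirt/secrets/vnc-key is empty')
    while True:
        yield token_key
getTokenKey = getTokenKey().next
```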
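Review bot: `token = cPickle.loads(token)` runs before the HMAC computed on the following lines is checked, so the outer pickle is deserialized from unauthenticated client input; the commit only swaps the key source and leaves this ordering, which is the more serious weakness in validateToken. The digest should be verified over the raw bytes before anything is unpickled — for example carry the token as `base64(data) + '.' + base64(digest)`, split on the separator, compare digests, and only then `cPickle.loads(data)`, with the issuer updated in step. The `m.digest() == token['digest']` comparison is also not constant-time; `hmac.compare_digest` is available from Python 2.7.7, otherwise a loop that accumulates the XOR of every byte does the same job. The try/except that handles these failures and the rest of validateToken lie outside the hunk, and since `getTokenKey()` is now called inside that try, a missing key file is presumably reported to the client as "Invalid token" rather than as a configuration error.
```python
def validateToken(self, token):
    self.auth_error = "Invalid token"
    try:
        data_b64, digest_b64 = token.split('.', 1)
        data = base64.urlsafe_b64decode(data_b64)
        digest = base64.urlsafe_b64decode(digest_b64)
        m = hmac.new(getTokenKey(), digestmod=sha)
        m.update(data)
        # verify before any unpickling; constant-time compare on 2.7.7+
        if hmac.compare_digest(m.digest(), digest):
            data = cPickle.loads(data)
            # … unchanged: remainder of validateToken …
```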