aboutsummaryrefslogtreecommitdiff
path: root/qemu-options.hx
diff options
context:
space:
mode:
authorDaniel P. Berrangé <berrange@redhat.com>2021-03-11 11:43:42 +0000
committerGerd Hoffmann <kraxel@redhat.com>2021-03-15 17:36:20 +0100
commit99522f69d62216f5d9581f66f2c0edca6bd48f78 (patch)
tree5f0ad49410504389ac7f87f3d1f2e8019f729c94 /qemu-options.hx
parent6c6840e9281cf2fd3b29d77f45b18949d4a83944 (diff)
ui: introduce "password-secret" option for SPICE server
Currently when using SPICE the "password" option provides the password in plain text on the command line. This is insecure as it is visible to all processes on the host. As an alternative, the password can be provided separately via the monitor. This introduces a "password-secret" option which lets the password be provided up front. $QEMU --object secret,id=vncsec0,file=passwd.txt \ --spice port=5901,password-secret=vncsec0 Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Message-Id: <20210311114343.439820-3-berrange@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Diffstat (limited to 'qemu-options.hx')
-rw-r--r--qemu-options.hx9
1 files changed, 7 insertions, 2 deletions
diff --git a/qemu-options.hx b/qemu-options.hx
index 357fc4596e..a98f8e84a2 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -1899,7 +1899,8 @@ DEF("spice", HAS_ARG, QEMU_OPTION_spice,
" [,tls-ciphers=<list>]\n"
" [,tls-channel=[main|display|cursor|inputs|record|playback]]\n"
" [,plaintext-channel=[main|display|cursor|inputs|record|playback]]\n"
- " [,sasl=on|off][,password=<secret>][,disable-ticketing=on|off]\n"
+ " [,sasl=on|off][,disable-ticketing=on|off]\n"
+ " [,password=<string>][,password-secret=<secret-id>]\n"
" [,image-compression=[auto_glz|auto_lz|quic|glz|lz|off]]\n"
" [,jpeg-wan-compression=[auto|never|always]]\n"
" [,zlib-glz-wan-compression=[auto|never|always]]\n"
@@ -1924,9 +1925,13 @@ SRST
``ipv4=on|off``; \ ``ipv6=on|off``; \ ``unix=on|off``
Force using the specified IP version.
- ``password=<secret>``
+ ``password=<string>``
Set the password you need to authenticate.
+ ``password-secret=<secret-id>``
+ Set the ID of the ``secret`` object containing the password
+ you need to authenticate.
+
``sasl=on|off``
Require that the client use SASL to authenticate with the spice.
The exact choice of authentication method used is controlled