| Commit | Line | Data |
|---|---|---|
| c6a9a9f5 DB | 1 | `# If you want to use VNC remotely without TLS, then you *must*` |
| c6a9a9f5 DB | 2 | `# pick a mechanism which provides session encryption as well` |
| c6a9a9f5 DB | 3 | `# as authentication.` |
| 2f9606b3 | 4 | `#` |
| c6a9a9f5 | 5 | `# If you are only using TLS, then you can turn on any mechanisms` |
| 2f9606b3 AL | 6 | `# you like for authentication, because TLS provides the encryption` |
| 2f9606b3 AL | 7 | `#` |
| c6a9a9f5 DB | 8 | `# If you are only using UNIX sockets then encryption is not` |
| c6a9a9f5 DB | 9 | `# required at all.` |
| c6a9a9f5 DB | 10 | `#` |
| c6a9a9f5 DB | 11 | `# NB, previously DIGEST-MD5 was set as the default mechanism for` |
| c6a9a9f5 DB | 12 | `# QEMU VNC. Per RFC 6331 this is vulnerable to many serious security` |
| c6a9a9f5 DB | 13 | `# flaws as should no longer be used. Thus GSSAPI is now the default.` |
| c6a9a9f5 DB | 14 | `#` |
| c6a9a9f5 DB | 15 | `# To use GSSAPI requires that a QEMU service principal is` |
| c6a9a9f5 DB | 16 | `# added to the Kerberos server for each host running QEMU.` |
| c6a9a9f5 DB | 17 | `# This principal needs to be exported to the keytab file listed below` |
| c6a9a9f5 DB | 18 | `mech_list: gssapi` |
| 2f9606b3 | 19 | |
| c6a9a9f5 DB | 20 | `# If using TLS with VNC, or a UNIX socket only, it is possible to` |
| c6a9a9f5 DB | 21 | `# enable plugins which don't provide session encryption. The` |
| c6a9a9f5 DB | 22 | `# 'scram-sha-1' plugin allows plain username/password authentication` |
| c6a9a9f5 DB | 23 | `# to be performed` |
| 2f9606b3 | 24 | `#` |
| c6a9a9f5 DB | 25 | `#mech_list: scram-sha-1` |
| c6a9a9f5 DB | 26 | |
| c6a9a9f5 DB | 27 | `# You can also list many mechanisms at once, and the VNC server will` |
| c6a9a9f5 DB | 28 | `# negotiate which to use by considering the list enabled on the VNC` |
| c6a9a9f5 DB | 29 | `# client.` |
| c6a9a9f5 DB | 30 | `#mech_list: scram-sha-1 gssapi` |
| 2f9606b3 AL | 31 | |
| 2f9606b3 AL | 32 | `# Some older builds of MIT kerberos on Linux ignore this option &` |
| 2f9606b3 AL | 33 | `# instead need KRB5_KTNAME env var.` |
| 2f9606b3 AL | 34 | `# For modern Linux, and other OS, this should be sufficient` |
| dfb3804d | 35 | `#` |
| c6a9a9f5 DB | 36 | `# This file needs to be populated with the service principal that` |
| c6a9a9f5 DB | 37 | `# was created on the Kerberos v5 server. If switching to a non-gssapi` |
| c6a9a9f5 DB | 38 | `# mechanism this can be commented out.` |
| c6a9a9f5 DB | 39 | `keytab: /etc/qemu/krb5.tab` |
| 2f9606b3 | 40 | |
| c6a9a9f5 | 41 | `# If using scram-sha-1 for username/passwds, then this is the file` |
| 2f9606b3 | 42 | `# containing the passwds. Use 'saslpasswd2 -a qemu [username]'` |
| 805695da | 43 | `# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it` |
| c6a9a9f5 | 44 | `#sasldb_path: /etc/qemu/passwd.db` |
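The comments in the file above state a small policy: without TLS or a UNIX socket, every enabled mechanism must provide session encryption (which is why gssapi is the default), scram-sha-1 only authenticates, and digest-md5 must not be used per RFC 6331. The following is an added example, not QEMU's code, that parses a config in this `key: value` format and audits `mech_list` against those rules; the transport names and the mechanism tables are this script's own assumptions derived from the comments.

```python
"""Audit a QEMU SASL config (key: value lines) against the rules its comments state."""

# Assumption from the comments above: gssapi provides a session security
# layer, so it is the only mechanism safe on a VNC TCP listener without TLS.
ENCRYPTING_MECHS = {"gssapi"}
# The comments say DIGEST-MD5 is deprecated per RFC 6331 and must not be used.
DEPRECATED_MECHS = {"digest-md5"}


def parse_sasl_conf(text):
    """Parse 'key: value' lines, ignoring blank lines and '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        conf[key.strip()] = value.strip()
    return conf


def audit(conf, transport):
    """Return findings for transport 'tcp' (no TLS), 'tls' or 'unix'.

    On 'tcp' every mechanism must encrypt; on 'tls' and 'unix' only the
    deprecated-mechanism and missing-backing-file checks apply.
    """
    findings = []
    mechs = conf.get("mech_list", "").lower().split()
    if not mechs:
        findings.append("mech_list is empty or missing")
    for m in mechs:
        if m in DEPRECATED_MECHS:
            findings.append(f"{m}: deprecated per RFC 6331, do not enable")
        elif transport == "tcp" and m not in ENCRYPTING_MECHS:
            findings.append(f"{m}: no session encryption; needs TLS or a UNIX socket")
    if "gssapi" in mechs and "keytab" not in conf:
        findings.append("gssapi enabled but no keytab configured")
    if "scram-sha-1" in mechs and "sasldb_path" not in conf:
        findings.append("scram-sha-1 enabled but no sasldb_path configured")
    return findings


# Constructed sample: the old DIGEST-MD5 default beside SCRAM, on plain TCP.
SAMPLE = "mech_list: digest-md5 scram-sha-1\nkeytab: /etc/qemu/krb5.tab\n"

if __name__ == "__main__":
    for finding in audit(parse_sasl_conf(SAMPLE), "tcp"):
        print("finding:", finding)
```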