]> git.ipfire.org Git - thirdparty/qemu.git/blame - qemu.sasl
Merge remote-tracking branch 'remotes/cleber/tags/python-next-pull-request' into...
[thirdparty/qemu.git] / qemu.sasl
CommitLineData
c6a9a9f5
DB
1# If you want to use VNC remotely without TLS, then you *must*
2# pick a mechanism which provides session encryption as well
3# as authentication.
2f9606b3 4#
c6a9a9f5 5# If you are only using TLS, then you can turn on any mechanisms
2f9606b3
AL
6# you like for authentication, because TLS provides the encryption
7#
c6a9a9f5
DB
8# If you are only using UNIX sockets then encryption is not
9# required at all.
10#
11# NB, previously DIGEST-MD5 was set as the default mechanism for
12# QEMU VNC. Per RFC 6331 this is vulnerable to many serious security
13# flaws as should no longer be used. Thus GSSAPI is now the default.
14#
15# To use GSSAPI requires that a QEMU service principal is
16# added to the Kerberos server for each host running QEMU.
17# This principal needs to be exported to the keytab file listed below
18mech_list: gssapi
2f9606b3 19
c6a9a9f5
DB
20# If using TLS with VNC, or a UNIX socket only, it is possible to
21# enable plugins which don't provide session encryption. The
22# 'scram-sha-1' plugin allows plain username/password authentication
23# to be performed
2f9606b3 24#
c6a9a9f5
DB
25#mech_list: scram-sha-1
26
27# You can also list many mechanisms at once, and the VNC server will
28# negotiate which to use by considering the list enabled on the VNC
29# client.
30#mech_list: scram-sha-1 gssapi
2f9606b3
AL
31
32# Some older builds of MIT kerberos on Linux ignore this option &
33# instead need KRB5_KTNAME env var.
34# For modern Linux, and other OS, this should be sufficient
dfb3804d 35#
c6a9a9f5
DB
36# This file needs to be populated with the service principal that
37# was created on the Kerberos v5 server. If switching to a non-gssapi
38# mechanism this can be commented out.
39keytab: /etc/qemu/krb5.tab
2f9606b3 40
c6a9a9f5 41# If using scram-sha-1 for username/passwds, then this is the file
2f9606b3 42# containing the passwds. Use 'saslpasswd2 -a qemu [username]'
805695da 43# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it
c6a9a9f5 44#sasldb_path: /etc/qemu/passwd.db