 c6a9a9f575
RFC 6331 documents a number of serious security weaknesses in the SASL DIGEST-MD5 mechanism. As such, QEMU should not be using or recommending it as a default mechanism for VNC auth with SASL. GSSAPI (Kerberos) is the only other viable SASL mechanism that can provide secure session encryption so enable that by default as the replacement. If users have TLS enabled for VNC, they can optionally decide to use SCRAM-SHA-1 instead of GSSAPI, allowing plain username and password auth.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
45 lines, 1.8 KiB, Plaintext

# If you want to use VNC remotely without TLS, then you *must*
# pick a mechanism which provides session encryption as well
# as authentication.
#
# If you are only using TLS, then you can turn on any mechanisms
# you like for authentication, because TLS provides the encryption
#
# If you are only using UNIX sockets then encryption is not
# required at all.
#
# NB, previously DIGEST-MD5 was set as the default mechanism for
# QEMU VNC. Per RFC 6331 this is vulnerable to many serious security
# flaws and should no longer be used. Thus GSSAPI is now the default.
#
# To use GSSAPI requires that a QEMU service principal is
# added to the Kerberos server for each host running QEMU.
# This principal needs to be exported to the keytab file listed below
mech_list: gssapi

# If using TLS with VNC, or a UNIX socket only, it is possible to
# enable plugins which don't provide session encryption. The
# 'scram-sha-1' plugin allows plain username/password authentication
# to be performed
#
#mech_list: scram-sha-1

# You can also list many mechanisms at once, and the VNC server will
# negotiate which to use by considering the list enabled on the VNC
# client.
#mech_list: scram-sha-1 gssapi

# Some older builds of MIT kerberos on Linux ignore this option &
# instead need KRB5_KTNAME env var.
# For modern Linux, and other OS, this should be sufficient
#
# This file needs to be populated with the service principal that
# was created on the Kerberos v5 server. If switching to a non-gssapi
# mechanism this can be commented out.
keytab: /etc/qemu/krb5.tab

# If using scram-sha-1 for username/passwds, then this is the file
# containing the passwds. Use 'saslpasswd2 -a qemu [username]'
# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it
#sasldb_path: /etc/qemu/passwd.db
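The rules the comments in this file spell out (DIGEST-MD5 is out per RFC 6331, only GSSAPI encrypts the session itself, SCRAM-SHA-1 is acceptable only behind TLS or a UNIX socket, and each mechanism needs its keytab or sasldb_path) turned into an audit check. This is an added example, not QEMU's code or part of this commit; the function names and the sample configs are constructed for illustration.

```python
# Mechanisms that provide their own session encryption: per the config
# comments above, only GSSAPI does. Anything else relies on TLS or a
# UNIX socket for confidentiality.
ENCRYPTING_MECHS = {"gssapi"}
# DIGEST-MD5 is deprecated by RFC 6331 and should not be enabled at all.
DEPRECATED_MECHS = {"digest-md5"}


def parse_sasl_conf(text):
    """Return the active (uncommented) 'key: value' pairs of a SASL config."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        conf[key.strip().lower()] = value.strip()
    return conf


def audit_vnc_sasl(text, tls=False, unix_socket=False):
    """Return findings for a QEMU VNC SASL config, given how VNC is exposed."""
    conf = parse_sasl_conf(text)
    findings = []
    mechs = conf.get("mech_list", "").lower().split()
    if not mechs:
        return ["mech_list is not set"]
    for m in mechs:
        if m in DEPRECATED_MECHS:
            findings.append(f"{m}: deprecated by RFC 6331, remove it")
        elif m not in ENCRYPTING_MECHS and not (tls or unix_socket):
            findings.append(f"{m}: no session encryption and VNC is exposed "
                            "without TLS or a UNIX socket")
        # Each mechanism also needs its credential source configured.
        if m == "gssapi" and "keytab" not in conf:
            findings.append("gssapi: keytab is not set")
        if m == "scram-sha-1" and "sasldb_path" not in conf:
            findings.append("scram-sha-1: sasldb_path is not set")
    return findings


# Constructed sample: the old default, reachable over TCP without TLS.
OLD_CONF = "mech_list: digest-md5\nkeytab: /etc/qemu/krb5.tab\n"
# Constructed sample: TLS on, scram-sha-1 enabled but no password db set.
TLS_CONF = "mech_list: scram-sha-1 gssapi\nkeytab: /etc/qemu/krb5.tab\n"

if __name__ == "__main__":
    for name, conf, tls in (("old", OLD_CONF, False), ("tls", TLS_CONF, True)):
        print(name, audit_vnc_sasl(conf, tls=tls))
```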