]> git.proxmox.com Git - mirror_qemu.git/blame - qemu.sasl
Add new vhost-user netdev backend
[mirror_qemu.git] / qemu.sasl
CommitLineData
2f9606b3
AL
1# If you want to use the non-TLS socket, then you *must* include
2# the GSSAPI or DIGEST-MD5 mechanisms, because they are the only
3# ones that can offer session encryption as well as authentication.
4#
5# If you're only using TLS, then you can turn on any mechanisms
6# you like for authentication, because TLS provides the encryption
7#
8# Default to a simple username+password mechanism
9# NB digest-md5 is no longer considered secure by current standards
10mech_list: digest-md5
11
12# Before you can use GSSAPI, you need a service principle on the
13# KDC server for libvirt, and that to be exported to the keytab
14# file listed below
15#mech_list: gssapi
16#
17# You can also list many mechanisms at once, then the user can choose
18# by adding '?auth=sasl.gssapi' to their libvirt URI, eg
19# qemu+tcp://hostname/system?auth=sasl.gssapi
20#mech_list: digest-md5 gssapi
21
22# Some older builds of MIT kerberos on Linux ignore this option &
23# instead need KRB5_KTNAME env var.
24# For modern Linux, and other OS, this should be sufficient
dfb3804d
LE
25#
26# There is no default value here, uncomment if you need this
27#keytab: /etc/qemu/krb5.tab
2f9606b3
AL
28
29# If using digest-md5 for username/passwds, then this is the file
30# containing the passwds. Use 'saslpasswd2 -a qemu [username]'
805695da 31# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it
2f9606b3
AL
32sasldb_path: /etc/qemu/passwd.db
33
34
35auxprop_plugin: sasldb
36