[mirror_qemu.git] / qemu.sasl

# If you want to use VNC remotely without TLS, then you *must*
# pick a mechanism which provides session encryption as well
# as authentication.
#
# If you are only using TLS, then you can turn on any mechanisms
# you like for authentication, because TLS provides the encryption
#
# If you are only using UNIX sockets then encryption is not
# required at all.
#
# NB, previously DIGEST-MD5 was set as the default mechanism for
# QEMU VNC. Per RFC 6331 this is vulnerable to many serious security
# flaws as should no longer be used. Thus GSSAPI is now the default.
#
# To use GSSAPI requires that a QEMU service principal is
# added to the Kerberos server for each host running QEMU.
# This principal needs to be exported to the keytab file listed below
mech_list: gssapi

# If using TLS with VNC, or a UNIX socket only, it is possible to
# enable plugins which don't provide session encryption. The
# 'scram-sha-256' plugin allows plain username/password authentication
# to be performed
#
#mech_list: scram-sha-256

# You can also list many mechanisms at once, and the VNC server will
# negotiate which to use by considering the list enabled on the VNC
# client.
#mech_list: scram-sha-256 gssapi

# This file needs to be populated with the service principal that
# was created on the Kerberos v5 server. If switching to a non-gssapi
# mechanism this can be commented out.
keytab: /etc/qemu/krb5.tab

# If using scram-sha-256 for username/passwds, then this is the file
# containing the passwds. Use 'saslpasswd2 -a qemu [username]'
# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it.
# Note that this file stores passwords in clear text.
#sasldb_path: /etc/qemu/passwd.db
Commit	Line	Data
c6a9a9f5 DB	1	# If you want to use VNC remotely without TLS, then you must
	2	# pick a mechanism which provides session encryption as well
	3	# as authentication.
2f9606b3	4	#
c6a9a9f5	5	# If you are only using TLS, then you can turn on any mechanisms
2f9606b3 AL	6	# you like for authentication, because TLS provides the encryption
2f9606b3 AL	7	#
c6a9a9f5 DB	8	# If you are only using UNIX sockets then encryption is not
	9	# required at all.
	10	#
	11	# NB, previously DIGEST-MD5 was set as the default mechanism for
	12	# QEMU VNC. Per RFC 6331 this is vulnerable to many serious security
	13	# flaws as should no longer be used. Thus GSSAPI is now the default.
	14	#
	15	# To use GSSAPI requires that a QEMU service principal is
	16	# added to the Kerberos server for each host running QEMU.
	17	# This principal needs to be exported to the keytab file listed below
	18	mech_list: gssapi
2f9606b3	19
c6a9a9f5 DB	20	# If using TLS with VNC, or a UNIX socket only, it is possible to
c6a9a9f5 DB	21	# enable plugins which don't provide session encryption. The
e2bf32df	22	# 'scram-sha-256' plugin allows plain username/password authentication
c6a9a9f5	23	# to be performed
2f9606b3	24	#
e2bf32df	25	#mech_list: scram-sha-256
c6a9a9f5 DB	26
	27	# You can also list many mechanisms at once, and the VNC server will
	28	# negotiate which to use by considering the list enabled on the VNC
	29	# client.
e2bf32df	30	#mech_list: scram-sha-256 gssapi
2f9606b3	31
c6a9a9f5 DB	32	# This file needs to be populated with the service principal that
	33	# was created on the Kerberos v5 server. If switching to a non-gssapi
	34	# mechanism this can be commented out.
	35	keytab: /etc/qemu/krb5.tab
2f9606b3	36
e2bf32df	37	# If using scram-sha-256 for username/passwds, then this is the file
2f9606b3	38	# containing the passwds. Use 'saslpasswd2 -a qemu [username]'
e2bf32df DB	39	# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it.
e2bf32df DB	40	# Note that this file stores passwords in clear text.
c6a9a9f5	41	#sasldb_path: /etc/qemu/passwd.db