.. parsed-literal::
- |qemu_system| [...OPTIONS...] -vnc :1,password -monitor stdio
+ |qemu_system| [...OPTIONS...] -vnc :1,password=on -monitor stdio
(qemu) change vnc password
Password: ********
(qemu)
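Review bot: `password=on` only enables the VNC password auth type, so the `change vnc password` step at the monitor shown in this hunk is still required to set the actual value; the example stays complete, but a sentence saying that the option selects the auth type rather than supplying a password would prevent readers from assuming `password=on` alone secures the display. The same applies to the `password=on` forms in the TLS examples later in this file.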
.. parsed-literal::
|qemu_system| [...OPTIONS...] \
- -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=no \
+ -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=off \
-vnc :1,tls-creds=tls0 -monitor stdio
In the above example ``/etc/pki/qemu`` should contain at least three
certificate, which it will then validate against the CA certificate.
This is a good choice if deploying in an environment with a private
internal certificate authority. It uses the same syntax as previously,
-but with ``verify-peer`` set to ``yes`` instead.
+but with ``verify-peer`` set to ``on`` instead.
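Review bot: with `verify-peer=off` the server performs none of the client-certificate validation against the CA that the following paragraph describes for the `on` case, so in this configuration client authentication rests entirely on whatever `password=on` or `sasl=on` option is combined with it; it would help to state that explicitly beside the `verify-peer=off` example rather than leaving it implied by the contrast with the `on` text.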
.. parsed-literal::
|qemu_system| [...OPTIONS...] \
- -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes \
+ -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=on \
-vnc :1,tls-creds=tls0 -monitor stdio
.. _vnc_005fsec_005fcertificate_005fpw:
.. parsed-literal::
|qemu_system| [...OPTIONS...] \
- -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes \
- -vnc :1,tls-creds=tls0,password -monitor stdio
+ -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=on \
+ -vnc :1,tls-creds=tls0,password=on -monitor stdio
(qemu) change vnc password
Password: ********
(qemu)
.. parsed-literal::
- |qemu_system| [...OPTIONS...] -vnc :1,sasl -monitor stdio
+ |qemu_system| [...OPTIONS...] -vnc :1,sasl=on -monitor stdio
.. _vnc_005fsec_005fcertificate_005fsasl:
.. parsed-literal::
|qemu_system| [...OPTIONS...] \
- -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes \
- -vnc :1,tls-creds=tls0,sasl -monitor stdio
+ -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=on \
+ -vnc :1,tls-creds=tls0,sasl=on -monitor stdio
.. _vnc_005fsetup_005fsasl:
provides an acceptable level of security by modern standards. Previous
versions of QEMU referred to the DIGEST-MD5 mechanism, however, it has
multiple serious flaws described in detail in RFC 6331 and thus should
-never be used any more. The SCRAM-SHA-1 mechanism provides a simple
+never be used any more. The SCRAM-SHA-256 mechanism provides a simple
username/password auth facility similar to DIGEST-MD5, but does not
support session encryption, so can only be used in combination with TLS.
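Review bot: changing the mechanism name in the prose to SCRAM-SHA-256 only holds together if the `mech_list` example below is changed to `scram-sha-256` in the same patch, otherwise the text and the configuration disagree; the rest of the sentence remains accurate, since SCRAM-SHA-256, like SCRAM-SHA-1, provides no session encryption and so the "only in combination with TLS" requirement still applies.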
::
- mech_list: scram-sha-1
+ mech_list: scram-sha-256
sasldb_path: /etc/qemu/passwd.db
The ``saslpasswd2`` program can be used to populate the ``passwd.db``
-file with accounts.
+file with accounts. Note that the ``passwd.db`` file stores passwords
+in clear text.
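Review bot: the new clear-text note would be more actionable if it also told the reader to restrict the `passwd.db` file named by `sasldb_path` above to the user QEMU runs as (for example mode 0600, owned by that user), since anyone able to read the file obtains the password of every account in it; as written the note states the risk but not the mitigation.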
Other SASL configurations will be left as an exercise for the reader.
Note that all mechanisms, except GSSAPI, should be combined with use of