projects / qemu.git / blame
| Commit | Line | Data |
|---|---|---|
| 2f9606b3 AL |
1 | # If you want to use the non-TLS socket, then you *must* include |
| 2 | # the GSSAPI or DIGEST-MD5 mechanisms, because they are the only | |
| 3 | # ones that can offer session encryption as well as authentication. | |
| 4 | # | |
| 5 | # If you're only using TLS, then you can turn on any mechanisms | |
| 6 | # you like for authentication, because TLS provides the encryption | |
| 7 | # | |
| 8 | # Default to a simple username+password mechanism | |
| 9 | # NB digest-md5 is no longer considered secure by current standards | |
| 10 | mech_list: digest-md5 | |
| 11 | ||
| 12 | # Before you can use GSSAPI, you need a service principle on the | |
| 13 | # KDC server for libvirt, and that to be exported to the keytab | |
| 14 | # file listed below | |
| 15 | #mech_list: gssapi | |
| 16 | # | |
| 17 | # You can also list many mechanisms at once, then the user can choose | |
| 18 | # by adding '?auth=sasl.gssapi' to their libvirt URI, eg | |
| 19 | # qemu+tcp://hostname/system?auth=sasl.gssapi | |
| 20 | #mech_list: digest-md5 gssapi | |
| 21 | ||
| 22 | # Some older builds of MIT kerberos on Linux ignore this option & | |
| 23 | # instead need KRB5_KTNAME env var. | |
| 24 | # For modern Linux, and other OS, this should be sufficient | |
| 25 | keytab: /etc/qemu/krb5.tab | |
| 26 | ||
| 27 | # If using digest-md5 for username/passwds, then this is the file | |
| 28 | # containing the passwds. Use 'saslpasswd2 -a qemu [username]' | |
| 805695da | 29 | # to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it |
| 2f9606b3 AL |
30 | sasldb_path: /etc/qemu/passwd.db |
| 31 | ||
| 32 | ||
| 33 | auxprop_plugin: sasldb | |
| 34 |