libvirt/daemon/libvirtd.sasl

# If you want to use the non-TLS socket, then you *must* pick a
# mechanism which provides session encryption as well as
# authentication.
#
# If you are only using TLS, then you can turn on any mechanisms
# you like for authentication, because TLS provides the encryption
#
# If you are only using UNIX, sockets then encryption is not
# required at all.
#
# Since SASL is the default for the libvirtd non-TLS socket, we
# pick a strong mechanism by default.
#
# NB, previously DIGEST-MD5 was set as the default mechanism for
# libvirt. Per RFC 6331 this is vulnerable to many serious security
# flaws and should no longer be used. Thus GSSAPI is now the default.
#
# To use GSSAPI requires that a libvirtd service principal is
# added to the Kerberos server for each host running libvirtd.
# This principal needs to be exported to the keytab file listed below
mech_list: gssapi

# If using a TLS socket or UNIX socket only, it is possible to
# enable plugins which don't provide session encryption. The
# 'scram-sha-1' plugin allows plain username/password authentication
# to be performed
#
#mech_list: scram-sha-1

#
# You can also list many mechanisms at once, then the user can choose
# by adding  '?auth=sasl.gssapi' to their libvirt URI, eg
#   qemu+tcp://hostname/system?auth=sasl.gssapi
#mech_list: scram-sha-1 gssapi

# Some older builds of MIT kerberos on Linux ignore this option &
# instead need KRB5_KTNAME env var.
# For modern Linux, and other OS, this should be sufficient
#
keytab: /etc/libvirt/krb5.tab

# If using scram-sha-1 for username/passwds, then this is the file
# containing the passwds. Use 'saslpasswd2 -a libvirt [username]'
# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it
#sasldb_path: /etc/libvirt/passwd.db
Switch to GSSAPI (kerberos) instead of the insecure DIGEST-MD5 RFC 6331 documents a number of serious security weaknesses in the SASL DIGEST-MD5 mechanism. As such, libvirtd should not by using it as a default mechanism. GSSAPI is the only other viable SASL mechanism that can provide secure session encryption so enable that by defalt as the replacement. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> 2017-03-13 12:15:57 +00:00			`# If you want to use the non-TLS socket, then you must pick a`
			`# mechanism which provides session encryption as well as`
			`# authentication.`
Added missing sasl config file 2007-12-05 18:21:04 +00:00			`#`
Switch to GSSAPI (kerberos) instead of the insecure DIGEST-MD5 RFC 6331 documents a number of serious security weaknesses in the SASL DIGEST-MD5 mechanism. As such, libvirtd should not by using it as a default mechanism. GSSAPI is the only other viable SASL mechanism that can provide secure session encryption so enable that by defalt as the replacement. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> 2017-03-13 12:15:57 +00:00			`# If you are only using TLS, then you can turn on any mechanisms`
Added missing sasl config file 2007-12-05 18:21:04 +00:00			`# you like for authentication, because TLS provides the encryption`
			`#`
Switch to GSSAPI (kerberos) instead of the insecure DIGEST-MD5 RFC 6331 documents a number of serious security weaknesses in the SASL DIGEST-MD5 mechanism. As such, libvirtd should not by using it as a default mechanism. GSSAPI is the only other viable SASL mechanism that can provide secure session encryption so enable that by defalt as the replacement. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> 2017-03-13 12:15:57 +00:00			`# If you are only using UNIX, sockets then encryption is not`
			`# required at all.`
			`#`
			`# Since SASL is the default for the libvirtd non-TLS socket, we`
			`# pick a strong mechanism by default.`
			`#`
			`# NB, previously DIGEST-MD5 was set as the default mechanism for`
			`# libvirt. Per RFC 6331 this is vulnerable to many serious security`
			`# flaws and should no longer be used. Thus GSSAPI is now the default.`
			`#`
			`# To use GSSAPI requires that a libvirtd service principal is`
			`# added to the Kerberos server for each host running libvirtd.`
			`# This principal needs to be exported to the keytab file listed below`
			`mech_list: gssapi`

			`# If using a TLS socket or UNIX socket only, it is possible to`
			`# enable plugins which don't provide session encryption. The`
			`# 'scram-sha-1' plugin allows plain username/password authentication`
			`# to be performed`
			`#`
			`#mech_list: scram-sha-1`
Added missing sasl config file 2007-12-05 18:21:04 +00:00
			`#`
			`# You can also list many mechanisms at once, then the user can choose`
			`# by adding '?auth=sasl.gssapi' to their libvirt URI, eg`
			`# qemu+tcp://hostname/system?auth=sasl.gssapi`
Switch to GSSAPI (kerberos) instead of the insecure DIGEST-MD5 RFC 6331 documents a number of serious security weaknesses in the SASL DIGEST-MD5 mechanism. As such, libvirtd should not by using it as a default mechanism. GSSAPI is the only other viable SASL mechanism that can provide secure session encryption so enable that by defalt as the replacement. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> 2017-03-13 12:15:57 +00:00			`#mech_list: scram-sha-1 gssapi`
Added missing sasl config file 2007-12-05 18:21:04 +00:00
daemon: Avoid 'Could not find keytab file' in syslog On F17 at least, every time libvirtd starts we get this in syslog: libvirtd: Could not find keytab file: /etc/libvirt/krb5.tab: No such file or directory This comes from cyrus-sasl, and happens regardless of whether the gssapi plugin is requested, which is what actually uses /etc/libvirt/krb5.tab. While cyrus-sasl shouldn't complain, we can easily make it shut up by commenting out the keytab value by default. Also update the keytab comment to the more modern one from qemu's sasl config file. 2012-10-20 18:10:03 +00:00			`# Some older builds of MIT kerberos on Linux ignore this option &`
			`# instead need KRB5_KTNAME env var.`
			`# For modern Linux, and other OS, this should be sufficient`
			`#`
Switch to GSSAPI (kerberos) instead of the insecure DIGEST-MD5 RFC 6331 documents a number of serious security weaknesses in the SASL DIGEST-MD5 mechanism. As such, libvirtd should not by using it as a default mechanism. GSSAPI is the only other viable SASL mechanism that can provide secure session encryption so enable that by defalt as the replacement. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> 2017-03-13 12:15:57 +00:00			`keytab: /etc/libvirt/krb5.tab`
Added missing sasl config file 2007-12-05 18:21:04 +00:00
Switch to GSSAPI (kerberos) instead of the insecure DIGEST-MD5 RFC 6331 documents a number of serious security weaknesses in the SASL DIGEST-MD5 mechanism. As such, libvirtd should not by using it as a default mechanism. GSSAPI is the only other viable SASL mechanism that can provide secure session encryption so enable that by defalt as the replacement. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> 2017-03-13 12:15:57 +00:00			`# If using scram-sha-1 for username/passwds, then this is the file`
Added missing sasl config file 2007-12-05 18:21:04 +00:00			`# containing the passwds. Use 'saslpasswd2 -a libvirt [username]'`
daemon: Fix command example in libvirtd.sasl sasldblistusers2 doesn't have a '-a' option 2013-07-09 14:01:55 +00:00			`# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it`
Switch to GSSAPI (kerberos) instead of the insecure DIGEST-MD5 RFC 6331 documents a number of serious security weaknesses in the SASL DIGEST-MD5 mechanism. As such, libvirtd should not by using it as a default mechanism. GSSAPI is the only other viable SASL mechanism that can provide secure session encryption so enable that by defalt as the replacement. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> 2017-03-13 12:15:57 +00:00			`#sasldb_path: /etc/libvirt/passwd.db`