mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-28 08:35:22 +00:00
68d08cf2f2
When the comment in libvirtd.sasl was last updated with
commit fe772f24a6
Author: Cole Robinson <crobinso@redhat.com>
Date: Sat Oct 20 14:10:03 2012 -0400
daemon: Avoid 'Could not find keytab file' in syslog
it was noted that only old versions of kerberos would need the
environment variable to be set: that was more than seven years
ago, so it's safe to assume that none of our current target
platforms still requires that hack and setting the appropriate
key in the configuration file will be enough.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
44 lines
1.6 KiB
Plaintext
44 lines
1.6 KiB
Plaintext
# If you want to use the non-TLS socket, then you *must* pick a
|
|
# mechanism which provides session encryption as well as
|
|
# authentication.
|
|
#
|
|
# If you are only using TLS, then you can turn on any mechanisms
|
|
# you like for authentication, because TLS provides the encryption
|
|
#
|
|
# If you are only using UNIX, sockets then encryption is not
|
|
# required at all.
|
|
#
|
|
# Since SASL is the default for the libvirtd non-TLS socket, we
|
|
# pick a strong mechanism by default.
|
|
#
|
|
# NB, previously DIGEST-MD5 was set as the default mechanism for
|
|
# libvirt. Per RFC 6331 this is vulnerable to many serious security
|
|
# flaws and should no longer be used. Thus GSSAPI is now the default.
|
|
#
|
|
# To use GSSAPI requires that a libvirtd service principal is
|
|
# added to the Kerberos server for each host running libvirtd.
|
|
# This principal needs to be exported to the keytab file listed below
|
|
mech_list: gssapi
|
|
|
|
# If using a TLS socket or UNIX socket only, it is possible to
|
|
# enable plugins which don't provide session encryption. The
|
|
# 'scram-sha-1' plugin allows plain username/password authentication
|
|
# to be performed
|
|
#
|
|
#mech_list: scram-sha-1
|
|
|
|
#
|
|
# You can also list many mechanisms at once, then the user can choose
|
|
# by adding '?auth=sasl.gssapi' to their libvirt URI, eg
|
|
# qemu+tcp://hostname/system?auth=sasl.gssapi
|
|
#mech_list: scram-sha-1 gssapi
|
|
|
|
# File containing the service principal for libvirtd
|
|
#
|
|
keytab: /etc/libvirt/krb5.tab
|
|
|
|
# If using scram-sha-1 for username/passwds, then this is the file
|
|
# containing the passwds. Use 'saslpasswd2 -a libvirt [username]'
|
|
# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it
|
|
#sasldb_path: /etc/libvirt/passwd.db
|