External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-02-12 14:41:29 +00:00
Code Issues Packages Projects Releases Wiki Activity
libvirt/src/remote/libvirtd.sasl
Daniel P. Berrangé 0a92f70c8f docs: stop mentioning insecure / broken SASL mechanisms 
We don't need to go to the trouble of telling users about existance of
insecure SASL mechanisms only to then say that they shouldn't be used.
We should only tell people about the GSSAPI mechanism for TCP sockets.

For the SCRAM mechanism we should be telling people about the SHA256
variant only, and also warning that the password database stores the
passwords in clear text.

Reviewed-by: Erik Skultety <eskultet@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2021-03-17 09:31:57 +00:00

45 lines
1.7 KiB
Plaintext
Raw Blame History

# If you want to use the non-TLS socket, then you *must* pick a
# mechanism which provides session encryption as well as
# authentication.
#
# If you are only using TLS, then you can turn on any mechanisms
# you like for authentication, because TLS provides the encryption
#
# If you are only using UNIX, sockets then encryption is not
# required at all.
#
# Since SASL is the default for the libvirtd non-TLS socket, we
# pick a strong mechanism by default.
#
# NB, previously DIGEST-MD5 was set as the default mechanism for
# libvirt. Per RFC 6331 this is vulnerable to many serious security
# flaws and should no longer be used. Thus GSSAPI is now the default.
#
# To use GSSAPI requires that a libvirtd service principal is
# added to the Kerberos server for each host running libvirtd.
# This principal needs to be exported to the keytab file listed below
mech_list: gssapi
# If using a TLS socket or UNIX socket only, it is possible to
# enable plugins which don't provide session encryption. The
# 'scram-sha-256' plugin allows plain username/password authentication
# to be performed
#
#mech_list: scram-sha-256
#
# You can also list many mechanisms at once, then the user can choose
# by adding '?auth=sasl.gssapi' to their libvirt URI, eg
# qemu+tcp://hostname/system?auth=sasl.gssapi
#mech_list: scram-sha-256 gssapi
# File containing the service principal for libvirtd
#
keytab: /etc/libvirt/krb5.tab
# If using scram-sha-256 for username/passwds, then this is the file
# containing the passwds. Use 'saslpasswd2 -a libvirt [username]'
# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it.
# Note that this file stores passwords in clear text.
#sasldb_path: /etc/libvirt/passwd.db
Reference in New Issue View Git Blame Copy Permalink