# If you want to use VNC remotely without TLS, then you *must*
# pick a mechanism which provides session encryption as well
# as authentication.
#
# If you are only using TLS, then you can turn on any mechanisms
# you like for authentication, because TLS provides the encryption.
#
# If you are only using UNIX sockets then encryption is not
# required at all.
#
# NB, previously DIGEST-MD5 was set as the default mechanism for
# QEMU VNC. Per RFC 6331 this is vulnerable to many serious security
# flaws and should no longer be used. Thus GSSAPI is now the default.
#
# To use GSSAPI requires that a QEMU service principal is
# added to the Kerberos server for each host running QEMU.
# This principal needs to be exported to the keytab file listed below.
mech_list: gssapi

# If using TLS with VNC, or a UNIX socket only, it is possible to
# enable plugins which don't provide session encryption. The
# 'scram-sha-1' plugin allows plain username/password authentication
# to be performed.
#
#mech_list: scram-sha-1

# You can also list many mechanisms at once, and the VNC server will
# negotiate which to use by considering the list enabled on the VNC
# client.
#mech_list: scram-sha-1 gssapi

# Some older builds of MIT Kerberos on Linux ignore this option &
# instead need the KRB5_KTNAME env var.
# For modern Linux, and other OS, this should be sufficient.
#
# This file needs to be populated with the service principal that
# was created on the Kerberos v5 server. If switching to a non-gssapi
# mechanism this can be commented out.
keytab: /etc/qemu/krb5.tab

# If using scram-sha-1 for username/passwds, then this is the file
# containing the passwds. Use 'saslpasswd2 -a qemu [username]'
# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it.
#sasldb_path: /etc/qemu/passwd.db
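The rules in the comments above (plaintext mechanisms only over TLS or a UNIX socket, DIGEST-MD5 never, a keytab for gssapi, a sasldb for scram-sha-1) can be checked mechanically. The following audit script is an added example, not part of QEMU or of this file; the treatment of the Cyrus SASL 'plain' and 'login' mechanisms as transport-dependent and the sample configs are this example's own assumptions.

```python
"""Audit a QEMU qemu.sasl configuration against the transport in use."""

# Mechanisms that provide session encryption themselves (GSSAPI security layer).
ENCRYPTING_MECHS = {"gssapi"}
# Mechanisms that rely on the transport for confidentiality;
# acceptable only over TLS or a UNIX socket ('plain'/'login' assumed, not in qemu.sasl).
PLAINTEXT_MECHS = {"scram-sha-1", "plain", "login"}
# Deprecated per RFC 6331; flagged regardless of transport.
DEPRECATED_MECHS = {"digest-md5"}


def parse_sasl_conf(text):
    """Parse Cyrus SASL 'key: value' lines, ignoring comments and blank lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip().lower()] = value.strip()
    return conf


def audit_sasl_conf(text, transport):
    """Return a list of findings; transport is 'tcp', 'tls' or 'unix'."""
    conf = parse_sasl_conf(text)
    mechs = conf.get("mech_list", "").lower().split()
    findings = []
    if not mechs:
        findings.append("mech_list is empty: no SASL mechanism is enabled")
    for mech in mechs:
        if mech in DEPRECATED_MECHS:
            findings.append(f"{mech} is deprecated (RFC 6331) and must not be used")
        elif mech in PLAINTEXT_MECHS and transport == "tcp":
            findings.append(f"{mech} offers no session encryption; requires TLS or a UNIX socket")
        elif mech not in ENCRYPTING_MECHS | PLAINTEXT_MECHS:
            findings.append(f"{mech} is unknown to this audit; review manually")
    if "gssapi" in mechs and "keytab" not in conf:
        findings.append("gssapi enabled but no keytab configured")
    if "scram-sha-1" in mechs and "sasldb_path" not in conf:
        findings.append("scram-sha-1 enabled but no sasldb_path configured")
    return findings


# Constructed sample configurations (not taken from the QEMU tree).
WEAK_CONF = "mech_list: scram-sha-1 digest-md5\n"
HARDENED_CONF = "mech_list: gssapi\nkeytab: /etc/qemu/krb5.tab\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_sasl_conf(conf, "tcp") or ["OK"])
```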