Daniel P. Berrange | c6a9a9f | 2017-03-15 11:53:22 +0000 | [diff] [blame] | 1 | # If you want to use VNC remotely without TLS, then you *must* |
# pick a mechanism which provides session encryption as well
# as authentication.
#
# If you are only using TLS, then you can turn on any mechanisms
# you like for authentication, because TLS provides the encryption.
#
# If you are only using UNIX sockets then encryption is not
# required at all.
#
# NB, previously DIGEST-MD5 was set as the default mechanism for
# QEMU VNC. Per RFC 6331 this is vulnerable to many serious security
# flaws and should no longer be used. Thus GSSAPI is now the default.
#
# Using GSSAPI requires that a QEMU service principal be added to
# the Kerberos server for each host running QEMU. This principal
# needs to be exported to the keytab file listed below.
mech_list: gssapi

# If using TLS with VNC, or a UNIX socket only, it is possible to
# enable plugins which don't provide session encryption. The
# 'scram-sha-256' plugin allows username/password authentication
# to be performed; it negotiates no SASL security layer of its own,
# so it relies on TLS or the UNIX socket for confidentiality.
#
#mech_list: scram-sha-256

# You can also list many mechanisms at once, and the VNC server will
# negotiate which to use by considering the list enabled on the VNC
# client.
#mech_list: scram-sha-256 gssapi

# This file needs to be populated with the service principal that
# was created on the Kerberos v5 server. If switching to a non-gssapi
# mechanism this can be commented out.
keytab: /etc/qemu/krb5.tab

# If using scram-sha-256 for username/passwords, then this is the file
# containing the passwords. Use 'saslpasswd2 -a qemu [username]'
# to add entries (pass '-f [sasldb_path]' as well, otherwise it writes
# to the system default sasldb), and 'sasldblistusers2 -f [sasldb_path]'
# to browse it. Note that this file stores passwords in clear text,
# so keep its permissions restricted to the user QEMU runs as.
#sasldb_path: /etc/qemu/passwd.db
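The comments above amount to a small policy: a remote listener without TLS may only offer mechanisms that encrypt the session, TLS or a UNIX socket lifts that restriction, DIGEST-MD5 is out regardless, and gssapi needs a keytab. The checker below is an added example, not QEMU's code or part of this file: it parses a config in the same 'key: value' form and reports which of those rules a given file breaks for a given deployment. The `transport` and `tls` arguments are assumptions the reader supplies from their `-vnc` command line; the classification of mechanisms other than gssapi, scram-sha-256 and digest-md5 is taken from the mechanism specifications, not from this file, and the sample configs are constructed for the demo.

```python
# Added example: review aid for a QEMU-style SASL config. Not QEMU code.
import io

# Mechanisms that negotiate their own SASL security layer (session encryption).
ENCRYPTING_MECHS = {"gssapi"}
# Mechanisms that only authenticate; the link must already be protected.
# (Assumption: scram-sha-1, plain, login, anonymous are classified from their
# specs; only scram-sha-256 is discussed in the file above.)
NON_ENCRYPTING_MECHS = {"scram-sha-256", "scram-sha-1", "plain", "login", "anonymous"}
# Historic mechanisms the file says must not be used at all (RFC 6331).
HISTORIC_MECHS = {"digest-md5"}


def parse_sasl_conf(text):
    """Parse 'key: value' lines. Blank lines and lines starting with '#'
    are ignored, so a '#mech_list: ...' line stays disabled. If a key
    repeats, the last value wins in this checker."""
    conf = {}
    for raw in io.StringIO(text):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {line!r}")
        key, value = line.split(":", 1)
        conf[key.strip().lower()] = value.strip()
    return conf


def check_vnc_sasl(conf, transport, tls=False):
    """Return the list of problems with `conf` for a VNC server reached over
    `transport` ('tcp' = remote listener, 'unix' = UNIX socket), with `tls`
    saying whether the VNC server itself has TLS enabled. [] means OK."""
    findings = []
    mechs = conf.get("mech_list", "").lower().split()
    if not mechs:
        findings.append("mech_list missing: libsasl would offer every installed plugin")
    for m in mechs:
        if m in HISTORIC_MECHS:
            findings.append(f"{m} is listed; RFC 6331 says it must no longer be used")
        elif m not in ENCRYPTING_MECHS | NON_ENCRYPTING_MECHS:
            findings.append(f"unknown mechanism {m!r}; cannot tell whether it encrypts")
    link_protected = tls or transport == "unix"
    if not link_protected:
        weak = [m for m in mechs if m in NON_ENCRYPTING_MECHS]
        if weak:
            findings.append("remote VNC without TLS offers mechanisms with no "
                            "session encryption: " + " ".join(weak))
    if "gssapi" in mechs and "keytab" not in conf:
        findings.append("gssapi enabled but no 'keytab:' for the service principal")
    return findings


# Constructed sample configs covering the deployments the comments describe.
WEAK_REMOTE = "mech_list: scram-sha-256\nsasldb_path: /etc/qemu/passwd.db\n"
OLD_DEFAULT = "mech_list: digest-md5\n"
GSSAPI_REMOTE = "mech_list: gssapi\nkeytab: /etc/qemu/krb5.tab\n"
MIXED = ("mech_list: scram-sha-256 gssapi\n"
         "keytab: /etc/qemu/krb5.tab\n"
         "sasldb_path: /etc/qemu/passwd.db\n")


def audit_all():
    """Run every sample through the three deployment modes.
    Returns {(name, transport, tls): findings}."""
    samples = {"weak_remote": WEAK_REMOTE, "old_default": OLD_DEFAULT,
               "gssapi_remote": GSSAPI_REMOTE, "mixed": MIXED}
    modes = [("tcp", False), ("tcp", True), ("unix", False)]
    return {(name, transport, tls): check_vnc_sasl(parse_sasl_conf(text), transport, tls)
            for name, text in samples.items() for transport, tls in modes}


if __name__ == "__main__":
    for (name, transport, tls), findings in audit_all().items():
        mode = transport + (" +tls" if tls else "")
        print(f"{name:14} {mode:9} {'OK' if not findings else '; '.join(findings)}")
```

Running it shows `scram-sha-256` alone is flagged only for the plain TCP case and passes once TLS or a UNIX socket protects the link, while `digest-md5` is flagged in every mode. This is a pre-deployment review aid; what QEMU actually negotiates at runtime is decided by QEMU and libsasl, not by this script.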