blob: 851acc7e8f255bc55ea539ba9582dec960021a1f [file] [log] [blame]
Daniel P. Berrangec6a9a9f2017-03-15 11:53:22 +00001# If you want to use VNC remotely without TLS, then you *must*
2# pick a mechanism which provides session encryption as well
3# as authentication.
aliguori2f9606b2009-03-06 20:27:28 +00004#
Daniel P. Berrangec6a9a9f2017-03-15 11:53:22 +00005# If you are only using TLS, then you can turn on any mechanisms
aliguori2f9606b2009-03-06 20:27:28 +00006# you like for authentication, because TLS provides the encryption
7#
Daniel P. Berrangec6a9a9f2017-03-15 11:53:22 +00008# If you are only using UNIX sockets then encryption is not
9# required at all.
aliguori2f9606b2009-03-06 20:27:28 +000010#
Daniel P. Berrangec6a9a9f2017-03-15 11:53:22 +000011# NB, previously DIGEST-MD5 was set as the default mechanism for
12# QEMU VNC. Per RFC 6331 this is vulnerable to many serious security
13# flaws as should no longer be used. Thus GSSAPI is now the default.
14#
15# To use GSSAPI requires that a QEMU service principal is
16# added to the Kerberos server for each host running QEMU.
17# This principal needs to be exported to the keytab file listed below
18mech_list: gssapi
19
20# If using TLS with VNC, or a UNIX socket only, it is possible to
21# enable plugins which don't provide session encryption. The
Daniel P. Berrangée2bf32d2021-03-04 18:14:26 +000022# 'scram-sha-256' plugin allows plain username/password authentication
Daniel P. Berrangec6a9a9f2017-03-15 11:53:22 +000023# to be performed
24#
Daniel P. Berrangée2bf32d2021-03-04 18:14:26 +000025#mech_list: scram-sha-256
Daniel P. Berrangec6a9a9f2017-03-15 11:53:22 +000026
27# You can also list many mechanisms at once, and the VNC server will
28# negotiate which to use by considering the list enabled on the VNC
29# client.
Daniel P. Berrangée2bf32d2021-03-04 18:14:26 +000030#mech_list: scram-sha-256 gssapi
aliguori2f9606b2009-03-06 20:27:28 +000031
Daniel P. Berrangec6a9a9f2017-03-15 11:53:22 +000032# This file needs to be populated with the service principal that
33# was created on the Kerberos v5 server. If switching to a non-gssapi
34# mechanism this can be commented out.
35keytab: /etc/qemu/krb5.tab
aliguori2f9606b2009-03-06 20:27:28 +000036
Daniel P. Berrangée2bf32d2021-03-04 18:14:26 +000037# If using scram-sha-256 for username/passwds, then this is the file
aliguori2f9606b2009-03-06 20:27:28 +000038# containing the passwds. Use 'saslpasswd2 -a qemu [username]'
Daniel P. Berrangée2bf32d2021-03-04 18:14:26 +000039# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it.
40# Note that this file stores passwords in clear text.
Daniel P. Berrangec6a9a9f2017-03-15 11:53:22 +000041#sasldb_path: /etc/qemu/passwd.db