root / qemu.sasl @ d7582078
History | View | Annotate | Download (1.3 kB)
1 |
# If you want to use the non-TLS socket, then you *must* include |
---|---|
2 |
# the GSSAPI or DIGEST-MD5 mechanisms, because they are the only |
3 |
# ones that can offer session encryption as well as authentication. |
4 |
# |
5 |
# If you're only using TLS, then you can turn on any mechanisms |
6 |
# you like for authentication, because TLS provides the encryption |
7 |
# |
8 |
# Default to a simple username+password mechanism |
9 |
# NB digest-md5 is no longer considered secure by current standards |
10 |
mech_list: digest-md5 |
11 |
|
12 |
# Before you can use GSSAPI, you need a service principle on the |
13 |
# KDC server for libvirt, and that to be exported to the keytab |
14 |
# file listed below |
15 |
#mech_list: gssapi |
16 |
# |
17 |
# You can also list many mechanisms at once, then the user can choose |
18 |
# by adding '?auth=sasl.gssapi' to their libvirt URI, eg |
19 |
# qemu+tcp://hostname/system?auth=sasl.gssapi |
20 |
#mech_list: digest-md5 gssapi |
21 |
|
22 |
# Some older builds of MIT kerberos on Linux ignore this option & |
23 |
# instead need KRB5_KTNAME env var. |
24 |
# For modern Linux, and other OS, this should be sufficient |
25 |
keytab: /etc/qemu/krb5.tab |
26 |
|
27 |
# If using digest-md5 for username/passwds, then this is the file |
28 |
# containing the passwds. Use 'saslpasswd2 -a qemu [username]' |
29 |
# to add entries, and 'sasldblistusers2 -a qemu' to browse it |
30 |
sasldb_path: /etc/qemu/passwd.db |
31 |
|
32 |
|
33 |
auxprop_plugin: sasldb |
34 |
|