qemu/qemu.sasl
<<
>>
Prefs
   1# If you want to use VNC remotely without TLS, then you *must*
   2# pick a mechanism which provides session encryption as well
   3# as authentication.
   4#
   5# If you are only using TLS, then you can turn on any mechanisms
   6# you like for authentication, because TLS provides the encryption
   7#
   8# If you are only using UNIX sockets then encryption is not
   9# required at all.
  10#
  11# NB, previously DIGEST-MD5 was set as the default mechanism for
  12# QEMU VNC. Per RFC 6331 this is vulnerable to many serious security
  13# flaws as should no longer be used. Thus GSSAPI is now the default.
  14#
  15# To use GSSAPI requires that a QEMU service principal is
  16# added to the Kerberos server for each host running QEMU.
  17# This principal needs to be exported to the keytab file listed below
  18mech_list: gssapi
  19
  20# If using TLS with VNC, or a UNIX socket only, it is possible to
  21# enable plugins which don't provide session encryption. The
  22# 'scram-sha-256' plugin allows plain username/password authentication
  23# to be performed
  24#
  25#mech_list: scram-sha-256
  26
  27# You can also list many mechanisms at once, and the VNC server will
  28# negotiate which to use by considering the list enabled on the VNC
  29# client.
  30#mech_list: scram-sha-256 gssapi
  31
  32# This file needs to be populated with the service principal that
  33# was created on the Kerberos v5 server. If switching to a non-gssapi
  34# mechanism this can be commented out.
  35keytab: /etc/qemu/krb5.tab
  36
  37# If using scram-sha-256 for username/passwds, then this is the file
  38# containing the passwds. Use 'saslpasswd2 -a qemu [username]'
  39# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it.
  40# Note that this file stores passwords in clear text.
  41#sasldb_path: /etc/qemu/passwd.db
  42