192 |
- |
1 |
# If you want to use the non-TLS socket, then you *must* pick a
|
|
|
2 |
# mechanism which provides session encryption as well as
|
|
|
3 |
# authentication.
|
|
|
4 |
#
|
|
|
5 |
# If you are only using TLS, then you can turn on any mechanisms
|
|
|
6 |
# you like for authentication, because TLS provides the encryption
|
|
|
7 |
#
|
|
|
8 |
# If you are only using UNIX, sockets then encryption is not
|
|
|
9 |
# required at all.
|
|
|
10 |
#
|
|
|
11 |
# Since SASL is the default for the libvirtd non-TLS socket, we
|
|
|
12 |
# pick a strong mechanism by default.
|
|
|
13 |
#
|
|
|
14 |
# NB, previously DIGEST-MD5 was set as the default mechanism for
|
|
|
15 |
# libvirt. Per RFC 6331 this is vulnerable to many serious security
|
|
|
16 |
# flaws and should no longer be used. Thus GSSAPI is now the default.
|
|
|
17 |
#
|
|
|
18 |
# To use GSSAPI requires that a libvirtd service principal is
|
|
|
19 |
# added to the Kerberos server for each host running libvirtd.
|
|
|
20 |
# This principal needs to be exported to the keytab file listed below
|
|
|
21 |
mech_list: gssapi
|
|
|
22 |
|
|
|
23 |
# If using a TLS socket or UNIX socket only, it is possible to
|
|
|
24 |
# enable plugins which don't provide session encryption. The
|
|
|
25 |
# 'scram-sha-1' plugin allows plain username/password authentication
|
|
|
26 |
# to be performed
|
|
|
27 |
#
|
|
|
28 |
#mech_list: scram-sha-1
|
|
|
29 |
|
|
|
30 |
#
|
|
|
31 |
# You can also list many mechanisms at once, then the user can choose
|
|
|
32 |
# by adding '?auth=sasl.gssapi' to their libvirt URI, eg
|
|
|
33 |
# qemu+tcp://hostname/system?auth=sasl.gssapi
|
|
|
34 |
#mech_list: scram-sha-1 gssapi
|
|
|
35 |
|
|
|
36 |
# Some older builds of MIT kerberos on Linux ignore this option &
|
|
|
37 |
# instead need KRB5_KTNAME env var.
|
|
|
38 |
# For modern Linux, and other OS, this should be sufficient
|
|
|
39 |
#
|
|
|
40 |
keytab: /etc/libvirt/krb5.tab
|
|
|
41 |
|
|
|
42 |
# If using scram-sha-1 for username/passwds, then this is the file
|
|
|
43 |
# containing the passwds. Use 'saslpasswd2 -a libvirt [username]'
|
|
|
44 |
# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it
|
|
|
45 |
#sasldb_path: /etc/libvirt/passwd.db
|