Subversion Repositories configs

Rev

Go to most recent revision | Details | Last modification | View Log | RSS feed

Rev Author Line No. Line
192 - 1
# If you want to use the non-TLS socket, then you *must* pick a
2
# mechanism which provides session encryption as well as
3
# authentication.
4
#
5
# If you are only using TLS, then you can turn on any mechanisms
6
# you like for authentication, because TLS provides the encryption
7
#
8
# If you are only using UNIX, sockets then encryption is not
9
# required at all.
10
#
11
# Since SASL is the default for the libvirtd non-TLS socket, we
12
# pick a strong mechanism by default.
13
#
14
# NB, previously DIGEST-MD5 was set as the default mechanism for
15
# libvirt. Per RFC 6331 this is vulnerable to many serious security
16
# flaws and should no longer be used. Thus GSSAPI is now the default.
17
#
18
# To use GSSAPI requires that a libvirtd service principal is
19
# added to the Kerberos server for each host running libvirtd.
20
# This principal needs to be exported to the keytab file listed below
21
mech_list: gssapi
22
 
23
# If using a TLS socket or UNIX socket only, it is possible to
24
# enable plugins which don't provide session encryption. The
25
# 'scram-sha-1' plugin allows plain username/password authentication
26
# to be performed
27
#
28
#mech_list: scram-sha-1
29
 
30
#
31
# You can also list many mechanisms at once, then the user can choose
32
# by adding  '?auth=sasl.gssapi' to their libvirt URI, eg
33
#   qemu+tcp://hostname/system?auth=sasl.gssapi
34
#mech_list: scram-sha-1 gssapi
35
 
36
# Some older builds of MIT kerberos on Linux ignore this option &
37
# instead need KRB5_KTNAME env var.
38
# For modern Linux, and other OS, this should be sufficient
39
#
40
keytab: /etc/libvirt/krb5.tab
41
 
42
# If using scram-sha-1 for username/passwds, then this is the file
43
# containing the passwds. Use 'saslpasswd2 -a libvirt [username]'
44
# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it
45
#sasldb_path: /etc/libvirt/passwd.db