Subversion Repositories configs

# If you want to use VNC remotely without TLS, then you *must*

# pick a mechanism which provides session encryption as well

# as authentication.

#

# If you are only using TLS, then you can turn on any mechanisms

# you like for authentication, because TLS provides the encryption

#

# If you are only using UNIX sockets then encryption is not

# required at all.

#

# NB, previously DIGEST-MD5 was set as the default mechanism for

# QEMU VNC. Per RFC 6331 this is vulnerable to many serious security

# flaws as should no longer be used. Thus GSSAPI is now the default.

#

# To use GSSAPI requires that a QEMU service principal is

# added to the Kerberos server for each host running QEMU.

# This principal needs to be exported to the keytab file listed below

mech_list: gssapi

# If using TLS with VNC, or a UNIX socket only, it is possible to

# enable plugins which don't provide session encryption. The

# 'scram-sha-1' plugin allows plain username/password authentication

# to be performed

#

#mech_list: scram-sha-1

# You can also list many mechanisms at once, and the VNC server will

# negotiate which to use by considering the list enabled on the VNC

# client.

#mech_list: scram-sha-1 gssapi

# Some older builds of MIT kerberos on Linux ignore this option &

# instead need KRB5_KTNAME env var.

# For modern Linux, and other OS, this should be sufficient

#

# This file needs to be populated with the service principal that

# was created on the Kerberos v5 server. If switching to a non-gssapi

# mechanism this can be commented out.

keytab: /etc/qemu/krb5.tab

# If using scram-sha-1 for username/passwds, then this is the file

# containing the passwds. Use 'saslpasswd2 -a qemu [username]'

# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it

#sasldb_path: /etc/qemu/passwd.db