Rev 192 | Blame | Compare with Previous | Last modification | View Log | RSS feed
# If you want to use VNC remotely without TLS, then you *must*# pick a mechanism which provides session encryption as well# as authentication.## If you are only using TLS, then you can turn on any mechanisms# you like for authentication, because TLS provides the encryption## If you are only using UNIX sockets then encryption is not# required at all.## NB, previously DIGEST-MD5 was set as the default mechanism for# QEMU VNC. Per RFC 6331 this is vulnerable to many serious security# flaws as should no longer be used. Thus GSSAPI is now the default.## To use GSSAPI requires that a QEMU service principal is# added to the Kerberos server for each host running QEMU.# This principal needs to be exported to the keytab file listed belowmech_list: gssapi# If using TLS with VNC, or a UNIX socket only, it is possible to# enable plugins which don't provide session encryption. The# 'scram-sha-256' plugin allows plain username/password authentication# to be performed##mech_list: scram-sha-256# You can also list many mechanisms at once, and the VNC server will# negotiate which to use by considering the list enabled on the VNC# client.#mech_list: scram-sha-256 gssapi# This file needs to be populated with the service principal that# was created on the Kerberos v5 server. If switching to a non-gssapi# mechanism this can be commented out.keytab: /etc/qemu/krb5.tab# If using scram-sha-256 for username/passwds, then this is the file# containing the passwds. Use 'saslpasswd2 -a qemu [username]'# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it.# Note that this file stores passwords in clear text.#sasldb_path: /etc/qemu/passwd.db