docs/system/vnc-security.rst

23 This ensures that only users on local box with read/write access to that
30 With passwords
41 is requested with the ``password`` option, and then once QEMU is running
42 the password is set with the monitor. Until the monitor is used to set
54 With x509 certificates
75 with file mode 0600 to only be readable by the user owning it.
79 With x509 certificates and client verification
85 This is a good choice if deploying in an environment with a private
87 but with ``verify-peer`` set to ``on`` instead.
97 With x509 certificates, client verification and passwords
100 Finally, the previous method can be combined with VNC password
114 With SASL authentication
119 integration with a wide range of authentication mechanisms, such as PAM,
127 can be launched with:
135 With x509 certificates and SASL authentication
139 layers, then it is strongly advised to run it in combination with TLS
142 enabled, by combining the 'sasl' option with the aforementioned TLS +
173 support session encryption, so can only be used in combination with TLS.
182 This says to use the 'GSSAPI' mechanism with the Kerberos v5 protocol,
183 with the server principal stored in /etc/qemu/krb5.tab. For this to work
185 server, with a name of 'qemu/somehost.example.com@EXAMPLE.COM' replacing
186 'somehost.example.com' with the fully qualified host name of the machine
187 running QEMU, and 'EXAMPLE.COM' with the Kerberos Realm.
198 file with accounts. Note that the ``passwd.db`` file stores passwords
202 Note that all mechanisms, except GSSAPI, should be combined with use of