# If you want to use VNC remotely without TLS, then you *must*
# pick a mechanism which provides session encryption as well
# as authentication.
#
# If you are only using TLS, then you can turn on any mechanisms
# you like for authentication, because TLS provides the encryption.
#
# If you are only using UNIX sockets then encryption is not
# required at all.
#
# NB, previously DIGEST-MD5 was set as the default mechanism for
# QEMU VNC. Per RFC 6331 this is vulnerable to many serious security
# flaws and should no longer be used. Thus GSSAPI is now the default.
#
# To use GSSAPI requires that a QEMU service principal is
# added to the Kerberos server for each host running QEMU.
# This principal needs to be exported to the keytab file listed below.
mech_list: gssapi

# If using TLS with VNC, or a UNIX socket only, it is possible to
# enable plugins which don't provide session encryption. The
# 'scram-sha-256' plugin allows plain username/password authentication
# to be performed.
#
#mech_list: scram-sha-256

# You can also list many mechanisms at once, and the VNC server will
# negotiate which to use by considering the list enabled on the VNC
# client.
#mech_list: scram-sha-256 gssapi

# This file needs to be populated with the service principal that
# was created on the Kerberos v5 server. If switching to a non-gssapi
# mechanism this can be commented out.
keytab: /etc/qemu/krb5.tab

# If using scram-sha-256 for username/passwords, then this is the file
# containing the passwords. Use 'saslpasswd2 -a qemu [username]'
# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it.
# Note that this file stores passwords in clear text.
#sasldb_path: /etc/qemu/passwd.db
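The comments above state three rules an operator has to get right by hand: a mechanism without its own session encryption (scram-sha-256) is only safe behind TLS or on a UNIX socket, gssapi needs the keytab, and the sasldb file holds clear-text passwords so it must not be readable by other users. The following POSIX sh function is an added example, not part of QEMU or the cyrus-sasl tooling, that reads a file in this format and checks those rules before the VNC server is started. The function name, the transport argument values (`tls`, `unix`, `tcp`), the list of encrypting mechanisms (taken from the comments above) and any sample configs are assumptions made here.

```shell
#!/bin/sh
# Added example (not QEMU's own code): audit a QEMU SASL config against
# the rules stated in the comments of the config file itself.
#
#   check_qemu_sasl_conf <conf-file> <transport>
#
# <transport> is how VNC clients reach the server (assumed labels):
#   tls  - VNC with TLS enabled        (transport encrypts)
#   unix - VNC on a UNIX socket only   (never leaves the host)
#   tcp  - VNC on plain TCP            (mechanism must encrypt)
# Prints one finding per line; returns 0 if clean, 1 otherwise.

# Mechanisms that provide session encryption on their own. The file's
# comments name gssapi as such and scram-sha-256 as not; this list is
# our assumption derived from that guidance.
ENCRYPTING_MECHS="gssapi"

# Print the last active (uncommented) value of a key, e.g. "mech_list".
# Commented-out lines such as "#mech_list: ..." are deliberately skipped.
sasl_conf_get() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | tail -n 1
}

check_qemu_sasl_conf() {
    conf=$1
    transport=$2
    rc=0
    mechs=$(sasl_conf_get "$conf" mech_list)
    keytab=$(sasl_conf_get "$conf" keytab)
    sasldb=$(sasl_conf_get "$conf" sasldb_path)

    if [ -z "$mechs" ]; then
        echo "no active mech_list in $conf"
        return 1
    fi

    for m in $mechs; do
        case " $ENCRYPTING_MECHS " in
            *" $m "*) ;;   # mechanism encrypts the session itself
            *)
                # Non-encrypting mechanism: acceptable only when the
                # transport already encrypts (tls) or is local (unix).
                if [ "$transport" = tcp ]; then
                    echo "mechanism '$m' has no session encryption and VNC is plain TCP"
                    rc=1
                fi
                ;;
        esac
        if [ "$m" = gssapi ] && [ -z "$keytab" ]; then
            echo "gssapi enabled but no keytab configured"
            rc=1
        fi
        if [ "$m" = scram-sha-256 ] && [ -z "$sasldb" ]; then
            echo "scram-sha-256 enabled but no sasldb_path configured"
            rc=1
        fi
    done

    # The sasldb stores passwords in clear text: require owner-only mode.
    if [ -n "$sasldb" ] && [ -e "$sasldb" ]; then
        perms=$(stat -c %a "$sasldb" 2>/dev/null || stat -f %Lp "$sasldb")
        case "$perms" in
            *00) ;;   # e.g. 600 or 400: no group/other bits set
            *)
                echo "sasldb $sasldb has mode $perms; expected owner-only (e.g. 600)"
                rc=1
                ;;
        esac
    fi
    return $rc
}
```

Run it as `check_qemu_sasl_conf /etc/sasl2/qemu.conf tcp` (or `tls` / `unix` to match how the VNC server is actually exposed) from a deployment script; a non-zero exit should block the service from starting. The mode check uses `stat -c %a` on Linux and falls back to `stat -f %Lp` on BSD-style systems.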