# If you want to use VNC remotely without TLS, then you *must*
# pick a mechanism which provides session encryption as well
# as authentication.
#
# If you are only using TLS, then you can turn on any mechanisms
# you like for authentication, because TLS provides the encryption.
#
# If you are only using UNIX sockets then encryption is not
# required at all.
#
# NB, previously DIGEST-MD5 was set as the default mechanism for
# QEMU VNC. Per RFC 6331 this is vulnerable to many serious security
# flaws and should no longer be used. Thus GSSAPI is now the default.
#
# To use GSSAPI requires that a QEMU service principal is
# added to the Kerberos server for each host running QEMU.
# This principal needs to be exported to the keytab file listed below.
mech_list: gssapi

# If using TLS with VNC, or a UNIX socket only, it is possible to
# enable plugins which don't provide session encryption. The
# 'scram-sha-256' plugin allows plain username/password authentication
# to be performed.
#
#mech_list: scram-sha-256

# You can also list many mechanisms at once, and the VNC server will
# negotiate which to use by considering the list enabled on the VNC
# client.
#mech_list: scram-sha-256 gssapi

# Some older builds of MIT kerberos on Linux ignore this option &
# instead need the KRB5_KTNAME env var.
# For modern Linux, and other OS, this should be sufficient.
#
# This file needs to be populated with the service principal that
# was created on the Kerberos v5 server. If switching to a non-gssapi
# mechanism this can be commented out.
keytab: /etc/qemu/krb5.tab

# If using scram-sha-256 for username/passwords, then this is the file
# containing the passwords. Use 'saslpasswd2 -a qemu [username]'
# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it.
# Note that this file stores passwords in clear text.
#sasldb_path: /etc/qemu/passwd.db
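The rules spelled out in the comments above (a mechanism without session encryption is only acceptable behind TLS or a UNIX socket, DIGEST-MD5 is deprecated per RFC 6331, gssapi needs a keytab, the sasldb is clear text) can be checked mechanically. The following is an added example, not part of QEMU or the file itself; the sample config is constructed, and the choice of which mechanisms count as "no session encryption" is an assumption.

```python
# Mechanisms that do not encrypt the session themselves; per the config
# comments they are only acceptable behind TLS or over a UNIX socket.
# (Assumed set; extend for other SASL plugins you deploy.)
NO_SESSION_ENCRYPTION = {"scram-sha-256", "scram-sha-1", "plain", "login"}
# Old QEMU default, deprecated per RFC 6331.
DEPRECATED = {"digest-md5"}


def parse_sasl_conf(text):
    """Parse 'key: value' lines of a qemu.sasl-style file; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # '#mech_list: ...' is commented out
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_mech_list(text, tls_enabled, unix_socket=False):
    """Return findings for the config given how the VNC server is reachable."""
    conf = parse_sasl_conf(text)
    mechs = conf.get("mech_list", "").lower().split()
    findings = []
    if not mechs:
        findings.append("no mech_list set")
    for m in mechs:
        if m in DEPRECATED:
            findings.append(f"{m}: deprecated per RFC 6331, remove it")
        if m in NO_SESSION_ENCRYPTION and not (tls_enabled or unix_socket):
            findings.append(f"{m}: no session encryption; requires TLS or a UNIX socket")
    if "gssapi" in mechs and "keytab" not in conf:
        findings.append("gssapi enabled but no keytab configured")
    if "sasldb_path" in conf:
        findings.append(f"sasldb_path {conf['sasldb_path']}: clear-text passwords, "
                        "restrict file permissions")
    return findings


# Constructed sample: both mechanisms enabled, password db uncommented.
SAMPLE_CONF = """\
mech_list: scram-sha-256 gssapi
keytab: /etc/qemu/krb5.tab
sasldb_path: /etc/qemu/passwd.db
"""

if __name__ == "__main__":
    for finding in audit_mech_list(SAMPLE_CONF, tls_enabled=False):
        print(finding)
```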