1# If you want to use VNC remotely without TLS, then you *must* 2# pick a mechanism which provides session encryption as well 3# as authentication. 4# 5# If you are only using TLS, then you can turn on any mechanisms 6# you like for authentication, because TLS provides the encryption 7# 8# If you are only using UNIX sockets then encryption is not 9# required at all. 10# 11# NB, previously DIGEST-MD5 was set as the default mechanism for 12# QEMU VNC. Per RFC 6331 this is vulnerable to many serious security 13# flaws as should no longer be used. Thus GSSAPI is now the default. 14# 15# To use GSSAPI requires that a QEMU service principal is 16# added to the Kerberos server for each host running QEMU. 17# This principal needs to be exported to the keytab file listed below 18mech_list: gssapi 19 20# If using TLS with VNC, or a UNIX socket only, it is possible to 21# enable plugins which don't provide session encryption. The 22# 'scram-sha-1' plugin allows plain username/password authentication 23# to be performed 24# 25#mech_list: scram-sha-1 26 27# You can also list many mechanisms at once, and the VNC server will 28# negotiate which to use by considering the list enabled on the VNC 29# client. 30#mech_list: scram-sha-1 gssapi 31 32# Some older builds of MIT kerberos on Linux ignore this option & 33# instead need KRB5_KTNAME env var. 34# For modern Linux, and other OS, this should be sufficient 35# 36# This file needs to be populated with the service principal that 37# was created on the Kerberos v5 server. If switching to a non-gssapi 38# mechanism this can be commented out. 39keytab: /etc/qemu/krb5.tab 40 41# If using scram-sha-1 for username/passwds, then this is the file 42# containing the passwds. Use 'saslpasswd2 -a qemu [username]' 43# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it 44#sasldb_path: /etc/qemu/passwd.db 45