1# If you want to use the non-TLS socket, then you *must* include 2# the GSSAPI or DIGEST-MD5 mechanisms, because they are the only 3# ones that can offer session encryption as well as authentication. 4# 5# If you're only using TLS, then you can turn on any mechanisms 6# you like for authentication, because TLS provides the encryption 7# 8# Default to a simple username+password mechanism 9# NB digest-md5 is no longer considered secure by current standards 10mech_list: digest-md5 11 12# Before you can use GSSAPI, you need a service principle on the 13# KDC server for libvirt, and that to be exported to the keytab 14# file listed below 15#mech_list: gssapi 16# 17# You can also list many mechanisms at once, then the user can choose 18# by adding '?auth=sasl.gssapi' to their libvirt URI, eg 19# qemu+tcp://hostname/system?auth=sasl.gssapi 20#mech_list: digest-md5 gssapi 21 22# Some older builds of MIT kerberos on Linux ignore this option & 23# instead need KRB5_KTNAME env var. 24# For modern Linux, and other OS, this should be sufficient 25keytab: /etc/qemu/krb5.tab 26 27# If using digest-md5 for username/passwds, then this is the file 28# containing the passwds. Use 'saslpasswd2 -a qemu [username]' 29# to add entries, and 'sasldblistusers2 -a qemu' to browse it 30sasldb_path: /etc/qemu/passwd.db 31 32 33auxprop_plugin: sasldb 34 35