On 18/12/07 11:57, Daniel P. Berrangé wrote:
> On Fri, Dec 07, 2018 at 12:25:18PM +0100, Tomasz Barański wrote:
> > Hello
> >
> > I'm working on supporting VNC console on FIPS-enabled oVirt hosts[1]. I
> > made qemu use SASL as authentication method instead of regular passwords.
> > However, no matter what I do, I can't get it to accept credentials provided
> > with a VNC client.
> >
> > Is there a way to get some qemu/SASL logs? I need to understand why the
> > credentials are not accepted.
> >
> > Any pointers to docs/code/old bugs appreciated.
>
> There's not much in the way of debugging with SASL server side.
> Client side you can use --gtk-vnc-debug arg to virt-viewer to see
> messages.
>
> Can you explain in more detail what you've done to try to make it work?
>
> For plain password auth you need...
>
> In /etc/libvirt/qemu.conf set (uncomment)
>
>   vnc_tls = 1
>   vnc_sasl = 1
>   vnc_listen = 0.0.0.0

Check.

> Then set up x509 certificates for the QEMU and your client application

Check.

> Then in /etc/sasl2/qemu.conf
>
>   mech_list: scram-sha-1
>   sasldb_path: /etc/qemu/passwd.db

Check.

> Now "saslpasswd -a qemu test".

Check.

> Make sure the password file is readable by qemu

...

Facepalm

...

That was it. The db file was readable by root only. I feel so stupid now.

Thank you!

> Regards,
> Daniel

Tomo
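
Added example, not part of the original thread: a small shell check for the failure found above, where the SASL password database named by sasldb_path is not readable by the account QEMU runs as. The function names are hypothetical, the account name "qemu" in the usage line is an assumption, and GNU stat is assumed; only the classic owner/group/other mode bits are evaluated.

```shell
#!/bin/sh
# Added example (not from the thread): mode-bit check of the SASL password db.

# Print the last sasldb_path value set in a Cyrus SASL config file.
sasldb_path_of() {
    sed -n 's/^[[:space:]]*sasldb_path:[[:space:]]*//p' "$1" | tail -n 1
}

# can_read FILE UID GID: 0 if the owner/group/other bits grant read access,
# 1 if they do not, 2 if FILE cannot be stat'ed. ACLs, SELinux, supplementary
# groups and permissions on parent directories are not considered.
can_read() {
    st=$(stat -c '%a %u %g' "$1" 2>/dev/null) || return 2
    if [ "$2" -eq 0 ]; then return 0; fi          # root bypasses mode bits
    mode=${st%% *}; rest=${st#* }
    owner=${rest%% *}; group=${rest#* }
    perms="000$mode"
    perms=${perms#"${perms%???}"}                 # keep the last three octal digits
    if [ "$2" -eq "$owner" ]; then
        digit=${perms%??}                         # owner digit
    elif [ "$3" -eq "$group" ]; then
        digit=${perms#?}; digit=${digit%?}        # group digit
    else
        digit=${perms#??}                         # other digit
    fi
    [ "$((digit & 4))" -ne 0 ]
}

# check_sasldb CONF UID GID: report whether that identity can read the db.
check_sasldb() {
    db=$(sasldb_path_of "$1")
    if [ -z "$db" ]; then echo "no sasldb_path in $1"; return 2; fi
    rc=0; can_read "$db" "$2" "$3" || rc=$?
    case $rc in
        0) echo "OK: $db readable by uid $2" ;;
        1) echo "FAIL: $db not readable by uid $2: $(ls -ln "$db")" ;;
        *) echo "FAIL: cannot stat $db" ;;
    esac
    return "$rc"
}

# Usage (account name is an assumption): sh check.sh /etc/sasl2/qemu.conf qemu
if [ "$#" -eq 2 ]; then
    check_sasldb "$1" "$(id -u "$2")" "$(id -g "$2")"
fi
```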