9:51 p.m.
Hello everyone!
I am trying without any success to decipher traffic from client to server
in virt-manager in wireshark, but I don't know the sessioon key there, so
seems no chance to do this.
This is why I want to ask, is any info related to the certificate sent
through the connection? Or if I use kerberos protocol for authentication,
will the user id be sent in every message from client to server? Or only
during authentication?
7:02 a.m.
On 11/26/18 4:51 AM, Anastasiya Ruzhanskaya wrote:
Hello everyone!
I am trying without any success to decipher traffic from client to server
in virt-manager in wireshark, but I don't know the sessioon key there, so
seems no chance to do this.
This is why I want to ask, is any info related to the certificate sent
through the connection?> Or if I use kerberos protocol for authentication,
will the user id be sent in every message from client to server? Or only
during authentication?
This is not really a libvirt question, but I will try to answer it anyway.
Firstly, you can use disable TLS and use plain TCP to see libvirt
packets flying by (e.g. qemu+tcp://localhost/system).
Secondly, TLS is a whole another beast. There is plenty of documentation
on the internet. The server certificate is not transferred, if it was it
wouldn't be trustworthy anyway. Instead, server sends a signed message
and from there and from PKI the client can work out whether the server
really is who they claim to be. There is a bunch of so called
certificate authorities which sign other servers certificates so that
chain of trust can be built. Again, very brief and useless description.
For Kerberos, the username is sent, however only in the kinit phase. At
this point, the kerberos client gets so called ticket which it then uses
to authenticate to other services (so no username nor password is sent).
Michal
8:19 a.m.
Yes, I already disabled it and found out how the rpc protocol looks like.
I just was wondering if something more is sent.
For kerberos, I found quite a good description
https://www.roguelynn.com/words/explain-like-im-5-kerberos/, but it only
says that this ticket is then used in communication. So, I was wondering
how it is used and does any information to client in included in messages
further after authentication.
пн, 26 нояб. 2018 г. в 16:02, Michal Privoznik <mprivozn(a)redhat.com>:
On 11/26/18 4:51 AM, Anastasiya Ruzhanskaya wrote:
> Hello everyone!
>
> I am trying without any success to decipher traffic from client to server
> in virt-manager in wireshark, but I don't know the sessioon key there, so
> seems no chance to do this.
>
> This is why I want to ask, is any info related to the certificate sent
> through the connection?> Or if I use kerberos protocol for
authentication,
> will the user id be sent in every message from client to server? Or only
> during authentication?
This is not really a libvirt question, but I will try to answer it anyway.
Firstly, you can use disable TLS and use plain TCP to see libvirt
packets flying by (e.g. qemu+tcp://localhost/system).
Secondly, TLS is a whole another beast. There is plenty of documentation
on the internet. The server certificate is not transferred, if it was it
wouldn't be trustworthy anyway. Instead, server sends a signed message
and from there and from PKI the client can work out whether the server
really is who they claim to be. There is a bunch of so called
certificate authorities which sign other servers certificates so that
chain of trust can be built. Again, very brief and useless description.
For Kerberos, the username is sent, however only in the kinit phase. At
this point, the kerberos client gets so called ticket which it then uses
to authenticate to other services (so no username nor password is sent).
Michal
2188
days inactive
2188
days old
2 comments
2 participants
participants (2)
-
Anastasiya Ruzhanskaya -
Michal Privoznik