Re: [libvirt] Information sent in libvirt during the sasl usage and tls
On 11/26/18 4:51 AM, Anastasiya Ruzhanskaya wrote:
Hello everyone!
I am trying without any success to decipher traffic from client to server
in virt-manager in wireshark, but I don't know the sessioon key there, so
seems no chance to do this.
This is why I want to ask, is any info related to the certificate sent
through the connection?> Or if I use kerberos protocol for authentication,
will the user id be sent in every message from client to server? Or only
during authentication?
This is not really a libvirt question, but I will try to answer it anyway.
Firstly, you can use disable TLS and use plain TCP to see libvirt
packets flying by (e.g. qemu+tcp://localhost/system).
Secondly, TLS is a whole another beast. There is plenty of documentation
on the internet. The server certificate is not transferred, if it was it
wouldn't be trustworthy anyway. Instead, server sends a signed message
and from there and from PKI the client can work out whether the server
really is who they claim to be. There is a bunch of so called
certificate authorities which sign other servers certificates so that
chain of trust can be built. Again, very brief and useless description.
For Kerberos, the username is sent, however only in the kinit phase. At
this point, the kerberos client gets so called ticket which it then uses
to authenticate to other services (so no username nor password is sent).
Michal