On Fri, Dec 07, 2018 at 12:25:18PM +0100, Tomasz Barański wrote:
> Hello
>
> I'm working on supporting VNC console on FIPS-enabled oVirt hosts[1]. I
> made qemu use SASL as authentication method instead of regular passwords.
> However, no matter what I do, I can't get it to accept credentials provided
> with a VNC client.
>
> Is there a way to get some qemu/SASL logs? I need to understand why the
> credentials are not accepted.
>
> Any pointers to docs/code/old bugs appreciated.
There's not much in way of debugging with SASL server side.
Client side you can use --gtk-vnc-debug arg to virt-viewer to see
messages.
Can you explain in more detail what you've done to try to make it work?

For plain password auth you need...

In /etc/libvirt/qemu.conf set (uncomment)

vnc_tls = 1
vnc_sasl = 1
vnc_listen = 0.0.0.0

Then set up x509 certificates for the QEMU and your client application

Then in /etc/sasl2/qemu.conf
mech_list: scram-sha-1
sasldb_path: /etc/qemu/passwd.db
Now "saslpasswd -a qemu test".
Make sure the password file is readable by qemu
chown qemu.qemu /etc/qemu/passwd.db
Finally "systemctl restart libvirtd", and start a guest
Note that TLS is required these days since there is no plain password
auth mechanism for SASL that provides a sane level of security without
TLS. In particular digest-md5 is not acceptable. The only exception
to this is Kerberos (GSSAPI) which can provide encryption without
needing TLS, but even then we'd recommend TLS.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|