On Fri, Dec 07, 2018 at 12:25:18PM +0100, Tomasz Barański wrote:

Hello

I'm working on supporting VNC console on FIPS-enabled oVirt hosts[1]. I made qemu use SASL as authentication method instead of regular passwords. However, no matter what I do, I can't get it to accept credentials provided with a VNC client.

Is there a way to get some qemu/SASL logs? I need to understand why the credentials are not accepted.

Any pointers to docs/code/old bugs appreciated.

There's not much in way of debugging with SASL server side. Client side you can use --gtk-vnc-debug arg to virt-viewer to see messages. Can you explain in more detail what you've done to try to make it work ? For plain password auth you need... In /etc/libvirt/qemu.conf set (uncomment) vnc_tls = 1 vnc_sasl = 1 vnc_listen = 0.0.0.0 Then setup x509 certificates for the QEMU and your client application THen in /etc/sasl2/qemu.conf mech_list: scram-sha-1 sasldb_path: /etc/qemu/passwd.db Now "saslpasswd -a qemu test". Make sure the password file is readable by qemu chown qemu.qemu /etc/qemu/passwd.db Finally "systemctl restart libvirtd", and start a guest Note that TLS is required these days since there is no plain password auth mechanism for SASL that provides a sane level of security without TLS. In particular digest-md5 is not acceptable. The only exception to this is Kerberos (GSSAPI) which can provide encryption without needing TLS, but even then we'd recommend TLS. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|