11:57 a.m.
I was playing with SASL authentication a bit today and I wasn't able
to get libvirt to authenticate against PAM (or anything else except
the sasldb, although I didn't try Kerberos). Does anybody know off
the top of their head what mechanisms/password check options work?
I'm trying to figure out if I'm attempting the impossible.
Dave
5:05 p.m.
On Wednesday 2011-12-14, Dave Allan wrote:
I was playing with SASL authentication a bit today and I wasn't
able
to get libvirt to authenticate against PAM (or anything else except
the sasldb, although I didn't try Kerberos). Does anybody know off
the top of their head what mechanisms/password check options work?
I'm trying to figure out if I'm attempting the impossible.
Dave
Hi Dave,
Here is my working configuration with sql backend. I am using postgres.
mech_list: digest-md5
pwcheck_method: auxprop
auxprop_plugin: sql
sql_engine: pgsql
sql_hostnames: localhost
sql_user: qemukvm
sql_passwd: secret
sql_database: qemukvmdb
sql_select: select password from qemuusers where username = '%u'
To make use of PAM as far as I know you will have to use saslauthd method.
And here is the list of relevant sasl options (I am not sure if it's up to
date): http://asyd.net/docs/cyrus-options.html
--
Josip Deanovic
6:07 p.m.
On Wednesday 2011-12-14, Josip Deanovic wrote:
On Wednesday 2011-12-14, Dave Allan wrote:
> I was playing with SASL authentication a bit today and I wasn't able
> to get libvirt to authenticate against PAM (or anything else except
> the sasldb, although I didn't try Kerberos). Does anybody know off
> the top of their head what mechanisms/password check options work?
> I'm trying to figure out if I'm attempting the impossible.
>
> Dave
Hi Dave,
Here is my working configuration with sql backend. I am using postgres.
mech_list: digest-md5
pwcheck_method: auxprop
auxprop_plugin: sql
sql_engine: pgsql
sql_hostnames: localhost
sql_user: qemukvm
sql_passwd: secret
sql_database: qemukvmdb
sql_select: select password from qemuusers where username = '%u'
To make use of PAM as far as I know you will have to use saslauthd
method.
And here is the list of relevant sasl options (I am not sure if it's up
to date): http://asyd.net/docs/cyrus-options.html
Sorry, I was mistakenly referring to sasl authentication for vnc client with
sasl support.
However, this configuration might work with libvit with little or no
modifications. However I never tried to authenticate to libvrit using sasl.
--
Josip Deanovic
1:39 a.m.
On Wed, Dec 14, 2011 at 11:07:13AM +0100, Josip Deanovic wrote:
On Wednesday 2011-12-14, Josip Deanovic wrote:
> On Wednesday 2011-12-14, Dave Allan wrote:
> > I was playing with SASL authentication a bit today and I wasn't able
> > to get libvirt to authenticate against PAM (or anything else except
> > the sasldb, although I didn't try Kerberos). Does anybody know off
> > the top of their head what mechanisms/password check options work?
> > I'm trying to figure out if I'm attempting the impossible.
> >
> > Dave
>
> Hi Dave,
>
> Here is my working configuration with sql backend. I am using postgres.
>
> mech_list: digest-md5
> pwcheck_method: auxprop
> auxprop_plugin: sql
> sql_engine: pgsql
> sql_hostnames: localhost
> sql_user: qemukvm
> sql_passwd: secret
> sql_database: qemukvmdb
> sql_select: select password from qemuusers where username = '%u'
>
>
> To make use of PAM as far as I know you will have to use saslauthd
> method.
>
> And here is the list of relevant sasl options (I am not sure if it's up
> to date): http://asyd.net/docs/cyrus-options.html
Sorry, I was mistakenly referring to sasl authentication for vnc client with
sasl support.
However, this configuration might work with libvit with little or no
modifications. However I never tried to authenticate to libvrit using sasl.
Good info nonetheless, thanks.
Dave
--
Josip Deanovic
_______________________________________________
libvirt-users mailing list
libvirt-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvirt-users
5:13 p.m.
On Tue, Dec 13, 2011 at 10:57:25PM -0500, Dave Allan wrote:
I was playing with SASL authentication a bit today and I wasn't
able
to get libvirt to authenticate against PAM (or anything else except
the sasldb, although I didn't try Kerberos). Does anybody know off
the top of their head what mechanisms/password check options work?
I'm trying to figure out if I'm attempting the impossible.
If you are configuring SASL for the tcp socket it will refuse to use
SASL mechanisms which do not support encryption, which is all of them
except Kerberos or Digest-MD5.
If you are configuring SASL for the TLS socket it will allow any
SASL mechanism, since TLS provides the encryption
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
10:27 p.m.
On Wed, Dec 14, 2011 at 09:13:32AM +0000, Daniel P. Berrange wrote:
On Tue, Dec 13, 2011 at 10:57:25PM -0500, Dave Allan wrote:
> I was playing with SASL authentication a bit today and I wasn't able
> to get libvirt to authenticate against PAM (or anything else except
> the sasldb, although I didn't try Kerberos). Does anybody know off
> the top of their head what mechanisms/password check options work?
> I'm trying to figure out if I'm attempting the impossible.
If you are configuring SASL for the tcp socket it will refuse to use
SASL mechanisms which do not support encryption, which is all of them
except Kerberos or Digest-MD5.
If you are configuring SASL for the TLS socket it will allow any
SASL mechanism, since TLS provides the encryption
Ah, I left out the most salient detail: I was trying it on the unix rw
socket. libvirtd.conf says "For non-TCP or TLS sockets, any scheme is
allowed." The way I read that, I'd expect any scheme to work with the
unix rw socket, is that right?
Dave
10:34 p.m.
On Wed, Dec 14, 2011 at 09:27:51AM -0500, Dave Allan wrote:
On Wed, Dec 14, 2011 at 09:13:32AM +0000, Daniel P. Berrange wrote:
> On Tue, Dec 13, 2011 at 10:57:25PM -0500, Dave Allan wrote:
> > I was playing with SASL authentication a bit today and I wasn't able
> > to get libvirt to authenticate against PAM (or anything else except
> > the sasldb, although I didn't try Kerberos). Does anybody know off
> > the top of their head what mechanisms/password check options work?
> > I'm trying to figure out if I'm attempting the impossible.
>
> If you are configuring SASL for the tcp socket it will refuse to use
> SASL mechanisms which do not support encryption, which is all of them
> except Kerberos or Digest-MD5.
>
> If you are configuring SASL for the TLS socket it will allow any
> SASL mechanism, since TLS provides the encryption
Ah, I left out the most salient detail: I was trying it on the unix rw
socket. libvirtd.conf says "For non-TCP or TLS sockets, any scheme is
allowed." The way I read that, I'd expect any scheme to work with the
unix rw socket, is that right?
It should allow any scheme with UNIX sockets, but I doubt we've
tested that to make sure
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
4651
days inactive
4651
days old
6 comments
4 participants
participants (4)
-
Daniel P. Berrange -
Dave Allan -
Josip Deanovic -
Josip Deanovic