Git Repo - qemu.git/blame_incremental

... / ...

Commit	Line	Data
	1	# If you want to use VNC remotely without TLS, then you must
	2	# pick a mechanism which provides session encryption as well
	3	# as authentication.
	4	#
	5	# If you are only using TLS, then you can turn on any mechanisms
	6	# you like for authentication, because TLS provides the encryption
	7	#
	8	# If you are only using UNIX sockets then encryption is not
	9	# required at all.
	10	#
	11	# NB, previously DIGEST-MD5 was set as the default mechanism for
	12	# QEMU VNC. Per RFC 6331 this is vulnerable to many serious security
	13	# flaws as should no longer be used. Thus GSSAPI is now the default.
	14	#
	15	# To use GSSAPI requires that a QEMU service principal is
	16	# added to the Kerberos server for each host running QEMU.
	17	# This principal needs to be exported to the keytab file listed below
	18	mech_list: gssapi
	19
	20	# If using TLS with VNC, or a UNIX socket only, it is possible to
	21	# enable plugins which don't provide session encryption. The
	22	# 'scram-sha-1' plugin allows plain username/password authentication
	23	# to be performed
	24	#
	25	#mech_list: scram-sha-1
	26
	27	# You can also list many mechanisms at once, and the VNC server will
	28	# negotiate which to use by considering the list enabled on the VNC
	29	# client.
	30	#mech_list: scram-sha-1 gssapi
	31
	32	# Some older builds of MIT kerberos on Linux ignore this option &
	33	# instead need KRB5_KTNAME env var.
	34	# For modern Linux, and other OS, this should be sufficient
	35	#
	36	# This file needs to be populated with the service principal that
	37	# was created on the Kerberos v5 server. If switching to a non-gssapi
	38	# mechanism this can be commented out.
	39	keytab: /etc/qemu/krb5.tab
	40
	41	# If using scram-sha-1 for username/passwds, then this is the file
	42	# containing the passwds. Use 'saslpasswd2 -a qemu [username]'
	43	# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it
	44	#sasldb_path: /etc/qemu/passwd.db