docs: recommend SCRAM-SHA-256 SASL mech instead of SHA-1 variant
The SHA-256 variant better meats modern security expectations. Also warn that the password file is storing entries in clear text. Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrangé
parent
1c45af36e7
commit
e2bf32dfab
@ -168,7 +168,7 @@ used is drastically reduced. In fact only the GSSAPI SASL mechanism
|
||||
provides an acceptable level of security by modern standards. Previous
|
||||
versions of QEMU referred to the DIGEST-MD5 mechanism, however, it has
|
||||
multiple serious flaws described in detail in RFC 6331 and thus should
|
||||
never be used any more. The SCRAM-SHA-1 mechanism provides a simple
|
||||
never be used any more. The SCRAM-SHA-256 mechanism provides a simple
|
||||
username/password auth facility similar to DIGEST-MD5, but does not
|
||||
support session encryption, so can only be used in combination with TLS.
|
||||
|
||||
@ -191,11 +191,12 @@ reasonable configuration is
|
||||
|
||||
::
|
||||
|
||||
mech_list: scram-sha-1
|
||||
mech_list: scram-sha-256
|
||||
sasldb_path: /etc/qemu/passwd.db
|
||||
|
||||
The ``saslpasswd2`` program can be used to populate the ``passwd.db``
|
||||
file with accounts.
|
||||
file with accounts. Note that the ``passwd.db`` file stores passwords
|
||||
in clear text.
|
||||
|
||||
Other SASL configurations will be left as an exercise for the reader.
|
||||
Note that all mechanisms, except GSSAPI, should be combined with use of
|
||||
|
||||
11
qemu.sasl
11
qemu.sasl
@ -19,15 +19,15 @@ mech_list: gssapi
|
||||
|
||||
# If using TLS with VNC, or a UNIX socket only, it is possible to
|
||||
# enable plugins which don't provide session encryption. The
|
||||
# 'scram-sha-1' plugin allows plain username/password authentication
|
||||
# 'scram-sha-256' plugin allows plain username/password authentication
|
||||
# to be performed
|
||||
#
|
||||
#mech_list: scram-sha-1
|
||||
#mech_list: scram-sha-256
|
||||
|
||||
# You can also list many mechanisms at once, and the VNC server will
|
||||
# negotiate which to use by considering the list enabled on the VNC
|
||||
# client.
|
||||
#mech_list: scram-sha-1 gssapi
|
||||
#mech_list: scram-sha-256 gssapi
|
||||
|
||||
# Some older builds of MIT kerberos on Linux ignore this option &
|
||||
# instead need KRB5_KTNAME env var.
|
||||
@ -38,7 +38,8 @@ mech_list: gssapi
|
||||
# mechanism this can be commented out.
|
||||
keytab: /etc/qemu/krb5.tab
|
||||
|
||||
# If using scram-sha-1 for username/passwds, then this is the file
|
||||
# If using scram-sha-256 for username/passwds, then this is the file
|
||||
# containing the passwds. Use 'saslpasswd2 -a qemu [username]'
|
||||
# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it
|
||||
# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it.
|
||||
# Note that this file stores passwords in clear text.
|
||||
#sasldb_path: /etc/qemu/passwd.db
|
||||
|
||||
Loading…
Reference in New Issue
Block a user