44 lines
1.8 KiB
Text
44 lines
1.8 KiB
Text
# If you want to use VNC remotely without TLS, then you *must*
|
|
# pick a mechanism which provides session encryption as well
|
|
# as authentication.
|
|
#
|
|
# If you are only using TLS, then you can turn on any mechanisms
|
|
# you like for authentication, because TLS provides the encryption
|
|
#
|
|
# If you are only using UNIX sockets then encryption is not
|
|
# required at all.
|
|
#
|
|
# NB, previously DIGEST-MD5 was set as the default mechanism for
|
|
# QEMU VNC. Per RFC 6331 this is vulnerable to many serious security
|
|
# flaws as should no longer be used. Thus GSSAPI is now the default.
|
|
#
|
|
# To use GSSAPI requires that a QEMU service principal is
|
|
# added to the Kerberos server for each host running QEMU.
|
|
# This principal needs to be exported to the keytab file listed below
|
|
mech_list: gssapi
|
|
|
|
# If using TLS with VNC, or a UNIX socket only, it is possible to
|
|
# enable plugins which don't provide session encryption. The
|
|
# 'scram-sha-1' plugin allows plain username/password authentication
|
|
# to be performed
|
|
#
|
|
#mech_list: scram-sha-1
|
|
|
|
# You can also list many mechanisms at once, and the VNC server will
|
|
# negotiate which to use by considering the list enabled on the VNC
|
|
# client.
|
|
#mech_list: scram-sha-1 gssapi
|
|
|
|
# Some older builds of MIT kerberos on Linux ignore this option &
|
|
# instead need KRB5_KTNAME env var.
|
|
# For modern Linux, and other OS, this should be sufficient
|
|
#
|
|
# This file needs to be populated with the service principal that
|
|
# was created on the Kerberos v5 server. If switching to a non-gssapi
|
|
# mechanism this can be commented out.
|
|
keytab: /etc/qemu/krb5.tab
|
|
|
|
# If using scram-sha-1 for username/passwds, then this is the file
|
|
# containing the passwds. Use 'saslpasswd2 -a qemu [username]'
|
|
# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it
|
|
#sasldb_path: /etc/qemu/passwd.db
|