1*2f9606b3Saliguori# If you want to use the non-TLS socket, then you *must* include 2*2f9606b3Saliguori# the GSSAPI or DIGEST-MD5 mechanisms, because they are the only 3*2f9606b3Saliguori# ones that can offer session encryption as well as authentication. 4*2f9606b3Saliguori# 5*2f9606b3Saliguori# If you're only using TLS, then you can turn on any mechanisms 6*2f9606b3Saliguori# you like for authentication, because TLS provides the encryption 7*2f9606b3Saliguori# 8*2f9606b3Saliguori# Default to a simple username+password mechanism 9*2f9606b3Saliguori# NB digest-md5 is no longer considered secure by current standards 10*2f9606b3Saliguorimech_list: digest-md5 11*2f9606b3Saliguori 12*2f9606b3Saliguori# Before you can use GSSAPI, you need a service principle on the 13*2f9606b3Saliguori# KDC server for libvirt, and that to be exported to the keytab 14*2f9606b3Saliguori# file listed below 15*2f9606b3Saliguori#mech_list: gssapi 16*2f9606b3Saliguori# 17*2f9606b3Saliguori# You can also list many mechanisms at once, then the user can choose 18*2f9606b3Saliguori# by adding '?auth=sasl.gssapi' to their libvirt URI, eg 19*2f9606b3Saliguori# qemu+tcp://hostname/system?auth=sasl.gssapi 20*2f9606b3Saliguori#mech_list: digest-md5 gssapi 21*2f9606b3Saliguori 22*2f9606b3Saliguori# Some older builds of MIT kerberos on Linux ignore this option & 23*2f9606b3Saliguori# instead need KRB5_KTNAME env var. 24*2f9606b3Saliguori# For modern Linux, and other OS, this should be sufficient 25*2f9606b3Saliguorikeytab: /etc/qemu/krb5.tab 26*2f9606b3Saliguori 27*2f9606b3Saliguori# If using digest-md5 for username/passwds, then this is the file 28*2f9606b3Saliguori# containing the passwds. Use 'saslpasswd2 -a qemu [username]' 29*2f9606b3Saliguori# to add entries, and 'sasldblistusers2 -a qemu' to browse it 30*2f9606b3Saliguorisasldb_path: /etc/qemu/passwd.db 31*2f9606b3Saliguori 32*2f9606b3Saliguori 33*2f9606b3Saliguoriauxprop_plugin: sasldb 34*2f9606b3Saliguori 35