From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Daniel P. Berrangé" <berrange@redhat.com>
Subject: [PATCH 3/4] docs: recommend SCRAM-SHA-256 SASL mech instead of SHA-1 variant
Date: Fri, 14 May 2021 18:31:09 +0100 [thread overview]
Message-ID: <20210514173110.1397741-4-berrange@redhat.com> (raw)
In-Reply-To: <20210514173110.1397741-1-berrange@redhat.com>
The SHA-256 variant better meats modern security expectations.
Also warn that the password file is storing entries in clear
text.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
docs/system/vnc-security.rst | 7 ++++---
qemu.sasl | 11 ++++++-----
2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/docs/system/vnc-security.rst b/docs/system/vnc-security.rst
index 830f6acc73..4c1769eeb8 100644
--- a/docs/system/vnc-security.rst
+++ b/docs/system/vnc-security.rst
@@ -168,7 +168,7 @@ used is drastically reduced. In fact only the GSSAPI SASL mechanism
provides an acceptable level of security by modern standards. Previous
versions of QEMU referred to the DIGEST-MD5 mechanism, however, it has
multiple serious flaws described in detail in RFC 6331 and thus should
-never be used any more. The SCRAM-SHA-1 mechanism provides a simple
+never be used any more. The SCRAM-SHA-256 mechanism provides a simple
username/password auth facility similar to DIGEST-MD5, but does not
support session encryption, so can only be used in combination with TLS.
@@ -191,11 +191,12 @@ reasonable configuration is
::
- mech_list: scram-sha-1
+ mech_list: scram-sha-256
sasldb_path: /etc/qemu/passwd.db
The ``saslpasswd2`` program can be used to populate the ``passwd.db``
-file with accounts.
+file with accounts. Note that the ``passwd.db`` file stores passwords
+in clear text.
Other SASL configurations will be left as an exercise for the reader.
Note that all mechanisms, except GSSAPI, should be combined with use of
diff --git a/qemu.sasl b/qemu.sasl
index fb8a92ba58..abdfc686be 100644
--- a/qemu.sasl
+++ b/qemu.sasl
@@ -19,15 +19,15 @@ mech_list: gssapi
# If using TLS with VNC, or a UNIX socket only, it is possible to
# enable plugins which don't provide session encryption. The
-# 'scram-sha-1' plugin allows plain username/password authentication
+# 'scram-sha-256' plugin allows plain username/password authentication
# to be performed
#
-#mech_list: scram-sha-1
+#mech_list: scram-sha-256
# You can also list many mechanisms at once, and the VNC server will
# negotiate which to use by considering the list enabled on the VNC
# client.
-#mech_list: scram-sha-1 gssapi
+#mech_list: scram-sha-256 gssapi
# Some older builds of MIT kerberos on Linux ignore this option &
# instead need KRB5_KTNAME env var.
@@ -38,7 +38,8 @@ mech_list: gssapi
# mechanism this can be commented out.
keytab: /etc/qemu/krb5.tab
-# If using scram-sha-1 for username/passwds, then this is the file
+# If using scram-sha-256 for username/passwds, then this is the file
# containing the passwds. Use 'saslpasswd2 -a qemu [username]'
-# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it
+# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it.
+# Note that this file stores passwords in clear text.
#sasldb_path: /etc/qemu/passwd.db
--
2.31.1
next prev parent reply other threads:[~2021-05-14 17:36 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-14 17:31 [PATCH 0/4] docs: add user facing docs for secret passing and authorization controls Daniel P. Berrangé
2021-05-14 17:31 ` [PATCH 1/4] docs: document how to pass secret data to QEMU Daniel P. Berrangé
2021-05-14 17:31 ` [PATCH 2/4] docs: document usage of the authorization framework Daniel P. Berrangé
2021-06-04 11:26 ` Marc-André Lureau
2021-05-14 17:31 ` Daniel P. Berrangé [this message]
2021-05-14 17:31 ` [PATCH 4/4] sasl: remove comment about obsolete kerberos versions Daniel P. Berrangé
2021-06-04 8:43 ` [PATCH 0/4] docs: add user facing docs for secret passing and authorization controls Daniel P. Berrangé
2021-06-04 11:26 ` Marc-André Lureau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210514173110.1397741-4-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).