[libvirt] More logs from libvirt+qemu+VNC+SASL
Tomasz Barański
2018-12-07 11:25:18 UTC
Hello

I'm working on supporting VNC console on FIPS-enabled oVirt hosts[1]. I
made qemu use SASL as authentication method instead of regular passwords.
However, no matter what I do, I can't get it to accept credentials provided
with a VNC client.

Is there a way to get some qemu/SASL logs? I need to understand why the
credentials are not accepted.

Any pointers to docs/code/old bugs appreciated.

Tomo
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1595536
Daniel P. Berrangé
2018-12-07 11:57:06 UTC
Post by Tomasz Barański
Hello
I'm working on supporting VNC console on FIPS-enabled oVirt hosts[1]. I
made qemu use SASL as authentication method instead of regular passwords.
However, no matter what I do, I can't get it to accept credentials provided
with a VNC client.
Is there a way to get some qemu/SASL logs? I need to understand why the
credentials are not accepted.
Any pointers to docs/code/old bugs appreciated.
There's not much in the way of debugging with SASL server side.

Client side you can use --gtk-vnc-debug arg to virt-viewer to see
messages.

Can you explain in more detail what you've done to try to make it work ?

For plain password auth you need...

In /etc/libvirt/qemu.conf set (uncomment)

vnc_tls = 1
vnc_sasl = 1
vnc_listen = 0.0.0.0

Then set up x509 certificates for the QEMU and your client application

Then in /etc/sasl2/qemu.conf

mech_list: scram-sha-1
sasldb_path: /etc/qemu/passwd.db

Now "saslpasswd -a qemu test".

Make sure the password file is readable by qemu

chown qemu.qemu /etc/qemu/passwd.db

Finally "systemctl restart libvirtd", and start a guest


Note that TLS is required these days since there is no plain password
auth mechanism for SASL that provides a sane level of security without
TLS. In particular digest-md5 is not acceptable. The only exception
to this is Kerberos (GSSAPI) which can provide encryption without
needing TLS, but even then we'd recommend TLS.

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
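The steps above are easy to get almost right, and the failure mode in this thread (a sasldb that only root can read) produces no server-side log. The following preflight script is an added example, not code from the thread, from libvirt or from QEMU: it checks the libvirt and Cyrus SASL config files for the settings Daniel lists, rejects digest-md5 and a missing vnc_tls, and evaluates whether the sasldb_path file is readable by the service account from its owner, group and other bits. The function names (conf_value, sasl_value, readable_by, check_vnc_sasl) are my own; file paths and the user/group are passed as arguments so the checks can be run against scratch copies, with /etc/libvirt/qemu.conf, /etc/sasl2/qemu.conf and qemu:qemu being the real values on a host.

```shell
#!/bin/sh
# Added example (not from the thread, libvirt or QEMU): preflight checks for the
# VNC + SASL setup described above. Paths and the service account are arguments
# so the script can be exercised against scratch copies of the config files.

# Print the value of the first uncommented "key = value" line in a libvirt conf.
conf_value() {
    # $1 = file, $2 = key; optional double quotes around the value are stripped
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}.*/\1/p" "$1" | head -n 1
}

# Print the value of a "key: value" line in a Cyrus SASL conf (mech_list, sasldb_path).
sasl_value() {
    # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Decide whether user $2 (primary group $3) can read file $1, using the owner,
# group and other read bits the way the kernel does: the first matching class wins,
# so a root-owned 0600 file is unreadable by qemu even if "other" were readable.
readable_by() {
    line=$(ls -ld "$1" 2>/dev/null) || return 1
    mode=${line%% *}
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    group=$(printf '%s\n' "$line" | awk '{print $4}')
    if [ "$owner" = "$2" ]; then
        case "$mode" in ?r*) return 0 ;; esac
    elif [ "$group" = "$3" ]; then
        case "$mode" in ????r*) return 0 ;; esac
    else
        case "$mode" in ???????r*) return 0 ;; esac
    fi
    return 1
}

# Run all checks. $1 = libvirt qemu.conf, $2 = sasl2 qemu.conf, $3 = user, $4 = group.
# Returns 0 when everything the thread requires is in place, 1 otherwise; each
# problem is printed so the operator knows which step to revisit.
check_vnc_sasl() {
    ok=0
    [ "$(conf_value "$1" vnc_sasl)" = 1 ] || { echo "vnc_sasl is not 1 in $1"; ok=1; }
    mechs=$(sasl_value "$2" mech_list | tr 'A-Z' 'a-z')
    [ -n "$mechs" ] || { echo "mech_list missing in $2"; ok=1; }
    case " $mechs " in
        *" digest-md5 "*) echo "digest-md5 in mech_list is not acceptable"; ok=1 ;;
    esac
    # TLS is mandatory unless the only mechanism is Kerberos (gssapi).
    if [ "$(conf_value "$1" vnc_tls)" != 1 ] && [ "$mechs" != gssapi ]; then
        echo "vnc_tls must be 1 for mech_list '$mechs'"; ok=1
    fi
    db=$(sasl_value "$2" sasldb_path)
    if [ -z "$db" ]; then
        echo "sasldb_path missing in $2"; ok=1
    elif ! readable_by "$db" "$3" "$4"; then
        echo "$db is not readable by $3 (try: chown $3:$4 $db)"; ok=1
    fi
    return $ok
}

# On a real host (as root):
#   check_vnc_sasl /etc/libvirt/qemu.conf /etc/sasl2/qemu.conf qemu qemu
```

Running the last check as root is deliberate: root can read anything, so `test -r` from a root shell would have reported the file as fine, which is exactly how the permission problem in this thread stays hidden. Reasoning from the mode bits and the qemu account instead reproduces what the QEMU process will actually see.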
Tomasz Barański
2018-12-07 15:17:39 UTC
Post by Daniel P. Berrangé
Post by Tomasz Barański
Hello
I'm working on supporting VNC console on FIPS-enabled oVirt hosts[1]. I
made qemu use SASL as authentication method instead of regular passwords.
However, no matter what I do, I can't get it to accept credentials provided
with a VNC client.
Is there a way to get some qemu/SASL logs? I need to understand why the
credentials are not accepted.
Any pointers to docs/code/old bugs appreciated.
There's not much in the way of debugging with SASL server side.
Client side you can use --gtk-vnc-debug arg to virt-viewer to see
messages.
Can you explain in more detail what you've done to try to make it work ?
For plain password auth you need...
In /etc/libvirt/qemu.conf set (uncomment)
vnc_tls = 1
vnc_sasl = 1
vnc_listen = 0.0.0.0
Check.
Post by Daniel P. Berrangé
Then set up x509 certificates for the QEMU and your client application
Check.
Post by Daniel P. Berrangé
Then in /etc/sasl2/qemu.conf
mech_list: scram-sha-1
sasldb_path: /etc/qemu/passwd.db
Check.
Post by Daniel P. Berrangé
Now "saslpasswd -a qemu test".
Check.
Post by Daniel P. Berrangé
Make sure the password file is readable by qemu
...
Facepalm
...
That was it. The db file was readable by root only. I feel so stupid now.

Thank you!
Post by Daniel P. Berrangé
Regards,
Daniel
Tomo