On Thu, 2007-01-11 at 00:39 +0000, Daniel P. Berrange wrote:
> Finally, one could simply say, this is all rather complicated, why don't
> we just use a simple username+password for everything. While this would
> be nice from a coding POV, I think we need to be forward looking and
> ensure we're set up to cope with things like Kerberos single-sign-on.
> This is why I'm looking at SASL for the QEMU authentication process - if
> you use libsasl.so your app doesn't even need to know what auth method
> it is using - the admin can simply create an appropriate config file
> for sasl, and bingo you're fully kerberized & single sign-on capable.

SASL and all it entails does seem like the only sane approach. Perhaps look at the D-Bus API ... I vaguely remember being impressed at the work Havoc did with SASL in D-BUS.

Also, it might be nice to keep all the "remote stuff" nicely isolated from the rest of the libvirt API which is nice and straightforward right now.

Cheers,
Mark.