On Mon, Dec 03, 2007 at 01:43:01PM +0100, Jim Meyering wrote:
> "Daniel P. Berrange" <berrange@xxxxxxxxxx> wrote:
>
> > On Thu, Nov 29, 2007 at 05:18:06PM +0000, Daniel P. Berrange wrote:
> >> This patch provides the ability to configure what authentication mechanism
> >> is used on each socket - UNIX RW, UNIX RO, TCP, and TLS sockets - all can
> >> have independent settings. By default the UNIX & TLS sockets have no auth,
> >> and the TCP socket has SASL auth enabled. The /etc/libvirt/libvirtd.conf
> >> file lets you override these options.
> >>
> >> There is also a new sasl_allowed_username_list = ["admin"] config
> >> param to let you whitelist the users you want to allow. This supports
> >> use of wildcards. The username is dependent on the SASL auth mechanism.
> >> For DIGEST-MD5 it will be plain usernames, for Kerberos it will be a
> >> username + realm, eg admin@EXAMPLE.COM
> >>
> >> After discussion with Rich, I also remove the tls_allowed_ip_list for
> >> whitelisting source IP addresses. This was a) not protecting us because
> >> it was only checked after the TLS handshake - thus allowing trivial DOS
> >> attack b) much easier to handle via tcp wrappers, or IPtables. c) only
> >> ever checked for the TLS socket d) IP addresses are easily spoofed.
> >>
> >> In summary, if you're using a real authentication mechanism, this is
> >> only useful for protecting against DOS attacks & that's better done by
> >> iptables.
> >
> > Rebased to take account of Jim's changes, and incorporated fixes to the
> > config file
>
> This looks fine.
> Thanks for preserving my convention of "#var = ..." (no space after '#')
> in the config file. I have a test that depends on that -- will post it
> after you commit this change.
>
> I find code/diffs easier to read when the lines themselves fit in 80 columns.
> There are lots of 100+-byte lines here. I know some are generated, but
> I'll be happy to normalize the others once this is checked in.

This is now committed.

Regards,
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list