Daniel P. Berrangé <berrange@xxxxxxxxxx> wrote:
> From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
>
> Currently any client which can complete the TLS handshake is able to use
> a chardev server. The server admin can turn on the 'verify-peer' option
> for the x509 creds to require the client to provide an x509
> certificate. This means the client will have to acquire a certificate
> from the CA before they are permitted to use the chardev server. This is
> still a fairly low bar.
>
> This adds a 'tls-authz=OBJECT-ID' option to the socket chardev backend
> which takes the ID of a previously added 'QAuthZ' object instance. This
> will be used to validate the client's x509 distinguished name. Clients
> failing the check will not be permitted to use the chardev server.
>
> For example, to set up authorization that only allows connection from a
> client whose x509 certificate distinguished name contains 'CN=fred', you
> would use:
>
>   $QEMU -object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
>           endpoint=server,verify-peer=yes \
>         -object authz-simple,id=authz0,identity=CN=laptop.example.com,,\
>           O=Example Org,,L=London,,ST=London,,C=GB \
>         -chardev socket,host=127.0.0.1,port=9000,server,\
>           tls-creds=tls0,tls-authz=authz0 \
>         ...other qemu args...
>
> Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
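As an added illustration (not QEMU's code and not part of the patch or this thread), the Python below models the two things the commit message's command line relies on: QEMU's option-string syntax, where a doubled comma ',,' is a literal comma inside a value (which is how a multi-RDN distinguished name survives in a single -object argument), and the rule of the authz-simple driver, which permits a client only when its distinguished name string is an exact match for the configured identity. The parser, the AuthZSimple class, the chardev_accepts helper and the sample DN strings are constructed for this example; the two argument strings are the ones from the commit message with the shell line continuations joined.

```python
"""Added illustration (not QEMU code): QEMU-style option parsing with ',,'
escaping, plus the exact-match identity check that authz-simple applies to a
TLS client's x509 distinguished name."""
from dataclasses import dataclass

# The -object / -chardev arguments from the commit message, with the shell
# line continuations joined. Constructed here for the example.
AUTHZ_ARG = ("authz-simple,id=authz0,identity=CN=laptop.example.com,,"
             "O=Example Org,,L=London,,ST=London,,C=GB")
CHARDEV_ARG = "socket,host=127.0.0.1,port=9000,server,tls-creds=tls0,tls-authz=authz0"


def parse_qemu_option_string(arg: str) -> tuple[str, dict[str, str]]:
    """Split 'type,key=value,key=value,flag' into (type, properties).

    A single ',' separates options; ',,' is a literal comma inside a value.
    A bare key with no '=' (like 'server') is a boolean flag set to 'on'.
    """
    fields: list[str] = []
    cur: list[str] = []
    i = 0
    while i < len(arg):
        if arg[i] == ",":
            if arg[i + 1:i + 2] == ",":      # escaped comma: keep one literal ','
                cur.append(",")
                i += 2
                continue
            fields.append("".join(cur))      # unescaped comma: field boundary
            cur = []
        else:
            cur.append(arg[i])
        i += 1
    fields.append("".join(cur))

    if not fields[0]:
        raise ValueError("option string must start with a type name")
    props: dict[str, str] = {}
    for field in fields[1:]:
        if not field:
            continue                         # tolerate a trailing comma
        key, sep, value = field.partition("=")   # only the first '=' splits
        props[key] = value if sep else "on"
    return fields[0], props


@dataclass(frozen=True)
class AuthZSimple:
    """Model of QEMU's authz-simple: allow only an exact identity match."""
    identity: str

    def is_allowed(self, client_identity: str) -> bool:
        # Exact string comparison: no substring, prefix or RDN-order leniency.
        return client_identity == self.identity


def build_authz_simple(object_arg: str) -> AuthZSimple:
    """Turn an '-object authz-simple,...' argument into an AuthZSimple."""
    obj_type, props = parse_qemu_option_string(object_arg)
    if obj_type != "authz-simple":
        raise ValueError(f"expected authz-simple, got {obj_type}")
    if "identity" not in props:
        raise ValueError("authz-simple requires an identity property")
    return AuthZSimple(props["identity"])


def chardev_accepts(chardev_arg: str, objects: dict[str, AuthZSimple],
                    client_dn: str) -> bool:
    """Apply the chardev's tls-authz object (if any) to a client's DN string.

    Without tls-authz, completing the TLS handshake is all that is required,
    which is the behaviour the commit message describes as the current one.
    """
    _, props = parse_qemu_option_string(chardev_arg)
    authz_id = props.get("tls-authz")
    if authz_id is None:
        return True
    return objects[authz_id].is_allowed(client_dn)


if __name__ == "__main__":
    objects = {"authz0": build_authz_simple(AUTHZ_ARG)}
    # Constructed sample DN strings in the comma-separated form QEMU compares.
    for dn in ("CN=laptop.example.com,O=Example Org,L=London,ST=London,C=GB",
               "CN=laptop.example.com",
               "C=GB,ST=London,L=London,O=Example Org,CN=laptop.example.com"):
        verdict = "allowed" if chardev_accepts(CHARDEV_ARG, objects, dn) else "denied"
        print(f"{dn!r}: {verdict}")
```

The three sample DNs make the practical point: only the full DN in the configured order passes, while a CN-only DN or the same RDNs in reverse order are refused, so the identity string must be written exactly as the TLS layer renders the client's subject.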