On 18/12/07 11:57, Daniel P. Berrangé wrote:
> On Fri, Dec 07, 2018 at 12:25:18PM +0100, Tomasz Barański wrote:
> > Hello
> >
> > I'm working on supporting VNC console on FIPS-enabled oVirt hosts[1]. I
> > made qemu use SASL as authentication method instead of regular passwords.
> > However, no matter what I do, I can't get it to accept credentials provided
> > with a VNC client.
> >
> > Is there a way to get some qemu/SASL logs? I need to understand why the
> > credentials are not accepted.
> >
> > Any pointers to docs/code/old bugs appreciated.
>
> There's not much in way of debugging with SASL server side.
>
> Client side you can use --gtk-vnc-debug arg to virt-viewer to see
> messages.
>
> Can you explain in more detail what you've done to try to make it work ?
>
> For plain password auth you need...
>
> In /etc/libvirt/qemu.conf set (uncomment)
>
>   vnc_tls = 1
>   vnc_sasl = 1
>   vnc_listen = 0.0.0.0

Check.

> Then setup x509 certificates for the QEMU and your client application

Check.

> Then in /etc/sasl2/qemu.conf
>
>   mech_list: scram-sha-1
>   sasldb_path: /etc/qemu/passwd.db

Check.

> Now "saslpasswd -a qemu test".

Check.

> Make sure the password file is readable by qemu ...

Facepalm ... That was it. The db file was readable by root only. I feel so stupid now.

Thank you!

> Regards,
> Daniel

Tomo
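
The failure found in this thread, as an added example that is not part of the original messages: a shell check that reads `sasldb_path` from the SASL config and tests, from the file's mode bits, whether a given uid/gid can read the database. The function names are hypothetical, the `qemu` account name in the usage comment is an assumption, and ACLs, supplementary groups, SELinux and parent-directory permissions are not examined.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the sasldb_path value from a SASL config file (last entry wins).
sasldb_path_from_conf() {
    sed -n 's/^[[:space:]]*sasldb_path:[[:space:]]*//p' "$1" | tail -n 1
}

# Return 0 if uid/gid may read FILE according to its owner/group/other bits.
# Assumption: ACLs, supplementary groups, SELinux and directory
# permissions are not examined. Needs GNU stat (-c).
mode_allows_read() {
    file=$1 uid=$2 gid=$3
    if [ "$uid" -eq 0 ]; then return 0; fi    # root bypasses mode bits
    info=$(stat -c '%a %u %g' "$file") || return 2
    set -- $info
    perm=$((0$1)) owner=$2 group=$3           # %a is octal, e.g. 600
    if [ "$uid" -eq "$owner" ]; then bit=$((perm & 0400))
    elif [ "$gid" -eq "$group" ]; then bit=$((perm & 0040))
    else bit=$((perm & 0004))
    fi
    [ "$bit" -ne 0 ]
}

# usage: check_sasldb CONF UID GID  -> 0 readable, 1 not readable, 2 error
check_sasldb() {
    db=$(sasldb_path_from_conf "$1")
    [ -n "$db" ] || { echo "no sasldb_path in $1" >&2; return 2; }
    [ -e "$db" ] || { echo "$db: no such file" >&2; return 2; }
    if mode_allows_read "$db" "$2" "$3"; then
        echo "OK: $db is readable by uid $2 / gid $3"
    else
        echo "FAIL: $db ($(stat -c '%U:%G %a' "$db")) is not readable by uid $2 / gid $3"
        return 1
    fi
}

# On a host (the account name qemu is an assumption):
#   sh check_sasldb.sh /etc/sasl2/qemu.conf "$(id -u qemu)" "$(id -g qemu)"
if [ "$#" -eq 3 ]; then
    check_sasldb "$@"
fi
```

A root-only database (mode 600, owner root) is reported as FAIL for any non-root uid, which is the state described in the reply above.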