Re: More logs from libvirt+qemu+VNC+SASL

On 18/12/07 11:57, Daniel P. Berrangé wrote:
> On Fri, Dec 07, 2018 at 12:25:18PM +0100, Tomasz Barański wrote:
> > Hello
> > 
> > I'm working on supporting VNC console on FIPS-enabled oVirt hosts[1]. I
> > made qemu use SASL as authentication method instead of regular passwords.
> > However, no matter what I do, I can't get it to accept credentials provided
> > with a VNC client.
> > 
> > Is there a way to get some qemu/SASL logs? I need to understand why the
> > credentials are not accepted.
> > 
> > Any pointers to docs/code/old bugs appreciated.
> 
> There's not much in way of debugging with SASL server side.
> 
> Client side you can use --gtk-vnc-debug arg to virt-viewer to see
> messages.
> 
> Can you explain in more detail what you've done to try to make it work ?
> 
> For plain password auth you need...
> 
> In /etc/libvirt/qemu.conf  set (uncomment)
> 
>   vnc_tls = 1
>   vnc_sasl = 1
>   vnc_listen = 0.0.0.0

Check.

> 
> Then setup x509 certificates for the QEMU and your client application

Check.

> 
> Then in /etc/sasl2/qemu.conf
> 
>   mech_list: scram-sha-1
>   sasldb_path: /etc/qemu/passwd.db

Check.

> 
> Now "saslpasswd -a qemu test".

Check.

> 
> Make sure the password file is readable by qemu

...
Facepalm
...
That was it. The db file was readable by root only. I feel so stupid now.

Thank you!

> Regards,
> Daniel

Tomo

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
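
The failure in this thread was a SASL password database that only root could read. The script below is an added example (not part of the original messages, and not libvirt or QEMU code): it reads sasldb_path from a SASL config file and checks the file's mode bits against a given account. It also flags a world-readable database, which goes beyond what the thread discusses. The function names, the "qemu" account name and the use of GNU stat are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Checks classic mode bits only: ACLs, SELinux labels and parent-directory
# permissions are not considered. Requires GNU stat; run as root.

# Print the first sasldb_path value found in a SASL config file.
sasldb_path_from_conf() {
    sed -n 's/^[[:space:]]*sasldb_path[[:space:]]*:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Succeed if a file with owner uid $1, group gid $2 and octal mode $3 is
# readable by a process with uid $4 and group ids $5 (space separated).
mode_allows_read() (
    owner=$1 group=$2 mode=$3 uid=$4 gids=$5
    if [ "$uid" -eq 0 ]; then exit 0; fi        # root bypasses mode bits
    if [ "$uid" -eq "$owner" ]; then
        bit=0400                                 # owner class applies
    else
        bit=0004                                 # "other" unless a group matches
        for g in $gids; do
            if [ "$g" -eq "$group" ]; then bit=0040; fi
        done
    fi
    [ $(( 0$mode & $bit )) -ne 0 ]
)

# Print one status word for config file $1 and account $2:
# ok | unreadable | world-readable | missing | no-sasldb_path | no-such-user
check_sasldb() (
    db=$(sasldb_path_from_conf "$1")
    [ -n "$db" ] || { echo "no-sasldb_path"; exit 2; }
    [ -e "$db" ] || { echo "missing"; exit 2; }
    uid=$(id -u "$2" 2>/dev/null) || { echo "no-such-user"; exit 2; }
    gids=$(id -G "$2")
    set -- $(stat -c '%u %g %a' "$db")           # owner uid, group gid, mode
    if ! mode_allows_read "$1" "$2" "$3" "$uid" "$gids"; then
        echo "unreadable"; exit 1                # the failure found in this thread
    fi
    if [ $(( 0$3 & 0004 )) -ne 0 ]; then
        echo "world-readable"; exit 1            # works, but any local user can read it
    fi
    echo "ok"
)

# Usage: sh check.sh /etc/sasl2/qemu.conf qemu   ("qemu" account name is an assumption)
if [ $# -eq 2 ]; then check_sasldb "$1" "$2"; fi
```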



