On Mon, May 21, 2012 at 11:50:48AM +0200, Tiziano Müller wrote:
> Hi
>
> Currently I'm trying to get SASL working and succeeded so far but I've
> some questions:
>
> * Is it correct that the username SASL gets is the UID of the qemu
> process? If yes: what is the plan here (I saw that there's the username
> attribute in the RedSASL struct already)?

No, the SASL username is something that comes from the SPICE client
application. What it looks like will depend on what mechanism you have
enabled. For example, if you have GSSAPI enabled, the SASL username will be
the Kerberos principal name, e.g. fred@xxxxxxxxxxx. If you have Digest-MD5
enabled, then the username is just whatever you configured with the
saslpasswd2 program.

> * Is there a way to pass some information from the VM to SASL (and its
> backend) to have a password per domain and user?

In theory yes, in practice no (or not yet). SASL is a nicely pluggable API,
so in theory you could write a plugin that does what you describe. AFAIK,
there is no such plugin in existence today though.

> * Is support for client certification authentication planned? Together
> with SASL this could be used to identify the user.

I'm not entirely sure what you mean here? Do you mean you want to use x509
client certificates to authenticate users? Conceptually it would be
perfectly possible to combine x509 certs and SASL to get two factor auth.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
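The following is an added example, not part of the original message and not code from SPICE, QEMU or Cyrus SASL. It sketches the per-domain authorization decision discussed in the thread: the SASL identity is matched together with the mechanism that produced it, and an x509 client certificate DN can be required as a second factor. The policy table, domain names, identities and function names are all constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed policy (hypothetical names; not part of SPICE, QEMU or Cyrus SASL).
# Each domain lists the (mechanism, SASL username) pairs allowed to connect and,
# optionally, glob patterns the x509 client certificate DN must also match.
POLICY = {
    "web01": {
        "sasl": {("GSSAPI", "fred@EXAMPLE.COM")},
        "x509_dn": ["CN=fred,O=Example*"],
    },
    "db01": {
        "sasl": {("DIGEST-MD5", "alice")},
        "x509_dn": None,  # SASL only, no client certificate required
    },
}


def valid_identity(mechanism, username):
    """Check that the username has the shape the mechanism produces."""
    if not username or any(ord(c) < 0x20 for c in username):
        return False
    if mechanism == "GSSAPI":
        # Kerberos principal: both user and realm parts must be present.
        user, sep, realm = username.rpartition("@")
        return bool(user and sep and realm)
    # DIGEST-MD5: whatever name was created with saslpasswd2.
    return mechanism == "DIGEST-MD5"


def authorize(domain, mechanism, username, client_dn=None, policy=POLICY):
    """Return True only if every factor the domain requires is satisfied."""
    rule = policy.get(domain)
    if rule is None or not valid_identity(mechanism, username):
        return False  # unknown domain or malformed identity: fail closed
    # Match mechanism and name together, so a sasldb account named like a
    # Kerberos principal cannot stand in for that principal.
    if (mechanism, username) not in rule["sasl"]:
        return False
    patterns = rule["x509_dn"]
    if patterns is None:
        return True
    # Second factor: DN of the already-verified TLS client certificate.
    return client_dn is not None and any(
        fnmatchcase(client_dn, p) for p in patterns)
```

The check assumes the TLS layer has already validated the client certificate chain; it only compares the resulting DN against the policy.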