# If you want to use VNC remotely without TLS, then you *must* # pick a mechanism which provides session encryption as well # as authentication. # # If you are only using TLS, then you can turn on any mechanisms # you like for authentication, because TLS provides the encryption # # If you are only using UNIX sockets then encryption is not # required at all. # # NB, previously DIGEST-MD5 was set as the default mechanism for # QEMU VNC. Per RFC 6331 this is vulnerable to many serious security # flaws as should no longer be used. Thus GSSAPI is now the default. # # To use GSSAPI requires that a QEMU service principal is # added to the Kerberos server for each host running QEMU. # This principal needs to be exported to the keytab file listed below mech_list: gssapi # If using TLS with VNC, or a UNIX socket only, it is possible to # enable plugins which don't provide session encryption. The # 'scram-sha-1' plugin allows plain username/password authentication # to be performed # #mech_list: scram-sha-1 # You can also list many mechanisms at once, and the VNC server will # negotiate which to use by considering the list enabled on the VNC # client. #mech_list: scram-sha-1 gssapi # Some older builds of MIT kerberos on Linux ignore this option & # instead need KRB5_KTNAME env var. # For modern Linux, and other OS, this should be sufficient # # This file needs to be populated with the service principal that # was created on the Kerberos v5 server. If switching to a non-gssapi # mechanism this can be commented out. keytab: /etc/qemu/krb5.tab # If using scram-sha-1 for username/passwds, then this is the file # containing the passwds. Use 'saslpasswd2 -a qemu [username]' # to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it #sasldb_path: /etc/qemu/passwd.db