docs: recommend SCRAM-SHA-256 SASL mech instead of SHA-1 variant

The SHA-256 variant better meets modern security expectations.
Also warn that the password file is storing entries in clear
text.

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Daniel P. Berrangé 2021-03-04 18:14:26 +00:00
parent 1c45af36e7
commit e2bf32dfab
2 changed files with 10 additions and 8 deletions

@ -168,7 +168,7 @@ used is drastically reduced. In fact only the GSSAPI SASL mechanism
provides an acceptable level of security by modern standards. Previous provides an acceptable level of security by modern standards. Previous
versions of QEMU referred to the DIGEST-MD5 mechanism, however, it has versions of QEMU referred to the DIGEST-MD5 mechanism, however, it has
multiple serious flaws described in detail in RFC 6331 and thus should multiple serious flaws described in detail in RFC 6331 and thus should
never be used any more. The SCRAM-SHA-1 mechanism provides a simple never be used any more. The SCRAM-SHA-256 mechanism provides a simple
username/password auth facility similar to DIGEST-MD5, but does not username/password auth facility similar to DIGEST-MD5, but does not
support session encryption, so can only be used in combination with TLS. support session encryption, so can only be used in combination with TLS.
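Review bot: the rewritten sentence silently replaces SCRAM-SHA-1 with SCRAM-SHA-256 but gives no guidance to readers who already deployed the SHA-1 mechanism that the previous docs recommended; unlike DIGEST-MD5 (explicitly "should never be used any more"), SCRAM-SHA-1 is not classified here at all. Suggest one sentence after "...can only be used in combination with TLS." stating that SCRAM-SHA-1 remains usable for existing deployments but that SCRAM-SHA-256 should be preferred for new configurations, so the reader knows whether a migration is required or merely recommended.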
@ -191,11 +191,12 @@ reasonable configuration is
:: ::
mech_list: scram-sha-1 mech_list: scram-sha-256
sasldb_path: /etc/qemu/passwd.db sasldb_path: /etc/qemu/passwd.db
The ``saslpasswd2`` program can be used to populate the ``passwd.db`` The ``saslpasswd2`` program can be used to populate the ``passwd.db``
file with accounts. file with accounts. Note that the ``passwd.db`` file stores passwords
in clear text.
Other SASL configurations will be left as an exercise for the reader. Other SASL configurations will be left as an exercise for the reader.
Note that all mechanisms, except GSSAPI, should be combined with use of Note that all mechanisms, except GSSAPI, should be combined with use of
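Review bot: the added note "the ``passwd.db`` file stores passwords in clear text" names the hazard without the mitigation a reader needs. Suggest extending it with the required handling, e.g. that the file must be owned by the user QEMU runs as and be readable by nobody else (mode 0600), and that it should be excluded from world-readable backups. It would also help to show the actual population command here, consistent with the ``qemu.sasl`` comment in the same commit, i.e. ``saslpasswd2 -a qemu -f /etc/qemu/passwd.db <username>``, rather than just naming the program.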

@ -19,15 +19,15 @@ mech_list: gssapi
# If using TLS with VNC, or a UNIX socket only, it is possible to # If using TLS with VNC, or a UNIX socket only, it is possible to
# enable plugins which don't provide session encryption. The # enable plugins which don't provide session encryption. The
# 'scram-sha-1' plugin allows plain username/password authentication # 'scram-sha-256' plugin allows plain username/password authentication
# to be performed # to be performed
# #
#mech_list: scram-sha-1 #mech_list: scram-sha-256
# You can also list many mechanisms at once, and the VNC server will # You can also list many mechanisms at once, and the VNC server will
# negotiate which to use by considering the list enabled on the VNC # negotiate which to use by considering the list enabled on the VNC
# client. # client.
#mech_list: scram-sha-1 gssapi #mech_list: scram-sha-256 gssapi
# Some older builds of MIT kerberos on Linux ignore this option & # Some older builds of MIT kerberos on Linux ignore this option &
# instead need KRB5_KTNAME env var. # instead need KRB5_KTNAME env var.
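Review bot: the comment now tells the admin to enable the 'scram-sha-256' plugin but says nothing about which Cyrus SASL release provides it; the SHA-1 variant has been available far longer, so an older distro build may silently lack the SHA-256 plugin and the VNC server will then offer no usable mechanism. Suggest a short note at the 'scram-sha-256' plugin line (L39-L40) stating the minimum Cyrus SASL version required, and pointing at `pluginviewer`/`saslpluginviewer` as the way to confirm the mechanism is actually installed before committing to it in `mech_list`.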
@ -38,7 +38,8 @@ mech_list: gssapi
# mechanism this can be commented out. # mechanism this can be commented out.
keytab: /etc/qemu/krb5.tab keytab: /etc/qemu/krb5.tab
# If using scram-sha-1 for username/passwds, then this is the file # If using scram-sha-256 for username/passwds, then this is the file
# containing the passwds. Use 'saslpasswd2 -a qemu [username]' # containing the passwds. Use 'saslpasswd2 -a qemu [username]'
# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it # to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it.
# Note that this file stores passwords in clear text.
#sasldb_path: /etc/qemu/passwd.db #sasldb_path: /etc/qemu/passwd.db
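Review bot: the usage hint 'saslpasswd2 -a qemu [username]' omits the `-f` option, so the entry is written to the library's default sasldb rather than to the `/etc/qemu/passwd.db` configured on the next line; only the `sasldblistusers2 -f [sasldb_path]` half of the comment is consistent with the configured path. Suggest 'saslpasswd2 -a qemu -f [sasldb_path] [username]' so both commands address the same file. The new clear-text note would also benefit from the permission guidance (owned by the QEMU user, mode 0600), since a config file is exactly where an admin copies such settings from.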