| commit | c6a9a9f57503a2736c08711a0387c3e7718353ba | |
| author | Daniel P. Berrange <berrange@redhat.com> | |
| Wed, 15 Mar 2017 11:53:22 +0000 (15 11:53 +0000) | ||
| committer | Daniel P. Berrange <berrange@redhat.com> | |
| Tue, 9 May 2017 13:41:47 +0000 (9 14:41 +0100) | ||
| tree | 6000fc6170d35495c03072b5e5fea4c12f4daf4d | treesnapshot (tar.gz zip) |
| parent | dd1559bb267becbb838de41132ef60771d183e5d | commitdiff |
Default to GSSAPI (Kerberos) instead of DIGEST-MD5 for SASL
RFC 6331 documents a number of serious security weaknesses in
the SASL DIGEST-MD5 mechanism. As such, QEMU should not be
using or recommending it as a default mechanism for VNC auth
with SASL.
GSSAPI (Kerberos) is the only other viable SASL mechanism that
can provide secure session encryption so enable that by defalt
as the replacement. If users have TLS enabled for VNC, they can
optionally decide to use SCRAM-SHA-1 instead of GSSAPI, allowing
plain username and password auth.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
RFC 6331 documents a number of serious security weaknesses in
the SASL DIGEST-MD5 mechanism. As such, QEMU should not be
using or recommending it as a default mechanism for VNC auth
with SASL.
GSSAPI (Kerberos) is the only other viable SASL mechanism that
can provide secure session encryption so enable that by defalt
as the replacement. If users have TLS enabled for VNC, they can
optionally decide to use SCRAM-SHA-1 instead of GSSAPI, allowing
plain username and password auth.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
| qemu-doc.texi | diffblobblamehistory | |
| qemu.sasl | diffblobblamehistory |