[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] More logs from libvirt+qemu+VNC+SASL



On 18/12/07 11:57, Daniel P. Berrangé wrote:
> On Fri, Dec 07, 2018 at 12:25:18PM +0100, Tomasz Barański wrote:
> > Hello
> > 
> > I'm working on supporting VNC console on FIPS-enabled oVirt hosts[1]. I
> > made qemu use SASL as authentication method instead of regular passwords.
> > However, no matter what I do, I can't get it to accept credentials provided
> > with a VNC client.
> > 
> > Is there a way to get some qemu/SASL logs? I need to understand why the
> > credentials are not accepted.
> > 
> > Any pointers to docs/code/old bugs appreciated.
> 
> There's not much in way of debugging with SASL server side.
> 
> Client side you can use  --gtk-vnc-debug arg to virt-viewer to see
> messages.
> 
> Can you explain in more detail what you've done to try to make it work ?
> 
> For plain password auth you need...
> 
> In /etc/libvirt/qemu.conf  set (uncomment)
> 
>   vnc_tls = 1
>   vnc_sasl = 1
>   vnc_listen = 0.0.0.0

Check.

> 
> Then setup x509 certificates for the QEMU and your client application

Check.

> 
> THen in /etc/sasl2/qemu.conf
> 
>   mech_list: scram-sha-1
>   sasldb_path: /etc/qemu/passwd.db

Check.

> 
> Now "saslpasswd -a qemu test".

Check.

> 
> Make sure the password file is readable by qemu

...
Facepalm
...
That was it. The db file was readable by root only. I feel so stupid now.

Thank you!

> Regards,
> Daniel

Tomo


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]