[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] Information sent in libvirt during the sasl usage and tls



Yes, I already disabled it and found out how the rpc protocol looks like.
I just was wondering if something more is sent.

For kerberos, I found quite a good description https://www.roguelynn.com/words/explain-like-im-5-kerberos/, but it only says that this ticket is then used in communication. So, I was wondering how it is used and does any information to client in included in messages further after authentication.

пн, 26 нояб. 2018 г. в 16:02, Michal Privoznik <mprivozn redhat com>:
On 11/26/18 4:51 AM, Anastasiya Ruzhanskaya wrote:
> Hello everyone!
>
> I am trying without any success to decipher traffic from client to server
> in virt-manager in wireshark, but I don't know the sessioon key there, so
> seems no chance to do this.
>
> This is why I want to ask, is any info related to the certificate sent
> through the connection?> Or if I use kerberos protocol for authentication,
> will the user id be sent in every message from client to server? Or only
> during authentication?

This is not really a libvirt question, but I will try to answer it anyway.

Firstly, you can use disable TLS and use plain TCP to see libvirt
packets flying by (e.g. qemu+tcp://localhost/system).

Secondly, TLS is a whole another beast. There is plenty of documentation
on the internet. The server certificate is not transferred, if it was it
wouldn't be trustworthy anyway. Instead, server sends a signed message
and from there and from PKI the client can work out whether the server
really is who they claim to be. There is a bunch of so called
certificate authorities which sign other servers certificates so that
chain of trust can be built. Again, very brief and useless description.

For Kerberos, the username is sent, however only in the kinit phase. At
this point, the kerberos client gets so called ticket which it then uses
to authenticate to other services (so no username nor password is sent).

Michal

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]