[libvirt] [PATCH] Switch to GSSAPI (kerberos) instead of the insecure DIGEST-MD5

Michal Privoznik mprivozn at redhat.com
Mon Mar 13 13:54:41 UTC 2017


On 03/13/2017 01:51 PM, Daniel P. Berrange wrote:
> RFC 6331 documents a number of serious security weaknesses in
> the SASL DIGEST-MD5 mechanism. As such, libvirtd should not
> by using it as a default mechanism. GSSAPI is the only other
> viable SASL mechanism that can provide secure session encryption
> so enable that by defalt as the replacement.
> 
> Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
> ---
>  daemon/libvirtd.sasl | 44 +++++++++++++++++---------
>  docs/auth.html.in    | 89 +++++++++++++++++++++++++++++++++++++++++-----------
>  libvirt.spec.in      |  6 ++--
>  3 files changed, 102 insertions(+), 37 deletions(-)

ACK

Michal




More information about the libvir-list mailing list