[libvirt] [PATCH] Switch to GSSAPI (kerberos) instead of the insecure DIGEST-MD5
Ján Tomko
jtomko at redhat.com
Mon Mar 13 14:01:12 UTC 2017
On Mon, Mar 13, 2017 at 12:51:40PM +0000, Daniel P. Berrange wrote:
>RFC 6331 documents a number of serious security weaknesses in
>the SASL DIGEST-MD5 mechanism. As such, libvirtd should not
>be using it as a default mechanism. GSSAPI is the only other
>viable SASL mechanism that can provide secure session encryption
>so enable that by default as the replacement.
>
>
>diff --git a/daemon/libvirtd.sasl b/daemon/libvirtd.sasl
>index 5e2528d..2be99ef 100644
>--- a/daemon/libvirtd.sasl
>+++ b/daemon/libvirtd.sasl
>+# If you are only using UNIX, sockets then encryption is not
>+# required at all.
>+#
>+# Since SASL is the default for the libvirtd non-TLS socket, we
>+# pick a strong mechanism by default.
>+#
>+# NB, previously DIGEST-MD5 was set as the default mechanism for
>+# libvirt. Per RFC 6331 this is vulnerable to many serious security
>+# flaws as should no longer be used. Thus GSSAPI is now the default.
s/as/and/
>+#
>+# To use GSSAPI requires that a libvirtd service principal is
>+# added to the Kerberos server for each host running libvirtd.
>+# This principal needs to be exported to the keytab file listed below
>+mech_list: gssapi
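Review bot: the new comment block above `mech_list: gssapi` does not tell an existing deployment what happens on upgrade: any client that was authenticating against the TCP listener with the old DIGEST-MD5 default will stop working until a libvirtd service principal exists in the keytab. Suggest adding a sentence to the comment saying that sites which cannot deploy Kerberos must set `mech_list: digest-md5` explicitly (accepting the RFC 6331 risk) or move their clients to the TLS listener, and a NEWS entry for the changed default. Also, "If you are only using UNIX, sockets" has a stray comma after UNIX.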
>diff --git a/docs/auth.html.in b/docs/auth.html.in
>index 08feacc..9f2e317 100644
>--- a/docs/auth.html.in
>+++ b/docs/auth.html.in
>@@ -204,16 +204,71 @@ ResultActive=yes</pre>
>+Libvirt integrates with the cyrus-sasl library to provide a pluggable authentication
>+system using the SASL protocol. SASL can be used in combination with libvirtd's TLS
>+or TCP socket listeners. When used with the TCP listener, the SASL mechanism is
>+rqeuired to provide session encryption in addition to authentication. Only a very
>+few SASL mechanisms are able todo this, and of those that can do it, only the
s/todo/to do/
>+GSSAPI plugin is considered acceptably secure by modern standards:
>+ </p>
>+
>+ <dl>
>+ <dt>GSSAPI</dt>
>+ <dd><strong>This is the current default mechanism to use with libvirtd</strong>.
>+ It uses the Kerberos v5 authentication protocol underneath, and assuming
>+ the Kerberos client/server are configured with modern ciphers (AES),
>+ it provides strong session encryption capabilities.</dd>
>+
>+ <dt>DIGEST-MD5</dt>
>+ <dd>This was previously set as the default mechanism to use with libvirtd.
>+ It provides a simple username/password based authentication mechanism
>+ that includes session encryption.
>+ <a href="https://tools.ietf.org/html/rfc6331">RFC 6331</a>, however,
>+ documents a number of serious security flaws with DIGEST-MD5 and as a
>+ result marks it as <code>OBSOLETE</code>. Specific concerns are that
>+ it is vulnerable to MITM attacks and the MD5 hash can be brute-forced
>+ to reveal the password. A replacement is provided via the SCRAM mechanism,
>+ however, note that this is does not provide encryption, so the SCRAM
s/is //
>+ mechanism can only be used on the libvirtd TLS listener.
>+ </dd>
>+
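Review bot: "rqeuired" on the line "the SASL mechanism is rqeuired to provide session encryption" should be "required". In the GSSAPI entry, "modern ciphers (AES)" would be more precise as Kerberos encryption types (the AES enctypes), since that is what an administrator has to configure on the KDC and in the keytab. In the DIGEST-MD5 entry, since the text explains that it used to be the default, it should also say how to re-enable it deliberately (via `mech_list` in libvirtd.sasl) for sites that cannot deploy Kerberos yet, so readers do not assume it has been removed.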
Jan