[libvirt] [PATCH] Switch to GSSAPI (kerberos) instead of the insecure DIGEST-MD5

Ján Tomko jtomko at redhat.com
Mon Mar 13 14:01:12 UTC 2017


On Mon, Mar 13, 2017 at 12:51:40PM +0000, Daniel P. Berrange wrote:
>RFC 6331 documents a number of serious security weaknesses in
>the SASL DIGEST-MD5 mechanism. As such, libvirtd should not
>by using it as a default mechanism. GSSAPI is the only other
>viable SASL mechanism that can provide secure session encryption
>so enable that by defalt as the replacement.
>

>
>diff --git a/daemon/libvirtd.sasl b/daemon/libvirtd.sasl
>index 5e2528d..2be99ef 100644
>--- a/daemon/libvirtd.sasl
>+++ b/daemon/libvirtd.sasl
>+# If you are only using UNIX, sockets then encryption is not
>+# required at all.
>+#
>+# Since SASL is the default for the libvirtd non-TLS socket, we
>+# pick a strong mechanism by default.
>+#
>+# NB, previously DIGEST-MD5 was set as the default mechanism for
>+# libvirt. Per RFC 6331 this is vulnerable to many serious security
>+# flaws as should no longer be used. Thus GSSAPI is now the default.

s/as/and/

>+#
>+# To use GSSAPI requires that a libvirtd service principal is
>+# added to the Kerberos server for each host running libvirtd.
>+# This principal needs to be exported to the keytab file listed below
>+mech_list: gssapi
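
Review bot: the comma in "If you are only using UNIX, sockets then encryption is not required at all." is misplaced; it should read "If you are only using UNIX sockets, then encryption is not required at all." The same comment block has "as should no longer be used" where "and should no longer be used" is meant. Since this hunk flips the shipped default from DIGEST-MD5 to GSSAPI, any existing deployment that authenticates against a sasldb with DIGEST-MD5 stops accepting connections on upgrade with no hint in the file; a comment line here showing how to opt back in for a transition period (an explicit `mech_list: digest-md5`, with the RFC 6331 caveat restated) would save admins a surprise. Also, "the keytab file listed below" should be checked against the keytab setting that follows this comment so the cross-reference stays accurate if that setting moves or is renamed.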

>diff --git a/docs/auth.html.in b/docs/auth.html.in
>index 08feacc..9f2e317 100644
>--- a/docs/auth.html.in
>+++ b/docs/auth.html.in
>@@ -204,16 +204,71 @@ ResultActive=yes</pre>
>+Libvirt integrates with the cyrus-sasl library to provide a pluggable authentication
>+system using the SASL protocol. SASL can be used in combination with libvirtd's TLS
>+or TCP socket listeners. When used with the TCP listener, the SASL mechanism is
>+rqeuired to provide session encryption in addition to authentication. Only a very
>+few SASL mechanisms are able todo this, and of those that can do it, only the

s/todo/to do/

>+GSSAPI plugin is considered acceptably secure by modern standards:
>+    </p>
>+
>+    <dl>
>+      <dt>GSSAPI</dt>
>+      <dd><strong>This is the current default mechanism to use with libvirtd</strong>.
>+        It uses the Kerberos v5 authentication protocol underneath, and assuming
>+        the Kerberos client/server are configured with modern ciphers (AES),
>+        it provides strong session encryption capabilities.</dd>
>+
>+      <dt>DIGEST-MD5</dt>
>+      <dd>This was previously set as the default mechanism to use with libvirtd.
>+        It provides a simple username/password based authentication mechanism
>+        that includes session encryption.
>+        <a href="https://tools.ietf.org/html/rfc6331">RFC 6331</a>, however,
>+        documents a number of serious security flaws with DIGEST-MD5 and as a
>+        result marks it as <code>OBSOLETE</code>. Specific concerns are that
>+        it is vulnerable to MITM attacks and the MD5 hash can be brute-forced
>+        to reveal the password. A replacement is provided via the SCRAM mechanism,
>+        however, note that this is does not provide encryption, so the SCRAM

s/is //

>+        mechanism can only be used on the libvirtd TLS listener.
>+      </dd>
>+
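
Review bot: "rqeuired" in the first paragraph should be "required", "able todo this" should be "able to do this", and "this is does not provide encryption" should drop the "is". In the DIGEST-MD5 entry, "the MD5 hash can be brute-forced to reveal the password" overstates the mechanics: the weakness is that an attacker who captures a challenge/response exchange can run an offline dictionary attack against the password, not that MD5 itself is inverted, so "is susceptible to offline dictionary attacks on the password" would be more accurate. In the GSSAPI entry, the claim that strong session encryption holds "assuming the Kerberos client/server are configured with modern ciphers (AES)" deserves a concrete pointer: the encryption types enabled on the KDC and the keys present in the libvirtd keytab both need checking, since a keytab that only carries legacy encryption types gives weaker session protection than this text implies.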

Jan