[libvirt] More logs from libvirt+qemu+VNC+SASL

Daniel P. Berrangé berrange at redhat.com
Fri Dec 7 11:57:06 UTC 2018

On Fri, Dec 07, 2018 at 12:25:18PM +0100, Tomasz Barański wrote:
> Hello
> I'm working on supporting VNC console on FIPS-enabled oVirt hosts[1]. I
> made qemu use SASL as authentication method instead of regular passwords.
> However, no matter what I do, I can't get it to accept credentials provided
> with a VNC client.
> Is there a way to get some qemu/SASL logs? I need to understand why the
> credentials are not accepted.
> Any pointers to docs/code/old bugs appreciated.

There's not much in way of debugging with SASL server side.

Client side you can use --gtk-vnc-debug arg to virt-viewer to see

Can you explain in more detail what you've done to try to make it work ?

For plain password auth you need...

In /etc/libvirt/qemu.conf set (uncomment)

  vnc_tls = 1
  vnc_sasl = 1
  vnc_listen =

Then setup x509 certificates for the QEMU and your client application

Then in /etc/sasl2/qemu.conf

  mech_list: scram-sha-1
  sasldb_path: /etc/qemu/passwd.db

Now "saslpasswd -a qemu test".

Make sure the password file is readable by qemu

 chown qemu.qemu /etc/qemu/passwd.db

Finally "systemctl restart libvirtd", and start a guest

Note that TLS is required these days since there is no plain password
auth mechanism for SASL that provides a sane level of security without
TLS. In particular digest-md5 is not acceptable. The only exception
to this is Kerberos (GSSAPI) which can provide encryption without
needing TLS, but even then we'd recommend TLS.

|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
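As an added example (not libvirt's code and not part of this thread), the following script checks a host against the rules Daniel lays out above: SASL must run over TLS unless the only mechanism offered is GSSAPI, digest-md5 is never acceptable, and the sasldb must be owned by the QEMU user and not readable by everyone. The config snippets are constructed samples in the two file formats the message shows (`key = value` for /etc/libvirt/qemu.conf, `key: value` for /etc/sasl2/qemu.conf); the file paths and the `qemu` user name are taken from the message, the `0.0.0.0` listen address is an assumed sample value.

```python
"""Audit libvirt's QEMU VNC auth settings and the SASL mechanism list for the
weak combinations discussed in the thread. Added example, not libvirt code."""
import os
import pwd
import re
import stat


def parse_libvirt_conf(text):
    """Parse the `key = value` style of /etc/libvirt/qemu.conf.
    Comments are dropped, surrounding quotes stripped, last assignment wins.
    (A '#' inside a quoted value is not handled; sufficient for these keys.)"""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^(\w+)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings


def parse_sasl_conf(text):
    """Parse the `key: value` style of /etc/sasl2/qemu.conf."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([\w.]+)\s*:\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def audit_vnc_auth(qemu_conf, sasl_conf):
    """Return a list of findings (empty means the combination is acceptable).
    Rules: SASL must sit on TLS unless only GSSAPI (Kerberos) is offered,
    and digest-md5 is never acceptable."""
    q = parse_libvirt_conf(qemu_conf)
    s = parse_sasl_conf(sasl_conf)
    findings = []
    sasl_on = q.get("vnc_sasl") == "1"
    tls_on = q.get("vnc_tls") == "1"
    mechs = set(s.get("mech_list", "").lower().split())
    if not sasl_on:
        return ["vnc_sasl is not enabled, so SASL authentication is not in use"]
    if "digest-md5" in mechs:
        findings.append("mech_list offers digest-md5, which is not acceptable")
    if not tls_on and (mechs - {"gssapi"}):
        findings.append("vnc_sasl=1 without vnc_tls=1: non-GSSAPI mechanisms "
                        "are exposed without TLS")
    if not mechs:
        findings.append("mech_list is missing, so the mechanism set is not pinned")
    return findings


def check_sasldb(path, owner="qemu"):
    """Check that the SASL password database exists, belongs to the QEMU user
    (the `chown qemu.qemu` step) and is not readable by other users."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist"]
    try:
        actual = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:  # uid without a passwd entry (e.g. inside a container)
        actual = str(st.st_uid)
    findings = []
    if actual != owner:
        findings.append(f"{path} is owned by {actual}, expected {owner}")
    if st.st_mode & stat.S_IROTH:
        findings.append(f"{path} is world-readable")
    return findings


# Constructed sample configs: a weak host and the hardened one from the thread.
WEAK_QEMU_CONF = """\
# vnc_tls = 1          # still commented out
vnc_sasl = 1
vnc_listen = "0.0.0.0"
"""
WEAK_SASL_CONF = """\
mech_list: digest-md5 scram-sha-1
sasldb_path: /etc/qemu/passwd.db
"""
HARDENED_QEMU_CONF = """\
vnc_tls = 1
vnc_sasl = 1
"""
HARDENED_SASL_CONF = """\
mech_list: scram-sha-1
sasldb_path: /etc/qemu/passwd.db
"""

if __name__ == "__main__":
    for name, q, s in [("weak", WEAK_QEMU_CONF, WEAK_SASL_CONF),
                       ("hardened", HARDENED_QEMU_CONF, HARDENED_SASL_CONF)]:
        print(name, audit_vnc_auth(q, s) or ["ok"])
    print("sasldb", check_sasldb("/etc/qemu/passwd.db") or ["ok"])
```

On a real host, point `audit_vnc_auth` at the contents of the two files and `check_sasldb` at the `sasldb_path` value; a clean run prints `ok` three times.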
