[libvirt] More logs from libvirt+qemu+VNC+SASL
Tomasz Barański
tbaransk at redhat.com
Fri Dec 7 15:17:39 UTC 2018
On 18/12/07 11:57, Daniel P. Berrangé wrote:
> On Fri, Dec 07, 2018 at 12:25:18PM +0100, Tomasz Barański wrote:
> > Hello
> >
> > I'm working on supporting VNC console on FIPS-enabled oVirt hosts[1]. I
> > made qemu use SASL as authentication method instead of regular passwords.
> > However, no matter what I do, I can't get it to accept credentials provided
> > with a VNC client.
> >
> > Is there a way to get some qemu/SASL logs? I need to understand why the
> > credentials are not accepted.
> >
> > Any pointers to docs/code/old bugs appreciated.
>
> There's not much in the way of debugging with SASL server side.
>
> Client side you can use --gtk-vnc-debug arg to virt-viewer to see
> messages.
>
> Can you explain in more detail what you've done to try to make it work?
>
> For plain password auth you need...
>
> In /etc/libvirt/qemu.conf set (uncomment)
>
> vnc_tls = 1
> vnc_sasl = 1
> vnc_listen = 0.0.0.0
Check.
>
> Then set up x509 certificates for the QEMU and your client application
Check.
>
> Then in /etc/sasl2/qemu.conf
>
> mech_list: scram-sha-1
> sasldb_path: /etc/qemu/passwd.db
Check.
>
> Now "saslpasswd -a qemu test".
Check.
>
> Make sure the password file is readable by qemu
...
Facepalm
...
That was it. The db file was readable by root only. I feel so stupid now.
Thank you!
> Regards,
> Daniel
Tomo
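
The root cause found in this thread (a sasldb file readable by root only) can be checked directly. The following is an added example, not part of the original messages: it reads `sasldb_path` from a SASL config and evaluates the file's owner/group/other read bits for a given account. The function names are hypothetical, GNU `stat` is assumed, and ACLs, SELinux labels and parent-directory permissions are not evaluated.

```shell
#!/bin/sh
# Added example: does the account QEMU runs as have read access (by mode bits)
# to the sasldb file named in a SASL config such as /etc/sasl2/qemu.conf?

# Print the sasldb_path value from a SASL config file (last occurrence wins).
sasldb_path_from_conf() {
    sed -n 's/^[[:space:]]*sasldb_path:[[:space:]]*//p' "$1" | tail -n 1
}

# mode_allows_read FILE UID [GID...]
# Return 0 if the classic permission bits grant read access to UID with the
# given group memberships, 1 if they do not, 2 if FILE cannot be stat'ed.
mode_allows_read() {
    file=$1; uid=$2; shift 2
    info=$(stat -c '%a %u %g' "$file") || return 2
    mode=$((0${info%% *}))            # octal mode string -> integer
    rest=${info#* }; owner=${rest%% *}; group=${rest#* }
    [ "$uid" -eq 0 ] && return 0      # root bypasses mode bits
    if [ "$uid" -eq "$owner" ]; then
        bit=256                       # 0400: owner read
    else
        bit=4                         # 0004: other read
        for gid in "$@"; do
            [ "$gid" -eq "$group" ] && bit=32   # 0040: group read
        done
    fi
    [ $((mode & bit)) -ne 0 ]
}

# check_sasldb CONF USER: report whether USER can read the configured db.
check_sasldb() {
    conf=$1; user=$2
    db=$(sasldb_path_from_conf "$conf")
    [ -n "$db" ] || { echo "no sasldb_path in $conf" >&2; return 2; }
    # id -G prints the user's group ids; word splitting is intended here.
    if mode_allows_read "$db" "$(id -u "$user")" $(id -G "$user"); then
        echo "$db: readable by $user"
    else
        echo "$db: NOT readable by $user"; ls -l "$db"; return 1
    fi
}

# Run only when called with arguments, e.g.:
#   sh check.sh /etc/sasl2/qemu.conf qemu   (account name is an assumption)
if [ $# -ge 2 ]; then check_sasldb "$1" "$2"; fi
```

If the check fails, giving the QEMU account group ownership with mode 0640 keeps the password database unreadable to other local users.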