[libvirt] Information sent in libvirt during the sasl usage and tls

Michal Privoznik mprivozn at redhat.com
Mon Nov 26 13:02:14 UTC 2018


On 11/26/18 4:51 AM, Anastasiya Ruzhanskaya wrote:
> Hello everyone!
> 
> I am trying without any success to decipher traffic from client to server
> in virt-manager in wireshark, but I don't know the session key there, so
> seems no chance to do this.
> 
> This is why I want to ask, is any info related to the certificate sent
> through the connection? Or if I use kerberos protocol for authentication,
> will the user id be sent in every message from client to server? Or only
> during authentication?

This is not really a libvirt question, but I will try to answer it anyway.

Firstly, you can disable TLS and use plain TCP to see libvirt
packets flying by (e.g. qemu+tcp://localhost/system).

Secondly, TLS is a whole other beast. There is plenty of documentation
on the internet. The server certificate is not transferred; if it was, it
wouldn't be trustworthy anyway. Instead, the server sends a signed message,
and from there and from PKI the client can work out whether the server
really is who they claim to be. There is a bunch of so-called
certificate authorities which sign other servers' certificates so that
a chain of trust can be built. Again, very brief and useless description.

For Kerberos, the username is sent, however only in the kinit phase. At
this point, the Kerberos client gets a so-called ticket which it then uses
to authenticate to other services (so no username or password is sent).

Michal



