[libvirt] Information sent in libvirt during the sasl usage and tls

Anastasiya Ruzhanskaya anastasiya.ruzhanskaya at frtk.ru
Mon Nov 26 14:19:34 UTC 2018


Yes, I already disabled it and found out what the rpc protocol looks like.
I just was wondering if something more is sent.

For kerberos, I found quite a good description
https://www.roguelynn.com/words/explain-like-im-5-kerberos/, but it only
says that this ticket is then used in communication. So, I was wondering
how it is used and whether any information about the client is included in
messages after authentication.

Mon, 26 Nov 2018 at 16:02, Michal Privoznik <mprivozn at redhat.com>:

> On 11/26/18 4:51 AM, Anastasiya Ruzhanskaya wrote:
> > Hello everyone!
> >
> > I am trying without any success to decipher traffic from client to server
> > in virt-manager in wireshark, but I don't know the session key there, so
> > seems no chance to do this.
> >
> > This is why I want to ask, is any info related to the certificate sent
> > through the connection? Or if I use kerberos protocol for authentication,
> > will the user id be sent in every message from client to server? Or only
> > during authentication?
>
> This is not really a libvirt question, but I will try to answer it anyway.
>
> Firstly, you can disable TLS and use plain TCP to see libvirt
> packets flying by (e.g. qemu+tcp://localhost/system).
>
> Secondly, TLS is a whole other beast. There is plenty of documentation
> on the internet. The server certificate is not transferred, if it was it
> wouldn't be trustworthy anyway. Instead, server sends a signed message
> and from there and from PKI the client can work out whether the server
> really is who they claim to be. There is a bunch of so-called
> certificate authorities which sign other servers' certificates so that
> a chain of trust can be built. Again, very brief and useless description.
>
> For Kerberos, the username is sent, however only in the kinit phase. At
> this point, the kerberos client gets a so-called ticket which it then uses
> to authenticate to other services (so no username nor password is sent).
>
> Michal
>
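Added example, not code from this thread or from libvirt itself: a small Python decoder for the libvirt RPC framing that the plain-TCP transport exposes, run over a constructed AUTH_LIST call/reply pair, so one can see what each packet header carries (program, version, procedure, type, serial, status) and that any identity material lives only in the procedure payloads. The framing constants and procedure numbers are assumed from libvirt's virnetprotocol.x and remote_protocol.x; the sample bytes are fabricated here.

```python
import struct

# Assumed from libvirt's virnetprotocol.x / remote_protocol.x (not quoted in the thread):
# each packet is a 4-byte big-endian length (counting itself) followed by a
# 24-byte XDR header of six 32-bit fields, then the procedure's XDR payload.
LEN_WORD = 4
HEADER = struct.Struct(">IIiIIi")   # prog, vers, proc, type, serial, status
REMOTE_PROGRAM = 0x20008086
MSG_TYPES = {0: "call", 1: "reply", 2: "event", 3: "stream"}
STATUSES = {0: "ok", 1: "error", 2: "continue"}
AUTH_PROCS = {66: "AUTH_LIST", 67: "AUTH_SASL_INIT",
              68: "AUTH_SASL_START", 69: "AUTH_SASL_STEP"}


def parse_packets(data):
    """Split a raw libvirt RPC byte stream into packets and decode each header."""
    packets, off = [], 0
    while off < len(data):
        (length,) = struct.unpack_from(">I", data, off)
        if length < LEN_WORD + HEADER.size or off + length > len(data):
            raise ValueError(f"bad packet length {length} at offset {off}")
        prog, vers, proc, mtype, serial, status = HEADER.unpack_from(data, off + LEN_WORD)
        if prog != REMOTE_PROGRAM:
            raise ValueError(f"unexpected program 0x{prog:x}")
        packets.append({
            "version": vers,
            "proc": AUTH_PROCS.get(proc, f"proc#{proc}"),
            "type": MSG_TYPES.get(mtype, f"type#{mtype}"),
            "serial": serial,
            "status": STATUSES.get(status, f"status#{status}"),
            "payload": data[off + LEN_WORD + HEADER.size:off + length],
        })
        off += length
    return packets


def build_packet(proc, mtype, serial, payload=b"", status=0):
    """Encode a packet with the same framing; used here only to fabricate sample traffic."""
    body = HEADER.pack(REMOTE_PROGRAM, 1, proc, mtype, serial, status) + payload
    return struct.pack(">I", LEN_WORD + len(body)) + body


# Constructed sample: the client asks which auth mechanisms the server offers,
# and the server replies with an XDR array of one element, REMOTE_AUTH_SASL (=1).
SAMPLE = build_packet(66, 0, 1) + build_packet(66, 1, 1, struct.pack(">II", 1, 1))

if __name__ == "__main__":
    for p in parse_packets(SAMPLE):
        print(p["type"], p["proc"], "serial", p["serial"], p["status"], p["payload"].hex())
```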