[libvirt-users] acceptable SASL mechanisms/can libvirt authenticate against PAM

Daniel P. Berrange berrange at redhat.com
Wed Dec 14 14:34:01 UTC 2011


On Wed, Dec 14, 2011 at 09:27:51AM -0500, Dave Allan wrote:
> On Wed, Dec 14, 2011 at 09:13:32AM +0000, Daniel P. Berrange wrote:
> > On Tue, Dec 13, 2011 at 10:57:25PM -0500, Dave Allan wrote:
> > > I was playing with SASL authentication a bit today and I wasn't able
> > > to get libvirt to authenticate against PAM (or anything else except
> > > the sasldb, although I didn't try Kerberos).  Does anybody know off
> > > the top of their head what mechanisms/password check options work?
> > > I'm trying to figure out if I'm attempting the impossible.
> > 
> > If you are configuring SASL for the TCP socket it will refuse to use
> > SASL mechanisms which do not support encryption, which is all of them
> > except Kerberos or Digest-MD5.
> > 
> > If you are configuring SASL for the TLS socket it will allow any
> > SASL mechanism, since TLS provides the encryption.
> 
> Ah, I left out the most salient detail: I was trying it on the unix rw
> socket.  libvirtd.conf says "For non-TCP or TLS sockets, any scheme is
> allowed."  The way I read that, I'd expect any scheme to work with the
> unix rw socket, is that right?

It should allow any scheme with UNIX sockets, but I doubt we've
tested that to make sure.


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
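
The per-socket rule described in this thread, written as a configuration check. This is an added example, not part of the original message and not libvirt code. It assumes the auth_* keys of libvirtd.conf and a Cyrus SASL mech_list line (usually in /etc/sasl2/libvirt.conf) shared by all sockets; the function names and both sample configurations are constructed for illustration.

```python
import re

# Mechanisms the thread names as doing their own encryption
# (Kerberos appears as GSSAPI in a SASL mech_list).
ENCRYPTING = {"GSSAPI", "DIGEST-MD5"}
# libvirtd.conf auth keys and the kind of socket each one governs.
SOCKET_KEYS = {"auth_tcp": "tcp", "auth_tls": "tls",
               "auth_unix_rw": "unix", "auth_unix_ro": "unix"}

def parse_libvirtd_conf(text):
    """Return {key: value} for key = "value" lines, skipping comments."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r'^(\w+)\s*=\s*"([^"]*)"$', line)
        if m:
            out[m.group(1)] = m.group(2)
    return out

def parse_mech_list(text):
    """Return upper-cased mechanism names from a 'mech_list:' line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.lower().startswith("mech_list:"):
            return [m.upper() for m in line.split(":", 1)[1].split()]
    return []

def check(libvirtd_text, sasl_text):
    """For each socket set to "sasl", split mech_list into usable/refused."""
    conf = parse_libvirtd_conf(libvirtd_text)
    mechs = parse_mech_list(sasl_text)
    result = {}
    for key, kind in SOCKET_KEYS.items():
        if conf.get(key) != "sasl":
            continue  # socket does not use SASL, nothing to check
        # Plain TCP: only self-encrypting mechanisms are accepted.
        # TLS: any mechanism. UNIX: any expected, untested per the thread.
        usable = [m for m in mechs if kind != "tcp" or m in ENCRYPTING]
        result[key] = {"usable": usable,
                       "refused": [m for m in mechs if m not in usable]}
    return result

# Constructed sample configuration, not taken from the thread.
LIBVIRTD = '''listen_tcp = 1
auth_tcp = "sasl"
auth_tls = "none"
auth_unix_rw = "sasl"
#auth_unix_ro = "sasl"
'''
SASL = "mech_list: plain digest-md5\n"

if __name__ == "__main__":
    for key, verdict in check(LIBVIRTD, SASL).items():
        print(key, verdict)
```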



