[libvirt-users] How to tell spicy client to use SASL authentication?

mordenkainen mordenkainen at zoho.com
Thu Oct 13 22:22:00 UTC 2016


I'm using libvirt in a desktop environment: a single host machine, a pair of users, a few guest machines. My first thought was that a unix socket restricted to a specific group would be enough for authentication. But virsh has power like sudo: you could define a pool on a real device and write anything to it. So I decided to authenticate with a password for each virsh use. I'm using SASL + saslauthd + PAM for that.

/etc/sasl2/libvirt.conf:
  mech_list: PLAIN
  pwcheck_method: saslauthd

/etc/sasl2/qemu.conf:
  mech_list: PLAIN
  pwcheck_method: saslauthd

/etc/pam.d/libvirt:
  auth            requisite       pam_listfile.so item=group sense=allow file=/etc/libvirt/allow_group
  auth            required        pam_tally2.so onerr=succeed
  auth            required        pam_nologin.so
  auth            required        pam_unix.so try_first_pass likeauth nullok
  account         requisite       pam_listfile.so item=group sense=allow file=/etc/libvirt/allow_group
  account         required        pam_nologin.so
  account         required        pam_unix.so

/etc/pam.d/qemu:
  auth            requisite       pam_listfile.so item=group sense=allow file=/etc/libvirt/allow_group
  auth            required        pam_tally2.so onerr=succeed
  auth            required        pam_nologin.so
  auth            required        pam_unix.so try_first_pass likeauth nullok
  account         requisite       pam_listfile.so item=group sense=allow file=/etc/libvirt/allow_group
  account         required        pam_nologin.so
  account         required        pam_unix.so

These are two identical configs, one for libvirt and one for qemu. The first works flawlessly: virsh prompts for a user and password and then logs me in to the shell.

But spicy fails. It prompts only for the password and fails after receiving it, leaving an error message in syslog:

Oct 13 23:24:21 paladin spicy[9001]: GSSAPI client step 1

What steps should I take to get further debug information?



