diff options
author | Daniel P. Berrangé | 2021-03-04 19:14:26 +0100 |
---|---|---|
committer | Daniel P. Berrangé | 2021-06-14 14:28:50 +0200 |
commit | e2bf32dfabbfe6aabde4a0400b25b768b4481785 (patch) | |
tree | c10497865daf809209291f1d8ce44052b23fa1cd /docs | |
parent | docs: document usage of the authorization framework (diff) | |
download | qemu-e2bf32dfabbfe6aabde4a0400b25b768b4481785.tar.gz qemu-e2bf32dfabbfe6aabde4a0400b25b768b4481785.tar.xz qemu-e2bf32dfabbfe6aabde4a0400b25b768b4481785.zip |
docs: recommend SCRAM-SHA-256 SASL mech instead of SHA-1 variant
The SHA-256 variant better meats modern security expectations.
Also warn that the password file is storing entries in clear
text.
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Diffstat (limited to 'docs')
-rw-r--r-- | docs/system/vnc-security.rst | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/docs/system/vnc-security.rst b/docs/system/vnc-security.rst index 830f6acc73..4c1769eeb8 100644 --- a/docs/system/vnc-security.rst +++ b/docs/system/vnc-security.rst @@ -168,7 +168,7 @@ used is drastically reduced. In fact only the GSSAPI SASL mechanism provides an acceptable level of security by modern standards. Previous versions of QEMU referred to the DIGEST-MD5 mechanism, however, it has multiple serious flaws described in detail in RFC 6331 and thus should -never be used any more. The SCRAM-SHA-1 mechanism provides a simple +never be used any more. The SCRAM-SHA-256 mechanism provides a simple username/password auth facility similar to DIGEST-MD5, but does not support session encryption, so can only be used in combination with TLS. @@ -191,11 +191,12 @@ reasonable configuration is :: - mech_list: scram-sha-1 + mech_list: scram-sha-256 sasldb_path: /etc/qemu/passwd.db The ``saslpasswd2`` program can be used to populate the ``passwd.db`` -file with accounts. +file with accounts. Note that the ``passwd.db`` file stores passwords +in clear text. Other SASL configurations will be left as an exercise for the reader. Note that all mechanisms, except GSSAPI, should be combined with use of |