diff options
| author | Peter Maydell <peter.maydell@linaro.org> | 2021-06-14 15:59:13 +0100 |
|---|---|---|
| committer | Peter Maydell <peter.maydell@linaro.org> | 2021-06-14 15:59:13 +0100 |
| commit | 1ea06abceec61b6f3ab33dadb0510b6e09fb61e2 (patch) | |
| tree | 4b76a98d9104f81de9d8b337e470eacd1e04dfe5 /docs/system/vnc-security.rst | |
| parent | fbe7919ecee8d525ccd107027d73d877cd4eccc4 (diff) | |
| parent | 970bc16f60937bcfd334f14c614bd4407c247961 (diff) | |
Merge remote-tracking branch 'remotes/berrange-gitlab/tags/misc-fixes-pull-request' into staging
Merge misc patches
# gpg: Signature made Mon 14 Jun 2021 15:14:48 BST
# gpg: using RSA key DAF3A6FDB26B62912D0E8E3FBE86EBB415104FDF
# gpg: Good signature from "Daniel P. Berrange <dan@berrange.com>" [full]
# gpg: aka "Daniel P. Berrange <berrange@redhat.com>" [full]
# Primary key fingerprint: DAF3 A6FD B26B 6291 2D0E 8E3F BE86 EBB4 1510 4FDF
* remotes/berrange-gitlab/tags/misc-fixes-pull-request:
usb/dev-mtp: use GDateTime for formatting timestamp for objects
block: use GDateTime for formatting timestamp when dumping snapshot info
migration: use GDateTime for formatting timestamp in snapshot names
block: remove duplicate trace.h include
block: add trace point when fdatasync fails
block: preserve errno from fdatasync failures
softmmu: add trace point when bdrv_flush_all fails
migration: add trace point when vm_stop_force_state fails
sasl: remove comment about obsolete kerberos versions
docs: recommend SCRAM-SHA-256 SASL mech instead of SHA-1 variant
docs: document usage of the authorization framework
docs: document how to pass secret data to QEMU
docs: add table of contents to QAPI references
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'docs/system/vnc-security.rst')
| -rw-r--r-- | docs/system/vnc-security.rst | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/docs/system/vnc-security.rst b/docs/system/vnc-security.rst index 830f6acc73..4c1769eeb8 100644 --- a/docs/system/vnc-security.rst +++ b/docs/system/vnc-security.rst @@ -168,7 +168,7 @@ used is drastically reduced. In fact only the GSSAPI SASL mechanism provides an acceptable level of security by modern standards. Previous versions of QEMU referred to the DIGEST-MD5 mechanism, however, it has multiple serious flaws described in detail in RFC 6331 and thus should -never be used any more. The SCRAM-SHA-1 mechanism provides a simple +never be used any more. The SCRAM-SHA-256 mechanism provides a simple username/password auth facility similar to DIGEST-MD5, but does not support session encryption, so can only be used in combination with TLS. @@ -191,11 +191,12 @@ reasonable configuration is :: - mech_list: scram-sha-1 + mech_list: scram-sha-256 sasldb_path: /etc/qemu/passwd.db The ``saslpasswd2`` program can be used to populate the ``passwd.db`` -file with accounts. +file with accounts. Note that the ``passwd.db`` file stores passwords +in clear text. Other SASL configurations will be left as an exercise for the reader. Note that all mechanisms, except GSSAPI, should be combined with use of |