author Daniel P. Berrange <berrange@redhat.com> 2017-03-15 11:53:22 +0000
committer Daniel P. Berrange <berrange@redhat.com> 2017-05-09 14:41:47 +0100
commit c6a9a9f57503a2736c08711a0387c3e7718353ba
tree 6000fc6170d35495c03072b5e5fea4c12f4daf4d /docs
parent dd1559bb267becbb838de41132ef60771d183e5d
Default to GSSAPI (Kerberos) instead of DIGEST-MD5 for SASL
RFC 6331 documents a number of serious security weaknesses in the SASL DIGEST-MD5 mechanism. As such, QEMU should not be using or recommending it as a default mechanism for VNC auth with SASL. GSSAPI (Kerberos) is the only other viable SASL mechanism that can provide secure session encryption so enable that by default as the replacement. If users have TLS enabled for VNC, they can optionally decide to use SCRAM-SHA-1 instead of GSSAPI, allowing plain username and password auth.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Diffstat (limited to 'docs')
0 files changed, 0 insertions, 0 deletions
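
The rule the commit message states (no DIGEST-MD5, GSSAPI by default, SCRAM-SHA-1 only when TLS protects the VNC session) can be checked mechanically against a Cyrus SASL configuration. The following is an added example, not code from this commit or from QEMU; the function names, sample configs and placeholder paths are constructed for illustration, and the TLS state is passed in by the caller.

```python
# Added example: audit a Cyrus SASL config against the guidance in the commit message.
OBSOLETE = {"digest-md5"}      # moved to historic status by RFC 6331
SELF_ENCRYPTING = {"gssapi"}   # provides its own session encryption layer


def parse_sasl_conf(text):
    """Parse 'key: value' lines; lines starting with '#' are comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip().lower()] = value.strip()
    return opts


def audit_mech_list(text, tls_enabled):
    """Return (mechanism, reason) findings for the config's mech_list."""
    mechs = parse_sasl_conf(text).get("mech_list", "").lower().split()
    if not mechs:
        # Without mech_list, Cyrus SASL offers every installed mechanism.
        return [("*", "mech_list is not set, so no mechanism is excluded")]
    findings = []
    for mech in mechs:
        if mech in OBSOLETE:
            findings.append((mech, "obsoleted by RFC 6331, replace with gssapi"))
        elif mech not in SELF_ENCRYPTING and not tls_enabled:
            findings.append((mech, "no session encryption of its own, requires TLS"))
    return findings


# Constructed sample configs (paths are placeholders).
OLD_DEFAULT = "# old style\nmech_list: digest-md5\nsasldb_path: /path/to/passwd.db\n"
NEW_DEFAULT = "mech_list: gssapi\nkeytab: /path/to/krb5.tab\n"
SCRAM_ONLY = "mech_list: scram-sha-1\nsasldb_path: /path/to/passwd.db\n"

if __name__ == "__main__":
    for name, conf, tls in [("old default", OLD_DEFAULT, False),
                            ("new default", NEW_DEFAULT, False),
                            ("scram, no TLS", SCRAM_ONLY, False),
                            ("scram, TLS", SCRAM_ONLY, True)]:
        print(name, "->", audit_mech_list(conf, tls) or "ok")
```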