aboutsummaryrefslogtreecommitdiff
path: root/docs/system/vnc-security.texi
blob: abf7f7fa43aa8a2bafb44f337e16d69c57f89497 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
@node vnc_security
@section VNC security

The VNC server capability provides access to the graphical console
of the guest VM across the network. This has a number of security
considerations depending on the deployment scenarios.

@menu
* vnc_sec_none::
* vnc_sec_password::
* vnc_sec_certificate::
* vnc_sec_certificate_verify::
* vnc_sec_certificate_pw::
* vnc_sec_sasl::
* vnc_sec_certificate_sasl::
* vnc_setup_sasl::
@end menu
@node vnc_sec_none
@subsection Without passwords

The simplest VNC server setup does not include any form of authentication.
For this setup it is recommended to restrict it to listen on a UNIX domain
socket only. For example

@example
@value{qemu_system} [...OPTIONS...] -vnc unix:/home/joebloggs/.qemu-myvm-vnc
@end example

This ensures that only users on local box with read/write access to that
path can access the VNC server. To securely access the VNC server from a
remote machine, a combination of netcat+ssh can be used to provide a secure
tunnel.

@node vnc_sec_password
@subsection With passwords

The VNC protocol has limited support for password based authentication. Since
the protocol limits passwords to 8 characters it should not be considered
to provide high security. The password can be fairly easily brute-forced by
a client making repeat connections. For this reason, a VNC server using password
authentication should be restricted to only listen on the loopback interface
or UNIX domain sockets. Password authentication is not supported when operating
in FIPS 140-2 compliance mode as it requires the use of the DES cipher. Password
authentication is requested with the @code{password} option, and then once QEMU
is running the password is set with the monitor. Until the monitor is used to
set the password all clients will be rejected.

@example
@value{qemu_system} [...OPTIONS...] -vnc :1,password -monitor stdio
(qemu) change vnc password
Password: ********
(qemu)
@end example

@node vnc_sec_certificate
@subsection With x509 certificates

The QEMU VNC server also implements the VeNCrypt extension allowing use of
TLS for encryption of the session, and x509 certificates for authentication.
The use of x509 certificates is strongly recommended, because TLS on its
own is susceptible to man-in-the-middle attacks. Basic x509 certificate
support provides a secure session, but no authentication. This allows any
client to connect, and provides an encrypted session.

@example
@value{qemu_system} [...OPTIONS...] \
  -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=no \
  -vnc :1,tls-creds=tls0 -monitor stdio
@end example

In the above example @code{/etc/pki/qemu} should contain at least three files,
@code{ca-cert.pem}, @code{server-cert.pem} and @code{server-key.pem}. Unprivileged
users will want to use a private directory, for example @code{$HOME/.pki/qemu}.
NB the @code{server-key.pem} file should be protected with file mode 0600 to
only be readable by the user owning it.

@node vnc_sec_certificate_verify
@subsection With x509 certificates and client verification

Certificates can also provide a means to authenticate the client connecting.
The server will request that the client provide a certificate, which it will
then validate against the CA certificate. This is a good choice if deploying
in an environment with a private internal certificate authority. It uses the
same syntax as previously, but with @code{verify-peer} set to @code{yes}
instead.

@example
@value{qemu_system} [...OPTIONS...] \
  -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes \
  -vnc :1,tls-creds=tls0 -monitor stdio
@end example


@node vnc_sec_certificate_pw
@subsection With x509 certificates, client verification and passwords

Finally, the previous method can be combined with VNC password authentication
to provide two layers of authentication for clients.

@example
@value{qemu_system} [...OPTIONS...] \
  -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes \
  -vnc :1,tls-creds=tls0,password -monitor stdio
(qemu) change vnc password
Password: ********
(qemu)
@end example


@node vnc_sec_sasl
@subsection With SASL authentication

The SASL authentication method is a VNC extension, that provides an
easily extendable, pluggable authentication method. This allows for
integration with a wide range of authentication mechanisms, such as
PAM, GSSAPI/Kerberos, LDAP, SQL databases, one-time keys and more.
The strength of the authentication depends on the exact mechanism
configured. If the chosen mechanism also provides a SSF layer, then
it will encrypt the datastream as well.

Refer to the later docs on how to choose the exact SASL mechanism
used for authentication, but assuming use of one supporting SSF,
then QEMU can be launched with:

@example
@value{qemu_system} [...OPTIONS...] -vnc :1,sasl -monitor stdio
@end example

@node vnc_sec_certificate_sasl
@subsection With x509 certificates and SASL authentication

If the desired SASL authentication mechanism does not supported
SSF layers, then it is strongly advised to run it in combination
with TLS and x509 certificates. This provides securely encrypted
data stream, avoiding risk of compromising of the security
credentials. This can be enabled, by combining the 'sasl' option
with the aforementioned TLS + x509 options:

@example
@value{qemu_system} [...OPTIONS...] \
  -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes \
  -vnc :1,tls-creds=tls0,sasl -monitor stdio
@end example

@node vnc_setup_sasl

@subsection Configuring SASL mechanisms

The following documentation assumes use of the Cyrus SASL implementation on a
Linux host, but the principles should apply to any other SASL implementation
or host. When SASL is enabled, the mechanism configuration will be loaded from
system default SASL service config /etc/sasl2/qemu.conf. If running QEMU as an
unprivileged user, an environment variable SASL_CONF_PATH can be used to make
it search alternate locations for the service config file.

If the TLS option is enabled for VNC, then it will provide session encryption,
otherwise the SASL mechanism will have to provide encryption. In the latter
case the list of possible plugins that can be used is drastically reduced. In
fact only the GSSAPI SASL mechanism provides an acceptable level of security
by modern standards. Previous versions of QEMU referred to the DIGEST-MD5
mechanism, however, it has multiple serious flaws described in detail in
RFC 6331 and thus should never be used any more. The SCRAM-SHA-1 mechanism
provides a simple username/password auth facility similar to DIGEST-MD5, but
does not support session encryption, so can only be used in combination with
TLS.

When not using TLS the recommended configuration is

@example
mech_list: gssapi
keytab: /etc/qemu/krb5.tab
@end example

This says to use the 'GSSAPI' mechanism with the Kerberos v5 protocol, with
the server principal stored in /etc/qemu/krb5.tab. For this to work the
administrator of your KDC must generate a Kerberos principal for the server,
with a name of 'qemu/somehost.example.com@@EXAMPLE.COM' replacing
'somehost.example.com' with the fully qualified host name of the machine
running QEMU, and 'EXAMPLE.COM' with the Kerberos Realm.

When using TLS, if username+password authentication is desired, then a
reasonable configuration is

@example
mech_list: scram-sha-1
sasldb_path: /etc/qemu/passwd.db
@end example

The @code{saslpasswd2} program can be used to populate the @code{passwd.db}
file with accounts.

Other SASL configurations will be left as an exercise for the reader. Note that
all mechanisms, except GSSAPI, should be combined with use of TLS to ensure a
secure data channel.