Remote management with username/password digest auth

The simplest way to provide secure remote access is to make use of the SASL username/password based scheme, known as "digest-md5". This provides both authentication and encryption of the session without any complex setup procedures or tunnelling.

Pros/cons of digest auth

Steps to setup username/password access for libvirt

The libvirt docs on authentication support include some notes on setting up digest auth

libvirt daemon setup

The master libvirt configuration file /etc/libvirt/libvirtd.conf needs to have the following settings enabled:

* listen_tls=0
* listen_tcp=1
* auth_tcp="sasl"

To restrict access to individual nominated user accounts you also need to have:

* sasl_allowed_username_list = ["joe", "fred" ]

The libvirt SASL configuration file /etc/sasl2/libvirt.conf needs to have the digest-md5 mechanism enabled with:

* mech_list: digest-md5

The last configuration step is to make sure the libvirtd daemon is configured to listen for TCP connections by editing /etc/sysconfig/libvirtd and ensuring

* LIBVIRTD_ARGS="--listen"

Finally restart the libvirt daemon:

* service libvirtd restart
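The following script is an added example and is not part of this wiki page or of libvirt itself. It audits a libvirtd.conf and a SASL libvirt.conf for the settings listed above, and specifically calls out auth_tcp="none", which would leave the TCP listener reachable without any authentication. The file paths and sample configuration contents are constructed for the demonstration; commented-out lines are ignored, so a default that is only present as a comment counts as unset.

```shell
#!/bin/sh
# Added example, not from the libvirt wiki: audit libvirtd.conf and the SASL
# libvirt.conf for the digest-md5-over-TCP settings described on this page.
# All file paths and sample contents below are constructed for the demo.

# conf_value FILE KEY: print the value of the last uncommented "KEY = VALUE"
# line in a libvirtd.conf-style file, with surrounding quotes stripped;
# prints nothing when the key is unset or only present as a comment.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/^"//; s/"[[:space:]]*$//'
}

# check_libvirtd_conf FILE: return 0 if TLS is off, TCP is on and TCP auth is
# SASL; otherwise print each problem and return 1. auth_tcp="none" gets its
# own message because that is the setting that removes authentication.
check_libvirtd_conf() {
    rc=0
    [ "$(conf_value "$1" listen_tls)" = "0" ] || { echo "$1: listen_tls must be 0"; rc=1; }
    [ "$(conf_value "$1" listen_tcp)" = "1" ] || { echo "$1: listen_tcp must be 1"; rc=1; }
    auth=$(conf_value "$1" auth_tcp)
    case "$auth" in
        sasl) ;;
        none) echo "$1: auth_tcp=\"none\" allows unauthenticated TCP access"; rc=1 ;;
        *)    echo "$1: auth_tcp must be \"sasl\" (got \"${auth:-unset}\")"; rc=1 ;;
    esac
    return $rc
}

# check_sasl_conf FILE: return 0 if the "mech_list:" line of a SASL config
# names digest-md5 (possibly among other mechanisms), else report and return 1.
check_sasl_conf() {
    mechs=$(sed -n 's/^[[:space:]]*mech_list:[[:space:]]*//p' "$1" | tail -n 1)
    case " $mechs " in
        *" digest-md5 "*) return 0 ;;
        *) echo "$1: mech_list must include digest-md5 (got \"${mechs:-unset}\")"; return 1 ;;
    esac
}

# Constructed sample configs: a compliant pair and two misconfigured files.
TMP=$(mktemp -d)
GOOD_LIBVIRTD="$TMP/libvirtd.conf"; BAD_LIBVIRTD="$TMP/libvirtd-bad.conf"
GOOD_SASL="$TMP/libvirt-sasl.conf"; BAD_SASL="$TMP/libvirt-sasl-bad.conf"
cat >"$GOOD_LIBVIRTD" <<'EOF'
# commented-out defaults are ignored by the checker
#listen_tls = 1
listen_tls = 0
listen_tcp = 1
auth_tcp = "sasl"
sasl_allowed_username_list = ["joe", "fred"]
EOF
cat >"$BAD_LIBVIRTD" <<'EOF'
listen_tls = 0
listen_tcp = 1
auth_tcp = "none"
EOF
printf 'mech_list: digest-md5\n' >"$GOOD_SASL"
printf 'mech_list: plain\n' >"$BAD_SASL"

for f in "$GOOD_LIBVIRTD" "$BAD_LIBVIRTD"; do
    if check_libvirtd_conf "$f"; then echo "$f: OK"; fi
done
for f in "$GOOD_SASL" "$BAD_SASL"; do
    if check_sasl_conf "$f"; then echo "$f: OK"; fi
done
```

Run it as-is to see one compliant and one failing report for each file type; to audit a real host, call check_libvirtd_conf /etc/libvirt/libvirtd.conf and check_sasl_conf /etc/sasl2/libvirt.conf instead of the constructed samples. The checker deliberately treats an absent key as a failure rather than assuming a default, so a file that relies on commented-out defaults is reported for review.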

Adding / removing user accounts

User management is done with the saslpasswd2 program.

To add a user:

* saslpasswd2 -a libvirt fred

It will prompt for a password to be entered.

To remove a user:

* saslpasswd2 -a libvirt -d fred

To list all users:

* sasldblistusers2 -f /etc/libvirt/passwd.db


libvirt client setup

There is no setup procedure required on libvirt clients. When connecting to a server in virt-manager simply select the 'Remote password or kerberos' connection type and it will prompt for a username and password if required. You may get an error message if you don't have 'cyrus-sasl' installed on your client machine.

When connecting with virsh use URIs of the form "xen+tcp://hostname/" or "qemu+tcp://hostname/" and it will prompt for a username and password.

VNC setup

There is not currently any support for SASL digest authentication in the VNC protocol. This will be added at a later date.