    Default to GSSAPI (Kerberos) instead of DIGEST-MD5 for SASL · c6a9a9f5
    Daniel P. Berrange authored
    RFC 6331 documents a number of serious security weaknesses in
    the SASL DIGEST-MD5 mechanism. As such, QEMU should not be
    using or recommending it as a default mechanism for VNC auth
    with SASL.
    GSSAPI (Kerberos) is the only other viable SASL mechanism that
    can provide secure session encryption so enable that by default
    as the replacement. If users have TLS enabled for VNC, they can
    optionally decide to use SCRAM-SHA-1 instead of GSSAPI, allowing
    plain username and password auth.
    Reviewed-by: Eric Blake <eblake@redhat.com>
    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
qemu.sasl 1.75 KB