[Spice-devel] SASL authentication & plans

Daniel P. Berrange berrange at redhat.com
Mon May 21 02:57:40 PDT 2012


On Mon, May 21, 2012 at 11:50:48AM +0200, Tiziano Müller wrote:
> Hi
> 
> Currently I'm trying to get SASL working and succeeded so far but I've
> some questions:
> 
> * Is it correct that the username SASL gets is the UID of the qemu
> process? If yes: what is the plan here (I saw that there's the username
> attribute in the RedSASL struct already)?

No, the SASL username is something that comes from the SPICE
client application. What it looks like will depend on what
mechanism you have enabled. For example if you have GSSAPI
enabled, the SASL username will be the Kerberos principal
name e.g. fred@EXAMPLE.COM. If you have Digest-MD5 enabled
then the username is just whatever you configured with the
saslpasswd2 program.

> * Is there a way to pass some information from the VM to SASL (and its
> backend) to have a password per domain and user?

In theory yes, in practice no (or not yet). SASL is a nicely
pluggable API, so in theory you could write a plugin that
does what you describe. AFAIK, there is no such plugin in
existence today though.

> * Is support for client certification authentication planned? Together
> with SASL this could be used to identify the user.

I'm not entirely sure what you mean here? Do you mean you want
to use x509 client certificates to authenticate users? Conceptually
it would be perfectly possible to combine x509 certs and SASL to get
two factor auth.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
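As an added example (not code from this thread, nor from SPICE or QEMU), here is one way a server-side policy layer could consume the SASL username once the mechanism-dependent shape described above is taken into account: a GSSAPI identity is validated as a Kerberos principal against an allowlist of realms, a Digest-MD5 identity is a plain sasldb user name as created with saslpasswd2, and a per-VM ACL keyed by mechanism gives the per-domain decision asked about in the second point. The ACL, the realm list, the identity prefixes and all function names are assumptions constructed for illustration.

```python
"""Map a SASL-authenticated username to a per-VM access decision.

Added example, not SPICE or QEMU code. The only facts taken from the
thread are that the username is supplied by the client and that its
shape depends on the mechanism (Kerberos principal for GSSAPI, a
saslpasswd2 user for DIGEST-MD5). Everything else here is assumed.
"""
from __future__ import annotations

import re
from typing import Optional

# Kerberos principal: primary[/instance]@REALM. Realm names are compared
# exactly (they are case-sensitive) and no default realm is assumed, so a
# bare name without '@' is rejected when the mechanism is GSSAPI.
_PRINCIPAL_RE = re.compile(
    r"^(?P<primary>[^@/\s]+)(?:/(?P<instance>[^@\s]+))?@(?P<realm>[^@\s]+)$"
)

# Shape accepted for a sasldb (saslpasswd2) user in this example: no '@',
# so a DIGEST-MD5 user can never be mistaken for a Kerberos principal.
_SASLDB_USER_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# Constructed per-VM ACL (hypothetical). Entries are prefixed with the
# mechanism so that a grant made for a Kerberos principal is not
# inherited by a same-named user authenticated with a weaker mechanism.
EXAMPLE_ACL: dict[str, set[str]] = {
    "web01": {"gssapi:fred@EXAMPLE.COM", "digest-md5:ops"},
    "db01": {"gssapi:alice/admin@EXAMPLE.COM"},
}
TRUSTED_REALMS: set[str] = {"EXAMPLE.COM"}  # constructed for the example


def normalize_sasl_username(mechanism: str, username: str,
                            trusted_realms: set[str]) -> Optional[str]:
    """Return a canonical "mech:identity" string, or None if the username
    is not acceptable for the mechanism that authenticated it."""
    mech = mechanism.upper()
    if mech == "GSSAPI":
        m = _PRINCIPAL_RE.match(username)
        if m is None or m.group("realm") not in trusted_realms:
            return None
        # The instance part (fred/admin) is a distinct principal; keep it.
        inst = m.group("instance")
        name = m.group("primary") + (f"/{inst}" if inst else "")
        return f"gssapi:{name}@{m.group('realm')}"
    if mech == "DIGEST-MD5":
        if _SASLDB_USER_RE.match(username) is None:
            return None
        return f"digest-md5:{username}"
    return None  # unknown mechanism: fail closed


def authorize_vm(vm_name: str, mechanism: str, username: str,
                 acl: dict[str, set[str]], trusted_realms: set[str]) -> bool:
    """True only if the (mechanism, identity) pair is listed for vm_name."""
    ident = normalize_sasl_username(mechanism, username, trusted_realms)
    if ident is None:
        return False
    return ident in acl.get(vm_name, set())


if __name__ == "__main__":
    checks = [
        ("web01", "GSSAPI", "fred@EXAMPLE.COM"),
        ("web01", "GSSAPI", "fred@EVIL.COM"),
        ("web01", "DIGEST-MD5", "fred"),
        ("db01", "GSSAPI", "alice/admin@EXAMPLE.COM"),
    ]
    for vm, mech, user in checks:
        ok = authorize_vm(vm, mech, user, EXAMPLE_ACL, TRUSTED_REALMS)
        print(f"{vm:6} {mech:10} {user:26} -> {'allow' if ok else 'deny'}")
```

The decision is taken after SASL has already authenticated the client; the layer only decides what the authenticated name may reach. Failing closed on unknown mechanisms and untrusted realms is the point of the normalization step: a principal from a foreign realm, or a bare name where a realm was expected, never matches an ACL entry.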