artur/environment
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
environment/bin/recipes/vnc/notes.md

94 lines
3.7 KiB
Markdown
Raw Normal View History

save
2025-08-28 17:48:34 +02:00
Heres what those two pieces typically look like in a QEMU VNC + TLS + SASL setup.
# `/etc/pki/qemu` (TLS x509 creds)
QEMUs `-object tls-creds-x509,...,dir=/etc/pki/qemu,endpoint=server` expects this directory to hold the servers cert/key and the CA it should trust for client certs.
Example layout:
```
/etc/pki/qemu/
├── ca-cert.pem # CA cert used to verify client certificates (if verify-peer=yes)
├── server-cert.pem # Server certificate (CN should match the host, or use subjectAltName)
├── server-key.pem # Private key for server-cert.pem (chmod 600, root-only)
└── crl.pem # (optional) Certificate Revocation List
```
Typical QEMU arg:
```
-object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes
-vnc :0,tls-creds=tls0,sasl
```
Notes:
* `verify-peer=yes` means the VNC client must present a client certificate signed by `ca-cert.pem`. Omit or set `no` if you only want encryption without client certs (and rely on SASL for auth).
* File names above are the conventional ones QEMU looks for in that dir in server mode.
* Permissions matter: keep `server-key.pem` readable only by the QEMU user (e.g., `chmod 600`).
(If you wanted the client side for certificate auth, youd create a *client* bundle with `client-cert.pem` / `client-key.pem` and give the servers CA to the client.)
# `/etc/sasl2/qemu.conf` (SASL settings)
This file tells Cyrus SASL how to authenticate for the “qemu” service. A simple, local-password (sasldb) setup might be:
```
# /etc/sasl2/qemu.conf
mech_list: scram-sha-256 digest-md5
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/sasldb2
```
What each line does:
* `mech_list`: Which SASL mechanisms to allow. (If your build doesnt have SCRAM, use `digest-md5` and/or `plain`/`login` — but prefer SCRAM or DIGEST over PLAIN.)
* `pwcheck_method: auxprop` + `auxprop_plugin: sasldb`: use the local SASL database.
* `sasldb_path`: where the password DB lives (default is `/etc/sasldb2` on many distros).
Create users in the sasldb:
```bash
sudo saslpasswd2 -a qemu -c alice
# (it will prompt for a password)
sudo sasldblistusers2 -f /etc/sasldb2 # verify entry exists
```
Then run QEMU with both TLS and SASL:
```bash
qemu-system-x86_64 \
-object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=no \
-vnc :0,tls-creds=tls0,sasl
```
* Client connects over **TLS** (encrypted), then is prompted for **SASL username/password** (“alice” and the password you set).
* If you set `verify-peer=yes`, the client must also present a valid client cert signed by your CA.
## Quick OpenSSL one-liners (for testing)
> For production, use a proper CA workflow and strong key handling.
```bash
# CA
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca-cert.pem -subj "/CN=QEMU Test CA"
# Server cert
openssl genrsa -out server-key.pem 2048
openssl req -new -key server-key.pem -out server.csr -subj "/CN=your.host.name"
openssl x509 -req -in server.csr -CA ca-cert.pem -CAkey ca.key -CAcreateserial -out server-cert.pem -days 825 -sha256
install -m 600 server-key.pem /etc/pki/qemu/
install -m 644 server-cert.pem ca-cert.pem /etc/pki/qemu/
```
## Common pitfalls
* **Wrong filenames/paths** in `/etc/pki/qemu` → QEMU wont find the certs.
* **Permissions too open** on `server-key.pem` → QEMU may refuse or its a security risk.
* **SASL mechanism mismatch** → ensure your client supports one from `mech_list`.
* **No TLS but SASL with PLAIN/LOGIN** → credentials go over the wire unencrypted; always pair PLAIN/LOGIN with TLS.
If you tell me your distro, I can tailor the exact package names (Cyrus SASL modules) and service paths.
Reference in a new issue Copy permalink