10. SASL

The Spice server and client support SASL authentication. When using QEMU, /etc/sasl2/qemu.conf is used as the SASL configuration file. For testing, you can use the digest-md5 mechanism and populate a test database using saslpasswd2 -f /etc/qemu/passwd.db -c foo. These files have to be readable by the QEMU process that will handle your VM.

To troubleshoot SASL issues, running strace -e open on the QEMU process can be a useful first step.
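A quick check of the readability requirement above, as an added example that is not part of the Spice documentation: it reads the SASL configuration file, then verifies that the password database it points to is readable by the current user and not world-readable. It assumes the configuration uses the Cyrus SASL options mech_list and sasldb_path, that /etc/sasldb2 is the database used when sasldb_path is unset, and that the script is run as the account the QEMU process uses.

```shell
#!/bin/sh
# Added example: sanity-check a SASL setup for QEMU/Spice.
# Run it as the account the QEMU process uses, so that the
# readability tests reflect what QEMU itself will see.

# Print the value of KEY ($2) from a Cyrus SASL config file ($1, "key: value" lines).
sasl_conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Return 0 when the setup looks usable, 1 otherwise; findings go to stdout.
check_sasl_setup() {
    conf=$1; rc=0
    if [ ! -r "$conf" ]; then
        echo "FAIL: $conf is missing or not readable by $(id -un)"
        return 1
    fi
    mechs=$(sasl_conf_get "$conf" mech_list)
    db=$(sasl_conf_get "$conf" sasldb_path)
    db=${db:-/etc/sasldb2}   # assumed Cyrus SASL default when sasldb_path is unset
    if [ -z "$mechs" ]; then
        echo "WARN: no mech_list in $conf, all installed mechanisms are offered"
    else
        echo "OK: mech_list = $mechs"
    fi
    if [ ! -r "$db" ]; then
        echo "FAIL: $db is missing or not readable by $(id -un)"; rc=1
    elif [ -n "$(find "$db" -perm -004)" ]; then
        # The database holds the users' secrets: QEMU must read it, others must not.
        echo "FAIL: $db is world-readable"; rc=1
    else
        echo "OK: $db is readable and not world-readable"
    fi
    return $rc
}

# Usage: sh check_sasl.sh /etc/sasl2/qemu.conf   (script name is hypothetical)
if [ $# -gt 0 ]; then check_sasl_setup "$1"; fi
```
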

10.1. Configuration

Using virt-manager. It’s currently not possible to enable SASL from virt-manager.

Using libvirt. SASL support for SPICE was added to libvirt in mid-October 2013, so you need a libvirt version that was released after this date. To enable SASL, you need to add spice_sasl = 1 to /etc/libvirt/qemu.conf for the system libvirtd instance, and to ~/.config/libvirt/qemu.conf for the session libvirtd instance.

Using QEMU. Using SASL with QEMU involves a slight modification of the -spice parameter used when running QEMU:

-spice port=3001,sasl

10.2. Client

When you start the client as usual, if SASL was enabled on the host, remote-viewer will pop up a window asking for a password before starting the Spice session. The session won’t be established if an incorrect ticket was passed to the client.