Remote management with Kerberos

To enable single sign-on across all services in a network, libvirt supports use of Kerberos. The libvirt library and daemon use the SASL libraries and the GSSAPI plugin to enable Kerberos to provide both authentication and encryption of the remote management protocol.

Pros/Cons of Kerberos

Steps to setup Kerberos access for libvirt

The libvirt docs on authentication support include some notes on setting up Kerberos.

libvirt daemon setup

The master libvirt configuration file /etc/libvirt/libvirtd.conf needs to have the following settings enabled:

* listen_tls=0
* listen_tcp=1
* auth_tcp="sasl"

To restrict access to individual nominated Kerberos user accounts, you also need to have:

* sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]

The libvirt SASL configuration file /etc/sasl2/libvirt.conf needs to have GSSAPI enabled with:

* mech_list: gssapi

On the Kerberos server it is necessary to generate a service principal for each libvirt daemon. The principal name should be of the form libvirt/full.hostname@KERBEROS.REALM

Once generated, the principal should be exported to a keytab and copied to the libvirt server as /etc/libvirt/krb5.tab.

The last configuration step is to make sure the libvirtd daemon is configured to listen for TCP connections by editing /etc/sysconfig/libvirtd and ensuring

* LIBVIRTD_ARGS="--listen"

Finally restart the libvirt daemon:

* service libvirtd restart

The libvirt daemon should now be ready to accept client connections with Kerberos.
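The daemon-side steps above are easy to get only partly right (for instance leaving the TLS listener on, or forgetting the user allow-list, which leaves every principal in the realm able to manage the hypervisor). The following shell script is added here as an example and is not part of libvirt: it audits a libvirtd.conf and a SASL libvirt.conf against the settings listed above and reports each deviation. The sample configuration files are constructed inline, and the check functions and their names are the example's own.

```shell
#!/bin/sh
# Added example (not libvirt project code): audit the daemon-side Kerberos
# settings described above. Sample config files are constructed inline.

# conf_value FILE KEY
# Print the value of the last uncommented "KEY = value" line in a
# libvirtd.conf-style file, with quotes and trailing whitespace removed.
# Commented lines start with '#', so they never match the anchored key.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | tr -d '"' | sed 's/[[:space:]]*$//'
}

# check_libvirtd_conf FILE
# Report every deviation from the Kerberos setup described above.
# Return value = number of problems found (0 means the file matches).
check_libvirtd_conf() {
    problems=0
    for pair in listen_tls=0 listen_tcp=1 auth_tcp=sasl; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(conf_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: expected '$want', found '${got:-unset}'"
            problems=$((problems + 1))
        fi
    done
    # Without the allow-list, any principal holding a ticket is accepted.
    if [ -z "$(conf_value "$1" sasl_allowed_username_list)" ]; then
        echo "sasl_allowed_username_list: unset, any Kerberos principal may connect"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# check_sasl_conf FILE
# /etc/sasl2/libvirt.conf uses "key: value" syntax; GSSAPI must be listed.
# Returns 0 when mech_list contains gssapi, 1 otherwise.
check_sasl_conf() {
    mech=$(sed -n 's/^[[:space:]]*mech_list:[[:space:]]*//p' "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//')
    case "$mech" in
        *gssapi*) return 0 ;;
        *) echo "mech_list: expected 'gssapi', found '${mech:-unset}'"; return 1 ;;
    esac
}

# Constructed sample: the configuration the steps above describe.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
# libvirtd.conf (constructed sample)
listen_tls = 0
listen_tcp = 1
auth_tcp = "sasl"
sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
EOF

# Constructed sample: TLS listener still on, TCP and the allow-list commented
# out, SASL not selected. Each of the four deviations is reported separately.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
listen_tls = 1
#listen_tcp = 1
auth_tcp = "none"
#sasl_allowed_username_list = ["joe@EXAMPLE.COM"]
EOF

GOOD_SASL=$(mktemp)
printf 'mech_list: gssapi\n' > "$GOOD_SASL"
BAD_SASL=$(mktemp)
printf '#mech_list: gssapi\n' > "$BAD_SASL"
trap 'rm -f "$GOOD_CONF" "$BAD_CONF" "$GOOD_SASL" "$BAD_SASL"' EXIT

if check_libvirtd_conf "$GOOD_CONF" && check_sasl_conf "$GOOD_SASL"; then
    echo "sample libvirtd.conf and libvirt.conf match the Kerberos setup"
fi
echo "--- findings for the misconfigured sample:"
check_libvirtd_conf "$BAD_CONF" || true
check_sasl_conf "$BAD_SASL" || true
```

To audit a real host, call `check_libvirtd_conf /etc/libvirt/libvirtd.conf` and `check_sasl_conf /etc/sasl2/libvirt.conf` instead of the constructed samples; a non-zero return value is the count of settings that still differ from the configuration described above.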

virt-manager setup

There is no libvirt specific configuration required on client machines wishing to connect to libvirt. Each client machine simply needs to have Kerberos enabled by putting the local realm details into /etc/krb5.conf.

Once Kerberos is enabled, any user with a Kerberos ticket should be able to connect to the libvirt daemon. If your configuration doesn't obtain a ticket upon login, then simply use 'kinit' to obtain one.

In virt-manager, when opening a connection to a remote host select the 'Remote password or Kerberos' connection type. It should 'just work' and with the magic of single-sign-on you will not be prompted for any passwords when connecting.


virsh setup

As with virt-manager, virsh merely requires that you have a Kerberos principal. The URI for connecting to a remote machine using Kerberos is of the form "xen+tcp://hostname/" or "qemu+tcp://hostname/system".


VNC server configuration

The VNC protocol does not currently support authentication with Kerberos. This will be added at a later date.