Remote management with Kerberos
To enable single sign-on across all services in a network, libvirt supports the use of Kerberos. The libvirt library and daemon use the SASL libraries and the GSSAPI plugin, so Kerberos provides both authentication and (through the SASL security layer) encryption of the remote management protocol.
Pros/Cons of Kerberos
- Pro: No need to give users shell accounts on the remote machines being managed.
- Pro: Centralized access control: user access to services can be revoked from a single point.
- Pro: Single sign-on across all Kerberos-enabled services.
- Con: Need to deploy a Kerberos server, though FreeIPA makes this easy(ish).
- Con: Not yet supported for VNC console access.
Steps to setup Kerberos access for libvirt
The libvirt docs on authentication support include some notes on setting up Kerberos
libvirt daemon setup
The main libvirt configuration file /etc/libvirt/libvirtd.conf needs to have the following settings enabled:
* listen_tls=0
* listen_tcp=1
* auth_tcp="sasl"
With auth_tcp="sasl" and the GSSAPI mechanism, the SASL security layer encrypts the TCP session, which is why the TLS listener can be left off. Never open the TCP listener with auth_tcp="none": that is an unauthenticated, unencrypted management channel.
By default any principal that can obtain a Kerberos ticket for the service gets full access to the daemon. To restrict access to individually nominated Kerberos accounts, also set
* sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
The libvirt SASL configuration file /etc/sasl2/libvirt.conf needs to have GSSAPI enabled with:
* mech_list: gssapi
On the Kerberos server it is necessary to generate a service principal for each libvirt daemon. The principal name should be of the form libvirt/full.hostname@KERBEROS.REALM, where the fully qualified hostname is the one clients will use to connect, since that is the service name they request a ticket for.
Once generated, the principal's key should be exported to a keytab and copied to the libvirt server as /etc/libvirt/krb5.tab. The keytab is the service's long-term key, so it should be owned by root and readable only by root.
The last configuration step is to make sure the libvirtd daemon is configured to listen for TCP connections by editing /etc/sysconfig/libvirtd and ensuring
Finally restart the libvirt daemon:
* service libvirtd restart
The libvirt daemon should now accept client connections authenticated with Kerberos.
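The daemon-side steps above, applied and checked as an added example; this is not a script from the page or from the libvirt project. ROOT is an assumed knob so the functions can be run against a scratch directory instead of the live /etc; the hostname, realm and user principals are placeholders; the keytab: line in the SASL file uses the cyrus-sasl GSSAPI plugin's keytab option, which the page does not mention; and because the page's sentence about /etc/sysconfig/libvirtd is cut off, the script assumes the conventional LIBVIRTD_ARGS="--listen" content for that file.

```shell
#!/bin/sh
# Added example, not code from this page or from the libvirt project: apply
# the daemon-side Kerberos settings described above and verify them.
# ROOT is an assumed knob so the functions can be exercised against a
# scratch directory instead of the live /etc (ROOT=/tmp/x sh script.sh ...).
ROOT="${ROOT:-}"

# set_kv FILE KEY VALUE [SEP]: rewrite the first live or commented-out
# "KEY = ..." line, or append one if the key is absent. SEP defaults to
# " = " (libvirtd.conf style); pass "=" for shell-sourced files.
set_kv() {
    file="$1" key="$2" value="$3" sep="${4:- = }"
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    awk -v k="$key" -v v="$value" -v s="$sep" '
        !done && $0 ~ ("^[# \t]*" k "[ \t]*=") { print k s v; done = 1; next }
        { print }
        END { if (!done) print k s v }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Daemon: no TLS listener, a TCP listener guarded by SASL. With GSSAPI the
# SASL security layer then encrypts the TCP session. Arguments are the
# Kerberos principals allowed in; without the list, every principal the KDC
# will issue a ticket for gets full access to libvirtd.
configure_libvirtd() {
    conf="$ROOT/etc/libvirt/libvirtd.conf"
    set_kv "$conf" listen_tls 0
    set_kv "$conf" listen_tcp 1
    set_kv "$conf" auth_tcp '"sasl"'
    list=""
    for p in "$@"; do
        list="${list:+$list, }\"$p\""
    done
    set_kv "$conf" sasl_allowed_username_list "[$list]"
}

# SASL: GSSAPI only (no plaintext or DIGEST-MD5 fallback on the TCP socket),
# plus the cyrus-sasl "keytab" option pointing at the service keytab.
configure_sasl() {
    f="$ROOT/etc/sasl2/libvirt.conf"
    mkdir -p "$(dirname "$f")"
    printf '%s\n' 'mech_list: gssapi' 'keytab: /etc/libvirt/krb5.tab' > "$f"
}

# The page's sentence about /etc/sysconfig/libvirtd is cut off; the usual
# content of that file, LIBVIRTD_ARGS="--listen", is assumed here so that
# libvirtd actually opens the TCP socket.
configure_listen() {
    set_kv "$ROOT/etc/sysconfig/libvirtd" LIBVIRTD_ARGS '"--listen"' "="
}

# Keytab exported on the KDC for libvirt/<fqdn>@REALM, e.g. with MIT kadmin
# (placeholder host and realm):
#   kadmin.local -q "addprinc -randkey libvirt/vmhost.example.com@EXAMPLE.COM"
#   kadmin.local -q "ktadd -k /tmp/libvirt.keytab libvirt/vmhost.example.com@EXAMPLE.COM"
# The keytab is the service's long-term key: install it readable by root only.
install_keytab() {
    src="$1" dst="$ROOT/etc/libvirt/krb5.tab"
    mkdir -p "$(dirname "$dst")"
    cp "$src" "$dst"
    chmod 0600 "$dst"
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$dst"; fi
}

# Confirms the keytab holds a libvirt/ service principal (needs krb5 tools).
check_keytab() {
    klist -kt "$ROOT/etc/libvirt/krb5.tab" | grep -q ' libvirt/'
}

# Returns 0 when every required setting is in place and the keytab is
# neither group- nor world-readable.
verify() {
    c="$ROOT/etc/libvirt/libvirtd.conf"
    grep -q '^listen_tls = 0$' "$c" &&
    grep -q '^listen_tcp = 1$' "$c" &&
    grep -q '^auth_tcp = "sasl"$' "$c" &&
    grep -q '^sasl_allowed_username_list = \[' "$c" &&
    grep -q '^mech_list: gssapi$' "$ROOT/etc/sasl2/libvirt.conf" &&
    grep -q '^LIBVIRTD_ARGS="--listen"$' "$ROOT/etc/sysconfig/libvirtd" &&
    [ "$(ls -l "$ROOT/etc/libvirt/krb5.tab" | cut -c1-10)" = "-rw-------" ]
}

# Live run as root on the libvirt host:
#   sh libvirt-krb5.sh apply /tmp/libvirt.keytab joe@EXAMPLE.COM fred@EXAMPLE.COM
if [ "${1:-}" = "apply" ]; then
    keytab="$2"; shift 2
    configure_libvirtd "$@"
    configure_sasl
    configure_listen
    install_keytab "$keytab"
    verify && check_keytab && service libvirtd restart
fi
```

set_kv rewrites the commented-out defaults that ship in libvirtd.conf rather than appending duplicates, so a second run is idempotent; verify is the post-change check, and check_keytab (klist -kt) confirms the service principal actually landed in the keytab before the daemon is restarted.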
There is no libvirt specific configuration required on client machines wishing to connect to libvirt. Each client machine simply needs to have Kerberos enabled by putting the local realm details into /etc/krb5.conf.
Once Kerberos is enabled, any user holding a Kerberos ticket (and, if sasl_allowed_username_list is set on the server, listed in it) should be able to connect to the libvirt daemon. If your login does not obtain a ticket automatically, simply use 'kinit' to obtain one.
In virt-manager, when opening a connection to a remote host select the 'Remote password or Kerberos' connection type. It should 'just work' and with the magic of single-sign-on you will not be prompted for any passwords when connecting.
As with virt-manager, virsh merely requires that you hold a ticket for a Kerberos principal. The URI for connecting to a remote machine using Kerberos is of the form "xen+tcp://hostname/" or "qemu+tcp://hostname/system", where hostname is the fully qualified name used in the daemon's service principal.
VNC server configuration
The VNC protocol does not currently support authentication with Kerberos. This will be added at a later date.