Default to GSSAPI (Kerberos) instead of DIGEST-MD5 for SASL
RFC 6331 documents a number of serious security weaknesses in the SASL DIGEST-MD5 mechanism. As such, QEMU should not be using or recommending it as a default mechanism for VNC auth with SASL. GSSAPI (Kerberos) is the only other viable SASL mechanism that can provide secure session encryption so enable that by defalt as the replacement. If users have TLS enabled for VNC, they can optionally decide to use SCRAM-SHA-1 instead of GSSAPI, allowing plain username and password auth. Reviewed-by: NEric Blake <eblake@redhat.com> Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
Showing
想要评论请 注册 或 登录