| author | Keir Fraser <keir@xensource.com> | 2007-10-30 09:32:10 +0000 |
|---|---|---|
| committer | Keir Fraser <keir@xensource.com> | 2007-10-30 09:32:10 +0000 |
| commit | 818a83176228b7005915c6cdb0f529dfe0fd9625 (patch) | |
| tree | 65f0dce6295a07b143b63953fd77a3a42adcac76 /tools/examples/xend-config.sxp | |
| parent | 02b1dc06bf051c6ec8cd7a48dadf278f70b57fb9 (diff) | |
qemu vnc auth 4/4: XenD config for VNC TLS protocol
This patch adds support to XenD for configuring the previously added
TLS encryption and x509 certificate validation. At this time I have
only enabled this config to be done system-wide via
/etc/xen/xend-config.sxp. Since it requires the admin to add
certificates on the local FS, there's not much point in making it per
VM. The x509 certificates are located in /etc/xen/vnc. Since this
requires a special VNC client program (GTK-VNC,
virt-viewer/virt-manager or VeNCrypt viewer) the use of TLS is
disabled by default. Admins can enable it if they are using a suitable
client.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Diffstat (limited to 'tools/examples/xend-config.sxp')
-rw-r--r-- | tools/examples/xend-config.sxp | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/tools/examples/xend-config.sxp b/tools/examples/xend-config.sxp index 9dfd97471f..df1749f340 100644 --- a/tools/examples/xend-config.sxp +++ b/tools/examples/xend-config.sxp @@ -192,6 +192,36 @@ # Empty string is no authentication. (vncpasswd '') +# The VNC server can be told to negotiate a TLS session +# to encryption all traffic, and provide x509 cert to +# clients enalbing them to verify server identity. The +# GTK-VNC widget, virt-viewer, virt-manager and VeNCrypt +# all support the VNC extension for TLS used in QEMU. The +# TightVNC/RealVNC/UltraVNC clients do not. +# +# To enable this create x509 certificates / keys in the +# directory /etc/xen/vnc +# +# ca-cert.pem - The CA certificate +# server-cert.pem - The Server certificate signed by the CA +# server-key.pem - The server private key +# +# and then uncomment this next line +# (vnc-tls 1) + +# The certificate dir can be pointed elsewhere.. +# +# (vnc-x509-cert-dir /etc/xen/vnc) + +# The server can be told to request & validate an x509 +# certificate from the client. Only clients with a cert +# signed by the trusted CA will be able to connect. This +# is more secure the password auth alone. Passwd auth can +# used at the same time if desired. To enable client cert +# checking uncomment this: +# +# (vnc-x509-verify 1) + # The default keymap to use for the VM's virtual keyboard # when not specififed in VM's configuration #(keymap 'en-us') |
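Review bot: the new comment block carries several typos that every admin will copy into their own xend-config.sxp; "to encryption all traffic" should read "to encrypt all traffic", "enalbing" should be "enabling", "more secure the password auth alone" should be "more secure than password auth alone", and "Passwd auth can used" should be "Passwd auth can be used". Two points the comments leave implicit would also help operators: next to the "server-key.pem - The server private key" line, say that the key must be readable only by the user xend/qemu runs as, and in the `(vnc-tls 1)` paragraph state directly that TLS alone only lets clients verify the server, while the server checks client identity only when `(vnc-x509-verify 1)` is also set or a non-empty `vncpasswd` is configured.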