aboutsummaryrefslogtreecommitdiffstats
path: root/tools/examples/xend-config.sxp
diff options
context:
space:
mode:
authorKeir Fraser <keir@xensource.com>2007-10-30 09:32:10 +0000
committerKeir Fraser <keir@xensource.com>2007-10-30 09:32:10 +0000
commit818a83176228b7005915c6cdb0f529dfe0fd9625 (patch)
tree65f0dce6295a07b143b63953fd77a3a42adcac76 /tools/examples/xend-config.sxp
parent02b1dc06bf051c6ec8cd7a48dadf278f70b57fb9 (diff)
downloadxen-818a83176228b7005915c6cdb0f529dfe0fd9625.tar.gz
xen-818a83176228b7005915c6cdb0f529dfe0fd9625.tar.bz2
xen-818a83176228b7005915c6cdb0f529dfe0fd9625.zip
qemu vnc auth 4/4: XenD config for VNC TLS protocol
This patch adds support to XenD for configuring the previously added TLS encryption and x509 certificate validation. At this time I have only enabled this config to be done system-wide via /etc/xen/xend-config.sxp. Since it requires the admin to add certificates on the local FS, there's not much point in making it per VM. The x509 certificates are located in /etc/xen/vnc. Since this requires a special VNC client program (GTK-VNC, virt-viewer/virt-manager or VeNCrypt viewer) the use of TLS is disabled by default. Admins can enable it if they are using a suitable client. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Diffstat (limited to 'tools/examples/xend-config.sxp')
-rw-r--r--tools/examples/xend-config.sxp30
1 files changed, 30 insertions, 0 deletions
diff --git a/tools/examples/xend-config.sxp b/tools/examples/xend-config.sxp
index 9dfd97471f..df1749f340 100644
--- a/tools/examples/xend-config.sxp
+++ b/tools/examples/xend-config.sxp
@@ -192,6 +192,36 @@
# Empty string is no authentication.
(vncpasswd '')
+# The VNC server can be told to negotiate a TLS session
+# to encryption all traffic, and provide x509 cert to
+# clients enalbing them to verify server identity. The
+# GTK-VNC widget, virt-viewer, virt-manager and VeNCrypt
+# all support the VNC extension for TLS used in QEMU. The
+# TightVNC/RealVNC/UltraVNC clients do not.
+#
+# To enable this create x509 certificates / keys in the
+# directory /etc/xen/vnc
+#
+# ca-cert.pem - The CA certificate
+# server-cert.pem - The Server certificate signed by the CA
+# server-key.pem - The server private key
+#
+# and then uncomment this next line
+# (vnc-tls 1)
+
+# The certificate dir can be pointed elsewhere..
+#
+# (vnc-x509-cert-dir /etc/xen/vnc)
+
+# The server can be told to request & validate an x509
+# certificate from the client. Only clients with a cert
+# signed by the trusted CA will be able to connect. This
+# is more secure the password auth alone. Passwd auth can
+# used at the same time if desired. To enable client cert
+# checking uncomment this:
+#
+# (vnc-x509-verify 1)
+
# The default keymap to use for the VM's virtual keyboard
# when not specififed in VM's configuration
#(keymap 'en-us')