Username and Password Authentication with SASL

SASL provides username and password authentication and, for plain TCP connections, an encryption layer negotiated by the mechanism (digest-md5 in this write-up). digest-md5 was moved to Historic status by RFC 6331; current Cyrus SASL and libvirt releases prefer scram-sha-256 or gssapi, and the configuration below works the same with a different mechanism name in mech_list.

Since SASL maintains its own user database, the users do not need to exist on the VM Host Server.

libvirt requires an authentication mechanism on plain TCP listeners (auth_tcp defaults to "sasl"; setting it to "none" exposes root-equivalent control of the hypervisor to anyone who can reach the port), and SASL can additionally be enabled on top of TLS/SSL connections (auth_tls = "sasl") as a second check next to the client certificate.

To configure SASL authentication, proceed as follows:

1. Edit the libvirtd configuration
1.1 Edit /etc/libvirt/libvirtd.conf:

listen_tls = 0
listen_tcp = 1
tcp_port = "16509"
auth_tcp = "sasl"

# if TLS is enabled, also configure:
auth_tls = "sasl"

1.2 Edit /etc/sysconfig/libvirtd

# make libvirtd listen on the TCP port
LIBVIRTD_ARGS="--listen"

(On current libvirt releases that are started through systemd socket activation, --listen is not accepted; enable libvirtd-tcp.socket or libvirtd-tls.socket instead.)

2. Add the sasl2 configuration
2.1 Set the mechanism in /etc/sasl2/libvirt.conf

mech_list:digest-md5
sasldb_path: /etc/libvirt/passwd.db

2.2 Install the required packages (cyrus-sasl-md5 provides the digest-md5 plugin; cyrus-sasl-scram provides scram-sha-256):

# I usually install all of them: yum install cyrus-sasl*
yum install cyrus-sasl-md5-2.1.26-21.el7.x86_64 cyrus-sasl-devel-2.1.26-21.el7.x86_64

3. Restart libvirtd

# for debugging, or if the change does not take effect, start it by hand: libvirtd --daemon --listen --config /etc/libvirt/libvirtd.conf
systemctl restart libvirtd

4. Add users

Note that the application name given with -a must be libvirt: only then does saslpasswd2 read /etc/sasl2/libvirt.conf, so that the entry lands in /etc/libvirt/passwd.db instead of the system-wide /etc/sasldb2. The realm defaults to the host name, which is why the entry is listed as foxchan@mercury and why clients later authenticate as user@host. Keep passwd.db owned by root with mode 0600; it holds credentials that grant full control of the hypervisor.

mercury:~ # saslpasswd2 -a libvirt foxchan # add user foxchan
Password:
Again (for verification):

mercury:~ # sasldblistusers2 -f /etc/libvirt/passwd.db # list users
foxchan@mercury: userPassword
mercury:~ # saslpasswd2 -a libvirt -d foxchan # delete user foxchan


For qemu+tcp:// connections, digest-md5 should be enabled so that the mechanism's security layer encrypts the session (plain TCP carries no encryption of its own).
For qemu+tls:// connections, the digest-md5 security layer should be disabled: TLS already encrypts the channel, so the traffic would otherwise be wrapped twice, once by digest-md5 and again by TLS.
# virsh -c qemu+tcp://localhost/system nodeinfo
Please enter your authentication name: 
Please enter your password: 
CPU model:           x86_64
CPU(s):              24
CPU frequency:       1999 MHz
CPU socket(s):       1
Core(s) per socket:  6
Thread(s) per core:  2
NUMA cell(s):        2
Memory size:         134171180 KiB

For an encrypted connection, configure the following.
# for tcp or tls, the auth setting

auth_tcp = "sasl"

# for tls, additionally configure

auth_tls = "sasl"

key_file = "/etc/pki/libvirt/private/serverkey.pem"

cert_file = "/etc/pki/libvirt/servercert.pem"

ca_file = "/etc/pki/CA/cacert.pem"

(These three paths are libvirtd's defaults; they only need to be set explicitly when the files live elsewhere.)
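Before restarting libvirtd with --listen it is worth checking the combination of listener and authentication settings mechanically rather than by eye. The audit script below is an added example, not code from the original post or from libvirt. It assumes the key = value syntax of libvirtd.conf and the mech_list: syntax of /etc/sasl2/libvirt.conf, falls back to the defaults stated in the shipped libvirtd.conf for keys that are commented out, and uses two constructed sample configurations (the post's step 1.1 and a deliberately exposed one) for the demonstration; the file and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post or from libvirt: audit the
# listener/authentication settings in a libvirtd.conf and the mechanism list
# in /etc/sasl2/libvirt.conf before restarting the daemon with --listen.
# Assumes libvirt's "key = value" / key = "value" syntax with '#' comments.

# conf_get FILE KEY: effective value of KEY with quotes stripped; the last
# assignment wins. A missing or commented-out key falls back to the default
# stated in the shipped libvirtd.conf, so '#auth_tcp = "sasl"' audits as sasl.
conf_get() {
    val=$(sed -n -e 's/#.*//' \
        -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}.*/\1/p" \
        "$1" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; return 0; fi
    case "$2" in
        listen_tls)  echo 1 ;;
        listen_tcp)  echo 0 ;;
        listen_addr) echo 0.0.0.0 ;;
        tcp_port)    echo 16509 ;;
        auth_tcp)    echo sasl ;;
        auth_tls)    echo none ;;
        tls_no_verify_certificate) echo 0 ;;
        *)           echo "" ;;
    esac
}

# audit_libvirtd_conf FILE: prints one finding per line; returns 1 on CRITICAL.
audit_libvirtd_conf() {
    f=$1; rc=0
    if [ "$(conf_get "$f" listen_tcp)" = 1 ]; then
        case "$(conf_get "$f" auth_tcp)" in
            none) echo "CRITICAL: listen_tcp=1 with auth_tcp=none: unauthenticated cleartext control of the hypervisor on $(conf_get "$f" listen_addr):$(conf_get "$f" tcp_port)"; rc=1 ;;
            sasl) echo "WARN: listen_tcp=1 with auth_tcp=sasl: only the SASL mechanism protects the session; prefer listen_tls and qemu+tls://" ;;
            *)    echo "WARN: listen_tcp=1 with auth_tcp=$(conf_get "$f" auth_tcp): check that this mechanism encrypts" ;;
        esac
    fi
    if [ "$(conf_get "$f" listen_tls)" = 1 ] && [ "$(conf_get "$f" auth_tls)" = none ]; then
        dn=$(conf_get "$f" tls_allowed_dn_list)
        if [ "$(conf_get "$f" tls_no_verify_certificate)" = 1 ]; then
            echo "CRITICAL: listen_tls=1 with tls_no_verify_certificate=1 and auth_tls=none: anyone who can reach the TLS port is admitted"; rc=1
        elif [ -z "$dn" ] || [ "$dn" = '[]' ]; then
            echo "INFO: listen_tls=1 with auth_tls=none: every certificate issued by the CA is accepted; set tls_allowed_dn_list or auth_tls=sasl"
        fi
    fi
    return $rc
}

# audit_sasl_conf FILE TCP_LISTENING: checks mech_list in /etc/sasl2/libvirt.conf.
audit_sasl_conf() {
    rc=0
    for m in $(sed -n -e 's/#.*//' -e 's/^[[:space:]]*mech_list[[:space:]]*:[[:space:]]*//p' "$1"); do
        case "$m" in
            digest-md5)  echo "WARN: mech_list has digest-md5, moved to Historic by RFC 6331; prefer scram-sha-256 or gssapi" ;;
            plain|login) if [ "$2" = 1 ]; then echo "CRITICAL: mech_list has $m while listen_tcp=1: passwords would cross the network in cleartext"; rc=1; fi ;;
        esac
    done
    return $rc
}

# Constructed samples for the demo (not real hosts).
sample_tcp_sasl() {  # the post's step 1.1
    printf '%s\n' 'listen_tls = 0' 'listen_tcp = 1' 'tcp_port = "16509"' 'auth_tcp = "sasl"' '#auth_tls = "sasl"'
}
sample_exposed() {   # a lab setting that must never reach production
    printf '%s\n' 'listen_tls = 1' 'listen_tcp = 1' 'auth_tcp = "none"   # easier for testing' 'tls_no_verify_certificate = 1'
}
sample_sasl_conf() { printf '%s\n' 'mech_list: digest-md5' 'sasldb_path: /etc/libvirt/passwd.db'; }

# Run against the installed files with: sh audit_libvirtd.sh live
if [ "${1:-}" = live ]; then
    audit_libvirtd_conf /etc/libvirt/libvirtd.conf
    audit_sasl_conf /etc/sasl2/libvirt.conf "$(conf_get /etc/libvirt/libvirtd.conf listen_tcp)"
fi
```

Run with the argument `live` on the host to check the installed files; without an argument the script only defines the functions. The step-1.1 configuration produces a single WARN (plain TCP protected only by the SASL layer), while the exposed sample produces two CRITICAL findings and a non-zero exit code that a deployment pipeline can gate on.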


Create the keys and certificates

/////////////////////////////Create the Certificate Authority Certificate

cat certificate_authority_template.info

cn = libvirt.org
ca
cert_signing_key

apt-get install gnutls-bin

(umask 277 && certtool --generate-privkey > certificate_authority_key.pem)

cat certificate_authority_key.pem

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

root@popsuper1982:/home/cliu8/keys/certtool# ls -la certificate_authority_key.pem
-r-------- 1 root root 1972 Jul 15 22:28 certificate_authority_key.pem

certtool --generate-self-signed --template certificate_authority_template.info --load-privkey certificate_authority_key.pem --outfile certificate_authority_certificate.pem

Generating a self signed certificate...
X.509 Certificate Information:
Version: 3
Serial Number (hex): 53c53b4d
Validity:
Not Before: Tue Jul 15 14:31:41 UTC 2014
Not After: Wed Jul 15 14:31:41 UTC 2015
Subject: CN=libvirt.org
Subject Public Key Algorithm: RSA
Certificate Security Level: Normal
Modulus (bits 2432):
00:e9:59:61:58:f3:f4:a0:db:7a:c1:57:48:5c:c4:19
5a:2c:b3:51:cf:2c:37:31:64:3f:52:bc:ea:f8:1b:db
3f:ed:95:7d:c1:0f:56:cd:4c:21:d5:a3:fd:93:78:29
87:ca:fe:1a:7b:79:01:c6:69:c1:d1:84:93:f7:6f:18
87:f9:5b:9f:7a:b8:c1:ac:ab:a8:8c:1f:fc:c9:d8:f5
29:b5:ea:1e:e3:3f:9d:f1:ff:56:83:ea:ed:48:30:ac
61:e5:39:46:22:53:97:57:09:6c:6c:58:de:7f:f5:a5
d8:46:46:79:19:4d:be:6f:1c:d0:2c:1c:8b:ef:1c:be
ca:96:5e:87:ef:36:83:7a:9b:1b:1e:03:18:71:60:70
f5:73:1b:11:e6:01:3e:87:43:b9:7a:aa:4b:01:99:21
69:76:4e:22:0e:e6:a5:bc:23:48:d9:04:ad:1e:56:b7
90:8b:01:bb:bb:72:aa:f9:3c:ba:b1:9a:2a:d3:45:de
d3:84:82:4e:40:07:da:1f:e9:b7:47:3b:96:6d:e0:f8
1b:b0:c1:98:d0:df:9b:c9:f9:c6:d9:32:58:43:8e:9a
e6:6a:a7:6f:a9:c2:df:c8:60:7b:87:f5:d1:f4:25:1a
c4:3c:bb:17:fe:83:a1:06:48:8b:a5:1a:b3:00:91:d9
26:2a:8d:73:dc:e5:a1:85:a4:1a:29:1f:1d:c1:fb:14
4f:51:8f:4b:9c:19:15:49:7c:de:3d:0e:cb:47:84:b6
ff:d2:dd:1e:2a:d6:77:59:18:df:c1:82:39:a4:0f:47
51
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): TRUE
Key Usage (critical):
Certificate signing.
Subject Key Identifier (not critical):
f113e5356c2b30271aa1f1bb6183676edee28ed7
Other Information:
Public Key Id:
f113e5356c2b30271aa1f1bb6183676edee28ed7

Signing certificate...

cat certificate_authority_certificate.pem

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Check the certificate file

ls -la certificate_authority_certificate.pem
-r-------- 1 root root 1204 Jul 15 22:31 certificate_authority_certificate.pem

cp certificate_authority_certificate.pem /etc/pki/CA/cacert.pem

chmod 444 /etc/pki/CA/cacert.pem

scp -r certificate_authority_certificate.pem [email protected]:/home/cliu8/

on 16.158.166.197
cp certificate_authority_certificate.pem /etc/pki/CA/cacert.pem


/////////////////////////Creating Transport Layer Security Server Certificates for libvirt
# cat popsuper1982_server_template.info 
organization = libvirt.org
cn = popsuper1982
tls_www_server
encryption_key
signing_key

# (umask 277 && certtool --generate-privkey > popsuper1982_server_key.pem)
Generating a 2432 bit RSA private key...

# certtool --generate-certificate --template popsuper1982_server_template.info --load-privkey popsuper1982_server_key.pem --load-ca-certificate certificate_authority_certificate.pem --load-ca-privkey certificate_authority_key.pem --outfile popsuper1982_server_certificate.pem
Generating a signed certificate...
X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 53c55255
        Validity:
                Not Before: Tue Jul 15 16:09:57 UTC 2014
                Not After: Wed Jul 15 16:09:57 UTC 2015
        Subject: O=libvirt.org,CN=popsuper1982
        Subject Public Key Algorithm: RSA
        Certificate Security Level: Normal
                Modulus (bits 2432):
                        00:ca:e5:92:4f:d8:14:f4:e2:26:26:88:5a:b4:fd:0e
                        ee:86:c6:e8:15:b2:4f:36:6d:8a:b1:23:75:80:b1:0a
                        72:e0:6c:a0:06:ce:03:43:12:2c:6f:e9:ee:bf:21:d2
                        93:82:02:74:14:50:17:fc:f8:21:ec:a6:66:29:9f:d7
                        c3:63:35:50:82:f2:30:9a:12:3b:3e:5a:d1:68:29:7a
                        eb:18:10:7a:69:f8:0b:aa:1a:d9:2d:8b:e4:b3:1b:81
                        c7:de:a8:9f:08:1d:d0:85:db:af:cc:08:00:9b:c1:5a
                        31:f8:9a:43:01:42:88:11:91:35:73:df:57:b9:ce:83
                        34:91:70:ee:29:4b:88:dd:f2:7a:16:1d:c1:36:4d:8b
                        28:7b:05:ba:42:b1:63:8a:92:f8:3d:0c:d1:a2:d8:24
                        92:29:de:c7:8a:73:1d:1e:ec:d3:72:4a:7e:7a:a1:43
                        85:fa:85:ab:58:a3:67:03:4a:48:62:04:b3:f4:8e:f5
                        f0:16:fb:24:28:75:d7:1d:43:52:bc:08:9d:3e:d0:38
                        7d:36:9b:1b:f5:81:0c:17:fd:ba:1b:10:bb:1b:69:cf
                        eb:c1:54:4e:99:ed:ff:15:71:11:9a:63:31:9d:0f:7b
                        b2:31:a2:4c:49:2a:ee:d1:3c:80:c0:98:e0:6c:63:6b
                        52:9a:b5:d6:0b:6c:34:13:86:d6:ab:c4:4d:9a:ff:ae
                        be:60:b2:a7:e3:3d:b4:63:05:d3:f0:f9:69:01:35:97
                        1c:52:48:24:75:b5:73:96:b5:fb:bc:8e:2e:62:7c:5c
                        17
                Exponent (bits 24):
                        01:00:01
        Extensions:
                Basic Constraints (critical):
                        Certificate Authority (CA): FALSE
                Key Purpose (not critical):
                        TLS WWW Server.
                Key Usage (critical):
                        Digital signature.
                        Key encipherment.
                Subject Key Identifier (not critical):
                        0570b6cf340118f7d44dd67c0ca6ffbbb7a4871c
                Authority Key Identifier (not critical):
                        f113e5356c2b30271aa1f1bb6183676edee28ed7
Other Information:
        Public Key Id:
                0570b6cf340118f7d44dd67c0ca6ffbbb7a4871c

Signing certificate...

cp popsuper1982_server_certificate.pem /etc/pki/libvirt/servercert.pem

cp popsuper1982_server_key.pem /etc/pki/libvirt/private/serverkey.pem

///////////////////////Creating Transport Layer Security Client Certificates for libvirt

# cat escto-bj-hp-z620_client_template.info 
country = CN
state = Beijing
locality = Beijing
organization = libvirt.org
cn = escto-bj-hp-z620
tls_www_client
encryption_key
signing_key

(umask 277 && certtool --generate-privkey > escto-bj-hp-z620_client_key.pem)
Generating a 2432 bit RSA private key...

certtool --generate-certificate --template escto-bj-hp-z620_client_template.info --load-privkey escto-bj-hp-z620_client_key.pem --load-ca-certificate certificate_authority_certificate.pem --load-ca-privkey certificate_authority_key.pem --outfile escto-bj-hp-z620_client_certificate.pem
Generating a signed certificate...
X.509 Certificate Information:
Version: 3
Serial Number (hex): 53c55678
Validity:
Not Before: Tue Jul 15 16:27:36 UTC 2014
Not After: Wed Jul 15 16:27:36 UTC 2015
Subject: C=CN,O=libvirt.org,L=Beijing,ST=Beijing,CN=escto-bj-hp-z620
Subject Public Key Algorithm: RSA
Certificate Security Level: Normal
Modulus (bits 2432):
00:9f:5c:d7:89:2c:0b:fe:e7:38:21:1d:2a:da:92:eb
82:91:96:3c:f3:22:28:a3:d6:3d:70:68:27:a1:2b:3a
3e:79:03:55:ea:1b:eb:1f:81:90:71:3d:41:4c:99:f2
96:46:22:e0:33:91:bb:5b:38:83:a5:3f:d7:0a:25:dd
f0:90:cf:0d:4a:18:b3:0d:db:01:5f:70:78:1b:63:01
ac:6f:32:8b:79:cc:51:0f:d4:45:1e:6f:b8:d8:84:57
af:ca:e8:3e:58:0a:79:89:0d:99:e2:8a:b2:2c:85:dc
40:15:7c:52:9b:46:66:a0:0f:6c:52:7d:e8:1b:b4:06
5a:d9:7f:30:84:d0:37:66:2a:3f:53:50:33:99:93:b7
8d:a2:74:cd:4d:ca:76:b5:df:2f:47:f9:e2:1a:7b:91
49:20:be:c9:ca:9b:f1:2c:f1:40:1a:66:37:2e:ac:23
3f:3d:44:de:0f:2d:d2:60:63:22:2d:49:28:98:c0:b7
9f:70:be:51:b8:d3:10:1d:40:3d:3e:6f:1a:f1:a2:1b
5c:2e:68:8b:05:99:7b:0b:5c:9c:78:54:8f:de:ae:7e
75:6d:fb:af:cc:ea:3c:be:9d:25:57:d1:3d:ef:27:66
c3:93:2f:62:f0:43:31:64:df:df:20:b6:b8:df:8a:85
77:38:9b:3d:85:e1:67:1b:e6:b4:9b:e0:30:4e:6c:62
c1:07:72:57:ad:bc:fc:f0:0c:d8:d4:12:ac:eb:80:ee
04:b2:b0:10:e4:d6:71:68:2b:ee:e6:98:23:9a:df:c7
95
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): FALSE
Key Purpose (not critical):
TLS WWW Client.
Key Usage (critical):
Digital signature.
Key encipherment.
Subject Key Identifier (not critical):
f4385711f8089b39ba2c13869aa816114d378190
Authority Key Identifier (not critical):
f113e5356c2b30271aa1f1bb6183676edee28ed7
Other Information:
Public Key Id:
f4385711f8089b39ba2c13869aa816114d378190

Signing certificate...

root@popsuper1982:/home/cliu8/keys/certtool# scp escto-bj-hp-z620_client_certificate.pem [email protected]:/home/cliu8/
[email protected]'s password:
escto-bj-hp-z620_client_certificate.pem 100% 1379 1.4KB/s 00:00
root@popsuper1982:/home/cliu8/keys/certtool# scp escto-bj-hp-z620_client_key.pem [email protected]:/home/cliu8/
[email protected]'s password:
escto-bj-hp-z620_client_key.pem 100% 1968 1.9KB/s 00:00

Edit /etc/hosts on both machines so the server is reachable by the name in its certificate (the TLS client checks the host part of the URI against the certificate's CN/SAN, so an IP in the URI will not verify):

16.158.166.150 popsuper1982
16.158.166.197 escto-bj-hp-z620

Edit /etc/default/libvirt-bin

# cat /etc/default/libvirt-bin
# Defaults for libvirt-bin initscript (/etc/init.d/libvirt-bin)
# This is a POSIX shell fragment

# Start libvirtd to handle qemu/kvm:
start_libvirtd="yes"

# options passed to libvirtd, add "-l" to listen on tcp
libvirtd_opts="-d -l"

# pass in location of kerberos keytab
#export KRB5_KTNAME=/etc/libvirt/libvirt.keytab

Restart libvirt-bin and confirm both listeners are up (16509 is the plain TCP port, 16514 the TLS port; with listen_addr at its default of 0.0.0.0 they accept connections on every interface, so restrict them to the management network with a firewall):

root@popsuper1982:/home/cliu8# netstat -na | grep 16509
tcp        0      0 0.0.0.0:16509           0.0.0.0:*               LISTEN
tcp6       0      0 :::16509                :::*                    LISTEN
root@popsuper1982:/home/cliu8# netstat -na | grep 16514
tcp        0      0 0.0.0.0:16514           0.0.0.0:*               LISTEN
tcp6       0      0 :::16514                :::*                    LISTEN


For remote TLS connections, /etc/pki/CA/cacert.pem must be in place on both sides; the full layout libvirt expects is shown below. clientkey.pem should be readable only by the user who runs virsh, and serverkey.pem only by root.

On the client machine escto-bj-hp-z620

tree --charset ASCII /etc/pki/
/etc/pki/
|-- CA
|   `-- cacert.pem
|-- libvirt
|   |-- clientcert.pem
|   `-- private
|       `-- clientkey.pem
`-- nssdb -> /var/lib/nssdb

On the server machine popsuper1982

tree --charset ASCII /etc/pki/
/etc/pki/
|-- CA
|   `-- cacert.pem
|-- libvirt
|   |-- private
|   |   `-- serverkey.pem
|   `-- servercert.pem
`-- nssdb -> /var/lib/nssdb

virsh -c qemu+tls://popsuper1982/system list --all

Please enter your authentication name: test1@popsuper1982
Please enter your password:
 Id    Name                           State
----------------------------------------------------
 -     ubuntu-14.04                   shut off

The connection must use the server's hostname (popsuper1982) rather than its IP address for the TLS handshake to succeed: the client checks the host part of the URI against the CN (or SAN) of the server certificate, and that certificate was issued for cn = popsuper1982.
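The certificate steps above (CA, server, client) can be scripted so that they run non-interactively and verify their own output before anything is copied into /etc/pki. The script below is an added example, not part of the original post or of libvirt. It uses openssl in place of certtool, a deliberate substitution so that it also runs on hosts without gnutls-bin; the extension lines map one-to-one onto the certtool template keywords used above (ca and cert_signing_key; tls_www_server or tls_www_client with encryption_key and signing_key). It assumes libvirt.org as the CA and organisation name, as in the post, takes the server and client hostnames as arguments, and writes into a work directory of its own. It also performs the checks this page leaves to the reader: that each certificate chains to the CA, that the server certificate carries the name the client will put in qemu+tls://HOST/system (so an IP address in the URI fails, as observed above), and that no private key is group- or world-readable.

```shell
#!/bin/sh
# Added example (not from the post or libvirt): generate the libvirt CA,
# server and client certificates non-interactively with openssl, then verify
# them the way the TLS handshake will before anything is copied to /etc/pki.
# Assumed: "libvirt.org" as CA/org name (as in the post); hostnames are
# arguments; everything is written under a work directory.
set -eu

# Extensions equivalent to the certtool template keywords used in the post:
#   ca + cert_signing_key                          -> CA:TRUE, keyCertSign
#   tls_www_server + encryption_key + signing_key  -> serverAuth, digitalSignature+keyEncipherment
#   tls_www_client + encryption_key + signing_key  -> clientAuth, digitalSignature+keyEncipherment
# The server cert also gets a SAN for its hostname: GnuTLS checks SAN before CN.
write_ext() { # write_ext KIND [HOSTNAME]
    case "$1" in
    ca)     printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\nsubjectKeyIdentifier=hash\n' ;;
    server) printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' "$2" ;;
    client) printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' ;;
    esac
}

# Private keys are created under umask 077 (the post uses umask 277 for the
# same reason) so they are never group- or world-readable, not even briefly.
gen_key() { (umask 077 && openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null); }

make_ca() { # make_ca DIR -> DIR/cakey.pem, DIR/cacert.pem (self-signed, 1 year)
    gen_key "$1/cakey.pem"
    write_ext ca > "$1/ca.ext"
    openssl req -new -key "$1/cakey.pem" -subj "/CN=libvirt.org" -out "$1/ca.csr" 2>/dev/null
    openssl x509 -req -in "$1/ca.csr" -signkey "$1/cakey.pem" -days 365 \
        -extfile "$1/ca.ext" -out "$1/cacert.pem" 2>/dev/null
}

make_leaf() { # make_leaf DIR server|client HOSTNAME -> DIR/<kind>key.pem, DIR/<kind>cert.pem
    gen_key "$1/${2}key.pem"
    write_ext "$2" "$3" > "$1/$2.ext"
    openssl req -new -key "$1/${2}key.pem" -subj "/O=libvirt.org/CN=$3" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" -CAcreateserial \
        -days 365 -extfile "$1/$2.ext" -out "$1/${2}cert.pem" 2>/dev/null
}

# verify_cert CACERT CERT [HOSTNAME]: chain to the CA and, with HOSTNAME, the
# name match the client performs for qemu+tls://HOSTNAME/system (an IP address
# in the URI fails this check, which is the post's closing observation).
verify_cert() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# key_is_private KEY: true only if the file exists and no group/other bit is set
# (GNU find syntax for "any of these bits").
key_is_private() { [ -f "$1" ] && [ -z "$(find "$1" -perm /077)" ]; }

# build_pki DIR SERVER_HOSTNAME CLIENT_HOSTNAME: build everything and refuse
# to report success unless every check passes.
build_pki() {
    mkdir -p "$1"
    make_ca "$1"
    make_leaf "$1" server "$2"
    make_leaf "$1" client "$3"
    verify_cert "$1/cacert.pem" "$1/servercert.pem" "$2" || { echo "server cert does not verify for $2" >&2; return 1; }
    verify_cert "$1/cacert.pem" "$1/clientcert.pem"      || { echo "client cert does not chain to the CA" >&2; return 1; }
    for k in cakey serverkey clientkey; do
        key_is_private "$1/$k.pem" || { echo "$1/$k.pem is readable by others" >&2; return 1; }
    done
    echo "PKI for server=$2 client=$3 built in $1"
}

# Usage: sh build_libvirt_pki.sh WORKDIR SERVER_HOSTNAME CLIENT_HOSTNAME
if [ $# -eq 3 ]; then build_pki "$1" "$2" "$3"; fi
```

Install the results exactly as in the two directory trees above: cacert.pem to /etc/pki/CA/cacert.pem on both hosts; servercert.pem and serverkey.pem to /etc/pki/libvirt/ and /etc/pki/libvirt/private/ on the server; clientcert.pem and clientkey.pem likewise on the client. cakey.pem stays on the signing machine and is never copied to a hypervisor or a client. Generating the client key on the client and moving only a CSR to the CA avoids transferring the private key at all, as the scp step above does; on an installed host, libvirt's own virt-pki-validate performs the same chain and path checks against /etc/pki.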