List:       libvirt-users
Subject:    [libvirt-users] How to tell spicy client to use SASL authentication?
From:       mordenkainen <mordenkainen () zoho ! com>
Date:       2016-10-13 22:22:00
Message-ID: 20161014012200.00cf7ede () paladin

I'm using libvirt in a desktop environment. Single host machine, a pair of users, a few
guest machines. The first thought was that a unix socket restricted to a specific group
is just enough for authentication. But virsh has power like sudo: you could
define a pool on a real device and write anything on it. So I decided to authenticate
with a password for each virsh use. I'm using SASL + saslauthd + PAM for that case.

/etc/sasl2/libvirt.conf:
  mech_list: PLAIN
  pwcheck_method: saslauthd

/etc/sasl2/qemu.conf:
  mech_list: PLAIN
  pwcheck_method: saslauthd

/etc/pam.d/libvirt:
  auth            requisite       pam_listfile.so item=group sense=allow file=/etc/libvirt/allow_group
  auth            required        pam_tally2.so onerr=succeed
  auth            required        pam_nologin.so
  auth            required        pam_unix.so try_first_pass likeauth nullok
  account         requisite       pam_listfile.so item=group sense=allow file=/etc/libvirt/allow_group
  account         required        pam_nologin.so
  account         required        pam_unix.so

/etc/pam.d/qemu:
  auth            requisite       pam_listfile.so item=group sense=allow file=/etc/libvirt/allow_group
  auth            required        pam_tally2.so onerr=succeed
  auth            required        pam_nologin.so
  auth            required        pam_unix.so try_first_pass likeauth nullok
  account         requisite       pam_listfile.so item=group sense=allow file=/etc/libvirt/allow_group
  account         required        pam_nologin.so
  account         required        pam_unix.so

They are two identical configs for libvirt and for qemu. The first works flawlessly.
virsh prompts for user and password and then logs me in to the shell.

But spicy fails. It prompts only for the password and fails after receiving it,
leaving an error message in syslog:

Oct 13 23:24:21 paladin spicy[9001]: GSSAPI client step 1

What are the supposed actions I should perform to get further debug information?

