Create sasl accounts for libvirt

I have been playing around with libvirt, which is a virtualization toolkit that sits on top of the native virtualization technologies in various operating systems. Libvirt provides built-in support for managing remote nodes, which is useful when you need to enable one or more virtualization properties, or when you need to perform some type of administrative action (e.g., migrate a host to another machine). To allow secure access, libvirt supports transport layer security as well as authentication. TLS is typically used to secure the network transport, and SASL is used to provide authentication.

Libvirt's SASL support currently offers two mechanisms: DIGEST-MD5 and GSSAPI. To configure libvirt to use the SASL DIGEST-MD5 mechanism, you will need to add a user to the SASL database. This can be accomplished with the saslpasswd2 command:

$ saslpasswd2 -a libvirt virt
Again (for verification):

The “-a” option specifies the application name to tie the user to, and the name passed to the command is the account to create. To view the list of users in the SASL database, you can pass the path of the SASL password database (a Berkeley DB file) to the sasldblistusers2 command:

$ sasldblistusers2 -f /etc/libvirt/passwd.db
virt@thecrue: userPassword

After the accounts are created, you will need to make sure the digest-md5 mechanism is enabled in the /etc/sasl2/libvirt.conf configuration file:

# Default to a simple username+password mechanism
mech_list: digest-md5

Next you will need to edit /etc/libvirt/libvirtd.conf to enforce SASL authentication. If you are using a TCP socket to connect to your hosts (not recommended), you can update the auth_tcp directive:

# Change the authentication scheme for TCP sockets.
# If you don't enable SASL, then all TCP traffic is cleartext.
# Don't do this outside of a dev/test scenario. For real world
# use, always enable SASL and use the GSSAPI or DIGEST-MD5
# mechanism in /etc/sasl2/libvirt.conf
auth_tcp = "sasl"

If you are using TLS over TCP to connect to your hosts (this is recommended, since the user credentials will be encrypted and not passed to the remote nodes as plain text), you can update the auth_tls directive:

# Change the authentication scheme for TLS sockets.
# TLS sockets already have encryption provided by the TLS
# layer, and limited authentication is done by certificates
# It is possible to make use of any SASL authentication
# mechanism as well, by using 'sasl' for this option
auth_tls = "sasl"

After SASL is active, libvirt will prompt you for a user account and password each time an operation is performed:

$ virsh

virsh # migrate --live kvmnode2 qemu+tls://disarm/system
Please enter your authentication name:virt
Please enter your password:
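Because a commented-out or duplicated directive in libvirtd.conf is easy to misread, it helps to have a quick check that reports the effective values of the two settings changed above. The following POSIX shell script is an added example, not part of the original post or of libvirt itself: it extracts the last uncommented value of a directive from a libvirtd.conf-style file, checks that mech_list in the SASL configuration offers digest-md5, and reports whether both the TLS and TCP sockets are set to require SASL. The file paths are the ones used in the post; the sample configuration contents are constructed here so the script runs on its own.

```shell
#!/bin/sh
# Added example: audit libvirt's SASL-related settings.
# Not the project's own tooling; the config snippets below are constructed.

# conf_value FILE KEY
# Prints the effective value of KEY in a libvirtd.conf-style file
# (comments stripped, last uncommented assignment wins, quotes removed).
# Exits non-zero when KEY is not set anywhere in the file.
conf_value() {
    sed -e 's/#.*$//' "$1" \
      | grep -E "^[[:space:]]*$2[[:space:]]*=" \
      | tail -n 1 \
      | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//; s/^"(.*)"$/\1/' \
      | grep .
}

# sasl_mech_enabled FILE MECH
# Exits 0 when MECH appears in the mech_list line of a
# /etc/sasl2/libvirt.conf-style file (case-insensitive, whole word).
sasl_mech_enabled() {
    sed -e 's/#.*$//' "$1" \
      | grep -E "^[[:space:]]*mech_list[[:space:]]*:" \
      | tail -n 1 \
      | sed -E 's/^[^:]*:[[:space:]]*//' \
      | tr ' \t' '\n\n' \
      | grep -qix "$2"
}

# audit_libvirt_sasl LIBVIRTD_CONF SASL_CONF
# Prints one finding per setting; returns 0 only when auth_tls and auth_tcp
# are both "sasl" and digest-md5 is offered in mech_list.
audit_libvirt_sasl() {
    libvirtd_conf="$1"; sasl_conf="$2"; rc=0
    for directive in auth_tls auth_tcp; do
        v=$(conf_value "$libvirtd_conf" "$directive") || v="(unset)"
        if [ "$v" = "sasl" ]; then
            echo "ok:   $directive = \"sasl\""
        else
            echo "WARN: $directive = $v (SASL not explicitly enforced)"
            rc=1
        fi
    done
    if sasl_mech_enabled "$sasl_conf" digest-md5; then
        echo "ok:   mech_list offers digest-md5"
    else
        echo "WARN: digest-md5 is not in mech_list"
        rc=1
    fi
    return $rc
}

# Constructed sample files standing in for /etc/libvirt/libvirtd.conf and
# /etc/sasl2/libvirt.conf. The commented-out auth_tcp line must be ignored.
demo_dir=$(mktemp -d)
cat > "$demo_dir/libvirtd.conf" <<'EOF'
# auth_tcp = "none"
listen_tls = 1
auth_tcp = "sasl"
auth_tls = "sasl"
EOF
cat > "$demo_dir/libvirt.conf" <<'EOF'
# Default to a simple username+password mechanism
mech_list: digest-md5
EOF

audit_libvirt_sasl "$demo_dir/libvirtd.conf" "$demo_dir/libvirt.conf"
rm -r "$demo_dir"
```

Run it against the real files with `audit_libvirt_sasl /etc/libvirt/libvirtd.conf /etc/sasl2/libvirt.conf` after sourcing the functions; a WARN line for auth_tcp on a host that only listens on TLS is expected, since the post recommends the TLS socket.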

Using TLS requires a bit more work to get operational, so I will leave that for a separate post. Libvirt is pretty sweet, and when KVM is fully integrated life will be grand!!