We’ve looked at how to setup libvirt for encrypted remote access using a SASL file database to authenticate users.
But, wouldn’t it be nice if we could integrate libvirt users into LDAP, like we did previously with Jenkins and Mediawiki? Doing so would give you the SSO benefits of Kerberos, and the security and policy features of FreeIPA.
To get started, we need to install some packages on the libvirtd server and the client where you’ll be running virsh or virt-manager.
$ sudo apt-get install libsasl2-2 libsasl2-modules-gssapi-mit
$ sudo yum install cyrus-sasl cyrus-sasl-gssapi
$ sudo pacman -S libsasl cyrus-sasl cyrus-sasl-gssapi
Next we need to create a service principal in LDAP for libvirt, and export it to a keytab which we’ll install on the libvirtd server. In the FreeIPA admin, navigate to: Identity -> Services -> Add
The service is “libvirt” and the Host Name is the server running libvirtd. In this example the principal would be “libvirt/[email protected]”
You can verify this by running
ipa service-show on the IPA server:
$ ipa service-show libvirt/libvirt.watchmysys.com Principal: libvirt/[email protected] Keytab: True Managed by: libvirt.watchmysys.com
Once you’ve created the principal it needs to be exported to a keytab which will be installed on the libvirtd server:
ipa cert-request --principal=libvirt/libvirt.watchmysys.com libvirt.keytab
libvirt.keytab file needs to be copied to
/etc/libvirt/krb5.keytab the libvirtd server with permissions
Now we need to change SASL to authenticate using Kerberos, instead of the file based authentication we had before.
$ sudo vi /etc/sasl2/libvirt.conf mech_list: gssapi keytab: /etc/libvirt/krb5.keytab
Ensure that there are no other mechanisms defined in
mech_list and that
sasldb_path: is commented out.
Now if you have a valid ticket on your client you should be able to login using virsh or virt-manager without having to type in a username or password.
Before logging in to libvirtd:
client $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: [email protected] Valid starting Expires Service principal 10/27/2014 20:06:48 10/28/2014 20:06:45 krbtgt/[email protected]
Open virt-manager or use virsh to connect to the hypervisor:
client $ virsh -c qemu+tls://libvirt.watchmysys.com/system list Id Name State ---------------------------------------------------- 1 debian7 running 2 centos7 running 3 arch2014.08 running 4 opensuse running 5 xbuntu1404 running 6 windows7 running
After logging in to libvirtd:
client $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: [email protected] Valid starting Expires Service principal 10/27/2014 20:06:48 10/28/2014 20:06:45 krbtgt/[email protected] 10/27/2014 20:06:53 10/28/2014 20:06:45 libvirt/[email protected]
Failed to start SASL negotiation: -4 (SASL(-4): no mechanism available: No worthy mechs found)
Check that you have the proper sasl gssapi packages installed on both the client and the server.