Features/VirtAuthentication

= Virtualization Authentication =

Summary
Fedora 8 introduced support for secure remote management using TLS/SSL and x509 certificates. This feature is to extend the remote management capabilities adding support for authentication against a username/password DB, Kerberos domain controller, or system auth using PAM. This is to apply to all tools using libvirt.

Owner

 * Name: DanielBerrange

Current status

 * Targeted release:  Fedora 9
 * Last updated: 2008-03-15
 * Percentage of completion: 100%

Detailed Description
Fedora 8 introduced support for secure remote management using TLS/SSL and x509 certificates. While x509 client certificates can be used as an authentication mechanism, this has significant management overhead. Sites may have existing authentication schemes such as Kerberos single sign-on that they wish to utilize. This feature is to extend the remote management capabilities adding support for authentication against a username/password DB, Kerberos domain controller, or system auth using PAM. This is to apply to all tools using libvirt. The intent is to use the SASL authentication library, since this enables support for a wide range of authentication backends, independant of the application code.

Benefit to Fedora
Flexibility for administrators in controlling access to virtualization tools. Ability to integrate with FreeIPA, and ActiveDirectory for Kerberos single-sign on capabilities.

Scope
Requires integrating SASL into the libvirt management API. Requires enhancing applications using libvirt to provide callbacks for collecting authentication credentials from the end user.

Test Plan

 * Deploy a FreeIPA server on a LAN
 * Configure two Fedora 9 instances to use Kerberos against the FreeIPA server
 * Install Xen or KVM on one Fedora 9 instance, and enable remote management by starting the libvirtd service
 * Run virt-manager on the other Fedora 9 instance.
 * Run kinit on the client to obtain a Kerberos principle
 * Attempt to connect to the libvirt server & get authenticated using the Keberos principle

User Experience
If the user configures their PAM system-auth to use Kerberos, they should automatically obtain a Kerberos principle when logging into their desktop session via GDM. They should then be able to connect to any libvirtd enabled server without having to enter any username or password, or setup any x509 certificates.

Dependencies

 * SASL support in libvirt (in rawhide in libvirt 0.4.0)
 * Authentication credential callbacks in virt-manager (available in 0.5.4)

Contingency Plan
Continue with x509 certificate based authentication present in Fedora 8

Documentation
The libvirt website provides documentation on configuring authentication at


 * http://libvirt.org/auth.html

The virt-manager wiki has guides for configuring the 4 different authentication methods:


 * SSH tunnel auth
 * TLS/SSL + x509 certificate auth
 * Kerberos / GSSAPI auth
 * Username + password Digest-MD5 auth

Release Notes
The libvirt library now integrates with the cyrus-sasl library to provide a wide selection of pluggable authentication methods. In addition to the SSH tunnel, and TLS/SSL + x509 certificate auth added in Fedora 8, it is now possible to use


 * Keberos - via the GSSAPI plugin for SASL. This enables passwordless single sign-on to libvirt servers.
 * Digest-MD5 - this provides for a secure username+password based authentication

If no Kerberos server is yet deployed on the local network, the libvirt team recommends use of FreeIPA as an application to setup and manage Kerberos.

The virsh command line tool supports authenticating with both Digest-MD5 (prompting for username+password) and Kerberos.

The virt-manager UI supports authenticating with both Digest-MD5 and Kerberos, displaying UI to enter credentials as required.