[virt-tools-list] TLS authentication

Daniel Berteaud daniel at firewall-services.com
Thu Oct 1 13:08:23 UTC 2009


On Thursday 01 October 2009 at 15:02 +0200, Daniel Huhardeaux wrote:
> Daniel Berteaud wrote:
> > On Thursday 01 October 2009 at 14:03 +0200, Daniel Huhardeaux wrote:
> 
> [...]
> 
> >> On the client, it's another story. All certificates need to be located in 
> >> /etc/pki/[CA|libvirt] directories. Ok, can be. But the other problem is with 
> >> the file names, which are cacert.pem, clientcert.pem and clientkey.pem.
> >>
> >> How to get them renamed, as I have 2 servers to connect to :-( ? At this 
> >> time I use the same certs for both of them but that's not a solution.
> > 
> > I had the same problem, so for now, I've switched to SSH instead of TLS
> > (as I can manage different keys for different servers and automatically
> > choose the good one in .ssh/config).
> 
> But with ssh you need to accept root connections, I can't agree with that.

No, you don't need root access. Just configure the rw socket of libvirt with
770 permissions (in libvirtd.conf), then create an unprivileged user and
put him in the libvirt group. Now you can connect to libvirt through SSH
using this user (in virt-manager, use the user@host syntax instead of just
host).

Regards

> 
> > But it'd be great to be able to
> > specify CA, cert and key files on a per connection basis when adding a
> > new connection using TLS. We should also be able to specify cert files
> > for VNC connections (also on a per connection basis).
> 
> Same here ;-)
-- 
Daniel Berteaud
FIREWALL-SERVICES SARL.
Société de Services en Logiciels Libres
Technopôle Montesquieu
33650 MARTILLAC
Tel : 05 56 64 15 32
Fax : 05 56 64 15 32
Mail: daniel at firewall-services.com
Web : http://www.firewall-services.com
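
A check for the setup described in the reply above, as an added example that is not part of the original message: it reads `unix_sock_group` and `unix_sock_rw_perms` from a libvirtd.conf-style file and fails unless the read-write socket is limited to a named group with mode 0770. The group name `libvirt` follows the message; both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit libvirtd.conf for the group-only read-write socket setup.

# conf_value FILE KEY: print the last uncommented value of KEY, quotes removed.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# audit_libvirt_socket FILE: return 0 only if the rw socket is owned by a
# named group and its mode is 0770 (no access for "other").
audit_libvirt_socket() {
    group=$(conf_value "$1" unix_sock_group)
    perms=$(conf_value "$1" unix_sock_rw_perms)
    rc=0
    if [ -z "$group" ]; then
        echo "FAIL: unix_sock_group is not set"
        rc=1
    fi
    case "$perms" in
        0770|770) ;;
        "") echo "FAIL: unix_sock_rw_perms is not set"; rc=1 ;;
        *)  echo "FAIL: unix_sock_rw_perms is $perms, expected 0770"; rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then
        echo "OK: rw socket restricted to group '$group' (mode $perms)"
    fi
    return "$rc"
}

# Constructed sample files (not taken from a real host).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/good.conf" <<'EOF'
# group allowed to use the read-write socket
unix_sock_group = "libvirt"
unix_sock_rw_perms = "0770"
EOF
cat > "$tmp/bad.conf" <<'EOF'
#unix_sock_group = "libvirt"
unix_sock_rw_perms = "0777"
EOF

audit_libvirt_socket "$tmp/good.conf"
audit_libvirt_socket "$tmp/bad.conf" || echo "bad.conf needs fixing"
```

Anyone in that group gets full read-write control of libvirtd over SSH, so membership should be limited to accounts trusted to manage the host.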



