
Re: [virt-tools-list] [Spice-devel] Feature requests for virt-viewer windows port



On 08/28/2013 03:43 AM, Fernando Lozano wrote:
Hi Uri,
I want access to the guest consoles, which means spice connections to
the host. But I want those connections secured either by TLS or SSH.
So far I can get only plain, insecure spice connections from a Windows
workstation to the KVM host.
You should be able to use secure ports both on Linux and on Windows.
Yes, I managed to do that using the correct URL syntax, something like
spice://kvmhost?tls-port=5901

Setting up TLS on the KVM host is not easy. It would be very nice if
remote-viewer for Windows were able to set up SSH tunnels.

I am also worried about authentication using spice+tls. Any user, from
any machine, can connect to the spice+tls port. But using an SSH tunnel
means each user needs his own SSH password or key.

One can use passwords (aka tickets) to limit access to the remote machine.
It is set on the server side (via the qemu-kvm monitor or via libvirt) and
is asked for on the client side. Tickets have an expiration time.


This can be done by specifying the secure channels either on the
spice-server side (qemu-kvm -spice command line option) or on the
client side (with spice-gtk >= 0.20). If you only provide a
secure port (and no insecure port), all channels are secured.
The problem is, virt-manager and virsh always configure an insecure
port. Either it is fixed, or it is auto, but never disabled. I had to
block the insecure ports on the host using iptables, else virt-viewer
and virt-manager never use the TLS port. Looks like this is a libvirt
fault, not qemu.

But on remote-viewer, using the correct URL syntax opens connections
using the TLS port even if the insecure one is not blocked.

I'm sure it's possible to configure the VM for your needs with libvirt.

Maybe try "virsh edit domain" for the VM and, in the
"graphics type='spice'" section, remove the "port=number"
part, leaving only the "tls-port=number" part.

Regards,
    Uri.
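As an added illustration of the libvirt change suggested in the reply above (an example written for this page, not configuration from the thread, from libvirt or from virt-manager; the port numbers, listen address, certificate directory, ticket and expiry date are made-up placeholders): the first graphics element is the shape virt-manager typically generates, with a plain-text port next to the TLS port; the second keeps only the TLS port, pins every channel to TLS and adds a ticket that expires. The defaultMode attribute and the passwd/passwdValidTo attributes are libvirt features used here on the assumption that the reader's libvirt version supports them, so verify the result with the checks noted after the block.

```xml
<!-- Added example, not from the thread or the libvirt project.
     All values (ports, address, ticket, date) are placeholders. -->

<!-- 1. Weak: what virt-manager/virsh tend to produce. A plain port (5900)
     is always allocated beside the TLS port (5901), so a client that
     prefers, or is told to use, the plain port connects unencrypted. -->
<graphics type='spice' port='5900' tlsPort='5901' autoport='no'>
  <listen type='address' address='0.0.0.0'/>
</graphics>

<!-- 2. Hardened: no 'port' attribute at all, only tlsPort.
     defaultMode='secure' (assumed available on this libvirt) tells
     libvirt that no plain channel is needed, so no plain port should be
     allocated. passwd sets the SPICE ticket; passwdValidTo (UTC) makes
     it expire, matching the ticket expiry described in the reply. -->
<graphics type='spice' tlsPort='5901' autoport='no'
          defaultMode='secure'
          passwd='replace-with-a-random-ticket'
          passwdValidTo='2013-08-29T12:00:00'>
  <listen type='address' address='0.0.0.0'/>
  <!-- Belt and braces: pin each channel to TLS explicitly, so the
       configuration still refuses plain channels on a libvirt that
       does not honour defaultMode. -->
  <channel name='main'      mode='secure'/>
  <channel name='display'   mode='secure'/>
  <channel name='inputs'    mode='secure'/>
  <channel name='cursor'    mode='secure'/>
  <channel name='playback'  mode='secure'/>
  <channel name='record'    mode='secure'/>
  <channel name='usbredir'  mode='secure'/>
  <channel name='smartcard' mode='secure'/>
</graphics>
```

For libvirt to actually hand qemu a certificate directory, /etc/libvirt/qemu.conf also needs spice_tls = 1 and spice_tls_x509_cert_dir pointing at a directory containing ca-cert.pem, server-cert.pem and server-key.pem (the file names qemu expects in its x509-dir). After the edit and a restart of the guest, check on the host that only the TLS port is listening (for example with ss -ltnp filtered for the qemu process; 5900 should no longer appear) and that virsh domdisplay for the guest reports only the tls-port; then connect from the workstation with remote-viewer using the spice://kvmhost?tls-port=5901 form from the thread and supply the ticket when prompted. The ticket only limits who can open a session; it does nothing for confidentiality, which is why the plain port has to go rather than just being password-protected.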

