
Re: [virt-tools-list] [Spice-devel] Feature requests for virt-viewer windows port

Hi Uri,
I am also worried about authentication using spice+tls. Any user, from
any machine, can connect to the spice+tls port. But using an ssh tunnel
means each user needs his own ssh password or key.

One can use passwords (aka tickets), to limit the access to the remote machine. It is set on the server side (via qemu-kvm monitor or via libvirt), and is asked for
on the client side.
Tickets have expiration time.

AFAIK those tickets are fixed, shared passwords like plain old VNC. I found no docs about something smarter / more secure. Can you point me in the right direction?

The problem is, virt-manager and virsh always configure an insecure
port. Either it is fixed, or it is auto, but never disabled. I had to
block the insecure ports on the host using iptables, else virt-viewer
and virt-manager never use the tls port. Looks like this is a libvirt
fault, not qemu.

I'm sure it's possible to configure the VM for your needs with libvirt.

Maybe try "virsh edit domain" for the VM and in the
"graphics type='spice'" section, remove the "port=number"
part, leaving only the "tls-port=number" part.

Tried that, edited my kvm domain to this:

<graphics type='spice' tlsPort='5901' autoport='no'/>

After saving, if I list the config virsh shows:

<graphics type='spice' port='5900' tlsPort='5901' autoport='no'/>

Looks like it re-inserts the port attribute with a default value if omitted. It doesn't matter if the VM is running or not, I cannot make virsh accept a <graphics> element without a port attribute.

My libvirt release is 0.9.10, maybe you're talking about something fixed on a newer release.

PS: My fault, found that --spice-ca-file indeed works fine with remote-viewer for Windows, using normal, non-escaped, Windows file paths. My previous attempts failed because of typos. But I still cannot make virsh and virt-viewer for Windows connect using TLS, and I won't open access to libvirtd without it. The path '/usr/i686-w64-mingw32/sys-root/mingw/etc/pki/CA/cacert.pem' is supposed to point to where on the Windows workstations?

[]s, Fernando Lozano
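The thread above shows libvirt silently re-inserting a plaintext `port` into a SPICE `<graphics>` element that was meant to be TLS-only. The following audit script is an added example (not libvirt's, virt-viewer's or the poster's code): it parses domain XML as produced by `virsh dumpxml` and flags every graphics listener that still has a plaintext port, so a host administrator can verify what the hypervisor will actually listen on before relying on firewall rules. The domain XML embedded below is constructed for the example; the `port`, `tlsPort` and `autoport` attributes are the ones shown in the thread, and the `listen` attribute is assumed to be present only when the administrator set it.

```python
"""Audit libvirt domain XML for graphics listeners that expose a plaintext port.

Added example, not part of the mailing-list thread or of libvirt.
Assumes the <graphics> schema seen in the thread: type, port, tlsPort, autoport.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample: the element virsh re-inserted in the thread, wrapped in a
# minimal domain so it parses like real `virsh dumpxml` output.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>example-vm</name>
  <devices>
    <graphics type='spice' port='5900' tlsPort='5901' autoport='no'/>
  </devices>
</domain>"""


def audit_graphics(domain_xml: str) -> List[Dict[str, object]]:
    """Return one finding per <graphics> element in the domain XML.

    A plaintext listener is assumed whenever a `port` attribute is present or
    `autoport='yes'` lets libvirt allocate one (exactly the behaviour the thread
    complains about). A listener is only 'ok' when it has a tlsPort and no
    plaintext port at all.
    """
    root = ET.fromstring(domain_xml)
    findings = []
    for graphics in root.iter("graphics"):
        port = graphics.get("port")
        tls_port = graphics.get("tlsPort")
        autoport = graphics.get("autoport", "no") == "yes"
        plaintext = autoport or port is not None
        findings.append({
            "type": graphics.get("type"),
            "listen": graphics.get("listen"),  # None means libvirt's default
            "port": port,
            "tlsPort": tls_port,
            "plaintext_listener": plaintext,
            "tls_listener": tls_port is not None,
            "ok": (not plaintext) and tls_port is not None,
        })
    return findings


def insecure_listeners(domain_xml: str) -> List[str]:
    """Human-readable lines for every listener that is not TLS-only."""
    lines = []
    for f in audit_graphics(domain_xml):
        if not f["ok"]:
            lines.append(
                f"{f['type']}: plaintext port={f['port']} autoport="
                f"{'yes' if f['plaintext_listener'] and f['port'] is None else 'no'} "
                f"tlsPort={f['tlsPort']}"
            )
    return lines


if __name__ == "__main__":
    for line in insecure_listeners(SAMPLE_DOMAIN_XML):
        print("INSECURE", line)
    if not insecure_listeners(SAMPLE_DOMAIN_XML):
        print("all graphics listeners are TLS-only")
```

Run it against `virsh dumpxml <domain>` output on the host; a non-empty result means the guest will accept unencrypted SPICE or VNC connections on that port regardless of what the client was told, which is why the poster resorted to blocking those ports with iptables.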
