[virt-tools-list] [Spice-devel] Feature requests for virt-viewer windows port
David Jaša
djasa at redhat.com
Tue Sep 10 09:05:26 UTC 2013
Fernando Lozano wrote on Wed 28. 08. 2013 at 12:36 -0300:
> Hi Uri,
> >> I am also worried about authentication using spice+tls. Any user, from
> >> any machine, can connect to the spice+tl port. But using an ssh tunnel
> >> means each user needs his own ssh password or key.
> >
> > One can use passwords (aka tickets), to limit the access to the remote
> > machine.
> > It is set on the server side (via qemu-kvm monitor or via libvirt),
> > and is asked for
> > on the client side.
> > Tickets have expiration time.
>
> AFAIK those tickets are fixed, shared passwords like plain old VNC.
No and yes. The passwords can be changed at qemu command line and that's
what oVirt/RHEV does - each time a user wants to connect, a new password
is generated and set at qemu and given to the user (silently under the
hood).
> I found no docs about something smarter / more secure. Can you point me in
> the right direction?
Spice also supports SASL for client authentication. I didn't try that
personally so I can't tell you further instructions.
>
> >> The problem is, virt-manager and virsh always configure an insecure
> >> port. Either it is fixed, or it is auto, but never disabled. I had to
> >> block the insecure ports on the host using iptables, else virt-viewer
> >> and virt-manager never use the tls port. Looks like this is a libvirt
> >> fault, not qemu.
> >
> > I'm sure it's possible to configure the VM for your needs with libvirt.
> >
> > Maybe try "virsh edit domain" for the VM and in the
> > "graphics type='spice' section, remove the "port=number"
> > part, leaving only the "tls-port=number" part.
>
> Tried that, edited my kvm domain to this:
>
> <graphics type='spice' tlsPort='5901' autoport='no'/>
>
> After saving, if I list the config virsh shows:
>
> <graphics type='spice' port='5900' tlsPort='5901' autoport='no'/>
>
> Looks like it re-inserts the port attribute with a default value if
> omitted. It doesn't matter if the VM is running or not, I cannot make
> virsh accept a <graphics> element without a port attribute.
>
> My libvirt release is 0.9.10, maybe you're talking about something fixed
> on a newer release.
That sounds like an old libvirt release indeed. FTR, I filed
https://bugzilla.redhat.com/show_bug.cgi?id=875729 to track the issue in
RHEL and developers indicated in comments that the issue should be fixed
in current upstream versions.
David
>
>
> PS: My fault, found that --spice-ca-file indeed works fine with
> remote-viewer for Windows, using normal, non-escaped, Windows file
> paths. My previous attempts failed because of typos. But I still cannot
> make virsh and virt-viewer for Windows connect using TLS, and I won't
> open access to libvirtd without it. The path
> '/usr/i686-w64-mingw32/sys-root/mingw/etc/pki/CA/cacert.pem' is supposed
> to point to where on the Windows workstations?
>
>
> []s, Fernando Lozano
>
--
David Jaša, RHCE
SPICE QE based in Brno
GPG Key: 22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
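One way to spot the configuration Fernando describes (a plaintext SPICE port that libvirt keeps alongside tlsPort), as an added example that is not from this thread or from libvirt or SPICE: audit the domain XML that `virsh dumpxml` returns. It assumes only the Python standard library; `passwd` is libvirt's attribute for a SPICE ticket, and the two sample documents are constructed from the snippets quoted above.

```python
# Added example (not from the thread): audit a libvirt domain XML for a SPICE
# listener that still exposes a plaintext port next to the TLS port.
import xml.etree.ElementTree as ET


def audit_spice_graphics(domain_xml: str) -> dict:
    """Report what the <graphics type='spice'> element exposes.

    'plain_port' is the non-TLS listener libvirt would hand to qemu (None if the
    attribute is absent), 'tls_port' the TLS listener, 'password' whether a
    ticket (passwd attribute) is configured, and 'plaintext_exposed' the finding
    from the thread: a plaintext port present even though only tlsPort was wanted.
    """
    root = ET.fromstring(domain_xml)
    g = root.find(".//graphics[@type='spice']")
    if g is None:
        return {"present": False}
    plain = g.get("port")
    tls = g.get("tlsPort")
    report = {
        "present": True,
        "plain_port": int(plain) if plain is not None else None,
        "tls_port": int(tls) if tls is not None else None,
        "password": g.get("passwd") is not None,
    }
    # Any port attribute, including the default libvirt re-inserts, means qemu
    # is told to open a non-TLS listener; that is the case to block or fix.
    report["plaintext_exposed"] = report["plain_port"] is not None
    return report


# Constructed sample inputs built from the two <graphics> lines quoted above.
AS_EDITED = ("<domain type='kvm'><name>vm</name><devices>"
             "<graphics type='spice' tlsPort='5901' autoport='no'/>"
             "</devices></domain>")
AS_STORED = ("<domain type='kvm'><name>vm</name><devices>"
             "<graphics type='spice' port='5900' tlsPort='5901' autoport='no'/>"
             "</devices></domain>")

if __name__ == "__main__":
    for label, xml in (("edited", AS_EDITED), ("stored", AS_STORED)):
        print(label, audit_spice_graphics(xml))
```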