[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [virt-tools-list] [Spice-devel] Strange behaviour using qemu+ssh on virt-manager



On 09/18/2013 03:46 AM, Daniel P. Berrange wrote:
> On Tue, Sep 17, 2013 at 02:38:52PM -0300, Fernando Lozano wrote:
>> Hi there,
>>
>> I am experimenting with different security settings for libvirtd, so
>> I can give sysadmins administrative access to the KVM hypervisor
>> without giving them root access on the host. I had success using TLS
>> (with client-certs) and SASL, but have not managed to make polkit
>> and ssh to work so far.
>>
>> If I change /etc/libvirt/libvirtd.conf auth_tcp or auth_unix_rw  a
>> local virsh connection gets this error:
>>
>> "Authorization requires authentication but no agent is available"
>>
>> Thus  I'm using "sasl" for tcp and "none" for the unix socket.
>>
>> When I try a "qemu+ssh" remote virsh connection evething works fine.
>> But then I try the same URL using virt-manager, and then try to open
>> a guest console, virt-manager prompts multiple times for a ssh login
>> password.
>>
>> Shoudn't virt-manager resue the same ssh connection for guest
>> console access? And even if it needs to open a new ssh connection
>> for the spice connection, this should require only one additional
>> ssh login.
>>
>> But I tried many times, carefully typing the password each time, and
>> I'm sure they were not typos: virt-manager is actually asking for
>> the ssh login password many times!
>>
>> Maybe people who use ssh keys (passwordless) logins didn't notice,
>> but I think virt-manager should't require more than one addtional
>> ssh connection per guest console. Is this a bug?
> 
> Each console rquires that we setup a new SSH tunnel, since every
> console is on a different socket on the remote host and we don't
> know them all ahead of time.
> 
> If you are using SSH for libvirt, it is expected that you setup
> SSH agent + public keys, so that you are not prompted for passwords
> at all when logging on.
> 

This is particularly bad with spice, which wants multiple fds for each channel
(display, audio, usb redirection, a few others). Each channel requires an ssh
connection, so if you are only using a default ssh setup it will launch
askpass many times.

- Cole


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]