[Spice-devel] Feature requests for virt-viewer windows port

Fernando Lozano fernando at lozano.eti.br
Tue Aug 27 17:43:13 PDT 2013


Hi Uri,
>> I want access to the guest consoles, which means spice connections to
>> the host. But I want those connections secured either by TLS or SSH.
>> So far can get only plain insecure spice connections from a windows
>> workstation to the kvm host.
>
> You should be able to use secure ports both on  Linux  and on Windows.

Yes, I managed to to that using the correct URL syntax, something like
spice://kvmhost?tls-port=5901

Setting up tls on the kvm host is not easy. It would be very nice of
remote-viewer for windows was able to setup ssh tunnels.

I am also worried about authentication using spice+tls. Any user, from
any machine, can connect to the spice+tl port. But using an ssh tunnel
means each user needs his own ssh password or key.

> This can be done by specifying the secure channels either on the
> spice-server side (qemu-kvm -spice command line option), or on a the
> client side (with spice-gtk >= 0.20). If you only provide a
> secure-port (and no insecure port),  all channels are secured.
The problem is, virt-manager and virsh allways configure an insecure
port. Either it is fixed, or it is auto, but never disabled. I had to
block the insecure ports on the host using iptables, else virt-viewer
and virt-manager never use the tls port. Looks like this is a libvirt
fault, not qemu.

But on remote-viewer, using the correct URL syntax opens connections
using the tls port even if the insecure one is not blocked.


[]s, Fernando Lozano


More information about the Spice-devel mailing list