[Spice-devel] Feature requests for virt-viewer windows port

Uri Lublin uril at redhat.com
Wed Aug 28 08:04:09 PDT 2013


On 08/28/2013 03:43 AM, Fernando Lozano wrote:
> Hi Uri,
>>> I want access to the guest consoles, which means spice connections to
>>> the host. But I want those connections secured either by TLS or SSH.
>>> So far can get only plain insecure spice connections from a windows
>>> workstation to the kvm host.
>> You should be able to use secure ports both on Linux and on Windows.
> Yes, I managed to do that using the correct URL syntax, something like
> spice://kvmhost?tls-port=5901
>
> Setting up TLS on the KVM host is not easy. It would be very nice if
> remote-viewer for Windows were able to set up SSH tunnels.
>
> I am also worried about authentication using spice+tls. Any user, from
> any machine, can connect to the spice+tls port. But using an SSH tunnel
> means each user needs his own SSH password or key.

One can use passwords (aka tickets) to limit access to the remote
machine. The ticket is set on the server side (via the qemu-kvm monitor
or via libvirt) and is asked for on the client side.
Tickets have an expiration time.

>
>> This can be done by specifying the secure channels either on the
>> spice-server side (qemu-kvm -spice command line option), or on the
>> client side (with spice-gtk >= 0.20). If you only provide a
>> secure-port (and no insecure port), all channels are secured.
> The problem is, virt-manager and virsh always configure an insecure
> port. Either it is fixed, or it is auto, but never disabled. I had to
> block the insecure ports on the host using iptables, else virt-viewer
> and virt-manager never use the TLS port. Looks like this is a libvirt
> fault, not qemu.
>
> But on remote-viewer, using the correct URL syntax opens connections
> using the tls port even if the insecure one is not blocked.

I'm sure it's possible to configure the VM for your needs with libvirt.

Maybe try "virsh edit domain" for the VM and, in the
"graphics type='spice'" section, remove the "port=number"
part, leaving only the "tls-port=number" part.

Regards,
     Uri.
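A worked example of the domain XML change Uri suggests, added here as an illustration (it is not from the original thread nor from the libvirt or SPICE projects). The first element is the shape virt-manager and virsh typically generate; the second is the TLS-only form with a ticket. Note that libvirt spells the attribute `tlsPort` in the domain XML, while `tls-port` is the query key in the spice:// URL Fernando uses with remote-viewer. Port numbers, the listen address, the ticket value and its expiry are assumptions chosen for the example.

```xml
<!-- BEFORE (assumed virt-manager default): autoport='yes' makes libvirt
     allocate BOTH a plain port and a TLS port, so a client that does not
     insist on TLS silently falls back to the unencrypted channel. -->
<graphics type='spice' autoport='yes' port='5900' tlsPort='5901'
          listen='0.0.0.0'/>

<!-- AFTER: no plain port at all, every channel forced onto TLS, and a
     ticket required. Attribute names (tlsPort, defaultMode, passwd,
     passwdValidTo) are libvirt's; the values are assumptions. -->
<graphics type='spice' autoport='no' tlsPort='5901'
          listen='0.0.0.0'
          defaultMode='secure'
          passwd='example-ticket'
          passwdValidTo='2013-08-29T12:00:00'/>
<!-- passwdValidTo is a UTC timestamp; once it passes, the ticket no
     longer admits new connections until it is set again. -->
```

For the TLS port to be used at all, the host side must have SPICE TLS enabled in /etc/libvirt/qemu.conf (`spice_tls = 1` and a certificate directory via `spice_tls_x509_cert_dir`), and the Windows client must trust the CA that signed the host certificate. The client then connects exactly as in the thread, `spice://kvmhost?tls-port=5901`, and there is no insecure port left to fall back to, so the iptables workaround is no longer needed. `defaultMode='secure'` requires a reasonably recent libvirt; on older versions, omitting `port` while keeping `tlsPort` still gives the same effect, because qemu is then passed only a tls-port and secures all channels on it.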