[Spice-devel] Feature requests for virt-viewer windows port
Fernando Lozano
fernando at lozano.eti.br
Wed Aug 28 08:36:59 PDT 2013
Hi Uri,
>> I am also worried about authentication using spice+tls. Any user, from
>> any machine, can connect to the spice+tl port. But using an ssh tunnel
>> means each user needs his own ssh password or key.
>
> One can use passwords (aka tickets), to limit the access to the remote
> machine.
> It is set on the server side (via qemu-kvm monitor or via libvirt),
> and is asked for
> on the client side.
> Tickets have expiration time.
AFAIK those tickets are fixed, shared passworlds like plain old VNC. I
found no docs about something smarter / more secure. Can you point me in
the right direction?
>> The problem is, virt-manager and virsh allways configure an insecure
>> port. Either it is fixed, or it is auto, but never disabled. I had to
>> block the insecure ports on the host using iptables, else virt-viewer
>> and virt-manager never use the tls port. Looks like this is a libvirt
>> fault, not qemu.
>
> I'm sure it's possible to configure the VM for your needs with libvirt.
>
> Maybe try "virsh edit domain" for the VM and in the
> "graphics type='spice' section, remove the "port=number"
> part, leaving only the "tls-port=number" part.
Tried that, edited my kvm domain to this:
<graphics type='spice' tlsPort='5901' autoport='no'/>
After saving, if I list the config virsh shows:
<graphics type='spice' port='5900' tlsPort='5901' autoport='no'/>
Looks like it re-inserts the port attribute with a default value if
omited. It doesn't matter if the VM is running or not, I cannot make
virsh accept a <graphics> element without a port attribute.
My libvirt release is 0.9.10, maybe you're talking about something fixed
on a newer release.
PS: My fault, found that --spice-ca-file indeed works fine with
remote-viewer for Windows, using normal, non-escaped, Windows file
paths. My previous attempts failed because of typos. But I stll cannot
make virsh and virt-viewer for windows connect using TLS, and I won't
open access to libvirtd without it. The path
'/usr/i686-w64-mingw32/sys-root/mingw/etc/pki/CA/cacert.pem' is supposed
to point to where on the Windows workstations?
[]s, Fernando Lozano
More information about the Spice-devel
mailing list