[Spice-devel] Feature requests for virt-viewer windows port

David Jaša djasa at redhat.com
Tue Sep 10 02:05:26 PDT 2013


Fernando Lozano wrote on Wed, 28. 08. 2013 at 12:36 -0300:
> Hi Uri,
> >> I am also worried about authentication using spice+tls. Any user, from
> >> any machine, can connect to the spice+tls port. But using an ssh tunnel
> >> means each user needs his own ssh password or key.
> >
> > One can use passwords (aka tickets), to limit the access to the remote
> > machine.
> > It is set on the server side (via qemu-kvm monitor or via libvirt),
> > and is asked for on the client side.
> > Tickets have expiration time.
> 
> AFAIK those tickets are fixed, shared passwords like plain old VNC.

no and yes. The passwords can be changed at qemu command line and that's
what oVirt/RHEV does - each time a user wants to connect, a new password
is generated and set at qemu and given to the user (silently under the
hood).

> I found no docs about something smarter / more secure. Can you point me in 
> the right direction?

Spice also supports SASL for client authentication. I didn't try that
personally so I can't give you further instructions.

> 
> >> The problem is, virt-manager and virsh always configure an insecure
> >> port. Either it is fixed, or it is auto, but never disabled. I had to
> >> block the insecure ports on the host using iptables, else virt-viewer
> >> and virt-manager never use the tls port. Looks like this is a libvirt
> >> fault, not qemu.
> >
> > I'm sure it's possible to configure the VM for your needs with libvirt.
> >
> > Maybe try "virsh edit domain" for the VM and in the
> > "graphics type='spice'" section, remove the "port=number"
> > part, leaving only the "tls-port=number" part.
> 
> Tried that, edited my kvm domain to this:
> 
> <graphics type='spice' tlsPort='5901' autoport='no'/>
> 
> After saving, if I list the config virsh shows:
> 
> <graphics type='spice' port='5900' tlsPort='5901' autoport='no'/>
> 
> Looks like it re-inserts the port attribute with a default value if 
> omitted. It doesn't matter if the VM is running or not, I cannot make 
> virsh accept a <graphics> element without a port attribute.
> 
> My libvirt release is 0.9.10, maybe you're talking about something fixed 
> on a newer release.

That sounds like an old libvirt release indeed. FTR, I filed
https://bugzilla.redhat.com/show_bug.cgi?id=875729 to track the issue in
RHEL and developers indicated in comments that the issue should be fixed
in current upstream versions.

David

> 
> 
> PS: My fault, found that --spice-ca-file indeed works fine with 
> remote-viewer for Windows, using normal, non-escaped, Windows file 
> paths. My previous attempts failed because of typos. But I still cannot 
> make virsh and virt-viewer for windows connect using TLS, and I won't 
> open access to libvirtd without it. The path 
> '/usr/i686-w64-mingw32/sys-root/mingw/etc/pki/CA/cacert.pem' is supposed 
> to point to where on the Windows workstations?
> 
> 
> []s, Fernando Lozano

-- 

David Jaša, RHCE

SPICE QE based in Brno
GPG Key:     22C33E24 
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
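
Added example, not part of the original message and not libvirt's own code: a small Python check for the situation described in the thread, where the saved domain XML comes back with a plaintext port attribute next to tlsPort. The sample XML, the finding names and the rule that any port attribute counts as a configured plaintext listener are assumptions made here.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the <graphics> element virsh showed after saving,
# wrapped in a minimal domain.
SAMPLE_AFTER_SAVE = """<domain type='kvm'><name>demo</name><devices>
  <graphics type='spice' port='5900' tlsPort='5901' autoport='no'/>
</devices></domain>"""

# Constructed sample: the TLS-only element the poster wanted, plus a ticket.
SAMPLE_TLS_ONLY = """<domain type='kvm'><name>demo</name><devices>
  <graphics type='spice' tlsPort='5901' autoport='no' passwd='constructed-ticket'/>
</devices></domain>"""


def audit_spice(domain_xml):
    """Return finding codes for every SPICE <graphics> element in a domain XML."""
    findings = []
    for g in ET.fromstring(domain_xml).iter("graphics"):
        if g.get("type") != "spice":
            continue
        if g.get("autoport") == "yes":
            # Ports are picked at VM start, so the saved XML cannot prove TLS-only.
            findings.append("autoport")
        # Assumption: any port attribute present means a plaintext listener
        # is configured (this is what got re-inserted in the thread).
        if g.get("port") is not None:
            findings.append("plaintext-port:" + g.get("port"))
        if g.get("tlsPort") is None:
            findings.append("no-tls-port")
        # Plain `virsh dumpxml` omits passwd; --security-info includes it.
        if g.get("passwd") is None:
            findings.append("no-ticket")
    return findings


if __name__ == "__main__":
    # Usage: virsh dumpxml --security-info DOMAIN | python3 audit_spice.py
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    for finding in audit_spice(data.strip() or SAMPLE_AFTER_SAVE):
        print(finding)
```

Run it against the XML read back from libvirt rather than the XML that was submitted, since the thread shows the two can differ.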

