[libvirt] Implementing VNC per VM access control lists

Stefan Berger stefanb at linux.vnet.ibm.com
Mon Jan 3 14:19:38 UTC 2011


On 12/29/2010 11:45 AM, Neil Wilson wrote:
> Hi,
>
> At the moment SASL VNC authentication in libvirt allows any of the
> userids to access any of the VNC consoles on a particular libvirt host.
> There is a section in the qemu_command code marked "TODO: Support ACLs
> later" and we would really like the ability to have per VM user
> authorization to the VNC console from within libvirt.
>
> Essentially the people who are accessing the VNC consoles are not
> administrators and have no access to the Host server - so these ACLs
> need to be completely based on a separate list of userids to any access
> mechanism for the libvirtd itself.
>
> Given that the VNC restrictions are enforced within qemu from the
> monitor system, I'm presuming the authorization list is going to have to
> be passed in via XML and be capable of being updated throughout the life
> of a VM session. Unless there's another way of doing it...
>
> What's the feeling about how this feature should be provided within
> libvirt?

One issue is probably around migration and the server (qemu-referenced) 
x509 certificates. If the certificates are embedded (rather than 
referenced) in the domain XML they will automatically migrate when the 
VM migrates, which is desirable. Otherwise migration becomes (again) 
problematic and layers above libvirt would have to take care of their 
migration.

The VNC session will still be lost due to the change of host and thus 
the IP address and the client user will need to learn about the new VNC 
port as well.

Quoting from Qemu documentation webpage:

http://wiki.qemu.org/download/qemu-doc.html#vnc_005fsecurity

<quote>


3.10.3 With x509 certificates

The QEMU VNC server also implements the VeNCrypt extension allowing use 
of TLS for encryption of the session, and x509 certificates for 
authentication. The use of x509 certificates is strongly recommended, 
because TLS on its own is susceptible to man-in-the-middle attacks. 
Basic x509 certificate support provides a secure session, but no 
authentication. This allows any client to connect, and provides an 
encrypted session.

qemu [...OPTIONS...] -vnc :1,tls,x509=/etc/pki/qemu -monitor stdio


In the above example |/etc/pki/qemu| should contain at least three 
files, |ca-cert.pem|, |server-cert.pem| and |server-key.pem|. 
Unprivileged users will want to use a private directory, for example 
|$HOME/.pki/qemu|. NB the |server-key.pem| file should be protected with 
file mode 0600 to only be readable by the user owning it.

</quote>


It looks like the above mentioned 3 files would need to be embedded...

    Stefan
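
The file layout and key permissions described in the quoted QEMU documentation can be audited on a host before the directory is handed to -vnc ...,x509=. The script below is an added example, not part of the original message and not libvirt or QEMU code; the function name check_vnc_x509_dir is hypothetical.

```shell
#!/bin/sh
# Audit a QEMU VNC x509 directory (the path given to -vnc ...,x509=DIR).
# Returns 0 when every check passes, 1 otherwise; findings go to stderr.
check_vnc_x509_dir() {
    dir=$1
    rc=0

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory" >&2
        return 1
    fi

    # The three files the QEMU documentation says must be present.
    for name in ca-cert.pem server-cert.pem server-key.pem; do
        if [ ! -f "$dir/$name" ]; then
            echo "FAIL: missing $dir/$name" >&2
            rc=1
        elif [ ! -s "$dir/$name" ]; then
            echo "FAIL: $dir/$name is empty" >&2
            rc=1
        fi
    done

    # The private key must be mode 0600. find -perm with a plain octal
    # value matches the permission bits exactly; -L follows a symlink
    # so the mode of the real file is what gets tested.
    key=$dir/server-key.pem
    if [ -f "$key" ] && [ -z "$(find -L "$key" -prune -perm 600)" ]; then
        echo "FAIL: $key is not mode 0600" >&2
        rc=1
    fi

    return $rc
}
```

Call it as check_vnc_x509_dir /etc/pki/qemu (or with a private directory such as $HOME/.pki/qemu) and treat a non-zero return as a reason not to start the VNC server with that directory.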

