[virt-tools-list] [Spice-devel] Feature requests for virt-viewer windows port

Fernando Lozano fernando at lozano.eti.br
Wed Aug 28 15:36:59 UTC 2013

Hi Uri,
>> I am also worried about authentication using spice+tls. Any user, from
>> any machine, can connect to the spice+tl port. But using an ssh tunnel
>> means each user needs his own ssh password or key.
> One can use passwords (aka tickets), to limit the access to the remote 
> machine.
> It is set on the server side (via qemu-kvm monitor or via libvirt), 
> and is asked for
> on the client side.
> Tickets have expiration time.

AFAIK those tickets are fixed, shared passworlds like plain old VNC. I 
found no docs about something smarter / more secure. Can you point me in 
the right direction?

>> The problem is, virt-manager and virsh allways configure an insecure
>> port. Either it is fixed, or it is auto, but never disabled. I had to
>> block the insecure ports on the host using iptables, else virt-viewer
>> and virt-manager never use the tls port. Looks like this is a libvirt
>> fault, not qemu.
> I'm sure it's possible to configure the VM for your needs with libvirt.
> Maybe try "virsh edit domain" for the VM and in the
> "graphics type='spice' section, remove  the "port=number"
> part, leaving only the "tls-port=number" part.

Tried that, edited my kvm domain to this:

<graphics type='spice' tlsPort='5901' autoport='no'/>

After saving, if I list the config virsh shows:

<graphics type='spice' port='5900' tlsPort='5901' autoport='no'/>

Looks like it re-inserts the port attribute with a default value if 
omited. It doesn't matter if the VM is running or not, I cannot make 
virsh accept a <graphics> element without a port attribute.

My libvirt release is 0.9.10, maybe you're talking about something fixed 
on a newer release.

PS: My fault, found that --spice-ca-file indeed works fine with 
remote-viewer for Windows, using normal, non-escaped, Windows file 
paths. My previous attempts failed because of typos. But I stll cannot 
make virsh and virt-viewer for windows connect using TLS, and I won't 
open access to libvirtd without it. The path 
'/usr/i686-w64-mingw32/sys-root/mingw/etc/pki/CA/cacert.pem' is supposed 
to point to where on the Windows workstations?

[]s, Fernando Lozano

More information about the virt-tools-list mailing list