[virt-tools-list] [Spice-devel] Feature requests for virt-viewer windows port
djasa at redhat.com
Tue Sep 10 09:05:26 UTC 2013
Fernando Lozano píše v St 28. 08. 2013 v 12:36 -0300:
> Hi Uri,
> >> I am also worried about authentication using spice+tls. Any user, from
> >> any machine, can connect to the spice+tl port. But using an ssh tunnel
> >> means each user needs his own ssh password or key.
> > One can use passwords (aka tickets), to limit the access to the remote
> > machine.
> > It is set on the server side (via qemu-kvm monitor or via libvirt),
> > and is asked for
> > on the client side.
> > Tickets have expiration time.
> AFAIK those tickets are fixed, shared passworlds like plain old VNC.
no and yes. The passwords can be changed at qemu command line and that's
what oVirt/RHEV does - each time a user wants to connect, a new password
is generated and set at qemu and given to the user (silently under the
> I found no docs about something smarter / more secure. Can you point me in
> the right direction?
Spice also supports SASL for client authentication. I didn't try that
personally so I can't you tell further instructions.
> >> The problem is, virt-manager and virsh allways configure an insecure
> >> port. Either it is fixed, or it is auto, but never disabled. I had to
> >> block the insecure ports on the host using iptables, else virt-viewer
> >> and virt-manager never use the tls port. Looks like this is a libvirt
> >> fault, not qemu.
> > I'm sure it's possible to configure the VM for your needs with libvirt.
> > Maybe try "virsh edit domain" for the VM and in the
> > "graphics type='spice' section, remove the "port=number"
> > part, leaving only the "tls-port=number" part.
> Tried that, edited my kvm domain to this:
> <graphics type='spice' tlsPort='5901' autoport='no'/>
> After saving, if I list the config virsh shows:
> <graphics type='spice' port='5900' tlsPort='5901' autoport='no'/>
> Looks like it re-inserts the port attribute with a default value if
> omited. It doesn't matter if the VM is running or not, I cannot make
> virsh accept a <graphics> element without a port attribute.
> My libvirt release is 0.9.10, maybe you're talking about something fixed
> on a newer release.
That sounds like old libvirt release indeed. FTR, I filed
https://bugzilla.redhat.com/show_bug.cgi?id=875729 to track the issue in
RHEL and developers indicated in comments that the issue should be fixed
in current upstream versions.
> PS: My fault, found that --spice-ca-file indeed works fine with
> remote-viewer for Windows, using normal, non-escaped, Windows file
> paths. My previous attempts failed because of typos. But I stll cannot
> make virsh and virt-viewer for windows connect using TLS, and I won't
> open access to libvirtd without it. The path
> '/usr/i686-w64-mingw32/sys-root/mingw/etc/pki/CA/cacert.pem' is supposed
> to point to where on the Windows workstations?
> s, Fernando Lozano
> Spice-devel mailing list
> Spice-devel at lists.freedesktop.org
David Jaša, RHCE
SPICE QE based in Brno
GPG Key: 22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 5727 bytes
Desc: not available
More information about the virt-tools-list