On Mon, Jun 08, 2009 at 02:00:58PM +0200, Christian Weyermann wrote:
> Daniel P. Berrange wrote:
> > On Mon, Jun 08, 2009 at 11:35:00AM +0200, Christian Weyermann wrote:
> >
> >> Hello everybody,
> >>
> >> I encountered the following problem. I want my users to only be able to
> >> connect to their own virtual machines via VNC. Is there any way to do so?
> >>
> >
> > The VNC authentication setup is currently being done per-host, so there
> > is no way to define ACLs per-(user,vm) tuple as you describe.
> >
> Do you think there might be a chance of reaching this goal anyway, using
> VNC-Kerberos Auth via SASL, as the virt-viewer supports SASL?

No, afraid that won't help you. The key issue is that there is no way to
specify authorization data on a per-VM basis. So if you authenticate
successfully you have access. We need to add a way to check the
authenticated username against an access control list of some form.

Regards,
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|