On Wed, Jun 10, 2009 at 01:36:42PM +0200, Christian Weyermann wrote:
> Daniel P. Berrange wrote:
> > On Mon, Jun 08, 2009 at 02:00:58PM +0200, Christian Weyermann wrote:
> >
> >> Daniel P. Berrange wrote:
> >>
> >>> On Mon, Jun 08, 2009 at 11:35:00AM +0200, Christian Weyermann wrote:
> >>>
> >>>> Hello everybody,
> >>>>
> >>>> I encountered the following problem. I want my users to only be able to
> >>>> connect to their own virtual machines via VNC. Is there any way to do so?
> >>>>
> >>> The VNC authentication setup is currently being done per-host, so there
> >>> is no way to define ACLs per-(user,vm) tuple as you describe.
> >>>
> >> Do you think there might be a chance of reaching this goal anyway, using
> >> VNC-Kerberos Auth via SASL, as the virt-viewer supports SASL?
> >>
> >
> > No, afraid that won't help you. The key issue is that there is no way to
> > specify authorization data on a per-VM basis. So if you authenticate
> > successfully you have access. We need to add a way to check the authenticated
> > username against an access control list of some form.
> Do you have any idea when this issue will be tackled?
>

It is on our wish list for Real Soon Now, but we haven't identified anyone to actually do the work yet... patches welcome :)...

--Hugh