Fernando Lozano wrote on Wed 28. 08. 2013 at 12:36 -0300:
> Hi Uri,
>
> >> I am also worried about authentication using spice+tls. Any user, from
> >> any machine, can connect to the spice+tls port. But using an ssh tunnel
> >> means each user needs his own ssh password or key.
> >
> > One can use passwords (aka tickets), to limit the access to the remote
> > machine.
> > It is set on the server side (via qemu-kvm monitor or via libvirt),
> > and is asked for
> > on the client side.
> > Tickets have expiration time.
>
> AFAIK those tickets are fixed, shared passwords like plain old VNC.

no and yes. The passwords can be changed at qemu command line and that's
what oVirt/RHEV does - each time a user wants to connect, a new password
is generated and set at qemu and given to the user (silently under the
hood).

> I found no docs about something smarter / more secure. Can you point me in
> the right direction?

Spice also supports SASL for client authentication. I didn't try that
personally so I can't tell you further instructions.

> >
> >> The problem is, virt-manager and virsh always configure an insecure
> >> port. Either it is fixed, or it is auto, but never disabled. I had to
> >> block the insecure ports on the host using iptables, else virt-viewer
> >> and virt-manager never use the tls port. Looks like this is a libvirt
> >> fault, not qemu.
> >
> > I'm sure it's possible to configure the VM for your needs with libvirt.
> >
> > Maybe try "virsh edit domain" for the VM and in the
> > "graphics type='spice' section, remove the "port=number"
> > part, leaving only the "tls-port=number" part.
>
> Tried that, edited my kvm domain to this:
>
> <graphics type='spice' tlsPort='5901' autoport='no'/>
>
> After saving, if I list the config virsh shows:
>
> <graphics type='spice' port='5900' tlsPort='5901' autoport='no'/>
>
> Looks like it re-inserts the port attribute with a default value if
> omitted. It doesn't matter if the VM is running or not, I cannot make
> virsh accept a <graphics> element without a port attribute.
>
> My libvirt release is 0.9.10, maybe you're talking about something fixed
> on a newer release.

That sounds like old libvirt release indeed. FTR, I filed
https://bugzilla.redhat.com/show_bug.cgi?id=875729 to track the issue in
RHEL and developers indicated in comments that the issue should be fixed
in current upstream versions.

David

>
>
> PS: My fault, found that --spice-ca-file indeed works fine with
> remote-viewer for Windows, using normal, non-escaped, Windows file
> paths. My previous attempts failed because of typos. But I still cannot
> make virsh and virt-viewer for windows connect using TLS, and I won't
> open access to libvirtd without it. The path
> '/usr/i686-w64-mingw32/sys-root/mingw/etc/pki/CA/cacert.pem' is supposed
> to point to where on the Windows workstations?
>
>
> []s, Fernando Lozano
>
> _______________________________________________
> Spice-devel mailing list
> Spice-devel@xxxxxxxxxxxxxxxxxxxxx
> http://lists.freedesktop.org/mailman/listinfo/spice-devel

--
David Jaša, RHCE
SPICE QE based in Brno
GPG Key: 22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
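An added audit check, written for this thread and not code from any of its participants or from libvirt: it parses libvirt domain XML and reports SPICE <graphics> elements that still carry a plaintext port, so the effective configuration (what virsh dumpxml returns) can be verified instead of what was typed into virsh edit. The two <graphics> elements are the ones quoted above; the surrounding domain skeleton and the domain name are constructed.

```python
"""Audit libvirt domain XML for SPICE graphics that expose a plaintext port."""
import xml.etree.ElementTree as ET

# Constructed samples: the element as edited in the thread (tlsPort only),
# and the element as virsh reported it back after saving (port re-inserted).
INTENDED_XML = """<domain type='kvm'><name>guest1</name><devices>
<graphics type='spice' tlsPort='5901' autoport='no'/>
</devices></domain>"""

EFFECTIVE_XML = """<domain type='kvm'><name>guest1</name><devices>
<graphics type='spice' port='5900' tlsPort='5901' autoport='no'/>
</devices></domain>"""


def _listening(value):
    """True when an attribute holds a usable TCP port number (1-65535)."""
    try:
        return 0 < int(value) < 65536
    except (TypeError, ValueError):
        return False


def audit_spice(domain_xml):
    """Return a list of findings for every SPICE <graphics> element.

    A finding is raised when a plaintext 'port' would be listened on, or
    when no usable 'tlsPort' is configured at all. Feed this the output of
    'virsh dumpxml <domain>', not the XML you wrote, since older libvirt
    (0.9.10 in the thread) silently adds port='5900' on save.
    """
    root = ET.fromstring(domain_xml)
    name = root.findtext("name") or "<unnamed>"
    findings = []
    for g in root.iter("graphics"):
        if g.get("type") != "spice":
            continue
        if _listening(g.get("port")):
            findings.append(f"{name}: plaintext SPICE port {g.get('port')} is enabled")
        if not _listening(g.get("tlsPort")):
            findings.append(f"{name}: no tlsPort configured, SPICE has no TLS listener")
    return findings


if __name__ == "__main__":
    for label, xml in (("as edited", INTENDED_XML), ("as stored by virsh", EFFECTIVE_XML)):
        print(label + ":", audit_spice(xml) or ["ok"])
```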