On Tue, Sep 17, 2013 at 02:38:52PM -0300, Fernando Lozano wrote:
> Hi there,
>
> I am experimenting with different security settings for libvirtd, so
> I can give sysadmins administrative access to the KVM hypervisor
> without giving them root access on the host. I had success using TLS
> (with client-certs) and SASL, but have not managed to make polkit
> and ssh work so far.
>
> If I change /etc/libvirt/libvirtd.conf auth_tcp or auth_unix_rw a
> local virsh connection gets this error:
>
> "Authorization requires authentication but no agent is available"
>
> Thus I'm using "sasl" for tcp and "none" for the unix socket.
>
> When I try a "qemu+ssh" remote virsh connection everything works fine.
> But then I try the same URL using virt-manager, and then try to open
> a guest console, virt-manager prompts multiple times for a ssh login
> password.
>
> Shouldn't virt-manager reuse the same ssh connection for guest
> console access? And even if it needs to open a new ssh connection
> for the spice connection, this should require only one additional
> ssh login.
>
> But I tried many times, carefully typing the password each time, and
> I'm sure they were not typos: virt-manager is actually asking for
> the ssh login password many times!
>
> Maybe people who use ssh keys (passwordless) logins didn't notice,
> but I think virt-manager shouldn't require more than one additional
> ssh connection per guest console. Is this a bug?

Each console requires that we set up a new SSH tunnel, since every
console is on a different socket on the remote host and we don't
know them all ahead of time.

If you are using SSH for libvirt, it is expected that you set up
SSH agent + public keys, so that you are not prompted for passwords
at all when logging on.

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|