On 09/18/2013 03:46 AM, Daniel P. Berrange wrote:
> On Tue, Sep 17, 2013 at 02:38:52PM -0300, Fernando Lozano wrote:
>> Hi there,
>>
>> I am experimenting with different security settings for libvirtd, so
>> I can give sysadmins administrative access to the KVM hypervisor
>> without giving them root access on the host. I had success using TLS
>> (with client-certs) and SASL, but have not managed to make polkit
>> and ssh to work so far.
>>
>> If I change /etc/libvirt/libvirtd.conf auth_tcp or auth_unix_rw a
>> local virsh connection gets this error:
>>
>> "Authorization requires authentication but no agent is available"
>>
>> Thus I'm using "sasl" for tcp and "none" for the unix socket.
>>
>> When I try a "qemu+ssh" remote virsh connection everything works fine.
>> But then I try the same URL using virt-manager, and then try to open
>> a guest console, virt-manager prompts multiple times for an ssh login
>> password.
>>
>> Shouldn't virt-manager reuse the same ssh connection for guest
>> console access? And even if it needs to open a new ssh connection
>> for the spice connection, this should require only one additional
>> ssh login.
>>
>> But I tried many times, carefully typing the password each time, and
>> I'm sure they were not typos: virt-manager is actually asking for
>> the ssh login password many times!
>>
>> Maybe people who use ssh keys (passwordless) logins didn't notice,
>> but I think virt-manager shouldn't require more than one additional
>> ssh connection per guest console. Is this a bug?
>
> Each console requires that we set up a new SSH tunnel, since every
> console is on a different socket on the remote host and we don't
> know them all ahead of time.
>
> If you are using SSH for libvirt, it is expected that you set up
> SSH agent + public keys, so that you are not prompted for passwords
> at all when logging on.
>

This is particularly bad with spice, which wants multiple fds for each
channel (display, audio, usb redirection, a few others). Each channel
requires an ssh connection, so if you are only using a default ssh setup
it will launch askpass many times.

- Cole