Bug 1434551
| Summary: | No password is required to connect to guest with graphics password configured | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Pavel Hrdina <phrdina> |
| Component: | virt-manager | Assignee: | Pavel Hrdina <phrdina> |
| Status: | CLOSED ERRATA | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.4 | CC: | crobinso, juzhou, kuwei, mxie, phrdina, tzheng, xiaodwan, yualiu |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | virt-manager-1.4.1-2.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-08-01 21:04:33 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1365367 | | |

Description
Pavel Hrdina
2017-03-21 17:32:13 UTC
Yeah I'm not sure what to do here really. It's not an unintentional regression as that feature is working as expected, and IMO isn't really reducing security at all since if you have access to qemu:///system you can see the graphical password anyways. Certainly makes verifying passwords are working more of a pain. I guess we need to dig to figure out why SKIPAUTH makes listen type=none work, and whether it's a fixable bug somewhere else

Upstream commit:

commit cb182f7e3a569bde926818a4c55bb8427fba2728
Author: Pavel Hrdina <phrdina>
Date: Thu Mar 23 15:26:19 2017 +0100

    graphics: skip authentication only for VNC with listen type none

I can reproduce this issue with package:
virt-manager-1.4.1-1.el7.noarch

Then try to verify this bug with:
virt-manager-1.4.1-2.el7.noarch
libvirt-3.2.0-3.el7.x86_64
qemu-kvm-rhev-2.8.0-6.el7.x86_64

Steps:

Scenario-1 Testing with spice guest

On host A:

Scenario-1.1 listen type: address + Address: Localhost only + password setting

1.1.1 Guest with configuration:

    # virsh dumpxml rhel6.9 --security-info
    <graphics type='spice' port='5901' autoport='yes' listen='127.0.0.1' passwd='aabb'>
      <listen type='address' address='127.0.0.1'/>
      <image compression='off'/>
    </graphics>

1.1.2 Start guest and open the guest console.

Result for 1.1.2:
I. Password is required when connecting to guest graphical console.
II. We can login guest with typing correct password. If not, with wrong password, 'Input Error' error window will pop up with "Viewer authentication error: Authentication failed: wrong password ? ", after click 'OK' will back to password authentication window, and wrong spice password keeps.

1.1.3 Closed guest window and open again, input correct password, then tick 'Save this password in your keyring', then click 'Login'.

Result for 1.1.3:
I. Login guest successfully.
II. Closed guest window and open again, we can see password is saving, we can login guest directly with click 'Login' button.

Scenario-1.2: Listen type: address + Address: All interfaces + password setting

1.2.1 Guest with configuration:

    # virsh dumpxml rhel6.9 --security-info
    <graphics type='spice' port='5901' autoport='yes' listen='0.0.0.0' passwd='aabb'>
      <listen type='address' address='0.0.0.0'/>
      <image compression='off'/>
    </graphics>

1.2.2 Steps as Scenario-1.1

Result: Get same result with Scenario-1.1.

Scenario-3 Listen type: none + password setting

1.3.1 Guest with configuration:

    # virsh dumpxml rhel6.9 --security-info
    <graphics type='spice' passwd='aabb'>
      <listen type='none'/>
      <image compression='off'/>
    </graphics>

1.3.2 Steps as Scenario-1.1

Result: Get same result with Scenario-1.1.

Scenario-4 Try to connect to above spice guest console in remote connection.

On hostB:

1.4.1 Launch virt-manager on Host B, File->Add connection->Hypervisor choosing 'QEMU/KVM'->Tick 'Connect to remote host'->Method 'SSH'->Username: root ->Hostname: $host A ->Connect.

1.4.2 Open guest console 'rhel6.9' on hostA.

Result for step1.4.2:
I. <listen type='address' address='127.0.0.1'/> - pass
Get same result with Scenario-1.1

II. <listen type='address' address='0.0.0.0'/> - failed
Failed to show password authentication page, it displays error:
Viewer was disconnected.
Encountered SPICE error-connect: could not connect to xx.xx.xx.xx No route to host

III. <listen type='none'/> - failed
It will fail to open guest window and reports:
"Error connecting to graphical console: Guest is on a remote host, but is only configured to allow local file descriptor connections."
It is the same as Bug 1441127.

Summary for spice guest:

Local connection:
I. Password is required when connecting to guest graphical console.
II. We can login guest with typing correct password. If not, with wrong password, 'Input Error' error window will pop up with "Viewer authentication error: Authentication failed: wrong password ? ", after click 'OK' will back to password authentication window, and wrong spice password keeps.
III. 'Save this password in your keyring' choice works well.

Remote connection:
I. Can only connect to password authentication page for guest (<listen type='address' address='127.0.0.1'/> ).

Scenario-2 Testing with vnc guest

On host A:

Scenario-2.1 listen type: address + Address: Localhost only + password setting

2.1.1 Guest with configuration:

    # virsh dumpxml rhel7.3latest-vnc --security-info
    <graphics type='vnc' port='5901' autoport='yes' listen='127.0.0.1' passwd='aabb'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>

2.1.2 Start guest and open the guest console.

Result for 2.1.2:
I. Password is required when connecting to guest graphical console.
II. We can login guest with typing correct password. If not, with wrong password, 'Input Error' error window will pop up with "Viewer authentication error: Authentication failed ", after click 'OK' will back to password authentication window, and wrong vnc password will be empty.

2.1.3 Close guest window and reopen, input correct password, then tick 'Save this password in your keyring', then click 'Login'.

Result for 2.1.3:
I. Login guest successfully.
II. Closed guest window and open again, we can see password is saving, we can login guest directly with click 'Login' button.

Scenario-2.2: Listen type: address + Address: All interfaces + password setting

2.2.1 Guest with configuration:

    # virsh dumpxml rhel7.3latest-vnc --security-info
    <graphics type='vnc' port='5901' autoport='yes' listen='0.0.0.0' passwd='aabb'>
      <listen type='address' address='0.0.0.0'/>
    </graphics>

2.2.2 Steps as Scenario-1.1

Result: Get same result with Scenario-1.1.

Scenario-2.3: Listen type: none + password setting

2.3.1 Guest with configuration:

    # virsh dumpxml rhel7.3latest-vnc --security-info
    <graphics type='vnc' port='-1' autoport='yes' passwd='aabb'>
      <listen type='none'/>
    </graphics>

2.3.2 Steps as Scenario-2.1

Result: Skip authentication.

Scenario-2.4 Try to connect to above spice guest console in remote connection.

On hostB:

2.4.1 Launch virt-manager on Host B, File->Add connection->Hypervisor choosing 'QEMU/KVM'->Tick 'Connect to remote host'->Method 'SSH'->Username: root ->Hostname: $host A ->Connect.

2.4.2 Open guest console 'rhel7.3latest-vnc' on hostA.

Result for step2.4.2:
I. <listen type='address' address='127.0.0.1'/> - pass
Get same result with Scenario-2.1

II. <listen type='address' address='0.0.0.0'/> - failed
Failed to show password authentication page, it displays error:
Viewer was disconnected.

III. <listen type='none'/> - failed
It will fail to open guest window and reports:
Viewer was disconnected.

SSH tunnel error output: nc: invalid option -- '1'
Ncat: Try `--help' or man(1) ncat for more information, usage options and help. QUITTING.

Summary for vnc guest:

Local connection:
I. Password is required when connecting to guest graphical console.
II. We can login guest with typing correct password. If not, with wrong password, 'Input Error' error window will pop up with "Viewer authentication error: Authentication failed ", after click 'OK' will back to password authentication window, and wrong vnc password will be empty automatically.
III. 'Save this password in your keyring' choice works well.
IV. Skip authentication only for VNC with listen type none.

Remote connection:
I. Can only connect to password authentication page for guest (<listen type='address' address='127.0.0.1'/> ).

Hi Pavel,
I failed to see authentication for remote connecting, could you help me have a look, thanks.

(In reply to zhoujunqin from comment #7)

[...]

> Scenario-2.4 Try to connect to above spice guest console in remote
> connection.
> On hostB:
>
> 2.4.1 Launch virt-manager on Host B, File->Add connection->Hypervisor
> choosing 'QEMU/KVM'->Tick 'Connect to remote host'->Method 'SSH'->Username:
> root ->Hostname: $host A ->Connect.
>
> 2.4.2 Open guest console 'rhel7.3latest-vnc' on hostA.
>
> Result for step2.4.2:
> I. <listen type='address' address='127.0.0.1'/> - pass
> Get same result with Scenario-2.1
>
> II. <listen type='address' address='0.0.0.0'/> - failed
> Failed to show password authentication page, it displays error:
> Viewer was disconnected.

I'm not able to reproduce it, it works correctly for me. Full debug log for this case would be nice.

> III. <listen type='none'/> - failed
> It will fail to open guest window and reports:
> Viewer was disconnected.
>
> SSH tunnel error output: nc: invalid option -- '1'
> Ncat: Try `--help' or man(1) ncat for more information, usage options and
> help. QUITTING.

This is yet another bug in virt-manager, it doesn't detect that the listen type is 'none' and virt-manager tries to connect to that guest while it should print this error "Guest is on a remote host, but is only configured to allow local file descriptor connections."

Please create a new bug for this issue, thanks.

(In reply to Pavel Hrdina from comment #9)
> (In reply to zhoujunqin from comment #7)
>
> [...]
>
> > Scenario-2.4 Try to connect to above spice guest console in remote
> > connection.
> > On hostB:
> >
> > 2.4.1 Launch virt-manager on Host B, File->Add connection->Hypervisor
> > choosing 'QEMU/KVM'->Tick 'Connect to remote host'->Method 'SSH'->Username:
> > root ->Hostname: $host A ->Connect.
> >
> > 2.4.2 Open guest console 'rhel7.3latest-vnc' on hostA.
> >
> > Result for step2.4.2:
> > I. <listen type='address' address='127.0.0.1'/> - pass
> > Get same result with Scenario-2.1
> >
> > II. <listen type='address' address='0.0.0.0'/> - failed
> > Failed to show password authentication page, it displays error:
> > Viewer was disconnected.
>
> I'm not able to reproduce it, it works correctly for me. Full debug log for
> this case would be nice.

Yes, Pavel. I tested in another environment, it works for me when listening all interfaces both for spice and vnc guests. Thanks for your confirmation.

>
> > III. <listen type='none'/> - failed
> > It will fail to open guest window and reports:
> > Viewer was disconnected.
> >
> > SSH tunnel error output: nc: invalid option -- '1'
> > Ncat: Try `--help' or man(1) ncat for more information, usage options and
> > help. QUITTING.
>
> This is yet another bug in virt-manager, it doesn't detect that the listen
> type is 'none' and virt-manager tries to connect to that guest while it
> should print this error "Guest is on a remote host, but is only configured
> to allow local file descriptor connections."
>
> Please create a new bug for this issue, thanks.

Yes, Bug 1445714 filed to track this issue, thanks.

As a summary for this bug, all testing scenarios listed in Comment 6 and Comment 7 will ask for authentication when connecting to guest console, except Bug 1445714, Bug 1445239 testing scenarios, so move this bug to VERIFIED.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2072
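
The behaviour verified in the comments above can be checked against a guest's XML before opening a console. The following is an added example, not part of the bug report or of virt-manager's code: it reads `virsh dumpxml --security-info` style output and reports, per `<graphics>` device, whether a password prompt is expected. The function name `audit_graphics` and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <graphics> elements quoted in this bug.
# passwd= only appears when the XML is dumped with --security-info.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <devices>
    <graphics type='spice' port='5901' autoport='yes' listen='0.0.0.0' passwd='aabb'>
      <listen type='address' address='0.0.0.0'/>
    </graphics>
    <graphics type='vnc' port='-1' autoport='yes' passwd='aabb'>
      <listen type='none'/>
    </graphics>
    <graphics type='vnc' port='5902' autoport='yes' listen='0.0.0.0'>
      <listen type='address' address='0.0.0.0'/>
    </graphics>
  </devices>
</domain>
"""

def audit_graphics(domain_xml):
    """Return one finding per <graphics> device in a libvirt domain XML."""
    findings = []
    for g in ET.fromstring(domain_xml.strip()).iter("graphics"):
        gtype = g.get("type")
        listen = g.find("listen")
        if listen is not None:
            ltype, address = listen.get("type"), listen.get("address")
        else:  # legacy form: only a listen= attribute on <graphics>
            address = g.get("listen")
            ltype = "address" if address else None
        has_passwd = bool(g.get("passwd"))
        # Per the fix verified here, virt-manager skips authentication only
        # for VNC with listen type 'none'; every other case should prompt.
        skipped = has_passwd and gtype == "vnc" and ltype == "none"
        notes = []
        if not has_passwd:
            notes.append("no graphics password in XML")
        if skipped:
            notes.append("password set, but local virt-manager skips the prompt")
        if ltype == "none":
            notes.append("local file descriptor only, no remote console")
        elif address in ("0.0.0.0", "::"):
            notes.append("listens on all interfaces")
        findings.append({"type": gtype, "listen": ltype,
                         "prompt_expected": has_passwd and not skipped,
                         "notes": notes})
    return findings
```

Pass it the text returned by `virsh dumpxml <guest> --security-info`; without `--security-info` every device is reported as having no password.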