Bug 811346

Summary: remote spice connection without ssh keys opens many askpass dialogs at once
Product: [Fedora] Fedora Reporter: Gabriel Somlo <somlo>
Component: virt-managerAssignee: Cole Robinson <crobinso>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 20CC: be.nicolas.michel, berrange, crobinso, dpierce, hbrock, jforbes, ptalbert, virt-maint
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: virt-manager-0.10.0-3.gita2e52067.fc20 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-10-03 21:56:33 EDT Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Gabriel Somlo 2012-04-10 14:50:18 EDT
Description of problem:
When attempting to open a guest window on a remote ssh connection, I get multiple overlapping ssh password dialogs that keep opening on top of each other, and ultimately result in an error-message popup which reads:

"SSH password dialog could not grab the keyboard input. This might be caused by application such as screensaver, however it could also mean that someone may be eavesdropping on your session. Either close the application which grabs the keyboard or log out and log in again to prevent this from happening."

I run a straightforward default gnome 3 desktop, and nothing else is running beyond virt-manager itself.

Opening the ssh remote connection itself works fine (the connection URI looks
like this: qemu+ssh://root@remote.host.example.com/system). It is only once I pick one of the listed guests and double-click on it to open the DisplaySpice connection that I get flooded by ssh password requests and error messages.

Version-Release number of selected component (if applicable):
virt-manager-0.9.1-2.fc16

How reproducible:
attempt to open a remote kvm guest over an ssh connection

Steps to Reproduce:
1. From virt-manager, connect to a remote host using qemu+ssh
   (qemu+ssh://root@remote.host.example.com/system). This might
   require completing an ssh password dialog for
   root@remote.host.example.com;
2. Double-click on one of the listed (running) guests. Mine are set
   up to use Spice rather than VNC.
  
Actual results:
Get flooded by dialogs asking for the remote root's password, and by popups containing the error message quoted above

Expected results:
After completing the first password dialog for remote root, the viewer starts displaying the remote guest.
Comment 1 Cole Robinson 2012-04-25 09:14:44 EDT
Spice requires multiple channels to do its thing, which means opening multiple SSH tunnels. If you want to use remote spice, you really should be using ssh keys.

That said maybe we can serialize how these are opened so that multiple dialogs don't jump up at once.
Comment 2 Cole Robinson 2012-07-08 14:12:40 EDT
So serializing this isn't as simple as I thought. I think the only way forward here is for us to use a library like libssh2 to try and fix this stuff once and for all. However that's not an easy bit of work so won't make the next release.

In the interim, I'd recommend setting up SSH keys to avoid the dialogs all together, or use ssh connection sharing like described here:

http://fermiparadox.wordpress.com/2008/06/19/ssh-connection-sharing/
Comment 3 Fedora End Of Life 2013-01-16 07:47:27 EST
This message is a reminder that Fedora 16 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 16. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '16'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 16's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 16 is end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 4 Cole Robinson 2013-09-06 19:58:57 EDT
I figured out a way to fix this upstream:

https://git.fedorahosted.org/cgit/virt-manager.git/commit/?id=5bf63759b6c18f4b814b52d8ed671fbb428af1f8

But it's not really backportable, moving to F20 where we will rebase in the fix.
Comment 5 Fedora Update System 2013-09-24 11:15:00 EDT
virt-manager-0.10.0-3.gita2e52067.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/virt-manager-0.10.0-3.gita2e52067.fc20
Comment 6 Fedora Update System 2013-09-26 02:13:19 EDT
Package virt-manager-0.10.0-3.gita2e52067.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing virt-manager-0.10.0-3.gita2e52067.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-17628/virt-manager-0.10.0-3.gita2e52067.fc20
then log in and leave karma (feedback).
Comment 7 Fedora Update System 2013-10-03 21:56:33 EDT
virt-manager-0.10.0-3.gita2e52067.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 sylock 2014-03-26 05:09:25 EDT
I'm on Fedora 20 and I still have the issue. I have to type my ssh password 4 times to open the remote display.

$ rpm -qi virt-manager
Name        : virt-manager
Version     : 1.0.0
Release     : 6.fc20
Architecture: noarch
Install Date: Tue 25 Mar 2014 10:12:05 AM CET
Group       : Applications/Emulators
Size        : 3687809
License     : GPLv2+
Signature   : RSA/SHA256, Tue 11 Mar 2014 07:12:37 PM CET, Key ID 2eb161fa246110c1
Source RPM  : virt-manager-1.0.0-6.fc20.src.rpm
Build Date  : Mon 10 Mar 2014 02:58:38 PM CET
Build Host  : arm02-builder09.arm.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://virt-manager.org/
Summary     : Virtual Machine Manager
Description :
Virtual Machine Manager provides a graphical tool for administering virtual
machines for KVM, Xen, and LXC. Start, stop, add or remove virtual devices,
connect to a graphical or serial console, and see resource usage statistics
for existing VMs on local or remote machines. Uses libvirt as the backend
Comment 9 Cole Robinson 2014-03-26 07:30:24 EDT
The original report was that all the dialogs were opened at the same time, overlapping and causing weird X errors since they all want to own focus. The root issue that spice requires multiple channels is not 'fixed' and doesn't have a clear solution. You can probably work around this on your machine, google 'ssh connection sharing'
Comment 10 sylock 2014-03-26 08:32:50 EDT
Thanks for you comment. I hadn't understood well that the root cause was not the subject of this bug report but it's side-effect.

May I suggest that if the solution is the ssh connection sharing, why don't implement it in virt-manager? It is only a matter of option when initializing the first connection to the remote host. Every ssh connection configured in virt-manager would have the connection sharing enabled even if they don't use it later (because they doesn't use spice but VNC for example).
Comment 11 Cole Robinson 2014-03-26 08:37:38 EDT
connection sharing has its caveats, so if we implemented it we'd need to allow users to turn it off, so more UI, more code paths to test.

If we are going to mess with this code, it would be to consider switching to an ssh library that should hopefully solve this problem.

Until then, the recommended usage in this scenario is to set up ssh keys, it's pretty easy:

ssh-keygen
ssh-copy-id user@host