Bug 1248238 - RFE: Investigate using paramiko for spice+ssh, instead of manual ssh calls
RFE: Investigate using paramiko for spice+ssh, instead of manual ssh calls
Status: NEW
Product: Virtualization Tools
Classification: Community
Component: virt-manager (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Cole Robinson
Depends On:
  Show dependency treegraph
Reported: 2015-07-29 20:19 EDT by jamespharvey20
Modified: 2015-09-23 18:33 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description jamespharvey20 2015-07-29 20:19:02 EDT
Description of problem:

When I connect to a remote QEMU/KVM in virt-manager, it asks me for my user password.  I enter it, and it accepts it.

I open a running virtual machine's remote console, it first shows "Connecting to graphical console for guest".  And, asks me for my password again.

Then, the VM's console area goes black, and it asks me for my password again.  (But it won't let me type for about 10 seconds.)

Then it asks me for my password again.

And again.

Then it shows the VM's console with correct content.  And, asks me for my password again.

Then it asks me for my password again.

Then, I can use the VM.

(No, there's no editing mistake here.  I have to type my password 7 times.)

Version-Release number of selected component (if applicable):

virt-manager source build from git.  v1.2.1.r4564.466bf92-1 (master, at least as of a short while ago).  This happened identically on v1.2.1-release.

libvirt 1.2.17 (-2 Arch)

openbsd-netcat 1.105_7 (-7 Arch)

polkit 0.112 (-4 Arch)

openssh 6.9p1 (-2 Arch)

Yeah, both of these are Arch systems using kernel 4.1.3 (-1 Arch)

I'm starting here, knowing this may not actually be a virt-manager issue.  Not sure how to diagnose who is behind this further, but willing to run commands/tests you give me.

How reproducible:

Steps to Reproduce:
1. polkit authentication.  gpasswd -a username kvm.  re-log.  /etc/polkit-1/rules.d/49-org.libvirt.unix.manager.rules:
polkit.addRule(function(action, subject) {
   if (action.id == "org.libvirt.unix.manage" &&
      subject.isInGroup("kvm")) {
         return polkit.Result.YES;
2. virt-manager to connect to remote hypervisor (QEMU/KVM) via ssh, my username - not root.

Actual results:
7 password prompts

Expected results:
1 password prompt.  Maybe none using the autoconnect feature.
Comment 1 jamespharvey20 2015-08-08 23:45:41 EDT
Any thoughts?  Things I should run to help diagnose this?
Comment 2 Cole Robinson 2015-08-09 14:20:43 EDT
The multiple password prompts are likely due to spice: spice opens multiple network connections for its various channels (video, input, sound, usb redirection, etc), and each need to open an ssh tunnel to the remote machine. So you'll get lots of password prompts

The simplest 'fix' is to either setup ssh keys so you only need to auth once for SSH.

Polkit doesn't help here, since polkit config won't let you skip an ssh prompt no matter how you configure it AFAIK

I have some ideas about maybe simplifying this in the future, like trying to use an ssh library rather than forking the 'ssh' which has its own set of problems, but it's just handwavy future work.

Note You need to log in before you can comment on or make changes to this bug.