Bug 1365367
| Summary: | Failed to login guest when wrong password was typed for vnc guest | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Xiaodai Wang <xiaodwan> |
| Component: | virt-manager | Assignee: | Pavel Hrdina <phrdina> |
| Status: | CLOSED ERRATA | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.3 | CC: | juzhou, mxie, mzhang, phrdina, tzheng |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | virt-manager-1.4.1-1.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-08-01 21:02:03 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1434551 | ||
| Bug Blocks: | |||
Description
Xiaodai Wang
2016-08-09 05:39:13 UTC
Upstream commit:
commit 354877b90ef6f6f541aa040ab40e4b4a65060c24
Author: Pavel Hrdina <phrdina>
Date: Wed Aug 17 18:21:42 2016 +0200
console: set unavailable page while closing details window
I can reproduce this bug with package:
virt-manager-1.4.0-2.el7.noarch
virt-install-1.4.0-2.el7.noarch
virt-manager-common-1.4.0-2.el7.noarch
Then try to verify this bug with new build:
virt-manager-1.4.1-1.el7.noarch
virt-install-1.4.1-1.el7.noarch
virt-manager-common-1.4.1-1.el7.noarch
libvirt-3.1.0-2.el7.x86_64
Step:
1. Prepare a vnc guest with password set.
# virsh dumpxml rhel7.3 --security-info
...
<graphics type='vnc' port='-1' autoport='yes' passwd='1234'>
<listen type='address'/>
</graphics>
...
2. Open the guest and type correct password, make sure you can login successfully.
Result:
1. After opening the guest, we can connect to the guest console directly without entering a password.
2. Spice guest also has this problem.
Hi Pavel, it seems the password setting is invalid for both spice and vnc guests, so I changed this bug to "ASSIGNED" status.
So the issue that no password is required was introduced by this commit
commit 0910c8dcfc38d03178d0cb6f2beb41a192eb45be
Author: Cole Robinson <crobinso>
Date: Thu Mar 2 15:08:32 2017 -0500
domain: Use libvirt.VIR_DOMAIN_OPEN_GRAPHICS_SKIPAUTH (bug 1379581)
It's what virt-viewer uses, and apparently it's needed for VNC
listen type=none
https://bugzilla.redhat.com/show_bug.cgi?id=1379581
So this bug is probably fixed, but there is no way to verify it because the mentioned commit broke virt-manager so that no password is required.
Try to verify this bug with new build:
virt-manager-1.4.1-2.el7.noarch
virt-install-1.4.1-2.el7.noarch
virt-manager-common-1.4.1-2.el7.noarch
qemu-kvm-rhev-2.8.0-6.el7.x86_64
libvirt-3.2.0-3.el7.x86_64
Steps:
Scenario-1: listen type: address
Address: Localhost only
1. Guest with configuration:
# virsh dumpxml rhel7.3latest-vnc --security-info
...
<graphics type='vnc' port='5900' autoport='yes' listen='127.0.0.1' passwd='aabb'>
<listen type='address' address='127.0.0.1'/>
</graphics>
...
2. Open the guest and type the correct password; make sure you can log in successfully.
3. Close the guest window and open the guest again, type a wrong password and click the login button; login failed.
Result: An 'Input Error' window pops up with the error "Viewer authentication error: Authentication failed". After clicking 'OK', the wrong password is cleared, and we can then log in to the guest by typing the correct password.
4. Based on step 3, after clicking 'OK', close the guest window, open the guest again, and type the correct password.
Result: We can also log in to the guest by typing the correct password.
5. Close the guest window and open the guest again, type a wrong password and tick 'Save this password in your keyring', then click 'Login'.
Result: An 'Input Error' window pops up with the error "Viewer authentication error: Authentication failed". After clicking 'OK', we are back at the password input window, and the password is saved.
6. Close the guest window and open the guest again; we can see the original wrong password saved. Change the wrong password to the correct one, then click 'Login'.
Result: We can log in to the guest directly.
7. Close the guest window and open the guest again; we can see the original correct password saved. Click 'Login' directly.
Result: We can log in to the guest directly.
Scenario-2: Listen type: address
Address: All interfaces
1. Guest with configuration:
# virsh dumpxml rhel7.3latest-vnc --security-info
<graphics type='vnc' port='5900' autoport='yes' listen='0.0.0.0' passwd='aabb'>
<listen type='address' address='0.0.0.0'/>
</graphics>
2. Steps as Scenario-1.
Result: Same result as Scenario-1; we can log in to the guest by typing the correct password.
Scenario-3: Listen type: none
# virsh dumpxml rhel7.3latest-vnc --security-info
<graphics type='vnc' port='-1' autoport='yes' passwd='aabb'>
<listen type='none'/>
</graphics>
Result: Can log in to the guest without authentication. (http://post-office.corp.redhat.com/archives/rhvirt-patches/2017-March/msg00817.html)
TESTTE
@Pavel, is it by design for vnc guest, and do you think i can move this bug to VERIFIED now?
QEMU has a Bug 1435352 and because of that we need to skip authentication for listen type=none. In all other cases the password is required so this bug can be moved to VERIFIED.

(In reply to Pavel Hrdina from comment #8)
> QEMU has a Bug 1435352 and because of that we need to skip authentication
> for listen type=none. In all other cases the password is required so this
> bug can be moved to VERIFIED.
Is this fix a temp workaround for Bug 1435352? I'm not sure how qemu fixes the bug. When the qemu bug is fixed, should we continue skipping auth for this situation?

(In reply to xiaodwan from comment #9)
> (In reply to Pavel Hrdina from comment #8)
> > QEMU has a Bug 1435352 and because of that we need to skip authentication
> > for listen type=none. In all other cases the password is required so this
> > bug can be moved to VERIFIED.
>
> Is this fix a temp workaround for Bug 1435352?
> I'm not sure how qemu fixes the bug. when the qemu bug is fixed, should we
> continue skipping auth for this situation?
Hi xiaodwan, I also asked Pavel this question on IRC yesterday, so Pavel could help give us an update for this question, thanks.

Yes, that is a temporary workaround for that BUG; once it gets fixed in QEMU we can update the code in virt-manager to skip the authentication only for broken QEMUs. It would probably be good to create an upstream BUG to make sure we update virt-manager when QEMU is fixed. There is no need to track it for RHEL because usually when the listen type=none you need extra permissions to connect to that socket, and usually when you have those permissions you can easily get XML with security info.

Hi Pavel, thanks for your explanation, file an upstream Bug 1445239. And move this bug from ON_QA to VERIFIED.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2072
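The listen configurations tested in this report can be told apart mechanically. The following is an added example, not part of the bug report or of virt-manager's code: a Python check that reads `virsh dumpxml --security-info` output and reports, for each graphics device, where it listens and whether the configured password is actually enforced given the listen type=none behaviour described in the comments. The function names, result labels and the minimal `<domain>` wrapper around the sample XML are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

def _wrap(graphics):
    # Minimal <domain> wrapper (constructed) around a <graphics> element.
    return "<domain><devices>%s</devices></domain>" % graphics

# Constructed sample input: the <graphics> elements from Scenario-1..3 above.
SAMPLES = {
    "scenario-1": _wrap("<graphics type='vnc' port='5900' autoport='yes' "
                        "listen='127.0.0.1' passwd='aabb'>"
                        "<listen type='address' address='127.0.0.1'/></graphics>"),
    "scenario-2": _wrap("<graphics type='vnc' port='5900' autoport='yes' "
                        "listen='0.0.0.0' passwd='aabb'>"
                        "<listen type='address' address='0.0.0.0'/></graphics>"),
    "scenario-3": _wrap("<graphics type='vnc' port='-1' autoport='yes' "
                        "passwd='aabb'><listen type='none'/></graphics>"),
}
LOOPBACK_PREFIXES = ("127.", "::1", "localhost")

def audit_graphics(domain_xml):
    """Classify every <graphics> device in one domain XML document."""
    findings = []
    for g in ET.fromstring(domain_xml).iter("graphics"):
        listen = g.find("listen")
        ltype = listen.get("type", "address") if listen is not None else "address"
        addr = (listen.get("address") if listen is not None else None) or g.get("listen")
        if ltype in ("none", "socket"):
            scope = "local-socket"        # reachable only via a local socket
        elif addr is None:
            scope = "hypervisor-default"  # address is taken from qemu.conf
        elif addr.startswith(LOOPBACK_PREFIXES):
            scope = "loopback"
        else:
            scope = "network"
        # passwd is only present when the XML was dumped with --security-info.
        if ltype == "none":
            auth = "skipped-by-client"    # workaround described in the thread
        elif g.get("passwd"):
            auth = "password"
        else:
            auth = "none"
        findings.append({"type": g.get("type"), "listen": ltype,
                         "scope": scope, "auth": auth})
    return findings

def needs_review(finding):
    """True when a console is not actually protected by a password."""
    return finding["auth"] != "password"

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        for f in audit_graphics(xml):
            print(name, f, "REVIEW" if needs_review(f) else "ok")
```

For listen type=none the result depends on socket permissions rather than the password, which matches the reasoning given in the thread for not tracking the workaround in RHEL.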