Red Hat Bugzilla – Bug 526953
RFE: console SSO: libvirt should authenticate user for access to guest consoles
Last modified: 2012-04-18 11:44:50 EDT
Description of problem:
You are required to enter a password when connecting to a remote libvirt over SSH. When you start a guest and attempt to view its console, you are required to enter the same password again. This should not be necessary. It's also not useful as an 'authentication timeout' security measure, as I am still able to create, destroy, start, stop and modify guests without re-authentication.
The password dialog box always provides a whack-a-mole problem when the console view is active and the underlying guest is having problems causing it to restart continuously. This is a major problem as the dialog is modal.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Connect to a remote libvirt over SSH
2. Enter password
3. Double click on a remote guest which is not running
4. Click Run
Have to enter same password again
Seamless display of console
Those are different passwords surely - one for authenticating with Libvirt, one for authenticating with VNC. Indeed, each VNC server could be configured with a different password.
virt-manager should be offering to save any passwords so you don't have to enter it multiple times - just accept the pre-filled remembered value.. Or you can switch to an SSO solution like GSSAPI for auth...
The fact that authentication with VNC is done separately is an uninteresting implementation detail from a user perspective. Perhaps that's the real bug here: libvirt should be able to mediate access to the guest's console.
Okay, this is a fairly major design change; moving to upstream tracker
This would be addressed the following patch proposal which uses FD passing over the libvirtd connection to access VNC without requiring any additional VNC auth