Bug 526953 - RFE: console SSO: libvirt should authenticate user for access to guest consoles
Status: CLOSED CURRENTRELEASE
Product: Virtualization Tools
Classification: Community
Component: libvirt
Version: unspecified
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Libvirt Maintainers
Blocks: libvirtTodoHV
Reported: 2009-10-02 14:00 EDT by Matthew Booth
Modified: 2012-04-18 11:44 EDT
Doc Type: Bug Fix
Last Closed: 2012-04-18 06:07:18 EDT
Description Matthew Booth 2009-10-02 14:00:42 EDT
Description of problem:
You are required to enter a password when connecting to a remote libvirt over SSH. When you start a guest and attempt to view its console, you are required to enter the same password again. This should not be necessary. It's also not useful as an 'authentication timeout' security measure, as I am still able to create, destroy, start, stop and modify guests without re-authentication.

The password dialog box always provides a whack-a-mole problem when the console view is active and the underlying guest is having problems causing it to restart continuously. This is a major problem as the dialog is modal.

Version-Release number of selected component (if applicable):
virt-manager-0.8.0-6.fc11.noarch

How reproducible:
Always

Steps to Reproduce:
1. Connect to a remote libvirt over SSH
2. Enter password
3. Double click on a remote guest which is not running
4. Click Run
  
Actual results:
Have to enter same password again

Expected results:
Seamless display of console

Additional info:
Comment 1 Daniel Berrange 2009-10-05 05:14:36 EDT
Those are different passwords surely - one for authenticating with Libvirt, one for authenticating with VNC. Indeed, each VNC server could be configured with a different password.

virt-manager should be offering to save any passwords so you don't have to enter it multiple times - just accept the pre-filled remembered value. Or you can switch to an SSO solution like GSSAPI for auth...
Comment 2 Matthew Booth 2009-10-05 05:29:46 EDT
The fact that authentication with VNC is done separately is an uninteresting implementation detail from a user perspective. Perhaps that's the real bug here: libvirt should be able to mediate access to the guest's console.
Comment 3 Mark McLoughlin 2009-10-09 09:01:47 EDT
Okay, this is a fairly major design change; moving to upstream tracker
Comment 4 Daniel Berrange 2011-07-07 10:36:14 EDT
This would be addressed by the following patch proposal, which uses FD passing over the libvirtd connection to access VNC without requiring any additional VNC auth:

http://www.redhat.com/archives/libvir-list/2011-June/msg01122.html
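
The FD-passing idea mentioned in comment 4, as an added example that is not part of the bug comments and is not code from libvirt, virt-manager or the linked patch: an already-authenticated Unix-socket channel hands the client a connected console descriptor, so no second credential prompt is needed. The function names, the one-byte marker and the two socketpairs standing in for the libvirtd connection and the VNC socket are assumptions made for illustration.

```python
import array
import socket

INT_SIZE = array.array("i").itemsize


def send_fd(chan: socket.socket, fd: int) -> None:
    """Daemon side: pass one open descriptor as SCM_RIGHTS ancillary data."""
    payload = array.array("i", [fd]).tobytes()
    chan.sendmsg([b"F"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, payload)])


def recv_fd(chan: socket.socket) -> int:
    """Client side: accept exactly one descriptor, reject anything else."""
    data, anc, flags, _ = chan.recvmsg(1, socket.CMSG_SPACE(INT_SIZE))
    if data != b"F" or flags & socket.MSG_CTRUNC or len(anc) != 1:
        raise ConnectionError("expected exactly one passed descriptor")
    level, ctype, payload = anc[0]
    if (level, ctype) != (socket.SOL_SOCKET, socket.SCM_RIGHTS):
        raise ConnectionError("unexpected ancillary data type")
    if len(payload) != INT_SIZE:
        raise ConnectionError("malformed descriptor payload")
    return array.array("i", payload)[0]


def mediated_console_demo() -> bytes:
    """Constructed demo: ctrl_* stands in for the authenticated libvirtd
    connection, console_* for the hypervisor's VNC socket."""
    ctrl_daemon, ctrl_client = socket.socketpair()
    console_server, console_peer = socket.socketpair()
    with ctrl_daemon, ctrl_client, console_server:
        # Daemon: the caller is already authenticated on the control channel,
        # so hand over the connected console endpoint and drop the local copy.
        send_fd(ctrl_daemon, console_peer.fileno())
        console_peer.close()
        # Client: wrap the received descriptor; no separate console login.
        with socket.socket(fileno=recv_fd(ctrl_client)) as viewer:
            viewer.sendall(b"hello console")
            return console_server.recv(64)


if __name__ == "__main__":
    print(mediated_console_demo())
```

Access control in this model rests entirely on who may use the control channel, so the daemon must check the caller's authorization for that specific guest before passing the descriptor.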
