Latest revision as of 14:02, 8 May 2009
See Test_Day:2009-05-07_Virtualization_VNC_Authentication.
This test area is concerned with testing Digest-MD5 authentication for the VNC Authentication feature added in Fedora 11.
NB, Digest-MD5 auth is *not* considered a strong auth scheme by modern standards. It is merely useful for testing SASL integration in services like libvirt and VNC.
Initial setup
libvirtd setup
When using Digest-MD5 auth for VNC, it is intended that Digest-MD5 is also used for libvirt. Thus the first step is to get libvirtd using SASL + Digest-MD5 auth.
- Configure SASL Digest-MD5 for libvirt [1]
- Add --listen flag to /etc/sysconfig/libvirtd
- Set 'listen_tcp=1' in /etc/libvirt/libvirtd.conf
- Restart libvirtd daemon (service libvirtd restart)
- Verify it is listening on 0.0.0.0 (use netstat -t -l -p | grep libvirtd)
Now try to connect from a remote host:
$ virsh --connect qemu+tcp://hostname/system
It should prompt for the username and password previously configured. If this is working, move on...
QEMU setup
Now it is time to configure SASL/Digest-MD5 for VNC.
- Edit /etc/libvirt/qemu.conf
- Set vnc_sasl=1
- Set vnc_listen="0.0.0.0"
- Create /etc/sasl2/qemu.conf containing
mech_list: digest-md5
sasldb_path: /etc/libvirt/qemu-vnc-password.db
- Restart libvirtd (service libvirtd restart)
- Create a password for a test user, entering the password when prompted
# saslpasswd2 -a libvirt test
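A check for the QEMU settings listed in the steps above, added here as an example and not part of the original test page: it parses both files and compares each key with the value the steps give. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the VNC SASL settings from the QEMU setup steps.

# conf_get FILE KEY: print the value of the last active "KEY = value"
# (libvirt style) or "KEY: value" (SASL style) line. Commented-out lines
# are skipped; surrounding double quotes and trailing blanks are removed.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[=:][[:space:]]*//p" "$1" 2>/dev/null |
        tail -n 1 | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# expect_conf FILE KEY WANTED: report one setting; set rc=1 on a mismatch.
expect_conf() {
    got=$(conf_get "$1" "$2")
    if [ "$got" = "$3" ]; then echo "ok   $2 = $got"
    else echo "FAIL $2: want '$3', got '${got:-<unset>}'"; rc=1; fi
}

# check_vnc_sasl QEMU_CONF SASL_CONF: compare both files with the values
# from the steps above (literal match); return 1 if any setting differs.
check_vnc_sasl() {
    rc=0
    expect_conf "$1" vnc_sasl 1
    expect_conf "$1" vnc_listen 0.0.0.0
    expect_conf "$2" mech_list digest-md5
    expect_conf "$2" sasldb_path /etc/libvirt/qemu-vnc-password.db
    return $rc
}

# Constructed sample files (not from a real host) so the check runs offline.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#vnc_sasl = 0' 'vnc_sasl = 1' \
        'vnc_listen = "0.0.0.0"' > "$d/qemu.conf"
    printf '%s\n' 'mech_list: digest-md5' \
        'sasldb_path: /etc/libvirt/qemu-vnc-password.db' > "$d/sasl-qemu.conf"
    check_vnc_sasl "$d/qemu.conf" "$d/sasl-qemu.conf"; st=$?
    rm -rf "$d"
    return $st
}
demo
```

On the virtualization host, run `check_vnc_sasl /etc/libvirt/qemu.conf /etc/sasl2/qemu.conf`. `sasldblistusers2 -f /etc/libvirt/qemu-vnc-password.db` then shows whether the test user is present in the database QEMU reads.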
Test case
Pick one of the access methods to test, or test several, and provide results at the bottom of the page.
Local desktop access
- Run virt-manager from your desktop session and connect to the default QEMU connection
- PolicyKit should pop up a dialog to authenticate with the root password
- Start a previously installed guest OS
- Open the graphical console for the guest
- You should be prompted to enter a user and password before the VNC console is displayed
Remote access with virt-manager
- Run virt-manager from a different machine than the one running libvirtd
- Open a connection to the remote host, selecting 'Remote password or kerberos' as connection type
- virt-manager should prompt for username and password before opening libvirt connection
- Start a previously installed guest OS
- Open the graphical console for the guest
- You should be prompted to enter a user and password before the VNC console is displayed
Remote access with virt-viewer
- Start a guest on the virtualization host, using 'virsh start' or virt-manager as desired.
- From a different machine than the one running libvirtd, launch virt-viewer from the command line
virt-viewer --connect qemu+tcp://somehostname/system GUEST-NAME
- It should prompt for username and password to connect to libvirtd
- It should then prompt for username and password to connect to VNC
Remote access with vinagre
- Start a guest on the virtualization host, using 'virsh start'
- Run 'virsh vncdisplay GUEST-NAME' and note the VNC display number
- From a desktop session on a different machine than the one running libvirtd, launch vinagre from the applications menu
- Open a new VNC connection in vinagre, providing the hostname and VNC display number just identified
- It should then prompt for username and password to connect to VNC
Results
For access method column, use one of
- Local virt-manager
- Remote virt-manager
- Remote virt-viewer
- Remote vinagre
User | Access method | Status | Comments |
---|---|---|---|
DanielBerrange | Remote virt-manager | FAIL | Connects to libvirt, connects to VNC, but closes connection because it doesn't know how to fetch a VNC username [rhbz #499589](https://bugzilla.redhat.com/show_bug.cgi?id=499589) |
DanielBerrange | Remote virt-viewer | FAIL | libvir: Remote error : Failed to start SASL negotiation: -4 (SASL(-4): no mechanism available: No worthy mechs found) [rhbz #499594](https://bugzilla.redhat.com/show_bug.cgi?id=499594) |
DanielBerrange | Remote virt-viewer | FAIL | Tried using qemu+ssh, and --direct flag to work around libvirt auth problem. Now prompts for VNC creds, but gives wrong data back to server [rhbz #499595](https://bugzilla.redhat.com/show_bug.cgi?id=499595) |