See Test_Day:2009-05-07_Virtualization_VNC_Authentication.
This test area is concerned with testing Digest-MD5 authentication for the VNC Authentication feature added in Fedora 11.
NB: Digest-MD5 auth is *not* considered a strong auth scheme by modern standards. It is merely useful for testing SASL integration in services like libvirt and VNC.
Initial setup
libvirtd setup
When using Digest-MD5 auth for VNC, it is intended that Digest-MD5 is also used for libvirt. Thus the first step is to get libvirtd using SASL + Digest-MD5 auth.
- Configure SASL Digest-MD5 for libvirt [1]
- Add --listen flag to /etc/sysconfig/libvirtd
- Set 'listen_tcp=1' in /etc/libvirt/libvirtd.conf
- Restart libvirtd daemon (service libvirtd restart)
- Verify it is listening on 0.0.0.0 (use netstat -t -l -p | grep libvirtd)
Now try to connect from a remote host
$ virsh --connect qemu+tcp://hostname/system
It should prompt for username+password previously configured. If this is working, move on...
QEMU setup
Now, it is time to configure SASL/Digest-MD5 for VNC
- Edit /etc/libvirt/qemu.conf
- Set vnc_sasl=1
- Set vnc_listen="0.0.0.0"
- Create /etc/sasl2/qemu.conf containing
mech_list: digest-md5
sasldb_path: /etc/libvirt/qemu-vnc-password.db
- Restart libvirtd (service libvirtd restart)
- Create password with a test user, entering password when prompted
# saslpasswd2 -a libvirt test
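The setup steps above can be checked before running the test cases. The following is an added example written for this page, not part of the Fedora test case or of libvirt: it parses the three files named in the steps and reports settings that differ from what the procedure sets. The finding IDs and the sample file contents are constructed for illustration.

```python
# Added example: pre-flight check for the libvirtd / QEMU SASL setup steps.
# Finding IDs and sample file contents are constructed, not from a real host.

def parse_conf(text, sep):
    """Parse 'key<sep>value' lines; drop # comments, blank lines and quotes."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if sep in line:
            key, value = line.split(sep, 1)
            conf[key.strip()] = value.strip().strip("\"'")
    return conf

def audit(libvirtd_conf, qemu_conf, sasl_qemu_conf):
    """Return finding IDs; an empty list means the files match the steps."""
    lv = parse_conf(libvirtd_conf, "=")     # /etc/libvirt/libvirtd.conf
    qe = parse_conf(qemu_conf, "=")         # /etc/libvirt/qemu.conf
    sa = parse_conf(sasl_qemu_conf, ":")    # /etc/sasl2/qemu.conf
    findings = []
    if lv.get("listen_tcp") != "1":
        findings.append("LIBVIRT_TCP_OFF")          # qemu+tcp:// cannot connect
    if qe.get("vnc_sasl") != "1":
        findings.append("VNC_SASL_OFF")             # no SASL prompt on the console
        if qe.get("vnc_listen") == "0.0.0.0":
            findings.append("VNC_EXPOSED_NO_AUTH")  # all interfaces, SASL disabled
    if sa.get("mech_list", "").lower().split() != ["digest-md5"]:
        findings.append("MECH_LIST_MISMATCH")       # test expects digest-md5 only
    if not sa.get("sasldb_path"):
        findings.append("SASLDB_PATH_MISSING")
    return findings

# Constructed samples mirroring the values given in the steps.
GOOD_LIBVIRTD = "listen_tcp = 1\n"
GOOD_QEMU = 'vnc_sasl = 1\nvnc_listen = "0.0.0.0"\n'
GOOD_SASL = ("mech_list: digest-md5\n"
             "sasldb_path: /etc/libvirt/qemu-vnc-password.db\n")
# vnc_sasl left commented out while vnc_listen is already opened up.
BAD_QEMU = '#vnc_sasl = 1\nvnc_listen = "0.0.0.0"\n'

if __name__ == "__main__":
    print(audit(GOOD_LIBVIRTD, GOOD_QEMU, GOOD_SASL))
    print(audit(GOOD_LIBVIRTD, BAD_QEMU, GOOD_SASL))
```

On a real host, pass the contents of the three files to `audit()`; `VNC_EXPOSED_NO_AUTH` is the one to fix before anything else, since the console is then reachable on every interface without a SASL prompt.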
Test case
Pick one of the access methods to test, or test several, and provide results at the bottom of the page
Local desktop access
- Run virt-manager from your desktop session and connect to the default QEMU connection
- PolicyKit should pop up a dialog to authenticate with the root password
- Start a previously installed guest OS
- Open the graphical console for the guest
- You should be prompted to enter a user and password before the VNC console is displayed
Remote access with virt-manager
- Run virt-manager from a different machine than the one running libvirtd
- Open a connection to the remote host, selecting 'Remote password or kerberos' as connection type
- virt-manager should prompt for username and password before opening libvirt connection
- Start a previously installed guest OS
- Open the graphical console for the guest
- You should be prompted to enter a user and password before the VNC console is displayed
Remote access with virt-viewer
- Start a guest on the virtualization host, using 'virsh start' or virt-manager as desired.
- From a different machine than the one running libvirtd, launch virt-viewer from the command line
virt-viewer --connect qemu+tcp://somehostname/system GUEST-NAME
- It should prompt for username and password to connect to libvirtd
- It should then prompt for username and password to connect to VNC
Remote access with vinagre
- Start a guest on the virtualization host, using 'virsh start'
- Run 'virsh vncdisplay GUEST-NAME' and note the VNC display number
- From a desktop session on a different machine than the one running libvirtd, launch vinagre from the applications menu
- Open a new VNC connection in vinagre, providing the hostname and VNC display number just identified
- It should then prompt for username and password to connect to VNC
Results
For access method column, use one of
- Local virt-manager
- Remote virt-manager
- Remote virt-viewer
- Remote vinagre
User | Access method | Status | Comments |
---|---|---|---|
DanielBerrange | Remote virt-manager | FAIL | Connects to libvirt, connects to VNC, but closes connection because it doesn't know how to fetch a VNC username |
DanielBerrange | Remote virt-viewer | FAIL | libvir: Remote error : Failed to start SASL negotiation: -4 (SASL(-4): no mechanism available: No worthy mechs found) |
DanielBerrange | Remote virt-viewer | FAIL | Tried using qemu+ssh, and --direct flag to workaround libvirt auth problem. Now prompts for VNC creds, but gives wrong data back to server |