Re: QEMU
Hi.
On Tue, 29 Dec 2015 21:05:20 +0000
Andrew Wood <andrewjameswood@ymail.com> wrote:
> On 30/10/15 09:36, Reco wrote:
> > Specifying $SOME_IP instead of 0.0.0.0 should be possible, although I
> > have to admit that I've never tried it (127.0.0.1 does not count). But
> > 'refused to start' lacks some specific details: 1) What vnc stanza
> > have you used? 2) What's the list of IPs on the host that runs QEMU?
>
> > VNC follows the simple rule: VNC port + 5900 = TCP port. So, you
> > should either use tcp port 11801, or specify 0.0.0.0:1. Reco
>
> Sorry for the delay in picking this up, I do a bit of experimenting with
> it as and when.
>
> It works now; it was because I was trying to specify the port literally
> rather than +1. Who thought of that? It seems rather strange. Does that
> mean you can't put it on a port below 5900?
Not by QEMU itself:

$ qemu-system-x86_64 -vnc 127.0.0.1:-1
qemu-system-x86_64: Failed to start VNC server on `127.0.0.1:-1': can't
convert to a number: -1

It should be possible though if you use the 'nat' table of iptables, or
any port bouncer. For example, this should allow connecting to QEMU's VNC
via tcp port 443:

iptables -t nat -I PREROUTING -p tcp --dport 443 \
    -j REDIRECT --to-ports 5901

> Also is there any option in QEMU to require some sort of VNC
> authentication?
Yes. A basic form of authentication would look like this:

qemu-system-x86_64 -vnc 127.0.0.1:1,password=foo

Since supplying a password in process' arguments is an extremely bad
idea - you'd probably better use SASL. See qemu-system-x86_64(1).

> I can't find anything online about it under QEMU but I
> believe the VNC protocol does support authentication?
Indeed it does. The trouble is - every form of VNC authentication is an
extension of VNC protocol, and QEMU managed to implement its own
(VNC-via-TLS, for example). QEMU's basic password authentication
works with TightVNC client though.
> Would it for example be possible to ask it to verify a user's username &
> password against the standard Debian users file and even go one step
> further and allow or deny access to certain qemu guests based on the
> user's group?
Even such authentication is not possible via simple means, as that
would require two things:
1) Running QEMU as root. A very bad idea.
2) Implementing PAM authentication in QEMU. It is not there (yet?).
Best you can do is either have 'one password fits all' security model,
or a custom 'username-password' pairs SASL database. If you manage to
convince SASL to work with Kerberos, and to convince Debian OS users
to also authenticate with Kerberos - then you'll have an illusion of what
you're trying to achieve.
Reco
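
An added example, not part of the message above and not QEMU code: a small Python audit of QEMU command lines for the points raised in this thread (display number to TCP port, bind address, authentication, password in process arguments). The name `audit_vnc` and the sample command lines are constructed; accepting `sasl` and `password` either as bare flags or with `on`/`off` values is an assumption about how they may be written.

```python
import ipaddress
import shlex

VNC_BASE_PORT = 5900  # display N listens on TCP port 5900 + N (rule from the thread)


def audit_vnc(cmdline):
    """Return (tcp_port, findings) for the -vnc argument of one QEMU command line."""
    argv = shlex.split(cmdline)
    if "-vnc" not in argv or argv.index("-vnc") + 1 >= len(argv):
        return None, ["no -vnc argument"]
    address, *raw_opts = argv[argv.index("-vnc") + 1].split(",")
    if address == "none" or address.startswith("unix:"):
        return None, []  # no TCP listener to audit
    host, sep, display = address.rpartition(":")
    if not sep or not display.isdigit():
        # QEMU itself rejects this, e.g. 127.0.0.1:-1 in the thread
        return None, [f"display {display!r} is not a non-negative number"]
    # "password=foo" -> {"password": "foo"}, bare "sasl" -> {"sasl": ""}
    opts = dict(o.partition("=")[::2] for o in raw_opts)

    def enabled(name):
        return name in opts and opts[name] != "off"

    findings = []
    try:
        loopback = ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        loopback = host == "localhost"  # an empty host means all interfaces
    if not loopback:
        findings.append("listens on a non-loopback address")
    if not (enabled("password") or enabled("sasl")):
        findings.append("no authentication configured")
    if opts.get("password", "") not in ("", "on", "off"):
        findings.append("password value visible in process arguments")
    return VNC_BASE_PORT + int(display), findings


# Constructed sample command lines (not taken from a real host).
SAMPLES = [
    "qemu-system-x86_64 -vnc 0.0.0.0:1",
    "qemu-system-x86_64 -vnc 127.0.0.1:1,password=foo",
    "qemu-system-x86_64 -vnc 127.0.0.1:1,sasl",
    "qemu-system-x86_64 -vnc 127.0.0.1:-1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", audit_vnc(line))
```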