
Re: QEMU



	Hi.

On Tue, 29 Dec 2015 21:05:20 +0000
Andrew Wood <andrewjameswood@ymail.com> wrote:

> On 30/10/15 09:36, Reco wrote:
> > Specifying $SOME_IP instead of 0.0.0.0 should be possible, although I 
> > have to admit that I've never tried it (127.0.0.1 does not count). But 
> > 'refused to start' lacks some specific details: 1) What vnc stanza 
> > have you used? 2) What's the list of IPs on the host that runs QEMU?
> 
> > VNC follows the simple rule: VNC port + 5900 = TCP port. So, you 
> > should either use tcp port 11801, or specify 0.0.0.0:1. Reco 
> 
> Sorry for the delay in picking this up, I do a bit of experimenting with 
> it as and when.
> 
> It works now; it was because I was trying to specify the port literally 
> rather than +1. Who thought of that? It seems rather strange. Does that 
> mean you can't put it on a port below 5900?

Not by QEMU itself:

$ qemu-system-x86_64 -vnc 127.0.0.1:-1
qemu-system-x86_64: Failed to start VNC server on `127.0.0.1:-1': can't
convert to a number: -1

It should be possible though if you use the 'nat' table of iptables, or any
port bouncer. For example, this should allow you to connect to QEMU's VNC
via tcp port 443:

iptables -t nat -I PREROUTING -p tcp --dport 443 \
-j REDIRECT --to-ports 5901


> Also is there any option in QEMU to require some sort of VNC 
> authentication?

Yes. A basic form of authentication would look like this:

qemu-system-x86_64 -vnc 127.0.0.1:1,password=foo

Since supplying a password in a process's arguments is an extremely bad
idea - you'd probably better use SASL. See qemu-system-x86_64(1).

> I can't find anything online about it under QEMU but I 
> believe the VNC protocol does support authentication? 

Indeed it does. The trouble is - every form of VNC authentication is an
extension of VNC protocol (and QEMU managed to implement its own
VNC-via-TLS, for example). QEMU's basic password authentication
works with TightVNC client though.


> Would it for example be possible to ask it to verify a user's username &
> password against the standard Debian users file and even go one step
> further and allow or deny access to certain qemu guests based on the
> user's group?

Even such authentication is not possible via simple means, as that
would require two things:

1) Running QEMU as root. A very bad idea.
2) Implementing PAM authentication in QEMU. It is not there (yet?).

Best you can do is either have a 'one password fits all' security model,
or a custom 'username-password' pairs SASL database. If you manage to
convince SASL to work with Kerberos, and to convince Debian OS users
to also authenticate with Kerberos - then you'll have an illusion of what
you're trying to achieve.

Reco
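
The display-to-port rule and the password-in-arguments concern from this thread, as an added example that is not part of the original message: a shell check that takes the value passed to `-vnc`, derives the TCP port, and flags non-loopback binds, missing authentication, and a secret in the process arguments. The finding names and sample values are constructed; the boolean spellings `password=on|off` and `sasl=on|off` come from newer QEMU releases and are an assumption beyond what the thread shows.

```shell
#!/bin/sh
# Added example, not from the original message: audit a QEMU -vnc value.

# Print the TCP port for a -vnc value: display number + 5900.
# Returns 1 when there is no numeric display (none, unix:PATH, ":-1").
vnc_port() {
    addr=${1%%,*}                          # drop ",option" suffixes
    case $addr in none|unix:*) return 1 ;; esac
    display=${addr##*:}                    # text after the last colon
    case $display in ''|*[!0-9]*) return 1 ;; esac
    echo $((display + 5900))
}

# Print "port=N" followed by space-separated findings for a -vnc value.
vnc_audit() {
    port=$(vnc_port "$1") || { echo "no-tcp-listener"; return 0; }
    addr=${1%%,*}; host=${addr%:*}
    case $1 in *,*) opts=${1#*,} ;; *) opts= ;; esac
    out="port=$port"
    case $host in
        127.0.0.1|localhost|'[::1]') ;;    # reachable from this host only
        *) out="$out non-loopback" ;;      # empty host and 0.0.0.0 mean all interfaces
    esac
    auth=no
    for o in $(echo "$opts" | tr ',' ' '); do
        case $o in
            password=off|sasl=off) ;;
            password|password=on|sasl|sasl=on) auth=yes ;;
            # Any other value is a secret readable in the process arguments.
            password=*) auth=yes; out="$out secret-in-argv" ;;
        esac
    done
    [ "$auth" = yes ] || out="$out no-auth"
    echo "$out"
}

# Constructed sample values, including the forms shown in this thread.
for v in 0.0.0.0:1 127.0.0.1:1,password=foo 127.0.0.1:1,sasl none; do
    printf '%-28s %s\n' "$v" "$(vnc_audit "$v")"
done
```

To audit a running host, feed the function the argument that follows `-vnc` in each QEMU process's command line.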

