KVM - The Linux Kernel-Based Virtual Machine
News, Blogs and Resources on the Linux (KVM) Kernel-Based Virtual Machine
Password protect VNC console
July 7, 2008 - 12:39pm
I have been unable to find a way to set a per VM vnc password (I know I can set a global VNC password but I woyuld want to have a different for each VM).
According to here: http://libvirt.org/formatdomain.html#elementsGraphics one should be able to set one in the xml file but when I have tried it seems to simply be ignored
graphics type='vnc' port='5904' password='whatever'
(vnc works fine but ignores the password)
Has anyone gotten this to work?
Just wondering if I should file a bug report or if it is me messing up somewhere.
I've run into the same block. Has anyone found a workaround for this bug?
One potential workaround is to just run a vncserver at the shell prompt (tight vncserver for instance). It allows password protection. Then direct all your qemu VMs to not create their own VNC server but just use SDL with your X11 DISPLAY set to the VNC server you launched.
Interesting approach. I will have to try that. Unfortunately, this server is headless and without X... for now, I'm going to stick with Xen which gives me better performance and has more VNC options.
I haven't needed this before, but I think that I would fix it with a SSH-tunnel. This would allow you to use passwords as well as certificates (eg. secret keyfiles) to access your server and it would also encrypt your VNC-traffic on your LAN...
I'm thinking about something like the following:
1. Setup SSHd on your KVM-server.
2. Block all incoming connections to VNC, except from localhost.
3. Create a tunnel from a client to your server with something like:
ssh -N -L 5901:localhost:5901 ssh_user@kvm_server
This will create a encrypted tunnel from port 5901 (VNC port 1) on your server to 5901 on your client.
4. On your client connect with VNC through the encrypted SSH-tunnel:
vncviewer localhost:1
5. Make sure that your client blocks incomming connections, so other people can't connect to your VNC-service running on your client :)
You can probably do this in a smarter way to make it a one-line command, but I'm too tired to think it through now ;)
Best Regards
Kenni
...I just tested it out myself, for some reason the VNC-connection is much faster through SSH (with standard settings) than when making the connection directly. And if you optimize it by using the blowfish-algoritm, it will be even faster:
ssh -c blowfish-cbc -N -L 5901:localhost:5901 ssh_user@kvm_server
...and now I just found out that vncviewer support such SSH-connections out-of the box :-D
New easier solution:
1. Setup SSHd on your KVM-server.
2. Block all incoming connections to VNC, except from localhost.
3. Connect from your client with:
vncviewer -via ssh_user@kvm_server localhost:1
Best Regards
Kenni
...and you probably don't even need to block the incoming connections to VNC, it seems like you can setup VNC to only listen on for connections from localhost, if you add an argument like:
listen='127.0.0.1'
to the vnc-line in your xml-file.
Kenni
The correct syntaxt is:
graphics type='vnc' port='5904' passwd='whatever'
Post new comment