KVM - The Linux Kernel-Based Virtual Machine
News, Blogs and Resources on the Linux (KVM) Kernel-Based Virtual Machine

Securing your VNC headless guest with simple passwords

Using a vncserver with your KVM virtual machine allows you to run the virtual machine “headless”. Some time ago I wrote a topic on how to run your KVM machine headless that can be found here, but I didn’t mention anything about securing your vncserver.

Securing your vncserver with basic passwords only involves using the password keyword argument to the vnc option when starting your KVM machine as follows:

qemu-system-x86_64 -hda windows -vnc :1,password -m 512 -monitor stdio

It is necessary to use the -monitor option when using the -vnc option in order to get access to the qemu monitor. After starting your machine with the above command, you will not be able to access it with vnc until you set a password. To set the vnc password, go into the qemu monitor window (specified using the -monitor option) and type change vnc password as shown below.

(qemu) change vnc password
Password: ********
(qemu)

You will now be able to access your headless machine from any vnc client using password authentication. Personally I like tightvnc, which can be found at www.tightvnc.com and is free, but you can use whichever client you want. The password option, along with more options for security, is documented on the official qemu page at http://bellard.org/qemu/qemu-doc.html#SEC38. Note that a plain vnc password is not the strongest security option, as explained at the qemu link above, but if you want quick and dirty security, it is the quickest option. For stronger security, the recommended way is to use certificates and TLS for encryption, which takes a little more configuration.
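As an added example (not from the original post or from the QEMU project), the shell function below classifies what a -vnc argument value exposes: the TCP port, the listening scope, and whether a password or TLS is requested. It goes beyond the command above by also handling address-bound forms such as 127.0.0.1:1; the function name, output fields and verdict labels are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: classify what a QEMU -vnc argument value exposes.
# audit_vnc_arg, its output fields and verdict labels are assumptions of this sketch.
audit_vnc_arg() {
    spec=$1
    addr=${spec%%,*}                      # host:display part, before any options
    opts=""
    case $spec in *,*) opts=${spec#*,} ;; esac

    case $addr in
        none)   echo "listener=none"; return 0 ;;
        unix:*) echo "listener=unix-socket"; return 0 ;;
        *:*)    ;;
        *)      echo "error=unparsed"; return 2 ;;
    esac
    host=${addr%:*}
    display=${addr##*:}
    case $display in ''|*[!0-9]*) echo "error=bad-display"; return 2 ;; esac
    port=$((5900 + display))              # display :1 listens on TCP 5901

    case $host in
        127.*|localhost|'[::1]') bind=loopback ;;
        ''|0.0.0.0|'[::]')       bind=all-interfaces ;;
        *)                       bind=$host ;;
    esac

    auth=none; tls=no
    old_ifs=$IFS; IFS=,
    for o in $opts; do
        case $o in
            password|password=on) auth=password ;;
            sasl|sasl=on)         auth=sasl ;;
            tls|tls-creds=*)      tls=yes ;;
        esac
    done
    IFS=$old_ifs

    if   [ "$bind" = loopback ]; then verdict=local-only     # reachable only from the host itself
    elif [ "$auth" = none ];     then verdict=open           # no authentication on a network listener
    elif [ "$tls" = no ];        then verdict=password-only  # authenticated, session not encrypted
    else                              verdict=tls
    fi
    echo "port=$port bind=$bind auth=$auth tls=$tls verdict=$verdict"
}

# Constructed sample values, including the forms used on this page.
for v in ':1,password' '127.0.0.1:1' ':0' '0.0.0.0:2,password,tls-creds=tls0'; do
    printf '%-36s %s\n' "$v" "$(audit_vnc_arg "$v")"
done
```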


Comments

Another way to secure VNC connections

Great information. However, there is another way to secure VNC traffic that is simple to deploy. Simply use OpenSSH and port forwarding.

With OpenSSH Server installed (Debian: sudo apt-get install openssh-server) on the host system, you can start the KVM virtual with the option:
-vnc 127.0.0.1:1

This will listen only on the local interface, so remote connections cannot be made.

Then use the secure SSH client to connect from a remote system, and forward the port over the connection:

ssh -L 8888:127.0.0.1:5901 mylogin@hostname

-where hostname is the host name or IP of the hosting server
-5901 is the assigned VNC listening channel (5900 + the channel number I started the KVM guest with ":1")
-mylogin is an account with SSH access on the host server, and access to the KVM guest
-8888 is my local port that I will now securely connect to with

vncviewer localhost:8888

This will connect your VNC client to the system specified.

This secures remote connections. Using the "password" option is still useful to limit access from the host's console for local connections.

Thanks for all the useful tips you have on your site.

ssh option

Hi Dave,

Thanks for your comments. There was another comment referring to the ssh option in another article I wrote about running guest headless at the following link.


Running VNC Guest headless

I wanted to point out the quickest and easiest way to secure a VM guest although it certainly isn't the best as authentication is not encrypted. However, thanks for pointing out the additional options.

I should have clicked the

I should have clicked the link in the second line; I would have seen it. Feel free to delete my redundant post...

When I start a kvm as a

When I start a kvm as a daemon, how can I access the monitor? The machine can only be accessed by ssh. I am using Debian Lenny and just can't figure it out.

Good question J, Doesn't seem

Good question J,

Doesn't seem that this feature is documented anywhere that I could find so I wrote a post about it here.

Access monitor across the network

See if this helps.

I installed RHEV-H 5.4 on

I installed RHEV-H 5.4 on Intel VT machine and installed RHEBV - manager on windows 2003 server. The connection to manager was successful while installing the hypervisor but no entry is updated in the list of hosts in the manager.

Change password forever

How can I change the vnc password in -daemonize mode? I don't want to set it every time I start the virtual machines.
Thank you!

Oops, I think I've messed up

Oops, I think I've messed up things a little. I have run the KVM machine headless for quite a while now, but it has never crossed my mind that I should use a password in order to increase security. I do have a good antivirus and, considering few people use my computer, everything should be OK, but I will make sure to update it and use a password though, just to be sure nothing goes wrong.
