Hi.

On Tue, 29 Dec 2015 21:05:20 +0000
Andrew Wood <andrewjamesw...@ymail.com> wrote:

> On 30/10/15 09:36, Reco wrote:
> > Specifying $SOME_IP instead of 0.0.0.0 should be possible, although I
> > have to admit that I've never tried it (127.0.0.1 does not count). But
> > 'refused to start' lacks some specific details:
> > 1) What vnc stanza have you used?
> > 2) What's the list of IPs on the host that runs QEMU?
> >
> > VNC follows the simple rule: VNC port + 5900 = TCP port. So, you
> > should either use tcp port 11801, or specify 0.0.0.0:1.
> > Reco
>
> Sorry for the delay in picking this up, I do a bit of experimenting with
> it as and when.
>
> It works now, it was because I was trying to specify the port literally
> rather than +1. Who thought of that? It seems rather strange. Does that
> mean you can't put it on a port below 5900?

Not by QEMU itself:

$ qemu-system-x86_64 -vnc 127.0.0.1:-1
qemu-system-x86_64: Failed to start VNC server on `127.0.0.1:-1': can't
convert to a number: -1

It should be possible though if you use the 'nat' table of iptables, or any
port bouncer. For example, this should allow connecting to QEMU's VNC via
tcp port 443:

iptables -t nat -I PREROUTING -p tcp --dport 443 \
    -j REDIRECT --to-ports 5901

> Also is there any option in QEMU to require some sort of VNC
> authentication?

Yes. A basic form of authentication would look like this:

qemu-system-x86_64 -vnc 127.0.0.1:1,password=foo

Since supplying a password in a process' arguments is an extremely bad
idea, you'd probably better use SASL. See qemu-system-x86-64(1).

> I can't find anything online about it under QEMU but I
> believe the VNC protocol does support authentication?

Indeed it does. The trouble is that every form of VNC authentication is an
extension of the VNC protocol (and QEMU managed to implement its own
VNC-via-TLS, for example). QEMU's basic password authentication works
with the TightVNC client though.

> Would it for example be possible to ask it to verify a user's username &
> password against the standard Debian users file and even go one step
> further and allow or deny access to certain qemu guests based on the
> user's group?

Even such authentication is not possible via simple means, as that would
require two things:

1) Running QEMU as root. A very bad idea.
2) Implementing PAM authentication in QEMU. It is not there (yet?).

The best you can do is either have a 'one password fits all' security model,
or a custom SASL database of 'username-password' pairs.

If you manage to convince SASL to work with Kerberos, and to convince
Debian OS users to also authenticate with Kerberos, then you'll have an
illusion of what you're trying to achieve.

Reco
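
Added example, not part of the original message and not QEMU's own code: a small audit helper that applies the points above (display number + 5900 = TCP port, the bind address, and whether a password literal sits in the process arguments) to QEMU command lines. The function name, the sample command lines and the treatment of an empty host as "all interfaces" are assumptions made for illustration.

```python
import shlex

VNC_BASE_PORT = 5900  # rule from the message: display number + 5900 = TCP port
LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}

def audit_vnc(cmdline):
    """Return one finding dict per '-vnc host:display[,opts]' in a QEMU command line."""
    argv = shlex.split(cmdline)
    findings = []
    for i, arg in enumerate(argv[:-1]):
        if arg != "-vnc":
            continue
        addr, *raw_opts = argv[i + 1].split(",")
        host, _, display = addr.rpartition(":")
        if not display.isdigit():
            continue  # "none", unix sockets, or a display QEMU rejects (e.g. -1)
        # "password=foo" -> ("password", "foo"); bare "sasl" -> ("sasl", "")
        opts = dict(o.partition("=")[::2] for o in raw_opts)
        password = opts.get("password")  # None when the option is absent
        sasl = opts.get("sasl")
        findings.append({
            "listen": host or "0.0.0.0",  # assumption: empty host = all interfaces
            "tcp_port": VNC_BASE_PORT + int(display),
            "exposed": host not in LOOPBACK,
            "auth": (password is not None and password != "off")
                    or (sasl is not None and sasl != "off"),
            # anything other than a bare flag / on / off is a literal readable via ps
            "password_in_args": password not in (None, "", "on", "off"),
        })
    return findings

# Constructed sample command lines, not taken from a real host.
SAMPLES = [
    "qemu-system-x86_64 -vnc 127.0.0.1:1,password=foo",
    "qemu-system-x86_64 -m 1024 -vnc 0.0.0.0:1",
    "qemu-system-x86_64 -vnc 127.0.0.1:1,sasl",
]

if __name__ == "__main__":
    for line in SAMPLES:
        for f in audit_vnc(line):
            flags = [k for k in ("exposed", "password_in_args") if f[k]]
            if not f["auth"]:
                flags.append("no_auth")
            print(f"{f['listen']}:{f['tcp_port']}", ",".join(flags) or "ok")
```

On a live host the same function can be fed the contents of /proc/<pid>/cmdline for each QEMU process, with the NUL separators replaced by spaces.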