On Fri, Apr 11, 2025 at 09:14:23PM +0200, Andreas Haumer via Users wrote:
> Hi!
>
> (I hope, this is the right list for my question. I already
> posted it to the debian-user ML, but someone pointed me to
> this list. Alas, there is no virt-manager ML anymore)

Hi,

virt-manager uses github discussions instead of ML.

> In our network we have several Debian systems working as VM host
> running QEMU+KVM based virtual machines.
>
> I usually use virt-manager on my workstation as GUI to connect
> to the VM host, manage the VMs and also to connect to the VM
> console if needed.
>
> To connect to the VM host I use SSH with public key authentication.
>
> On the commandline with virsh this looks like this (example):
>
> andreas@ws1:~> virsh -c qemu+ssh://root@maxwell/system
> Welcome to virsh, the virtualization interactive terminal.
>
> Type:  'help' for help with commands
>        'quit' to quit
>
> virsh #
>
> So far, so good.
>
> Recently I decided to increase our internal network security standards
> and activated 2FA with time-based one-time passwords on several hosts.
> (The idea is to eventually have 2FA for SSH for all users on all hosts
> in our network)
>
> This works very well and even quite comfortable with authenticator-apps
> on my smartphone or KeePassXC on my workstation generating the TOTP.
>
> Example:
>
> andreas@ws1:~> ssh root@mach
> Enter OTP:
> Linux mach 6.1.0-32-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.129-1 (2025-03-06) x86_64
> root@mach:~#
>
> So for a successful SSH connection I now have to enter a valid TOTP
> (generated by the authenticator app) and then it connects.
>
> Connecting to the host with virsh on the commandline also works in a similar
> way:
>
> andreas@ws1:~> virsh -c qemu+ssh://root@mach/system
> Enter OTP:
> Welcome to virsh, the virtualization interactive terminal.
>
> Type:  'help' for help with commands
>        'quit' to quit
>
> virsh #
>
> All fine. Works as designed...
>
> When I use virt-manager to connect to the VM host, the GUI opens
> a dialog asking for the OTP and then connects, showing the list of
> all configured VMs etc. I can also open the configuration of a
> given VM, manage and change it.
>
> All fine, too...
>
> But when I try to use virt-manager to connect to the console of a
> specific VM, it doesn't work as expected.
> virt-manager opens a new window for the console, but also endlessly
> keeps opening password entry dialogs.
> As soon as I enter the current OTP and click "ok", another dialog
> is opened, again asking for another OTP. And so on...
> (These are one-time passwords, valid for 30 seconds, which cannot be re-used)
>
> I can connect to the VM console with a SPICE viewer like remmina
> using SSH port forwarding like this:
>
> andreas@ws1:~> ssh -L 5906:localhost:5906 root@mach
> Enter OTP:
> root@mach:~#
>
> (where 5906 is the SPICE port for the VM in question)
>
> And then use remmina to connect to port 5906 on localhost.
> This gives me the SPICE console of the VM.
>
> Of course, this is not as comfortable as using virt-manager.
> But with virt-manager I haven't found a way to successfully
> connect to the VM console with 2FA in place.
>
> So, finally, my question: Did anyone on this list manage to
> use virt-manager to connect to a VM console using SSH with 2FA?

Currently this is expected behavior as virt-manager opens new tunnel for
each spice connection. Not sure if it is possible to change or how
difficult it would be to use only single ssh tunnel.

I have no experience with ssh+2fa but if ssh keys can be still used in
addition to password+totp users can copy their keys to the remote hosts
and avoid entering the password at all.

If your goal is to use only password+totp and not allowing ssh keys
virt-manager will ask for the password several times.

Pavel

> Thanks!
>
> - andreas
>
> --
> Andreas Haumer
> *x Software + Systeme   | mailto:andr...@xss.co.at
> Karmarschgasse 51/2/20  | https://www.xss.co.at/
> A-1100 Vienna, Austria  | Tel: +43-1-6060114
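The two server-side policies Pavel distinguishes (a key accepted as an alternative to password+TOTP, versus a TOTP demanded on every login) map onto OpenSSH's AuthenticationMethods directive. The fragment below is an added illustration for this thread, not configuration posted by Andreas, Pavel or the virt-manager project; it assumes PAM on the VM host is already set up to issue the "Enter OTP:" prompt, and that part is not shown.

```conf
# /etc/ssh/sshd_config  (illustrative fragment, not from the thread)
# Assumption: PAM on this host already asks for the TOTP; sshd only
# decides which combination of methods is sufficient.

UsePAM yes
# TOTP is collected through the keyboard-interactive path (PAM).
# On OpenSSH before 8.7 this directive is spelled
# ChallengeResponseAuthentication instead.
KbdInteractiveAuthentication yes
# A plain password on its own is never enough.
PasswordAuthentication no

# Variant A: a public key alone is sufficient; clients without a key
# fall back to whatever PAM asks for (password and/or TOTP).
# Space = "any one of these methods". Each ssh tunnel virt-manager
# spawns then authenticates with the key and no OTP dialog appears.
AuthenticationMethods publickey keyboard-interactive

# Variant B (stricter): key AND TOTP are both required for every session.
# Comma = "all of these, in order". Every new tunnel virt-manager opens
# for a console is a fresh session, so each one prompts for an OTP,
# which is the behaviour described in the question.
#AuthenticationMethods publickey,keyboard-interactive
```

Before reloading sshd, `sshd -t` checks the file for syntax errors, and `ssh -v user@host` on the client prints the "Authentications that can continue" list, which shows whether the host treats the key as sufficient on its own (variant A) or still requires the keyboard-interactive step afterwards (variant B).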