QA:Testcase Virtualization VNC Authentication Digest MD5

See Test_Day:2009-05-07_Virtualization_VNC_Authentication.

This test area is concerned with testing Digest-MD5 authentication for the VNC Authentication feature added in Fedora 11.

NB, Digest-MD5 auth is *not* considered a strong auth scheme by modern standards. It is merely useful for testing SASL integration in services like libvirt / vnc

= Initial setup =

libvirtd setup
When using Digest-MD5 auth for VNC, it is intended that Digest-MD5 is also used for libvirt. Thus the first step is to get libvirtd using SASL + Digest-MD5 auth


 * Configure SASL Digest_MD5 for libvirt
 * Add --listen flag to /etc/sysconfig/libvirtd
 * Set the 'listen_tcp=1' in /etc/libvirt/libvirtd.conf
 * Restart libvirtd daemon (service libvirtd restart)
 * Verify it is listening on 0.0.0.0 (use netstat -t -l -p | grep libvirtd)

Now try to connect from remote host $ virsh --connect qemu+tcp://hostname/system

It should prompt for username+password previously configured. If this is working, move on...

QEMU setup
Now, it is time to configure SASL/Digest-MD5 for VNC


 * Edit /etc/libvirt/qemu.conf
 * Set vnc_sasl=1
 * Set vnc_listen="0.0.0.0"
 * Create /etc/sasl2/qemu.conf containing

mech_list: digest-md5 sasldb_path: /etc/libvirt/qemu-vnc-password.db


 * Restart libvirtd (service libvirtd restart)
 * Create password with a test user, entering password when prompted

# saslpasswd2 -a libvirt test

= Test case =

Pick one of the access method to test, or test several, and provide results at bottom of page

Local desktop access

 * 1) Run virt-manager from your desktop session and connect to the default QEMU connection
 * 2) PolicyKit should popup a dialog to authenticate with root password
 * 3) Start a previously installed guest OS
 * 4) Open the graphical console for the guest
 * 5) You should be prompted to enter a user and password before the VNC console is displayed

Remote access with virt-manager

 * 1) Run virt-manager from a different machine than the one running libvirtd
 * 2) Open a connection to the remote host, selecting 'Remote password or kerberos' as connection type
 * 3) virt-manager should prompt for username and password before opening libvirt connection
 * 4) Start a previously installed guest OS
 * 5) Open the graphical console for the guest
 * 6) You should be prompted to enter a user and password before the VNC console is displayed

Remote access with virt-viewer

 * 1) Start a guest on the virtualization host, using 'virsh start' or virt-manager as desired.
 * 2) From a different machine than the one running libvirtd, launch virt-viewer from the command line

virt-viewer --connect qemu+tcp://somehostname/system GUEST-NAME


 * 1) It should prompt for username and password to connect to libvirtd
 * 2) It should then prompt for username and password to connect to VNC

Remote access with vinagre

 * 1) Start a guest on the virtualization host, using 'virsh start'
 * 2) Run 'virsh vncdisplay GUEST-NAME' and note the VNC display number
 * 3) From a desktop session on a different machine than the one running libvirtd, launch vinagre from the applications menu
 * 4) Open a new VNC connection in vinagre, providing the hostname and VNC display number just identified
 * 5) It should then prompt for username and password to connect to VNC

= Results =

For access method column, use one of


 * 1) Local virt-manager
 * 2) Remote virt-manager
 * 3) Remote virt-viewer
 * 4) Remote vinagre