QA:Testcase Virtualization VNC Authentication Digest MD5

From FedoraProject

Jump to: navigation, search

See Test_Day:2009-05-07_Virtualization_VNC_Authentication.

This test area is concerned with testing Digest-MD5 authentication for the VNC Authentication feature added in Fedora 11.

NB, Digest-MD5 auth is *not* considered a strong auth scheme by modern standards. It is merely useful for testing SASL integration in services like libvirt / vnc

Contents

Initial setup

libvirtd setup

When using Digest-MD5 auth for VNC, it is intended that Digest-MD5 is also used for libvirt. Thus the first step is to get libvirtd using SASL + Digest-MD5 auth

  • Configure SASL Digest_MD5 for libvirt [1]
  • Add --listen flag to /etc/sysconfig/libvirtd
  • Set the 'listen_tcp=1' in /etc/libvirt/libvirtd.conf
  • Restart libvirtd daemon (service libvirtd restart)
  • Verify it is listening on 0.0.0.0 (use netstat -t -l -p | grep libvirtd)

Now try to connect from remote host

  $ virsh --connect qemu+tcp://hostname/system

It should prompt for username+password previously configured. If this is working, move on...

QEMU setup

Now, it is time to configure SASL/Digest-MD5 for VNC

  • Edit /etc/libvirt/qemu.conf
  • Set vnc_sasl=1
  • Set vnc_listen="0.0.0.0"
  • Create /etc/sasl2/qemu.conf containing
 mech_list: digest-md5
 sasldb_path: /etc/libvirt/qemu-vnc-password.db
  • Restart libvirtd (service libvirtd restart)
  • Create password with a test user, entering password when prompted
 # saslpasswd2 -a libvirt  test

Test case

Pick one of the access method to test, or test several, and provide results at bottom of page

Local desktop access

  1. Run virt-manager from your desktop session and connect to the default QEMU connection
  2. PolicyKit should popup a dialog to authenticate with root password
  3. Start a previously installed guest OS
  4. Open the graphical console for the guest
  5. You should be prompted to enter a user and password before the VNC console is displayed

Remote access with virt-manager

  1. Run virt-manager from a different machine than the one running libvirtd
  2. Open a connection to the remote host, selecting 'Remote password or kerberos' as connection type
  3. virt-manager should prompt for username and password before opening libvirt connection
  4. Start a previously installed guest OS
  5. Open the graphical console for the guest
  6. You should be prompted to enter a user and password before the VNC console is displayed

Remote access with virt-viewer

  1. Start a guest on the virtualization host, using 'virsh start' or virt-manager as desired.
  2. From a different machine than the one running libvirtd, launch virt-viewer from the command line
      virt-viewer --connect qemu+tcp://somehostname/system GUEST-NAME
  1. It should prompt for username and password to connect to libvirtd
  2. It should then prompt for username and password to connect to VNC

Remote access with vinagre

  1. Start a guest on the virtualization host, using 'virsh start'
  2. Run 'virsh vncdisplay GUEST-NAME' and note the VNC display number
  3. From a desktop session on a different machine than the one running libvirtd, launch vinagre from the applications menu
  4. Open a new VNC connection in vinagre, providing the hostname and VNC display number just identified
  5. It should then prompt for username and password to connect to VNC

Results

For access method column, use one of

  1. Local virt-manager
  2. Remote virt-manager
  3. Remote virt-viewer
  4. Remote vinagre
User Access method Status Comments
DanielBerrange Remote virt-manager FAIL Connects to libvirt, connects to VNC, but closes connection because it doesn't know how to fetch a VNC username rhbz #499589
DanielBerrange Remote virt-viewer FAIL libvir: Remote error : Failed to start SASL negotiation: -4 (SASL(-4): no mechanism available: No worthy mechs found) rhbz #499594
DanielBerrange Remote virt-viewer FAIL Tried using qemu+ssh, and --direct flag to workaround libvirt auth problem. Now prompts for VNC creds, but gives wrong data back to server rhbz #499595