Daniel P. Berrange wrote:
On Mon, Jun 08, 2009 at 02:00:58PM +0200, Christian Weyermann wrote:
> Daniel P. Berrange wrote:
>
>> On Mon, Jun 08, 2009 at 11:35:00AM +0200, Christian Weyermann wrote:
>>
>>
>>> Hello everybody,
>>>
>>> I encountered the following problem. I want my users to only be able to
>>> connect to their own virtual machines via VNC. Is there any way to do so?
>>>
>>>
>> The VNC authentication setup is currently being done per-host, so there
>> is no way to define ACLs per-(user,vm) tuple as you describe.
>>
>>
> Do you think there might be a chance of reaching this goal anyway, using
> VNC-Kerberos Auth via SASL, as the virt-viewer supports SASL?
>
No, afraid that won't help you. The key issue is that there is no way to
specify authorization data on a per-VM basis. So if you authenticate
successfully you have access. We need to add a way to check the authenticated
username against an access control list of some form.

Do you have any idea when this issue will be tackled?

Best Regards,
Chris