[libvirt] Accessing libvirtd remotely as non-root user

I manage libvirtd on a few remote machines, and my security policies require me to disable root login via SSH. Up to this point, I've been using root due to the systems being in staging, but this is the final step before they're moved to production.

What is the current prescribed method of connecting virt-manager or virsh to a remote system with a non-root account? I keep getting "authentication failed: no agent is available to authenticate" with a user that is in the kvm and qemu groups on the systems I've tried using the ssh transport.

Thanks in advance,
Dan

-- 
Dan Mossor, RHCSA
Systems Engineer
Fedora Server WG | Fedora KDE WG | Fedora QA Team
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA

On Thu, Jun 11, 2015 at 05:26:20PM -0500, Dan Mossor wrote:
> I manage libvirtd on a few remote machines, and my security policies require me to disable root login via SSH. Up to this point, I've been using root due to the systems being in staging, but this is the final step before they're moved to production.
>
> What is the current prescribed method of connecting virt-manager or virsh to a remote system with a non-root account? I keep getting "authentication failed: no agent is available to authenticate" with a user that is in the kvm and qemu groups on the systems I've tried using the ssh transport.

This guide ought to help you set it up

http://wiki.libvirt.org/page/SSHPolicyKitSetup

Regards,
Daniel

-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On 06/12/2015 03:48 AM, Daniel P. Berrange wrote:
> On Thu, Jun 11, 2015 at 05:26:20PM -0500, Dan Mossor wrote:
>> I manage libvirtd on a few remote machines, and my security policies require me to disable root login via SSH. Up to this point, I've been using root due to the systems being in staging, but this is the final step before they're moved to production.
>>
>> What is the current prescribed method of connecting virt-manager or virsh to a remote system with a non-root account? I keep getting "authentication failed: no agent is available to authenticate" with a user that is in the kvm and qemu groups on the systems I've tried using the ssh transport.
>
> This guide ought to help you set it up
>
> http://wiki.libvirt.org/page/SSHPolicyKitSetup
>
> Regards,
> Daniel

Hmmm... I've created the polkit rule as stated in [1], but I still received the "no agent is available to authenticate" error. Do I need to restart anything to pick it up?

Dan

[1] https://goldmann.pl/blog/2012/12/03/configuring-polkit-in-fedora-18-to-acces...

-- 
Dan Mossor, RHCSA
Systems Engineer
Fedora Server WG | Fedora KDE WG | Fedora QA Team
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA

On 06/12/2015 03:48 AM, Daniel P. Berrange wrote:
> On Thu, Jun 11, 2015 at 05:26:20PM -0500, Dan Mossor wrote:
>> I manage libvirtd on a few remote machines, and my security policies require me to disable root login via SSH. Up to this point, I've been using root due to the systems being in staging, but this is the final step before they're moved to production.
>>
>> What is the current prescribed method of connecting virt-manager or virsh to a remote system with a non-root account? I keep getting "authentication failed: no agent is available to authenticate" with a user that is in the kvm and qemu groups on the systems I've tried using the ssh transport.
>
> This guide ought to help you set it up
>
> http://wiki.libvirt.org/page/SSHPolicyKitSetup
>
> Regards,
> Daniel

Ok, so I finally got it working.

The SSHPolicyKitSetup page at the libvirt wiki states right at the top that "As of polkit 0.106 the .pkla format is no more, and these configuration files must be written in Javascript." Further down the page, it reinforces this statement with "The information in this section is obsolete; see the top of this page for more information."

However, both of those statements are incorrect. Following the directions provided by [1] from the wiki page produced zero results - the operation still failed with "authentication failed: no agent is available to authenticate" when attempting to connect. Various hits from a Google search on that specific error string found _plenty_ of recent forum posts (recent as in less than 6 months old) with the exact same issue as me, with zero solutions.

I did see one promising thing in passing: that polkit-pkla-compat is still shipped by default as part of the polkit suite. So, further digging led me to [2], which in essence was the section of the libvirt wiki page that the page claimed was obsolete. Creating the .pkla authorization file finally enabled non-root privileged user management of a remote KVM host.

Now, the next step is to tie the polkit authorization into LDAP. More research....

Dan

[1] http://goldmann.pl/blog/2012/12/03/configuring-polkit-in-fedora-18-to-access...
[2] https://fedorapeople.org/groups/docs/cookbook/#access-to-libvirt-without-roo...

-- 
Dan Mossor, RHCSA
Systems Engineer
Fedora Server WG | Fedora KDE WG | Fedora QA Team
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA
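The two polkit grants this thread is about, written out as an added example (not code from the original posts, the libvirt wiki, or the Fedora cookbook). The underlying point is that membership in the kvm or qemu groups does not by itself authorize a client on the libvirt system socket: polkitd decides on the org.libvirt.unix.manage action, and over an ssh transport there is no authentication agent to fall back to, which is exactly the "no agent is available to authenticate" message. The script below installs a JavaScript rule for polkit >= 0.106 and, alongside it, the .pkla file that polkit-pkla-compat still reads, so it works whichever backend the host actually honours. The group name "libvirt", the default directory /etc/polkit-1, and the host and user in the usage comments are assumptions; substitute what your policy defines. Note that this action is root-equivalent on the host (a qemu:///system client can define a guest with any host block device attached), so the group deserves the same scrutiny as sudoers.

```shell
#!/bin/sh
# Added example for this thread, not from the original posts or the libvirt project.
# Writes the two polkit grants that let a non-root SSH user manage qemu:///system
# without an authentication agent:
#   - a JavaScript rule for polkit >= 0.106     (POLKIT_DIR/rules.d/*.rules)
#   - a .pkla stanza for polkit-pkla-compat     (POLKIT_DIR/localauthority/50-local.d/)
# Assumptions (hypothetical, adjust to your site): the admin group is named
# "libvirt" and POLKIT_DIR is /etc/polkit-1.  org.libvirt.unix.manage is
# root-equivalent on the host, so keep that group small.

set -eu

LIBVIRT_ACTION="org.libvirt.unix.manage"

# Print the polkit >= 0.106 rule (JavaScript) granting GROUP the action.
libvirt_polkit_rule() {
    group="$1"
    cat <<EOF
/* Allow members of the ${group} group to manage libvirt without a password. */
polkit.addRule(function(action, subject) {
    if (action.id == "${LIBVIRT_ACTION}" &&
        subject.isInGroup("${group}")) {
        return polkit.Result.YES;
    }
});
EOF
}

# Print the equivalent .pkla stanza read by polkit-pkla-compat.
libvirt_pkla() {
    group="$1"
    cat <<EOF
[Allow group ${group} libvirt management permissions]
Identity=unix-group:${group}
Action=${LIBVIRT_ACTION}
ResultAny=yes
ResultInactive=yes
ResultActive=yes
EOF
}

# Install both files under POLKIT_DIR for GROUP.  Mode 0644: polkitd must be
# able to read them, and a group-writable rule file would let that group grant
# itself any polkit action, not just this one.
install_libvirt_polkit() {
    polkit_dir="$1"
    group="$2"
    mkdir -p "${polkit_dir}/rules.d" "${polkit_dir}/localauthority/50-local.d"
    libvirt_polkit_rule "${group}" > "${polkit_dir}/rules.d/50-libvirt.rules"
    libvirt_pkla "${group}" > "${polkit_dir}/localauthority/50-local.d/50-libvirt.pkla"
    chmod 0644 "${polkit_dir}/rules.d/50-libvirt.rules" \
               "${polkit_dir}/localauthority/50-local.d/50-libvirt.pkla"
}

# Ask polkitd from an ordinary SSH shell whether this process may perform the
# action.  Without --allow-user-interaction pkcheck fails instead of prompting,
# which is the same situation a remote virsh is in; a non-zero exit means the
# grant is not in effect for this login yet.
check_libvirt_access() {
    pkcheck --action-id "${LIBVIRT_ACTION}" --process "$$"
}

# Usage on the KVM host, as root:
#   install_libvirt_polkit /etc/polkit-1 libvirt
#   usermod -a -G libvirt dan      # dan must log in again to pick up the group
# Then, as dan over SSH on the host:
#   check_libvirt_access && echo "polkit grant active"
# And from the workstation (hypothetical user/host):
#   virsh -c qemu+ssh://dan@kvmhost.example/system list --all
```

polkitd watches both directories, so a new file is normally picked up without restarting anything; when the error persists after the file is in place, the usual cause is that the SSH session started before the user was added to the group, and a fresh login is needed before pkcheck (or virsh) sees the membership.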

On 06/12/2015 12:14 PM, Dan Mossor wrote:
> On 06/12/2015 03:48 AM, Daniel P. Berrange wrote:
>> On Thu, Jun 11, 2015 at 05:26:20PM -0500, Dan Mossor wrote:
>>> I manage libvirtd on a few remote machines, and my security policies require me to disable root login via SSH. Up to this point, I've been using root due to the systems being in staging, but this is the final step before they're moved to production.
>>>
>>> What is the current prescribed method of connecting virt-manager or virsh to a remote system with a non-root account? I keep getting "authentication failed: no agent is available to authenticate" with a user that is in the kvm and qemu groups on the systems I've tried using the ssh transport.
>>
>> This guide ought to help you set it up
>
> Ok, so I finally got it working.
>
> The SSHPolicyKitSetup page at the libvirt wiki states right at the top that "As of polkit 0.106 the .pkla format is no more, and these configuration files must be written in Javascript."
>
> Further down the page, it reinforces this statement with "The information in this section is obsolete; see the top of this page for more information."
>
> However, both of those statements are incorrect. Following the directions provided by [1] from the wiki page produced zero results - the operation still failed with "authentication failed: no agent is available to authenticate" when attempting to connect. [...]

It sounds like you're volunteering to update the wiki page :-)

(Seriously, auto account creation is disabled on the wiki, but Dan Berrange has the necessary credentials to create an account for you.)

On 06/12/2015 12:58 PM, Laine Stump wrote:
> On 06/12/2015 12:14 PM, Dan Mossor wrote:
>> On 06/12/2015 03:48 AM, Daniel P. Berrange wrote:
>>> On Thu, Jun 11, 2015 at 05:26:20PM -0500, Dan Mossor wrote:
>>>> I manage libvirtd on a few remote machines, and my security policies require me to disable root login via SSH. Up to this point, I've been using root due to the systems being in staging, but this is the final step before they're moved to production.
>>>>
>>>> What is the current prescribed method of connecting virt-manager or virsh to a remote system with a non-root account? I keep getting "authentication failed: no agent is available to authenticate" with a user that is in the kvm and qemu groups on the systems I've tried using the ssh transport.
>>>
>>> This guide ought to help you set it up
>>
>> Ok, so I finally got it working.
>>
>> The SSHPolicyKitSetup page at the libvirt wiki states right at the top that "As of polkit 0.106 the .pkla format is no more, and these configuration files must be written in Javascript."
>>
>> Further down the page, it reinforces this statement with "The information in this section is obsolete; see the top of this page for more information."
>>
>> However, both of those statements are incorrect. Following the directions provided by [1] from the wiki page produced zero results - the operation still failed with "authentication failed: no agent is available to authenticate" when attempting to connect. [...]
>
> It sounds like you're volunteering to update the wiki page :-)
>
> (Seriously, auto account creation is disabled on the wiki, but Dan Berrange has the necessary credentials to create an account for you.)

I'd love to. If one of y'all would contact me off-list with account instructions/details, I'll get right on it.

Regards,

-- 
Dan Mossor, RHCSA
Systems Engineer
Fedora Server WG | Fedora KDE WG | Fedora QA Team
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA