Hi!
(I hope this is the right list for my question. I already
posted it to the debian-user ML, but someone pointed me to
this list. Alas, there is no virt-manager ML anymore.)
In our network we have several Debian systems working as VM hosts
running QEMU+KVM based virtual machines.
I usually use virt-manager on my workstation as GUI to connect
to the VM host, manage the VMs and also to connect to the VM
console if needed.
To connect to the VM host I use SSH with public key authentication.
On the command line with virsh this looks like this (example):
andreas@ws1:~> virsh -c qemu+ssh://root@maxwell/system
Welcome to virsh, the virtualization interactive terminal.
Type: 'help' for help with commands
'quit' to quit
virsh #
So far, so good.
Recently I decided to increase our internal network security standards
and activated 2FA with time-based one-time passwords on several hosts.
(The idea is to eventually have 2FA for SSH for all users on all hosts
in our network)
This works very well and even quite comfortably with authenticator apps
on my smartphone or KeePassXC on my workstation generating the TOTP.
Example:
andreas@ws1:~> ssh root@mach
Enter OTP:
Linux mach 6.1.0-32-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.129-1 (2025-03-06) x86_64
root@mach:~#
So for a successful SSH connection I now have to enter a valid TOTP (generated by the
authenticator app) and then it connects.
Connecting to the host with virsh on the command line also works in a similar way:
andreas@ws1:~> virsh -c qemu+ssh://root@mach/system
Enter OTP:
Welcome to virsh, the virtualization interactive terminal.
Type: 'help' for help with commands
'quit' to quit
virsh #
All fine. Works as designed...
When I use virt-manager to connect to the VM host, the GUI opens
a dialog asking for the OTP and then connects, showing the list of
all configured VMs etc. I can also open the configuration of a
given VM, manage and change it.
All fine, too...
But when I try to use virt-manager to connect to the console of a
specific VM, it doesn't work as expected.
virt-manager opens a new window for the console, but also endlessly
keeps opening password entry dialogs.
As soon as I enter the current OTP and click "ok", another dialog
is opened, again asking for another OTP. And so on...
(These are one-time passwords, valid for 30 seconds, which cannot be re-used)
I can connect to the VM console with a SPICE viewer like remmina
using SSH port forwarding like this:
andreas@ws1:~> ssh -L 5906:localhost:5906 root@mach
Enter OTP:
root@mach:~#
(where 5906 is the SPICE port for the VM in question)
And then use remmina to connect to port 5906 on localhost.
This gives me the SPICE console of the VM.
Of course, this is not as comfortable as using virt-manager.
But with virt-manager I haven't found a way to successfully
connect to the VM console with 2FA in place.
So, finally, my question: Did anyone on this list manage to
use virt-manager to connect to a VM console using SSH with 2FA?
Thanks!
- andreas
--
Andreas Haumer
*x Software + Systeme   | mailto:andreas@xss.co.at
Karmarschgasse 51/2/20  | https://www.xss.co.at/
A-1100 Vienna, Austria  | Tel: +43-1-6060114