Re: virt-manager with SSH and 2FA with TOTP?

On Mon, Apr 14, 2025 at 12:17:44PM +0200, Andreas Haumer via Users wrote:

> But currently if a user opens the virtual console of a single VM in > virt-manager, it asks for the TOTP repeatedly in a very short time. > And this is the real problem. > It looks as if virt-manager opens several SSH connections for a single > SPICE connection (I don't know the internal details of the connection > between virt-manager and the VM host, though, so this might be a totally > wrong guess) Yes, SPICE is designed to use a separate TCP socket for different classess of data (frambuffer, mouse, keyboard, audio, etc). > This is very bad as in our setup TOTP keys can not be reused. > One would have to wait 30 seconds for the next TOTP. And repeat this > for several times in a row. This is not acceptable from a users POV. > > We could fall back to SPICE viewers like Remmina for VM console access. > But it would be more comfortable if VM console access integrated with > virt-manager could be used as well. virt-manager currently has a trivial SSH tunnel impl that establishes a new SSH connection for each connection, running netcat on the remote side to forward the TCP data over the primary SSH channel. It would be conceptually possible to change virt-manager to make use of SSH's port tunnelling feature instead of using 'netcat'. The code is mostly in virtManager/details/sshtunnels.py if someone wants to have a crack at it. The challenge would be you need some global caching to open SSH only once and then have to keep track of when to tear down the tunnel since you can't directy see how many of the tunnelled ports are currently in use.