Hi Erik!
On 14.04.25 at 12:59, Erik Huelsmann wrote:
> Hi Andreas,
> On Mon, Apr 14, 2025 at 12:18 PM Andreas Haumer via Users <
> users(a)lists.libvirt.org> wrote:
> [...]
> >
> > A *single* tunnel for each VM would be ok.
> > But does it have to open *several* SSH tunnels for a single VM console
> > connection?
> >
> Have you tried using SSH's ControlMaster setting to prevent new connections
> from being set up, instead reusing the master (first) connection?
This was also suggested by Tom Hughes and I can confirm that it indeed
solves the problems with the virtual console in virt-manager!
See my message to this ML a few minutes ago.
Thank you both for this hint!
I didn't know this SSH feature.
[...]
> Have you looked at SSH certificates? They will allow you to restrict
> validity of the certificate to short periods; it's possible to require a
> certificate instead of just a key.
> The other option is to use smartcards to store an ssh certificate. I do
> this with a yubikey: the smartcard unlocks at configured points in time. In
> case of a yubikey, touching it is enough. From there, everything works as
> it would with a regular ssh-agent resident key.
> By the way: the key in the home directory should have a password set.
> Adding it to ssh-agent using ssh-add removes the necessity to enter the
> password every time. The key an attacker can get their hands on will be
> password protected though.
> Just some ideas to further improve your security while maintaining healthy
> sanity :-)
Thanks for your valuable ideas!
Some of them I already used in the past (password protected SSH keys),
some of them I haven't yet but will explore in the future (SSH certificates).
KR
- andreas
--
Andreas Haumer
*x Software + Systeme | mailto:andreas@xss.co.at
Karmarschgasse 51/2/20 | https://www.xss.co.at/
A-1100 Vienna, Austria | Tel: +43-1-6060114
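The three suggestions in the thread above (ControlMaster connection sharing so virt-manager's extra tunnels ride on one authenticated session, a short-lived SSH user certificate, and a passphrase-protected key) put together as a runnable script. This is an added example, not code from either poster or from the libvirt project; the host name kvmhost.example.invalid, the principal "andreas", the 8-hour validity, the CA path /etc/ssh/ca.pub and the temporary directory are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Host names, paths,
# principals and the validity window are assumptions chosen for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. Connection sharing: the first ssh to the host becomes the master and
#    later connections (virt-manager, virsh -c qemu+ssh://...) reuse its
#    socket instead of opening and authenticating a new tunnel each time.
#    ControlPersist keeps the master alive briefly after the last client exits.
write_ssh_config() {
    cat > "$1" <<'EOF'
Host kvmhost.example.invalid
    User andreas
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlPersist 10m
EOF
}

# 2. Short-lived certificate: sign the user's *public* key with the CA key,
#    bind it to a principal and limit validity (e.g. "+8h" = next 8 hours).
#    Writes <key>-cert.pub next to the key. The user key's passphrase is not
#    needed here because only the public half is signed.
issue_short_lived_cert() {
    ca="$1"; key="$2"; principal="$3"; validity="$4"
    ssh-keygen -q -s "$ca" -I "demo-$principal" -n "$principal" -V "$validity" "$key.pub"
}

# 3. Server side: trust certificates issued by the CA. If the account has no
#    authorized_keys entries, sshd accepts certificates only, and it rejects
#    them once the -V window has passed.
write_sshd_ca_config() {
    printf 'TrustedUserCAKeys %s\n' "$1" > "$2"
}

# Check helper: does the certificate carry a validity window?
cert_has_validity() {
    ssh-keygen -L -f "$1" | grep -q 'Valid:'
}

write_ssh_config "$WORK/config"

if command -v ssh-keygen >/dev/null 2>&1; then
    # CA key (kept offline in practice) and a passphrase-protected user key,
    # as Erik recommends; add the user key to ssh-agent with ssh-add once.
    ssh-keygen -q -t ed25519 -N '' -C 'demo-ca' -f "$WORK/ca"
    ssh-keygen -q -t ed25519 -N 'demo-passphrase' -C 'andreas@laptop' -f "$WORK/id_ed25519"
    issue_short_lived_cert "$WORK/ca" "$WORK/id_ed25519" andreas +8h
    write_sshd_ca_config /etc/ssh/ca.pub "$WORK/sshd_ca.conf"
    # Inspect the result: principal, serial and the "Valid: from ... to ..." line.
    ssh-keygen -L -f "$WORK/id_ed25519-cert.pub"
fi
```

After copying the stanza into ~/.ssh/config, a first `ssh kvmhost.example.invalid` opens the master; virt-manager's console connections to that host then reuse it, which is why the extra tunnels stop prompting. The certificate is re-issued (or re-signed by a script at the start of the day) rather than being long-lived, so a copied key file is useless to an attacker once the window closes and, with a passphrase set, not immediately usable even inside it.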