Hi Andreas,

On Mon, Apr 14, 2025 at 12:18 PM Andreas Haumer via Users <users@lists.libvirt.org> wrote:
> > Currently this is expected behavior as virt-manager opens new tunnel for
> > each spice connection. Not sure if it is possible to change or how
> > difficult it would be to use only single ssh tunnel.
> >
>
> A *single* tunnel for each VM would be ok.
> But does it have to open *several* SSH tunnels for a single VM console connection?

Have you tried using SSH's ControlMaster setting to prevent new connections from being set up, instead reusing the master (first) connection?
 
> > I have no experience with ssh+2fa but if ssh keys can be still used in
> > addition to password+totp users can copy their keys to the remote hosts
> > and avoid entering the password at all.
> >
> > If your goal is to use only password+totp and not allowing ssh keys
> > virt-manager will ask for the password several times.
> >
>
> The goal is to have SSH keys + TOTP for increased security.
>
> Rationale: SSH keys are stored in the user's home directory and are
> static. If an attacker gains access to the user's account in some way,
> he or she will get access to the SSH keys as well and thus have doors
> wide open to all servers where SSH public key authentication alone
> is used.
> As we rely heavily on SSH for remote access to all servers in our
> network we consider this a security problem and thus we want to
> establish 2FA for all SSH connections in our network.
>
> We have this setup implemented purely with SSHD and PAM configuration
> settings. No fancy tricks or fairy dust needed.
> We have it running for several weeks now and it works very well.
> At least at the command line level between Linux systems, which is
> our major use case for this.

Have you looked at SSH certificates? They will allow you to restrict validity of the certificate to short periods; it's possible to require a certificate instead of just a key.

The other option is to use smartcards to store an ssh certificate. I do this with a yubikey: the smartcard unlocks at configured points in time. In case of a yubikey, touching it is enough. From there, everything works as it would with a regular ssh-agent resident key.

By the way: the key in the home directory should have a password set. Adding it to ssh-agent using ssh-add removes the necessity to enter the password every time. The key an attacker can get their hands on will be password protected though.


Just some ideas to further improve your security while maintaining healthy sanity :-)

--
Bye,

Erik.

http://efficito.com -- Hosted accounting and ERP.
Robust and Flexible. No vendor lock-in.
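The ControlMaster suggestion above, written out as a client-side configuration. This is an added example, not something posted in the thread or shipped by virt-manager or libvirt; the host alias, hostname and user name are made up, and it assumes that virt-manager's qemu+ssh:// transport runs the system ssh binary, which reads ~/.ssh/config, so the Host block applies to the tunnels it opens.

```sshconfig
# ~/.ssh/config  (added example; host alias, HostName and User are assumptions)
Host kvm-host
    HostName kvm-host.example.internal
    User operator

    # Authenticate once (key + TOTP), then let every further ssh session to
    # this host ride the already-authenticated master connection.
    ControlMaster auto

    # Socket for the shared connection. %C is a hash of user, host and port,
    # so the path stays short enough for a Unix socket. Keep it under a
    # directory only this user can write to (~/.ssh is 0700 by convention).
    ControlPath ~/.ssh/cm-%C

    # Keep the master alive for a while after the last session closes, so the
    # extra tunnels virt-manager opens for a console do not each trigger a
    # fresh TOTP prompt. Keep this window short: while it is open, anyone who
    # can reach the socket as this user gets sessions without a second factor.
    ControlPersist 10m
```

Check the effective settings with `ssh -G kvm-host` before relying on them, and confirm the behaviour by opening one session, then a second one: the second should not prompt. The ControlPersist window is the trade-off against the 2FA goal stated in the thread (an attacker who already has the user's account also has the socket), so size it to the console session, not to the working day.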
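Andreas describes keys + TOTP done "purely with SSHD and PAM configuration". As an added illustration of what that server side looks like, here is the sshd_config fragment that enforces both factors; it is not Andreas's actual configuration, and the PAM module it relies on is an assumption since the thread does not name one.

```sshconfig
# /etc/ssh/sshd_config  (added example, not the configuration from the thread)

# First factor: a public key in the user's authorized_keys (or a certificate
# signed by a CA listed under TrustedUserCAKeys, if you go the certificate route).
PubkeyAuthentication yes

# The second factor is delivered through PAM's keyboard-interactive dialogue.
# Older OpenSSH releases spell this option ChallengeResponseAuthentication.
KbdInteractiveAuthentication yes
UsePAM yes

# Plain password login is off; the PAM prompt below is for the one-time code only.
PasswordAuthentication no

# Require BOTH methods, in this order: the key must succeed before the TOTP
# prompt is shown. A key alone, or a code alone, is not enough.
AuthenticationMethods publickey,keyboard-interactive:pam
```

On the PAM side, /etc/pam.d/sshd needs an `auth required` line for a TOTP module (pam_google_authenticator or pam_oath are the usual choices; which one Andreas uses is not stated) and must not also pull in the system password stack, otherwise users are prompted for their account password in addition to the code. Validate with `sshd -t` and test the new policy from a second terminal while an existing session stays open, so a mistake cannot lock you out.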