Hi!

(This might not be a Debian specific question, but at least
the systems in question are running Debian, so I hope it's
OK to ask here on this list. Please give me a hint if you know
a better place to ask)

In our network we have several Debian systems working as VM host
running QEMU+KVM based virtual machines.

I usually use virt-manager on my workstation as GUI to connect
to the VM host, manage the VMs and also to connect to the VM
console if needed.

To connect to the VM host I use SSH with public key authentication.

On the commandline with virsh this looks like this (example):

andreas@ws1:~> virsh -c qemu+ssh://root@maxwell/system
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh #

So far, so good.

Recently I decided to increase our internal network security standards
and activated 2FA with time-based one-time passwords on several hosts.
(The idea is to eventually have 2FA for SSH for all users on all hosts
in our network)

This works very well and even quite comfortably with authenticator apps
on my smartphone or KeePassXC on my workstation generating the TOTP.

Example:

andreas@ws1:~> ssh root@mach
Enter OTP:
Linux mach 6.1.0-32-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.129-1 (2025-03-06) x86_64
root@mach:~#

So for a successful SSH connection I now have to enter a valid TOTP
(generated by the authenticator app) and then it connects.

Connecting to the host with virsh on the commandline also works in a
similar way:

andreas@ws1:~> virsh -c qemu+ssh://root@mach/system
Enter OTP:
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh #

All fine. Works as designed...

When I use virt-manager to connect to the VM host, the GUI opens
a dialog asking for the OTP and then connects, showing the list of
all configured VMs etc. I can also open the configuration of a
given VM, manage and change it.

All fine, too...

But when I try to use virt-manager to connect to the console of a
specific VM, it doesn't work as expected.
virt-manager opens a new window for the console, but also endlessly
keeps opening password entry dialogs.
As soon as I enter the current OTP and click "ok", another dialog
is opened, again asking for another OTP. And so on...
(These are one-time passwords, valid for 30 seconds, which cannot be re-used)

I can connect to the VM console with a SPICE viewer like remmina
using SSH port forwarding like this:

andreas@ws1:~> ssh -L 5906:localhost:5906 root@mach
Enter OTP:
root@mach:~#

(where 5906 is the SPICE port for the VM in question)

And then use remmina to connect to port 5906 on localhost.
This gives me the SPICE console of the VM.

Of course, this is not as comfortable as using virt-manager.
But with virt-manager I haven't found a way to successfully
connect to the VM console with 2FA in place.

So, finally, my question: Did anyone on this list manage to
use virt-manager to connect to a VM console using SSH with 2FA?

Thanks!

- andreas

--
Andreas Haumer
*x Software + Systeme              | mailto:andr...@xss.co.at
Karmarschgasse 51/2/20             | https://www.xss.co.at/
A-1100 Vienna, Austria             | Tel: +43-1-6060114
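
The port-forwarding workaround from the post, as an added example that is not part of the original message: this Python code reads a guest's libvirt domain XML (as printed by `virsh dumpxml`), extracts the SPICE port, builds the same `ssh -L` command, and warns when SPICE is not bound to loopback. The sample XML and the function name `spice_tunnel` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample of `virsh dumpxml` output for a running guest;
# the port number (5906) is the one used in the post.
SAMPLE_XML = """
<domain type='kvm'>
  <name>demo</name>
  <devices>
    <graphics type='spice' port='5906' autoport='yes' listen='127.0.0.1'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>
  </devices>
</domain>
"""

def spice_tunnel(domain_xml, ssh_target):
    """Return (ssh argv, warnings) for forwarding the guest's SPICE port."""
    root = ET.fromstring(domain_xml)
    gfx = root.find("./devices/graphics[@type='spice']")
    if gfx is None:
        raise ValueError("domain has no SPICE graphics device")
    port = int(gfx.get("port", "-1"))
    if not 0 < port < 65536:
        # libvirt reports port -1 while an autoport guest is shut off
        raise ValueError("no SPICE port assigned; is the guest running?")
    listen = gfx.get("listen")
    if listen is None:
        node = gfx.find("listen[@type='address']")
        listen = node.get("address") if node is not None else None
    warnings = []
    if listen is None:
        warnings.append("listen address not stated in the domain XML")
    elif listen not in LOOPBACK:
        warnings.append(
            f"SPICE listens on {listen!r}, not loopback: the console port "
            "may be reachable directly, bypassing SSH and its OTP")
    argv = ["ssh", "-L", f"{port}:localhost:{port}", ssh_target]
    return argv, warnings

if __name__ == "__main__":
    argv, warnings = spice_tunnel(SAMPLE_XML, "root@mach")
    print(" ".join(argv))
    for w in warnings:
        print("warning:", w)
```
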
