Re: [Kimchi-devel] [PATCH 0/4] ticket support for guest

On 05/26/2014 02:38 PM, Hongliang Wang wrote: > > On 05/26/2014 02:27 PM, Zhou Zheng Sheng wrote: >> on 2014/05/26 13:32, Yu Xin Huo wrote: >>> I strongly dislike the way to change password frequently. >>> >>> Password is designed for user to recognize himself for authentication. >>> Frequently changing password make password itself meaningless to user. >>> >>> As it is VNC password, this will almost make vnc unaccessible to user. >>> Personally, I dislike to use browser to console the VM at all. >>> >>> I suspect whether there is *a justification reasonable enough* to take >>> the way that "changing password". >>> >>> So please exactly clarify what *threat* this "change password" strategy >>> is protecting against? >>> >> Some back-end background. >> >> The problem is that noVNC and HTML5 Spice traffic is carried on >> websocket outside of Kimchi server. It operates as following. >> >> noVNC --websocket--> websockify --tcp-> VNC server of the hypervisor. >> >> Since Kimchi is out of this route, we don't have means to authenticate >> user. The user can copy the noVNC page URL to another machine without >> loggin to Kimchi, and he can still access VNC. > For this part, I'd prefer access VNC through any VNC viewer after I > created a VM, instead of only access it through Kimchi. I checked Virt Manager just now and it works the similar as your design for Kimchi. So is it possible if I want to access Kimchi VM through VNC clients (e.g., my browser is relatively too old to use noVNC) ? In this case, I think a possible solution is: 1. Create a VM with bridged network that I can access it from other machines 2. Install VNC server in it 3. Configuration the VNC server 4. Access it through VNC clients Does it make sense? So it will be a complete solution.