
QEMU/KVM: how to protect monitor access?


Running QEMU/KVM with monitor: kvm ...some_parameters... -monitor unix:/my_path/my_fifo,server,nowait

We can then connect using socat - UNIX-CONNECT:/my_path/my_fifo then type commands.
Easy and handy.

I'd like to expose the monitor interface to the local network (probably using socat, according to the securing method), which is reasonably safe. How can I protect access to the monitor?

I do not see any available password option, certificate, etc. So I suspect I have to rely on a method external to QEMU/KVM.


You can use SSH to access such a socket securely, leveraging the security options provided by SSH. You don't need socat at all, because SSH allows forwarding socket-to-socket or tcp-to-socket via -L option:

     -L [bind_address:]port:host:hostport
     -L [bind_address:]port:remote_socket
     -L local_socket:host:hostport
     -L local_socket:remote_socket

E.g. if your qemu process runs with -monitor unix:/my_path/my_fifo,server,nowait option, use ssh virtualization-host -L /tmp/monitor:/my_path/my_fifo to connect, and then connect to local socket /tmp/monitor, or use ssh virtualization-host -L 12345:/my_path/my_fifo and telnet to localhost:12345 (SSH client will listen only on localhost in this case).

To achieve better security, use SSH keys to connect to monitors. On the remote virtualization host, create a user who'll have rw rights on the /my_path/my_fifo object. Create a key pair and put the public key into that user's ~/.ssh/authorized_keys file in a restricted way to only allow forwarding:

restrict,port-forwarding,command="/bin/false" ssh-... ..... (the public key string)

To connect, use a command which doesn't allocate a shell and doesn't run a command, useful just for forwards:

ssh monitoruser@virtualization-host -i monitor_private_key -L 12345:/my_path/my_fifo -N

and finally, use telnet localhost 12345 to access the monitor socket forwarded via SSH.
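As an added example (not part of the answer above), a small POSIX shell helper that builds the forwarding-only authorized_keys entry described there and audits an existing authorized_keys file for entries that still lack `restrict`; the key material and file contents are constructed sample data, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: generate and audit forwarding-only authorized_keys entries
# for the monitor user. Key strings below are constructed, not real keys.

# Options from the answer: no pty, no shell command, only port forwarding.
RESTRICT_OPTS='restrict,port-forwarding,command="/bin/false"'

# restrict_key_entry "<key-type> <base64-key> [comment]"
# Prints the public key prefixed with the forwarding-only options.
# Refuses input that is not a bare public key line (e.g. one that already
# carries options, which could silently re-enable a shell).
restrict_key_entry() {
    key="$1"
    case "$key" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp*\ *|sk-*) ;;
        *) echo "not a bare public key line: $key" >&2; return 1 ;;
    esac
    printf '%s %s\n' "$RESTRICT_OPTS" "$key"
}

# unrestricted_entries <authorized_keys file>
# Prints the line number of every key entry whose options do not include
# "restrict", skipping blank lines and comments. Entries with options that
# contain quoted spaces before "restrict" are not handled by this regex.
unrestricted_entries() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $0 !~ /^(restrict|[^ ]*,restrict)[ ,]/ { print NR }
    ' "$1"
}

# Stand-alone demo with a constructed authorized_keys file.
demo() {
    tmp=$(mktemp) || return 1
    restrict_key_entry "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKey monitor@client" > "$tmp"
    printf '%s\n' '# legacy key, still grants a shell' \
        'ssh-rsa AAAAB3NzaC1yc2EAAAADConstructed admin@laptop' \
        'no-pty,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructed2 ops@jump' >> "$tmp"
    echo "entries lacking restrict (line numbers): $(unrestricted_entries "$tmp" | tr '\n' ' ')"
    rm -f "$tmp"
}

[ "${0##*/}" = "restrict_monitor_keys.sh" ] && demo
```

Run the file as restrict_monitor_keys.sh to see the demo, or source it and call the two functions on your own files.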
