
Running QEMU/KVM with monitor: kvm ...some_parameters... -monitor unix:/my_path/my_fifo,server,nowait

We can then connect using socat - UNIX-CONNECT:/my_path/my_fifo then type commands.
Easy and handy.

I'd like to expose the monitor interface to the local network (probably using socat, according to the securing method), which is reasonably safe. How can I protect access to the monitor?

I do not see any available password option, certificate, etc. So I suspect I have to rely on a method external to QEMU/KVM.

Gregory MOUSSAT

1 Answer

You can use SSH to access such a socket securely, leveraging the security options provided by SSH. You don't need socat at all, because SSH allows forwarding socket-to-socket or tcp-to-socket via the -L option:

     -L [bind_address:]port:host:hostport
     -L [bind_address:]port:remote_socket
     -L local_socket:host:hostport
     -L local_socket:remote_socket

E.g. if your qemu process runs with -monitor unix:/my_path/my_fifo,server,nowait option, use ssh virtualization-host -L /tmp/monitor:/my_path/my_fifo to connect, and then connect to local socket /tmp/monitor, or use ssh virtualization-host -L 12345:/my_path/my_fifo and telnet to localhost:12345 (SSH client will listen only on localhost in this case).

To achieve better security, use SSH keys to connect to monitors. On the remote virtualization host, create a user who'll have rw rights on the /my_path/my_fifo object. Create a key pair and put the public key into that user's ~/.ssh/authorized_keys file in a restricted way to only allow forwarding:

restrict,port-forwarding,command="/bin/false" ssh-... ..... (the public key string)

To connect, use a command which doesn't allocate a shell and doesn't run a command, useful just for forwards:

ssh monitoruser@virtualization-host -i monitor_private_key -L 12345:/my_path/my_fifo -N

and finally, use telnet localhost 12345 to access the monitor socket forwarded via SSH.

Nikita Kipriyanov
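The host-side and client-side steps from this answer as a script, added here as an example that is not part of the original answer. The user name, key file name, port and socket path are assumptions carried over from the answer; the public key used when running it is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original post). Installs a public key into an
# authorized_keys file with the forwarding-only options from the answer and
# verifies every key in the file is restricted. All paths are assumptions.
set -eu

# Options from the answer: "restrict" disables pty, agent, X11 and all
# forwarding; "port-forwarding" re-enables only forwarding; the forced
# command means the key can never run anything even if a shell is asked for.
RESTRICT_OPTS='restrict,port-forwarding,command="/bin/false"'

# install_restricted_key <ssh_dir> <public_key_line>
# Appends the key with restricted options; creates the directory and file
# with the modes sshd expects (700 / 600). Safe to re-run.
install_restricted_key() {
    ssh_dir=$1; pubkey=$2
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    keyfile="$ssh_dir/authorized_keys"
    touch "$keyfile" && chmod 600 "$keyfile"
    line="$RESTRICT_OPTS $pubkey"
    # -F -x: literal whole-line match, so a second run adds nothing.
    grep -qFx -- "$line" "$keyfile" || printf '%s\n' "$line" >> "$keyfile"
}

# check_authorized_keys <file>
# Succeeds only if every key line carries the "restrict" option and a
# forced command, i.e. no key in the file can open a shell. Assumes the
# option list contains no spaces (true for the line used here).
check_authorized_keys() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" |
    awk '{
        n = split($1, opt, ","); ok = 0
        for (i = 1; i <= n; i++) if (opt[i] == "restrict") ok = 1
        if (!ok || $0 !~ /command="[^"]*"/) bad = 1
    } END { exit bad ? 1 : 0 }'
}

# client_command <user> <host> <private_key> <local_port> <remote_socket>
# The client side from the answer: -N (no command, no shell), forward only.
client_command() {
    printf 'ssh %s@%s -i %s -L %s:%s -N\n' "$1" "$2" "$3" "$4" "$5"
}

# Host side still needs (as root): a monitoruser with a nologin shell and
# rw access to the socket, e.g. chown monitoruser /my_path/my_fifo.
```

Run check_authorized_keys on the monitor user's file after any key change; a plain key line without "restrict" would hand that user a shell on the virtualization host.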