Hardening Spice security with TLS¶
TLS support lets you encrypt all or some of the channels Spice uses for its communication. The encrypted channels are served on a separate port (the tlsPort of the domain's <graphics type='spice'> element) next to the plaintext port. Which channels must use it is chosen per VM with that element's defaultMode and per-channel mode attributes, so enabling TLS in qemu.conf alone still lets a client connect in the clear unless the domain sets defaultMode='secure'.
Change libvirtd configuration¶
The certificate directory is configured in the libvirtd QEMU driver configuration file, /etc/libvirt/qemu.conf.
Uncomment the lines spice_listen = "0.0.0.0", spice_tls = 1 and spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice". Set spice_listen to 0.0.0.0 only if remote clients must reach the VMs directly: it exposes every Spice port on every interface, which is why the file itself recommends TLS with certificate verification for public access.
# SPICE is configured to listen on 127.0.0.1 by default.
# To make it listen on all public interfaces, uncomment
# this next option.
#
# NB, strong recommendation to enable TLS + x509 certificate
# verification when allowing public access
#
spice_listen = "0.0.0.0"
# Enable use of TLS encryption on the SPICE server.
#
# It is necessary to setup CA and issue a server certificate
# before enabling this.
#
spice_tls = 1
# Use of TLS requires that x509 certificates be issued. The
# default it to keep them in /etc/pki/libvirt-spice. This directory
# must contain
#
# ca-cert.pem - the CA master certificate
# server-cert.pem - the server certificate signed with ca-cert.pem
# server-key.pem - the server private key
#
# This option allows the certificate directory to be changed.
#
spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
Add path in AppArmor¶
On some distributions the libvirt-qemu AppArmor abstraction already allows this path (Ubuntu 18.04 and later ship it). If yours does not, QEMU is denied access to the certificates when a guest with TLS enabled starts, so add the line /etc/pki/libvirt-spice/** r,
to /etc/apparmor.d/abstractions/libvirt-qemu, next to the existing libvirt-vnc entry:
# access PKI infrastructure
/etc/pki/libvirt-vnc/** r,
/etc/pki/libvirt-spice/** r,
Note
Remember to restart the services afterwards so the new rule takes effect: systemctl restart apparmor.service
and then systemctl restart libvirtd.service
Create a self-signed certificate¶
Download and run the create_cert.sh script as root, passing the IP address that clients will connect to. It creates a private CA, issues a server certificate for that address signed by the CA, and installs the resulting certificates and key into /etc/pki/libvirt-spice.
#!/bin/bash
# create_cert.sh: create a private CA and a server certificate for Spice,
# then install them where libvirtd expects them (/etc/pki/libvirt-spice).
# Run as root. The CA private key (ca-key.pem) stays in the current
# directory and is never copied to the certificate directory; keep it safe.
set -e

SERVER_IP="$1"
if [ -z "$SERVER_IP" ]; then
    echo "Error, server ip required."
    echo " Usage: $0 ip"
    exit 1
fi

# change the next line to your own country/locality/organization
SUBJECT="/C=IL/L=Raanana/O=Red Hat"
SERVER_KEY=server-key.pem
CERT_DIR=/etc/pki/libvirt-spice

# create a key for our CA (passphrase-protected; you will be prompted)
if [ ! -e ca-key.pem ]; then
    openssl genrsa -aes256 -out ca-key.pem 2048
fi

# create the CA certificate. Its CN must differ from the server CN,
# otherwise servers built against OpenSSL fail to verify the chain.
if [ ! -e ca-cert.pem ]; then
    openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem \
        -subj "${SUBJECT}/CN=my CA"
fi

# create the server key (no passphrase: libvirtd cannot prompt for one)
if [ ! -e "$SERVER_KEY" ]; then
    openssl genrsa -out "$SERVER_KEY" 2048
fi

# create a certificate signing request (CSR) with the server IP as CN
if [ ! -e server-key.csr ]; then
    openssl req -new -key "$SERVER_KEY" -out server-key.csr \
        -subj "${SUBJECT}/CN=${SERVER_IP}"
fi

# sign the server certificate with our CA. -CAcreateserial keeps a serial
# counter in ca-cert.srl so a reissued certificate gets a fresh serial.
if [ ! -e server-cert.pem ]; then
    openssl x509 -req -days 1095 -in server-key.csr \
        -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial \
        -out server-cert.pem
fi

# make sure the installed key has no passphrase. This is a no-op for a key
# made by the genrsa line above; it matters if you supplied an encrypted key.
openssl rsa -in "$SERVER_KEY" -out "$SERVER_KEY.insecure"
mv "$SERVER_KEY" "$SERVER_KEY.secure"
mv "$SERVER_KEY.insecure" "$SERVER_KEY"

# install only what libvirtd needs: CA certificate, server certificate and
# server key. QEMU runs in group kvm, so group read access is sufficient.
mkdir -p "$CERT_DIR"
cp ca-cert.pem server-cert.pem "$SERVER_KEY" "$CERT_DIR"
chown :kvm "$CERT_DIR"/*.pem
chmod 640 "$CERT_DIR"/*.pem

# print the subject in the comma-separated form the client's --host-subject
# option expects (works with both old and new OpenSSL subject formats)
echo "your --host-subject is \"$(openssl x509 -noout -subject -nameopt oneline,-space_eq -in server-cert.pem | sed 's/^subject=//')\""
Warning
Whatever method you use to generate the certificate and key files, the Common Name (CN) of the server certificate, and of any client certificate, must differ from the CN of the CA certificate. Otherwise the certificate and key files will not work with servers built against OpenSSL.
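The script below is an added example, not the page's create_cert.sh and not part of Spice or libvirt. It checks a certificate directory against what the qemu.conf comments and the warning above require: the three expected files, a server certificate that chains to ca-cert.pem, distinct CA and server Common Names, an unencrypted server key that matches the certificate and is not world-readable, and optionally that the certificate is valid for the server's IP address. That last check goes beyond the page's script, which places the IP only in the CN: OpenSSL matches IP addresses against subjectAltName entries only, which is why a client such as remote-viewer needs --spice-host-subject to accept a CN-only certificate. The make_demo_pki helper, the names spice.example.test and Demo CA and the address 192.0.2.10 are constructed for the demonstration.

```shell
#!/bin/sh
# check_spice_pki.sh: added example, not the page's create_cert.sh.
# Sanity-checks a libvirt-spice certificate directory before it is used.

# x509_cn FILE: print the Common Name from a certificate's subject
x509_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_spice_pki DIR [SERVER_IP]
# Prints one line per check and returns 0 only if every check passes.
# The IP check needs a subjectAltName IP entry: OpenSSL never matches an
# IP address against the CN, so a CN-only certificate fails it.
check_spice_pki() {
    dir="$1"; ip="$2"; rc=0
    ca="$dir/ca-cert.pem"; cert="$dir/server-cert.pem"; key="$dir/server-key.pem"
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "FAIL: $f missing or unreadable"; return 1; }
    done
    # 1. server certificate chains to the CA certificate
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "ok:   server-cert.pem is signed by ca-cert.pem"
    else
        echo "FAIL: server-cert.pem does not verify against ca-cert.pem"; rc=1
    fi
    # 2. CA and server Common Names must differ (the warning above)
    ca_cn=$(x509_cn "$ca"); srv_cn=$(x509_cn "$cert")
    if [ -n "$ca_cn" ] && [ "$ca_cn" != "$srv_cn" ]; then
        echo "ok:   CA CN '$ca_cn' differs from server CN '$srv_cn'"
    else
        echo "FAIL: CA and server certificates share the CN '$srv_cn'"; rc=1
    fi
    # 3. server key must be unencrypted: libvirtd cannot prompt for a passphrase
    if grep -q ENCRYPTED "$key"; then
        echo "FAIL: server-key.pem is passphrase-protected"; rc=1
    else
        echo "ok:   server-key.pem has no passphrase"
    fi
    # 4. private key must match the certificate's public key
    if [ "$(openssl x509 -noout -pubkey -in "$cert")" = \
         "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
        echo "ok:   server-key.pem matches server-cert.pem"
    else
        echo "FAIL: server-key.pem does not match server-cert.pem"; rc=1
    fi
    # 5. key must not be world-readable (group access for kvm is enough)
    if [ -n "$(find "$key" -perm -o+r)" ]; then
        echo "FAIL: server-key.pem is world-readable"; rc=1
    else
        echo "ok:   server-key.pem is not world-readable"
    fi
    # 6. optional: certificate must be valid for the address clients dial
    if [ -n "$ip" ]; then
        if openssl verify -CAfile "$ca" -verify_ip "$ip" "$cert" >/dev/null 2>&1; then
            echo "ok:   server-cert.pem is valid for IP $ip"
        else
            echo "FAIL: server-cert.pem has no subjectAltName for IP $ip"; rc=1
        fi
    fi
    return "$rc"
}

# make_demo_pki DIR SERVER_CN CA_CN SERVER_IP
# Throwaway CA and server certificate (with an IP SAN), for demonstration only.
make_demo_pki() {
    dir="$1"; srv_cn="$2"; ca_cn="$3"; ip="$4"
    mkdir -p "$dir"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca-key.pem" \
        -out "$dir/ca.csr" -subj "/O=Demo/CN=$ca_cn" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.cnf"
    openssl x509 -req -days 30 -in "$dir/ca.csr" -signkey "$dir/ca-key.pem" \
        -extfile "$dir/ca.cnf" -out "$dir/ca-cert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server-key.pem" \
        -out "$dir/server.csr" -subj "/O=Demo/CN=$srv_cn" 2>/dev/null
    printf 'subjectAltName=IP:%s\n' "$ip" > "$dir/san.cnf"
    openssl x509 -req -days 30 -in "$dir/server.csr" -CA "$dir/ca-cert.pem" \
        -CAkey "$dir/ca-key.pem" -CAcreateserial -extfile "$dir/san.cnf" \
        -out "$dir/server-cert.pem" 2>/dev/null
    chmod 640 "$dir/server-key.pem"
}

# Demonstration on a constructed PKI in a temporary directory
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_demo_pki "$tmp" spice.example.test "Demo CA" 192.0.2.10
    check_spice_pki "$tmp" 192.0.2.10
    rm -rf "$tmp"
fi
```

On a real host, run check_spice_pki /etc/pki/libvirt-spice <server-ip> after installing the files. Once a guest is running with TLS enabled, openssl s_client -connect <host>:<tlsPort> -CAfile /etc/pki/libvirt-spice/ca-cert.pem confirms that the TLS port actually presents the certificate and that it chains to the CA you distributed to clients.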
Disable Spice Password¶
More information about removing the SPICE password for all networks.