Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

18.2. Remote Management with SSH

The ssh package provides an encrypted network protocol that can securely send management functions to remote virtualization servers. The method described below uses the libvirt management connection, securely tunneled over an SSH connection, to manage the remote machines. All the authentication is done using SSH public key cryptography and passwords or passphrases gathered by your local SSH agent. In addition, the VNC console for each guest is tunneled over SSH.
When using using SSH for remotely managing your virtual machines, be aware of the following problems:
  • You require root log in access to the remote machine for managing virtual machines.
  • The initial connection setup process may be slow.
  • There is no standard or trivial way to revoke a user's key on all hosts or guests.
  • SSH does not scale well with larger numbers of remote machines.

Note

Red Hat Virtualization enables remote management of large numbers of virtual machines. For further details, see the Red Hat Virtualization documentation.
The following packages are required for SSH access:
  • openssh
  • openssh-askpass
  • openssh-clients
  • openssh-server
Configuring Password-less or Password-managed SSH Access for virt-manager

The following instructions assume you are starting from scratch and do not already have SSH keys set up. If you have SSH keys set up and copied to the other systems, you can skip this procedure.

Important

SSH keys are user-dependent and may only be used by their owners. A key's owner is the user who generated it. Keys may not be shared across different users.
virt-manager must be run by the user who owns the keys to connect to the remote host. That means, if the remote systems are managed by a non-root user, virt-manager must be run in unprivileged mode. If the remote systems are managed by the local root user, then the SSH keys must be owned and created by root.
You cannot manage the local host as an unprivileged user with virt-manager.
  1. Optional: Changing user

    Change user, if required. This example uses the local root user for remotely managing the other hosts and the local host.
    $ su -
  2. Generating the SSH key pair

    Generate a public key pair on the machine where virt-manager is used. This example uses the default key location, in the ~/.ssh/ directory.
    # ssh-keygen -t rsa
  3. Copying the keys to the remote hosts

    Remote login without a password, or with a pass-phrase, requires an SSH key to be distributed to the systems being managed. Use the ssh-copy-id command to copy the key to root user at the system address provided (in the example, root@host2.example.com).
    # ssh-copy-id -i ~/.ssh/id_rsa.pub root@host2.example.com
    root@host2.example.com's password:
    
    Afterwards, try logging into the machine and check the .ssh/authorized_keys file to make sure unexpected keys have not been added:
    ssh root@host2.example.com
    Repeat for other systems, as required.
  4. Optional: Add the passphrase to the ssh-agent

    Add the pass-phrase for the SSH key to the ssh-agent, if required. On the local host, use the following command to add the pass-phrase (if there was one) to enable password-less login.
    # ssh-add ~/.ssh/id_rsa
    This command will fail to run if the ssh-agent is not running. To avoid errors or conflicts, make sure that your SSH parameters are set correctly. See the Red Hat Enterprise System Administration Guide for more information.
The libvirt daemon (libvirtd)

The libvirt daemon provides an interface for managing virtual machines. You must have the libvirtd daemon installed and running on every remote host that you intend to manage this way.

$ ssh root@somehost
# systemctl enable libvirtd.service
# systemctl start libvirtd.service
After libvirtd and SSH are configured, you should be able to remotely access and manage your virtual machines. You should also be able to access your guests with VNC at this point.
Accessing Remote Hosts with virt-manager

Remote hosts can be managed with the virt-manager GUI tool. SSH keys must belong to the user executing virt-manager for password-less login to work.

  1. Start virt-manager.
  2. Open the FileAdd Connection menu.
    Add connection menu

    Figure 18.1. Add connection menu

  3. Use the drop down menu to select hypervisor type, and click the Connect to remote host check box to open the Connection Method (in this case Remote tunnel over SSH), enter the User name and Hostname, then click Connect.