manremote-accessReviewed March 6, 2026
Remote TLS, TCP, and auth basics
Remote libvirt access can travel over SSH or over TLS/TCP. SSH is usually the simplest path. TLS/TCP is the right fit when you want a managed API endpoint, certificate identity, and central auth policy. Transport choices
tlstcpsaslvirtproxyd
Remote libvirt access can travel over SSH or over TLS/TCP. SSH is usually the simplest path. TLS/TCP is the right fit when you want a managed API endpoint, certificate identity, and central auth policy.
Transport choices
qemu+ssh://user@host/system: simple and secure, piggybacks on SSH access.qemu+tls://host/system: certificate-based transport, often paired with SASL or policy controls.- Plain TCP without protection is for lab-only scenarios and usually not acceptable in production.
Core TLS settings
/etc/libvirt/virtproxyd.confini
listen_tls = 1
listen_tcp = 0
auth_tls = "sasl"What to verify first
BASH
systemctl status virtproxyd.socket virtproxyd-tls.socket
ss -ltnp | grep 16514
virsh -c qemu+tls://hv-a/system hostnamevirtproxyd-tls.socket
Check virtproxyd-tls.socket when a TLS client cannot establish the remote API session at all.
Auth layers
Connection success depends on more than certificates. The stack can include listener state, certificate trust, SASL, and local authorization policy on the destination host.