[Libvirt] SSH with certificates

Daniel P. Berrange berrange at redhat.com
Wed May 6 13:44:18 UTC 2009


On Wed, May 06, 2009 at 03:33:47PM +0200, Christian Weyermann wrote:
> Hello everybody,
> 
> We are trying to use libvirt with qemu over ssh and our goal is to have
> authentication done by certificates. Therefore I created a keypair on
> the client and sent the public key to the server. Std. SSH connections
> work without a password prompt as expected (ssh <ip> -l user), but if I
> try "sudo virsh -c qemu+ssh://user@<ip>/system" it prompts for a
> password (Besides that password prompt it works as expected).
> 
> Is there anything else I have to do besides registering the public key at
> the server?

Do you really mean x509 certificates, or are you actually talking about
RSA/DSA public keys? I wasn't aware that any SSH did x509 certs for
authentication.

Why are you using 'sudo' for this? It seems rather pointless to switch
to root to run virsh, since it is connecting to a remote host and you
can trivially do that as your normal user. Using 'sudo' will almost
certainly stop ssh connecting to the 'ssh-agent' in your session.

Also note, you can explicitly prevent all password prompts from ssh
by adding '?no_tty=1' to the end of the URI.


There should never be any need to use sudo for virsh in any reasonably
modern Linux desktop. libvirt will use PolicyKit to authenticate securely
as non-root for local connections, and remote connections should just be
run as the normal user.

Regards,
Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
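
The two points in the reply above (sudo cutting ssh off from the session's ssh-agent, and '?no_tty=1' suppressing password prompts) can be checked before running virsh. The following is an added example, not part of the original message; the function names and the host `host.example` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: preflight for a qemu+ssh:// libvirt connection.

# Append no_tty=1 to a libvirt URI, respecting an existing query string.
add_no_tty() {
    uri=$1
    case $uri in
        *\?no_tty=*|*\&no_tty=*) printf '%s\n' "$uri" ;;          # already set
        *\?*)                    printf '%s&no_tty=1\n' "$uri" ;; # other params present
        *)                       printf '%s?no_tty=1\n' "$uri" ;;
    esac
}

# Classify whether ssh can reach an agent in this environment.
# $1 = value of SSH_AUTH_SOCK (may be empty), $2 = value of SUDO_USER (may be empty)
# Prints: ok | sudo-stripped | no-agent | stale-socket; returns non-zero unless ok.
agent_status() {
    sock=$1
    sudo_user=$2
    if [ -z "$sock" ] && [ -n "$sudo_user" ]; then
        # sudo's default env_reset normally drops SSH_AUTH_SOCK, so key
        # authentication falls back to a password prompt.
        echo sudo-stripped; return 1
    fi
    if [ -z "$sock" ]; then echo no-agent; return 1; fi
    if [ ! -S "$sock" ]; then echo stale-socket; return 1; fi
    echo ok
}

# Demo on the current environment with a constructed URI (placeholder host).
status=$(agent_status "${SSH_AUTH_SOCK:-}" "${SUDO_USER:-}") || true
printf 'agent: %s\nuri:   %s\n' "$status" \
    "$(add_no_tty 'qemu+ssh://user@host.example/system')"
```

With no_tty=1 in the URI, a missing agent shows up as a failed connection rather than an interactive password prompt, which makes the cause easier to spot in scripts.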