[Libvirt] SSH with certificates

Christian Weyermann WeyermannCh41582 at ohm-hochschule.de
Sun May 24 15:51:31 UTC 2009


Daniel P. Berrange wrote:
> On Wed, May 06, 2009 at 03:33:47PM +0200, Christian Weyermann wrote:
>   
>> Hello everybody,
>>
>> We are trying to use libvirt with qemu over ssh and our goal is to have
>> authentication done by certificates. Therefore I created a keypair on
>> the client and sent the public key to the server. Std. SSH connections
>> work without a password prompt as expected (ssh <ip> -l user), but if I
>> try "sudo virsh -c qemu+ssh://user@<ip>/system" it prompts for a
>> password (Besides that password prompt it works as expected).
>>
>> Is there anything else I have to do besides registering the public key at
>> the server?
>>     
>
> Do you really mean x509 certificates, or are you actually talking about
> RSA/DSA public keys ?  I wasn't aware that any SSH did x509 certs for
> authentication.
>
> Why are you using 'sudo' for this ? It seems rather pointless to switch
> to root to run virsh, since it is connecting to a remote host and you 
> can trivially do that as your normal user. Using 'sudo' will almost
> certainly stop ssh connecting to the 'ssh-agent' in your session.
>
> Also note, you can explicitly prevent all password prompts from ssh
> by adding '?no_tty=1' to the end of the URI
>
>
> There should never be any need to use sudo for virsh in any reasonable
> modern Linux desktop. libvirt will use PolicyKit to authenticate securely
> as non-root for local connections, and remote connections should just be
> run as the normal user
>
> Regards,
> Daniel
>   

Thanks for your help. The problem was the sudo. So stupid of
me... If I use sudo, ssh will look in the home directory of root and, of
course, there is no ssh key there. So it prompts me for authentication.
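
The failure mode discussed in this thread, as an added example that is not part of the original messages: a preflight check that reports which authentication path ssh has available to the user it actually runs as. The function names are hypothetical, the key file names are assumed to be the OpenSSH defaults, and IdentityFile settings in ssh_config are ignored.

```shell
#!/bin/sh
# Added example (not from the thread). Run it once as your normal user and
# once under sudo to see why "sudo virsh -c qemu+ssh://..." falls back to a
# password prompt.

# Home directory of the effective user, taken from the passwd database.
# ssh resolves ~/.ssh for the user it runs as, so under sudo this is
# root's home directory.
effective_home() {
    h=$(getent passwd "$(id -u)" 2>/dev/null | cut -d: -f6)
    echo "${h:-$HOME}"
}

# Succeeds if HOME_DIR/.ssh holds a private key under a default name
# (assumption: OpenSSH default identity file names).
has_default_key() {
    for name in id_rsa id_dsa id_ecdsa id_ed25519; do
        [ -f "$1/.ssh/$name" ] && return 0
    done
    return 1
}

# diagnose HOME_DIR AGENT_SOCK
# Prints the authentication path available to ssh:
#   agent            a live ssh-agent socket is reachable
#   keyfile          no agent, but a default key file exists
#   password-prompt  neither, so ssh asks for a password (or fails at once
#                    when the URI ends in ?no_tty=1)
diagnose() {
    home_dir=$1
    agent_sock=$2
    if [ -n "$agent_sock" ] && [ -S "$agent_sock" ]; then
        echo agent
    elif has_default_key "$home_dir"; then
        echo keyfile
    else
        echo password-prompt
    fi
}

# Report for whoever is running the script. sudo normally resets the
# environment, so SSH_AUTH_SOCK is usually empty there.
echo "uid $(id -u): $(diagnose "$(effective_home)" "${SSH_AUTH_SOCK:-}")"
```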



