[Libvirt] SSH with certificates

Christian Weyermann WeyermannCh41582 at ohm-hochschule.de
Sun May 24 15:51:31 UTC 2009

Daniel P. Berrange schrieb:
> On Wed, May 06, 2009 at 03:33:47PM +0200, Christian Weyermann wrote:
>> Hello everybody,
>> We are trying to use libvirt with qemu over ssh and our goal is to have
>> authentication done by certificates. Therefore I created a keypair on
>> the client and send the public key to the server. Std. SSH connections
>> work without an password prompt as expected (ssh <ip> -l user), but if I
>> try "sudo virsh -c qemu+ssh://user@<ip>/system" it prompts for a
>> password (Beside that password prompt it works as expected).
>> Is there anything else I have to do beside registering the public key at
>> the server?
> Do you really mean x509 certificates, or are you actually talking about
> RSA/DSA public keys ?  I wasn't aware that any SSH did x509 certs for
> authentication.
> Why are you using 'sudo' for this ? It seems rather pointless to switch
> to root to run virsh, since it is connecting to a remote host and you 
> can trivially do that as your normal user. Using 'sudo' will almost
> certainly stop ssh connecting to the 'ssh-agent' in your session.
> Also note, you can explicitly prevent all password prompts from ssh
> by add '?no_tty=1' to the end of the URI
> There should never be any need to use sudo for virsh in any reasonable
> modern Linux desktop. libvirt will use PolicyKit to authenticate securely
> as non-root for local connections, and remote connections should just be
> run as the normal user
> Regards,
> Daniel

Thanks, for your help The problem has been the sudo. Soo stupid from
me... If I do sudo ssh will look in the home directoy of root and, of
course, there is no ssh key there. So he prompts me for authentication.

More information about the libvir-list mailing list