[libvirt] [PATCH 0/1] qemu: Add Secure Shell (ssh) network block device.
Richard W.M. Jones
rjones at redhat.com
Mon Apr 15 11:18:43 UTC 2013
On Mon, Apr 15, 2013 at 11:31:08AM +0100, Daniel P. Berrange wrote:
> Yep, that would make it easier. Also if you did SSH key auth, but allowed
> passphrases to be passed in, instead of pulled from an agent (in same way
> SSH does if no agent is running).
Because qemu is running as a different user (qemu.qemu) it most likely
won't have access to $HOME/.ssh/id_rsa, even assuming it knew which
$HOME to go to.
For ssh key auth, it would be helpful if both the raw key file
contents and the passphrase could be stored as libvirt secrets. Is
that possible?
If so, qemu can pass both to libssh2_userauth_publickey. Almost as in
this example: http://libssh2.org/examples/ssh2.html , combined with
looking at how libssh2_userauth_publickey_fromfile is implemented:
http://git.libssh2.org/?p=libssh2.git;a=blob;f=src/userauth.c;h=a0733d5da05ff7b3656e915e503665b63c82111f;hb=HEAD#l1214
I'm also a bit concerned that the solution should be usable for
ordinary users. qemu -drive file=ssh://... currently Just Works.
----
Next questions:
- How should host_key_check be modelled via the libvirt XML / API?
- We want the user to be able to select different authentication
methods (at least, password, publickey, agent [insecurely]). How
would you see these being modelled in the API? Particularly since
these may require associated secret(s).
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming blog: http://rwmj.wordpress.com
Fedora now supports 80 OCaml packages (the OPEN alternative to F#)
More information about the libvir-list
mailing list