[PATCH 1/6] Introduce OpenSSH authorized key file mgmt APIs
Michal Privoznik
mprivozn at redhat.com
Wed Nov 11 13:43:42 UTC 2020
On 11/11/20 9:06 AM, Peter Krempa wrote:
> On Tue, Nov 10, 2020 at 16:11:41 +0100, Michal Privoznik wrote:
>> When setting up a new guest or when management software wants
>> to allow access to an existing guest, the
>> virDomainSetUserPassword() API can be used, but that might not be
>> good enough if users want to ssh into the guest. Not only does sshd have
>
> Doesn't management software already run something inside the VM which
> does all of this?
Not really. oVirt does, Kubevirt doesn't.
>
>> to be configured to accept password authentication (which is
>> usually not the case for root), users also have to type in their
>> passwords. Using SSH keys is more convenient. Therefore, two new
>> APIs are introduced:
>>
>> virDomainAuthorizedSSHKeysGet() which lists authorized keys for
>> given user, and
>>
>> virDomainAuthorizedSSHKeysSet() which modifies the authorized
>> keys file for given user (append, set or remove keys from the
>> file).
>>
>> It's worth noting that while authorized_keys file entries have
>> some structure (as defined by sshd(8)), expressing that structure
>> goes beyond libvirt's focus and thus "keys" are nothing but
>> opaque strings to libvirt.
>
> To be fair, I surely hope that the qemu-guest-agent feature is disabled
> by default. This seems a bit scary to me.
>
>> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
>> ---
>> include/libvirt/libvirt-domain.h | 17 +++++
>> src/driver-hypervisor.h | 15 ++++
>> src/libvirt-domain.c | 115 +++++++++++++++++++++++++++++++
>> src/libvirt_public.syms | 6 ++
>> 4 files changed, 153 insertions(+)
>
>
>> diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
>> index 3c5f55176a..0a55a48952 100644
>> --- a/src/libvirt-domain.c
>> +++ b/src/libvirt-domain.c
>> @@ -12758,3 +12758,118 @@ virDomainBackupGetXMLDesc(virDomainPtr domain,
>> virDispatchError(conn);
>> return NULL;
>> }
>> +
>> +
>> +/**
>> + * virDomainAuthorizedSSHKeysGet:
>> + * @domain: a domain object
>> + * @user: user to list keys for
>> + * @keys: pointer to a variable to store authorized keys
>> + * @flags: extra flags; not used yet, so callers should always pass 0
>> + *
>> + * For given @user in @domain fetch list of public SSH authorized
>> + * keys and store them into @keys array which is allocated upon
>> + * successful return. The caller is responsible for freeing @keys
>> + * when no longer needed.
>> + *
>> + * Keys are in OpenSSH format (see sshd(8)) but from libvirt's
>> + * point of view are opaque strings, i.e. not interpreted.
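Review bot: the ownership contract in `+ * keys and store them into @keys array which is allocated upon` / `+ * successful return. The caller is responsible for freeing @keys` is underspecified: state whether each string in @keys must be freed individually before the array itself, and whether the array is NULL-terminated in addition to the count returned, otherwise callers will either leak the strings or walk off the end.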
>
> Missing mention that hypervisor may require use of guest-agent.
>
>> + *
>> + * Returns: number of keys stored in @keys,
>> + * -1 otherwise.
>> + */
>> +int virDomainAuthorizedSSHKeysGet(virDomainPtr domain,
>> + const char *user,
>> + char ***keys,
>> + unsigned int flags)
>> +{
>> + virConnectPtr conn;
>> +
>> + VIR_DOMAIN_DEBUG(domain, "user=%s, keys=%p, flags=0x%x",
>> + user, keys, flags);
>> +
>> + virResetLastError();
>> +
>> + virCheckDomainReturn(domain, -1);
>> + virCheckNonNullArgReturn(user, -1);
>> + virCheckNonNullArgReturn(keys, -1);
>> + conn = domain->conn;
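Review bot: `VIR_DOMAIN_DEBUG(domain, "user=%s, keys=%p, flags=0x%x", user, keys, flags);` logs @user before `virCheckNonNullArgReturn(user, -1);` rejects a NULL, so a NULL @user reaches a %s conversion; wrap it as NULLSTR(user). Separately, any read-only check added at `conn = domain->conn;` jumps to a label, so the rest of the function (not quoted here) needs an `error:` label that calls virDispatchError(conn) and returns -1, matching the tail of virDomainBackupGetXMLDesc shown at the top of the hunk.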
>
> This API IMO _must_ use 'virCheckReadOnlyGoto(conn->flags, error);'
>
> read-only users should not be able to access the guest agent for
> security reasons and also getting the list of authorized keys may
> actually leak somewhat sensitive data (allowing identification of the
> user)
>
Ah, good point. I keep forgetting about RO connection.
Michal
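The commit message above describes virDomainAuthorizedSSHKeysSet() as appending to, replacing, or removing from a user's authorized_keys file while treating each entry as an opaque string. The following is an added example, not libvirt or qemu-guest-agent code, that models those three operations on a constructed file and shows the practical consequence of opaque matching: a line whose comment differs from the stored one does not remove the stored key, so a caller that wants to revoke key material has to fetch the list first and pass the stored lines back verbatim. The mode names, the helper names, the sample entries and the key blobs are all this example's own assumptions.

```python
"""Model of append / set / remove semantics on an OpenSSH authorized_keys
file with entries handled as opaque lines, as the proposed libvirt API
describes them. Added example; not code from libvirt or the guest agent.
All sample entries below are constructed; the base64 blobs are not real keys.
"""

import shlex

# Constructed sample entries (placeholders, not real key material).
ALICE = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHplcm8tZXhhbXBsZS1rZXktbWF0ZXJpYWw alice@laptop"
ALICE_RENAMED = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHplcm8tZXhhbXBsZS1rZXktbWF0ZXJpYWw alice@work"
BOB = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJvYi1leGFtcGxlLWtleS1tYXRlcmlhbC0wMDAw bob@desk"
# An entry carrying a leading options field, as sshd(8) permits.
BACKUP = 'command="/usr/bin/backup.sh --full",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC3 backup@host'

SAMPLE_FILE = "# constructed authorized_keys file\n\n" + ALICE + "\n" + BACKUP + "\n"

# Key types in sshd(8) entries start with one of these prefixes.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_authorized_keys(text: str) -> list[str]:
    """Split file contents into entries: one whitespace-trimmed line each.
    Blank lines and '#' comment lines are not entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.append(line)
    return entries


def serialize(entries: list[str]) -> str:
    """Reassemble entries into file contents, one per line."""
    return "".join(e + "\n" for e in entries)


def apply_change(current: list[str], keys: list[str], mode: str) -> list[str]:
    """Compute the new entry list for one Set-style call.

    mode is 'set' (replace the file), 'append' (add entries not yet present)
    or 'remove' (drop entries that match). These mode names are assumptions of
    this example. Matching is exact string comparison, because entries are
    opaque: options, type, blob and comment are all part of the string."""
    if mode == "set":
        result, additions = [], keys
    elif mode == "append":
        result, additions = list(current), keys
    elif mode == "remove":
        unwanted = set(keys)
        return [e for e in current if e not in unwanted]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    for k in additions:
        k = k.strip()
        if k and k not in result:  # never write a duplicate line
            result.append(k)
    return result


def key_material(entry: str) -> tuple[str, str]:
    """Return (key type, base64 blob) of an entry, skipping an optional leading
    options field. shlex keeps quoted options such as command="a b" together so
    the key type is found even when the options contain spaces."""
    fields = shlex.split(entry)
    for i, field in enumerate(fields):
        if field.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(fields):
            return field, fields[i + 1]
    raise ValueError("no key type and blob found in entry")


def lines_to_revoke(current: list[str], entry: str) -> list[str]:
    """The stored lines a caller must hand to a 'remove' call to revoke the key
    material in `entry`, whatever options or comment the stored lines carry.
    This is the fetch-then-match step an opaque-string API pushes onto callers."""
    wanted = key_material(entry)
    return [e for e in current if key_material(e) == wanted]


if __name__ == "__main__":
    current = parse_authorized_keys(SAMPLE_FILE)
    print("append:", apply_change(current, [ALICE, BOB], "append"))
    print("remove by differing comment leaves file unchanged:",
          apply_change(current, [ALICE_RENAMED], "remove") == current)
    print("lines to revoke alice's material:", lines_to_revoke(current, ALICE_RENAMED))
    print(serialize(apply_change(current, lines_to_revoke(current, ALICE_RENAMED), "remove")))
```

The `remove` case is the one to watch when wiring this into a management tool: because libvirt does not look inside the string, a revocation request built from the key a user originally uploaded will silently miss the stored line if the guest rewrote the comment or added options, so revocation should always go through the Get call and then pass back the exact strings it returned.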