[PATCH v2 1/6] Introduce OpenSSH authorized key file mgmt APIs

Michal Privoznik mprivozn at redhat.com
Mon Nov 16 17:41:57 UTC 2020 

On 11/16/20 3:46 PM, Peter Krempa wrote:
> On Mon, Nov 16, 2020 at 13:20:58 +0100, Michal Privoznik wrote:
>> When setting up a new guest or when a management software wants
>> to allow access to an existing guest the
>> virDomainSetUserPassword() API can be used, but that might be not
>> good enough if user want to ssh into the guest. Not only sshd has
>> to be configured to accept password authentication (which is
>> usually not the case for root), user have to type in their
>> password. Using SSH keys is more convenient. Therefore, two new
>> APIs are introduced:
>>
>> virDomainAuthorizedSSHKeysGet() which lists authorized keys for
>> given user, and
>>
>> virDomainAuthorizedSSHKeysSet() which modifies the authorized
>> keys file for given user (append, set or remove keys from the
>> file).
>>
>> It's worth nothing that while authorized_keys file entries have
>> some structure (as defined by sshd(8)), expressing that structure
>> goes beyond libvirt's focus and thus "keys" are nothing but an
>> opaque string to libvirt.
>>
>> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
>> ---
>>   include/libvirt/libvirt-domain.h |  17 ++++
>>   src/driver-hypervisor.h          |  15 ++++
>>   src/libvirt-domain.c             | 133 +++++++++++++++++++++++++++++++
>>   src/libvirt_public.syms          |   6 ++
>>   4 files changed, 171 insertions(+)
> 
> [..]
> 
>> diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
>> index 3c5f55176a..47b821f7d4 100644
>> --- a/src/libvirt-domain.c
>> +++ b/src/libvirt-domain.c
>> @@ -12758,3 +12758,136 @@ virDomainBackupGetXMLDesc(virDomainPtr domain,
>>       virDispatchError(conn);
>>       return NULL;
>>   }
>> +
>> +
>> +/**
>> + * virDomainAuthorizedSSHKeysGet:
>> + * @domain: a domain object
>> + * @user: user to list keys for
>> + * @keys: pointer to a variable to store authorized keys
>> + * @flags: extra flags; not used yet, so callers should always pass 0
>> + *
>> + * For given @user in @domain fetch list of public SSH authorized
>> + * keys and store them into @keys array which is allocated upon
>> + * successful return. The caller is responsible for freeing @keys
>> + * when no longer needed.
> 
> One nit. We tend to NULL-terminate such lists so that users can use
> various checks for iteration.
> 

Ah, good point. I guess it makes sense to NULL terminate only if 
actually returning something, i.e. if the retval > 0.

Michal

More information about the libvir-list mailing list