[libvirt PATCH 07/11] virnetclient: Use 'if' consistently
Daniel P. Berrangé
berrange at redhat.com
Mon Feb 14 10:25:48 UTC 2022

On Mon, Feb 14, 2022 at 01:56:17AM -0800, Andrea Bolognani wrote:
> On Fri, Feb 11, 2022 at 05:46:31PM +0000, Daniel P. Berrangé wrote:
> > > - return g_strdup_printf("sh -c 'which virt-ssh-helper 1>/dev/null 2>&1; "
> > > - "if test $? = 0; then "
> > > + return g_strdup_printf("sh -c 'if which virt-ssh-helper >/dev/null 2>&1; then "
> > > "%s; "
> > > "else "
> > > "%s; "
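Review bot: The rewritten first line of the string literal passed to g_strdup_printf() changes the exact text of the shell command without changing its behaviour: "which virt-ssh-helper 1>/dev/null 2>&1; if test $? = 0; then" becomes "if which virt-ssh-helper >/dev/null 2>&1; then". Anything on the remote side that compares the invoked command against a fixed string will stop matching. I would leave the existing literal byte-for-byte as it is and add a comment above it saying that the command text has to stay stable, so that a later cleanup does not touch it either.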
> >
> > I understand the motivation, but please don't change this. Applications
> > like OpenStack have configured ssh authorized_keys files with the
> > specific command that libvirt invokes. So changes like this will break
> > their SSH configs. We caused this pain when we first introduced the
> > virt-ssh-helper, but at least that was giving them a functional
> > improvement and they could use a URI parameter to force the old command
> > string. This change is just prettiness for no functional improvement
> > so is not worth breaking apps for.
>
> Can you please provide pointers to the OpenStack implementation of
> this and the issue that resulted from introducing virt-ssh-helper?

I don't know where the code is. I just know that they were broken
by our changes in this area.

> AFAICT the only way to restrict what commands a user can run after
> successfully authenticating is to specify command=... before the
> corresponding key in authorized_keys and I don't see how this change,
> or indeed the one that happened when virt-ssh-helper was added, could
> interfere with that.

The command that was listed in the authorized_keys file no longer
matched what libvirt was actually invoking, so it was rightly
rejected.

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|