[libvirt PATCH v5 29/32] schema: add configuration for host verification of ssh disks
Peter Krempa
pkrempa at redhat.com
Fri Feb 17 10:00:40 UTC 2023
On Thu, Feb 16, 2023 at 16:59:33 -0600, Jonathon Jongsma wrote:
> On 2/16/23 10:45 AM, Peter Krempa wrote:
> > On Tue, Feb 14, 2023 at 11:08:16 -0600, Jonathon Jongsma wrote:
> > > In order to make ssh disks usable, we need to be able to validate a
> > > remote host. To do this, add a <knownHosts> xml element for ssh disks to
> > > allow the user to specify a location for a file that contains known host
> > > keys. Implementation to follow.
> > >
> > > Signed-off-by: Jonathon Jongsma <jjongsma at redhat.com>
> > > ---
> > > docs/formatdomain.rst | 6 ++++++
> > > src/conf/schemas/domaincommon.rng | 11 +++++++++++
> > > 2 files changed, 17 insertions(+)
> > >
> > > diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst
> > > index bf071255c5..d5ad5d80b0 100644
> > > --- a/docs/formatdomain.rst
> > > +++ b/docs/formatdomain.rst
> > > @@ -2953,6 +2953,12 @@ paravirtualized driver is specified via the ``disk`` element.
> > > If the reconnect feature is enabled, accepts ``yes`` and ``no``
> > > ``timeout``
> > > The amount of seconds after which hypervisor tries to reconnect.
> > > + ``knownHosts``
> > > + For storage accessed via the ``ssh`` protocol, this element configures a
> > > + path to a file containing a list of known ssh hosts to be used to verify
> > > + the remote host. The location of the file is specified via the ``path``
> > > + attribute.
> > > + :since:`Since 9.1.0`
> >
> > How does nbdkit do enrollment here? Does it expect a pre-filled set of
> > known hosts? Or does it allow new host on first use?
> >
>
> It expects a prefilled known hosts file. Here's what it says in the manpage
> for nbdkit-ssh-plugin:
>
> Known hosts
> The SSH server’s host key is checked at connection time, and must be
> present and correct in the local "known hosts" file.
>
> If you have never connected to the SSH server before then the
> connection will usually fail. You can:
>
> • connect to the server first using ssh(1) so you can manually
> accept the host key, or
>
> • provide the host key in an alternate file which you specify using
> the "known-hosts" option, or
>
> • set verify-remote-host=false on the command line. This latter
> option is dangerous because it allows a MITM attack to be conducted against
> you.
Okay. The fact that it expects a pre-filled knownHosts should be
mentioned in the docs. I think it's a reasonable limitation. I'd not
bother with allowing to disable verification at all.
With docs updated:
Reviewed-by: Peter Krempa <pkrempa at redhat.com>
More information about the libvir-list
mailing list