[Ovirt-devel] [PATCH node] Use --no-check-certificate with wget

Perry Myers pmyers at redhat.com
Wed Feb 25 12:53:30 UTC 2009


Ian Main wrote:
> This patch adds the --no-check-certificate to wget for all wgets since
> the server now requires ssl and doesn't have a valid cert.  I'm not
> certain this is the best way to handle this case but I'm posting this
> patch anyway to see if it works and if it's an acceptable solution.
> Note that I have not yet tested this either. :)

ovirt-listen-awake is only used on the 'demo setup' (i.e. running guests 
on the host where the ovirt-appliance is running) so no issues with that.

The other two places are during normal oVirt Node startup.  This method of 
retrieving keytabs from the oVirt Server was already insecure (and noted 
as such) so this doesn't make it any worse.  However, we should make it 
clear that just because the keytabs are retrieved over SSL there is still 
no guarantee of security using this scheme.

The only secure method of distributing keytabs at the moment is providing 
them via sneaker-net on a USB thumb drive.

Perry

> Signed-off-by: Ian Main <imain at redhat.com>
> ---
>  ovirt-listen-awake/ovirt-listen-awake.c |    2 +-
>  scripts/ovirt                           |    2 +-
>  scripts/ovirt-awake                     |    2 +-
>  scripts/ovirt-early                     |    2 +-
>  4 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/ovirt-listen-awake/ovirt-listen-awake.c b/ovirt-listen-awake/ovirt-listen-awake.c
> index 7ecd0a7..9af5bbf 100644
> --- a/ovirt-listen-awake/ovirt-listen-awake.c
> +++ b/ovirt-listen-awake/ovirt-listen-awake.c
> @@ -208,7 +208,7 @@ int main(int argc, char *argv[])
>        // (in particular, which DNS server to use to resolve, and which
>        // domainname).  Until I come up with a good solution for that, I'll
>        // have to leave this as-is.
> -      system("wget -q http://192.168.50.2:80/ipa/config/krb5.ini -O /etc/krb5.conf");
> +      system("wget -q --no-check-certificate http://192.168.50.2:80/ipa/config/krb5.ini -O /etc/krb5.conf");
>        system("ovirt-awake start 192.168.50.2 12120 /etc/libvirt/krb5.tab");
>      }
>      else {
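Review bot: the URL on the changed line is still `http://192.168.50.2:80/ipa/config/krb5.ini`, so `--no-check-certificate` only has an effect if that server answers with a redirect to https; if the server now requires SSL, as the commit message says, the URL should be switched to `https://` and the TLS port, or the reliance on a redirect noted in the comment block above. Since this writes `/etc/krb5.conf` with certificate verification disabled, that comment block is also the place to record that the fetch is unauthenticated, and the `system()` return value is not checked, so a failed download goes unnoticed.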
> diff --git a/scripts/ovirt b/scripts/ovirt
> index 4c336ae..8296783 100755
> --- a/scripts/ovirt
> +++ b/scripts/ovirt
> @@ -18,7 +18,7 @@ start() {
>      if [ -n "$SRV_HOST" -a -n "$SRV_PORT" ]; then
>          krb5_conf=/etc/krb5.conf
>          # FIXME this is IPA specific
> -        wget -q \
> +        wget -q --no-check-certificate \
>              http://$SRV_HOST:$SRV_PORT/ipa/config/krb5.ini -O $krb5_conf.tmp
>          if [ $? -ne 0 ]; then
>              log "Failed to get $krb5_conf"; return 1
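Review bot: the request on the continuation line is still `http://$SRV_HOST:$SRV_PORT/ipa/config/krb5.ini`, so the added flag changes nothing unless wget is redirected to an https URL; change the scheme to `https://` (with the matching port) if the server now requires SSL. Rather than disabling verification outright, `--ca-certificate=<path to the oVirt Server CA>` would keep the transfer authenticated against the server's own CA, which matters because this file becomes `/etc/krb5.conf`.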
> diff --git a/scripts/ovirt-awake b/scripts/ovirt-awake
> index c369933..56fcb57 100644
> --- a/scripts/ovirt-awake
> +++ b/scripts/ovirt-awake
> @@ -64,7 +64,7 @@ start () {
>              if [ -n "$KEYTAB" -a -n "$KEYTAB_FILE" ]; then
>                  echo "Retrieving keytab: '$KEYTAB'"
>  
> -                wget -q "$KEYTAB" --output-document="$KEYTAB_FILE"
> +                wget -q "$KEYTAB" --no-check-certificate --output-document="$KEYTAB_FILE"
>              else
>                  echo "No keytab to retrieve"
>              fi
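Review bot: `--no-check-certificate` is placed after the URL in this hunk while the other three put it before; GNU wget permutes arguments so it works, but keeping options before the URL matches the rest of the patch. Because `$KEYTAB_FILE` receives a Kerberos keytab, this line deserves a comment that the download is unauthenticated when verification is disabled, or `--ca-certificate` pointing at the server CA in place of the new flag.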
> diff --git a/scripts/ovirt-early b/scripts/ovirt-early
> index b757614..5194446 100755
> --- a/scripts/ovirt-early
> +++ b/scripts/ovirt-early
> @@ -39,7 +39,7 @@ configure_from_network() {
>                      cfgdb=$(mktemp)
>                      get_mac_addresses
>                      log "MACs to use: $macs"
> -                    wget -O $cfgdb \
> +                    wget -O $cfgdb --no-check-certificate \
>                        "http://$SRV_HOST:$SRV_PORT/ovirt/managed_node/config?host=$(hostname)&macs=$macs"
>                      if [ $? -eq 0 ]; then
>                          log "Remote configuration bundle retrieved to $cfgdb"
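Review bot: same scheme issue as the other scripts: the URL on the continuation line is `http://$SRV_HOST:$SRV_PORT/ovirt/managed_node/config?...`, so the flag has no effect on a plain-HTTP request; use `https://` if that is what the server now requires. `$cfgdb` in `-O $cfgdb` is also unquoted; it comes from `mktemp` so it is harmless here, but `-O "$cfgdb"` would match the quoting used for `--output-document="$KEYTAB_FILE"` in ovirt-awake.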


-- 
|=-        Red Hat, Engineering, Emerging Technologies, Boston        -=|
|=-                     Email: pmyers at redhat.com                      -=|
|=-         Office: +1 412 474 3552   Mobile: +1 703 362 9622         -=|
|=- GnuPG: E65E4F3D 88F9 F1C9 C2F3 1303 01FE 817C C5D2 8B91 E65E 4F3D -=|
