10:47 a.m.
Most of the nwfilter tests utilize SSH connections to execute some commands to
cross reference whether the requested change in libvirt took effect. However,
fedora 31 disables password-based auth for root login which breaks the test
suite.
Erik Skultety (2):
lib: TCK.pm: Favour pubkey auth over passwords on SSH connections
nwfilter: Make use of the SSH pubkey auth rather than password-based
auth
lib/Sys/Virt/TCK.pm | 30 ++++++++++++++++++++++++-
scripts/nwfilter/210-no-mac-spoofing.t | 2 +-
scripts/nwfilter/220-no-ip-spoofing.t | 2 +-
scripts/nwfilter/230-no-mac-broadcast.t | 2 +-
scripts/nwfilter/240-no-arp-spoofing.t | 2 +-
5 files changed, 33 insertions(+), 5 deletions(-)
--
2.24.1
10:47 a.m.
New subject: [libvirt-tck PATCH 1/2] lib: TCK.pm: Favour pubkey auth over passwords on SSH connections
The reason for this change is our Fedora 31 test image, because starting
with Fedora 31, the SSH policy for root logins with password
authentication changed and password auth is now disabled by default.
Since we were relying on this, we're now unable to log in to the guest
as root. Let's convert to the SSH keys usage.
Signed-off-by: Erik Skultety <eskultet(a)redhat.com>
---
lib/Sys/Virt/TCK.pm | 30 +++++++++++++++++++++++++++++-
1 file changed, 29 insertions(+), 1 deletion(-)
diff --git a/lib/Sys/Virt/TCK.pm b/lib/Sys/Virt/TCK.pm
index a641d01..5a5c9e4 100644
--- a/lib/Sys/Virt/TCK.pm
+++ b/lib/Sys/Virt/TCK.pm
@@ -408,6 +408,32 @@ sub has_disk_image {
return -f $target
}
+sub ssh_key_path {
+ my $self = shift;
+ my $basedir = shift;
+
+ return catfile($basedir, "ssh", "id_rsa");
+}
+
+sub create_host_ssh_keys {
+ my $self = shift;
+
+ my $scratch = $self->scratch_dir;
+ my $ssh_dir_path = catfile($scratch, "ssh");
+ my $ssh_key_path = $self->ssh_key_path($scratch);
+
+ if (! -d "$ssh_dir_path") {
+ mkdir "$ssh_dir_path", 0700;
+ }
+
+ if (! -e "$ssh_key_path") {
+ print "# generating a new SSH RSA key pair under $ssh_dir_path\n";
+ system "ssh-keygen -q -t rsa -f $ssh_key_path -N ''";
+ }
+
+ return $ssh_key_path;
+}
+
sub create_virt_builder_disk {
my $self = shift;
my $bucket = shift;
@@ -424,8 +450,10 @@ sub create_virt_builder_disk {
return $target;
}
+ my $ssh_key_path = $self->create_host_ssh_keys;
+
print "# running virt-builder $osname\n";
- system "virt-builder", "--install", "dsniff",
"--selinux-relabel", "--root-password",
"password:$password", "--output", $target, $osname;
+ system "virt-builder", "--install", "dsniff",
"--selinux-relabel", "--root-password",
"password:$password", "--ssh-inject",
"root:file:$ssh_key_path.pub", "--output", $target, $osname;
die "cannot run virt-builder: $?" if $? != 0;
--
2.24.1
11:01 a.m.
New subject: [libvirt-tck PATCH 1/2] lib: TCK.pm: Favour pubkey auth over passwords on SSH connections
On Tue, Jan 21, 2020 at 05:47:16PM +0100, Erik Skultety wrote:
The reason for this change is our Fedora 31 test image, because
starting
with Fedora 31, the SSH policy for root logins with password
authentication changed and password auth is now disabled by default.
Since we were relying on this, we're now unable to log in to the guest
as root. Let's convert to the SSH keys usage.
Signed-off-by: Erik Skultety <eskultet(a)redhat.com>
---
lib/Sys/Virt/TCK.pm | 30 +++++++++++++++++++++++++++++-
1 file changed, 29 insertions(+), 1 deletion(-)
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
11:08 a.m.
New subject: [libvirt-tck PATCH 1/2] lib: TCK.pm: Favour pubkey auth over passwords on SSH connections
On Tue, Jan 21, 2020 at 05:47:16PM +0100, Erik Skultety wrote:
The reason for this change is our Fedora 31 test image, because
starting
with Fedora 31, the SSH policy for root logins with password
authentication changed and password auth is now disabled by default.
Since we were relying on this, we're now unable to log in to the guest
as root. Let's convert to the SSH keys usage.
Signed-off-by: Erik Skultety <eskultet(a)redhat.com>
---
lib/Sys/Virt/TCK.pm | 30 +++++++++++++++++++++++++++++-
1 file changed, 29 insertions(+), 1 deletion(-)
diff --git a/lib/Sys/Virt/TCK.pm b/lib/Sys/Virt/TCK.pm
index a641d01..5a5c9e4 100644
--- a/lib/Sys/Virt/TCK.pm
+++ b/lib/Sys/Virt/TCK.pm
@@ -408,6 +408,32 @@ sub has_disk_image {
return -f $target
}
+sub ssh_key_path {
+ my $self = shift;
+ my $basedir = shift;
+
+ return catfile($basedir, "ssh", "id_rsa");
+}
+
+sub create_host_ssh_keys {
+ my $self = shift;
+
+ my $scratch = $self->scratch_dir;
+ my $ssh_dir_path = catfile($scratch, "ssh");
+ my $ssh_key_path = $self->ssh_key_path($scratch);
+
+ if (! -d "$ssh_dir_path") {
+ mkdir "$ssh_dir_path", 0700;
+ }
+
+ if (! -e "$ssh_key_path") {
+ print "# generating a new SSH RSA key pair under $ssh_dir_path\n";
I'm wondering whether I should actually use diag here^ instead, do you have a
suggestion Dan?
11:10 a.m.
New subject: [libvirt-tck PATCH 1/2] lib: TCK.pm: Favour pubkey auth over passwords on SSH connections
On Tue, Jan 21, 2020 at 06:08:01PM +0100, Erik Skultety wrote:
On Tue, Jan 21, 2020 at 05:47:16PM +0100, Erik Skultety wrote:
> The reason for this change is our Fedora 31 test image, because starting
> with Fedora 31, the SSH policy for root logins with password
> authentication changed and password auth is now disabled by default.
> Since we were relying on this, we're now unable to log in to the guest
> as root. Let's convert to the SSH keys usage.
>
> Signed-off-by: Erik Skultety <eskultet(a)redhat.com>
> ---
> lib/Sys/Virt/TCK.pm | 30 +++++++++++++++++++++++++++++-
> 1 file changed, 29 insertions(+), 1 deletion(-)
>
> diff --git a/lib/Sys/Virt/TCK.pm b/lib/Sys/Virt/TCK.pm
> index a641d01..5a5c9e4 100644
> --- a/lib/Sys/Virt/TCK.pm
> +++ b/lib/Sys/Virt/TCK.pm
> @@ -408,6 +408,32 @@ sub has_disk_image {
> return -f $target
> }
>
> +sub ssh_key_path {
> + my $self = shift;
> + my $basedir = shift;
> +
> + return catfile($basedir, "ssh", "id_rsa");
> +}
> +
> +sub create_host_ssh_keys {
> + my $self = shift;
> +
> + my $scratch = $self->scratch_dir;
> + my $ssh_dir_path = catfile($scratch, "ssh");
> + my $ssh_key_path = $self->ssh_key_path($scratch);
> +
> + if (! -d "$ssh_dir_path") {
> + mkdir "$ssh_dir_path", 0700;
> + }
> +
> + if (! -e "$ssh_key_path") {
> + print "# generating a new SSH RSA key pair under
$ssh_dir_path\n";
I'm wondering whether I should actually use diag here^ instead, do you have a
suggestion Dan?
I guess we do use diag in the rest of the file, so it would be worth
being consistent, even if it is functionally identical.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
11:17 a.m.
New subject: [libvirt-tck PATCH 1/2] lib: TCK.pm: Favour pubkey auth over passwords on SSH connections
...
> > + if (! -e "$ssh_key_path") {
> > + print "# generating a new SSH RSA key pair under
$ssh_dir_path\n";
>
> I'm wondering whether I should actually use diag here^ instead, do you have a
> suggestion Dan?
I guess we do use diag in the rest of the file, so it would be worth
being consistent, even if it is functionally identical.
Got it, consider it changed.
Thanks,
Erik
10:47 a.m.
New subject: [libvirt-tck PATCH 2/2] nwfilter: Make use of the SSH pubkey auth rather than password-based auth
Not only have SSH keys been a good practice for a while, it fixes our
SSH connections to the f31 test vm.
Signed-off-by: Erik Skultety <eskultet(a)redhat.com>
---
scripts/nwfilter/210-no-mac-spoofing.t | 2 +-
scripts/nwfilter/220-no-ip-spoofing.t | 2 +-
scripts/nwfilter/230-no-mac-broadcast.t | 2 +-
scripts/nwfilter/240-no-arp-spoofing.t | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/scripts/nwfilter/210-no-mac-spoofing.t
b/scripts/nwfilter/210-no-mac-spoofing.t
index 95f003a..9798c4f 100644
--- a/scripts/nwfilter/210-no-mac-spoofing.t
+++ b/scripts/nwfilter/210-no-mac-spoofing.t
@@ -95,7 +95,7 @@ ok($ping =~ "10 received", "ping $guestip test");
diag "ssh'ing into $guestip";
my $ssh = Net::OpenSSH->new($guestip,
user => "root",
- password => $tck->root_password(),
+ key_path => $tck->ssh_key_path($tck->scratch_dir()),
master_opts => [-o =>
"UserKnownHostsFile=/dev/null",
-o =>
"StrictHostKeyChecking=no"]);
diff --git a/scripts/nwfilter/220-no-ip-spoofing.t
b/scripts/nwfilter/220-no-ip-spoofing.t
index bacb861..9615d99 100644
--- a/scripts/nwfilter/220-no-ip-spoofing.t
+++ b/scripts/nwfilter/220-no-ip-spoofing.t
@@ -89,7 +89,7 @@ ok($ebtable =~ "$guestip", "check ebtables entry");
diag "ssh'ing into $guestip";
my $ssh = Net::OpenSSH->new($guestip,
user => "root",
- password => $tck->root_password(),
+ key_path => $tck->ssh_key_path($tck->scratch_dir()),
master_opts => [-o =>
"UserKnownHostsFile=/dev/null",
-o =>
"StrictHostKeyChecking=no"]);
diff --git a/scripts/nwfilter/230-no-mac-broadcast.t
b/scripts/nwfilter/230-no-mac-broadcast.t
index b518a81..59683fa 100644
--- a/scripts/nwfilter/230-no-mac-broadcast.t
+++ b/scripts/nwfilter/230-no-mac-broadcast.t
@@ -117,7 +117,7 @@ system("/usr/sbin/tcpdump -v -i virbr0 -n host
$networkipbroadcast and ether hos
diag "ssh'ing into $guestip";
my $ssh = Net::OpenSSH->new($guestip,
user => "root",
- password => $tck->root_password(),
+ key_path => $tck->ssh_key_path($tck->scratch_dir()),
master_opts => [-o =>
"UserKnownHostsFile=/dev/null",
-o =>
"StrictHostKeyChecking=no"]);
diff --git a/scripts/nwfilter/240-no-arp-spoofing.t
b/scripts/nwfilter/240-no-arp-spoofing.t
index 77b36d2..2c860ed 100644
--- a/scripts/nwfilter/240-no-arp-spoofing.t
+++ b/scripts/nwfilter/240-no-arp-spoofing.t
@@ -98,7 +98,7 @@ system("/usr/sbin/tcpdump -v -i virbr0 not ip >
/tmp/tcpdump.log &");
diag "ssh'ing into $guestip";
my $ssh = Net::OpenSSH->new($guestip,
user => "root",
- password => $tck->root_password(),
+ key_path => $tck->ssh_key_path($tck->scratch_dir()),
master_opts => [-o =>
"UserKnownHostsFile=/dev/null",
-o =>
"StrictHostKeyChecking=no"]);
--
2.24.1
11:02 a.m.
New subject: [libvirt-tck PATCH 2/2] nwfilter: Make use of the SSH pubkey auth rather than password-based auth
On Tue, Jan 21, 2020 at 05:47:17PM +0100, Erik Skultety wrote:
Not only have SSH keys been a good practice for a while, it fixes
our
SSH connections to the f31 test vm.
Signed-off-by: Erik Skultety <eskultet(a)redhat.com>
---
scripts/nwfilter/210-no-mac-spoofing.t | 2 +-
scripts/nwfilter/220-no-ip-spoofing.t | 2 +-
scripts/nwfilter/230-no-mac-broadcast.t | 2 +-
scripts/nwfilter/240-no-arp-spoofing.t | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/scripts/nwfilter/210-no-mac-spoofing.t
b/scripts/nwfilter/210-no-mac-spoofing.t
index 95f003a..9798c4f 100644
--- a/scripts/nwfilter/210-no-mac-spoofing.t
+++ b/scripts/nwfilter/210-no-mac-spoofing.t
@@ -95,7 +95,7 @@ ok($ping =~ "10 received", "ping $guestip test");
diag "ssh'ing into $guestip";
my $ssh = Net::OpenSSH->new($guestip,
user => "root",
- password => $tck->root_password(),
+ key_path => $tck->ssh_key_path($tck->scratch_dir()),
Tabs in indent here & the other four places.
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
11:05 a.m.
New subject: [libvirt-tck PATCH 2/2] nwfilter: Make use of the SSH pubkey auth rather than password-based auth
On Tue, Jan 21, 2020 at 05:02:09PM +0000, Daniel P. Berrangé wrote:
On Tue, Jan 21, 2020 at 05:47:17PM +0100, Erik Skultety wrote:
> Not only have SSH keys been a good practice for a while, it fixes our
> SSH connections to the f31 test vm.
>
> Signed-off-by: Erik Skultety <eskultet(a)redhat.com>
> ---
> scripts/nwfilter/210-no-mac-spoofing.t | 2 +-
> scripts/nwfilter/220-no-ip-spoofing.t | 2 +-
> scripts/nwfilter/230-no-mac-broadcast.t | 2 +-
> scripts/nwfilter/240-no-arp-spoofing.t | 2 +-
> 4 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/scripts/nwfilter/210-no-mac-spoofing.t
b/scripts/nwfilter/210-no-mac-spoofing.t
> index 95f003a..9798c4f 100644
> --- a/scripts/nwfilter/210-no-mac-spoofing.t
> +++ b/scripts/nwfilter/210-no-mac-spoofing.t
> @@ -95,7 +95,7 @@ ok($ping =~ "10 received", "ping $guestip
test");
> diag "ssh'ing into $guestip";
> my $ssh = Net::OpenSSH->new($guestip,
> user => "root",
> - password => $tck->root_password(),
> + key_path => $tck->ssh_key_path($tck->scratch_dir()),
Tabs in indent here & the other four places.
Shoot, I created the patches in a VM where I don't have all my editor settings,
sorry, will change.
Thanks,
Erik
1767
days inactive
1767
days old
8 comments
2 participants
participants (2)
-
Daniel P. Berrangé -
Erik Skultety