Re: [libvirt PATCH 07/11] virnetclient: Use 'if' consistently

> > I understand the motivation, but please don't change this. Applications > > like OpenStack have configured ssh authorized_keys files with the > > specific command that libvirt invokes. So changes like this will break > > their SSH configs. We caused this pain when we first introduced the > > virt-ssh-helper, but at least that was giving them a functional > > improvement and they could use a URI parameter to force the old command > > string. This change is just prettiness for no functional improvement > > so is not worth breaking apps for. > > Can you please provide pointers to the OpenStack implementation of > this and the issue that resulted from introducing virt-ssh-helper? I don't know where the code is. I just know that they were broken by our changes in this area. > AFAICT the only way to restrict what commands a user can run after > successfully authenticating is to specify command=... before the > corresponding key in authorized_keys and I don't see how this change, > or indeed the one that happened when virt-ssh-helper was added, could > interfere with that. The command that was listed in the authorized_keys file no longer matched what libvirt was actually invoking, so it was rightly rejected.