Re: [Libvirt] SSH with certificates

On Wed, May 06, 2009 at 03:33:47PM +0200, Christian Weyermann wrote: > Hello everybody, > > We are trying to use libvirt with qemu over ssh and our goal is to have > authentication done by certificates. Therefore I created a keypair on > the client and send the public key to the server. Std. SSH connections > work without an password prompt as expected (ssh <ip> -l user), but if I > try "sudo virsh -c qemu+ssh://user@<ip>/system" it prompts for a > password (Beside that password prompt it works as expected). > > Is there anything else I have to do beside registering the public key at > the server? > Do you really mean x509 certificates, or are you actually talking about RSA/DSA public keys ? I wasn't aware that any SSH did x509 certs for authentication. Why are you using 'sudo' for this ? It seems rather pointless to switch to root to run virsh, since it is connecting to a remote host and you can trivially do that as your normal user. Using 'sudo' will almost certainly stop ssh connecting to the 'ssh-agent' in your session. Also note, you can explicitly prevent all password prompts from ssh by add '?no_tty=1' to the end of the URI There should never be any need to use sudo for virsh in any reasonable modern Linux desktop. libvirt will use PolicyKit to authenticate securely as non-root for local connections, and remote connections should just be run as the normal user Regards, Daniel