Set StrictHostKeyChecking=no to auto-accept new ssh host keys if the
no_verify extra parameter was specified. This won't disable host key
checking for already known hosts. Includes a test and documentation.
---
Thanks for the review, here's an updated patch.
docs/remote.html.in | 9 +++++++--
src/remote/remote_driver.c | 1 +
src/rpc/virnetclient.c | 3 ++-
src/rpc/virnetclient.h | 1 +
src/rpc/virnetsocket.c | 3 +++
src/rpc/virnetsocket.h | 1 +
tests/virnetsockettest.c | 22 +++++++++++++++++++---
7 files changed, 34 insertions(+), 6 deletions(-)
diff --git a/docs/remote.html.in b/docs/remote.html.in
index f6a0683..39d65aa 100644
--- a/docs/remote.html.in
+++ b/docs/remote.html.in
@@ -279,9 +279,14 @@ Note that parameter values must be
<td>
<code>no_verify</code>
</td>
- <td> tls </td>
- <td>
- If set to a non-zero value, this disables client checks of the
+ <td> ssh, tls </td>
+ <td>
+ SSH: If set to a non-zero value, this disables client's strict host key
+ checking making it auto-accept new host keys. Existing host keys will
+ still be validated.
+ <br/>
+ <br/>
+ TLS: If set to a non-zero value, this disables client checks of the
server's certificate. Note that to disable server checks of
the client's certificate or IP address you must
<a href="#Remote_libvirtd_configuration">change the libvirtd
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index 5c0457e..6921c15 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -571,6 +571,7 @@ doRemoteOpen (virConnectPtr conn,
command,
username,
no_tty,
+ no_verify,
netcat ? netcat : "nc",
sockname)))
goto failed;
diff --git a/src/rpc/virnetclient.c b/src/rpc/virnetclient.c
index 6a112ee..b9f0fc8 100644
--- a/src/rpc/virnetclient.c
+++ b/src/rpc/virnetclient.c
@@ -187,12 +187,13 @@ virNetClientPtr virNetClientNewSSH(const char *nodename,
const char *binary,
const char *username,
bool noTTY,
+ bool noVerify,
const char *netcat,
const char *path)
{
virNetSocketPtr sock;
- if (virNetSocketNewConnectSSH(nodename, service, binary, username, noTTY, netcat,
path, &sock) < 0)
+ if (virNetSocketNewConnectSSH(nodename, service, binary, username, noTTY, noVerify,
netcat, path, &sock) < 0)
return NULL;
return virNetClientNew(sock, NULL);
diff --git a/src/rpc/virnetclient.h b/src/rpc/virnetclient.h
index de0782c..6acdf50 100644
--- a/src/rpc/virnetclient.h
+++ b/src/rpc/virnetclient.h
@@ -44,6 +44,7 @@ virNetClientPtr virNetClientNewSSH(const char *nodename,
const char *binary,
const char *username,
bool noTTY,
+ bool noVerify,
const char *netcat,
const char *path);
diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
index 3392047..41d9954 100644
--- a/src/rpc/virnetsocket.c
+++ b/src/rpc/virnetsocket.c
@@ -576,6 +576,7 @@ int virNetSocketNewConnectSSH(const char *nodename,
const char *binary,
const char *username,
bool noTTY,
+ bool noVerify,
const char *netcat,
const char *path,
virNetSocketPtr *retsock)
@@ -596,6 +597,8 @@ int virNetSocketNewConnectSSH(const char *nodename,
if (noTTY)
virCommandAddArgList(cmd, "-T", "-o",
"BatchMode=yes",
"-e", "none", NULL);
+ if (noVerify)
+ virCommandAddArgList(cmd, "-o", "StrictHostKeyChecking=no",
NULL);
virCommandAddArgList(cmd, nodename,
netcat ? netcat : "nc",
"-U", path, NULL);
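Review bot: `StrictHostKeyChecking=no` is weaker than what the commit message and docs hunk promise ("Existing host keys will still be validated"): per ssh_config(5), with `no` OpenSSH adds unknown keys to known_hosts and also lets a connection to a host whose key has changed proceed, only with some restrictions (e.g. password authentication disabled), so a changed key produces a warning rather than a refusal. The "accept unknown, still reject changed" semantics described here is what later OpenSSH releases provide as `StrictHostKeyChecking=accept-new`; where that value is unavailable, the option should be documented as also relaxing checks for already-known hosts. Suggest a comment above the new block, e.g. `/* "no" auto-adds unknown host keys; a changed key only warns and the session still proceeds */`, and aligning the docs/remote.html.in text with that. virNetSocketNewConnectSSH's body begins and ends outside the hunk.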
diff --git a/src/rpc/virnetsocket.h b/src/rpc/virnetsocket.h
index 356d6c6..5f882ac 100644
--- a/src/rpc/virnetsocket.h
+++ b/src/rpc/virnetsocket.h
@@ -67,6 +67,7 @@ int virNetSocketNewConnectSSH(const char *nodename,
const char *binary,
const char *username,
bool noTTY,
+ bool noVerify,
const char *netcat,
const char *path,
virNetSocketPtr *addr);
diff --git a/tests/virnetsockettest.c b/tests/virnetsockettest.c
index f6c7274..e003a23 100644
--- a/tests/virnetsockettest.c
+++ b/tests/virnetsockettest.c
@@ -377,6 +377,7 @@ struct testSSHData {
const char *binary;
const char *username;
bool noTTY;
+ bool noVerify;
const char *netcat;
const char *path;
@@ -397,6 +398,7 @@ static int testSocketSSH(const void *opaque)
data->binary,
data->username,
data->noTTY,
+ data->noVerify,
data->netcat,
data->path,
&csock) < 0)
@@ -503,6 +505,7 @@ mymain(void)
.username = "fred",
.netcat = "netcat",
.noTTY = true,
+ .noVerify = false,
.path = "/tmp/socket",
.expectOut = "-p 9000 -l fred -T -o BatchMode=yes -e none somehost netcat -U
/tmp/socket\n",
};
@@ -510,20 +513,33 @@ mymain(void)
ret = -1;
struct testSSHData sshData3 = {
+ .nodename = "somehost",
+ .service = "9000",
+ .username = "fred",
+ .netcat = "netcat",
+ .noTTY = false,
+ .noVerify = true,
+ .path = "/tmp/socket",
+ .expectOut = "-p 9000 -l fred -o StrictHostKeyChecking=no somehost netcat -U
/tmp/socket\n",
+ };
+ if (virtTestRun("SSH test 3", 1, testSocketSSH, &sshData2) < 0)
+ ret = -1;
+
+ struct testSSHData sshData4 = {
.nodename = "nosuchhost",
.path = "/tmp/socket",
.failConnect = true,
};
- if (virtTestRun("SSH test 3", 1, testSocketSSH, &sshData3) < 0)
+ if (virtTestRun("SSH test 4", 1, testSocketSSH, &sshData3) < 0)
ret = -1;
- struct testSSHData sshData4 = {
+ struct testSSHData sshData5 = {
.nodename = "crashyhost",
.path = "/tmp/socket",
.expectOut = "crashyhost nc -U /tmp/socket\n",
.dieEarly = true,
};
- if (virtTestRun("SSH test 4", 1, testSocketSSH, &sshData4) < 0)
+ if (virtTestRun("SSH test 5", 1, testSocketSSH, &sshData4) < 0)
ret = -1;
#endif
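Review bot: The new "SSH test 3" run passes `&sshData2` instead of `&sshData3`, so the noVerify case defined just above it is never run under its own name; the renumbered runs below are shifted the same way ("SSH test 4" gets `&sshData3`, "SSH test 5" gets `&sshData4`) and `sshData5` (the crashyhost/dieEarly case) is not run at all, which will likely also trigger an unused-variable warning. The three virtTestRun lines should read `if (virtTestRun("SSH test 3", 1, testSocketSSH, &sshData3) < 0)`, `if (virtTestRun("SSH test 4", 1, testSocketSSH, &sshData4) < 0)` and `if (virtTestRun("SSH test 5", 1, testSocketSSH, &sshData5) < 0)`. The suite could still pass as written because each data set is self-consistent, which is why the mismatch is easy to miss. mymain starts outside the hunk.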
--
1.7.6