[libvirt-tck PATCH 0/2] Convert to SSH pubkey auth rather than password-based auth

Most of the nwfilter tests utilize SSH connections to execute some commands to cross-reference whether the requested change in libvirt took effect. However, Fedora 31 disables password-based auth for root login, which breaks the test suite.

Erik Skultety (2):
  lib: TCK.pm: Favour pubkey auth over passwords on SSH connections
  nwfilter: Make use of the SSH pubkey auth rather than password-based auth

 lib/Sys/Virt/TCK.pm                     | 30 ++++++++++++++++++++++++-
 scripts/nwfilter/210-no-mac-spoofing.t  |  2 +-
 scripts/nwfilter/220-no-ip-spoofing.t   |  2 +-
 scripts/nwfilter/230-no-mac-broadcast.t |  2 +-
 scripts/nwfilter/240-no-arp-spoofing.t  |  2 +-
 5 files changed, 33 insertions(+), 5 deletions(-)

-- 
2.24.1

The reason for this change is our Fedora 31 test image, because starting with Fedora 31, the SSH policy for root logins with password authentication changed and password auth is now disabled by default. Since we were relying on this, we're now unable to log in to the guest as root. Let's convert to the SSH keys usage. Signed-off-by: Erik Skultety <eskultet@redhat.com> --- lib/Sys/Virt/TCK.pm | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/lib/Sys/Virt/TCK.pm b/lib/Sys/Virt/TCK.pm index a641d01..5a5c9e4 100644 --- a/lib/Sys/Virt/TCK.pm +++ b/lib/Sys/Virt/TCK.pm @@ -408,6 +408,32 @@ sub has_disk_image { return -f $target } +sub ssh_key_path { + my $self = shift; + my $basedir = shift; + + return catfile($basedir, "ssh", "id_rsa"); +} + +sub create_host_ssh_keys { + my $self = shift; + + my $scratch = $self->scratch_dir; + my $ssh_dir_path = catfile($scratch, "ssh"); + my $ssh_key_path = $self->ssh_key_path($scratch); + + if (! -d "$ssh_dir_path") { + mkdir "$ssh_dir_path", 0700; + } + + if (! -e "$ssh_key_path") { + print "# generating a new SSH RSA key pair under $ssh_dir_path\n"; + system "ssh-keygen -q -t rsa -f $ssh_key_path -N ''"; + } + + return $ssh_key_path; +} + sub create_virt_builder_disk { my $self = shift; my $bucket = shift; @@ -424,8 +450,10 @@ sub create_virt_builder_disk { return $target; } + my $ssh_key_path = $self->create_host_ssh_keys; + print "# running virt-builder $osname\n"; - system "virt-builder", "--install", "dsniff", "--selinux-relabel", "--root-password", "password:$password", "--output", $target, $osname; + system "virt-builder", "--install", "dsniff", "--selinux-relabel", "--root-password", "password:$password", "--ssh-inject", "root:file:$ssh_key_path.pub", "--output", $target, $osname; die "cannot run virt-builder: $?" if $? != 0; -- 2.24.1
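Review bot: the exit status of `system "ssh-keygen -q -t rsa -f $ssh_key_path -N ''"` in create_host_ssh_keys is never checked, while the virt-builder call later in the same file dies on `$? != 0`; if key generation fails the function still returns a path and the failure only surfaces later as a missing `$ssh_key_path.pub` in --ssh-inject. Suggest adding `die "cannot run ssh-keygen: $?" if $? != 0;` after the call, and using the list form `system "ssh-keygen", "-q", "-t", "rsa", "-f", $ssh_key_path, "-N", "";` so the scratch path is not re-parsed by a shell (the form the virt-builder call already uses). The `mkdir "$ssh_dir_path", 0700` return value is likewise unchecked, and the `-e "$ssh_key_path"` guard tests the private key only, so a directory holding id_rsa without id_rsa.pub skips regeneration and fails at inject time.

Review bot: `create_host_ssh_keys` is called only after the early `return $target;` that the top of the second hunk shows for an already-present disk image, so an image cached from before this change will never have the public key injected and no host key pair will be generated either; the nwfilter tests then fail at SSH authentication with nothing pointing at the stale cached image. Either generate the key before the early return and make image reuse conditional on the key having been injected, or at least document in the commit message that a scratch image built before this change has to be removed. Also worth a sentence: `--root-password` is kept alongside `--ssh-inject`, so the password login path is still provisioned in the image even though the tests no longer use it.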

On Tue, Jan 21, 2020 at 05:47:16PM +0100, Erik Skultety wrote:
The reason for this change is our Fedora 31 test image, because starting with Fedora 31, the SSH policy for root logins with password authentication changed and password auth is now disabled by default. Since we were relying on this, we're now unable to log in to the guest as root. Let's convert to the SSH keys usage.
Signed-off-by: Erik Skultety <eskultet@redhat.com> --- lib/Sys/Virt/TCK.pm | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-)
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

Regards,
Daniel

-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

On Tue, Jan 21, 2020 at 05:47:16PM +0100, Erik Skultety wrote:
The reason for this change is our Fedora 31 test image, because starting with Fedora 31, the SSH policy for root logins with password authentication changed and password auth is now disabled by default. Since we were relying on this, we're now unable to log in to the guest as root. Let's convert to the SSH keys usage.
Signed-off-by: Erik Skultety <eskultet@redhat.com> --- lib/Sys/Virt/TCK.pm | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-)
diff --git a/lib/Sys/Virt/TCK.pm b/lib/Sys/Virt/TCK.pm index a641d01..5a5c9e4 100644 --- a/lib/Sys/Virt/TCK.pm +++ b/lib/Sys/Virt/TCK.pm @@ -408,6 +408,32 @@ sub has_disk_image { return -f $target }
+sub ssh_key_path { + my $self = shift; + my $basedir = shift; + + return catfile($basedir, "ssh", "id_rsa"); +} + +sub create_host_ssh_keys { + my $self = shift; + + my $scratch = $self->scratch_dir; + my $ssh_dir_path = catfile($scratch, "ssh"); + my $ssh_key_path = $self->ssh_key_path($scratch); + + if (! -d "$ssh_dir_path") { + mkdir "$ssh_dir_path", 0700; + } + + if (! -e "$ssh_key_path") { + print "# generating a new SSH RSA key pair under $ssh_dir_path\n";
I'm wondering whether I should actually use diag here^ instead; do you have a suggestion, Dan?

On Tue, Jan 21, 2020 at 06:08:01PM +0100, Erik Skultety wrote:
On Tue, Jan 21, 2020 at 05:47:16PM +0100, Erik Skultety wrote:
The reason for this change is our Fedora 31 test image, because starting with Fedora 31, the SSH policy for root logins with password authentication changed and password auth is now disabled by default. Since we were relying on this, we're now unable to log in to the guest as root. Let's convert to the SSH keys usage.
Signed-off-by: Erik Skultety <eskultet@redhat.com> --- lib/Sys/Virt/TCK.pm | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-)
diff --git a/lib/Sys/Virt/TCK.pm b/lib/Sys/Virt/TCK.pm index a641d01..5a5c9e4 100644 --- a/lib/Sys/Virt/TCK.pm +++ b/lib/Sys/Virt/TCK.pm @@ -408,6 +408,32 @@ sub has_disk_image { return -f $target }
+sub ssh_key_path { + my $self = shift; + my $basedir = shift; + + return catfile($basedir, "ssh", "id_rsa"); +} + +sub create_host_ssh_keys { + my $self = shift; + + my $scratch = $self->scratch_dir; + my $ssh_dir_path = catfile($scratch, "ssh"); + my $ssh_key_path = $self->ssh_key_path($scratch); + + if (! -d "$ssh_dir_path") { + mkdir "$ssh_dir_path", 0700; + } + + if (! -e "$ssh_key_path") { + print "# generating a new SSH RSA key pair under $ssh_dir_path\n";
I'm wondering whether I should actually use diag here^ instead; do you have a suggestion, Dan?
I guess we do use diag in the rest of the file, so it would be worth being consistent, even if it is functionally identical.

Regards,
Daniel

...
+ if (! -e "$ssh_key_path") { + print "# generating a new SSH RSA key pair under $ssh_dir_path\n";
I'm wondering whether I should actually use diag here^ instead; do you have a suggestion, Dan?
I guess we do use diag in the rest of the file, so it would be worth being consistent, even if it is functionally identical.
Got it, consider it changed.

Thanks,
Erik

Not only have SSH keys been a good practice for a while, it fixes our SSH connections to the f31 test vm. Signed-off-by: Erik Skultety <eskultet@redhat.com> --- scripts/nwfilter/210-no-mac-spoofing.t | 2 +- scripts/nwfilter/220-no-ip-spoofing.t | 2 +- scripts/nwfilter/230-no-mac-broadcast.t | 2 +- scripts/nwfilter/240-no-arp-spoofing.t | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/scripts/nwfilter/210-no-mac-spoofing.t b/scripts/nwfilter/210-no-mac-spoofing.t index 95f003a..9798c4f 100644 --- a/scripts/nwfilter/210-no-mac-spoofing.t +++ b/scripts/nwfilter/210-no-mac-spoofing.t @@ -95,7 +95,7 @@ ok($ping =~ "10 received", "ping $guestip test"); diag "ssh'ing into $guestip"; my $ssh = Net::OpenSSH->new($guestip, user => "root", - password => $tck->root_password(), + key_path => $tck->ssh_key_path($tck->scratch_dir()), master_opts => [-o => "UserKnownHostsFile=/dev/null", -o => "StrictHostKeyChecking=no"]); diff --git a/scripts/nwfilter/220-no-ip-spoofing.t b/scripts/nwfilter/220-no-ip-spoofing.t index bacb861..9615d99 100644 --- a/scripts/nwfilter/220-no-ip-spoofing.t +++ b/scripts/nwfilter/220-no-ip-spoofing.t @@ -89,7 +89,7 @@ ok($ebtable =~ "$guestip", "check ebtables entry"); diag "ssh'ing into $guestip"; my $ssh = Net::OpenSSH->new($guestip, user => "root", - password => $tck->root_password(), + key_path => $tck->ssh_key_path($tck->scratch_dir()), master_opts => [-o => "UserKnownHostsFile=/dev/null", -o => "StrictHostKeyChecking=no"]); diff --git a/scripts/nwfilter/230-no-mac-broadcast.t b/scripts/nwfilter/230-no-mac-broadcast.t index b518a81..59683fa 100644 --- a/scripts/nwfilter/230-no-mac-broadcast.t +++ b/scripts/nwfilter/230-no-mac-broadcast.t 
@@ -117,7 +117,7 @@ system("/usr/sbin/tcpdump -v -i virbr0 -n host $networkipbroadcast and ether hos diag "ssh'ing into $guestip"; my $ssh = Net::OpenSSH->new($guestip, user => "root", - password => $tck->root_password(), + key_path => $tck->ssh_key_path($tck->scratch_dir()), master_opts => [-o => "UserKnownHostsFile=/dev/null", -o => "StrictHostKeyChecking=no"]); diff --git a/scripts/nwfilter/240-no-arp-spoofing.t b/scripts/nwfilter/240-no-arp-spoofing.t index 77b36d2..2c860ed 100644 --- a/scripts/nwfilter/240-no-arp-spoofing.t +++ b/scripts/nwfilter/240-no-arp-spoofing.t @@ -98,7 +98,7 @@ system("/usr/sbin/tcpdump -v -i virbr0 not ip > /tmp/tcpdump.log &"); diag "ssh'ing into $guestip"; my $ssh = Net::OpenSSH->new($guestip, user => "root", - password => $tck->root_password(), + key_path => $tck->ssh_key_path($tck->scratch_dir()), master_opts => [-o => "UserKnownHostsFile=/dev/null", -o => "StrictHostKeyChecking=no"]); -- 2.24.1
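Review bot: `$tck->ssh_key_path($tck->scratch_dir())` is repeated verbatim in all four test files (210, 220, 230, 240); since ssh_key_path is already a method on $tck, letting `$basedir` default to `$self->scratch_dir` when no argument is passed would reduce each call site to `key_path => $tck->ssh_key_path()` and keep the key layout decision in TCK.pm alone.

Review bot: none of the four `Net::OpenSSH->new` call sites check that the key file exists before connecting, and the key is only created inside create_virt_builder_disk, so running these tests against a scratch image that predates patch 1 yields a bare SSH connection failure. A guard before the constructor, for example `-e $key_path or die "missing SSH key $key_path, rebuild the scratch image";` with a diag line, would make the dependency explicit. Separately, the unchanged `UserKnownHostsFile=/dev/null` and `StrictHostKeyChecking=no` context means the guest is still identified by IP only after the switch to key auth; acceptable for a throwaway VM on virbr0, but a short comment saying so would stop a later reader from assuming the key change hardened that side too.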

On Tue, Jan 21, 2020 at 05:47:17PM +0100, Erik Skultety wrote:
Not only have SSH keys been a good practice for a while, it fixes our SSH connections to the f31 test vm.
Signed-off-by: Erik Skultety <eskultet@redhat.com> --- scripts/nwfilter/210-no-mac-spoofing.t | 2 +- scripts/nwfilter/220-no-ip-spoofing.t | 2 +- scripts/nwfilter/230-no-mac-broadcast.t | 2 +- scripts/nwfilter/240-no-arp-spoofing.t | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/scripts/nwfilter/210-no-mac-spoofing.t b/scripts/nwfilter/210-no-mac-spoofing.t index 95f003a..9798c4f 100644 --- a/scripts/nwfilter/210-no-mac-spoofing.t +++ b/scripts/nwfilter/210-no-mac-spoofing.t @@ -95,7 +95,7 @@ ok($ping =~ "10 received", "ping $guestip test"); diag "ssh'ing into $guestip"; my $ssh = Net::OpenSSH->new($guestip, user => "root", - password => $tck->root_password(), + key_path => $tck->ssh_key_path($tck->scratch_dir()),
Tabs in indent here & the other four places.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

Regards,
Daniel

On Tue, Jan 21, 2020 at 05:02:09PM +0000, Daniel P. Berrangé wrote:
On Tue, Jan 21, 2020 at 05:47:17PM +0100, Erik Skultety wrote:
Not only have SSH keys been a good practice for a while, it fixes our SSH connections to the f31 test vm.
Signed-off-by: Erik Skultety <eskultet@redhat.com> --- scripts/nwfilter/210-no-mac-spoofing.t | 2 +- scripts/nwfilter/220-no-ip-spoofing.t | 2 +- scripts/nwfilter/230-no-mac-broadcast.t | 2 +- scripts/nwfilter/240-no-arp-spoofing.t | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/scripts/nwfilter/210-no-mac-spoofing.t b/scripts/nwfilter/210-no-mac-spoofing.t index 95f003a..9798c4f 100644 --- a/scripts/nwfilter/210-no-mac-spoofing.t +++ b/scripts/nwfilter/210-no-mac-spoofing.t @@ -95,7 +95,7 @@ ok($ping =~ "10 received", "ping $guestip test"); diag "ssh'ing into $guestip"; my $ssh = Net::OpenSSH->new($guestip, user => "root", - password => $tck->root_password(), + key_path => $tck->ssh_key_path($tck->scratch_dir()),
Tabs in indent here & the other four places.
Shoot, I created the patches in a VM where I don't have all my editor settings, sorry, will change.

Thanks,
Erik