9:52 a.m.
Some questions which seem to be left ambigious by the documentation
for virConnectAuthCallbackPtr:
http://libvirt.org/html/libvirt-libvirt.html#virConnectAuthCallbackPtr
(1) For a single open, can this be called multiple times? I'm
thinking, some authentication methods might give the user N attempts
at typing the password, which might result in N callbacks here.
(2) The documentation says: "Returns: 0 if all interactions were
filled, or -1 upon error". However it also says "If an interaction
cannot be filled, fill in NULL and 0". Does that mean it's OK (not an
error, return 0) if a result field is set to NULL?
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://et.redhat.com/~rjones/virt-top
10:02 a.m.
Another comment about virConnectOpenAuth:
Is it possible to test uses of this API from scripts? It'd be nice if
the test driver allowed you to test authentication, but I notice in
the source that all uses of virConnectAuthPtr are marked
ATTRIBUTE_UNUSED, so I guess that's not a possible route.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
New in Fedora 11: Fedora Windows cross-compiler. Compile Windows
programs, test, and build Windows installers. Over 70 libraries supprt'd
http://fedoraproject.org/wiki/MinGW http://www.annexia.org/fedora_mingw
5:14 a.m.
On Sat, Oct 13, 2012 at 04:02:56PM +0100, Richard W.M. Jones wrote:
Another comment about virConnectOpenAuth:
Is it possible to test uses of this API from scripts? It'd be nice if
the test driver allowed you to test authentication, but I notice in
the source that all uses of virConnectAuthPtr are marked
ATTRIBUTE_UNUSED, so I guess that's not a possible route.
Hmm, yes, that's a bit sucky. The test driver ought to be enhanced to
allow testing of this.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
11:47 a.m.
On Sat, Oct 13, 2012 at 03:52:06PM +0100, Richard W.M. Jones wrote:
Some questions which seem to be left ambigious by the documentation
for virConnectAuthCallbackPtr:
http://libvirt.org/html/libvirt-libvirt.html#virConnectAuthCallbackPtr
(1) For a single open, can this be called multiple times? I'm
thinking, some authentication methods might give the user N attempts
at typing the password, which might result in N callbacks here.
Testing and reviewing the libssh2 backend, it seems this
must be true (ie. N >= 1).
BTW I cannot get the libssh2 backend in libvirt to work. For
every host it says:
libvirt_auth.c: authentication required for libvirt URI
'qemu+libssh2://localhost/system'
libvirt_auth.c: credential 'echoprompt'
Accept SSH host key with hash '<correct host key>' for host
'localhost:22' (y/n)?: y
libguestfs: error: could not connect to libvirt (code 85, domain 50): SSH transport
error: SSH host key for 'localhost' (<correct host key>) was not accepted
No idea what I'm doing wrong. Nothing in the logs on the server
indicate that anything is wrong on the remote side.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into Xen guests.
http://et.redhat.com/~rjones/virt-p2v
12:08 p.m.
On Sat, Oct 13, 2012 at 05:47:24PM +0100, Richard W.M. Jones wrote:
BTW I cannot get the libssh2 backend in libvirt to work. For
every host it says:
libvirt_auth.c: authentication required for libvirt URI
'qemu+libssh2://localhost/system'
libvirt_auth.c: credential 'echoprompt'
Accept SSH host key with hash '<correct host key>' for host
'localhost:22' (y/n)?: y
libguestfs: error: could not connect to libvirt (code 85, domain 50): SSH transport
error: SSH host key for 'localhost' (<correct host key>) was not accepted
No idea what I'm doing wrong. Nothing in the logs on the server
indicate that anything is wrong on the remote side.
Peter,
This is because of a bug in the libvirt code:
if (!askKey.result ||
STRCASENEQ(askKey.result, "y")) {
virReportError(VIR_ERR_SSH,
_("SSH host key for '%s' (%s) was not
accepted"),
sess->hostname, keyhash);
VIR_FREE(keyhash);
VIR_FREE(askKey.result);
return -1;
}
The problem with this code is that it ignores the resultlen field.
If the caller passes result[] = { 'y' } (no trailing \0), resultlen = 1,
(which IMHO is a correct use of the API as described by the
documentation), then STRCASENEQ above will not match the string.
You need to use something like:
askKey.resultlen >= 1 && askKey.result[0] == 'y'
or else some sort of memcmp function.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming blog: http://rwmj.wordpress.com
Fedora now supports 80 OCaml packages (the OPEN alternative to F#)
http://cocan.org/getting_started_with_ocaml_on_red_hat_and_fedora
5:17 a.m.
On 10/13/12 19:08, Richard W.M. Jones wrote:
On Sat, Oct 13, 2012 at 05:47:24PM +0100, Richard W.M. Jones wrote:
> BTW I cannot get the libssh2 backend in libvirt to work. For
> every host it says:
>
> libvirt_auth.c: authentication required for libvirt URI
'qemu+libssh2://localhost/system'
> libvirt_auth.c: credential 'echoprompt'
> Accept SSH host key with hash '<correct host key>' for host
'localhost:22' (y/n)?: y
> libguestfs: error: could not connect to libvirt (code 85, domain 50): SSH
transport error: SSH host key for 'localhost' (<correct host key>) was not
accepted
>
> No idea what I'm doing wrong. Nothing in the logs on the server
> indicate that anything is wrong on the remote side.
Peter,
This is because of a bug in the libvirt code:
if (!askKey.result ||
STRCASENEQ(askKey.result, "y")) {
virReportError(VIR_ERR_SSH,
_("SSH host key for '%s' (%s) was not
accepted"),
sess->hostname, keyhash);
VIR_FREE(keyhash);
VIR_FREE(askKey.result);
return -1;
}
The problem with this code is that it ignores the resultlen field.
If the caller passes result[] = { 'y' } (no trailing \0), resultlen = 1,
(which IMHO is a correct use of the API as described by the
documentation), then STRCASENEQ above will not match the string.
You need to use something like:
askKey.resultlen >= 1 && askKey.result[0] == 'y'
or else some sort of memcmp function.
Rich.
Hm, that seems to be a fair point. I'll have a look and try to fix this
today.
Peter
5:28 a.m.
On Mon, Oct 15, 2012 at 12:17:42PM +0200, Peter Krempa wrote:
On 10/13/12 19:08, Richard W.M. Jones wrote:
>On Sat, Oct 13, 2012 at 05:47:24PM +0100, Richard W.M. Jones wrote:
>>BTW I cannot get the libssh2 backend in libvirt to work. For
>>every host it says:
>>
>> libvirt_auth.c: authentication required for libvirt URI
'qemu+libssh2://localhost/system'
>> libvirt_auth.c: credential 'echoprompt'
>> Accept SSH host key with hash '<correct host key>' for host
'localhost:22' (y/n)?: y
>> libguestfs: error: could not connect to libvirt (code 85, domain 50): SSH
transport error: SSH host key for 'localhost' (<correct host key>) was not
accepted
>>
>>No idea what I'm doing wrong. Nothing in the logs on the server
>>indicate that anything is wrong on the remote side.
>
>Peter,
>
>This is because of a bug in the libvirt code:
>
> if (!askKey.result ||
> STRCASENEQ(askKey.result, "y")) {
> virReportError(VIR_ERR_SSH,
> _("SSH host key for '%s' (%s) was not
accepted"),
> sess->hostname, keyhash);
> VIR_FREE(keyhash);
> VIR_FREE(askKey.result);
> return -1;
> }
>
>The problem with this code is that it ignores the resultlen field.
>
>If the caller passes result[] = { 'y' } (no trailing \0), resultlen = 1,
>(which IMHO is a correct use of the API as described by the
>documentation), then STRCASENEQ above will not match the string.
>
>You need to use something like:
>
> askKey.resultlen >= 1 && askKey.result[0] == 'y'
>
>or else some sort of memcmp function.
>
>Rich.
>
Hm, that seems to be a fair point. I'll have a look and try to fix
this today.
And FWIW this case would fail (badly) too:
result[] = { 'y', ... }; // ie. some random data
resultlen = 0
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into Xen guests.
http://et.redhat.com/~rjones/virt-p2v
5:17 a.m.
On Sat, Oct 13, 2012 at 06:08:42PM +0100, Richard W.M. Jones wrote:
On Sat, Oct 13, 2012 at 05:47:24PM +0100, Richard W.M. Jones wrote:
> BTW I cannot get the libssh2 backend in libvirt to work. For
> every host it says:
>
> libvirt_auth.c: authentication required for libvirt URI
'qemu+libssh2://localhost/system'
> libvirt_auth.c: credential 'echoprompt'
> Accept SSH host key with hash '<correct host key>' for host
'localhost:22' (y/n)?: y
> libguestfs: error: could not connect to libvirt (code 85, domain 50): SSH
transport error: SSH host key for 'localhost' (<correct host key>) was not
accepted
>
> No idea what I'm doing wrong. Nothing in the logs on the server
> indicate that anything is wrong on the remote side.
Peter,
This is because of a bug in the libvirt code:
if (!askKey.result ||
STRCASENEQ(askKey.result, "y")) {
virReportError(VIR_ERR_SSH,
_("SSH host key for '%s' (%s) was not
accepted"),
sess->hostname, keyhash);
VIR_FREE(keyhash);
VIR_FREE(askKey.result);
return -1;
}
The problem with this code is that it ignores the resultlen field.
If the caller passes result[] = { 'y' } (no trailing \0), resultlen = 1,
(which IMHO is a correct use of the API as described by the
documentation), then STRCASENEQ above will not match the string.
You need to use something like:
askKey.resultlen >= 1 && askKey.result[0] == 'y'
or else some sort of memcmp function.
We probably ought to clarify the docs that any strings should be NULL
terminated, and that the resultlen does not include the NULL terminator
in its count. Most of the auth code looks to assume that the returned
data is NULL terminated.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
5:29 a.m.
On Mon, Oct 15, 2012 at 11:17:55AM +0100, Daniel P. Berrange wrote:
On Sat, Oct 13, 2012 at 06:08:42PM +0100, Richard W.M. Jones wrote:
> On Sat, Oct 13, 2012 at 05:47:24PM +0100, Richard W.M. Jones wrote:
> > BTW I cannot get the libssh2 backend in libvirt to work. For
> > every host it says:
> >
> > libvirt_auth.c: authentication required for libvirt URI
'qemu+libssh2://localhost/system'
> > libvirt_auth.c: credential 'echoprompt'
> > Accept SSH host key with hash '<correct host key>' for host
'localhost:22' (y/n)?: y
> > libguestfs: error: could not connect to libvirt (code 85, domain 50): SSH
transport error: SSH host key for 'localhost' (<correct host key>) was not
accepted
> >
> > No idea what I'm doing wrong. Nothing in the logs on the server
> > indicate that anything is wrong on the remote side.
>
> Peter,
>
> This is because of a bug in the libvirt code:
>
> if (!askKey.result ||
> STRCASENEQ(askKey.result, "y")) {
> virReportError(VIR_ERR_SSH,
> _("SSH host key for '%s' (%s) was not
accepted"),
> sess->hostname, keyhash);
> VIR_FREE(keyhash);
> VIR_FREE(askKey.result);
> return -1;
> }
>
> The problem with this code is that it ignores the resultlen field.
>
> If the caller passes result[] = { 'y' } (no trailing \0), resultlen = 1,
> (which IMHO is a correct use of the API as described by the
> documentation), then STRCASENEQ above will not match the string.
>
> You need to use something like:
>
> askKey.resultlen >= 1 && askKey.result[0] == 'y'
>
> or else some sort of memcmp function.
We probably ought to clarify the docs that any strings should be NULL
terminated, and that the resultlen does not include the NULL terminator
in its count. Most of the auth code looks to assume that the returned
data is NULL terminated.
Indeed I changed libguestfs to pass strings which are NUL-terminated
(not NULL!) with the \0 termination not included in the result count.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
http://et.redhat.com/~rjones/virt-df/
5:13 a.m.
On Sat, Oct 13, 2012 at 03:52:06PM +0100, Richard W.M. Jones wrote:
Some questions which seem to be left ambigious by the documentation
for virConnectAuthCallbackPtr:
http://libvirt.org/html/libvirt-libvirt.html#virConnectAuthCallbackPtr
(1) For a single open, can this be called multiple times? I'm
thinking, some authentication methods might give the user N attempts
at typing the password, which might result in N callbacks here.
It depends on the driver and auth mechanism, but yes, the callback can
be invoked multiple times. The remote driver tries to ask for as many
credentials at the same time as possible, but SASL allows for triggering
the auth callback multiuple during the auth process. The ESX driver will
actually ask for credentials separately IIRC.
(2) The documentation says: "Returns: 0 if all interactions
were
filled, or -1 upon error". However it also says "If an interaction
cannot be filled, fill in NULL and 0". Does that mean it's OK (not an
error, return 0) if a result field is set to NULL?
Correct, filling in NULL and 0 is an allowed non-error condition, to
indicate that the user didn't have any data to provide for that field.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
4422
days inactive
4424
days old
9 comments
3 participants
participants (3)
-
Daniel P. Berrange -
Peter Krempa -
Richard W.M. Jones