[libvirt] Bug 736983 SSH GSSAPI login broken

Hi, after I upgraded from libvirt-0.9.0 I noticed that GSSAPIAuthentication for openssh was no longer working, I always ended up with the password prompt. stracing and debug logging on the server revealed that gssapi was never tried. Adding KRB5CCNAME to the ssh command's environment solved the problem. https://bugzilla.redhat.com/show_bug.cgi?id=736983 I would like to propose the following patch: Index: libvirt-0.9.5-rc1/src/rpc/virnetsocket.c =================================================================== --- libvirt-0.9.5-rc1.orig/src/rpc/virnetsocket.c 2011-09-08 19:37:31.000000000 +0200 +++ libvirt-0.9.5-rc1/src/rpc/virnetsocket.c 2011-09-08 19:37:54.000000000 +0200 @@ -615,6 +615,7 @@ cmd = virCommandNew(binary ? binary : "ssh"); virCommandAddEnvPassCommon(cmd); + virCommandAddEnvPass(cmd, "KRB5CCNAME"); virCommandAddEnvPass(cmd, "SSH_AUTH_SOCK"); virCommandAddEnvPass(cmd, "SSH_ASKPASS"); virCommandAddEnvPass(cmd, "DISPLAY"); -- Matthias Witte - witte@netzquadrat.de Telefon: +49 (0)211-30 20 33-18 Telefax: +49 (0)211-30 20 33-22 [netzquadrat] GmbH - Gladbacher Str. 74 - 40219 Düsseldorf HRB Düsseldorf 36121 - Geschäftsführer: Thilo Salmon, Tim Mois Steuernummer: 106/5719/1836, Umsatzsteuer-ID: DE246863050
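Review bot: the added virCommandAddEnvPass(cmd, "KRB5CCNAME") line has no comment saying why a Kerberos variable belongs in the ssh pass-through list, and that list is the only record of what the spawned ssh is allowed to inherit. A one-line comment above it, for example that ssh needs the credential cache location for GSSAPIAuthentication, would document the intent. KRB5CCNAME names the caller's credential cache, so it fits beside SSH_AUTH_SOCK as an authentication-related variable; decide in this same change whether any other Kerberos variable is meant to be passed, so the list is not extended piecemeal.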

On 09.09.2011 15:03, Matthias Witte wrote:
> Hi,
> after I upgraded from libvirt-0.9.0 I noticed that GSSAPIAuthentication for openssh was no longer working, I always ended up with the password prompt.
> stracing and debug logging on the server revealed that gssapi was never tried.
> Adding KRB5CCNAME to the ssh command's environment solved the problem.
> https://bugzilla.redhat.com/show_bug.cgi?id=736983
> I would like to propose the following patch:
Index: libvirt-0.9.5-rc1/src/rpc/virnetsocket.c =================================================================== --- libvirt-0.9.5-rc1.orig/src/rpc/virnetsocket.c 2011-09-08 19:37:31.000000000 +0200 +++ libvirt-0.9.5-rc1/src/rpc/virnetsocket.c 2011-09-08 19:37:54.000000000 +0200 @@ -615,6 +615,7 @@
cmd = virCommandNew(binary ? binary : "ssh"); virCommandAddEnvPassCommon(cmd); + virCommandAddEnvPass(cmd, "KRB5CCNAME"); virCommandAddEnvPass(cmd, "SSH_AUTH_SOCK"); virCommandAddEnvPass(cmd, "SSH_ASKPASS"); virCommandAddEnvPass(cmd, "DISPLAY");
ACK. I listed you in AUTHORS; let me know if you prefer any alternate spelling.

Michal

On Fri, Sep 09, 2011 at 03:03:44PM +0200, Matthias Witte wrote:
> Hi,
> after I upgraded from libvirt-0.9.0 I noticed that GSSAPIAuthentication for openssh was no longer working, I always ended up with the password prompt.
> stracing and debug logging on the server revealed that gssapi was never tried.
> Adding KRB5CCNAME to the ssh command's environment solved the problem.
> https://bugzilla.redhat.com/show_bug.cgi?id=736983
> I would like to propose the following patch:
Index: libvirt-0.9.5-rc1/src/rpc/virnetsocket.c =================================================================== --- libvirt-0.9.5-rc1.orig/src/rpc/virnetsocket.c 2011-09-08 19:37:31.000000000 +0200 +++ libvirt-0.9.5-rc1/src/rpc/virnetsocket.c 2011-09-08 19:37:54.000000000 +0200 @@ -615,6 +615,7 @@
cmd = virCommandNew(binary ? binary : "ssh"); virCommandAddEnvPassCommon(cmd); + virCommandAddEnvPass(cmd, "KRB5CCNAME"); virCommandAddEnvPass(cmd, "SSH_AUTH_SOCK"); virCommandAddEnvPass(cmd, "SSH_ASKPASS"); virCommandAddEnvPass(cmd, "DISPLAY");
We should also pass through KRB5_KTNAME I believe

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

Hello,
> > Adding KRB5CCNAME to the ssh command's environment solved the problem.
> > https://bugzilla.redhat.com/show_bug.cgi?id=736983
> > I would like to propose the following patch:
Index: libvirt-0.9.5-rc1/src/rpc/virnetsocket.c =================================================================== --- libvirt-0.9.5-rc1.orig/src/rpc/virnetsocket.c 2011-09-08 19:37:31.000000000 +0200 +++ libvirt-0.9.5-rc1/src/rpc/virnetsocket.c 2011-09-08 19:37:54.000000000 +0200 @@ -615,6 +615,7 @@
cmd = virCommandNew(binary ? binary : "ssh"); virCommandAddEnvPassCommon(cmd); + virCommandAddEnvPass(cmd, "KRB5CCNAME"); virCommandAddEnvPass(cmd, "SSH_AUTH_SOCK"); virCommandAddEnvPass(cmd, "SSH_ASKPASS"); virCommandAddEnvPass(cmd, "DISPLAY");
> We should also pass through KRB5_KTNAME I believe
There might be legitimate applications that I am completely unaware of. But with regard to gssapi authentication and usage of ssh as client application by libvirt I think this is not necessary.

To obtain my credentials I would use an application like heimdal-kcm or k5start or kinit per cronjob. These would need access to a keytab. libvirt itself would only need to know about a keytab if there was an internal mechanism in libvirt to obtain and renew credentials for its own principal.

Kind regards!

--
Matthias Witte - witte@netzquadrat.de
Phone: +49 (0)211-30 20 33-18
Fax: +49 (0)211-30 20 33-22
[netzquadrat] GmbH - Gladbacher Str. 74 - 40219 Düsseldorf
HRB Düsseldorf 36121 - Managing directors: Thilo Salmon, Tim Mois
Tax number: 106/5719/1836, VAT ID: DE246863050
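An added example, not libvirt's code, of the failure reported at the top of this thread: a child environment built from a pass-through list drops KRB5CCNAME until the list names it, and still leaves out KRB5_KTNAME afterwards. The helper names env_find and filter_env, the sample environment values, and the rule that a listed variable is copied only when it is set in the parent are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Pass-through lists as they appear in the hunk; the variables added by
 * virCommandAddEnvPassCommon() are not shown on the page and are left out. */
static const char *const before_patch[] = { "SSH_AUTH_SOCK", "SSH_ASKPASS", "DISPLAY", NULL };
static const char *const after_patch[] = {
    "KRB5CCNAME", "SSH_AUTH_SOCK", "SSH_ASKPASS", "DISPLAY", NULL };

/* Constructed parent environment (sample values, not from the thread). */
static const char *const parent_env[] = {
    "KRB5CCNAME=FILE:/tmp/krb5cc_example",
    "KRB5_KTNAME=FILE:/etc/example.keytab",
    "SSH_AUTH_SOCK=/tmp/ssh-example/agent.1",
    "DISPLAY=:0", NULL };

/* Return the "NAME=value" entry for `name`, or NULL when it is not set. */
static const char *env_find(const char *const *env, const char *name)
{
    size_t n = strlen(name);
    for (; *env; env++)
        if (strncmp(*env, name, n) == 0 && (*env)[n] == '=') return *env;
    return NULL;
}

/* Build the child's environment: copy only listed variables that are set in
 * the parent. `out` has `cap` slots including the NULL terminator. */
static size_t filter_env(const char *const *env, const char *const *allow,
                         const char **out, size_t cap)
{
    size_t used = 0;
    if (cap == 0) return 0;
    for (; *allow && used + 1 < cap; allow++) {
        const char *entry = env_find(env, *allow);
        if (entry) out[used++] = entry;
    }
    out[used] = NULL;
    return used;
}

int main(void)
{
    const char *child[8];
    filter_env(parent_env, before_patch, child, 8);
    printf("before: %s\n", env_find(child, "KRB5CCNAME") ? "passed" : "dropped");
    filter_env(parent_env, after_patch, child, 8);
    printf("after:  %s\n", env_find(child, "KRB5CCNAME") ? "passed" : "dropped");
    return 0;
}
```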
participants (3): Daniel P. Berrange, Matthias Witte, Michal Privoznik