On Tue, Feb 14, 2023 at 11:08:18 -0600, Jonathon Jongsma wrote:
> Authenticating via key file to an ssh server is often preferable to
> logging in via password. In order to support this functionality add a
> new <identity> xml element for ssh disks that allows the user to specify
> a keyfile, username and optional ssh-agent socket location. Example
> configuration:
> 
>     <disk type='network'>
>       <source protocol='ssh' ...>
>         <identity keyfile='/path/to/id_rsa' username='myusername'/>
>         ...
>       </source>
>     ...
>     </disk>
> 
> Signed-off-by: Jonathon Jongsma <jjong...@redhat.com>
> ---
>  docs/formatdomain.rst             |  8 ++++++++
>  src/conf/schemas/domaincommon.rng | 22 +++++++++++++++++++++-
>  2 files changed, 29 insertions(+), 1 deletion(-)
> 
> diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst
> index d5ad5d80b0..ea3d1a5a06 100644
> --- a/docs/formatdomain.rst
> +++ b/docs/formatdomain.rst
> @@ -2945,6 +2945,14 @@ paravirtualized driver is specified via the ``disk`` 
> element.
>        of these attributes is omitted, then that field is assumed to be the
>        default value for the current system. If both ``user`` and ``group``
>        are intended to be default, then the entire element may be omitted.
> +
> +      When using an ``ssh`` protocol, this element is used to enable
> +      authentication via ssh keys. In this configuration, the element has 
> three
> +      attributes. The ``username`` attribute specifies the name of the user 
> on
> +      the remote server. A path to an ssh key can be specified in the
> +      ``keyfile`` attribute. If the ssh key is password-protected, the key 
> can
> +      be added to an ssh-agent and the path to the ssh-agent socket can be
> +      specified in the ``agentsock`` attribute.

Reword this so that it says that the ssh key can be used with an agent
even when it is not protected. Or in fact promote the agent first and
mention that a password-less key can be used without an agent with the
keyfile option.

>     ``reconnect``
>        For disk type ``vhostuser`` configures reconnect timeout if the 
> connection
>        is lost. It has two mandatory attributes:
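Review bot: The added ``identity`` paragraph in this hunk presents the agent as a fallback only for passphrase-protected keys ("If the ssh key is password-protected, the key can be added to an ssh-agent"), but an agent can hold a key regardless of whether it has a passphrase; describe the ``agentsock`` path on its own terms and mention ``keyfile`` as the way to use a passphrase-less key without an agent. The paragraph also states that the element "has three attributes" while the commit message calls the agent socket optional; say explicitly which attributes are mandatory for the ``ssh`` case, and note that ``keyfile`` is the path to the private key.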
> diff --git a/src/conf/schemas/domaincommon.rng 
> b/src/conf/schemas/domaincommon.rng
> index f38f1f3ff1..a15ce97ef3 100644
> --- a/src/conf/schemas/domaincommon.rng
> +++ b/src/conf/schemas/domaincommon.rng
> @@ -2168,6 +2168,22 @@
>      </element>
>    </define>
>  
> +  <define name="diskSourceNetworkProtocolSSHKeyDef">
> +    <element name="identity">
> +      <attribute name="keyfile">
> +        <ref name="absFilePath"/>
> +      </attribute>
> +      <attribute name="username">
> +        <ref name="genericName"/>
> +      </attribute>
> +      <optional>
> +        <attribute name="agentsock">
> +          <ref name="absFilePath"/>
> +        </attribute>
> +      </optional>
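Review bot: In this hunk only ``agentsock`` is wrapped in ``<optional>``, so ``keyfile`` is a required attribute of ``identity`` and a configuration that authenticates through an agent alone fails schema validation, even though the commit message describes the agent socket as an alternative way to supply the key. Wrap the ``keyfile`` attribute in ``<optional>`` as well (or use a pattern that requires at least one of ``keyfile`` and ``agentsock``) so that agent-only identities validate while ``username`` stays mandatory.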

And tweak the schema to allow agent without keyfile.

Reviewed-by: Peter Krempa <pkre...@redhat.com>
