Re: [libvirt] [PATCHv2] remote/ssh: support for no_verify.

2011-07-12 Thread Matthias Bolte
2011/7/11 Oskari Saarenmaa o...@ohmu.fi:
 Set StrictHostKeyChecking=no to auto-accept new ssh host keys if the
 no_verify extra parameter was specified.  This won't disable host key
 checking for already known hosts.  Includes a test and documentation.
 ---
  Thanks for the review, here's an updated patch.

  docs/remote.html.in        |    9 +++--
  src/remote/remote_driver.c |    1 +
  src/rpc/virnetclient.c     |    3 ++-
  src/rpc/virnetclient.h     |    1 +
  src/rpc/virnetsocket.c     |    3 +++
  src/rpc/virnetsocket.h     |    1 +
  tests/virnetsockettest.c   |   22 +++---
  7 files changed, 34 insertions(+), 6 deletions(-)

 diff --git a/tests/virnetsockettest.c b/tests/virnetsockettest.c
 index f6c7274..e003a23 100644
 --- a/tests/virnetsockettest.c
 +++ b/tests/virnetsockettest.c

 @@ -510,20 +513,33 @@ mymain(void)
         ret = -1;

     struct testSSHData sshData3 = {
 +        .nodename = somehost,
 +        .service = 9000,
 +        .username = fred,
 +        .netcat = netcat,
 +        .noTTY = false,
 +        .noVerify = true,
 +        .path = /tmp/socket,
 +        .expectOut = -p 9000 -l fred -o StrictHostKeyChecking=no somehost 
 netcat -U /tmp/socket\n,
 +    };
 +    if (virtTestRun(SSH test 3, 1, testSocketSSH, sshData2)  0)

You use sshData2 in test 3, shouldn't this be sshData3?

 +
 +    struct testSSHData sshData4 = {
         .nodename = nosuchhost,
         .path = /tmp/socket,
         .failConnect = true,
     };
 -    if (virtTestRun(SSH test 3, 1, testSocketSSH, sshData3)  0)
 +    if (virtTestRun(SSH test 4, 1, testSocketSSH, sshData3)  0)
         ret = -1;

Here it should be sshData4 instead of sshData3, I think.

 -    struct testSSHData sshData4 = {
 +    struct testSSHData sshData5 = {
         .nodename = crashyhost,
         .path = /tmp/socket,
         .expectOut = crashyhost nc -U /tmp/socket\n,
         .dieEarly = true,
     };
 -    if (virtTestRun(SSH test 4, 1, testSocketSSH, sshData4)  0)
 +    if (virtTestRun(SSH test 5, 1, testSocketSSH, sshData4)  0)
         ret = -1;

And here it should be sshData5 instead of sshData4, shouldn't it?

I'm squashing in this diff to fix the off-by-one problem and pushing
the result, thanks.


diff --git a/tests/virnetsockettest.c b/tests/virnetsockettest.c
index e003a23..1697ced 100644
--- a/tests/virnetsockettest.c
+++ b/tests/virnetsockettest.c
@@ -522,7 +522,7 @@ mymain(void)
 .path = /tmp/socket,
 .expectOut = -p 9000 -l fred -o StrictHostKeyChecking=no
somehost netcat -U /tmp/socket\n,
 };
-if (virtTestRun(SSH test 3, 1, testSocketSSH, sshData2)  0)
+if (virtTestRun(SSH test 3, 1, testSocketSSH, sshData3)  0)
 ret = -1;

 struct testSSHData sshData4 = {
@@ -530,7 +530,7 @@ mymain(void)
 .path = /tmp/socket,
 .failConnect = true,
 };
-if (virtTestRun(SSH test 4, 1, testSocketSSH, sshData3)  0)
+if (virtTestRun(SSH test 4, 1, testSocketSSH, sshData4)  0)
 ret = -1;

 struct testSSHData sshData5 = {
@@ -539,7 +539,7 @@ mymain(void)
 .expectOut = crashyhost nc -U /tmp/socket\n,
 .dieEarly = true,
 };
-if (virtTestRun(SSH test 5, 1, testSocketSSH, sshData4)  0)
+if (virtTestRun(SSH test 5, 1, testSocketSSH, sshData5)  0)
 ret = -1;

 #endif


I'm also adding you to the authors list.

-- 
Matthias Bolte
http://photron.blogspot.com


[libvirt] [PATCHv2] remote/ssh: support for no_verify.

2011-07-11 Thread Oskari Saarenmaa
Set StrictHostKeyChecking=no to auto-accept new ssh host keys if the
no_verify extra parameter was specified.  This won't disable host key
checking for already known hosts.  Includes a test and documentation.
---
 Thanks for the review, here's an updated patch.

 docs/remote.html.in|9 +++--
 src/remote/remote_driver.c |1 +
 src/rpc/virnetclient.c |3 ++-
 src/rpc/virnetclient.h |1 +
 src/rpc/virnetsocket.c |3 +++
 src/rpc/virnetsocket.h |1 +
 tests/virnetsockettest.c   |   22 +++---
 7 files changed, 34 insertions(+), 6 deletions(-)

diff --git a/docs/remote.html.in b/docs/remote.html.in
index f6a0683..39d65aa 100644
--- a/docs/remote.html.in
+++ b/docs/remote.html.in
@@ -279,9 +279,14 @@ Note that parameter values must be
 td
   codeno_verify/code
 /td
-td tls /td
-td
-  If set to a non-zero value, this disables client checks of the
+td ssh, tls /td
+td
+  SSH: If set to a non-zero value, this disables client's strict host key
+  checking making it auto-accept new host keys.  Existing host keys will
+  still be validated.
+  br/
+  br/
+  TLS: If set to a non-zero value, this disables client checks of the
   server's certificate.  Note that to disable server checks of
   the client's certificate or IP address you must
   a href=#Remote_libvirtd_configurationchange the libvirtd
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index 5c0457e..6921c15 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -571,6 +571,7 @@ doRemoteOpen (virConnectPtr conn,
 command,
 username,
 no_tty,
+no_verify,
 netcat ? netcat : nc,
 sockname)))
 goto failed;
diff --git a/src/rpc/virnetclient.c b/src/rpc/virnetclient.c
index 6a112ee..b9f0fc8 100644
--- a/src/rpc/virnetclient.c
+++ b/src/rpc/virnetclient.c
@@ -187,12 +187,13 @@ virNetClientPtr virNetClientNewSSH(const char *nodename,
const char *binary,
const char *username,
bool noTTY,
+   bool noVerify,
const char *netcat,
const char *path)
 {
 virNetSocketPtr sock;
 
-if (virNetSocketNewConnectSSH(nodename, service, binary, username, noTTY, 
netcat, path, sock)  0)
+if (virNetSocketNewConnectSSH(nodename, service, binary, username, noTTY, 
noVerify, netcat, path, sock)  0)
 return NULL;
 
 return virNetClientNew(sock, NULL);
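Review bot: `noVerify` is added as a second bare `bool` directly after `noTTY`, both in the virNetClientNewSSH signature and in the virNetSocketNewConnectSSH call, so a caller that transposes the two arguments still compiles and silently turns off host key prompting. Because this flag relaxes a security check, I would document it on the function, for example `/* noVerify: pass -o StrictHostKeyChecking=no to ssh; unknown host keys are accepted without prompting */`, or fold the two booleans into one flags argument with named bits. The same signature change appears in the virnetclient.h, virnetsocket.c and virnetsocket.h hunks. The signature of virNetClientNewSSH starts above this hunk.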
diff --git a/src/rpc/virnetclient.h b/src/rpc/virnetclient.h
index de0782c..6acdf50 100644
--- a/src/rpc/virnetclient.h
+++ b/src/rpc/virnetclient.h
@@ -44,6 +44,7 @@ virNetClientPtr virNetClientNewSSH(const char *nodename,
const char *binary,
const char *username,
bool noTTY,
+   bool noVerify,
const char *netcat,
const char *path);
 
diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
index 3392047..41d9954 100644
--- a/src/rpc/virnetsocket.c
+++ b/src/rpc/virnetsocket.c
@@ -576,6 +576,7 @@ int virNetSocketNewConnectSSH(const char *nodename,
   const char *binary,
   const char *username,
   bool noTTY,
+  bool noVerify,
   const char *netcat,
   const char *path,
   virNetSocketPtr *retsock)
@@ -596,6 +597,8 @@ int virNetSocketNewConnectSSH(const char *nodename,
 if (noTTY)
 virCommandAddArgList(cmd, -T, -o, BatchMode=yes,
  -e, none, NULL);
+if (noVerify)
+virCommandAddArgList(cmd, -o, StrictHostKeyChecking=no, NULL);
 virCommandAddArgList(cmd, nodename,
  netcat ? netcat : nc,
  -U, path, NULL);
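Review bot: The `-o StrictHostKeyChecking=no` argument added under `if (noVerify)` has no comment or log line, and it may weaken more than the commit message states. With this setting ssh adds unknown host keys to known_hosts without asking, so the first connection to a host is not authenticated. As far as I know from ssh_config(5), it also lets connections to hosts whose key has changed proceed with some restrictions instead of refusing them, which should be checked against the claim that existing host keys are still validated. I would add a comment above the `if (noVerify)` line such as `/* no_verify: unknown host keys are accepted without prompting, so first contact is not authenticated */` and consider logging a warning when the option is active. The body of virNetSocketNewConnectSSH starts and ends outside this hunk.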
diff --git a/src/rpc/virnetsocket.h b/src/rpc/virnetsocket.h
index 356d6c6..5f882ac 100644
--- a/src/rpc/virnetsocket.h
+++ b/src/rpc/virnetsocket.h
@@ -67,6 +67,7 @@ int virNetSocketNewConnectSSH(const char *nodename,
   const char *binary,
   const char *username,
   bool noTTY,
+  bool noVerify,
   const char *netcat,
   const char *path,
   virNetSocketPtr 

Re: [libvirt] [PATCHv2] remote/ssh: support for no_verify.

2011-07-11 Thread Daniel P. Berrange
On Mon, Jul 11, 2011 at 10:50:31PM +0300, Oskari Saarenmaa wrote:
 Set StrictHostKeyChecking=no to auto-accept new ssh host keys if the
 no_verify extra parameter was specified.  This won't disable host key
 checking for already known hosts.  Includes a test and documentation.
 ---
  Thanks for the review, here's an updated patch.
 
  docs/remote.html.in|9 +++--
  src/remote/remote_driver.c |1 +
  src/rpc/virnetclient.c |3 ++-
  src/rpc/virnetclient.h |1 +
  src/rpc/virnetsocket.c |3 +++
  src/rpc/virnetsocket.h |1 +
  tests/virnetsockettest.c   |   22 +++---
  7 files changed, 34 insertions(+), 6 deletions(-)

ACK, this looks nice to me.

Daniel
-- 
|: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o- http://virt-manager.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org   -o-   http://live.gnome.org/gtk-vnc :|
