[libvirt-tck PATCH 1/2] lib: TCK.pm: Favour pubkey auth over passwords on SSH connections

Erik Skultety posted 2 patches 6 years ago
[libvirt-tck PATCH 1/2] lib: TCK.pm: Favour pubkey auth over passwords on SSH connections
Posted by Erik Skultety 6 years ago
The reason for this change is our Fedora 31 test image, because starting
with Fedora 31, the SSH policy for root logins with password
authentication changed and password auth is now disabled by default.
Since we were relying on this, we're now unable to log in to the guest
as root. Let's convert to the SSH keys usage.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
---
 lib/Sys/Virt/TCK.pm | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/lib/Sys/Virt/TCK.pm b/lib/Sys/Virt/TCK.pm
index a641d01..5a5c9e4 100644
--- a/lib/Sys/Virt/TCK.pm
+++ b/lib/Sys/Virt/TCK.pm
@@ -408,6 +408,32 @@ sub has_disk_image {
     return -f $target
 }
 
+sub ssh_key_path {
+    my $self = shift;
+    my $basedir = shift;
+
+    return catfile($basedir, "ssh", "id_rsa");
+}
+
+sub create_host_ssh_keys {
+    my $self = shift;
+
+    my $scratch = $self->scratch_dir;
+    my $ssh_dir_path = catfile($scratch, "ssh");
+    my $ssh_key_path = $self->ssh_key_path($scratch);
+
+    if (! -d "$ssh_dir_path") {
+        mkdir "$ssh_dir_path", 0700;
+    }
+
+    if (! -e "$ssh_key_path") {
+        print "# generating a new SSH RSA key pair under $ssh_dir_path\n";
+        system "ssh-keygen -q -t rsa -f $ssh_key_path -N ''";
+    }
+
+    return $ssh_key_path;
+}
+
 sub create_virt_builder_disk {
     my $self = shift;
     my $bucket = shift;
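Review bot: In create_host_ssh_keys, the `system "ssh-keygen -q -t rsa -f $ssh_key_path -N ''"` call uses the single-string form, so the command is run through the shell with `$ssh_key_path` interpolated unquoted; a scratch directory whose path contains spaces or shell metacharacters would break or alter the command. Passing it as a list, the way the virt-builder call in this file does, avoids the shell entirely: `system "ssh-keygen", "-q", "-t", "rsa", "-f", $ssh_key_path, "-N", "";`. Neither `mkdir` nor `system` has its result checked, so a failure still returns `$ssh_key_path` and only surfaces later; a `die` on failure, like the one after virt-builder, would make it visible at the source. The `-e` test also covers only the private key, while the caller consumes the `.pub` file.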
@@ -424,8 +450,10 @@ sub create_virt_builder_disk {
         return $target;
     }
 
+    my $ssh_key_path = $self->create_host_ssh_keys;
+
     print "# running virt-builder $osname\n";
-    system "virt-builder", "--install", "dsniff", "--selinux-relabel", "--root-password", "password:$password", "--output", $target, $osname;
+    system "virt-builder", "--install", "dsniff", "--selinux-relabel", "--root-password", "password:$password", "--ssh-inject", "root:file:$ssh_key_path.pub", "--output", $target, $osname;
 
     die "cannot run virt-builder: $?" if $? != 0;
 
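Review bot: The new `create_host_ssh_keys` call sits after the early `return $target;` shown in the context at the top of this hunk, so on that return path no key pair is generated and nothing is injected. If that path is taken for a disk image that already exists, an image built before this change will not carry the public key, and a caller that looks the key up through `ssh_key_path` may not find one on the host; consider creating the keys before the early return and documenting that older images need to be rebuilt. `--root-password password:$password` is also still passed, so a short comment on why it stays alongside `--ssh-inject` would help the next reader.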
-- 
2.24.1

Re: [libvirt-tck PATCH 1/2] lib: TCK.pm: Favour pubkey auth over passwords on SSH connections
Posted by Daniel P. Berrangé 6 years ago
On Tue, Jan 21, 2020 at 05:47:16PM +0100, Erik Skultety wrote:
> The reason for this change is our Fedora 31 test image, because starting
> with Fedora 31, the SSH policy for root logins with password
> authentication changed and password auth is now disabled by default.
> Since we were relying on this, we're now unable to log in to the guest
> as root. Let's convert to the SSH keys usage.
> 
> Signed-off-by: Erik Skultety <eskultet@redhat.com>
> ---
>  lib/Sys/Virt/TCK.pm | 30 +++++++++++++++++++++++++++++-
>  1 file changed, 29 insertions(+), 1 deletion(-)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

Re: [libvirt-tck PATCH 1/2] lib: TCK.pm: Favour pubkey auth over passwords on SSH connections
Posted by Erik Skultety 6 years ago
On Tue, Jan 21, 2020 at 05:47:16PM +0100, Erik Skultety wrote:
> The reason for this change is our Fedora 31 test image, because starting
> with Fedora 31, the SSH policy for root logins with password
> authentication changed and password auth is now disabled by default.
> Since we were relying on this, we're now unable to log in to the guest
> as root. Let's convert to the SSH keys usage.
>
> Signed-off-by: Erik Skultety <eskultet@redhat.com>
> ---
>  lib/Sys/Virt/TCK.pm | 30 +++++++++++++++++++++++++++++-
>  1 file changed, 29 insertions(+), 1 deletion(-)
>
> diff --git a/lib/Sys/Virt/TCK.pm b/lib/Sys/Virt/TCK.pm
> index a641d01..5a5c9e4 100644
> --- a/lib/Sys/Virt/TCK.pm
> +++ b/lib/Sys/Virt/TCK.pm
> @@ -408,6 +408,32 @@ sub has_disk_image {
>      return -f $target
>  }
>
> +sub ssh_key_path {
> +    my $self = shift;
> +    my $basedir = shift;
> +
> +    return catfile($basedir, "ssh", "id_rsa");
> +}
> +
> +sub create_host_ssh_keys {
> +    my $self = shift;
> +
> +    my $scratch = $self->scratch_dir;
> +    my $ssh_dir_path = catfile($scratch, "ssh");
> +    my $ssh_key_path = $self->ssh_key_path($scratch);
> +
> +    if (! -d "$ssh_dir_path") {
> +        mkdir "$ssh_dir_path", 0700;
> +    }
> +
> +    if (! -e "$ssh_key_path") {
> +        print "# generating a new SSH RSA key pair under $ssh_dir_path\n";

I'm wondering whether I should actually use diag here^ instead, do you have a
suggestion Dan?

Re: [libvirt-tck PATCH 1/2] lib: TCK.pm: Favour pubkey auth over passwords on SSH connections
Posted by Daniel P. Berrangé 6 years ago
On Tue, Jan 21, 2020 at 06:08:01PM +0100, Erik Skultety wrote:
> On Tue, Jan 21, 2020 at 05:47:16PM +0100, Erik Skultety wrote:
> > The reason for this change is our Fedora 31 test image, because starting
> > with Fedora 31, the SSH policy for root logins with password
> > authentication changed and password auth is now disabled by default.
> > Since we were relying on this, we're now unable to log in to the guest
> > as root. Let's convert to the SSH keys usage.
> >
> > Signed-off-by: Erik Skultety <eskultet@redhat.com>
> > ---
> >  lib/Sys/Virt/TCK.pm | 30 +++++++++++++++++++++++++++++-
> >  1 file changed, 29 insertions(+), 1 deletion(-)
> >
> > diff --git a/lib/Sys/Virt/TCK.pm b/lib/Sys/Virt/TCK.pm
> > index a641d01..5a5c9e4 100644
> > --- a/lib/Sys/Virt/TCK.pm
> > +++ b/lib/Sys/Virt/TCK.pm
> > @@ -408,6 +408,32 @@ sub has_disk_image {
> >      return -f $target
> >  }
> >
> > +sub ssh_key_path {
> > +    my $self = shift;
> > +    my $basedir = shift;
> > +
> > +    return catfile($basedir, "ssh", "id_rsa");
> > +}
> > +
> > +sub create_host_ssh_keys {
> > +    my $self = shift;
> > +
> > +    my $scratch = $self->scratch_dir;
> > +    my $ssh_dir_path = catfile($scratch, "ssh");
> > +    my $ssh_key_path = $self->ssh_key_path($scratch);
> > +
> > +    if (! -d "$ssh_dir_path") {
> > +        mkdir "$ssh_dir_path", 0700;
> > +    }
> > +
> > +    if (! -e "$ssh_key_path") {
> > +        print "# generating a new SSH RSA key pair under $ssh_dir_path\n";
> 
> I'm wondering whether I should actually use diag here^ instead, do you have a
> suggestion Dan?

I guess we do use diag in the rest of the file, so it would be worth
being consistent, even if it is functionally identical.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

Re: [libvirt-tck PATCH 1/2] lib: TCK.pm: Favour pubkey auth over passwords on SSH connections
Posted by Erik Skultety 6 years ago
...
> > > +    if (! -e "$ssh_key_path") {
> > > +        print "# generating a new SSH RSA key pair under $ssh_dir_path\n";
> >
> > I'm wondering whether I should actually use diag here^ instead, do you have a
> > suggestion Dan?
>
> I guess we do use diag in the rest of the file, so it would be worth
> being consistent, even if it is functionally identical.

Got it, consider it changed.

Thanks,
Erik